RT-AC66U OpenVPN Client not getting push routes

  • ATTENTION! As of November 1, 2020, you are not able to reply to threads 6 months after the thread is opened if there are more than 500 posts in the thread.
    Threads will not be locked, so posts may still be edited by their authors.
    Just start a new thread on the topic to post if you get an error message when trying to reply to a thread.

Kaze

New Around Here
Hello, I am trying to setup an openvpn link between 2 Assus routers:
- OpenVPN Server: RT-AC66U B1, firmware 3.0.0.4.386_40558
- OpenVPN Client: RT-AC66U, firmware 3.0.0.4.382_52287

Asus VPN Server is configured like following:
Send LAN to clients: yes
Direct clients to redirect Internet traffic: no
Manage client specific options: yes
Alow client <> client: yes
Alow only specified clients: no
Custom configuration:
push "route x.y.z.w 255.255.255.255"

On the Asus VPN client I get:
Jan 3 10:50:42 vpnclient5[13591]: PUSH: Received control message: 'PUSH_REPLY,route 192.168.2.0 255.255.255.0 vpn_gateway 500,dhcp-option DNS 192.168.2.1,route x.y.z.w 255.255.255.255,route 10.8.0.0 255.255.255.0,topology net30,ping 10,ping-restart 30,ifconfig 10.8.0.10 10.8.0.9,peer-id 0,cipher AES-256-GCM'
Jan 3 10:50:42 vpnclient5[13591]: OPTIONS IMPORT: timers and/or timeouts modified
Jan 3 10:50:42 vpnclient5[13591]: OPTIONS IMPORT: --ifconfig/up options modified
Jan 3 10:50:42 vpnclient5[13591]: OPTIONS IMPORT: route options modified
Jan 3 10:50:42 vpnclient5[13591]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Jan 3 10:50:42 vpnclient5[13591]: OPTIONS IMPORT: peer-id set
Jan 3 10:50:42 vpnclient5[13591]: OPTIONS IMPORT: adjusting link_mtu to 1627
Jan 3 10:50:42 vpnclient5[13591]: OPTIONS IMPORT: data channel crypto options modified
Jan 3 10:50:42 vpnclient5[13591]: Data Channel: using negotiated cipher 'AES-256-GCM'
Jan 3 10:50:42 vpnclient5[13591]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jan 3 10:50:42 vpnclient5[13591]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jan 3 10:50:42 vpnclient5[13591]: TUN/TAP device tun15 opened
Jan 3 10:50:42 vpnclient5[13591]: TUN/TAP TX queue length set to 100
Jan 3 10:50:42 vpnclient5[13591]: /sbin/ifconfig tun15 10.8.0.10 pointopoint 10.8.0.9 mtu 1500
Jan 3 10:50:42 vpnclient5[13591]: /etc/openvpn/ovpn-up tun15 1500 1555 10.8.0.10 10.8.0.9 init
Jan 3 10:50:42 vpnclient5[13591]: Initialization Sequence Completed

Routing table on Asus VPN client:
[email protected]:/tmp/home/root# ip route
192.168.1.254 dev eth0 proto kernel scope link
10.8.0.9 dev tun15 proto kernel scope link src 10.8.0.10
192.168.4.0/24 dev br0 proto kernel scope link src 192.168.4.1
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.117
127.0.0.0/8 dev lo scope link
default via 192.168.1.254 dev eth0
[email protected]:/tmp/home/root#

Route to x.y.z.w/32 is missing.
However, on an Android client is working just fine.
Also, on Windows 10 client is working just fine:

C:\Users\Kaze>route print
===========================================================================
Interface List
17...00 ff 6e 4c ff 47 ......TAP-Windows Adapter V9 for OpenVPN Connect

===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.4.1 192.168.4.51 50
10.8.0.0 255.255.255.0 10.8.0.5 10.8.0.6 257
10.8.0.4 255.255.255.252 On-link 10.8.0.6 257
10.8.0.6 255.255.255.255 On-link 10.8.0.6 257
10.8.0.7 255.255.255.255 On-link 10.8.0.6 257
x.y.z.w 255.255.255.255 10.8.0.5 10.8.0.6 257

Additional question:
How do I pass default route on a per user basis?

Thank you!
 

Kaze

New Around Here
Well, thanks, but that how-to basically describes the configuration on the server side. Read it already. My problem seems to be on the client side. Asus client receives the advertised (pushed) route, however, it does not add it to the routing table. Android and Windows clients work just fine.
 

L&LD

Part of the Furniture
Did you search though? :)
 

ColinTaylor

Part of the Furniture
The most obvious difference between your Windows client and the router's is that the Windows client is using a TAP connection. I don't know whether that's relevant.
 

Kaze

New Around Here
@ColinTaylor : Actually it seems that Windows uses a TAP connection to a TUN tunnel. :)

OVPN Conect Log:
TAP ADAPTERS:
guid='{6E4CFF47-9505-4FA9-BCA2-8737DCE31B0D}' index=17 name='Local Area Connection'
Open TAP device "Local Area Connection" PATH="\\.\Global\{6E4CFF47-9505-4FA9-BCA2-8737DCE31B0D}.tap" SUCCEEDED
TAP-Windows Driver Version 9.24
ActionDeleteAllRoutesOnInterface iface_index=17
netsh interface ip set interface 17 metric=1
Ok.
netsh interface ip set address 17 static 10.8.0.6 255.255.255.252 gateway=10.8.0.5 store=active
IPHelper: add route 192.168.2.0/24 17 10.8.0.5 metric=500
IPHelper: add route x.y.z.w/32 17 10.8.0.5 metric=-1

IPHelper: add route 10.8.0.0/24 17 10.8.0.5 metric=-1
netsh interface ip set dnsservers 17 static 192.168.2.1 register=primary validate=no
NRPT::ActionCreate names=[.] dns_servers=[192.168.2.1]
ActionWFP openvpn_app_path=C:\Program Files\OpenVPN Connect\OpenVPNConnect.exe tap_index=17 enable=1
permit IPv4 DNS requests from OpenVPN app
permit IPv6 DNS requests from OpenVPN app
block IPv4 DNS requests from other apps
block IPv6 DNS requests from other apps
allow IPv4 traffic from TAP
allow IPv6 traffic from TAP
ipconfig /flushdns
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
TAP handle: dc17000000000000
⏎03.01.2021, 20:11:42 Connected via TUN_WIN
⏎03.01.2021, 20:11:42 LZO-ASYM init swap=0 asym=1
⏎03.01.2021, 20:11:42 Comp-stub init swap=0
⏎03.01.2021, 20:11:42 EVENT: CONNECTED [email protected]_server:1194 (VPN_Server_IP) via /TCPv4 on TUN_WIN/10.8.0.6/ gw=[10.8.0.5/]

@L&LD : server is configured exactly as in the tutorial. Asus rt-ac66u does not get the pushed routes (server LAN and pushed /32).:

[email protected]:/tmp/home/root# ip route
192.168.1.254 dev eth0 proto kernel scope link
10.8.0.9 dev tun15 proto kernel scope link src 10.8.0.10
192.168.4.0/24 dev br0 proto kernel scope link src 192.168.4.1
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.117
127.0.0.0/8 dev lo scope link
default via 192.168.1.254 dev eth0
[email protected]:/tmp/home/root#

As stated above. It receives the route advertisment, but does not add them to the routing table.
 

ColinTaylor

Part of the Furniture
You can see the route being pushed in the server's logs but what about the (router) client's log?

Side note: Have a look at this thread. Not really my area, but he appears to be using the server's "Allowed Clients" list to create the routes rather than the "Custom configuration". (But I might have misunderstood what they're talking about)

EDIT: Just remembered that you're not using Merlin's firmware so the link above is probably not relevant.
 
Last edited:

Kaze

New Around Here
@ColinTaylor , actually, he complains that only 1 route out of 2 is advertised.
in my case, all routes are advertised. Both Server's LAN and custom /32.
my problem is that Asus client does not add them to routing table.

Jan 3 10:50:42 vpnclient5[13591]: PUSH: Received control message: 'PUSH_REPLY,route 192.168.2.0 255.255.255.0 vpn_gateway 500,dhcp-option DNS 192.168.2.1,route x.y.z.w 255.255.255.255,route 10.8.0.0 255.255.255.0,topology net30,ping 10,ping-restart 30,ifconfig 10.8.0.10 10.8.0.9,peer-id 0,cipher AES-256-GCM'
Jan 3 10:50:42 vpnclient5[13591]: OPTIONS IMPORT: timers and/or timeouts modified
Jan 3 10:50:42 vpnclient5[13591]: OPTIONS IMPORT: --ifconfig/up options modified
Jan 3 10:50:42 vpnclient5[13591]: OPTIONS IMPORT: route options modified

Routing table - no entry for 192.168.2.0 or x.y.w.z/32:

[email protected]:/tmp/etc/openvpn# ip route
192.168.1.254 dev eth0 proto kernel scope link
10.8.0.9 dev tun15 proto kernel scope link src 10.8.0.10
192.168.4.0/24 dev br0 proto kernel scope link src 192.168.4.1
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.117
127.0.0.0/8 dev lo scope link
default via 192.168.1.254 dev eth0
[email protected]:/tmp/etc/openvpn#

Client config:
[email protected]:/tmp/etc/openvpn# cat /tmp/etc/openvpn/client5/config.ovpn | grep
route
route-up '/etc/openvpn/ovpn-route-up'
route-noexec
setenv route_net_defdev eth0
[email protected]:/tmp/etc/openvpn#

Where:
–route-noexec Don’t add or remove routes automatically. Instead pass routes to –route-up script using environmental variables.
 

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top