
RT-AX86U - OpenVPN Server configuration to add a 2nd subnet


Rassal

Regular Contributor
I have a specific configuration I want to achieve... here's the rundown.

I have a Modem at home like a Comcast Xfinity X1 that my ISP provides for my TV Setup Box to work... this Modem is my cable modem but also a router, but I do NOT use this router for my home network, only as the MODEM and as the Xfinity Comcast boxes.

I plugged my Asus RT-AX86U into the Comcast Router/Modem in order to use my Asus router at home, instead of the poor router... and everything works.

My Xfinity Router LAN is set up on the 10.0.0.x subnet and the router gateway IP is 10.0.0.1. All my Comcast TV boxes are using the Wifi of that Xfinity Router to work, so I would imagine they are all using 10.0.0.x IPs like 10.0.0.2, 10.0.0.3... etc...

My Asus router is plugged into one of the 4 Ethernet ports on that Xfinity Router, using the WAN port of my Asus Router. So the WAN port of the Asus router picks up an IP from the Xfinity router, like 10.0.0.4.

All works, here...

My Asus router subnet is 192.168.0.x and the router itself is 192.168.0.1.

I set up an OpenVPN server on my Asus router, I can connect with my OpenVPN client from the internet... so far, this is expected. The subnet of the OpenVPN Server that is on my Asus Router is 10.16.0.x.

Now, from home, when I am on any computer that uses the Asus Router, I can access both subnets, the 192.168.0.x subnet of my router, and also the 10.0.0.x subnet for the Xfinity TV Setup boxes...

When I am remote, and I connect to my OpenVPN server, I can access any of the IPs I have on my Asus Router, which is the 192.168.0.x subnet, through the OpenVPN VPN IP (10.16.0.3, for example, as I am connected now).

But when I am connected, I can only access the 192.168.0.x subnet. I would like to also be able to connect to the 10.0.0.x subnet... but I lack the knowledge to understand if I need to configure this in the OpenVPN client, or on the OpenVPN server.

I would think it needs to be on the OpenVPN Server, but I have no idea what is needed...

Can anyone help guide me in the right direction?
 
Given you're apparently using the OEM firmware, the easiest solution would be to configure the "Client will use VPN to access" option on the OpenVPN server w/ Both. However, this will also configure your OpenVPN clients to use the OpenVPN server as their default gateway once connected. IOW, they will be routed through your OpenVPN server for internet access. That may or may NOT be what you wanted. If you do NOT want that behavior, then you need to add the following directive to the OpenVPN client config file.

Code:
pull-filter ignore "redirect-gateway"
 
P.S. You'll also want to push any additional networks to the OpenVPN client using the custom config field of the OpenVPN server.

Code:
push "route 10.0.0.0 255.255.255.0"
 
I tried the "Redirect all traffic through the VPN" but whenever I enable this, I have no more internet access at all, can talk to the 192.168.0.x subnet still, can't talk to 10.0.0.x subnet with the VPN even if I do the push suggestion below...
 
What does the "Redirect all traffic through the VPN" option have to do w/ any of this? That's an option on the OpenVPN *client* of the ASUS router, NOT the OpenVPN *server*! (unless the OEM firmware is different from Merlin). You've made no mention at all of the OpenVPN client beyond the fact you can't reach the 10.0.0.0/24 network once connected to the OpenVPN server. In fact, it was my presumption your OpenVPN client was probably a smartphone or laptop.
 
I am using Merlin, not the OEM firmware.
 

Ok. But the question remains, what does the "Redirect all traffic through the VPN" option on the OpenVPN client have to do w/ the changes I recommended for the OpenVPN server?
 
Here's a rundown of what I want to achieve... maybe I explained the requirements wrong...

[Attached diagram: 1655574750704.png]
 
I tried stuff... so the "Redirect traffic through VPN" was something I tried, and it did not work...
 
If you check the diagram I posted... you can see what I want to achieve... the TV Box 4 I want to connect remotely to the ISP Modem that has the TV Sync Module. I want to be able to use the router AC87U that has a working OpenVPN client connecting to the AX86U OpenVPN Server... and when I am on the AC87U Subnet (192.168.2.x) I can ping and reach all devices on the AX86U Router with the OpenVPN Server, and all of the IPs on the 192.168.0.x Subnet... but I cannot talk to ANY of the 10.0.0.x stuff... this is what I would like... so that the TV BOX 4 can talk to the ISP Modem that already has TV BOX 1, 2, and 3.

Things you need to know, the AX86U router WAN port is plugged into one of the Ethernet ports on the ISP Modem and the WAN of the AX86U gets an IP of the 10.0.0.x subnet, which enables anything on the 192.168.0.x subnet to be able to reach any IP on the 10.0.0.x subnet, all is local.

The problem is when I try to use the AC87U where the OpenVPN client is set up and working... but it only connects to the local AX86U subnet, just the 192.168.0.x. I cannot reach the 10.0.0.x and this is what I would like to be able to do. Maybe I explained it better this way.
 
There is NO VPN Client on any workstations... the VPN Server is the AX86U, and the VPN Client is the AC87U... I want to access both subnets that are in my house through the AX86U, through my cottage router (AC87U) and from the cottage, I want the TV Box to be able to see the 10.0.0.x subnet so it can connect to the ISP Modem and that this TV BOX works.
 
Ok, I have a better picture now. What I explained previously is pretty much the same, except NOW I know the OpenVPN client is actually another ASUS router.

Again, in this configuration, there's no need for the "Redirect all traffic through the VPN" option to be enabled on the OpenVPN client. By doing that, you're telling the OpenVPN client to route *all* of the traffic from 192.168.2.x through the OpenVPN server, including the internet! I assume that is NOT your intention. You just want access to 192.168.0.x and 10.0.0.x. You do that by setting the "Client will use VPN to access" option on the OpenVPN server to Both. But that has the undesirable side-effect of once again forcing internet traffic from 192.168.2.x through the OpenVPN server. So you need to add the pull-filter I suggested to the custom config field of the OpenVPN client to prevent it.

OpenVPN server:

1. Set "Client will use VPN to access" option to Both.
2. Add the following directive to the custom config field.
push "route 10.0.0.0 255.255.255.0"

OpenVPN client:

1. Do NOT enable "Redirect all traffic through the VPN" option.
2. Add the following directive to the custom config field.
pull-filter ignore "redirect-gateway"

If it's still NOT working, then you may have to dump the routing tables and firewall so I can see what's going on w/ each router.

Code:
ip route
iptables -vnL
iptables -t nat -vnL

The fact Merlin no longer supports the RT-AC87U might be causing a misconfiguration somewhere, but that's just speculation at this point.
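
One way to read the `ip route` dump requested above on the OpenVPN client router, as an added example that is not part of the original post: the function reports whether both home subnets are routed into the tunnel and whether redirect-gateway was still accepted. The interface name `tun11`, the function name and the sample routing tables are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit `ip route` output from the OpenVPN client router.
# On the router: ip route | check_vpn_routes tun11
# tun11 is an assumed tunnel interface name; use the one in your own table.

check_vpn_routes() {
    awk -v dev="$1" '
        BEGIN {
            # Home networks from the thread that must be routed into the tunnel.
            want["192.168.0.0/24"] = 0
            want["10.0.0.0/24"] = 0
        }
        {
            # Interface is the word after "dev"; skip routes on other interfaces.
            ifname = ""
            for (i = 1; i < NF; i++) if ($i == "dev") ifname = $(i + 1)
            if (ifname != dev) next
            if ($1 in want) want[$1] = 1
            # An accepted redirect-gateway shows up as a default route on the
            # tunnel, or as the 0.0.0.0/1 + 128.0.0.0/1 pair (def1 flag).
            if ($1 == "default" || $1 == "0.0.0.0/1" || $1 == "128.0.0.0/1") full = 1
        }
        END {
            rc = 0
            for (net in want) if (!want[net]) { print "MISSING " net " via " dev; rc = 1 }
            if (full) { print "FULL-TUNNEL default traffic uses " dev; rc = 2 }
            if (rc == 0) print "OK split tunnel, both subnets via " dev
            exit rc
        }'
}

# Constructed sample tables (203.0.113.1 stands in for the cottage ISP gateway).
BASE='default via 203.0.113.1 dev eth0
10.16.0.0/24 dev tun11 proto kernel scope link src 10.16.0.2
192.168.0.0/24 via 10.16.0.1 dev tun11
192.168.2.0/24 dev br0 proto kernel scope link src 192.168.2.1'
NO_PUSH="$BASE"                                        # server push line missing
GOOD="$BASE
10.0.0.0/24 via 10.16.0.1 dev tun11"                   # push + pull-filter in place
NO_FILTER="$GOOD
0.0.0.0/1 via 10.16.0.1 dev tun11
128.0.0.0/1 via 10.16.0.1 dev tun11"                   # redirect-gateway accepted

for t in "$NO_PUSH" "$GOOD" "$NO_FILTER"; do
    printf '%s\n' "$t" | check_vpn_routes tun11 || true
done
```

Exit status 1 points at the server side (the `push "route ..."` line), and status 2 at the client side (the `pull-filter` line).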
 
Ok, found the parameters on the OpenVPN server, and added to OpenVPN client... I can now reach the 10.0.0.x subnet and all their IPs... thanks!

Now I have to try and see if it works as I want it, now that the routes are working!

Thanks a lot for the guidance!
 
