
Ultimate Guide to setting up Bi-Directional VPN using two Asus Routers via OpenVPN in TUN mode

Ed B.

Occasional Visitor
> As per suggestions I turned off the firewall but it still didn't work. Upon closer inspection she has three firewalls running (and I only turned off one) so I've more work to do. (Who runs three firewalls?)

Crazy. But I'm still guessing the issue is you're on a domain and not using its DNS server. (See Addendum 2, Paragraph 5, Sentence 3... of the Guide). That's why you can't log into the Database Server, etc. Have to add 'dhcp-option DNS' as outlined in Addendum 2.
 

maxbraketorque

Very Senior Member
A few questions regarding the OpenVPN server configuration:

- Why do you have "Username/Password Auth. Only" in the Details section set to <yes>? Doesn't this bypass using the certificates for authentication?
- In the Details section, why did you change the "VPN subnet" from the factory value of <10.8.0.0> to <10.1.2.0>? Is it a personal pref to use this IP range?
- After you are done configuring the "Details" portion, when you look at the General page, is "Client will use VPN to access" now set to <Custom>?

With regard to the client LAN IP range configurations: I think you have a typo in Step 28. You wrote, "So, if in step 17 you picked 10.100.101.100 and 255.255.255.0 as the subnet, then...", but I think you meant to write, "So, if in step 17 you picked *10.100.101.0* and 255.255.255.0 as the subnet, then...". Also in Step 28, I would change your wording from, "...then you must set your client's IP address to something like 10.100.101.1 or 10.100.101.100." to, "then you must set your *client router's LAN* IP address to something like 10.100.101.1 or 10.100.101.100." Making those two changes would help a bunch for clarity.

After scanning through your how-to a few times, I get the impression that setting up a router-to-router OpenVPN bridge distills down to using the "Manage Client-Specific Options" to enable the "Client<->Client" option. And then correct use of the subnet and mask values. Does that sound accurate to you?
 

maxbraketorque

Very Senior Member
I have this sort of working. I found that I had to change "Username/Password Auth. Only" to <yes> to get it to work. Based on what I have read, I should be able to set this to <no>, and then enter the domain name of my client router, but my client router is currently accessing the internet through my USB tethering to my phone, and DDNS is not working because of this. Once I get the client router onto its actual internet access point and get DDNS to work, I should be able to switch back to <yes>, or at least I think so.

The sort of working aspect is that from the server router network, I can access the client router configuration webpage, and I can access an IP camera webpage on the client router network, but I cannot access the client router HD storage via SMB. Any thoughts?
 

maxbraketorque

Very Senior Member
I was hoping the SMB issue was due to the test client router being on a USB tethered internet connection, but it appears not to be the cause. I just set up the same configuration using another ASUS router client that has a direct connection to the internet, and I cannot access the SMB share on that client router as well.
 

maxbraketorque

Very Senior Member
Ed B., are you setting up your LAN-to-LAN network using the "home" router as the OpenVPN server, or are you configuring the satellite LANs to be OpenVPN servers?
 

David Gursky

New Around Here
> I was hoping the SMB issue was due to the test client router being on a USB tethered internet connection, but it appears not to be the cause. I just set up the same configuration using another ASUS router client that has a direct connection to the internet, and I cannot access the SMB share on that client router as well.

Did you ever get SMB working? I have a similar scenario.

SWMBO operates a non-profit from her home in Maryland (192.168.58.0/24). I have set up an Ubuntu box with a RAID 6 array for backups. Now this is great if a tree falls on her house, notsomuch if the house catches fire. To that end, I want a server in my home in Virginia (192.168.60.0/24) to back up the backups. I have implemented a VPN with a pair of stock RT-AC66U_B1 with the latest firmware according to the instructions in The Ultimate Guide to setting up Bi-Directional VPN using two Asus Routers via OpenVPN in TUN mode.

The problem is that I can’t see inside the Maryland LAN from Virginia nor inside the Virginia LAN from Maryland. I’ve shut off the Firewalls on both sides but nada. How do I debug this / fix this? [I don’t think it is an SMB issue — maybe a routing issue?]
 

Pej5

Occasional Visitor
Ed B. Thanks for your thorough setup instructions. I am having a couple of issues and I am hoping you can direct me to the answers.

I have no problem setting up two Asus routers (one server and one client) to establish an OpenVPN connection using either TUN or TAP. The Asus built-in client even reconnects should the server side shut down for a reboot etc.

I am having a problem with the LAN to LAN communications.

With a TUN link up I cannot connect TO devices on the LAN side of the VPN Client router FROM the LAN side of the VPN Server LAN. If I connect locally to the Asus Client router then I can connect to devices on the LAN side of the VPN server router.

The title of your discussion indicated that you have this working. What parameter have I likely missed?

With TAP I can connect to a LAN device on the back side of the VPN client (Asus router), but the traffic across the tunnel is higher than I would like. See: https://www.snbforums.com/threads/tuning-data-usage-help-please.61338/

Thanks for any suggestions you can make.

Peter

Sent from my Pixel using Tapatalk
 

David Gursky

New Around Here
Could you elaborate what you mean when you wrote:

> With a TUN link up I cannot connect TO devices on the LAN side of the VPN Client router FROM the LAN side of the VPN Server LAN. If I connect locally to the Asus Client router then I can connect to devices on the LAN side of the VPN server router.
 

maxbraketorque

Very Senior Member
> Did you ever get SMB working? I have a similar scenario.
>
> SWMBO operates a non-profit from her home in Maryland (192.168.58.0/24). I have set up an Ubuntu box with a RAID 6 array for backups. Now this is great if a tree falls on her house, notsomuch if the house catches fire. To that end, I want a server in my home in Virginia (192.168.60.0/24) to back up the backups. I have implemented a VPN with a pair of stock RT-AC66U_B1 with the latest firmware according to the instructions in The Ultimate Guide to setting up Bi-Directional VPN using two Asus Routers via OpenVPN in TUN mode.
>
> The problem is that I can’t see inside the Maryland LAN from Virginia nor inside the Virginia LAN from Maryland. I’ve shut off the Firewalls on both sides but nada. How do I debug this / fix this? [I don’t think it is an SMB issue — maybe a routing issue?]

Sorry, I missed your question from back in November. From the OVPN client router network, I can seamlessly access everything in the OVPN server router network (http, SMB, AFP, FTP), including the SMB share on the OVPN server router. From the OVPN server router network, I can access everything in the OVPN client router network with the one caveat that I do not have an SMB share attached to the OVPN client router, so I can't verify that I can access that one feature. It sounds like you don't need that though. Did you see my alternate OVPN setup guide?
 

Pej5

Occasional Visitor
> Ed B. Thanks for your thorough setup instructions. I am having a couple of issues and I am hoping you can direct me to the answers.
>
> I have no problem setting up two Asus routers (one server and one client) to establish an OpenVPN connection using either TUN or TAP. The Asus built-in client even reconnects should the server side shut down for a reboot etc.
>
> I am having a problem with the LAN to LAN communications.
>
> With a TUN link up I cannot connect TO devices on the LAN side of the VPN Client router FROM the LAN side of the VPN Server LAN. If I connect locally to the Asus Client router then I can connect to devices on the LAN side of the VPN server router.
>
> The title of your discussion indicated that you have this working. What parameter have I likely missed?
>
> With TAP I can connect to a LAN device on the back side of the VPN client (Asus router), but the traffic across the tunnel is higher than I would like. See: https://www.snbforums.com/threads/tuning-data-usage-help-please.61338/
>
> Thanks for any suggestions you can make.
>
> Peter
>
> Sent from my Pixel using Tapatalk

With perseverance, I have successfully set up a bi-directional tunnel between two Asus routers. Here are things I changed.

I installed AsusWRT-Merlin on both routers. This provided enhanced features still through a GUI. This helped with respect to tuning, and displaying routing tables, displaying VPN client, and displaying VPN server connection status.

The VPN server side had no route defined to the VPN Client side LAN and this was the major problem to overcome. On the Server side VPN "Advanced Settings", I selected "Manage Client Specific options" and then added the route of the client side LAN and saved it. The "Common name" was indeed critical and in my case it had to be called 'client'. The VPN connection status tab (Merlin) on the Server side showed the Common name in the listing. Once that matched, I could FINALLY connect to Client LAN devices from the Server side LAN.

Merlin provided more options on the VPN Client configuration and I changed two. Create NAT on tunnel = No (allowing client LAN IP addresses through directly without NATing), and Inbound Firewall = No (allowing Server traffic through to client LAN).

I have not tested VPNing into the VPN server #2 from my phone and then pivoting out through VPN server #1 through the tunnel. I may have to add another common name route.

The TUN tunnel is very chatty considering I only have one remote device on tunnel and it is a very quiet device. I want/need to set up the Client router through a Hotspot and it will consume more data than I hoped.
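
The server-side routing problem described in the post above, restated in plain OpenVPN directives as an added example (not part of any post in this thread and not the firmware's own code). It assumes the router's client-specific options correspond to a `client-config-dir` file containing `iroute`; the subnets are sample values borrowed from the Maryland/Virginia post, and `check_site_to_site` is a hypothetical helper name.

```python
import ipaddress

# Constructed sample: server config and client-config-dir (ccd) files keyed by Common Name.
SERVER_CONF = """\
dev tun
server 10.8.0.0 255.255.255.0
client-config-dir ccd
route 192.168.60.0 255.255.255.0
push "route 192.168.58.0 255.255.255.0"
"""
CCD = {"client": "iroute 192.168.60.0 255.255.255.0\n"}

def nets(text, directive):
    """Return the networks named by '<directive> <network> <netmask>' lines."""
    found = set()
    for line in text.splitlines():
        parts = line.split("#")[0].split()
        if len(parts) >= 3 and parts[0] == directive:
            found.add(ipaddress.ip_network(f"{parts[1]}/{parts[2]}"))
    return found

def check_site_to_site(server_conf, ccd, connected_cn, client_lan):
    """List reasons the server-side LAN cannot reach client_lan via connected_cn."""
    lan = ipaddress.ip_network(client_lan)
    problems = []
    first_words = [l.split()[0] for l in server_conf.splitlines() if l.split()]
    if "client-config-dir" not in first_words:
        problems.append("no client-config-dir: ccd files are ignored")
    # 'route' makes the server's kernel send the client LAN into the tunnel.
    if lan not in nets(server_conf, "route"):
        problems.append(f"no 'route' for {lan} in the server config")
    # 'iroute' tells OpenVPN which connected client owns that LAN; the ccd
    # file name must equal the Common Name the client connects with.
    if connected_cn not in ccd:
        problems.append(f"no ccd file named '{connected_cn}'")
    elif lan not in nets(ccd[connected_cn], "iroute"):
        problems.append(f"ccd/{connected_cn} has no 'iroute' for {lan}")
    for cn, text in ccd.items():
        if cn != connected_cn and lan in nets(text, "iroute"):
            problems.append(f"'iroute' for {lan} is under '{cn}', not '{connected_cn}'")
    return problems

if __name__ == "__main__":
    for cn in ("client", "client1"):  # second CN shows the name-mismatch case
        print(cn, check_site_to_site(SERVER_CONF, CCD, cn, "192.168.60.0/24") or "ok")
```

The Common Name to pass in is the one the server's connection status page lists for the connected client.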
 

David Gursky

New Around Here
> I don't recall having to play with routing tables or disabling "create NAT on tunnel"...

And

> With perseverance, I have successfully set up a bi-directional tunnel between two Asus routers...

I will look at this over the weekend (because there is this silly thing I have to pay attention to during the week called "A Job") and get back to both of you. Thank you both for your insights.
 
