Tutorial: Ultimate Guide to setting up Bi-Directional VPN using two Asus Routers via OpenVPN in TUN mode

Ed B.

Occasional Visitor
As per suggestions I turned off the firewall but it still didn't work. Upon closer inspection she has three firewalls running (and I only turned off one) so I've more work to do. (Who runs three firewalls?)
Crazy. But I'm still guessing the issue is you're on a domain and not using its DNS server. (See Addendum 2, Paragraph 5, Sentence 3... of the Guide). That's why you can't log into the Database Server, etc. Have to add 'dhcp-option DNS' as outlined in Addendum 2.
 

maxbraketorque

Very Senior Member
A few questions regarding the OpenVPN server configuration:

- Why do you have "Username/Password Auth. Only" in the Details section set to <yes>? Doesn't this bypass using the certificates for authentication?
- In the Details section, why did you change the "VPN subnet" from the factory value of <10.8.0.0> to <10.1.2.0>? Is it a personal pref to use this IP range?
- After you are done configuring the "Details" portion, when you look at the General page, is "Client will use VPN to access" now set to <Custom>?

With regard to the client LAN IP range configurations: I think you have a typo in Step 28. You wrote, "So, if in step 17 you picked 10.100.101.100 and 255.255.255.0 as the subnet, then...", but I think you meant to write, "So, if in step 17 you picked *10.100.101.0* and 255.255.255.0 as the subnet, then...". Also in Step 28, I would change your wording from, "...then you must set your client's IP address to something like 10.100.101.1 or 10.100.101.100." to, "then you must set your *client router's LAN* IP address to something like 10.100.101.1 or 10.100.101.100." Making those two changes would help a bunch for clarity.

After scanning through your how-to a few times, I get the impression that setting up a router-to-router OpenVPN bridge distills down to using the "Manage Client-Specific Options" to enable the "Client<->Client" option. And then correct use of the subnet and mask values. Does that sound accurate to you?
 

maxbraketorque

Very Senior Member
I have this sort of working. I found that I had to change "Username/Password Auth. Only" to <yes> to get it to work. Based on what I have read, I should be able to set this to <no>, and then enter the domain name of my client router, but my client router is currently accessing the internet through my USB tethering to my phone, and DDNS is not working because of this. Once I get the client router onto its actual internet access point and get DDNS to work, I should be able to switch back to <yes>, or at least I think so.

The sort of working aspect is that from the server router network, I can access the client router configuration webpage, and I can access an IP camera webpage on the client router network, but I cannot access the client router HD storage via SMB. Any thoughts?
 

maxbraketorque

Very Senior Member
I was hoping the SMB issue was due to the test client router being on a USB tethered internet connection, but it appears not to be the cause. I just set up the same configuration using another ASUS router client that has a direct connection to the internet, and I cannot access the SMB share on that client router as well.
 

maxbraketorque

Very Senior Member
Ed B., are you setting up your LAN-to-LAN network using the "home" router as the OpenVPN server, or are you configuring the satellite LANs to be OpenVPN servers?
 

David Gursky

New Around Here
I was hoping the SMB issue was due to the test client router being on a USB tethered internet connection, but it appears not to be the cause...

Did you ever get SMB working? I have a similar scenario.

SWMBO operates a non-profit from her home in Maryland (192.168.58.0/24). I have set up an Ubuntu box with a RAID 6 array for backups. Now this is great if a tree falls on her house, not so much if the house catches fire. To that end, I want a server in my home in Virginia (192.168.60.0/24) to back up the backups. I have implemented a VPN with a pair of stock RT-AC66U_B1 with the latest firmware according to the instructions in
The Ultimate Guide to setting up Bi-Directional VPN using two Asus Routers via OpenVPN in TUN mode

The problem is that I can't see inside the Maryland LAN from Virginia nor inside the Virginia LAN from Maryland. I've shut off the firewalls on both sides but nada. How do I debug this / fix this? [I don't think it is an SMB issue; maybe a routing issue?]
 

Pej5

Occasional Visitor
Ed B. Thanks for your thorough setup instructions. I am having a couple of issues and I am hoping you can direct me to the answers.

I have no problem setting up two Asus routers (one server and one client) to establish an OpenVPN connection using either TUN or TAP. The Asus built-in client even reconnects should the server side shutdown for a reboot etc.

I am having problem with the LAN to LAN communications.

With a TUN link up I cannot connect TO devices on the LAN side of the VPN Client router FROM the LAN side of the VPN Server router. If I connect locally to the Asus Client router then I can connect to devices on the LAN side of the VPN server router.

The title of your discussion indicated that you have this working. What parameter have I likely missed?

With TAP I can connect to a LAN device on the back side of the VPN client (Asus router), but the traffic across the tunnel is higher than I would like. See: https://www.snbforums.com/threads/tuning-data-usage-help-please.61338/

Thanks for any suggestions you can make.

Peter

Sent from my Pixel using Tapatalk
 

David Gursky

New Around Here
Could you elaborate what you mean when you wrote:

With a TUN link up I cannot connect TO devices on the LAN side of the VPN Client router FROM the LAN side of the VPN Server router. If I connect locally to the Asus Client router then I can connect to devices on the LAN side of the VPN server router.
 

maxbraketorque

Very Senior Member
Did you ever get SMB working? I have a similar scenario...

Sorry, I missed your question from back in November. From the OVPN client router network, I can seamless access everything in the OVPN server router network (http, SMB, AFP, FTP), including the SMB share on the OVPN server router. From the OVPN server router network, I can access everything in the OVPN client router network with the one caveat that I do not have an SMB share attached to the OVPN client router, so I can't verify that I can access that one feature. It sounds like you don't need that though. Did you see my alternate OVPN setup guide?
 

Pej5

Occasional Visitor
Ed B. Thanks for your thorough setup instructions. I am having a couple of issues and I am hoping you can direct me to the answers...

With perseverance, I have successfully set up a bi-directional tunnel between two Asus routers. Here are things I changed.

I installed AsusWRT-Merlin on both routers. This provided enhanced features still through a GUI. This helped with respect to tuning, and displaying routing tables, displaying VPN client, and displaying VPN server connection status.

The VPN server side had no route defined to the VPN Client side LAN and this was the major problem to overcome. On the Server side VPN "Advanced Settings", I selected "Manage Client Specific options" and then added the route of the client side LAN and saved it. The "Common name" was indeed critical and in my case it had to be called 'client'. The VPN connection status tab (Merlin) on the Server side showed the Common name in the listing. Once that matched, I could FINALLY connect to Client LAN devices from the Server side LAN.

Merlin provided more options on the VPN Client configuration and I changed two. Create NAT on tunnel = No (allowing client LAN IP addresses through directly without NATing), and Inbound Firewall = No (allowing Server traffic through to client LAN) .

I have not tested VPNing into the VPN server #2 from my phone and then pivoting out through VPN server#1 through the tunnel. I may have to add another common name route.

The TUN tunnel is very chatty considering I only have one remote device on tunnel and it is a very quiet device. I want/need to set up the Client router through a Hotspot and it will consume more data than I hoped.
 
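For readers trying to map the GUI fields Pej5 mentions (Manage Client-Specific Options, Common Name, the client LAN subnet and netmask) onto what OpenVPN actually does, here is an added example configuration. It is not from the guide and is not the exact text Asuswrt-Merlin generates (that is an assumption); it uses the addresses that appear in this thread: the guide's VPN subnet 10.1.2.0/24, 192.168.60.0/24 as the server-side LAN, 192.168.58.0/24 as the client-side LAN, and the Common Name "client" that the router-exported certificate carries. The server DDNS name is a placeholder. The piece Pej5 found missing, the server's route to the client LAN, is the pair of a kernel `route` line and an OpenVPN-internal `iroute` line in the client-config-dir file named after the certificate's CN.

```conf
# --- server router (LAN 192.168.60.0/24): OpenVPN server config ---
dev tun
server 10.1.2.0 255.255.255.0           # VPN subnet from the guide
# Require a certificate signed by the router's CA. "Username/Password Auth.
# Only = yes" replaces this with "verify-client-cert none" (assumption).
verify-client-cert require
remote-cert-tls client                   # client cert must carry the clientAuth EKU
# Per-client settings, looked up by the Common Name of the presented cert
client-config-dir /etc/openvpn/ccd
# Kernel route: packets for the client LAN are sent into the tunnel ...
route 192.168.58.0 255.255.255.0
# ... and the client is told where the server LAN lives
push "route 192.168.60.0 255.255.255.0"
# the GUI's "Client<->Client": VPN clients may talk to each other via the server
client-to-client

# --- /etc/openvpn/ccd/client  (file name == CN of the client router's cert) ---
# iroute is OpenVPN's internal route: "this client owns 192.168.58.0/24".
# Without it the kernel route above exists but OpenVPN drops the packets,
# which is the "no route to the client LAN" symptom described in this thread.
iroute 192.168.58.0 255.255.255.0

# --- client router (LAN 192.168.58.0/24): OpenVPN client config ---
client
dev tun
remote vpn.example.net 1194              # placeholder: the server's DDNS name
remote-cert-tls server
# No "route" lines are needed here; the server pushes 192.168.60.0/24.
# "Create NAT on tunnel" and "Inbound Firewall" are Merlin firewall settings,
# not OpenVPN directives: NAT off means the server LAN sees 192.168.58.x
# source addresses instead of the client's 10.1.2.x tunnel address, and
# Inbound Firewall off lets connections initiated from the server side
# through to the client LAN.
```

One consequence worth checking on the hosts themselves: whether a host firewall must allow the VPN subnet or the remote LAN subnet depends on that NAT setting. With NAT on the tunnel, the server side sees connections coming from 10.1.2.x; with NAT off it sees 192.168.58.x, so a firewall scope that only lists 10.1.2.0/24 will block the remote LAN.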

David Gursky

New Around Here
I don't recall having to play with routing tables or disabling "create NAT on tunnel"...

And

With perseverance, I have successfully set up a bi-directional tunnel between two Asus routers...

I will look at this over the weekend (because there is this silly thing I have to pay attention to during the week called "A Job") and get back to both of you. Thank you both for your insights.
 

Bonk-70

New Around Here
Hello,
Thank you for a great instruction on how to setup VPN between two ASUS routers. I got the connection up and running with your instructions.
I was checking another site for similar setup, with different settings. (https://forums.whirlpool.net.au/archive/2724670) I didn't get that one to work.
I can now access my Windows 10 computer through Remote Desktop, not by name but by IP. Setting up the DNS servers should solve this, but I can't access the same computer's file share. Why is it that the file share is not working?
 

Bonk-70

New Around Here
Thank you for a great instruction on how to set up VPN between two ASUS routers. I got the connection up and running with your instructions...

Found the following solution for this:
To help anyone else who is as clueless as I and comes across this thread then the solution was to do the following.

1. Control panel
2. Windows Firewall
3. Advanced settings
4. Inbound rules
5. File and Printer sharing (SMB in)
6. Scope
7. Remote IP address (add)
8. Add subnet to the top box, 10.1.2.0. This is item 17 in the instructions above (VPN Subnet / Netmask:10.1.2.0 and 255.255.255.0)
 

jsshapiro

Occasional Visitor
Ed (the OP) has done a fantastic job here - especially in describing all of the subnets involved. Unfortunately, he introduces a security hole in his instructions, and his solution only works because of the hole. One of the reasons people here have been struggling to duplicate his results is that they didn't enable the security hole.

Since we were finally forced to solve this one at work, I've just posted a multi-part thread that documents how to do it the way it's actually intended to be done. As I type, I'm sitting at one of the client sites, with active remote desktop connections to machines at both of the other sites. You can find the thread describing how to do it here (link), or you can search the forums for "Bi-directional VPN WRT".

About that security hole...

A while back, @maxbraketorque asked:
- Why do you have "Username/Password Auth. Only" in the Details section set to <yes>? Doesn't this bypass using the certificates for authentication?

The short answer is yes, which makes that setting a very bad thing (tm). Enabling that turns off the check for a client-side certificate on the OpenVPN server, which is definitely something that you want to have protecting you. It turns out that the site-to-site support in OpenVPN relies on having a recognizable certificate at the "client" site to decide whether bi-directional routing should be permitted. The thread that I just published describes how to create the needed certificates correctly and how to build an OVPN file that contains them for installation on the client routers.

The good news is that you don't have to make any configuration changes that require logging in to the serving router. The bad news is that the easiest way to generate the per-client-site certificates is to log in to the serving router, because that's where the certificate authority files you need are sitting. But once you have the client certificate and key, you can pop them in to the "generic" OVPN file and they will work just fine.

Hopefully the new thread is useful, but it's a first pass. Please don't hesitate to add your comments and help me make it better if you find something that isn't right or something that could be clearer.
 

justbrowsing

New Around Here
Thank you, been through hell for 3 days until I found this guide that helped me build a site-to-site VPN tunnel using 2 Asus routers.

One thing I found out that may be helpful:
You can set "Username/Password Auth. Only" to <no> if ASUS router is the only client
BUT you have to set Common Name in step 17) of this guide:
In 'Allowed Clients' enter a Common Name for the Client Router
to "client".

It is because configuration you download using step 18)
Step 18) VPN->VPN Server->OpenVPN->'Export OpenVPN configuration file'->Export
contains a client certificate and private key with common name "client", so when you connect with a second VPN client the first one will get disconnected (as they both have the same common name "client" and will be mapped to the same IP address).

If you have 2 or more clients you need to set "Username/Password Auth. Only" to <yes> or generate multiple certificates with different common names (didn't try it yet).
 
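The script below is an added example (not part of the guide, and not taken from Asuswrt-Merlin or from jsshapiro's thread) of the certificate-based route that both jsshapiro and justbrowsing describe: issue one client certificate per site with a distinct Common Name, signed by the server router's CA, write the matching client-config-dir entry, and check a server configuration for the directives that "Username/Password Auth. Only" corresponds to. Assumptions: the CA certificate and key have been copied off the server router as ca.crt and ca.key (file names assumed), the client-config-dir is a path you choose, openssl is on the PATH, and the mapping of that GUI switch to `client-cert-not-required` / `verify-client-cert none` is the editor's reading, not something the thread states. The network_of check catches the host-versus-network mix-up discussed earlier (10.100.101.100 versus 10.100.101.0).

```shell
#!/bin/sh
# Issue a per-site OpenVPN client certificate plus its ccd entry, and refuse
# server configs that skip client-certificate verification.
# Added example; ca.crt/ca.key names and all paths are assumptions.

# Dotted-quad <-> integer, pure POSIX sh arithmetic.
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
int2ip() {
    printf '%d.%d.%d.%d' $(( ($1 >> 24) & 255 )) $(( ($1 >> 16) & 255 )) \
                         $(( ($1 >> 8) & 255 )) $(( $1 & 255 ))
}
# network_of IP MASK -> network address (host bits cleared)
network_of() {
    int2ip $(( $(ip2int "$1") & $(ip2int "$2") ))
}

# write_ccd DIR CN LAN MASK: create DIR/CN holding the iroute for that site.
# OpenVPN picks the file by the Common Name of the presented certificate, so
# every site needs its own CN or the sites overwrite each other's route.
write_ccd() {
    net=$(network_of "$3" "$4")
    if [ "$net" != "$3" ]; then
        echo "write_ccd: $3 is a host address; the network is $net" >&2
        return 1
    fi
    mkdir -p "$1"
    printf 'iroute %s %s\n' "$3" "$4" > "$1/$2"
    echo "$1/$2"
}

# check_server_conf FILE: fail if client certificates are not verified.
# client-cert-not-required is the pre-2.4 spelling, verify-client-cert the
# 2.4+ one; duplicate-cn would let two sites share one CN and one iroute.
check_server_conf() {
    if grep -E '^[[:space:]]*(client-cert-not-required|verify-client-cert[[:space:]]+(none|optional))' "$1"; then
        echo "check_server_conf: $1 does not verify client certificates" >&2
        return 1
    fi
    if grep -Eq '^[[:space:]]*duplicate-cn' "$1"; then
        echo "check_server_conf: $1 allows several clients with the same CN" >&2
        return 1
    fi
}

# issue_client_cert CADIR OUTDIR CN [DAYS]: RSA key + CA-signed cert for CN.
# The clientAuth EKU lets the server keep "remote-cert-tls client".
issue_client_cert() {
    days=${4:-3650}
    mkdir -p "$2"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$2/$3.key" -out "$2/$3.csr" 2>/dev/null || return 1
    printf 'extendedKeyUsage = clientAuth\nkeyUsage = digitalSignature\n' > "$2/$3.ext"
    openssl x509 -req -in "$2/$3.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days "$days" -extfile "$2/$3.ext" \
        -out "$2/$3.crt" 2>/dev/null || return 1
    rm -f "$2/$3.csr" "$2/$3.ext"
    chmod 600 "$2/$3.key"
    echo "$2/$3.crt"
}

# Usage: sh issue_site.sh CADIR CCDDIR CN LAN MASK [SERVER_CONF]
# e.g.   sh issue_site.sh ./ca ./ccd maryland 192.168.58.0 255.255.255.0 server.conf
if [ "$#" -ge 5 ]; then
    if [ -n "$6" ]; then check_server_conf "$6" || exit 1; fi
    write_ccd "$2" "$3" "$4" "$5" || exit 1
    issue_client_cert "$1" "$2/certs" "$3" || exit 1
    echo "paste $2/certs/$3.crt and $2/certs/$3.key into the exported .ovpn for site $3"
fi
```

The certificate and key it produces replace the "client" ones inside the .ovpn exported in step 18 of the guide; the server then needs the ccd file, the corresponding `route` line, and "Username/Password Auth. Only" left at <no>.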

Pupster

Occasional Visitor
So... um... has anyone found a workaround/fix for linking two routers that both use VPN Fusion (i.e. x2 AX-GTE11000 routers)? I'm not able to link them since the routing tables don't get updated, apparently (point #38 in the OP's sticky regarding the client).
 