
Unable to reach VPN server in two-router setting

junk1
I have a VPN server in a two-router setup, and I can't make it work.

Router 1 (192.168.0.1) is my main router, connected to my ISP.

Router 2 (192.168.0.2) is an Asus RT-N66U with Merlin firmware running a VPN server.

The two routers are hooked up LAN to LAN, to avoid having two different subnets. I have enabled port forwarding in Router 1 to forward the VPN port to Router 2.

The issue is that I cannot reach the VPN server from outside the LAN. From inside it works; from outside, I don't get a server reply. Other services behind Router 1, for which I am forwarding ports as well, do not have this problem -- they are accessible from the WAN.

I guess this has to be a firewall or similar issue with Router 2. But I have disabled its firewall, as well as NAT and DHCP, and the problem persists.

Any suggestions will be highly appreciated.
 
The two routers are hooked up LAN to LAN,
As far as I am aware that is not a valid configuration. The VPN server only listens on its WAN interface, not the LAN. In fact in my particular firmware (John's fork of Merlin) the VPN server refuses to start without a valid WAN connection.
 
Thanks for your reply.

Forgive my ignorance -- is this a limitation of the router or the firmware? I am asking because I can set up a VPN server on a PC or a NAS, neither of which has a WAN interface.
 
The firmware. The code was written with the expectation (not unreasonably) that incoming VPN connections would be through the WAN interface.

I am asking because I can set up a VPN server on a PC or a NAS, neither of which has a WAN interface.
A PC or NAS doesn't have a LAN interface either, because it's not a router. It just has "an interface".
 
Colin, thanks for this, you just saved me from wasting a lot more effort.

I will have to move to a LAN-to-WAN connection among the routers. I presume that I will end up with another subnet (say 192.168.1.x) for Router 2.

Perhaps you can answer another question then. In that setting, is it still possible to create a bridged VPN, which was my original intent -- bridged with the 192.168.0.x subnet, where all my computers are?
 
With two separate subnets you will probably have routing (and other) issues to resolve. But you'd have these whether you're using the VPN or not. It depends on exactly what you're trying to achieve (in your network design).
 
@junk1 Thinking about this again and the problems associated with having two subnets...

It's worth trying the following with your existing (single subnet) setup. Under VPN Server > VPN Details > Custom configuration add the following line:

local 192.168.0.2

This assumes that 192.168.0.2 is the LAN IP address of your VPN server. In theory this should make the VPN server listen on the LAN interface rather than the WAN.

Whether there will be any unforeseen routing issues I couldn't say.
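As an added check, not part of Colin's post or of the Merlin firmware: whether the OpenVPN daemon is bound to the WAN address, to the LAN address, or to every interface can be read straight off the router's socket table rather than inferred, and that is the first thing to confirm after adding a `local` line. The script below is example code written for this page. It parses `netstat -lnu` style output (busybox `netstat -anu` works too) for the OpenVPN UDP port and classifies the bind address. The port 1194, the LAN address 192.168.0.2 from the thread and the netstat lines are constructed; IPv4 sockets only.

```shell
#!/bin/sh
# Example for this page, not from the thread or from asuswrt-merlin.
# Given netstat output on stdin and the OpenVPN UDP port, print the IPv4
# address the daemon is bound to (empty if nothing listens on that port).
ovpn_bind_addr() {
  _port=$1
  awk -v p="$_port" '
    $1 ~ /^udp/ {
      # find the field of the form ADDR:PORT whose port matches
      for (i = 1; i <= NF; i++) {
        n = split($i, a, ":")
        if (n == 2 && a[2] == p) { print a[1]; exit }
      }
    }'
}

# Turn the bound address into what it means for a LAN-to-LAN setup.
# LAN_IP is the address a `local LAN_IP` directive would pin the daemon to.
classify_bind() {
  _addr=$1 _lan=$2
  case "$_addr" in
    "")        echo "not-listening" ;;   # nothing bound on that port
    0.0.0.0)   echo "all-interfaces" ;;  # OpenVPN default: no `local` line
    "$_lan")   echo "lan" ;;             # what `local $_lan` should produce
    *)         echo "other:$_addr" ;;    # e.g. pinned to the WAN address
  esac
}

# Constructed netstat excerpts (assumed values, not captured from a router):
# a daemon bound everywhere, one pinned with `local 192.168.0.2`, and one
# absent (for instance because OpenVPN refused to start).
NETSTAT_ALL='Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp        0      0 0.0.0.0:1194            0.0.0.0:*
udp        0      0 192.168.0.2:53          0.0.0.0:*'
NETSTAT_LOCAL='udp        0      0 192.168.0.2:1194        0.0.0.0:*'
NETSTAT_NONE='udp        0      0 0.0.0.0:53              0.0.0.0:*'

# Demo: `sh ovpn_bind.sh demo`. On a live router replace the sample with
#   netstat -anu | ovpn_bind_addr 1194
if [ "${1:-}" = "demo" ]; then
  for s in "$NETSTAT_ALL" "$NETSTAT_LOCAL" "$NETSTAT_NONE"; do
    addr=$(printf '%s\n' "$s" | ovpn_bind_addr 1194)
    echo "bound to '${addr}' -> $(classify_bind "$addr" 192.168.0.2)"
  done
fi
```

If the result is `all-interfaces` or `lan` and remote clients still get no reply, the socket is not the problem and the fault is in forwarding or routing; if it is `other:` with the WAN address, the `local` line has not taken effect.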
 
Thanks for the suggestion. Unfortunately it does not work, the server still does not reply.
 
Admittedly your setup isn't entirely clear, it just sounds like you are using a router as a VPN server behind another router connected to the internet. From what you've said you can connect to the VPN from the local network the VPN server is connected to, which means this should work if forwarding properly.

You haven't said what type of VPN. PPTP doesn't work by only port forwarding and with OpenVPN you will need to make sure you are forwarding UDP. For PPTP you have to enable PPTP/GRE passthrough as GRE is a tunneling protocol, not a port.

Sent from my MI 5 using Tapatalk
 
FYI for PPTP, I've never bothered forwarding PPTP with asuswrt and it looks like despite having PPTP as a famous server option, you also need to add GRE.

https://www.asus.com/us/support/FAQ/1033906/

Handing off GRE to an internal server is separate from the GRE NAT passthrough option available for outbound clients.
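To make the GRE point concrete, here is an added example (not from the thread, from Asus or from asuswrt-merlin) of the iptables rules router 1 would need to hand both OpenVPN (one UDP port) and PPTP (TCP/1723 for the control channel plus GRE, IP protocol 47, which has no port) to an internal server, together with an audit that checks an `iptables-save` dump for all three pieces. The interface name eth0, the server address 192.168.0.2, the OpenVPN port 1194 and the sample dump are assumptions; the dump is constructed to show the common mistake of forwarding TCP/1723 without GRE.

```shell
#!/bin/sh
# Example for this page, not from the thread or from any router firmware.
# Assumed names: WAN_IF is router 1's WAN interface, VPN_HOST is router 2's
# LAN address, OVPN_PORT is the OpenVPN UDP port.

# Print the iptables rules router 1 needs to forward incoming VPN traffic
# to an internal VPN server. PPTP needs two DNATs: TCP/1723 and GRE.
vpn_forward_rules() {
  _host=$1 _wan=$2 _ovpn=$3
  cat <<EOF
iptables -t nat -A PREROUTING -i $_wan -p udp --dport $_ovpn -j DNAT --to-destination $_host:$_ovpn
iptables -A FORWARD -i $_wan -p udp -d $_host --dport $_ovpn -j ACCEPT
iptables -t nat -A PREROUTING -i $_wan -p tcp --dport 1723 -j DNAT --to-destination $_host:1723
iptables -A FORWARD -i $_wan -p tcp -d $_host --dport 1723 -j ACCEPT
iptables -t nat -A PREROUTING -i $_wan -p gre -j DNAT --to-destination $_host
iptables -A FORWARD -i $_wan -p gre -d $_host -j ACCEPT
EOF
}

# Audit an iptables-save dump (stdin) for the same three DNATs.
# Prints one line per missing piece; prints nothing and returns 0 when
# all are present.
audit_vpn_forward() {
  _host=$1 _ovpn=$2
  _dump=$(cat)
  _rc=0
  printf '%s\n' "$_dump" | grep -q -- "-p udp .*--dport $_ovpn .*-j DNAT --to-destination $_host" \
    || { echo "missing: UDP/$_ovpn DNAT to $_host (OpenVPN)"; _rc=1; }
  printf '%s\n' "$_dump" | grep -q -- "-p tcp .*--dport 1723 .*-j DNAT --to-destination $_host" \
    || { echo "missing: TCP/1723 DNAT to $_host (PPTP control channel)"; _rc=1; }
  printf '%s\n' "$_dump" | grep -qE -- "-p (gre|47) .*-j DNAT --to-destination $_host" \
    || { echo "missing: GRE DNAT to $_host (PPTP data channel)"; _rc=1; }
  return $_rc
}

# Constructed iptables-save excerpt for router 1 (not captured from a real
# device): OpenVPN and the PPTP control port are forwarded, GRE is not.
SAMPLE_DUMP='*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p udp -m udp --dport 1194 -j DNAT --to-destination 192.168.0.2:1194
-A PREROUTING -i eth0 -p tcp -m tcp --dport 1723 -j DNAT --to-destination 192.168.0.2:1723
COMMIT'

# Demo: `sh vpn_forward.sh demo`. On a live router 1 run instead:
#   iptables-save | audit_vpn_forward 192.168.0.2 1194
if [ "${1:-}" = "demo" ]; then
  vpn_forward_rules 192.168.0.2 eth0 1194
  printf '%s\n' "$SAMPLE_DUMP" | audit_vpn_forward 192.168.0.2 1194
fi
```

The audit is deliberately loose (it matches DNAT rules by protocol, port and target, not by chain or interface), so it flags an absent forward without complaining about a router's own rule layout.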
 
Thanks for your input. Yes, my setup has a secondary router with a VPN server behind a primary router that connects to the ISP.

It really does not seem to matter which type of VPN. Both PPTP and OpenVPN (yes, I am forwarding UDP) work from inside the network, neither does from outside.

What really seems to make the difference is whether the routers are connected LAN-to-WAN (then both PPTP and OpenVPN work fine from both inside and outside) or LAN-to-LAN (then the problem arises when trying to access the VPN from outside).

I'll be grateful for any other suggestions.
 
Ok, so it does service connections when using the WAN port. Sorry, I didn't see you actually confirm that was working from outside your network.

Unfortunately I've only used asuswrt/merlin stuff with basic home setups. Anything like what you're trying to do I'd be using openwrt, which gives you much more control over how the firewall and switch function (the WAN port is just another switch port, nothing special except internally VLANed).

It seems strange that you can connect internally but not externally when using a LAN port, the main difference being the originating IP and the requirement to route out the default gateway (you can rule out NAT and PAT if they are working with the WAN port). Assuming you have full internet connectivity from the VPN router when only connected via a LAN port, then I'd have to assume that either the firewall (unlikely on the LAN side) or VPN config are imposing some limitation but I can't imagine what ...

To me the only real difference between connecting the LAN or WAN port to your internal network would be how the VPN router actually routes. If you can ping outside to the internet from the VPN router's cli then I'd test port forwarding to a different service just to isolate it to the VPN config.

Sent from my MI 5 using Tapatalk
 
I've been working w/ dd-wrt and tomato OpenVPN implementations for many years. And there's usually no problem in using a bridged (LAN to LAN) configuration on a secondary router. It would be a pretty odd situation when the OpenVPN server could only be bound to the WAN's network interface. But to be fair, I'm much less familiar w/ Merlin, although it's my understanding it shares a lot w/ tomato firmware.

One possible explanation for it not working when remotely accessed is perhaps the secondary router doesn't have a gateway IP specified. In a routed (WAN to LAN) config, this is normally configured automatically over the WAN via DHCP. But when using a LAN to LAN config, there is no WAN. And if you expect that secondary router to have internet access, you need to manually configure a gateway IP. Sometimes people forget and only assign a LAN IP and netmask. Which can explain why it works locally, but NOT remotely.

Another potential problem is the OpenVPN tunnel network. When the OpenVPN server is running on the local network's gateway, the tunnel network (e.g., 10.8.0.0/24) is hosted on the same device. So routing between the tunnel and the local network just works. But if the OpenVPN server is on some other LAN device, the tunnel network is NOT known to the default gateway. And now when OpenVPN clients connect to the OpenVPN server using the 10.8.0.0/24 network (in my example), and need to access local devices or the internet, there is no routing information available to route back the replies. That information is isolated on the hosting device. To fix the problem, you need a static route on the default gateway that tells it where that tunnel is located, which is the LAN ip of that second router.

All that said, I have seen a few cases where some routers when configured LAN to LAN simply can't be reached remotely, for unknown reasons. I have my suspicions why, but can't prove it.
 
Did you ever get this to work? I am trying to do the exact same thing you describe. Everything works perfectly well if I am on the LAN, but no connection to ovpn server on 2nd router if I am outside the LAN.
 
Just sending this in case you don't get a reply ...

As hinted at by myself and suggested by @eibgrad ... The most likely issue in that configuration is ensuring the default gateway or routing is correct from the VPN server/router.

If you can access the internet from the cli of the VPN server (ping google or an internet IP) then it's hard to say what the issue is.

Sent from my MI 5 using Tapatalk
 
I think I have addressed both of those possibilities. My setup is as follows:

Router 1 IP is 10.168.2.1
Router 2 IP is 10.168.2.11

In Router 2 Default Gateway is set as 10.168.2.1, WAN IP is set as 10.168.2.1 and DNS is set as 10.168.2.1

In Router 1 (the default gateway) I have the following static LAN route configured:

Network/Host IP   Netmask          Gateway      Metric  Interface
10.168.2.11       255.255.255.255  10.168.2.1   1       LAN

Do I have something messed up?

Thanks for your help!!
 
I'm assuming the WAN IP is a typo and should be .11

Your scenario is different. You won't need to route to an IP address on the same subnet. Assuming you can connect to the VPN server locally, then you should only need to port forward from router 1.

You're going to run into other potential problems though like possibly conflicting IP ranges and not being able to access the network segment/subnet you intended.

I would have to know logically what you're trying to achieve. With the current physical configuration, after port forwarding to router 2, you should be able to connect from the internet but only have access to the LAN (or LAN2) via router 2. The network on the WAN side of router 2 will be inaccessible via the VPN.

Sent from my MI 5 using Tapatalk
 
Thanks, yes you are correct, the WAN IP is 10.168.2.11 in Router 2.

I have opened the default port on 10.168.2.1 to the IP of router 2 (10.168.2.11), but it is all one subnet. I also for good measure put Router 2 in the DMZ of Router 1.

There are a couple of other issues that might help diagnose this. I can't ping anything on the net from router 2 cli (using Network Tools - Network Analysis in asuswrt-merlin actually). Tried www.google.com and 8.8.8.8 (just to make sure). Can ping everything in my network from the router though. If I plug a laptop into a LAN port of Router 2, I can ping anything on the internet no problem. Also, the second router can not reach an NTP server either (annoying, but the VPN server still works from inside the LAN so I don't think it is contributing to the problem).

I am trying to use the second router, an Asus RT-AC5300, as my VPN server when on the road for work (the primary router is an older, weaker RT-AC3100). The AC5300 is also the wireless access point for the entire house (wireless connections work without issue, including connections to the internet). The asuswrt-merlin firmware disables a whole bunch of features on the router (LAG, VPN Server to name 2 that I wish to/do use) and I am trying to avoid putting the 2nd router in a different subnet so I am using a LAN to LAN connection with both routers in Router mode.

Any other ideas where I might gain some progress on this based on above? Thanks again for any insight!
 
This is a rushed reply so bear with me ...

LAN to LAN definitely makes a difference to how you'll need to configure. Just to clarify, you are connecting the two routers via their LAN ports?

If that is the case, the WAN port on router 2 should not be configured with the same subnet, preferably no IP at all. You'll also want to disable the DHCP server within the LAN section.

The LAN IP address for router 2 should be on the same subnet as the LAN IP for router 1 (10.168.2.11).

You'll need to be able to access the internet from the cli of router 2, if you can't, no other service running on the router will be able to either. Typically this can be rectified by only specifying the default gateway (10.168.2.1) in the static IP configuration on the WAN page. The cli command would be something like "ip r a default via 10.168.2.1" ... Review your routing table with "ip r".

Once you have internet connectivity you should be able to get it going. If you wanted router 2 to handle the LAN, with regards to DHCP etc, you can apply the reverse, disabling DHCP on router 1 etc. but the filtering features of asuswrt will only be available on the router that is the default gateway.

Sent from my MI 5 using Tapatalk
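The two routing gaps eibgrad described earlier in the thread (router 2 with no default gateway; router 1 with no return route for the tunnel network) and the `ip r` check suggested in the reply above can be turned into a script. This is an added example, not from the thread or from any firmware: it takes `ip route` dumps from both routers and prints the `ip route add` commands that are missing. The gateway 192.168.0.1, the VPN host 192.168.0.2, the tunnel network 10.8.0.0/24 and the sample tables are assumed and constructed (203.0.113.0/24 stands in for the ISP side).

```shell
#!/bin/sh
# Example for this page, not from the thread or from any router firmware.
# Usage: route_check GW VPN_HOST TUNNEL "R2_TABLE" "R1_TABLE"
#   GW       router 1's LAN address (the default gateway of the subnet)
#   VPN_HOST router 2's LAN address (where the VPN server runs)
#   TUNNEL   the OpenVPN tunnel network (server directive `server`)
#   R2_TABLE `ip route` output captured on router 2
#   R1_TABLE `ip route` output captured on router 1
# Prints one line per missing route with the command that adds it;
# returns 0 when both routes are present.
route_check() {
  _gw=$1 _vpn=$2 _tun=$3 _r2=$4 _r1=$5
  _rc=0
  # 1. Router 2 needs a default route, or it can answer hosts on its own
  #    subnet (local clients work) but not anything beyond the gateway.
  if ! printf '%s\n' "$_r2" | grep -q "^default via $_gw "; then
    echo "router2: no default route via $_gw; fix: ip route add default via $_gw"
    _rc=1
  fi
  # 2. Router 1 needs a return route for the tunnel network pointing at
  #    router 2's LAN IP, or replies to VPN clients go out to the ISP.
  if ! printf '%s\n' "$_r1" | grep -q "^$_tun via $_vpn "; then
    echo "router1: no route to $_tun via $_vpn; fix: ip route add $_tun via $_vpn"
    _rc=1
  fi
  return $_rc
}

# Constructed `ip route` dumps (assumed values, not captured from real
# devices). Router 2 has only a LAN IP and netmask, the mistake eibgrad
# describes; router 1 knows nothing about the tunnel network.
R2_BROKEN='192.168.0.0/24 dev br0 proto kernel scope link src 192.168.0.2
10.8.0.0/24 dev tun21 proto kernel scope link src 10.8.0.1'
R2_OK="default via 192.168.0.1 dev br0
$R2_BROKEN"
R1_BROKEN='default via 203.0.113.1 dev eth0
203.0.113.0/24 dev eth0 proto kernel scope link src 203.0.113.10
192.168.0.0/24 dev br0 proto kernel scope link src 192.168.0.1'
R1_OK="$R1_BROKEN
10.8.0.0/24 via 192.168.0.2 dev br0"

# Demo: `sh route_check.sh demo`. On the real routers capture `ip route`
# on each box and pass the two outputs as the last two arguments.
if [ "${1:-}" = "demo" ]; then
  route_check 192.168.0.1 192.168.0.2 10.8.0.0/24 "$R2_BROKEN" "$R1_BROKEN"
fi
```

The second check only applies to a routed (tun) server with its own tunnel subnet; a bridged (tap) server, which the original poster was aiming for, hands clients addresses on 192.168.0.0/24 and needs no return route on router 1, but router 2 still needs its default route.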
 
With regards to Merlin disabling features, I also have an RT-AC5300 and that's not my experience. I have more features because of it. Is this something you experienced?

Just to elaborate, I host OpenVPN with far more options than I was able to on stock and I use the specified ports for link aggregation to my NAS.

Sent from my MI 5 using Tapatalk
 