Greetings, I have configured a VPN between two Asus routers:
Server side RT-AX55
DMZ from ISP
xxx.asuscomm.com working
IP 192.168.101.1
Client side RT-AC68U
IP 192.168.100.1
From configuration of server:
Allowed clients
Description | Host | Mask | Push |
clientA | 192.168.100.0 | 255.255.255.0 | Yes |
On the client I only attached the ovpn config file to a new profile, but when the VPN connected, the interface showed an IP conflict error (the second one).
The first one works, but it is a VPN on an Amazon VM with an OpenVPN server.
On both sides there are no rules in the IP route tables.
The log when the VPN is connected shows this:
Jan 19 22:29:46 rc_service: httpd 8769:notify_rc restart_vpncall
Jan 19 22:29:47 vpnclient5[18833]: event_wait : Interrupted system call (code=4)
Jan 19 22:29:47 vpnclient5[18833]: /etc/openvpn/ovpn-route-pre-down tun15 1500 1553 10.8.0.10 10.8.0.9 init
Jan 19 22:29:48 vpnclient5[18833]: Closing TUN/TAP interface
Jan 19 22:29:48 vpnclient5[18833]: /sbin/ifconfig tun15 0.0.0.0
Jan 19 22:29:48 vpnclient5[18833]: /etc/openvpn/ovpn-down tun15 1500 1553 10.8.0.10 10.8.0.9 init
Jan 19 22:29:48 dnsmasq[8589]: ignoring nameserver 192.168.100.1 - local interface
Jan 19 22:29:48 vpnclient5[18833]: SIGTERM[hard,] received, process exiting
Jan 19 22:29:51 rc_service: httpd 8769:notify_rc restart_vpncall
Jan 19 22:29:52 vpnclient5[19028]: OpenVPN 2.4.11 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jul 14 2022
Jan 19 22:29:52 vpnclient5[19028]: library versions: OpenSSL 1.1.1n 15 Mar 2022, LZO 2.03
Jan 19 22:29:52 vpnclient5[19029]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jan 19 22:29:52 vpnclient5[19029]: TCP/UDP: Preserving recently used remote address: [AF_INET]189.238.144.29:1024
Jan 19 22:29:52 vpnclient5[19029]: Socket Buffers: R=[122880->122880] S=[122880->122880]
Jan 19 22:29:52 vpnclient5[19029]: UDP link local: (not bound)
Jan 19 22:29:52 vpnclient5[19029]: UDP link remote: [AF_INET]189.238.144.29:1024
Jan 19 22:29:52 vpnclient5[19029]: TLS: Initial packet from [AF_INET]189.238.144.29:1024, sid=b9ffdc5d 28f34a53
Jan 19 22:29:52 vpnclient5[19029]: VERIFY OK: depth=1, C=TW, ST=TW, L=Taipei, O=ASUS, CN=RT-AX55, emailAddress=me@myhost.mydomain
Jan 19 22:29:52 vpnclient5[19029]: VERIFY KU OK
Jan 19 22:29:52 vpnclient5[19029]: Validating certificate extended key usage
Jan 19 22:29:52 vpnclient5[19029]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Jan 19 22:29:52 vpnclient5[19029]: VERIFY EKU OK
Jan 19 22:29:52 vpnclient5[19029]: VERIFY OK: depth=0, C=TW, ST=TW, L=Taipei, O=ASUS, CN=RT-AX55, emailAddress=me@myhost.mydomain
Jan 19 22:29:53 vpnclient5[19029]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 1024 bit RSA
Jan 19 22:29:53 vpnclient5[19029]: [RT-AX55] Peer Connection Initiated with [AF_INET]189.238.144.29:1024
Jan 19 22:29:54 vpnclient5[19029]: SENT CONTROL [RT-AX55]: 'PUSH_REQUEST' (status=1)
Jan 19 22:29:54 vpnclient5[19029]: PUSH: Received control message: 'PUSH_REPLY,route 192.168.100.0 255.255.255.0,route 192.168.101.0 255.255.255.0 vpn_gateway 500,redirect-gateway def1,dhcp-option DNS 192.168.101.1,route 192.168.101.1,block-outside-dns,redirect-gateway def1,route 10.8.0.0 255.255.255.0,topology net30,ping 10,ping-restart 30,ifconfig 10.8.0.14 10.8.0.13,peer-id 2,cipher AES-256-GCM'
Jan 19 22:29:54 vpnclient5[19029]: Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:6: block-outside-dns (2.4.11)
Jan 19 22:29:54 vpnclient5[19029]: OPTIONS IMPORT: timers and/or timeouts modified
Jan 19 22:29:54 vpnclient5[19029]: OPTIONS IMPORT: --ifconfig/up options modified
Jan 19 22:29:54 vpnclient5[19029]: OPTIONS IMPORT: route options modified
Jan 19 22:29:54 vpnclient5[19029]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Jan 19 22:29:54 vpnclient5[19029]: OPTIONS IMPORT: peer-id set
Jan 19 22:29:54 vpnclient5[19029]: OPTIONS IMPORT: adjusting link_mtu to 1625
Jan 19 22:29:54 vpnclient5[19029]: OPTIONS IMPORT: data channel crypto options modified
Jan 19 22:29:54 vpnclient5[19029]: Data Channel: using negotiated cipher 'AES-256-GCM'
Jan 19 22:29:54 vpnclient5[19029]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jan 19 22:29:54 vpnclient5[19029]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jan 19 22:29:54 vpnclient5[19029]: TUN/TAP device tun15 opened
Jan 19 22:29:54 vpnclient5[19029]: TUN/TAP TX queue length set to 100
Jan 19 22:29:54 vpnclient5[19029]: /sbin/ifconfig tun15 10.8.0.14 pointopoint 10.8.0.13 mtu 1500
Jan 19 22:29:54 vpnclient5[19029]: /etc/openvpn/ovpn-up tun15 1500 1553 10.8.0.14 10.8.0.13 init
Jan 19 22:29:54 dnsmasq[8589]: ignoring nameserver 192.168.101.1 - local interface
Jan 19 22:29:54 vpnclient5: WARNING: Ignore conflicted routing rule: 192.168.100.0 255.255.255.0 gw 10.8.0.13
Jan 19 22:29:54 vpnclient5: WARNING: Ignore conflicted routing rule: 192.168.101.0 255.255.255.0 gw 10.8.0.13
Jan 19 22:29:54 vpnclient5: WARNING: Ignore conflicted routing rule: 192.168.101.1 255.255.255.255 gw 10.8.0.13
Jan 19 22:29:54 vpnclient5[19029]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Jan 19 22:29:54 vpnclient5[19029]: Initialization Sequence Completed
The IP route table on the client side shows this:
I am hoping for some advice on site-to-site access; currently only a ping to the device gets a response.
[from client]
Haciendo ping a 192.168.101.1 con 32 bytes de datos:
Respuesta desde 192.168.101.1: bytes=32 tiempo<1m TTL=64
Respuesta desde 192.168.101.1: bytes=32 tiempo<1m TTL=64
Respuesta desde 192.168.101.1: bytes=32 tiempo<1m TTL=64
Respuesta desde 192.168.101.1: bytes=32 tiempo<1m TTL=64
I have a feeling that you only have to add the route on the client side, but I already tried it and it's still not resolved. I hope you can help me configure the VPN correctly so that I can have full access from both sides of the network.
Greetings and excellent day.
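
As an added example (not part of the original post), this Python sketch checks the routes pushed in the log above against the client's own LAN and reads two other values from the same log: the RSA key size on the control channel and the pushed option the client rejected. The function names are hypothetical, and the client LAN 192.168.100.0/24 is taken from the "Allowed clients" entry in the post.

```python
import ipaddress
import re

# Constructed sample: three lines copied from the client log in the post.
SAMPLE_LOG = """\
Jan 19 22:29:53 vpnclient5[19029]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 1024 bit RSA
Jan 19 22:29:54 vpnclient5[19029]: PUSH: Received control message: 'PUSH_REPLY,route 192.168.100.0 255.255.255.0,route 192.168.101.0 255.255.255.0 vpn_gateway 500,redirect-gateway def1,dhcp-option DNS 192.168.101.1,route 192.168.101.1,block-outside-dns,redirect-gateway def1,route 10.8.0.0 255.255.255.0,topology net30,ping 10,ping-restart 30,ifconfig 10.8.0.14 10.8.0.13,peer-id 2,cipher AES-256-GCM'
Jan 19 22:29:54 vpnclient5[19029]: Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:6: block-outside-dns (2.4.11)
"""


def pushed_routes(log):
    """Return the networks named by 'route' options in the PUSH_REPLY line."""
    m = re.search(r"'PUSH_REPLY,([^']*)'", log)
    routes = []
    for opt in (m.group(1).split(",") if m else []):
        parts = opt.split()
        if len(parts) >= 2 and parts[0] == "route":
            # OpenVPN uses 255.255.255.255 when the netmask is omitted.
            mask = parts[2] if len(parts) > 2 else "255.255.255.255"
            routes.append(ipaddress.ip_network(f"{parts[1]}/{mask}", strict=False))
    return routes


def overlapping(routes, local_lan):
    """Pushed routes that cover addresses already on the client's own LAN."""
    lan = ipaddress.ip_network(local_lan)
    return [r for r in routes if r.overlaps(lan)]


def rsa_bits(log):
    """RSA key size reported on the 'Control Channel' line, or None."""
    m = re.search(r"(\d+) bit RSA", log)
    return int(m.group(1)) if m else None


def rejected_options(log):
    """Pushed options the client reported as unrecognized."""
    return re.findall(r"\[PUSH-OPTIONS\]:\d+: (\S+)", log)


if __name__ == "__main__":
    routes = pushed_routes(SAMPLE_LOG)
    print("pushed routes:", [str(r) for r in routes])
    print("overlap with client LAN:", [str(r) for r in overlapping(routes, "192.168.100.0/24")])
    print("RSA bits:", rsa_bits(SAMPLE_LOG), "(below 2048 is considered weak)")
    print("rejected options:", rejected_options(SAMPLE_LOG))
```

On the sample lines it reports that the pushed route 192.168.100.0/24 is the client's own LAN, that the control channel certificate uses a 1024-bit RSA key, and that `block-outside-dns` was rejected by the 2.4.11 client.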