
VPN between Asus RT cannot communicate


raynaud

New Around Here
Greetings, I have configured a VPN between two Asus routers:

Server side RT-AX55
DMZ from ISP
xxx.asuscomm.com working
IP 192.168.101.1

Client side RT-AC68U
IP 192.168.100.1

From configuration of server:
[screenshots]

Allowed clients

Description  Host           Mask           Push
clientA      192.168.100.0  255.255.255.0  Yes


On the client I only attached the .ovpn config file to a new profile, but when the VPN connected, the interface showed an IP conflict error (the second one).
[screenshot]

The first one works, but it is a VPN on an Amazon VM with an OpenVPN server.

On both sides there are no rules in the IP route tables.

The log when the VPN is connected shows this:

Jan 19 22:29:46 rc_service: httpd 8769:notify_rc restart_vpncall
Jan 19 22:29:47 vpnclient5[18833]: event_wait : Interrupted system call (code=4)
Jan 19 22:29:47 vpnclient5[18833]: /etc/openvpn/ovpn-route-pre-down tun15 1500 1553 10.8.0.10 10.8.0.9 init
Jan 19 22:29:48 vpnclient5[18833]: Closing TUN/TAP interface
Jan 19 22:29:48 vpnclient5[18833]: /sbin/ifconfig tun15 0.0.0.0
Jan 19 22:29:48 vpnclient5[18833]: /etc/openvpn/ovpn-down tun15 1500 1553 10.8.0.10 10.8.0.9 init
Jan 19 22:29:48 dnsmasq[8589]: ignoring nameserver 192.168.100.1 - local interface
Jan 19 22:29:48 vpnclient5[18833]: SIGTERM[hard,] received, process exiting
Jan 19 22:29:51 rc_service: httpd 8769:notify_rc restart_vpncall
Jan 19 22:29:52 vpnclient5[19028]: OpenVPN 2.4.11 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jul 14 2022
Jan 19 22:29:52 vpnclient5[19028]: library versions: OpenSSL 1.1.1n 15 Mar 2022, LZO 2.03
Jan 19 22:29:52 vpnclient5[19029]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jan 19 22:29:52 vpnclient5[19029]: TCP/UDP: Preserving recently used remote address: [AF_INET]189.238.144.29:1024
Jan 19 22:29:52 vpnclient5[19029]: Socket Buffers: R=[122880->122880] S=[122880->122880]
Jan 19 22:29:52 vpnclient5[19029]: UDP link local: (not bound)
Jan 19 22:29:52 vpnclient5[19029]: UDP link remote: [AF_INET]189.238.144.29:1024
Jan 19 22:29:52 vpnclient5[19029]: TLS: Initial packet from [AF_INET]189.238.144.29:1024, sid=b9ffdc5d 28f34a53
Jan 19 22:29:52 vpnclient5[19029]: VERIFY OK: depth=1, C=TW, ST=TW, L=Taipei, O=ASUS, CN=RT-AX55, emailAddress=me@myhost.mydomain
Jan 19 22:29:52 vpnclient5[19029]: VERIFY KU OK
Jan 19 22:29:52 vpnclient5[19029]: Validating certificate extended key usage
Jan 19 22:29:52 vpnclient5[19029]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Jan 19 22:29:52 vpnclient5[19029]: VERIFY EKU OK
Jan 19 22:29:52 vpnclient5[19029]: VERIFY OK: depth=0, C=TW, ST=TW, L=Taipei, O=ASUS, CN=RT-AX55, emailAddress=me@myhost.mydomain
Jan 19 22:29:53 vpnclient5[19029]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 1024 bit RSA
Jan 19 22:29:53 vpnclient5[19029]: [RT-AX55] Peer Connection Initiated with [AF_INET]189.238.144.29:1024
Jan 19 22:29:54 vpnclient5[19029]: SENT CONTROL [RT-AX55]: 'PUSH_REQUEST' (status=1)
Jan 19 22:29:54 vpnclient5[19029]: PUSH: Received control message: 'PUSH_REPLY,route 192.168.100.0 255.255.255.0,route 192.168.101.0 255.255.255.0 vpn_gateway 500,redirect-gateway def1,dhcp-option DNS 192.168.101.1,route 192.168.101.1,block-outside-dns,redirect-gateway def1,route 10.8.0.0 255.255.255.0,topology net30,ping 10,ping-restart 30,ifconfig 10.8.0.14 10.8.0.13,peer-id 2,cipher AES-256-GCM'
Jan 19 22:29:54 vpnclient5[19029]: Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:6: block-outside-dns (2.4.11)
Jan 19 22:29:54 vpnclient5[19029]: OPTIONS IMPORT: timers and/or timeouts modified
Jan 19 22:29:54 vpnclient5[19029]: OPTIONS IMPORT: --ifconfig/up options modified
Jan 19 22:29:54 vpnclient5[19029]: OPTIONS IMPORT: route options modified
Jan 19 22:29:54 vpnclient5[19029]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Jan 19 22:29:54 vpnclient5[19029]: OPTIONS IMPORT: peer-id set
Jan 19 22:29:54 vpnclient5[19029]: OPTIONS IMPORT: adjusting link_mtu to 1625
Jan 19 22:29:54 vpnclient5[19029]: OPTIONS IMPORT: data channel crypto options modified
Jan 19 22:29:54 vpnclient5[19029]: Data Channel: using negotiated cipher 'AES-256-GCM'
Jan 19 22:29:54 vpnclient5[19029]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jan 19 22:29:54 vpnclient5[19029]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jan 19 22:29:54 vpnclient5[19029]: TUN/TAP device tun15 opened
Jan 19 22:29:54 vpnclient5[19029]: TUN/TAP TX queue length set to 100
Jan 19 22:29:54 vpnclient5[19029]: /sbin/ifconfig tun15 10.8.0.14 pointopoint 10.8.0.13 mtu 1500
Jan 19 22:29:54 vpnclient5[19029]: /etc/openvpn/ovpn-up tun15 1500 1553 10.8.0.14 10.8.0.13 init
Jan 19 22:29:54 dnsmasq[8589]: ignoring nameserver 192.168.101.1 - local interface
Jan 19 22:29:54 vpnclient5: WARNING: Ignore conflicted routing rule: 192.168.100.0 255.255.255.0 gw 10.8.0.13
Jan 19 22:29:54 vpnclient5: WARNING: Ignore conflicted routing rule: 192.168.101.0 255.255.255.0 gw 10.8.0.13
Jan 19 22:29:54 vpnclient5: WARNING: Ignore conflicted routing rule: 192.168.101.1 255.255.255.255 gw 10.8.0.13
Jan 19 22:29:54 vpnclient5[19029]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Jan 19 22:29:54 vpnclient5[19029]: Initialization Sequence Completed

The IP route table on the client side shows this:
[screenshot]


I hope for some advice on site-to-site access; currently only a ping to the device gets a response.

[from client]
Haciendo ping a 192.168.101.1 con 32 bytes de datos:
Respuesta desde 192.168.101.1: bytes=32 tiempo<1m TTL=64
Respuesta desde 192.168.101.1: bytes=32 tiempo<1m TTL=64
Respuesta desde 192.168.101.1: bytes=32 tiempo<1m TTL=64
Respuesta desde 192.168.101.1: bytes=32 tiempo<1m TTL=64

I have a feeling that you only have to add the route on the client side, but I already tried it and it's still not resolved. I hope you can help me configure the VPN correctly so I can have full access from both sides of the network.

Greetings and excellent day.
 
Do not use 192.168.101.x as a subnet.

192.168.101.x and 192.168.102.x are subnets used by Asus for WiFi guest networks.
 
Thanks, I changed the segment of the server and the error message is still there, but the result is good because the log only has a collision with the subnet of the client.
The log now says:
Jan 20 09:47:39 vpnclient5[6410]: /etc/openvpn/ovpn-up tun15 1500 1553 10.8.0.10 10.8.0.9 init
Jan 20 09:47:40 vpnclient5: WARNING: Ignore conflicted routing rule: 192.168.100.0 255.255.255.0 gw 10.8.0.9
Jan 20 09:47:40 vpnclient5[6410]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Jan 20 09:47:40 vpnclient5[6410]: Initialization Sequence Completed

And from the client I can now reach the server router but not ping my computer on the server side, and from the server side I can't ping any device on the client side.

I wonder if a static route alone can fix it?
 
Finally I connected the two devices over the VPN using different 192.168.x.x IPs, but the client device goes out to the internet through the server router. How can I set it so that the client uses the internet from its local ISP device and only accesses remote devices through the server router?
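
An added example, not part of the original posts: a short Python check that parses the PUSH_REPLY from the first post's log and reports pushed routes that overlap the client's own networks, plus any redirect-gateway push. The local network list is an assumption (the client LAN from the first post and the guest subnet named in the reply), and the function names are hypothetical.

```python
import ipaddress

# PUSH_REPLY copied from the client log in the first post (Jan 19 22:29:54).
PUSH_REPLY = ("PUSH_REPLY,route 192.168.100.0 255.255.255.0,"
              "route 192.168.101.0 255.255.255.0 vpn_gateway 500,"
              "redirect-gateway def1,dhcp-option DNS 192.168.101.1,"
              "route 192.168.101.1,block-outside-dns,redirect-gateway def1,"
              "route 10.8.0.0 255.255.255.0,topology net30,ping 10,"
              "ping-restart 30,ifconfig 10.8.0.14 10.8.0.13,peer-id 2,"
              "cipher AES-256-GCM")

# Assumption: networks already present on the client router.
CLIENT_LOCAL = ["192.168.100.0/24", "192.168.101.0/24"]

def parse_push_reply(msg):
    """Split a PUSH_REPLY into (option, args) pairs, dropping the leading tag."""
    opts = []
    for item in msg.split(",")[1:]:
        parts = item.split()
        if parts:
            opts.append((parts[0], parts[1:]))
    return opts

def pushed_routes(opts):
    """Yield each pushed 'route' as a network; a missing mask is a /32 host route."""
    for name, args in opts:
        if name == "route" and args:
            has_mask = len(args) > 1 and args[1] != "default"
            mask = args[1] if has_mask else "255.255.255.255"
            yield ipaddress.ip_network(f"{args[0]}/{mask}", strict=False)

def audit(msg, local_nets):
    """Report pushed routes that overlap local networks and full-tunnel pushes."""
    opts = parse_push_reply(msg)
    local = [ipaddress.ip_network(n) for n in local_nets]
    findings = []
    for net in pushed_routes(opts):
        for lan in local:
            if net.overlaps(lan):
                findings.append(("route-overlaps-local", str(net), str(lan)))
    if any(name == "redirect-gateway" for name, _ in opts):
        # redirect-gateway moves the client's default route into the tunnel
        findings.append(("full-tunnel", "redirect-gateway", ""))
    return findings

if __name__ == "__main__":
    for finding in audit(PUSH_REPLY, CLIENT_LOCAL):
        print(finding)
```

The three overlap findings line up with the three "Ignore conflicted routing rule" warnings in the log, and the full-tunnel finding corresponds to the behaviour described in the last post. OpenVPN 2.4 clients can ignore that pushed option with `pull-filter ignore "redirect-gateway"`.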
 
