What's new

Weird routing issue from VPN to LAN

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

L2wxg

New Around Here
Having a weird routing issue from VPN to LAN, on RT-AX88U with Merlin 386.3_2

Running OpenVPN server on the router, client on Windows10.
My goal is to make both internet and LAN accessible to client.
Connection to VPN works fine and internet is accessible, but no access to LAN (ping timeout to any LAN IP including the router IP and the VPN gateway IP).
(LAN is 10.0.0.0/23 , router IP is 10.0.0.138)

Tried enabling/disabling Firewall - makes no difference.
Tried the solution from this thread - not working.
After trying a bunch of random stuff, I've found a sort of workaround.
When I add and then remove (!) the following LAN static route in the router, it starts working as expected:

Network/Host IP: 10.0.0.0
Netmask: 255.255.254.0
Gateway: 10.0.0.138
Metric: 1
Interface: VPN

Sometimes it works while the above static route still exists (mostly it doesn't), but after router reboot it consistently stops working again (whether it exists or not), until the route is added and then removed again.

How can I make it work permanently?
Any help would be appreciated.
Thanks
 
I am only marginally familiar with VPNs, so consider that caveat to anything that follows :)

What do you accomplish by running a VPN client on Windows IN ADDITION to the VPN running on the router? I would assume that your Windows client is encrypting it's network activity, and nothing on your network (short of a configured VPN server) is going to know how to respond to it. I thought the whole point of running the VPN on your router was so that all your local network devices can take advantage of the VPN without having to be configured in any special way.
 
Sorry, I should've explained my setup better.
The router is in the office, and the Windows client is at home.
There are some servers in the office that aren't accessible from the internet, and I want to make them accessible to client only after client connects to the VPN.
There are also some servers on the internet (not in the office), which are firewalled and are accessible only from the office, and I want to allow the client at home to access these servers when the client connects to the office VPN.

Also, I don't know if it's relevant, but the router has a DualWAN setup (2 different ISPs, one static and one PPPoE).
 
Examine the router's syslog for openvpn messages. Do the same for the Windows VPN client's log. Are there any errors or routing conflicts?

How is your VPN client configured? Is it TUN or TAP? Is it using split tunnelling?

If possible, temporarily disable dual WAN to see if that's the problem.
 
There is no errors in server or client logs (only some irrelevant warnings).

Client config:
Code:
client
dev tun
proto tcp
remote x.x.x.x YYYY
persist-key
persist-tun
cipher AES-256-GCM
auth SHA256
key-direction 1
remote-cert-tls server
<...certs/keys...>

Server config:
(Putting the client inside the LAN. Also tried VPN network/subnet outside the LAN, but it had no effect on the original problem):
Code:
daemon ovpn-server1
topology subnet
server 10.0.1.128 255.255.255.192
proto tcp-server
port YYYY
dev tun21
txqueuelen 1000
data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC
auth SHA256
keepalive 15 60
push "route 10.0.0.0 255.255.254.0 vpn_gateway 500"
client-config-dir ccd
client-to-client
push "redirect-gateway def1"
push "dhcp-option DNS x.x.x.x"
push "block-outside-dns"
key-direction 0
<...certs/keys...>

I think I figured out the cause...
It wasn't the Dual WAN itself that was the problem, but the Dual WAN Routing rules, when Dual WAN mode was Load Balance.
Removing these routing rules, or setting Dual WAN mode to Fail Over fixes the original problem.

It creates a new problem though.
Now I can't assign specific devices (or subnets) to a specific WAN, and I'd like to do that.
Is there a way to do that without it breaking the VPN, or when WAN is in Fail Over mode?
 

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top