
Access client lan from server side RT-AC88U OpenVPN


SystemF

Regular Contributor
Hello guys! I have a home PC connected to an RT-AC88U (latest stock firmware) with LAN subnet 192.168.199.0/24. I set up an OpenVPN server on the router with subnet 10.222.33.0/24. When I connect the client (172.16.100.112/24, subnet 172.16.100.0/24) to the RT-AC88U, I want to be able to reach the client from the server side (home PC). I have tried numerous things; nothing seems to work. I read a few topics here and in the OpenVPN forum, and I see it's possible with Merlin firmware, but with Asus stock?
Posting screenshots

P.S. Also tried with the client-client option, no luck either.

Update: I’m able to access the server’s LAN from a client but not vice versa.
 
Thanks! My client is in an office environment, and other folks who responded in the thread recommended avoiding it.
Do I have any other alternatives?

I suggest you don't do this if you can possibly avoid it. You haven't gone into any detail about where you are situated, but it sounds like you are in an office environment. The problem with TAP is that it creates an Ethernet bridge between your local network and the remote one. This assumes complete trust in the remote network (which the local administrators probably don't have) and can also disrupt traffic on the local network if not properly set up.

The same problems can of course occur with TUN connections but are less likely because of the separation of subnets.
 
Those warnings about using a bridged OpenVPN (tap) configuration are primarily directed at those looking to remotely access their workplace's OpenVPN server. You typically do NOT want to use a bridged OpenVPN in that situation since it allows total and complete access to the remote network, as if you were located physically at the remote site (i.e., no firewall)! Workplace admins typically don't allow this for the obvious security concerns it creates, and instead prefer routed OpenVPN (tun) tunnels, so they can still incorporate a firewall between the OpenVPN client and workplace network.

But your situation is different. It's YOUR home network that's being exposed, not the workplace. And that may change the calculus when it comes to deciding if this is or isn't a good option.

You *might* have your own similar security concerns when it comes to a bridged OpenVPN tunnel. It's something you have to consider. Should you lose control of the OpenVPN client for any reason, then you too would have your entire network exposed to potentially unauthorized users. At least until you disabled your OpenVPN server. But if you can live w/ a bridged OpenVPN tunnel knowing the risks, then it does make things a lot easier. And it should work w/ the OEM firmware.

That's not to say you couldn't use a routed OpenVPN (tun) tunnel. But that requires additional steps. And it's something I explain in the following post.

https://www.snbforums.com/threads/h...the-server-side-of-openvpn.46680/#post-411676

But even that assumes that you at least have Merlin. Using stock/OEM firmware, it's unlikely to give you the same low-level access necessary to configure a site-to-site tunnel (which is effectively what you're asking for). Merlin also makes this a bit easier to set up since it has a "Manage Client-Side Options" section that automatically configures a CCD directory and iroute directive for specific clients.
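The last reply says a routed (tun) setup depends on a CCD directory and a per-client `iroute` directive. As an added example (not from the thread and not Asus or Merlin code), this Python check runs over a constructed server config and CCD file built from the original poster's subnets and reports an `iroute` with no matching server-side `route`, a missing `client-config-dir`, or a client subnet that overlaps the server LAN or tunnel. The client name `office-client` and the file contents are assumptions.

```python
import ipaddress

# Constructed sample: a routed (tun) server config using the thread's subnets.
SERVER_CONF = """\
dev tun
server 10.222.33.0 255.255.255.0
push "route 192.168.199.0 255.255.255.0"
client-config-dir ccd
route 172.16.100.0 255.255.255.0
"""
# Constructed CCD file contents, keyed by client certificate CN (hypothetical name).
CCD = {"office-client": "iroute 172.16.100.0 255.255.255.0\n"}
SERVER_LAN = "192.168.199.0/24"


def nets(text, directive):
    """Return the networks named by `directive <network> <netmask>` lines."""
    found = []
    for line in text.splitlines():
        parts = line.split("#")[0].split()
        if len(parts) >= 3 and parts[0] == directive:
            found.append(ipaddress.ip_network(f"{parts[1]}/{parts[2]}"))
    return found


def check(server_conf, ccd, server_lan):
    """List problems that stop the server-side LAN reaching a client-side LAN."""
    problems = []
    if not any(l.split()[:1] == ["client-config-dir"] for l in server_conf.splitlines()):
        problems.append("server config has no client-config-dir, CCD files are ignored")
    routes = nets(server_conf, "route")    # kernel -> OpenVPN server process
    tunnel = nets(server_conf, "server")   # the VPN's own address pool
    lan = ipaddress.ip_network(server_lan)
    for cn, text in ccd.items():
        for net in nets(text, "iroute"):   # OpenVPN server -> this client
            if not any(net.subnet_of(r) for r in routes):
                problems.append(f"{cn}: iroute {net} has no matching 'route' on the server")
            for other in [lan, *tunnel]:
                if net.overlaps(other):
                    problems.append(f"{cn}: iroute {net} overlaps {other}")
    return problems


if __name__ == "__main__":
    print(check(SERVER_CONF, CCD, SERVER_LAN) or "route/iroute pairs are consistent")
```

Only the subnets named by `route`/`iroute` become reachable, so the router's firewall still sits between the two networks, unlike the bridged (tap) case discussed above.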
 
