What's new

Access devices in OpenVPN network created by two behind-NAT routers?

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

loveleeyoungae

Regular Contributor
Hi,

I did try to search on Google for this kind of my network configuration, but couldn't find a possible guide. So I'm posting my questions here. Please have a look at my diagram below (hope you don't mind my artistic skill :)

jgmryh.png



My expectation: I'd like that any devices in any subnets can access to one another, without disabling DHCP or bridging the networks. (And it'd be more great if the firewalls can still be enabled).

Current setup:
I*: ISP Wireless-G Router-Modems. PPPoE Dial. Limited features. No toggle for firewall, but have a "Firewall" section which includes URL, Mac Filtering, Port Fortwarding, DMZ, etc... uPNP enabled and DMZ set to N* routers.
N*: Asus RT-N66U Routers with Merlin 374.41. uPNP enabled. Firewall disabled.
Firewalls on all devices are disabled.

Current situation:
+ At *each* Home, devices in both subnets (eg Sub-I1 & Sub-N1) can access one another.
+ The OpenVPN connection is established between the N* routers (Thanks RMerlin, didn't think setup on his firmware is that easy!).
+ The client-side Sub-N1 devices can access the server-side Sub-N2 devices, but not vice versa.
+ Found these two lines from a blog post to put in N1 Custom Configuration box:
ifconfig 10.8.0.1 10.8.0.2
route 192.168.21.0 255.255.255.0
And Sub-N1 devices can access Sub-I2 devices. Obviously, not vice versa.

So, I'd really appreciate if anyone could help me configuring my network. I barely know Linux, so details are welcome as I don't mind reading long post :)

Thank you in advance!
 

Attachments

  • MyOpenVPN.jpg
    MyOpenVPN.jpg
    51.1 KB · Views: 410
Last edited:
Never really messed much with VPNs, but don't you need to set up both client and server on each router to allow two-way access?
 

Attachments

  • ccd1.JPG
    ccd1.JPG
    35.3 KB · Views: 567
  • ccd0.JPG
    ccd0.JPG
    17.5 KB · Views: 828
Last edited:
Thank you guys!

My bad! I didn't think ticking the "Manage Client-Specific Options" would expand the two settings below it (Plus English is not my native language, so I got the wrong idea).

sinshiva's example screenshots just got me a bit confused. It seems that you put the VPN pool subnet into the fields(?), but it turned out that I had to add the routers' LAN subnets. For my network, I had to add the three sub-I1, sub-N1 and sub-I2.
- However, at first things didn't work. So, eventhough I'm a bit afraid of ssh, but your screenshots made me think that I got to try taking an adventure into the ssh world :D Found the iroute line in etc/openvpn/server1/ccd/MY_OPENVPN_AUTHENTICATION_USERNAME(lovelya).
- Realized that using Merlin GUI, the lovelya file is always updated with one iroute line for the last added subnet - I had to manually edit the file for the other two subnets. And voila, things worked as expected! However, edited file is only kept temporarily, a reconnection would make the file reset to its one-line state. So, is this a bug that I need to report to RMerlin or is it the normal default setup design and I have to use jffs scripts?

And actually now I feel there is one more important thing - securing the networks - which I didn't feel its importance until I've seen recent brute force attacks from some IPs originated from India in the log! For now, just for the simple connection i.e from sub-I1 to its corresponding sub-N1, I got to turn off firewall on my N66W. Could you please help me on this part?
 
you need to enable the JFFS partition (admin > system; format first time on reboot), then copy the ccd config to /jffs/configs/openvpn/ccd/common_name
 
you need to enable the JFFS partition (admin > system; format first time on reboot), then copy the ccd config to /jffs/configs/openvpn/ccd/common_name

Hi sinshiva, yes from your previous post, I understand about the scripts part for permanent settings.
Sorry that my question was a bit misleading. I meant the bug with the GUI is: No matter how many subnets you add, the GUI only sets one "iroute" command for the last subnet! (FYI, the "push route" commands are all set correctly for *all* subnets).
 

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top