Asus Openvpn Site-to-Site config with Tun can't access client network computers


deco2d2

Hello everyone,

I have made a VPN tunnel between two routers with a TAP interface. It worked fine, but with DNS and DHCP servers (two Synology NAS with DHCP and DNS servers on both networks), I decided to change to TUN. The reason was that the DHCP server of the server network was the one that gave out the IP addresses in the client's network and redirected me to the DNS server of the server's network, and I did not like that.

I describe the hardware:

2 RT-AC3200 routers
Merlin Firmware: 380.68.4

The lans:

Server lan: 192.168.5.0/24 255.255.255.0
Router server lan: 192.168.5.1
DHCP & DNS server lan: 192.168.5.3

Client lan: 192.168.4.0/24 255.255.255.0
Router client lan: 192.168.4.1
DHCP & DNS client lan: 192.168.4.3

I created a client file in /jffs/configs/openvpn/ccd1 with this line:
iroute 192.168.4.0 255.255.255.0

Custom configuration VPN Server:
route 192.168.4.0 255.255.255.0
push "route 192.168.5.0 255.255.255.0"
push "route 192.168.4.0 255.255.255.0"
client-to-client

Custom configuration VPN Client:
float
keepalive 15 60
remote-cert-tls server
route 192.168.5.0 255.255.255.0
push "route 192.168.5.0 255.255.255.0"

I attached JPG files of the Server config, Client config, VPN Status Server and VPN Status Client.

From the client network I can access the server network machines (NAS, routers, RDP), but from the server network it is not possible to access the client network machines (NAS, routers, RDP).

I appreciate your help. I'm not a programmer and making this configuration has required many hours. I read many posts and I've done everything they say, but I cannot get the VPN working in both directions.


Thank you very much.
 

Attachments: Server.jpg, VPN Status.jpg, VPN Client Status.jpg, VPN Client Config.jpg
If someone can give me a step-by-step tutorial to configure the VPN, I'd be grateful.

There is a thread that utilises scripts for more advanced OpenVPN setups that require different explicit user (aka COMMON) names.
OpenVPN server can't see client's LAN on Site to site connection

However, for a simple bi-directional OpenVPN Client<->Server TUN scenario using the default 'COMMON NAME' you should be able to simply define the remote client subnet to the Server GUI config.

I suggest you remove all 'route/push' directives from both the server and the client and remove /jffs/configs/openvpn/ccd1 to reset everything.

Then on the OpenVPN Server (192.168.5.xxx) simply add the following:

EDIT: Corrected subnet typo and Push=Yes

(screenshot attached: upload_2017-12-16_17-25-1.png)
Hi Martineau,

First of all, thank you very much for your help. I read the thread OpenVPN server can't see client's LAN on Site to site connection but it is too difficult for my level. I'll try to do the modifications that you explain in your answer and I'll get back with news.
 
In the end I got it!

I have been slow to post since at first things did not work well. Since the networks are in use, I had to do the tests outside of working hours. In one of those tests I restored the factory values on the remote office router, but by mistake I did it on the main one. I almost died!!!

Finally, following your advice I got the OpenVPN site-to-site working, although there are some details that initially did not work for me. Attached is a screen capture for all those who, as happened to me, are looking for how to create the site-to-site.

After configuring OpenVPN, it works in one direction (client -> server OK, server -> client failed). On the server you must add, under Allowed Clients:

Username: client (the default name)

IP Address: the address of the client's network, 192.168.4.0 in my case.

Subnet Mask: the subnet mask of the client network, 255.255.255.0 in my case.

Push: YES.

With this everything works perfectly.

Thanks, thanks, thanks, thanks, thanks, thanks, Martineau!

P.S. Forget JFFS for the site-to-site
 

Attachments: allowed client.png
Username: client
is the default name

IP Address: We must put the address of the client's network 192.168.5.0 in my case.

Subnet Mask: The subnet mask of the client network 255.255.255.0 in my case.

Push: YES.

With this everything works perfectly.

Abject apologies for the stupid typos in the screenprint I posted :oops: and forgetting to set Push=Yes :oops::oops: but at least I was correct in my point of not needing scripts for your simple use case.
EDIT: Updated incorrect screenprint for completeness.

P.S. In your original post you did seem to state that the Client LAN was 192.168.4.0/255.255.255.0 o_O
Code:
The lans:

Server lan: 192.168.5.0/24 255.255.255.0
Router server lan: 192.168.5.1
DHCP & DNS server lan: 192.168.5.3

Client lan: 192.168.4.0/24 255.255.255.0
Router client lan: 192.168.4.1
DHCP & DNS client lan: 192.168.4.3
P.S. In your original post you did seem to state that the Client LAN was 192.168.4.0/255.255.255.0 o_O

I have corrected the error in the post. I wrote the solution down wrongly. Sorry.

I hope that our posts will serve more people who have this problem, since the solutions that I found always asked to edit the client file in jffs, add code, etc...

:)
 
Just to make a small contribution to this issue. For others like me who bother to find out why this GUI setting works, here is why. After the client-side LAN has been added in the "allowed clients" section, it will automatically create two things:
1. A route xxx xxx line in the server-side config.ovpn, so there is no need to add a route command in the server custom config any more. Unless you have multiple LANs on the server side that need to be advertised to all clients, you won't need to use the route xxx xxx command in the custom section.

2. An iroute xxx xxx line in the config file in the CCD folder, so playing around with the ccd config file is no longer required.

Just remember, if you use user/password for VPN authentication, the Common Name or the "username" in the "allowed clients" section will be your VPN username instead of "client", "client1"... used in various examples.
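As an added illustration (not code from the thread or from the Merlin firmware) of the two generated directives described above and of the Allowed Clients steps posted earlier: a small checker that reads a server config and the ccd files and reports which of the three pieces (route, iroute under the client's CN, pushed route) a client LAN is missing. The config text and the ccd contents are constructed samples mirroring the 192.168.4.0/24 setup in this thread; names like check_site_to_site are my own.

```python
import ipaddress

# Constructed sample: what the GUI generates for one Allowed Clients row
# (Username=client, 192.168.4.0 / 255.255.255.0, Push=Yes). Not from a real router.
SERVER_CONF = """\
server 10.8.0.0 255.255.255.0
route 192.168.4.0 255.255.255.0
push "route 192.168.5.0 255.255.255.0"
push "route 192.168.4.0 255.255.255.0"
client-to-client
"""
CCD = {"client": "iroute 192.168.4.0 255.255.255.0\n"}  # file name == Common Name


def parse_routes(text):
    """Return (routes, iroutes, pushed) sets of ip_network from OpenVPN config text.
    strict=True makes a host address with a /24 mask (e.g. 192.168.4.1) raise
    ValueError, which catches the .0 vs .1 confusion seen in GUI screenshots."""
    routes, iroutes, pushed = set(), set(), set()
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].replace('"', "").split()
        if len(parts) >= 3 and parts[0] in ("route", "iroute"):
            net = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=True)
            (routes if parts[0] == "route" else iroutes).add(net)
        elif len(parts) >= 4 and parts[0] == "push" and parts[1] == "route":
            pushed.add(ipaddress.ip_network(f"{parts[2]}/{parts[3]}", strict=True))
    return routes, iroutes, pushed


def check_site_to_site(server_conf, ccd_files, client_lan):
    """Report what server->client-LAN reachability still lacks. Returns {} when
    the kernel route, the owning client's iroute, and the pushed route are all present."""
    lan = ipaddress.ip_network(client_lan, strict=True)
    routes, _, pushed = parse_routes(server_conf)
    problems = {}
    if lan not in routes:
        problems["route"] = f"server config has no 'route {lan.network_address} {lan.netmask}'"
    owners = [cn for cn, text in ccd_files.items() if lan in parse_routes(text)[1]]
    if not owners:
        problems["iroute"] = f"no ccd file claims {lan} with iroute; server cannot pick the client"
    elif len(owners) > 1:
        problems["iroute"] = f"{lan} claimed by several clients: {owners}"
    if lan not in pushed:
        problems["push"] = f"{lan} is not pushed (Push=No in the GUI)"
    return problems


if __name__ == "__main__":
    print(check_site_to_site(SERVER_CONF, CCD, "192.168.4.0/24") or "site-to-site config complete")
```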
 
Hi Martineau,

Thanks for the guide. However, I have another question. I'm using TUN with the Allowed Clients settings the same as above. Site A (VPN Server) and Site B (VPN Client) can connect to each other. However, when I connect my mobile to Site A via OpenVPN, the route seems not to work: Site A cannot connect to Site B.
 
Hi,

The lans:

Server lan: 192.168.2.0/24 255.255.255.0
Router server lan: 192.168.2.1

Client lan: 192.168.3.0/24 255.255.255.0
Router client lan: 192.168.3.1


I know this is old, but I put my client.ovpn on OpenWrt and I can only ping the router, not the clients. Any idea?

(screenshot attached: Capturar.PNG)
Hey guys!
I hope people are still reading this here! :D
I was amazed seeing this, because I have the same issue. However, I tried and failed.

Maybe I'll describe my setup:

Router 1 - ASUS RT-AC87U
running latest original firmware
LAN setting, router IP address: 192.168.81.1
subnet mask: 255.255.255.0
OpenVPN - server


Router 2 - ASUS RT-AC68U
running latest original firmware
LAN setting, router IP address: 192.168.1.1
subnet mask: 255.255.255.0
OpenVPN - client
client name "openvpn"

The client connects, and all devices behind the client can access all other servers in the router 1 LAN.
BUT, as in the problem here: I cannot access from a computer in the router 1 LAN any server behind the router 2 LAN.

I thought I made the right settings according to the stuff above, but what is going wrong?
I attached my configuration for feedback. And yes: I guess the UI has wrong labels in the "allowed clients", or what would I be supposed to write there?

Thanks for the help. This situation is driving me nuts :O


(screenshots attached: vpnoverviw.png, vpndetail.png)
 
