Asus RT-N66U openvpn access server lan


Mate Rigo

New Around Here
Hi All.

I am running a RT-N66U on Asus stock fw version 3.0.0.4.382_50702

The router LAN is running on subnet: 192.168.10.0/24
The router's IP address is 192.168.10.1

I'd like to set up an openvpn server, where I can access the LAN remotely, e.g. a NAS on IP 192.168.10.4

I have already done this running tomato fw, but I have now switched back to stock, so I do have some experience with openvpn setup.

What is working is that I can connect to the openvpn server, and I can access the router at address 192.168.10.1, but nothing else can be seen on the lan.

For testing purposes I did try it from my win10 PC, and also from another RT-N66U, which is being used as an openvpn client; both resulted in failure.

The local subnet, from where I'd like to reach the server is 192.168.17.0/24

Here is a screenshot from my setup:
upload_2018-8-5_0-3-55.png

(Excuse the mismatch of the VPN subnet, the screenshot shows 10.9.0.0, because I experimented with what would happen if I changed it.
It should show 10.8.0.0)

This is the generated config file via telnet:
Code:
admin@RT-N66U:/tmp/etc/openvpn/server1# cat config.ovpn
# Automatically generated configuration

# Tunnel options
proto tcp-server
port 3153
dev tun21
sndbuf 0
rcvbuf 0
keepalive 15 60
daemon vpnserver1
verb 3
status-version 2
status status 10
comp-lzo adaptive
plugin /usr/lib/openvpn-plugin-auth-pam.so openvpn

# Server Mode
server 10.8.0.0 255.255.255.0
duplicate-cn
push "route 192.168.10.0 255.255.255.0 vpn_gateway 500"
push "dhcp-option DNS 192.168.10.1"

# Data Channel Encryption Options
auth SHA1
cipher AES-128-CBC

# TLS Mode Options
ca ca.crt
dh dh.pem
cert server.crt
key server.key

This is the client config file:
Code:
admin@RT-N66U:/tmp/etc/openvpn/server1# cat client.ovpn
remote magic.asuscomm.com 3153
float
nobind
proto tcp-client
dev tun
sndbuf 0
rcvbuf 0
keepalive 15 60
comp-lzo adaptive
auth-user-pass
client
auth SHA1
cipher AES-128-CBC
ns-cert-type server
<ca>
-----BEGIN CERTIFICATE-----
removed
-----END CERTIFICATE-----
</ca>

<cert>
    paste client certificate data here
</cert>

<key>
    paste client key data here
</key>

This is the route table from the server after a connection was established:
Code:
admin@RT-N66U:/tmp/etc/openvpn/server1# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.0.1        *               255.255.255.255 UH    0      0        0 ppp0
10.8.0.2        *               255.255.255.255 UH    0      0        0 tun21
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun21
192.168.10.0    *               255.255.255.0   U     0      0        0 br0
169.254.0.0     *               255.255.0.0     U     0      0        0 eth0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         10.0.0.1        0.0.0.0         UG    0      0        0 ppp0

This is the route table from the asus client after a connection was established:
Code:
admin@RT-N66U:/tmp/home/root# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.8.0.5        *               255.255.255.255 UH    0      0        0 tun15
10.8.0.1        10.8.0.5        255.255.255.255 UGH   0      0        0 tun15
192.168.0.1     *               255.255.255.255 UH    0      0        0 eth0
192.168.17.0    *               255.255.255.0   U     0      0        0 br0
192.168.0.0     *               255.255.255.0   U     0      0        0 eth0
192.168.10.0    10.8.0.5        255.255.255.0   UG    500    0        0 tun15
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         compalhub.home  0.0.0.0         UG    0      0        0 eth0

I am thinking that some routing option might still be missing, so that the server does not really make sure that if a client wants to access 192.168.10.4, for example, that traffic has to go through the openvpn interface to br0, where it can actually reach the destination.

But theoretically this line in the server config:
Code:
push "route 192.168.10.0 255.255.255.0 vpn_gateway 500"
should do the trick, as far as I understood this howto correctly: https://openvpn.net/index.php/open-source/documentation/howto.html#scope

If someone could point me into the right direction, I would be really happy.
 

It sounds like everything is setup correctly. The fact that you can access your NAS indicates that the routing is correct.

Define what you mean by "but nothing else can be seen on the lan." What have you tried?
 

Ok, I agree I did not go into much detail, so here is what I tried:

I tried to ping various members on the server's LAN, such as the NAS under the IP address 192.168.10.4.
I tried pinging from the client RT-N66U, which is connected to the openvpn server, and I also tried pinging from my PC, which is on the client router's side LAN, with IP address 192.168.17.208

I also tried accessing the NAS' web interface from my PC.

I am aware that name resolution does not work, so I always try to use the IP addresses if I want to access the other subnet.

None of the methods were successful.


One addition, which I did not mention, is that the server Asus RT-N66U has ipv6 enabled. I might try to disable it, and see what will happen.
I already tried to disable the firewall, just in case to see if that was causing the trouble.


Is there some command similar to tracert, which might show at which exact step the packet does not seem to get any further?

This is my output for tracing the server:
Code:
C:\Users\mester>tracert 192.168.10.1
Tracing route to 192.168.10.1 over a maximum of 30 hops
  1     1 ms    <1 ms     3 ms  router.asus.com [192.168.17.1]
  2   240 ms    46 ms   254 ms  192.168.10.1
Trace complete.

This is my output, when I try to access the NAS:
Code:
Tracing route to 192.168.10.4 over a maximum of 30 hops

  1    93 ms    <1 ms    <1 ms  router.asus.com [192.168.17.1]
  2    44 ms    43 ms    39 ms  10.8.0.1
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
  8     *        *        *     Request timed out.
  9     *

What sticks out is that the second hop is to 10.8.0.1; when I try to access the router, the hop to 10.8.0.1 is skipped.

If I do an ifconfig on the asus server, I get this:
Code:
tun21      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
           inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
           UP POINTOPOINT RUNNING NOARP PROMISC MULTICAST  MTU:1500  Metric:1
           RX packets:873 errors:0 dropped:0 overruns:0 frame:0
           TX packets:186 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:100
           RX bytes:58442 (57.0 KiB)  TX bytes:17215 (16.8 KiB)

Which means, that 10.8.0.1 is the IP address of the openvpn server tunnel interface.
 
Thanks for the extra info. I must have misread your original post, I thought you said you could access your NAS.:oops:

One thing to bear in mind is that devices on the target LAN will perceive any incoming traffic as "not local". So in the case of Windows PCs that means they will not answer ICMP pings (or traceroutes). So you either need to create a Windows Firewall rule, or temporarily turn off the firewall when you're trying to ping/traceroute them.

I don't know anything about your NAS but you might want to check its firewall configuration as well.

Other than that I can't think of anything at the moment.:(
 
Hi Colin, thanks for the pointer about

One thing to bear in mind is that devices on the target LAN will perceive any incoming traffic as "not local"

This has put me into the right direction.
So it turns out that I could not access my NAS, because it had an openvpn server configured with the same subnet of 10.8.0.6

When I try to reach the LAN of the openvpn router 192.168.10.0/24, the packets appear as if they would come from the IP address 10.8.0.6.

So the NAS was seeing packets from 10.8.0.6 and took a look at its routing table, where it found entries for 10.8.0.0
(See routing table of NAS:)
Code:
ash-4.3# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         router.asus.com 0.0.0.0         UG    0      0        0 eth0
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun0
10.8.0.2        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
192.168.10.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0

Then it tried to answer back from its own openvpn interface, which obviously went wrong.


Now I modified the Asus RT-N66U server config to use the subnet 10.10.0.0, and I can access the NAS just fine.
If I do a netstat on the NAS, I can verify that I connect to it using the openvpn subnet.
Code:
ash-4.3# netstat | grep 10.10.0.6
tcp        0      0 Synology:DSM-http       10.10.0.6:63004         ESTABLISHED
tcp        0     64 Synology:ssh            10.10.0.6:63030         ESTABLISHED
tcp        0      0 Synology:ssh            10.10.0.6:58912         ESTABLISHED

And here your insight applies, why pinging would not work: many devices on 192.168.10.0/24 will refuse to answer unknown IP addresses, which might come from the internet. So basically their firewall kicks in.

So the question remains, how do I set up my openvpn server on the ASUS so that it does some form of NATing on the openvpn connection, so that to the devices on the 192.168.10.0/24 subnet it appears as if the router were sending them the requests.

Aka. 10.10.0.6 gets translated to 192.168.10.1 and then gets sent to the devices.


Edit:
One more addition:
I've set up the client to client access, because I want to reach both subnets in both directions.
192.168.10.0/24 ->192.168.17.0/24
192.168.10.0/24 <-192.168.17.0/24
Which is working fine, except that the network access is "not NAT-ed" here either.

Little showcase:
So I pinged my PC (192.168.17.208) from my NAS (192.168.10.4) over the openvpn connection. It only worked if I added a special rule to my Windows firewall, because, as you can see from the packets in Wireshark, they seem to arrive from the IP 192.168.10.4, which my PC thinks of as untrustworthy.
upload_2018-8-6_13-19-51.png


This whole firewall issue makes me somewhat confused, because I used to have a very similar setup before changing back to stock fw from tomato, but instead of openvpn I used Tinc.
In the end Tinc is also just some private tunnel with routes that are created.
And I don't recall being unable to ping or access certain members of the subnets because they regarded the inbound traffic as untrustworthy :\
 
I'm not sure whether that's possible. You could try setting the VPN server's subnet & netmask to something like 192.168.10.248/255.255.255.248. That would in theory give you a range of 192.168.10.248 to 192.168.10.255. Of course you'll have to reduce the LAN DHCP address pool accordingly and make sure none of your LAN devices use that range. I'm not sure whether the routing would work though.

Alternatively you could change from using TUN to TAP. That would create an Ethernet bridge using your LAN address range.
 

Ok, I did my homework, so this is what I have found out:
Apparently there is a technique called masquerade, which can be done with the iptables command.
The NAS that I mentioned to be on the address 192.168.10.4 is actually doing this. I connected to its openvpn server, and all the access I make over it is being seen on the 192.168.10.0/24 subnet as if it was sent by the NAS itself.

So if I connect to the NAS' openvpn from my PC (192.168.17.208), and I access for example an AP with the address 192.168.10.2, the packet travels like this:
192.168.17.208->10.8.0.6->10.8.0.1 (masquerade taking place here)->192.168.10.4->192.168.10.2

Where:
192.168.17.208 : my PC's LAN address
10.8.0.6: PC's openvpn address
10.8.0.1: NAS' openvpn address
192.168.10.4: NAS' LAN address
192.168.10.2: AP's LAN address

As far as the AP is concerned, it thinks that the NAS tries to access it, so it deems it trustworthy.
Now this is what I think of as a real connection of 2 subnets, because each member can communicate with the other without having to set up firewall rules on every member of the networks.

The big question is whether I can do this on stock ASUS fw.
Let's see.

Once again, thanks Colin for keeping up the discussion.

Edit:
This is what I have found in this topic: https://community.openvpn.net/openvpn/wiki/NatHack
It is actually talking about a missing routing table entry, which is not my case, as the ASUS router is responsible for both routing and openvpn.
But the point is that the AP in my example would not answer to the 10.8.0.6 IP address, because it would think it is a rogue attempt to hack it from the internet. Which I think just kills the whole purpose of connecting 2 subnets, if they don't trust each other.
 
Issuing the following command on the router will masquerade the VPN clients so that they appear to come from the router itself.
Code:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o br0 -j MASQUERADE
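The NAS route-table conflict described earlier in the thread and the masquerade rule above, worked through as an added example (not code from any poster): a longest-prefix route lookup over the NAS's posted routing table, plus a model of what the MASQUERADE rule does to the source address a LAN host sees. The "local subnet only" firewall behaviour of the LAN host and the router LAN IP 192.168.10.1 are assumptions taken from the thread.

```python
import ipaddress

# Routing table of the NAS as posted in the thread: (destination, interface).
# Gateways are left out because only the outgoing interface matters here.
NAS_ROUTES = [
    ("0.0.0.0/0", "eth0"),        # default -> router.asus.com (192.168.10.1)
    ("10.8.0.0/24", "tun0"),      # the NAS's *own* OpenVPN server subnet
    ("10.8.0.2/32", "tun0"),
    ("192.168.10.0/24", "eth0"),  # the LAN
]
LAN = ipaddress.ip_network("192.168.10.0/24")
ROUTER_LAN_IP = "192.168.10.1"   # assumption: the router's br0 address


def route_iface(routes, dst):
    """Longest-prefix match, as the kernel does: the most specific route wins."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, iface in routes:
        network = ipaddress.ip_network(net)
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, iface)
    return best[1]


def masquerade(src, vpn_net, out_iface):
    """Model of `iptables -t nat -A POSTROUTING -s <vpn_net> -o br0 -j MASQUERADE`:
    a VPN-sourced packet leaving the router on br0 is rewritten to the router's LAN IP."""
    if out_iface == "br0" and ipaddress.ip_address(src) in ipaddress.ip_network(vpn_net):
        return ROUTER_LAN_IP
    return src


def host_sees(client_ip, vpn_net, masq):
    """What a LAN host (the NAS) experiences when a VPN client's packet arrives.

    Returns (source address seen, accepted by a 'local subnet only' firewall,
    interface the host's reply is routed out of)."""
    src = masquerade(client_ip, vpn_net, "br0") if masq else client_ip
    accepted = ipaddress.ip_address(src) in LAN      # assumed firewall policy
    return src, accepted, route_iface(NAS_ROUTES, src)


if __name__ == "__main__":
    # Constructed cases mirroring the thread:
    # overlapping 10.8.0.0/24: the NAS answers into its own tun0, reply never returns
    print(host_sees("10.8.0.6", "10.8.0.0/24", False))    # ('10.8.0.6', False, 'tun0')
    # renumbered to 10.10.0.0/24: reply goes to the router, but the host still sees "not local"
    print(host_sees("10.10.0.6", "10.10.0.0/24", False))  # ('10.10.0.6', False, 'eth0')
    # masqueraded: the host sees the router itself, accepts, and replies on the LAN
    print(host_sees("10.10.0.6", "10.10.0.0/24", True))   # ('192.168.10.1', True, 'eth0')
```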
 
Hi all,

Is it possible to edit config.ovpn in /tmp/etc/openvpn/server1?

When I make changes and save, the changes are gone after reboot.
How can this be done permanently?
Thx
 

Not possible with the stock firmware. The config file is dynamically generated when starting the instance.
 
Thx very much for quick response :)

I just want to understand this correctly. When I change settings through the web interface they are changed in the file, so I thought there must be a way to change it somewhere. Where does the web interface save the changes?
I appreciate your help.
 
The settings are saved in NVRAM, which the router uses to create the file.

What are you trying to change? Most settings can be modified through the GUI using the standard options or the Custom Configuration box.
 

I thought I would save you some reading time, but now I will give you the whole story :)

I recently changed my old n66u to an ac86u and was planning to stick to stock firmware and set up an OpenVPN server there. I have reused my old keys, but the Asus OpenVPN server does not accept my old clients. I am forced to add auth-user-pass to my client and this is forcing me to enter a username and password. This is what I want to avoid.

I think I can achieve this if I can comment out the line:
plugin /usr/lib/openvpn-plugin-auth-pam.so openvpn

When I look through nvram show I cannot see anything that looks like this line. So the question is how to change this setting.

Thanks again for your help :)
 
Do you think this setting can be changed in nvram?
 
I don't think so. The NVRAM variables are the same settings that are presented through the GUI options.

It sounds like you have some fundamental problem with your client/server setup. I'd suggest that you try to fix that problem rather than using a "hack" to work around it.
 