Bi-Directional VPN using two Asus Routers via OpenVPN NOT WORKING .. argh :(

speedyrules

Occasional Visitor
hi guys,

need your help!

first, i have read the ultimate guide, which is pinned on the VPN forum.. and i also found/read 3 other threads which i worked through .. but i am being too stupid to get this running :(

my setup

router 1 - ASUS RT-AC87U
running latest original firmware
lan setting ip address router: 192.168.81.1
subnet mask: 255.255.255.0
openvpn - server


router 2 - ASUS RT-AC68U
running latest original firmware
lan setting ip address router: 192.168.0.1
subnet mask: 255.255.255.0
openvpn - client
client name "openvpn"

the client connects.. and all devices behind the client can access all other servers in the router 1 lan
BUT: i cannot access from a computer in router lan 1 to any server behind the router 2 lan
for example i cannot access from my 192.168.81.158 to 192.168.0.4.

what the heck am i doing wrong?
maybe here some settings

routing table at client

Destination     Gateway         Genmask         Flags Metric Ref Use Type Iface
10.8.0.5        *               255.255.255.255 UH    0      0   0        tun15
10.8.0.1        10.8.0.5        255.255.255.255 UGH   0      0   0        tun15
xxx.xxx.42.1    *               255.255.255.255 UH    0      0   0   WAN0 eth0
10.8.1.2        *               255.255.255.255 UH    0      0   0        tun21
192.168.81.0    10.8.0.5        255.255.255.0   UG    0      0   0        tun15
10.8.1.0        10.8.1.2        255.255.255.0   UG    0      0   0        tun21
192.168.0.0     *               255.255.255.0   U     0      0   0   LAN  br0
xxx.xxx.42.0    *               255.255.254.0   U     0      0   0   WAN0 eth0
default         xxx.xxx.42.1    0.0.0.0         UG    0      0   0   WAN0 eth0

routing table at server

Destination     Gateway         Genmask         Flags Metric Ref Use Type Iface
10.8.0.2        *               255.255.255.255 UH    0      0   0        tun21
xxx.xxx.2.1     *               255.255.255.255 UH    0      0   0   WAN0 vlan2
169.254.39.0    *               255.255.255.0   U     0      0   0   LAN  br0
192.168.81.0    *               255.255.255.0   U     0      0   0   LAN  br0
xxx.xxx.2.0     *               255.255.255.0   U     0      0   0   WAN0 vlan2
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0   0        tun21
192.168.0.0     10.8.0.2        255.255.255.0   UG    0      0   0        tun21
default         xxx.xxx.2.1     0.0.0.0         UG    0      0   0   WAN0 vlan2

openvpn config in openvpn - server
upload_2020-6-1_20-27-45.png


upload_2020-6-1_20-28-39.png


thanks for the help.. this situation is driving me nuts :O
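
Added example (not part of the original post): a longest-prefix-match lookup over the two routing tables exactly as posted, showing which interface each router picks for the failing 192.168.81.158 to 192.168.0.4 flow and for its reply. The function names are illustrative; the kernel table cannot show OpenVPN's own per-client routing or any firewall rule, so a correct result here only rules out missing kernel routes.

```python
import ipaddress

# Rows copied from the post above; WAN addresses are masked as posted.
CLIENT = """10.8.0.5 * 255.255.255.255 UH 0 0 0 tun15
10.8.0.1 10.8.0.5 255.255.255.255 UGH 0 0 0 tun15
xxx.xxx.42.1 * 255.255.255.255 UH 0 0 0 WAN0 eth0
10.8.1.2 * 255.255.255.255 UH 0 0 0 tun21
192.168.81.0 10.8.0.5 255.255.255.0 UG 0 0 0 tun15
10.8.1.0 10.8.1.2 255.255.255.0 UG 0 0 0 tun21
192.168.0.0 * 255.255.255.0 U 0 0 0 LAN br0
xxx.xxx.42.0 * 255.255.254.0 U 0 0 0 WAN0 eth0
default xxx.xxx.42.1 0.0.0.0 UG 0 0 0 WAN0 eth0"""

SERVER = """10.8.0.2 * 255.255.255.255 UH 0 0 0 tun21
xxx.xxx.2.1 * 255.255.255.255 UH 0 0 0 WAN0 vlan2
169.254.39.0 * 255.255.255.0 U 0 0 0 LAN br0
192.168.81.0 * 255.255.255.0 U 0 0 0 LAN br0
xxx.xxx.2.0 * 255.255.255.0 U 0 0 0 WAN0 vlan2
10.8.0.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun21
192.168.0.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun21
default xxx.xxx.2.1 0.0.0.0 UG 0 0 0 WAN0 vlan2"""

def parse(table):
    """Return (network, interface) pairs; rows with a masked destination are skipped."""
    routes = []
    for line in table.splitlines():
        f = line.split()
        if f[0] == "default":
            cidr = "0.0.0.0/0"
        elif "x" in f[0]:          # destination redacted by the poster
            continue
        else:
            cidr = f"{f[0]}/{f[2]}"
        routes.append((ipaddress.ip_network(cidr), f[-1]))
    return routes

def egress(table, ip):
    """Longest-prefix match: the interface the kernel would pick for ip."""
    addr = ipaddress.ip_address(ip)
    hits = [(net, dev) for net, dev in parse(table) if addr in net]
    return max(hits, key=lambda h: h[0].prefixlen)[1]

if __name__ == "__main__":
    print("server router -> 192.168.0.4    via", egress(SERVER, "192.168.0.4"))
    print("client router -> 192.168.0.4    via", egress(CLIENT, "192.168.0.4"))
    print("client router -> 192.168.81.158 via", egress(CLIENT, "192.168.81.158"))
```

Both directions resolve to the tunnel and LAN interfaces rather than the WAN default, so the posted kernel routes are not what drops the traffic.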
 
@doczenith1 @Klueless , would you guys have an opinion?
Thanks for the "shout out" but it's been awhile since I played with OpenVPN. It was fun, it was exciting, it worked but I dropped it when I realized Internet latency rendered my legacy database application useless.

After reading your post you're already far more advanced than me so do take what I say with a grain of salt. I never expected that one could do what you want.

The "server" is set to share its privates. As a "client" I'm looking to access information, I am not looking to share my privates. My thought was that you would have to set both routers to be "servers" to each other and both routers to be "clients" to each other. That was going to be my approach but I never got that far. Probably just as well. I read elsewhere a user did exactly that but he's reporting his own set of problems so that may not be the answer either.

With many apologies but I truly am "Klueless". Perhaps you might have something in common with the gentleman who posted this ==> https://www.snbforums.com/threads/b...site-to-site-with-two-rt-ac66u-routers.36891/
 
thanks for the reply @Klueless ! any 2 cents help :)

i did try setting both as servers and clients at the same time .. giving both different vpn ranges and ports.. the issue i ran into was that the routing tables were facing errors. this because the "automated" settings tried to make "doubled"/"conflicting" entries. so i gave up on that ..

but thanks for the hint with @Mikael Johansson .. will see if he got any further
 
I am just reading your request for help. I have a working solution between my home and cottage. I can connect to devices on the client VPN router. It automatically reconnects to the VPN server (home router) should the connection ever get lost.

To start with, you will need to install Merlin code on your ASUS routers as it provides extra tuning options you will need. Next you will need to switch the VPN connection to TAP (a LAN VPN vs TUN - a routed VPN). With TAP, the LAN sides have to be the same subnet. Also you have to disable firewalling to allow the server side devices to connect to client side devices, a configuration option the stock ASUS code does not have.
Check out some comments I posted here... https://www.snbforums.com/index.php?posts/544947 and contact me if you have further issues.

Regards, Peter

Sent from my Pixel using Tapatalk
 
@Pej5 thanks for the reply!

i am scared a bit of installing merlin, since i am just crap in doing stuff like that :)

maybe first a general question: you say: "switch the VPN connection to TAP (a LAN VPN vs TUN - a routed VPN). With TAP, the LAN sides have to be the same subnet"
in this case you mean router 1 and router 2 would be in the same 192.168.81.0 network?
would then all the internet traffic from router 2 be routed over router 1 to the internet? (right now the router 2 network only routes over router 1 when ips from router 1 network are needed)
this would be not necessarily my optimal solution .. but..if this is the only way to get it working..

about the need of merlin:
with the stock firmware i can change as far as i know everything that is mentioned in https://www.snbforums.com/index.php?posts/544947 except maybe "Create NAT on tunnel = No (allowing client LAN IP addresses through directly without NATing), and Inbound Firewall = No (allowing Server traffic through to client LAN)". but i am not sure if these options did actually help you to solve the problem.

and what are your settings with: "Allow Client <-> Client" and "Allow only specified clients" .. i have both on "No" ..
 
I'll answer in order.

The Merlin code installed as easily as a standard code upgrade.

With TAP, yes both would have to be Net 81 or any subnet so long as they match. I chose to enable DHCP on each router with ranges .1 to .96 on one, and .200 to .254 on the other. (See last comment below.)
You can still use the Local Internet on the router with VPN client. This is how I use it.

Merlin features: Inbound Firewall = No (allowing Server traffic through to client LAN)". This one is critical for what you want to do. You want devices on the VPN Server side to be able to access devices on the VPN client side and the stock ASUS code protects Client side with a firewall that cannot be disabled.
I cannot find the Create NAT feature you mention.
I allow client to client

Finally, there seems to be a new feature where the LAN subnets may be different. I do not recall that when I configured. Not sure how that would work.

Hope this helps.

Peter



Sent from my Pixel using Tapatalk
 
thanks for answering!

so, just uploading the firmware file and push "upload"?
- how do i get back to stock firmware?

very clever splitting the ranges of the subnet.. somehow i was just not thinking of that ..
so you are also saying i would not need any extra settings for using the local internet?

maybe i try first just disabling the complete firewall to see where i get with this. there is no "Inbound Firewall" setting as i can see in the stock.. but with generally disabling the firewall i might get some more infos why i am stuck..
also will try TAP and the client 2 client setting .. and if i am still stuck.. merlin :)

if anyone has any more tips, i would appreciate any 2 cents :)

thanks again!

will take a while.. but i will keep you guys posted!
 
here 2 pics from settings in the stock firmware
upload_2020-6-8_11-3-55.png



probably could also play with this here to get things through? whitelisting the router 2 network? .. how would i whitelist all of it??
upload_2020-6-8_11-4-38.png
 
so, just uploading the firmware file and push "upload"?
- how do i get back to stock firmware?

Correct, and just upload the stock firmware if you want to switch back. Merlin looks like ASUS code, but with more features. (Maybe ASUS code looks like Merlin.)

so you are also saying i would not need any extra settings for using the local internet?

Correct. Select LAN only in the VPN server config.

maybe i try first just disabling the complete firewall to see where i get with this.

Not a good idea as that disables protection from the Internet to all your devices. The Merlin setting only removes it from the private tunnel between routers and you are in control of both ends.

You may have to message me to get my attention as I do not follow this list daily.


Sent from my Pixel using Tapatalk
 
