Cannot access internet on asus vpn server Openvpn

peste19

Occasional Visitor
I have an old GT-AC5300 on which I am trying to create a VPN server. I have followed the Asus instructions but can't figure out what I am missing.

I tried setting it up using OpenVPN and IPSec but they both behave the same: I can connect on my phone but have no access to the internet.

My Asus router currently sits behind a Verizon router, on which I have forwarded the ports. Here are screenshots of my settings.

I know that at least the IPSec ports are being forwarded correctly, as I can use Asus InstantGuard with no issues and it uses the same ports.
 

Attachments: asus.jpg, Verizon.jpg, advancedsettings.jpg

Have you verified that you have internet access from a client on the LAN side of the GT-AC5300? IOW, an ordinary LAN client being routed up through the WAN of the GT-AC5300 and up to the primary router and ISP. If that doesn't work, then obviously any remote client of the OpenVPN server on the GT-AC5300 won't work either.
 
Yes, everything has connectivity, but the moment I connect a client through VPN, it shows as connected on the device and on the Asus router, as you can see in the image, but there is no internet access.
 
Do you at least have access to the LAN? Or is NOTHING working, not LAN or internet?

Did you generate/export the client config file using the OpenVPN server?

One thing I noticed is the use of Adaptive for Compression. That is known to be a potential security risk, and it *might* be that some clients will NOT permit it, even if your client config file directs it to use it. And if the client and server are mismatched on the compression settings, you'll typically get connected but further communications will stop. The two sides are essentially speaking different languages. Just a guess at this point.

In fact, I don't like the server's encryption and hmac settings either (I assume those are the defaults). At a minimum, I would make them AES-256-CBC and SHA256, respectively, and regenerate the client import file. BF-CBC isn't even supported anymore (yet another known security risk)!

I'm just concerned that maybe the client and server are NOT compatible given your current settings. Even if the problem proves to be something unrelated, I would recommend those changes anyway.
 
Connecting my laptop to the Asus router without VPN works perfectly, but when I try to connect my phone over the T-Mobile network using the VPN, it says connected but I have no internet access.

I look at the VPN page from Asus and it shows I am connected to it.

I exported the ovpn file from the Asus VPN config page and installed that on my phone.

I have also tried configuring using IPSec but it behaves the same way: I can connect to the router but have no internet access.
 
I'm wondering if maybe it's just a DNS problem. When that happens, it can appear you have no internet access, but it's really just a failure to resolve domain names. If that's the case, you should at least be able to ping a public IP, such as 8.8.8.8, through the VPN server.
 
I tried pinging it and it says unknown host, so I'm assuming it's a DNS error, but I'm not sure how to fix it.
 
Change "Advertise DNS to clients" on the server to NO. That will force those clients to continue using their local DNS instead. At least to see if that corrects the problem. If it does, we'll deal w/ *why* DNS isn't working when pushed to the client later.
 
Interesting. Normally when you Advertise DNS, you also Respond to DNS, and that reconfigures the router's DNS server (i.e., DNSMasq) to listen on the OpenVPN server's network interface (e.g., tun21). But that assumes that in fact DNSMasq *is* the DNS server on the router. Have you done any other reconfiguration on the router to make some other DNS server available on the router? For example, pihole, Unbound, etc.?
 
I use Merlin, not OEM firmware, so I don't know if the config file names and/or locations are the same. But we'll try anyway.

Re-enable "Advertise DNS to clients", restart the server, and dump the OpenVPN server and DNSMasq config files. You'll need to SSH into the router for these purposes.

Code:
cat /tmp/etc/dnsmasq.conf
cat /tmp/etc/openvpn/server/config.ovpn

I just want to see if what I'm expecting to be there, is there.
 
For some reason I have a different directory for the config.ovpn; it's under server1 and not server. Anyway, attached are the files you requested.
 

Attachments: dnsMasq.jpg, openconfig.jpg

I don't see anything that's obviously amiss. It's what I would have expected. The only possible problem I can imagine is if the OpenVPN client's own local IP network was also using 192.168.2.0/24 (or was otherwise accessible from it). In that one case, that IP network would NOT get routed over the VPN, since it's local. And that would then deny access to the DNS server (DNSMasq) that resides over the VPN @ 192.168.2.1.

For the time being, all I can suggest is forcing *public* domain name resolution (e.g., Google DNS) over the tunnel by adding the following to the server's custom config field.

Code:
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "route 8.8.8.8"
push "route 8.8.4.4"
push "block-outside-dns"

You'll also want to turn OFF "Advertise DNS to clients" and "Respond to DNS" on the OpenVPN server.

Of course, you'll lose local name resolution of your remote network (I'm not sure that's even required for your situation). But at least you won't have any DNS leaks over the local network of your client.
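
The config-level problems raised in this thread (Adaptive compression, BF-CBC, a weak HMAC, and a client LAN that overlaps the pushed 192.168.2.0/24 network or its DNS server at 192.168.2.1) can be checked offline against a dumped server config. This is an added example, not code from any poster: the function names, finding labels and sample config are constructed for illustration, and flagging SHA1/MD5 follows the SHA256 minimum recommended earlier in the thread.

```python
import ipaddress
import shlex

# Constructed sample (not the poster's file, which was shared as a screenshot).
SAMPLE_SERVER_CONF = """\
cipher BF-CBC
auth SHA1
comp-lzo adaptive
push "route 192.168.2.0 255.255.255.0"
push "dhcp-option DNS 192.168.2.1"
"""

def parse(conf):
    """Return (directives, pushed): token lists for plain and push lines."""
    directives, pushed = [], []
    for line in conf.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        tokens = shlex.split(line)
        if tokens[0] == "push" and len(tokens) > 1:
            pushed.append(shlex.split(tokens[1]))
        else:
            directives.append(tokens)
    return directives, pushed

def audit(conf, client_lan):
    """List findings for a server config, given the client's local subnet."""
    lan = ipaddress.ip_network(client_lan)
    directives, pushed = parse(conf)
    findings = []
    for name, *args in directives:
        arg = args[0].lower() if args else ""
        if name == "cipher" and arg == "bf-cbc":
            findings.append("weak-cipher")
        elif name == "auth" and arg in ("sha1", "md5"):
            findings.append("weak-hmac")
        elif (name == "comp-lzo" and arg != "no") or (
                name == "compress" and arg in ("lzo", "lz4", "lz4-v2")):
            findings.append("compression")
    for p in pushed:
        if p[0] == "route" and len(p) > 1:
            mask = p[2] if len(p) > 2 else "255.255.255.255"
            if ipaddress.ip_network(f"{p[1]}/{mask}", strict=False).overlaps(lan):
                findings.append("route-overlap")  # client keeps this traffic local
        elif p[:2] == ["dhcp-option", "DNS"] and len(p) > 2:
            if ipaddress.ip_address(p[2]) in lan:
                findings.append("dns-on-client-lan")  # pushed resolver unreachable
    return findings
```

Pass the contents of the dumped server config and the subnet of the network the client is connecting from, e.g. `audit(conf_text, "192.168.2.0/24")`.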
 
I will try that, thank you for looking into this for me.

I feel like it's some setting I have on my router, as IPSec behaves the exact same way. From what I am seeing, Asus InstantGuard VPN is based on IPSec and it works perfectly.

These are the settings I have for IPSec.
 

Attachments: advanced.jpg, ipsecgeneral.jpg

When I reach an impasse like this, there's little more I can do than recommend you reset to factory default and manually reconfigure from scratch, making sure to reconfigure and test the problematic OpenVPN server first, just in case you do eventually create a conflict down the road. As I said, there is nothing visibly or obviously wrong to my eyes.
 
