Menu
What's new
By:
Filters Better Search

Help needed with client-side routing

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

A

andres99

Occasional Visitor
I need a site-to-site OpenVPN connection between two LANs in different locations. I have managed to get the OpenVPN connection running but there seems to be a problem with client-side routing.

The OpenVPN server is on Asuswrt-Merlin (Asus RT-AC68U). That machine is the gateway, 192.168.0.1, on the server-side LAN (192.168.0.0 / 255.255.255.0). On OpenVPN it is 192.168.5.1.

The OpenVPN client is on FreshTomato. It is running on a Linksys WRT54GL (192.168.34.202), which is *not* the gateway, on the client-side LAN (192.168.34.0 / 255.255.255.0). The client’s user name is "vpn4" and IP address on the OpenVPN is 192.168.5.2.

The gateway of the client-side LAN is a Huawei modem router with very little configurable options (192.168.34.1), and there are some more devices on the client-side LAN that I need to access from the server-side LAN.

At the moment I can ping the Linksys device (192.168.34.202) and access FreshTomato on that device over OpenVPN from the server-side LAN.

THE PROBLEM: I cannot ping or access any other devices on client-side LAN over OpenVPN from the server-side LAN. I suppose that the problem is somewhere in the client-side LAN and related to client-side routing.

VPN Client:

screenshot.2.png


and

screenshot.3.png


Current routes on VPN Client machine:

screenshot.1.png


I have not manually added any static routes to either the VPN server or the VPN client. (I tried though but none of my ideas solved the problem.)

VPN Server configuration:
TUN
UDP
VPN subnet 192.168.5.0 / 255.255.255.0
Push LAN to clients: Yes
Direct clients to redirect Internet traffic: No
Manage Client-Specific Options: Yes
Allow Client<-> Client: Yes
Allow only specified clients: No

Custom:
client-config-dir /jffs/configs/openvpn/ccd2
script-security 3
reneg-sec 0
route 192.168.34.0 255.255.255.0
push "route 192.168.34.0 255.255.255.0"

In the folder ccd2 I have a file named "vpn4" containing this:
iroute 192.168.34.0 255.255.255.0

I noticed that when I remove the route, push "route" and iroute directives from the OpenVPN server, then machines in the server-side LAN can ping (but not access) 192.168.34.1. When I add those directives to the OpenVPN server, 192.168.34.1 becomes unpingable and 192.168.34.202 (the OpenVPN client machine) becomes pingable and accessible.

Tracert from a machine on server-side LAN shows (Doomsville.KCN is the VPN server machine, which is also the gateway on the server side):

screenshot125.png


None of the numerous options I could think of during a number of hours gave me access to the client-side LAN. Any ideas how to make other devices (like 192.168.34.1 or 192.168.34.102) on the client-side LAN accessible from the server-side LAN?
 
Last edited:
So were dealing with 3 routers? Linksys, Asus, and Huawei modem router?

OpenVPN server is on Asuswrt-Merlin (Asus RT-AC68U)
Client openvpn is on Linksys.
WAN gateway is on Huawei modem router; so (double NAT) and your running automatic ip to the Linksys?

I assume their isn't any LAN devices on the gateway Huawei modem router your trying to access besides the Linksys.
 
Last edited:
DJones said:
So were dealing with 3 routers? Linksys, Asus, and Huawei modem router?
Click to expand...
Yes. The caveat is that the modem router is not very configurable. It is a small portable consumer thing (Huawei E5783B).

DJones said:
OpenVPN server is on Asuswrt-Merlin (Asus RT-AC68U)
Click to expand...
Yes.

DJones said:
Client openvpn is on Linksys.
Click to expand...
Yes, the client openvpn is on Linksys (running FreshTomato).

DJones said:
WAN gateway is on Huawei modem router; so (double NAT)
Click to expand...
Yes. The Huawei modem router is the internet gateway for the Linksys (Client OpenVPN).

DJones said:
and your running automatic ip to the Asuswrt-Merlin?
Click to expand...
I am not sure if I understand this question 100% but I suppose yes.
 
andres99 said:
I am not sure if I understand this question 100% but I suppose yes.
Click to expand...

Sorry I mean to the Linksys. Definitely sounds like a routing issue unfortunately not really my area of expertise and I'd probably take longer to figure it out just trying to understand the problem. I'm not too sure, but x3mRouting might be the way to go. Available by ssh on amtm. https://github.com/Xentrk/x3mRouting

Theirs also VPNDirector https://github.com/RMerl/asuswrt-merlin.ng/wiki/VPN-Director

github.com

Home

Third party firmware for Asus routers (newer codebase) - RMerl/asuswrt-merlin.ng
github.com github.com

Theirs manually routing also.
github.com

Policy based routing (manual method)

Third party firmware for Asus routers (newer codebase) - RMerl/asuswrt-merlin.ng
github.com github.com
github.com

Policy based Port routing (manual method)

Third party firmware for Asus routers (newer codebase) - RMerl/asuswrt-merlin.ng
github.com github.com
 
Last edited:
Thank you for the hints! I took a look at the x3mRouting utility and policy-based routing but they seem to be for AsusWRT Merlin only.

Since I can establish two-way connection to the Linksys router from the server-side LAN, I can be sure that any signal from the server-side LAN passes through the Huawei router and reaches the inside of the client-side LAN (i.e. the Linksys router, which is behind the Huawei router). And the replies from the Linksys come back to the server-side network from the inside of the client-side LAN.

Therefore I tend to think that the problem lies more probably somewhere in the client-side LAN (i.e. either in the Linksys machine or the Huawei thingy). Either (a) the signal from the server-side LAN does not reach further beyond the Linksys (i.e. does not reach other devices) or (b) it can reach even further beyond the Linksys (i.e. it reaches other devices) but any response from those devices cannot find its way back to the server-side network.

Would it really be possible to cure any such problem from the AsusWRT Merlin machine (which is the server)?

I would suppose that the most probable way to resolve this, if there is a way at all, would be to add some kind of routing directive or script to the Linksys machine, since I cannot add anything to the Huawei router.

Sorry if I posted this to the wrong section but I got really good help here with a complex OpenVPN setup a few years ago.
 
andres99 said:
Thank you for the hints! I took a look at the x3mRouting utility and policy-based routing but they seem to be for AsusWRT Merlin only.

Since I can establish two-way connection to the Linksys router from the server-side LAN, I can be sure that any signal from the server-side LAN passes through the Huawei router and reaches the inside of the client-side LAN (i.e. the Linksys router, which is behind the Huawei router). And the replies from the Linksys come back to the server-side network from the inside of the client-side LAN.

Therefore I tend to think that the problem lies more probably somewhere in the client-side LAN (i.e. either in the Linksys machine or the Huawei thingy). Either (a) the signal from the server-side LAN does not reach further beyond the Linksys (i.e. does not reach other devices) or (b) it can reach even further beyond the Linksys (i.e. it reaches other devices) but any response from those devices cannot find its way back to the server-side network.

Would it really be possible to cure any such problem from the AsusWRT Merlin machine (which is the server)?

I would suppose that the most probable way to resolve this, if there is a way at all, would be to add some kind of routing directive or script to the Linksys machine, since I cannot add anything to the Huawei router.

Sorry if I posted this to the wrong section but I got really good help here with a complex OpenVPN setup a few years ago.
Click to expand...

Assuming the layout is like this [Gateway router] -> Asus router (running dhcp & openvpn) -> Linksys client OpenVPN.

If one device (192.168.5.1) on the Asus and the other device is (192.168.5.2) is on the Linksys then the Asus router handles the dhcp server and routing of internet and lan.

If their are additional devices your trying to access on the Huawei router then that’s behind a double nat and you would need to do routing on the Huawei. ICMP Ping might still be open on these devices which is why the ping works, but smb file sharing doesn’t.

If your main devices are on the Asus router then x3mrouting or vpndirector should help. @ColinTaylor might know for sure.
 
The layout is like this, where the server side is on the left and the client side is on the right:

AsusWRT (OpenVPN server, 192.168.5.1) --- Internet (WAN) --- Client-Side gateway (Huawei) - Linksys (OpenVPN client, 192.168.5.2)

The server-side LAN is centred around the AsusWRT and the client-side LAN is centred around the Huawei. Internet traffic of the client-side network is not redirected through OpenVPN.

I need other devices behind the Huawei router to be accessible from the server side.

The Huawei has no options for routing. It has some basic options for DHCP server, Firewall (Enable/disable), port forwarding, DMZ, UPnP (on/off), NAT (only "symmetric" or "cone") and that’is it, more or less.

Everything works as needed with exactly the same setup when the Linksys (FreshTomato) is running the server but I need Linksys to run the OpenVPN client instead because I cannot afford a static WAN IP and open ports for the client-side gateway.
 
You must log in or register to reply here.

Similar threads

N
Solved OpenVPN Server split tunnell config
Replies
5
Views
374
elorimer
E
G
OpenVPN Server log, is this in error ?
Replies
7
Views
421
eibgrad
eibgrad
E
Wireguard can't access devices behind asus router
Replies
5
Views
269
ZebMcKayhan
Z
S
OpenVPN LAN access + one external IP
Replies
3
Views
275
eibgrad
eibgrad
G
Using VPN Director to route only torrent traffic through VPN
Replies
9
Views
501
goldnet
G
Similar threads
Thread starter Title Forum Replies Date
Sunny786 Help Needed: Configuring OpenVPN Server and Instant Guard on Asus GT-AX11000 with Technicolor CobraXh Modem Router Asuswrt-Merlin 11
J Help/advice needed for accessing GT-AX11000 SMB shares from WSL Asuswrt-Merlin 6
M Help needed with Asus RT-AC66U router Asuswrt-Merlin 26
el_pedr0 Please help me diagnose knotty routing problem Asuswrt-Merlin 2
T [Help] Problems setting up OpenVPN Asuswrt-Merlin 7
staralfur12 Need help with Namecheap -> Router -> Caddy Asuswrt-Merlin 10
P Asus aimesh node disconnects frequently, corresponding log entries recorded. Need help understanding the log. Asuswrt-Merlin 5
V Asus RT-AX3000 Help Asuswrt-Merlin 5
StrikerXXX Need help configuring NextDNS Asuswrt-Merlin 14
L ASUS RT-AX5400 Help Asuswrt-Merlin 1

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 782 (members: 42, guests: 740)
Top