OpenVPN client/server - reverse routing relationship?

tigerdog

Occasional Visitor
I have successfully set up an OpenVPN client from an AC68U client to an AC87U server, both running 380.69. Everything works as expected - AC68U LAN devices can access devices on the AC87U's LAN. I am forced to create the VPN in this direction because the AC68U is behind a double-NAT.

HOWEVER: I need the routing relationship to be reversed. I need devices on the AC87U LAN to be able to access the AC68U's LAN. I do not want any access from the 68 site to come back to the 87.

Is there any way to initiate the VPN from a client, but have the routing set up as if the roles are reversed?
I've been trying to understand the flow of information from the GUI to the underlying OpenVPN client and server but, really, I'm not making much progress. At this point, it seems like I might be able to brute-force my approach by turning off "push LAN to clients" and adding a targeted route, via push, to the one resource on my 87 network that I want to be reachable from the 68. What I can't figure out is how to do the equivalent in the other direction: tell the 87 to route through the tunnel to reach the 68's LAN.

Any help greatly appreciated!

It certainly looks like it should, but it does not. When I add the user, then SSH to the router, I can see the subnet is being added to the routing tables, with the next hop being the 68 end of the tunnel. However, still no connectivity.

Even more telling, when I SSH to the router, I can ping 10.8.0.1 (the 87/server end of the tunnel). I can also ping 10.8.0.2, the client/68 end of the tunnel. But nothing seems to route past 10.8.0.2. I cannot ping 192.168.226.1, the LAN interface of the 68.
When I add the user...

I assume the user you have entered into the AC87U GUI is actually 'client' or do you have a different 'COMMON NAME' for the connecting AC68U?

P.S. I also assume that you have not yet implemented your 'blocking' technique to prevent the AC68U from accessing any of the AC87U LAN resources i.e. still currently retaining the normal expected client->server access?

P.P.S. Perhaps the double NAT requires an explicit additional firewall rule on the AC68U end?
Holy poo, it's working! It seems the "allowed clients" info gets lost any time you restart the server. For some reason, it's not persistent. I discovered it was missing, re-added it, and can now ping the remote site. My server rsync is running now. It even works after I implement my routing restrictions to keep the 68 site from accessing resources on the 87 network. Huzzah!

Thank you, Martineau! You're a gentleperson and a scholar, and a damn fine WAN guru, too!
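The symptom described in this thread (the kernel route for the client's LAN is present, pings reach the client's tunnel address 10.8.0.2 but stop there, and everything works once the "allowed clients" entry is re-added) matches the classic OpenVPN route-without-iroute mismatch: a `route` line on the server tells the kernel to send the subnet into the tunnel, but only an `iroute` line in that client's client-config-dir (CCD) file tells OpenVPN which connected client owns the subnet. The POSIX shell script below is an added example, not code from the thread or from the router firmware; it builds a constructed server config and CCD directory under a temporary path (the 192.168.226.0/24 subnet is from the thread, 192.168.50.0/24 is a sample value, and the client's certificate common name `client` is assumed) and reports every `route` that has no matching `iroute`. That the GUI's "allowed clients" entries are what generate these iroute lines is my assumption, not something the thread states.

```shell
#!/bin/sh
# Added example: audit an OpenVPN server's 'route' lines against the 'iroute'
# lines in its client-config-dir. A 'route' with no 'iroute' produces exactly
# the symptom in the thread: the kernel forwards into the tunnel, OpenVPN has
# no client to hand the packet to, and nothing routes past the client's
# tunnel address. All paths, subnets and the common name are constructed.

# Escape dots so an address can be used literally inside an extended regex.
re_escape() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# Print, one per line, every "NET MASK" from a server-side 'route NET MASK'
# directive that has no 'iroute NET MASK' in any file of the CCD directory.
# Empty output means every routed client subnet is claimed by some client.
missing_iroutes() {
    conf="$1"   # server config file
    ccd="$2"    # client-config-dir
    # '^...route ' excludes 'iroute' and 'route-gateway' lines.
    grep -E '^[[:space:]]*route[[:space:]]' "$conf" |
    while read -r _kw net mask _rest; do
        net_re=$(re_escape "$net")
        mask_re=$(re_escape "$mask")
        # -s silences the error when the CCD directory is empty (glob stays literal).
        if ! grep -qsE "^[[:space:]]*iroute[[:space:]]+$net_re[[:space:]]+$mask_re([[:space:]]|\$)" "$ccd"/*; then
            printf '%s %s\n' "$net" "$mask"
        fi
    done
}

# Build a constructed server config and CCD directory in a temp dir and print
# its path. Only 192.168.226.0/24 (the AC68U LAN from the thread) gets an
# iroute; 192.168.50.0/24 is routed into the tunnel but claimed by no client.
demo_setup() {
    dir=$(mktemp -d)
    cat > "$dir/server.conf" <<'EOF'
# constructed sample server config, not the router's real file
server 10.8.0.0 255.255.255.0
client-config-dir ccd
route 192.168.226.0 255.255.255.0
route 192.168.50.0 255.255.255.0
EOF
    mkdir "$dir/ccd"
    # CCD file named after the client's certificate common name (assumed: 'client')
    cat > "$dir/ccd/client" <<'EOF'
iroute 192.168.226.0 255.255.255.0
EOF
    printf '%s\n' "$dir"
}

# Stand-alone run: report the mismatch in the constructed setup, then clean up.
demo_dir=$(demo_setup)
echo "routes with no matching iroute:"
missing_iroutes "$demo_dir/server.conf" "$demo_dir/ccd"
rm -rf "$demo_dir"
```

On a live server, point `missing_iroutes` at the running server config and its CCD directory; every subnet it prints is one the kernel will push into the tunnel but OpenVPN will drop, which is worth re-checking after any server restart given the persistence problem noted above.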