OpenVPN Static Key -- Local/Remote Endpoint Addresses...

[mdburkey]

First off, thanks for the hard work on this firmware Merlin! We appreciate you!

Next, a question....

I am trying to get a nailed OpenVPN Client connection up and running that connects to an existing server on the other end (which is running Tomato). The server on the other end is already configured and is bridging about 5 simultaneous networks together on different subnets. And I often need to have both OpenVPN clients up and running at the same time to different servers.

Using my old RT-N16 running Tomato on this end, I have no problem connecting. Unfortunately, with Asuswrt-Merlin, I can't get it to work (yet).

One question I have, is there any specific reason the firmware doesn't allow changing the local endpoint side of the client connection?

To avoid changing some IPTables scripts and configuration, it would be really nice to have both local endpoints be fully configurable (or at least in the same subnet).

Right now, if I change the client side local endpoint to anything other than 10.8.0.2 (Client 1) or 10.16.0.2 (Client 2) then after I hit apply, it reverts right back to where it was.

 

[RMerlin]

I'm not really an expert on OpenVPN itself, but aren't endpoints pushed by the server toward the client? In that case, you should be able to set the endpoint on the router running the server.

 

[mdburkey]

From my understanding, I don't think that is true if you have the "Create NAT on tunnel" option disabled. In this case, you have to have the same endpoints manually specified on each end of the VPN tunnel -- and you actually have to add the proper routing information to the Custom Configuration section (which I do) and it has to be correct for the endpoints. Basically, in static key mode with the NAT tunnel disabled, I'm pretty sure just about everything has to be specified manually -- which is why the two endpoint fields are there.

In Tomato, etc. they are fully editable and everything works. In AsusWrt-Merlin, the local side doesn't get saved whenever it is changed. I'm not sure if this is a leftover from the original AsusWrt code or not.

I downloaded the source from the Git and may nose around a bit more. My initial look at the firmware a couple of weeks ago gave me a bit of indigestion -- specifically regarding the UI portion. This makes me appreciate what you have done even more: the original UI portion of the Asus code looks, well, less than friendly, when it comes to making changes.

 

[deagle]

10.8.0.1 (local endpoint) defaults to a /32 mask, but I'm not sure what it should be.