question of vpn director rule
lgkahn

Regular Contributor
i was using vpn fusion for my system behind cg-nat.

once i setup the vpn it worked as i wanted all clients went out the vpn but only to access the specific remote subnet 192.168.11.0/24

any other destination packet went out to the normal wan..

on the flip side all clients on the remote/server side of the openvpn tunnel could ping and connect to the server on its 10.9.0.2 address..

what would be the rule in vpn director to get the same functionality.. ie only packets destined for the single remote subnet going out the vpn and the rest of the internet packets going out the wan and the 10.9.0.2 ip reachable from clients on the server 192.168.11.0 subnet?

thanks in advance.
 
Are you trying to establish a site-to-site VPN here? Because if you are, you need to configure "Manage Client-Specific Options" on the OpenVPN server, where you tell the server what IP network(s) is accessible on the client side of a particular OpenVPN client. That OpenVPN client has to be uniquely identified (by default) based on the CN (Common Name) of its cert.

P.S. I'm assuming here that the OpenVPN server side is an ASUS router.
 
I believe that is already working as i outlined it works fine in my older router using stock asus vpn fusion..

do you have any pointers on what i would need to change on the server side..

would this rule work in vpn director?

thanks in advance
 
Attachment: Screenshot 2024-07-01 120048.png
yes server side is asus gt-axe16000 running merlin
old client i am replacing is a gt-ac5300 running stock (no merlin)

replacing with newer gt-ax11000 pro.
 
what would be the rule in vpn director to get the same functionality.. ie only packets destined for the single remote subnet going out the vpn and the rest of the internet packets going out the wan and the 10.9.0.2 ip reachable from clients on the server 192.168.11.0 subnet?

What has this to do w/ the VPN Director? On the server side, presumably 10.9.0.0/24 is the tunnel IP network. So clients on the server side (192.168.11.0/24) should automatically have access to the tunnel's IP network. If they reference that IP network, it will be routed to their default gateway (e.g., 192.168.11.1), where presumably the VPN server is running, and be routed to the tunnel's network interface. It just happens automatically. Only time you would have an issue if the OpenVPN server was NOT running on the primary router of the server side.

That's why I asked if this was perhaps an attempt to have clients on the server side of the VPN reach *past* the tunnel and into the private IP network on which the OpenVPN client is running. That would be site-to-site.
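As an added illustration, not taken from the thread or from the Merlin firmware, here is what the two sides of the setup being discussed look like as plain OpenVPN directives. The Merlin GUI items map onto these: "Manage Client-Specific Options" on the server writes a client-config-dir entry containing an iroute for the client's certificate CN, and a VPN Director rule on the client with destination 192.168.11.0/24 and interface OVPN1 has the same effect as the client-side route line below. The common name "client1", the ccd path, the placeholder server hostname and the client LAN 192.168.50.0/24 (the 192.168.50.x network the thread mentions) are assumed values.

```conf
# ---- OpenVPN server (router with LAN 192.168.11.0/24) ----
# Added example; CN "client1" and ccd path are assumptions.
server 10.9.0.0 255.255.255.0            # tunnel network: server takes 10.9.0.1
topology subnet                          # with subnet topology the first client gets 10.9.0.2
push "route 192.168.11.0 255.255.255.0"  # hand the client a route to the server LAN
client-config-dir /tmp/openvpn/ccd       # per-client files, looked up by certificate CN
route 192.168.50.0 255.255.255.0         # kernel route: send the client LAN into the tun interface

# ---- /tmp/openvpn/ccd/client1 (what "Manage Client-Specific Options" produces) ----
iroute 192.168.50.0 255.255.255.0        # OpenVPN-internal route: this CN owns 192.168.50.0/24

# ---- OpenVPN client (router with LAN 192.168.50.0/24) ----
client
dev tun
remote server.example.invalid 1194       # placeholder for the server's public address
# No "redirect-gateway" here: only the route below uses the tunnel, everything else uses the WAN.
route 192.168.11.0 255.255.255.0         # same effect as VPN Director: dest 192.168.11.0/24 -> OVPN1
```

Both `route` (kernel) and `iroute` (OpenVPN's own client table) are needed on the server; without the iroute the server does not know which connected client owns 192.168.50.0/24 and drops the reply. Devices on the server LAN need nothing extra for 10.9.0.2 or 192.168.50.0/24 as long as the router running the server is their default gateway, which is the point made above.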
 
ya i know but they dont... as soon as i set up the new router i cannot ping 10.9.0.2 and i changed nothing on the server. in addition
without vpn director the clients have no access to the 192.168.11.0 network.. as i dont want ALL packets going out the vpn only those destined for the remote subnet.. so i assume the issue is on the vpn client side .. why it works in vpn fusion but not in the newer router leads me to what i alluded to .. i need to set up the routing rules in vpn director that were automatically setup and working in vpn fusion..

i do have the site to site rule in the server and it is working...

ie the server side can reach the 192.168.50.x network (at least with the older client router i am attempting to replace) ie
 
Attachment: Screenshot 2024-07-01 124042.png
Is 192.168.11.0/24 the actual IP network on which the OpenVPN server is running? IOW, it's NOT the case it's running on (for example) 192.168.2.0/24, but 192.168.11.0/24 is simply reachable from 192.168.2.0/24.

I'm suspicious because the server would normally automatically push its own IP network to the client (at least w/ Merlin firmware). You shouldn't need to specify it explicitly in Custom Config. You would only add it to Custom Config if it was some *other* reachable IP network.
 
yes that is the network it is running on..

anyway i got it working as i said using the vpn director from what i am reading here are the two sides..

without the vpn director since i did not select redirect internet traffic (set to no as i dont want all traffic going over the vpn) as i said i had only connection to the single server 192.168.11.1 and nothing else and from that side nothing could reach me.



thanks for your help..
and i now can reach the 10.9.0.2 from the server 11.0 subnet and also because of the route added the allowed clients can reach the entire 10.0 subnet which is behind my starlink cgi (pain in the butt) nat.

thanks again
 
Attachments: Screenshot 2024-07-01 183501.png, Screenshot 2024-07-01 183412.png, Screenshot 2024-07-01 190139.png