jeremyp52
New Around Here
I am really stumped on this one. I have been having a heck of a time trying to figure out why I can't ping other computers on a client's network, while I am actively using a VPN connection into my server. This is a Client <-> Client scenario:
Client/Network A 192.168.40.0 <---> Internet <---> OVPN Server ASUS router 192.168.50.0 <---> Internet <--->Client/Network B 192.168.1.0
In the example shown, Client/Network A is using a Synology DS218j as a client to the ASUS OpenVPN server. I have enabled allowing other networked computers to use the Synology's VPN connection, but I left "use default remote gateway" unchecked because I don't want that entire network's traffic, including Internet, going to my main router. That network is able to access anything on the 50.0 subnet, but nothing on the 1.0 subnet.
Client/Network B is presently a single computer connecting. It is able to see anything on my 50.0 subnet, but can only see the Synology on the 40.0 subnet (the actual client to the OpenVPN server).
I want Client A and its network on the 40.0 subnet to be able to communicate with anyone on the Client B 1.0 subnet. I also want to be able to use my iPhone/laptop/whatever, without having an iroute/push/route established for it (since I'm usually connecting from work or on the go), and be able to access either of these client networks directly. I realize it would be a one-way freedom to connect at that point.
I have an OpenVPN server, hosted at my home on an ASUS RT-AC66U B1 running Merlin. I have customized the OpenVPN setup quite a bit, beefing up the DH key to 2048 bits, and using easy-RSA to generate my own CA, server, and client certificates and keys. I then exported the OVPN file from the ASUS after entering/storing these keys, and filled in the blanks in the file (the <cert> and <key> areas) with the certs/keys specific to the clients. I also have a CCD directory set up in /jffs/configs/openvpn/ccd1/ with files named after each client's CN (common name), each containing a single line of iroute (client subnet): iroute 192.168.xxx.0 255.255.255.0
I also disabled the duplicate-cn in the Merlin build with an ovpnserver1.postconf file, which works great, enforcing only one instance of a common name at a time.
So, here's what works:
- All clients are able to talk to the server, and, if the client is one that I've set up a push/iroute/route for, then I can communicate with that client and the client-side network while I am at home on my main network.
- Each client has its own unique common name.
- I am able to access, ping, and traceroute successfully from the server-side network (50.0 subnet) to all clients and their computers.
Here's where I run into some issues:
- If I try to traceroute from any computer on either of the clients (for example, client B on the 1.0 subnet, or a random iPhone connecting in) to any other client (for example, client A, the 40.0 subnet), I am able to see the packet end up at the DiskStation, but it fails beyond that.
- The ASUS router creates 'client' routes (I believe) when I ask it to find these particular addresses (i.e., if I'm VPN'd in to the server and I try to go to the 40.0 router (192.168.40.254), it creates an entry in the ASUS VPN route table for 192.168.40.254C and logs a LEARN note in the ASUS system log).
I am attaching a myriad of pics for your viewing pleasure. Let me know if you have any ideas!
Generated OpenVPN Server config (based on both custom keys and GUI inputs in ASUS Merlin) located in /etc/openvpn/server1/config.ovpn
General client OVPN file (the cert/keys are client specific)
ASUS Routing Table
Example of me connecting to VPN on my laptop (while still technically at home and on the home network) and the OpenVPN server showing the log status when I try to visit 192.168.40.254 (client connecting to OVPN server connecting to router on a connected client's network)
ASUS VPN Server routes dynamically updated to show the recent clients I tried to access on the 40.0 subnet through another VPN client
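An added example (editor's code, not the poster's config and not part of OpenVPN or Asuswrt-Merlin): a small checker that reads an OpenVPN server config and its client-config-dir (ccd) entries and reports the pieces a routed client-to-client setup needs. Per the OpenVPN manual, every `iroute` in a ccd file needs a matching `route` in the server config (otherwise the server's kernel never sends that subnet into the tun device), `client-to-client` is what lets the server forward traffic between clients internally rather than through kernel routing and the firewall, and other clients only send traffic for a peer's subnet into the tunnel if the server pushes it with `push "route ..."` (or they add a static route themselves). The server config, ccd contents, CNs and paths below are constructed samples, not the poster's files.

```python
"""Check an OpenVPN server config plus ccd files for routed client-to-client
prerequisites. Added example; constructed sample data, not the poster's setup."""
import ipaddress
import shlex

# Constructed sample server config (a ccd dir is configured, one subnet is routed,
# only the server LAN is pushed, and client-to-client is missing).
SERVER_CONFIG = """
server 10.8.0.0 255.255.255.0
client-config-dir /jffs/configs/openvpn/ccd1
route 192.168.40.0 255.255.255.0
push "route 192.168.50.0 255.255.255.0"
"""

# Constructed sample ccd files, keyed by the client certificate CN.
CCD_FILES = {
    "synology-a": "iroute 192.168.40.0 255.255.255.0\n",
    "client-b": "iroute 192.168.1.0 255.255.255.0\n",
}


def parse_directives(text):
    """Return (directive, args) tuples; '#' and ';' start comments in OpenVPN configs."""
    out = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            parts = shlex.split(line)  # keeps the quoted push argument as one token
            out.append((parts[0], parts[1:]))
    return out


def to_network(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def networks(directives, name):
    """Subnets declared by `route A M` / `iroute A M` directives."""
    return {to_network(a[0], a[1]) for d, a in directives if d == name and len(a) >= 2}


def pushed_routes(directives):
    """Subnets the server hands to every client via push "route A M"."""
    nets = set()
    for d, args in directives:
        if d != "push" or not args:
            continue
        inner = shlex.split(args[0]) if len(args) == 1 else args
        if inner[0] == "route" and len(inner) >= 3:
            nets.add(to_network(inner[1], inner[2]))
    return nets


def check(server_config, ccd_files):
    """Return a sorted list of findings; an empty list means nothing obvious is missing."""
    server = parse_directives(server_config)
    kernel_routes = networks(server, "route")
    pushed = pushed_routes(server)
    findings = []
    if ccd_files and not any(d == "client-config-dir" for d, _ in server):
        findings.append("server config has no client-config-dir, so ccd iroute files are never read")
    if not any(d == "client-to-client" for d, _ in server):
        findings.append("client-to-client is not set: clients reach each other only via the "
                        "server's kernel routing and firewall rules")
    owners = {}
    for cn, text in ccd_files.items():
        for net in networks(parse_directives(text), "iroute"):
            if net in owners:
                findings.append(f"{net} has an iroute in both {owners[net]} and {cn}: "
                                "only one client may own a subnet")
            owners.setdefault(net, cn)
            if net not in kernel_routes:
                findings.append(f"{cn}: iroute {net} has no matching 'route "
                                f"{net.network_address} {net.netmask}' in the server config")
            if net not in pushed:
                findings.append(f"{cn}: {net} is not pushed to other clients (add push "
                                f"\"route {net.network_address} {net.netmask}\" or static routes)")
    return sorted(findings)


if __name__ == "__main__":
    for finding in check(SERVER_CONFIG, CCD_FILES) or ["no findings"]:
        print(finding)
```

Run against the sample it reports four gaps: no `client-to-client`, no `route` for client-b's 192.168.1.0/24, and neither client subnet pushed to the other clients. Adding those three kinds of lines to the server config makes the checker go quiet; the checker does not cover the remaining half of the problem, namely IP forwarding and return routes on the client-side gateways, which is what a traceroute dying at the DiskStation usually points to.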