
RT-AX88U VPN CLIENT CONNECTED Traffic goes without vpn - Solved With Asus Merlin


Andorul

Occasional Visitor
I bought a brand new RT-AX88U to be connected to an ISP ONT+Modem/Router to be a VPN router, thus serving a TV.


Problem: RT-AX88U gets a different IP from the ISP router, and with VPN Client activated a TV connected to the Asus gets the ISP Public IP


I have a ISP FiberGATEWAY

Bridge Mode ON,

DHCP ON,

Local IP 192.168.1.254,

Sub-Net 192.168.1.2 to 254

Firewall ON

IPv6 ON


RT-AX88U ethernet cable from WLAN to LAN4 in ISP FiberGateway

Operation Mode:Wireless router Firmware Version:3.0.0.4.384_7968

DHCP On

Local IP: 192.168.50.1

Sub-net 192.168.2 2 to 254

WAN Connection Type

Enable WAN Yes

Enable NAT Yes

NordVPN profile added and connected


Router 1 has a different Public IP from Router 2 (rt-ax88u)


LOG After VPN Client Connection

Both routers, ISP and Asus, have different public IPs

Jan 13 10:43:00 rc_service: httpd 6026:notify_rc restart_vpncall

Jan 13 10:43:00 vpnclient5[20657]: OpenVPN 2.4.7 arm-buildroot-linux-gnueabi [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Dec 17 2019

Jan 13 10:43:00 vpnclient5[20657]: library versions: OpenSSL 1.0.2t 10 Sep 2019, LZO 2.03

Jan 13 10:43:00 vpnclient5[20658]: WARNING: --ping should normally be used with --ping-restart or --ping-exit

Jan 13 10:43:00 vpnclient5[20658]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts

Jan 13 10:43:00 vpnclient5[20658]: NOTE: --fast-io is disabled since we are not using UDP

Jan 13 10:43:00 vpnclient5[20658]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication

Jan 13 10:43:00 vpnclient5[20658]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication

Jan 13 10:43:00 vpnclient5[20658]: TCP/UDP: Preserving recently used remote address: [AF_INET]45.152.180.11:443

Jan 13 10:43:00 vpnclient5[20658]: Socket Buffers: R=[87380->87380] S=[16384->16384]

Jan 13 10:43:00 vpnclient5[20658]: Attempting to establish TCP connection with [AF_INET]45.152.180.11:443 [nonblock]

Jan 13 10:43:01 vpnclient5[20658]: TCP connection established with [AF_INET]45.152.180.11:443

Jan 13 10:43:01 vpnclient5[20658]: TCP_CLIENT link local: (not bound)

Jan 13 10:43:01 vpnclient5[20658]: TCP_CLIENT link remote: [AF_INET]45.152.180.11:443

Jan 13 10:43:01 vpnclient5[20658]: TLS: Initial packet from [AF_INET]45.152.180.11:443, sid=bf52862e 4b4aecf4

Jan 13 10:43:01 vpnclient5[20658]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this

Jan 13 10:43:02 vpnclient5[20658]: VERIFY OK: depth=2, C=PA, O=NordVPN, CN=NordVPN Root CA

Jan 13 10:43:02 vpnclient5[20658]: VERIFY OK: depth=1, C=PA, O=NordVPN, CN=NordVPN CA4

Jan 13 10:43:02 vpnclient5[20658]: VERIFY KU OK

Jan 13 10:43:02 vpnclient5[20658]: Validating certificate extended key usage

Jan 13 10:43:02 vpnclient5[20658]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication

Jan 13 10:43:02 vpnclient5[20658]: VERIFY EKU OK

Jan 13 10:43:02 vpnclient5[20658]: VERIFY OK: depth=0, CN=us4549.nordvpn.com

Jan 13 10:43:02 vpnclient5[20658]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA

Jan 13 10:43:02 vpnclient5[20658]: [us4549.nordvpn.com] Peer Connection Initiated with [AF_INET]45.152.180.11:443

Jan 13 10:43:03 vpnclient5[20658]: SENT CONTROL [us4549.nordvpn.com]: 'PUSH_REQUEST' (status=1)

Jan 13 10:43:04 vpnclient5[20658]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 103.86.96.100,dhcp-option DNS 103.86.99.100,sndbuf 524288,rcvbuf 524288,explicit-exit-notify,comp-lzo no,route-gateway 10.7.1.1,topology subnet,ping 60,ping-restart 180,ifconfig 10.7.1.3 255.255.255.0,peer-id 0,cipher AES-256-GCM'

Jan 13 10:43:04 vpnclient5[20658]: OPTIONS IMPORT: timers and/or timeouts modified

Jan 13 10:43:04 vpnclient5[20658]: OPTIONS IMPORT: --explicit-exit-notify can only be used with --proto udp

Jan 13 10:43:04 vpnclient5[20658]: OPTIONS IMPORT: compression parms modified

Jan 13 10:43:04 vpnclient5[20658]: OPTIONS IMPORT: --sndbuf/--rcvbuf options modified

Jan 13 10:43:04 vpnclient5[20658]: Socket Buffers: R=[408320->1048576] S=[92160->1048576]

Jan 13 10:43:04 vpnclient5[20658]: OPTIONS IMPORT: --ifconfig/up options modified

Jan 13 10:43:04 vpnclient5[20658]: OPTIONS IMPORT: route options modified

Jan 13 10:43:04 vpnclient5[20658]: OPTIONS IMPORT: route-related options modified

Jan 13 10:43:04 vpnclient5[20658]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified

Jan 13 10:43:04 vpnclient5[20658]: OPTIONS IMPORT: peer-id set

Jan 13 10:43:04 vpnclient5[20658]: OPTIONS IMPORT: adjusting link_mtu to 1659

Jan 13 10:43:04 vpnclient5[20658]: OPTIONS IMPORT: data channel crypto options modified

Jan 13 10:43:04 vpnclient5[20658]: Data Channel: using negotiated cipher 'AES-256-GCM'

Jan 13 10:43:04 vpnclient5[20658]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key

Jan 13 10:43:04 vpnclient5[20658]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key

Jan 13 10:43:04 vpnclient5[20658]: TUN/TAP device tun15 opened

Jan 13 10:43:04 vpnclient5[20658]: TUN/TAP TX queue length set to 100

Jan 13 10:43:04 vpnclient5[20658]: /sbin/ifconfig tun15 10.7.1.3 netmask 255.255.255.0 mtu 1500 broadcast 10.7.1.255

Jan 13 10:43:04 vpnclient5[20658]: /etc/openvpn/ovpn-up tun15 1500 1587 10.7.1.3 255.255.255.0 init

Jan 13 10:43:04 vpnclient5[20658]: Initialization Sequence Completed
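
Added example, not part of the original thread: a small Python parser for an OpenVPN client log like the one posted above. It shows what the log does and does not prove: the tunnel came up and the server pushed a default route, which still leaves the exit IP to be checked from a LAN client. The names summarize, parse_push_reply and verdict are hypothetical, and the sample lines are taken from the log above with the PUSH_REPLY shortened.

```python
import re

# Lines taken from the log posted above (PUSH_REPLY shortened for readability).
SAMPLE_LOG = """\
Jan 13 10:43:02 vpnclient5[20658]: [us4549.nordvpn.com] Peer Connection Initiated with [AF_INET]45.152.180.11:443
Jan 13 10:43:04 vpnclient5[20658]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 103.86.96.100,dhcp-option DNS 103.86.99.100,route-gateway 10.7.1.1,topology subnet,ifconfig 10.7.1.3 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Jan 13 10:43:04 vpnclient5[20658]: TUN/TAP device tun15 opened
Jan 13 10:43:04 vpnclient5[20658]: Initialization Sequence Completed
"""

PUSH_RE = re.compile(r"PUSH: Received control message: 'PUSH_REPLY,(.*)'")
TUN_RE = re.compile(r"TUN/TAP device (\S+) opened")

def parse_push_reply(line):
    """Return pushed options as {name: [args, ...]}, or None if not a PUSH_REPLY."""
    m = PUSH_RE.search(line)
    if not m:
        return None
    opts = {}
    for item in m.group(1).split(","):
        name, _, arg = item.strip().partition(" ")
        opts.setdefault(name, []).append(arg)
    return opts

def summarize(log_text):
    """Collect the facts that matter for 'is traffic meant to use the tunnel?'."""
    s = {"completed": False, "tun": None, "redirect_gateway": False,
         "dns": [], "tunnel_ip": None, "gateway": None}
    for line in log_text.splitlines():
        opts = parse_push_reply(line)
        if opts is not None:
            s["redirect_gateway"] = "redirect-gateway" in opts
            s["dns"] = [a.split()[1] for a in opts.get("dhcp-option", [])
                        if a.startswith("DNS ")]
            s["tunnel_ip"] = opts.get("ifconfig", [""])[0].split(" ")[0] or None
            s["gateway"] = opts.get("route-gateway", [None])[0]
        m = TUN_RE.search(line)
        if m:
            s["tun"] = m.group(1)
        if "Initialization Sequence Completed" in line:
            s["completed"] = True
    return s

def verdict(s):
    if not s["completed"]:
        return "tunnel not up: fix the connection before looking at routing"
    if not s["redirect_gateway"]:
        return "tunnel up, but no default route was pushed: LAN traffic stays on WAN"
    return "tunnel up with default route pushed: confirm the exit IP from a LAN client"

if __name__ == "__main__":
    print(verdict(summarize(SAMPLE_LOG)))
```

A "connected" status in the log only covers the control side; whether the router actually applies the pushed route to LAN clients depends on the firmware's client settings.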
 
There isn't any problem or special setup needed once you have your AX88 double NATed behind your ISP's provided router. My guidelines on doing this are attached.

In looking at your description I think your subnets are not correctly setup.

Also be aware that only devices connected to the AX88 will be able to use the VPN tunnel.

After you get the double NAT working come back to the forum if you are having trouble with the VPN tunnel.
 

Attachments

  • HOWTOD~1.TXT
    4.9 KB · Views: 491
Thank you so much, as soon as I get home I'll try to disable the Bridge on Router 1 and follow your guide. The sub-nets are already different: 192.168.1.x and 192.168.50.x. The AX88U has the original firmware at this point; after getting the VPN tunnel operating maybe I'll try Merlin for having 2 VPN client connections.
 

Get the double NAT working then go for the VPN.

Merlin's firmware allows up to five VPN clients; however, with many VPN providers you can only run one instance of a VPN client on your router because they only support one port. The cherry on top of the whipped cream with Merlin's firmware is that you can run policy-based routing so some clients go WAN, others VPN. With stock firmware it is all or nothing with the VPN.
 
:''((((
Well, I've disabled the Bridge mode in ROUTER 1; now Router 2 has a private IP and the same PUBLIC IP as Router 1.
PC and TV connected to Router 2 connect to Router 1 and have internet perfectly, but the same thing occurs: NO VPN tunnel, and in "VPN - VPN CLIENT" the Connection Status is ON

The WAN IP on your second router will be a private IP in the first router's subnet. It can either be assigned from the DHCP pool or you can assign it a static IP using router one. If this isn't the case then something isn't correct in your setup. Look at my instructions again.

I run a double NAT and have no issues. In fact in my lab setup I have even run triple or quad NAT with VPNs running on all the routers.
 

"The WAN IP on your second router will be a private IP in the first router's subnet": yes, that is TRUE, but the Asus router is connected to NordVPN and NOTHING goes THROUGH the tunnel; the PC, TV and PHONE still have the ISP IP. There's no point in adding a VPN CLIENT PROFILE.

"Once you have router2 up and running" is with wlan IP given by router 1. I've done what you said; the difference is 192.168.75 to 192.168.50
:(o_O:oops:
I bought the router just for that reason :(
 
Running a VPN on your router does not change the WAN IP shown on your router's network map page. Look at the WAN IP shown on the network map page on your router then go to the site ipinfo.io and see what that returns for an IP and a location. If they don't match then your VPN is working.

If that doesn't work then post a screen shot of your setup for whatever VPN client you are using. Cross out any information that you don't want to be public.
 

++My problem is the VPN not working. I have internet on router 2 and everything works perfectly except the AX88U DOES NOT SEND TRAFFIC BY VPN; my IP is the same with OR without the VPN CLIENT connected in the ASUS RT-AX88U (My Router 2).
I want to VPN all traffic of all devices connected to the Asus RT-AX88U (router 2); the problem, I think, is that the AX88U doesn't send the internet traffic to NordVPN.
 
Send a screen shot of your settings.
 
Based on the photos you sent the main problem is that you have set up a VPN SERVER instead of what you said you wanted to do and run NordVPN on your router as a VPN CLIENT.

A VPN SERVER will let you connect to your router from outside your home on the WAN. To make it work on your double NATed router you will need to set up a port forward on your first router.

OTHER RECOMMENDATIONS:

1. Disable UPnP (Security)

2. Set connect DNS server as AUTO

3. Shrink your IP pool for assignment so if you choose to use manual IPs you have some available; 192.168.50.100 - 192.168.50.200 is more than enough.

4. Delete 1.1.1.1 from DNS & WINS

5. Enable DHCP Manual (if you want the ability to assign manual/static IPs). If you run Merlin and policy-based routing you need to assign devices static IPs.

If you turn on the VPN client and upload the OVPN file from NordVPN you should be able to get it working on your router. Check to see if NordVPN has a FAQ section where they show you step by step what you have to do. For most providers the setup is simple.
 

Sorry, but how is that possible? In the photos I'm in the VPN CLIENT tab. It says VPN Clients are often used to connect to a VPN SERVER.
"The AsusWRT VPN FEATURE provides ACCESS to all devices in a home network WITHOUT HAVING TO INSTALL VPN software"

I'M IN VPN CLIENT WITH NORDVPN PROFILE CREATED WITH LOGIN AND OVPN FILE UPLOADED

I know what a VPN SERVER is; I already made one on my NAS and it works perfectly. Now I just want the Asus AX88U to VPN all my internet traffic to NordVPN.
 
OK I enlarged the picture and while it looks like the VPN server page on an AC1900 or AC86 you actually have set up a client. Sorry, never seen a screen shot from an AX88.

Send a picture of where you set up the client showing your settings and I will take a look at them and see if I can offer any suggestions.

Also to get the VPN to work you probably need to make some of the other changes I suggested.
 
I'm not at home right now, but the VPN CLIENT CONFIGURATION I MADE was like I saw in this ASUS TUTORIAL https://www.asus.com/US/support/FAQ/1011232?SearchKey=Vpn client/

I looked at the tutorial and it was fine for PPTP. Nothing about OpenVPN and where to import certificates or paste them or any custom settings required for OpenVPN from NordVPN.

How do you know that you have a VPN tunnel up and running? I have attached a screenshot from my AC86 showing what I see for one of my VPN clients when it is running. Where the blue is on my screenshot is where the public IP assigned by NordVPN to you would appear. To the right is the private IP assigned by the router to clients on your LAN. Also I have attached a copy of what my settings page looks like using Merlin on an AC86.
Attachments: VPN Status_LI.jpg, OpenVPN Client Settings_LI.jpg
 
Well, I flashed Asus Merlin and that solved the issue. Looks like the official Asus WRT only has a PPTP client compared to Merlin. Now it's all working fine.
 
