Setting up OpenVPN client

Armandooooo

Occasional Visitor
Hi all,

I just bought for the first time ever an ASUS router, the GT-AX6000. I am using the release 388_2_2_rog, and I am not familiar with it yet, hence asking for help.
I have an OpenVPN server in France that I want to connect to from Australia. It is configured on the server side and I am using OpenVPN GUI from my laptop if I need to establish the connection, and it is working properly, no issue. My wish is to use the Asus router to connect as a client so I don't need to install OpenVPN GUI everywhere.

It seems at first that the connection is established, because in VPN status tab I get OpenVPN OpenVPN Bridge Freebox - Connected (xx.xx.xxx.xxx tcp-client:60448).
However just below in statistics I see:
  • Public IP "blank"
  • Local IP 0.0.0.0
On the VPN Client tab, just aside the service state ON it is written Connected (Local: 0.0.0.0 - Public: ) Refresh

I have looked at the system log and see Initialization Sequence Completed, which sounds good.

Below are the logs:
Aug 2 21:59:54 rc_service: httpd 3049:notify_rc start_vpnclient1
Aug 2 21:59:54 kernel: br0: port 8(tap11) entered blocking state
Aug 2 21:59:54 kernel: br0: port 8(tap11) entered disabled state
Aug 2 21:59:54 kernel: device tap11 entered promiscuous mode
Aug 2 21:59:54 ovpn-client1[11360]: OpenVPN 2.6.3 arm-buildroot-linux-gnueabi [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Aug 2 21:59:54 ovpn-client1[11360]: library versions: OpenSSL 1.1.1t 7 Feb 2023, LZO 2.10
Aug 2 21:59:54 ovpn-client1[11361]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Aug 2 21:59:54 ovpn-client1[11361]: TCP/UDP: Preserving recently used remote address: [AF_INET]xx.xx.xxx.xxx:60448
Aug 2 21:59:54 ovpn-client1[11361]: Socket Buffers: R=[131072->131072] S=[16384->16384]
Aug 2 21:59:54 ovpn-client1[11361]: Attempting to establish TCP connection with [AF_INET]xx.xx.xxx.xxx:60448
Aug 2 21:59:54 ovpn-client1[11361]: TCP connection established with [AF_INET]xx.xx.xxx.xxx:60448
Aug 2 21:59:54 ovpn-client1[11361]: TCPv4_CLIENT link local: (not bound)
Aug 2 21:59:54 ovpn-client1[11361]: TCPv4_CLIENT link remote: [AF_INET]xx.xx.xxx.xxx:60448
Aug 2 21:59:55 ovpn-client1[11361]: TLS: Initial packet from [AF_INET]xx.xx.xxx.xxx:60448, sid=4265d38f ea396d0e
Aug 2 21:59:55 ovpn-client1[11361]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Aug 2 21:59:55 ovpn-client1[11361]: VERIFY OK: depth=1, C=FR, O=Freebox SA, CN=Freebox OpenVPN server CA for c6083f3b97f1eee0acd184d0bc441642
Aug 2 21:59:55 ovpn-client1[11361]: VERIFY KU OK
Aug 2 21:59:55 ovpn-client1[11361]: Validating certificate extended key usage
Aug 2 21:59:55 ovpn-client1[11361]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Aug 2 21:59:55 ovpn-client1[11361]: VERIFY EKU OK
Aug 2 21:59:55 ovpn-client1[11361]: VERIFY X509NAME OK: C=FR, O=Freebox SA, CN=Freebox OpenVPN server c6083f3b97f1eee0acd184d0bc441642
Aug 2 21:59:55 ovpn-client1[11361]: VERIFY OK: depth=0, C=FR, O=Freebox SA, CN=Freebox OpenVPN server c6083f3b97f1eee0acd184d0bc441642
Aug 2 21:59:56 ovpn-client1[11361]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
Aug 2 21:59:56 ovpn-client1[11361]: [Freebox OpenVPN server] Peer Connection Initiated with [AF_INET]xx.xx.xxx.xxx:60448
Aug 2 21:59:56 ovpn-client1[11361]: TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
Aug 2 21:59:56 ovpn-client1[11361]: TLS: tls_multi_process: initial untrusted session promoted to trusted
Aug 2 21:59:56 ovpn-client1[11361]: PUSH: Received control message: 'PUSH_REPLY,ping 30,ping-restart 120,peer-id 0,cipher AES-256-GCM'
Aug 2 21:59:56 ovpn-client1[11361]: TUN/TAP device tap11 opened
Aug 2 21:59:56 ovpn-client1[11361]: TUN/TAP TX queue length set to 1000
Aug 2 21:59:56 ovpn-client1[11361]: ovpn-up 1 client tap11 1500 0 init
Aug 2 21:59:56 kernel: br0: port 8(tap11) entered blocking state
Aug 2 21:59:56 kernel: br0: port 8(tap11) entered listening state
Aug 2 21:59:56 dnsmasq[3860]: read /etc/hosts - 22 names
Aug 2 21:59:56 dnsmasq[3860]: using nameserver 111.220.1.1#53
Aug 2 21:59:56 dnsmasq[3860]: using nameserver 111.220.2.2#53
Aug 2 21:59:56 dnsmasq[3860]: using nameserver 111.220.1.1#53
Aug 2 21:59:56 dnsmasq[3860]: using nameserver 111.220.2.2#53
Aug 2 21:59:56 ovpn-client1[11361]: Data Channel: cipher 'AES-256-GCM', peer-id: 0
Aug 2 21:59:56 ovpn-client1[11361]: Timers: ping 30, ping-restart 120
Aug 2 21:59:58 ovpn-client1[11361]: NOTE: unable to redirect IPv4 default gateway -- VPN gateway parameter (--route-gateway or --ifconfig) is missing
Aug 2 21:59:58 ovpn-client1[11361]: Initialization Sequence Completed
Aug 2 21:59:59 kernel: br0: port 8(tap11) entered learning state
Aug 2 22:00:01 kernel: br0: port 8(tap11) entered forwarding state
Aug 2 22:00:01 kernel: br0: topology change detected, propagating
Aug 2 22:00:29 dnsmasq-dhcp[3860]: DHCPDISCOVER(br0) 8c:97:ea:0d:aa:35
Aug 2 22:00:29 dnsmasq-dhcp[3860]: DHCPOFFER(br0) 192.168.50.111 8c:97:ea:0d:aa:35
Aug 2 22:00:29 dnsmasq-dhcp[3860]: DHCPREQUEST(br0) 192.168.0.44 8c:97:ea:0d:aa:35
Aug 2 22:00:29 dnsmasq-dhcp[3860]: DHCPNAK(br0) 192.168.0.44 8c:97:ea:0d:aa:35 wrong server-ID
Aug 2 22:00:29 dnsmasq-dhcp[3860]: DHCPREQUEST(br0) 192.168.0.44 8c:97:ea:0d:aa:35
Aug 2 22:00:29 dnsmasq-dhcp[3860]: DHCPNAK(br0) 192.168.0.44 8c:97:ea:0d:aa:35 wrong server-ID

A few things I could not figure out from the different things I read:
  1. Redirect Internet traffic through tunnel: I don't see the option "VPN Director" despite having set specific rules
  2. I tried to put Yes (all) to Redirect Internet traffic through tunnel just to force it and see if I would get a local IP address.
  3. I have heard in other places that there is a bug with the OpenVPN client: if you don't set it up correctly the first time, you have to do a hard reset. Not sure if this is true.
As I have the OpenVPN GUI working, I am certain it is not an issue on the computer or the server side.

Can anyone help?
Thank you
 
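Reading the log pasted above, the PUSH_REPLY at 21:59:56 carries only ping, ping-restart, peer-id and cipher, and two lines later the client notes that no --route-gateway or --ifconfig was received, in the same session the GUI reports as Local: 0.0.0.0. The Python script below is an added example, not code from this thread or from the Asuswrt firmware: it parses lines in the router's syslog format and separates what the log proves (server certificate chain verified, TLS 1.3 control channel, AES-256-GCM data channel) from what it does not (an address or gateway pushed by the server). The sample lines are copied from the post above; the report keys and the regular expressions are my own.

```python
import re

# Lines copied from the OP's log above (a representative subset).
SAMPLE_LOG = """\
Aug 2 21:59:55 ovpn-client1[11361]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Aug 2 21:59:55 ovpn-client1[11361]: VERIFY OK: depth=1, C=FR, O=Freebox SA, CN=Freebox OpenVPN server CA for c6083f3b97f1eee0acd184d0bc441642
Aug 2 21:59:55 ovpn-client1[11361]: VERIFY EKU OK
Aug 2 21:59:55 ovpn-client1[11361]: VERIFY OK: depth=0, C=FR, O=Freebox SA, CN=Freebox OpenVPN server c6083f3b97f1eee0acd184d0bc441642
Aug 2 21:59:56 ovpn-client1[11361]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
Aug 2 21:59:56 ovpn-client1[11361]: PUSH: Received control message: 'PUSH_REPLY,ping 30,ping-restart 120,peer-id 0,cipher AES-256-GCM'
Aug 2 21:59:56 ovpn-client1[11361]: TUN/TAP device tap11 opened
Aug 2 21:59:56 ovpn-client1[11361]: Data Channel: cipher 'AES-256-GCM', peer-id: 0
Aug 2 21:59:58 ovpn-client1[11361]: NOTE: unable to redirect IPv4 default gateway -- VPN gateway parameter (--route-gateway or --ifconfig) is missing
Aug 2 21:59:58 ovpn-client1[11361]: Initialization Sequence Completed
"""

# Syslog prefix used by the router: "<Mon> <day> <time> ovpn-clientN[pid]: <message>"
LINE_RE = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d ovpn-client\d+\[\d+\]: (?P<msg>.*)$")
PUSH_RE = re.compile(r"PUSH: Received control message: '(?P<body>[^']*)'")


def parse_push_reply(msg):
    """Turn a PUSH_REPLY log line into {option: [arguments, ...]}; None if it is not one."""
    m = PUSH_RE.search(msg)
    if not m:
        return None
    parts = [p.strip() for p in m.group("body").split(",")]
    if parts[0] != "PUSH_REPLY":
        return None
    opts = {}
    for item in parts[1:]:
        name, _, args = item.partition(" ")
        opts.setdefault(name, []).append(args)
    return opts


def triage(log_text):
    """Summarise what an OpenVPN client log proves about a session."""
    report = {
        "server_cert_verified": False,  # VERIFY OK at depth=0 (the server's own certificate)
        "control_channel": None,        # TLS version and cipher suite negotiated
        "data_channel": None,           # cipher protecting the tunnelled packets
        "device": None,                 # tunN (routed) or tapN (bridged)
        "pushed": {},                   # options the server pushed
        "address_pushed": False,        # did the server push --ifconfig or --route-gateway?
        "gateway_note": False,          # client said it could not redirect the default gateway
        "init_completed": False,
        "warnings": [],
    }
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # kernel, dnsmasq and other daemons are ignored here
        msg = m.group("msg")
        if msg.startswith("VERIFY OK: depth=0"):
            report["server_cert_verified"] = True
        elif msg.startswith("Control Channel: "):
            report["control_channel"] = msg[len("Control Channel: "):]
        elif msg.startswith("Data Channel: "):
            report["data_channel"] = msg[len("Data Channel: "):]
        elif msg.startswith("TUN/TAP device "):
            report["device"] = msg.split()[2]
        elif msg.startswith("PUSH: Received control message"):
            opts = parse_push_reply(msg) or {}
            report["pushed"] = opts
            report["address_pushed"] = "ifconfig" in opts or "route-gateway" in opts
        elif msg.startswith("NOTE: unable to redirect IPv4 default gateway"):
            report["gateway_note"] = True
        elif msg.startswith("Initialization Sequence Completed"):
            report["init_completed"] = True
        elif msg.startswith("WARNING: "):
            report["warnings"].append(msg[len("WARNING: "):])
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key:22} {value}")
```

Run it against a full copy of the system log; "Initialization Sequence Completed" only means the control channel came up, so a report with init_completed set but address_pushed unset is exactly the case to look at next.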
You cannot use VPN Director with a bridged (TAP) connection. Change your server and client to a routed (TUN) connection.
 
You cannot use VPN Director with a bridged (TAP) connection. Change your server and client to a routed (TUN) connection.
Hi, I can certainly use my OpenVPN client right now on my laptop for what I need, or maybe I don't fully grasp your statement. Do you mean I cannot use bridged (TAP) connection with the Asus router?
 
Do you mean I cannot use bridged (TAP) connection with the Asus router?
I mean VPN Director works by selectively modifying the routing between LAN clients and the upstream VPN servers (or WAN). Therefore the router's VPN client must be a routed connection and not a bridged connection. That's why the VPN Director (policy rules) option only appears in the GUI when TUN is selected as the Interface Type.
 
I mean VPN Director works by selectively modifying the routing between LAN clients and the upstream VPN servers (or WAN). Therefore the router's VPN client must be a routed connection and not a bridged connection. That's why the VPN Director (policy rules) option only appears in the GUI when TUN is selected as the Interface Type.
I got you. It does not explain why it does not work, but it explains why I don't see VPN Director in the drop-down list.
Do you have any clue why my OpenVPN connection does not give me a local IP address?
 
I don't know why your connection isn't working, but I don't tend to use bridged connections myself. If your ultimate objective is to use policy routing then I suggest you set up a second VPN server on a different port that uses TUN and try to get that to work.

Bear in mind that with a TAP connection both sides of the tunnel must be using the same subnet (e.g. 192.168.50.0/24) and for there to be no IP conflicts. Whereas with a TUN connection each side of the tunnel must be using different subnets (e.g. 192.168.50.0/24 and 192.168.60.0/24).
 
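The subnet rule in the reply above is easy to get wrong in both directions, so here is an added Python example (mine, not code from the thread or the firmware) that applies it with the standard ipaddress module: the TAP check requires one shared subnet and no address in use on both sides, the TUN check requires that every subnet involved is distinct and non-overlapping. The TUN check also accepts the tunnel's own transport subnet as an extra argument, which goes beyond the two LANs the reply names. Addresses in the sample run are constructed, apart from the 192.168.50.111 / 192.168.0.44 pair taken from the DHCP lines in the OP's log.

```python
import ipaddress


def check_tap(local_net, remote_net, local_hosts=(), remote_hosts=()):
    """Bridged (TAP) tunnel: both LANs become one broadcast domain, so they must
    use the same subnet and no address may be in use on both sides.
    Returns (ok, reason)."""
    local = ipaddress.ip_network(local_net, strict=True)
    remote = ipaddress.ip_network(remote_net, strict=True)
    if local != remote:
        return False, f"TAP: both sides must share one subnet, got {local} and {remote}"
    outside = [h for h in (*local_hosts, *remote_hosts) if ipaddress.ip_address(h) not in local]
    if outside:
        return False, "TAP: hosts outside the shared subnet: " + ", ".join(outside)
    clash = {ipaddress.ip_address(h) for h in local_hosts} & {ipaddress.ip_address(h) for h in remote_hosts}
    if clash:
        return False, "TAP: address used on both sides: " + ", ".join(str(a) for a in sorted(clash))
    return True, f"TAP: single subnet {local}, no conflicts"


def check_tun(*subnets):
    """Routed (TUN) tunnel: every network the router routes between must be
    distinct and non-overlapping. The reply names the two LANs; the tunnel's
    own transport subnet (e.g. 10.8.0.0/24, constructed) may be passed too."""
    nets = [ipaddress.ip_network(s, strict=True) for s in subnets]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                return False, f"TUN: {a} overlaps {b}; pick distinct subnets"
    return True, "TUN: " + ", ".join(map(str, nets)) + " are distinct"


if __name__ == "__main__":
    print(check_tap("192.168.50.0/24", "192.168.50.0/24", ["192.168.50.10"], ["192.168.50.10"]))
    print(check_tap("192.168.50.0/24", "192.168.50.0/24", ["192.168.50.111"], ["192.168.0.44"]))
    print(check_tun("192.168.50.0/24", "192.168.60.0/24"))
    print(check_tun("192.168.0.0/16", "192.168.60.0/24"))  # "different" is not enough: /16 contains the /24
```

Note that check_tun rejects 192.168.0.0/16 against 192.168.60.0/24 even though the two strings differ; the requirement is no overlap, not merely a different prefix.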
I don't know why your connection isn't working, but I don't tend to use bridged connections myself. If your ultimate objective is to use policy routing then I suggest you set up a second VPN server on a different port that uses TUN and try to get that to work.

Bear in mind that with a TAP connection both sides of the tunnel must be using the same subnet (e.g. 192.168.50.0/24) and for there to be no IP conflicts. Whereas with a TUN connection each side of the tunnel must be using different subnets (e.g. 192.168.50.0/24 and 192.168.60.0/24).
I was able to make it work thanks to you.
Now that I am able to use the tunnel, and because my primary objective is to get access to a single web page through the VPN, is there a way to limit the router to go over the tunnel just for that use case?
 
I think you should be able to create a VPN Director rule that says the IP address of the webpage ("Remote IP") is reachable through the VPN. Then another "catchall" rule that says everything else goes out the WAN as normal. Are you specifically trying to block access to other IPs on the remote network?

 
So one part of the LAN is my home and the other part is my mom's home. I am in Australia and she is in France. The OpenVPN I want to use is for me to have a French IP address so I can access TV channel replay (please don't judge) :rolleyes:

So I want all computers in my home ideally having the ability to stream the replay, but right now all the traffic is sent through my mom's VPN, which ends up slowing everything down. So if I can somehow limit the use of the VPN just for a specific internet web page that would be perfect. Otherwise my only other option is to set a specific machine rule and have to enable/disable it whenever required.

I hope that makes sense.
 
That's quite a common use case. The problem some people find is that the "web page" (e.g. Netflix) they're trying to route through the VPN often doesn't have a fixed IP address. In which case perhaps if you defined a static IP address in your local hosts file for the "web page" that might work with VPN Director's rules.
 
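The replies above describe three policy-routing shapes: a "Remote IP" rule plus a catch-all, a per-machine rule, and the caveat that a service without a fixed address slips past a single-IP rule unless its name is pinned in the hosts file. The Python below is an added example of mine that models those rules as first-match lookups; it is not VPN Director's implementation (the firmware's precedence between rule types is not modelled), and the rule names, the "OVPN1"/"WAN" labels, the hostname replay.example and the documentation-range addresses are all constructed. The uncovered_addresses function is the check a practitioner wants before trusting a single-IP rule: feed it the addresses the name has been seen to resolve to and see which ones would leave via the WAN.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    description: str
    local: Optional[str]   # LAN source host or subnet; None matches any
    remote: Optional[str]  # destination host or subnet; None matches any
    iface: str             # where matching traffic goes, e.g. "OVPN1" or "WAN" (labels assumed)


def _matches(pattern, addr):
    if pattern is None:
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)


def select_interface(rules, src, dst):
    """First matching rule wins (assumed ordering). None means no rule applied."""
    for rule in rules:
        if _matches(rule.local, src) and _matches(rule.remote, dst):
            return rule.iface
    return None


def uncovered_addresses(rules, resolved, src, vpn_iface="OVPN1"):
    """Which of the addresses a service name has been seen to resolve to would
    NOT leave via the tunnel under this rule set? Non-empty means the
    'one web page through the VPN' rule has a gap."""
    return [a for a in resolved if select_interface(rules, src, a) != vpn_iface]


def hosts_pin_line(hostname, ip):
    """/etc/hosts entry pinning the name to one address. dnsmasq on the router
    reads /etc/hosts (the OP's log shows 'read /etc/hosts - 22 names'), so LAN
    clients that use the router's DNS get this fixed answer and the single-IP
    rule then covers every lookup for that name."""
    return f"{ipaddress.ip_address(ip)} {hostname}"


# Constructed sample data: TEST-NET ranges stand in for the replay service.
SINGLE_IP_RULES = [
    Rule("replay site via VPN", None, "203.0.113.10", "OVPN1"),
    Rule("everything else via WAN", None, None, "WAN"),
]
SUBNET_RULES = [
    Rule("replay CDN block via VPN", None, "203.0.113.0/24", "OVPN1"),
    Rule("everything else via WAN", None, None, "WAN"),
]
PER_DEVICE_RULES = [
    Rule("only the TV box via VPN", "192.168.50.42", None, "OVPN1"),
    Rule("everything else via WAN", None, None, "WAN"),
]
# Addresses the service name was (hypothetically) observed to resolve to on different days.
RESOLVED = ["203.0.113.10", "203.0.113.11", "198.51.100.7"]

if __name__ == "__main__":
    print(uncovered_addresses(SINGLE_IP_RULES, RESOLVED, "192.168.50.10"))
    print(uncovered_addresses(SUBNET_RULES, RESOLVED, "192.168.50.10"))
    print(select_interface(PER_DEVICE_RULES, "192.168.50.42", "198.51.100.7"))
    print(hosts_pin_line("replay.example", "203.0.113.10"))
```

Widening the remote rule to a subnet closes part of the gap; pinning the name in /etc/hosts closes it for clients that resolve through the router, at the cost of breaking whenever the service stops answering on the pinned address.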