Menu
What's new
By:
Filters Better Search

Site-to-site OpenVPN without both sides in the same-numbered IP subnet?

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

K

kensey

New Around Here
I'm trying to set up site-to-site VPN between my office and home, but I have a couple of issues that mean I can't set it up in the config the tutorial article for that uses:

  • Office network is not numbered the same as home (192.168.33.0/24 at the office, 192.168.1.0/24 at home). I can't renumber the office network and don't want to renumber home (last time I did that some of our devices had issues for days, I think because they didn't handle DHCP lease changes or ARP or something properly).
  • Office network is not directly connected to the Internet (my office has its own subnet, routed from the building';s core network which, just to note, is also not 192.168.1.0/24).

So what I'm trying to set up is:

Code: 
[192.168.33.0/24] <---> [192.168.19.0/24] <---> (Internet) <---> [192.168.1.0/24]
        ^                                                                ^
        |                                                                |
        +--------------------------- [VPN subnet] -----------------------+

Both routers are Asus -- the home router is an AC3200 and the office is an old N66U, each running latest official Merlin for their respective hardware. (The N66U will probably go to the fork that's continuing support for it soon, but I haven't done that yet.)

My first thought was, just OpenVPN the office router to the home router. That worked, but only one way -- I can access things at home from the office, but not vice-versa, even after setting up routing rules for each side to gateway to the other through the VPN. I can ping the office router's client VPN-side address from home, but not its IP in its own subnet or anything beyond -- those just get dropped. I tried monkeying with the office router's iptables directly to just blanket-allow anything coming from the VPN or the home network, but that didn't work.

  1. It seems like the VPN software itself is just dropping connection-opening incoming packets from the other side of the VPN, regardless of iptables rules or anything else.
  2. Assuming 1) is correct, is there an option or custom config or something I can set that will allow incoming packets to the office side to get through?
  3. If the answer to 2) is "no", what have people done to get past this sort of thing? Running a VPN connection back to the office from home through an SSH tunnel going over the VPN probably would work, but in the same way that driving cross-country in reverse works. I have a DigitalOcean account and I'm not opposed to running VPN traffic through an SSH reverse tunnel from a cloud instance, but that feels like a good way to run up a hefty transfer bill.
 
Last edited:
I'm going to assume you've configured a "routed" (tun) OpenVPN tunnel, and NOT a "bridged" (tap) OpenVPN tunnel.

When configuring for site-to-site, in order for devices behind the OpenVPN server to access devices behind the OpenVPN client, you have to add an iroute directive to the CCD file for that OpenVPN client (based on the common name of the client's cert) that tells the OpenVPN server what network lies behind that particular client (after all, in theory, there could me *many* OpenVPN clients connecting to that server, and the server has no idea what network(s) lie behind any given OpenVPN client). Merlin and similar tomato based routers make this easier to implement by using the "Manage Client-Specific Options" field of the OpenVPN server (enable Advanced Settings). It's there that you specify the network that lies behind the OpenVPN client w/ the specified common name.
 
kensey said:
I'm trying to set up site-to-site VPN between my office and home, but I have a couple of issues that mean I can't set it up in the config the tutorial article for that uses:

  • Office network is not numbered the same as home (192.168.33.0/24 at the office, 192.168.1.0/24 at home). I can't renumber the office network and don't want to renumber home (last time I did that some of our devices had issues for days, I think because they didn't handle DHCP lease changes or ARP or something properly).
  • Office network is not directly connected to the Internet (my office has its own subnet, routed from the building';s core network which, just to note, is also not 192.168.1.0/24).

So what I'm trying to set up is:

[192.168.33.0/24] <---> [192.168.19.0/24] <---> (Internet) <---> [192.168.1.0/24]
^ ^
| |
+--------------------------- [VPN subnet] -----------------------+

Both routers are Asus -- the home router is an AC3200 and the office is an old N66U, each running latest official Merlin for their respective hardware. (The N66U will probably go to the fork that's continuing support for it soon, but I havenn't done that yet.)

My first thought was, just OpenVPN the office router to the home router. That worked, but only one way -- I can access things at home from the office, but not vice-versa, even after setting up routing rules for each side to gateway to the other through the VPN. I can ping the office router's client VPN-side address from home, but not its IP in its own subnet or anything beyond -- those just get dropped. I tried monkeying with the office router's iptables directly to just blanket-allow anything coming from the VPN or the home network, but that didn't work.

  1. It seems like the VPN software itself is just dropping connection-opening incoming packets from the other side of the VPN, regardless of iptables rules or anything else.
  2. Assuming 1) is correct, is there an option or custom config or something I can set that will allow incoming packets to the office side to get through?
  3. If the answer to 2) is "no", what have people done to get past this sort of thing? Running a VPN connection back to the office from home through an SSH tunnel going over the VPN probably would work, but in the same way that driving cross-country in reverse works. I have a DigitalOcean account and I'm not opposed to running VPN traffic through an SSH reverse tunnel from a cloud instance, but that feels like a good way to run up a hefty transfer bill.
Click to expand...

If you add the office 192.168.33.0/24 subnet(s) to your home OpenVPN server does this not work?

upload_2019-3-30_7-2-24.png
 
Great stuff! I don't want to mess with it remotely but as soon as I'm back in the office on Tuesday I'll be checking out what works. Thanks folks!
 
You must log in or register to reply here.

Similar threads

F
OpenVPN client not resolving server local DNS names
Replies
9
Views
3K
felixdd
F
E
Wireguard can't access devices behind asus router
Replies
5
Views
268
ZebMcKayhan
Z
C
Connection to router by ip fails while remote over OpenVPN
Replies
17
Views
446
elorimer
E
D
Asus GT-AX11000 (3004.388.4_beta3) OPENVPN Server help needed vith Site to Site
Replies
14
Views
2K
Martinski
M
S
OpenVPN LAN access + one external IP
Replies
3
Views
275
eibgrad
eibgrad
Similar threads
Thread starter Title Forum Replies Date
M OpenVPN / site to site with special security/routing constraints Asuswrt-Merlin 7
N Wireguard Site to Site problem with clients Asuswrt-Merlin 11
visortgw asuswrt-merlin.net Website Site Down? Asuswrt-Merlin 18
johndoe85 VPN site to site with additional VPN client to hide IP Asuswrt-Merlin 14
S RT-AC68W Firmware Upgrade download site link doesn't work Asuswrt-Merlin 4
PR3MIUM WireGuard removing OpenVPN on ASUS Routers ? Asuswrt-Merlin 2
T [Help] Problems setting up OpenVPN Asuswrt-Merlin 7
N dedicated router for OpenVPN Asuswrt-Merlin 4
N Solved OpenVPN Server split tunnell config Asuswrt-Merlin 5
C Connection to router by ip fails while remote over OpenVPN Asuswrt-Merlin 17

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 616 (members: 23, guests: 593)
Top