Site-to-site VPN with asuswrt-merlin

n0b0dy

New Around Here
Hi,

I want to create a site-to-site VPN connection with 2 Asus routers running asuswrt-merlin 380.58.

1. network = Asus RT-AC88U (192.168.1.1 with DHCP on) (OpenVPN server) [VPN IP for clients 10.20.0.X]
2. network = Asus RT-AC3200 (192.168.2.1 with DHCP on) (OpenVPN client)

I have a stable VPN connection through the TUN interface. I can ping all IPs inside the server's LAN from the client network (192.168.2.50 can ping 192.168.1.20). If the client is connected, I can ping 10.20.0.2 from the server's LAN, but I cannot ping or access clients 192.168.2.x which are in the client network. How to do this?

Thank you all very much!
 
You can do a static route on router 1 which would let you log onto router 2's web interface.
You will not be able to network to other computers because they are 2 separate networks.
The only thing you can really do is to set up an FTP server on router 2 in order to have access to all files from other computers.
 

What if I want to have full access including Samba? I have seen that I don't have access to Samba file shares through the VPN! Is TAP and/or 1 subnet the solution?

How to set up the route right?
https://onedrive.live.com/redir?resid=B7D5B868722CF32A!37771&authkey=!APSOo_YPhQuUDT8&v=3&ithint=photo,png

Thx!
 
A static route will only get you to see the web interface of the other router; it won't help you in what you need to do.
You cannot use the Samba servers the way you would like. You can access only by FTP.
Routers are hardwired devices; it would be nice to have some patch cords with different ins and outs, and then we could route as we please like they do with audio consoles.
Your setup will not work the way you want it to; it's just the way it is.
 
Router 2 can see router 1, but router 1 cannot see router 2.
If you have 4 routers LAN to WAN, router 4 would be able to see 3, 2, 1,
but router 1 could see 2, 3 but not 4.
The last router on the chain can see up, but not the other way around.
What you can do is put the Samba server and network on router 2, which is your client router; you will still be able to connect to the server, but you can access Samba and the network for the second router.
So basically put your network PCs and Samba on the second router (2.1) and use router 1 for your VPN server.

Can you paint a better picture of your setup and what you are trying to achieve?
Where are the routers? Are they in the same room, house, building? Are they in the same city or country?

Because normally one would have 2 modems to achieve this, with routers not in the same location.
For example:
Your work is in one area and you set up a VPN server with a network and Samba, and you want to access your server via a VPN client from another location;
then you would be able to do exactly what you want.
The problem is using the same modem and trying to access a network from the 1st router; that will never work.
When you chain routers WAN to LAN it is physically impossible to see Samba or the network of the 1st router,
but you can set up an FTP on router 1 and access everything that way, which will work with no problems.
I don't see why that is an issue, as both routers have FTP servers built in and you can access them via the VPN as well.
Hope that helps.

Try reversing the setup. Put the VPN server on 2.1 and the client on 1.1 and see what happens.
It may work. I am speculating, but if you were able to ping the addresses when you're connected to the tunnel, reverse it and see what happens.
 

I want to have separated subnets with a routed VPN (TUN).

I have a stable VPN connection and the server LAN is pushed to the client, that's nice; also Samba file shares are working (at PC 192.168.10.50, I can open \\192.168.1.20).

Here is the next goal: I will have a QNAP NAS on each side:
NAS @ server side: 192.168.1.20
NAS @ client side: 192.168.10.20 (I changed the client LAN IP from 192.168.2.x to 192.168.10.x during tests)

and I want to sync files between the NAS through Rsync/RRTR.

From the server LAN it is possible to ping 10.20.0.2 (VPN client router) or to open the web interface (http://10.20.0.2). But I cannot connect to 192.168.10.1 (LAN address of the client router) or any other device at 192.168.10.x.

I tried to configure a route at the server LAN in the STATIC ROUTE settings of ASUS-WRT. After applying the settings I didn't see it in the active routing table, so I have undone this setting. Then I tried to add a line to the OpenVPN server user config like in the screenshot. After that I have my entry in the active routing table, but I still cannot ping or connect to the client LAN from a server LAN machine.

Info:
10.0.0.1 is the LAN address of my internet modem; the WAN address of the Asus is 10.0.0.2

Do you know what the flags in the routing table mean? What is flag "UG" at route 192.168.10.0?
 

Attachments: Unbenannt.PNG (319.1 KB), Unbenannt2.PNG (290.2 KB)
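As an added illustration for the routing-table question in the post above (this is editor-added example code, not code from the thread, from the router firmware, or from any poster): a small Python script that parses `route -n` style output, decodes the flag letters, and performs the longest-prefix lookup the kernel performs. The table rows, the interface names (eth0, br0, tun21) and the "before/after" rows are constructed from the addresses mentioned in the thread; they are assumptions, not the contents of the poster's screenshot.

```python
"""Decode a Linux `route -n` table and answer "which way does a packet go?"
with longest-prefix matching.

Editor-added example, not code from the thread, the firmware, or any poster.
The sample table is CONSTRUCTED to mirror the thread's addressing (server LAN
192.168.1.0/24, client LAN 192.168.10.0/24, tunnel 10.20.0.0/24, modem
10.0.0.1); interface names and exact rows are assumptions.
"""
from __future__ import annotations

import ipaddress
from typing import NamedTuple, Optional

# Flag letters printed by net-tools `route -n` on Linux (asuswrt is Linux based).
ROUTE_FLAGS = {
    "U": "route is up",
    "G": "next hop is a gateway (not directly connected)",
    "H": "target is a single host, not a network",
    "D": "installed dynamically (redirect or routing daemon)",
    "M": "modified by a redirect",
    "R": "reinstate route for dynamic routing",
    "!": "reject route (traffic is dropped)",
}


def decode_flags(flags: str) -> list[str]:
    """Expand e.g. 'UG' into readable meanings; unknown letters are reported as such."""
    return [ROUTE_FLAGS.get(f, f"unknown flag {f!r}") for f in flags]


class Route(NamedTuple):
    network: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address
    flags: str
    iface: str


def parse_route_table(text: str) -> list[Route]:
    """Parse `route -n` output: Destination Gateway Genmask Flags Metric Ref Use Iface."""
    routes: list[Route] = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 8 or cols[0] in ("Kernel", "Destination"):
            continue  # banner and header lines
        dest, gw, mask, flags, iface = cols[0], cols[1], cols[2], cols[3], cols[7]
        routes.append(Route(ipaddress.IPv4Network(f"{dest}/{mask}"),
                            ipaddress.IPv4Address(gw), flags, iface))
    return routes


def lookup(routes: list[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match, as the kernel does: the most specific route wins."""
    addr = ipaddress.IPv4Address(dst)
    best: Optional[Route] = None
    for r in routes:
        if addr in r.network and (best is None or r.network.prefixlen > best.network.prefixlen):
            best = r
    return best


# CONSTRUCTED sample: the server router (192.168.1.1) with no route to the client LAN.
SERVER_TABLE_BEFORE = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.20.0.0       0.0.0.0         255.255.255.0   U     0      0        0 tun21
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
0.0.0.0         10.0.0.1        0.0.0.0         UG    0      0        0 eth0
"""

# Same table after a route to the client LAN via the client's tunnel address is added.
SERVER_TABLE_AFTER = SERVER_TABLE_BEFORE + \
    "192.168.10.0    10.20.0.2       255.255.255.0   UG    0      0        0 tun21\n"


def next_hop(table: str, dst: str) -> tuple[str, str]:
    """Return (gateway, iface) the router would use for dst."""
    r = lookup(parse_route_table(table), dst)
    if r is None:
        raise ValueError(f"no route to {dst}")
    return (str(r.gateway), r.iface)


if __name__ == "__main__":
    for label, table in (("before", SERVER_TABLE_BEFORE), ("after", SERVER_TABLE_AFTER)):
        r = lookup(parse_route_table(table), "192.168.10.20")
        print(f"{label}: 192.168.10.20 -> {r.network} via {r.gateway} dev {r.iface} flags {r.flags}")
        print("   ", "; ".join(decode_flags(r.flags)))
```

Before the 192.168.10.0/24 row exists, the lookup falls through to the default route and the packet leaves towards the modem at 10.0.0.1, which is the symptom the post describes. The "UG" on the added row means the route is up and reaches its destination through a gateway (10.20.0.2, the client's tunnel address) rather than a directly connected network. A kernel route on the server router is only one piece: in standard OpenVPN, the server process must also be told which connected client owns 192.168.10.0/24 (an `iroute` directive in a client-config-dir file, alongside a matching `route` directive), and the client LAN needs a path back to 192.168.1.0/24, or replies are dropped. Those directives are general OpenVPN behaviour, not something the thread's replies cover.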
Hi Yorgi and nobody,

I hope you don't mind my post as I want to do the same thing. I hope you guys are able to guide me in the right direction.

Here is what I want to do.
I'll be moving so I want to connect my current home network to my new location. New location is 5 minutes away.
I have two Asus routers, RT-AC3200 and RT-AC66U, running the latest Merlin firmware - 380.59.
Would like to take the AC3200 with me and leave the AC66U at the current location.
At my current home network, I set up a Windows domain, running Windows Server 2012 R2. Have a few PCs, laptops and tablets running Windows 10.
I have set up all the GPOs and everything is working well. This is how I keep the PCs from getting infected with viruses and unwanted software. I also have a member File and Print server, with print services enabled. Have a slaved drive where I store pictures and videos. This I would like to be able to access from both locations.

I have never done this before so I am new to all this. Excuse my ignorance if I ask questions that might be obvious.
The two locations have different modems and different ISPs. Current location has internet speed of 100 Mbps down / 10 Mbps up. New location has 25 Mbps down / 2 Mbps up.
Will probably upgrade the speed of the new location to match the current one in a few months time.

Would it be useful for both networks to use the same subnet? Right now the AC3200 is the main router at my current location and the AC66U is running in AP mode to extend the wireless signal.
The AC3200 DHCP is set from 192.168.1.2 - 192.168.1.50. Is there a guide to follow when configuring the VPN server and client on both routers?

When I set up the VPN between the two routers, would it be useful to have a Domain Controller at both locations or just a member server running the Remote Access role? If the Remote Access role is required, would I need it at both locations or just one?

If you need additional info, let me know. I'd really appreciate any advice you can provide. As I mentioned before, I am new at this and don't even know where to start.
Thanks again!
 
The only way you can do it is with FTP. Router 1 cannot see router 2's NAS.
 
I suggest you get a better router than the 66U. If you have 25 Mbps now it will only give you 10-15 Mbps in VPN, so if you are planning on getting a higher speed make sure you get at least a 68U to replace the 66U; otherwise you will not be happy with the results.
When you set up a VPN server/client the internal IP range or subnet is not relevant.
You have to set up one router as a server, preferably the 3200, and the other router as a client. When you connect to the server you can have all your clients' traffic directed via the server's VPN.
Here is a guide that can help you set up the VPN server:
http://www.smallnetbuilder.com/othe...-up-and-using-openvpn-on-asus-routers?start=1

After you set up the server you may want to look at this guide to set up the client.

http://www.snbforums.com/threads/ho...y-step-how-to-guide-ver-380-58-updated.30851/

If you have a hard time let me know and I will make a how to guide for setting up a VPN server.
 
Thanks for the reply, yorgi. I checked the links and it made me understand a bit more.

But now that I think of it, in your reply when you say "all your clients' traffic can be directed via the VPN", I think that would be too much. At my current location there is a lot of video streaming and the new location has a cap of 400 Gigs a month. So that will be gone pretty quickly if all the traffic is redirected that way.

I think it would be best just to have two machines connected through the VPN. One for access to the other network for assistance and shares, and the second a Domain Controller. Have it replicate say once a week at 3AM so that there is minimal impact on the bandwidth.

Is this scenario possible? If yes, I am guessing that policy rules would have to be set up?
Would the RT-AC66U still be OK for this or do you still suggest the AC-68U?

Would you mind creating a how to guide for this, if it's not too much to ask?

Thanks again,
 
I would not use a 66U unless you don't mind getting 10-15 Mbps as a VPN client. It's a single-core CPU.
If that doesn't bother you then you can use the 66U.

In policy rules you can tell the VPN client that specific IP addresses go via the VPN and everything else goes to the local ISP.
You can even tell it that specific devices will use the VPN but specific Internet addresses will use the local ISP,
so you can have 1 device connected to your VPN server and have a rule that any traffic to YouTube will go via the local ISP.

"Have it replicate say once a week at 3AM so that there is minimal impact on the bandwidth"

I really don't understand what you mean by that.

I will try to write a guide soon. It takes a lot of work to do something like that, but I think it's needed because many people are asking the same question.

In the meantime look at that other guide I linked for the server; it's pretty straightforward.
 
OK sounds good, I will give it a try this weekend and see how it goes. If I have any questions, I will bug you once more :)
Money is tight right now for a brand new 68U, so I am looking at a refurbished one, maybe. If not, then I'll have to wait a few months and suck it up with the 10-15 Mbps connection.

As for the replication once a week at 3 AM, I was referring to the Domain Controllers. Please take a look at the link below. That is what I want to have in place at both locations:
http://www.rebeladmin.com/2015/02/how-to-setup-active-directory-sites-subnets-site-links/
If you think you can provide any advice, I'd really appreciate it.

Thanks again,
 
