VPN between Asus RT-AC68U & RT-AC1900

sqk

Hi all,

I hope that someone here can help me with my issue. I have been struggling for weeks with this issue.

I'm trying to build a VPN tunnel from my AC1900 to my AC68U, which are in two different countries. For that, I have registered the DDNS service. I want to use PPTP to connect the two routers (I know that it might not be the safest way to use it).
The thing is, if I connect my Windows computer (only) using PPTP to connect to the AC68U, all is working fine.
However, if the AC1900 (client) is connected, suddenly, the Internet stops working.

Here is the basic information:

Country 1 router:

RT68U (192.168.4.1)

Country 2 router:

RT1900 (192.168.50.1)
This router has before it another router that establishes the optic fibre connection (192.168.1.5).


Here is the log from my router:

Aug 27 17:07:10 miniupnpd[20910]: version 1.9 started
Aug 27 17:07:10 miniupnpd[20910]: HTTP listening on port 40203
Aug 27 17:07:10 miniupnpd[20910]: Listening for NAT-PMP/PCP traffic on port 5351
Aug 27 17:07:13 openvpn[20925]: OpenVPN 2.3.2 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [eurephia] [MH] [IPv6] built on Jun 1 2017
Aug 27 17:07:13 openvpn[20925]: PLUGIN_INIT: POST /usr/lib/openvpn-plugin-auth-pam.so '[/usr/lib/openvpn-plugin-auth-pam.so] [openvpn]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
Aug 27 17:07:13 openvpn[20925]: Diffie-Hellman initialized with 2048 bit key
Aug 27 17:07:13 openvpn[20925]: WARNING: POTENTIALLY DANGEROUS OPTION --client-cert-not-required may accept clients which do not present a certificate
Aug 27 17:07:13 openvpn[20925]: Socket Buffers: R=[87380->131072] S=[16384->131072]
Aug 27 17:07:13 openvpn[20925]: TUN/TAP device tun21 opened
Aug 27 17:07:13 openvpn[20925]: TUN/TAP TX queue length set to 100
Aug 27 17:07:13 openvpn[20925]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Aug 27 17:07:13 openvpn[20925]: /sbin/ifconfig tun21 192.168.49.1 pointopoint 192.168.49.2 mtu 1500
Aug 27 17:07:13 openvpn[20925]: /sbin/route add -net 192.168.49.0 netmask 255.255.255.0 gw 192.168.49.2
Aug 27 17:07:13 openvpn[20931]: Listening for incoming TCP connection on [undef]
Aug 27 17:07:13 openvpn[20931]: TCPv4_SERVER link local (bound): [undef]
Aug 27 17:07:13 openvpn[20931]: TCPv4_SERVER link remote: [undef]
Aug 27 17:07:13 openvpn[20931]: MULTI: multi_init called, r=256 v=256
Aug 27 17:07:13 openvpn[20931]: IFCONFIG POOL: base=192.168.49.4 size=62, ipv6=0
Aug 27 17:07:13 openvpn[20931]: MULTI: TCP INIT maxclients=1024 maxevents=1028
Aug 27 17:07:13 openvpn[20931]: Initialization Sequence Completed
Aug 27 17:07:14 ddns update: ez-ipupdate: starting...
Aug 27 17:07:14 ddns update: connected to nwsrv-ns1.asus.com (103.10.4.108) on port 80.
Aug 27 17:07:14 openvpn[20941]: Options error: You must define CA file (--ca) or CA path (--capath)
Aug 27 17:07:14 openvpn[20941]: Use --help for more information.
Aug 27 17:07:15 ddns update: Asus update entry:: return: HTTP/1.1 200 OK^M Date: Sun, 27 Aug 2017 08:07:13 GMT^M Server: Apache^M X-Powered-By: PHP/5.6.30^M Content-Length: 0^M Connection: close^M Content-Type: text/html; charset=UTF-8^M ^M
Aug 27 17:07:15 ddns update: retval= 0, ddns_return_code (,200)
Aug 27 17:07:15 ddns update: asusddns_update: 0
Aug 27 17:07:15 ddns: ddns update ok
Aug 27 17:07:15 rc_service: udhcpc 20814:notify_rc stop_pptpd
Aug 27 17:07:15 rc_service: udhcpc 20814:notify_rc start_pptpd
Aug 27 17:07:15 rc_service: waitting "stop_pptpd" via udhcpc ...
Aug 27 17:07:16 dhcp client: bound 183.99.115.73 via 183.99.115.1 during 3600 seconds.
Aug 27 17:07:17 pptpd[20951]: MGR: Config file not found!
Aug 27 17:07:17 miniupnpd[20910]: shutting down MiniUPnPd
Aug 27 17:07:17 start_nat_rules: apply the nat_rules(/tmp/nat_rules_vlan2_vlan2)!
Aug 27 17:07:18 miniupnpd[20986]: version 1.9 started
Aug 27 17:07:18 miniupnpd[20986]: HTTP listening on port 52171
Aug 27 17:07:18 miniupnpd[20986]: Listening for NAT-PMP/PCP traffic on port 5351
Aug 27 17:07:24 pptp[20998]: pppd 2.4.7 started by admin, uid 0
Aug 27 17:07:24 pptp[20998]: Connect: ppp10 <--> pptp (223.166.206.87)
Aug 27 17:07:39 pptp[20998]: local IP address 192.168.4.1
Aug 27 17:07:39 pptp[20998]: remote IP address 192.168.4.55
Aug 27 17:08:29 pptp[20998]: Connection terminated.
Aug 27 17:08:30 pptp[20998]: Modem hangup
Aug 27 17:08:37 pptp[21048]: pppd 2.4.7 started by admin, uid 0
Aug 27 17:08:37 pptp[21048]: Connect: ppp10 <--> pptp (223.166.206.87)
Aug 27 17:08:37 pptpd[21047]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
Aug 27 17:08:42 pptpd[21047]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
Aug 27 17:08:43 pptp[21048]: local IP address 192.168.4.1
Aug 27 17:08:43 pptp[21048]: remote IP address 192.168.4.55
Aug 27 17:08:43 pptp[21048]: MPPE 128-bit stateless compression enabled
Aug 27 17:10:11 rc_service: httpd 20899:notify_rc restart_vpnd;restart_samba
Aug 27 17:10:12 pptp[21048]: MPPE disabled
Aug 27 17:10:12 miniupnpd[20986]: shutting down MiniUPnPd
Aug 27 17:10:12 pptp[21048]: Connection terminated.
Aug 27 17:10:12 pptpd[21124]: MGR: Config file not found!
Aug 27 17:10:12 start_nat_rules: apply the nat_rules(/tmp/nat_rules_vlan2_vlan2)!
Aug 27 17:10:13 pptpd[21047]: CTRL: Unexpected control message 15 in disconnect sequence
Aug 27 17:10:13 miniupnpd[21158]: version 1.9 started
Aug 27 17:10:13 miniupnpd[21158]: HTTP listening on port 40257
Aug 27 17:10:13 miniupnpd[21158]: Listening for NAT-PMP/PCP traffic on port 5351
Aug 27 17:10:13 Samba Server: smb daemon is stoped
Aug 27 17:10:13 kernel: gro disabled
Aug 27 17:11:50 pptp[21187]: pppd 2.4.7 started by admin, uid 0
Aug 27 17:11:50 pptp[21187]: Connect: ppp10 <--> pptp (223.166.206.87)
Aug 27 17:11:51 pptp[21187]: Cannot determine ethernet address for proxy ARP
Aug 27 17:11:51 pptp[21187]: local IP address 192.168.4.1
Aug 27 17:11:51 pptp[21187]: remote IP address 192.168.50.1
Aug 27 17:16:01 pptp[21187]: Connection terminated.
Aug 27 17:16:01 pptp[21187]: Modem hangup
Aug 27 17:16:08 pptp[21308]: pppd 2.4.7 started by admin, uid 0
Aug 27 17:16:08 pptp[21308]: Connect: ppp10 <--> pptp (223.166.206.87)
Aug 27 17:16:08 pptpd[21307]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
Aug 27 17:16:13 pptpd[21307]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
Aug 27 17:16:13 pptp[21308]: Cannot determine ethernet address for proxy ARP

Could anyone help with this? Thank you so much!
 
Hi,
I also have set up an Open VPN server at the same time. That's correct.
However, I'm not trying to connect the AC1900 to the AC68.
Is that maybe the better option? If so, how do I have to choose the settings before exporting the file?
 
Go with OpenVPN. I'd say set up OpenVPN server on the remote RT-AC68U and export the OpenVPN config file (.ovpn) and install it on the devices behind the AC1900; you'll then be able to connect remotely via OpenVPN to the AC68U. It's a doddle to set up. If you are underconfident, you might want to set it up with password and username only to start with and then when you're happy it works, extend to public key infrastructure (keys and certs). That said, it has been made so simple to set up, you could easily set up PKI and username-password security and it should work first time. Of course, you'd need to install the OpenVPN app/program on each of the devices you want to connect to the remote server.

When you have that working, and that may well do everything you want, you could then experiment with OpenVPN client on the AC1900 if you really need to. (I've never used that so I have no knowledge.)

Start simple and then advance step by step; it makes troubleshooting a lot easier.
 
I have tried the Open VPN option. Quick question: Is it not possible to connect the two routers to each other using OpenVPN so all the traffic from the AC1900 is automatically directed through the RT-AC68U (without having to install the client on each device)?

I have tried to connect both routers.
Internet works but the traffic is not routed through the Country 1 router (RT-AC68U) and the router (192.168.4.1) is also not reachable.

Here is the basic information:

Country 1 router:
RT68U (192.168.4.1)


Country 2 router:
RT1900 (192.168.50.1)

This router has before it another router that establishes the optic fibre connection (192.168.1.1).


Let me post the Open VPN log file.
Interface: TAP
Protocol: UDP
Port: 1194
Firewall: Auto
Authorization Mode: Static Key (if I use TLS, it already mentions that the "handshake" has failed)
Username/PW authorization: Yes
Direct clients to redirect Internet traffic: Yes
Respond to DNS: Yes
Encryption cipher: Default
Compression: Disable

System log from AC1900:

Aug 28 22:48:05 openvpn[21741]: OpenVPN 2.3.2 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [eurephia] [MH] [IPv6] built on Jun 1 2017
Aug 28 22:48:05 openvpn[21741]: Static Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Aug 28 22:48:05 openvpn[21741]: Static Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Aug 28 22:48:05 openvpn[21741]: Static Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Aug 28 22:48:05 openvpn[21741]: Static Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Aug 28 22:48:05 openvpn[21741]: Socket Buffers: R=[122880->131072] S=[122880->131072]
Aug 28 22:48:05 openvpn[21741]: TUN/TAP device tap15 opened
Aug 28 22:48:05 openvpn[21741]: TUN/TAP TX queue length set to 100
Aug 28 22:48:05 openvpn[21741]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Aug 28 22:48:05 openvpn[21741]: /sbin/ifconfig tap15 10.8.0.2 netmask 255.255.255.0 mtu 1500 broadcast 10.8.0.255
Aug 28 22:48:05 openvpn[21745]: UDPv4 link local: [undef]
Aug 28 22:48:05 openvpn[21745]: UDPv4 link remote: [AF_INET]183.99.115.73:1194
Aug 28 22:48:05 openvpn[21745]: Peer Connection Initiated with [AF_INET]183.99.115.73:1194
Aug 28 22:48:06 openvpn[21745]: Initialization Sequence Completed

Routing table (AC1900):

Destination Gateway Genmask Flags Metric Ref Use Type Iface
192.168.1.1 * 255.255.255.255 UH 0 0 0 WAN0 eth0
192.168.50.0 * 255.255.255.0 U 0 0 0 LAN br0
10.8.0.0 * 255.255.255.0 U 0 0 0 tap15
192.168.1.0 * 255.255.255.0 U 0 0 0 WAN0 eth0
default 192.168.1.1 0.0.0.0 UG 0 0 0 WAN0 eth0

System log from AC68:

Aug 28 23:41:35 openvpn[12391]: Peer Connection Initiated with [AF_INET]223.166.204.83:47997 (via [AF_INET]183.99.115.73%vlan2)
Aug 28 23:41:35 openvpn[12391]: Initialization Sequence Completed
Aug 28 23:41:39 openvpn[12391]: WARNING: 'ifconfig' is present in remote config but missing in local config, remote='ifconfig 10.8.0.0 255.255.255.0'
Aug 28 23:46:29 openvpn[12391]: Peer Connection Initiated with [AF_INET]223.166.204.83:46417 (via [AF_INET]183.99.115.73%vlan2)
Aug 28 23:48:05 openvpn[12391]: Peer Connection Initiated with [AF_INET]223.166.204.83:50125 (via [AF_INET]183.99.115.73%vlan2)
Aug 28 23:50:44 pptp[12554]: pppd 2.4.7 started by admin, uid 0
Aug 28 23:50:44 pptp[12554]: Connect: ppp10 <--> pptp (223.166.204.83)
Aug 28 23:50:44 pptpd[12553]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
Aug 28 23:50:45 pptp[12554]: Cannot determine ethernet address for proxy ARP
Aug 28 23:50:45 pptp[12554]: local IP address 192.168.4.1
Aug 28 23:50:45 pptp[12554]: remote IP address 192.168.50.1
Aug 28 23:50:45 pptp[12554]: MPPE 128-bit stateless compression enabled
Aug 28 23:51:37 openvpn[12391]: Inactivity timeout (--ping-restart), restarting
Aug 28 23:51:37 openvpn[12391]: Closing TUN/TAP interface
Aug 28 23:51:37 openvpn[12391]: SIGUSR1[soft,ping-restart] received, process restarting
Aug 28 23:51:37 openvpn[12391]: Restart pause, 2 second(s)
Aug 28 23:51:39 openvpn[12391]: Static Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Aug 28 23:51:39 openvpn[12391]: Static Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Aug 28 23:51:39 openvpn[12391]: Static Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Aug 28 23:51:39 openvpn[12391]: Static Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Aug 28 23:51:39 openvpn[12391]: Socket Buffers: R=[122880->131072] S=[122880->131072]
Aug 28 23:51:39 openvpn[12391]: TUN/TAP device tap21 opened
Aug 28 23:51:39 openvpn[12391]: TUN/TAP TX queue length set to 100
Aug 28 23:51:39 openvpn[12391]: UDPv4 link local (bound): [undef]
Aug 28 23:51:39 openvpn[12391]: UDPv4 link remote: [undef]


Routing Table (AC68):


Destination Gateway Genmask Flags Metric Ref Use Type Iface

192.168.50.1 * 255.255.255.255 UH 0 0 0 ppp10
183.99.115.1 * 255.255.255.255 UH 0 0 0 WAN0 vlan2
192.168.4.0 * 255.255.255.0 U 0 0 0 LAN br0
183.99.115.0 * 255.255.255.0 U 0 0 0 WAN0 vlan2
default 183.99.115.1 0.0.0.0 UG 0 0 0 WAN0 vlan2
 
"Here the basic information:

Country 1 router:
RT68U (192.168.4.1)


Country 2 router:
RT1900 (192.168.50.1)

This router has before it another router that establishes the optic fibre connection (192.168.1.5)."

This is beyond my experience level, but alarm bells ring on your last paragraph because you might have to forward - if I've understood correctly - any incoming OpenVPN traffic through router (modem/router in bridge mode?) 192.168.1.5 to router 192.168.50.1.

But I'll leave that to be answered or further explored by those more knowledgeable than I.

In the meantime it may well help if you clarify the role of 192.168.1.5 (in front of 192.168.50.1): is it a modem, a router in bridge mode (ie a router acting solely as a modem) or is it indeed a router thus possibly giving you double NAT?

Sorry I can't help further, but I might have done a bit of groundwork for others with more experience.
 
Hi martinr,
thank you for the quick reply.

It's a router (hopefully) in bridge mode. The reason is that the AC1900 does not have a fibre optic connection.
Does it help to put the AC1900 (192.168.50.1) into a DMZ?

Thanks again. I'll wait for some further replies to see if we can figure it out.
 
I've never had cause to use a DMZ. But surely if 192.168.1.5 (a modem-router) has been put into bridge (ie modem only) mode, is there such a thing as a DMZ option? I thought a DMZ option would only have meaning if 192.168.1.5 were acting as a modem-router.

Anyway, I'm still not sure I have asked the right questions and understand your needs properly. So check my understanding: devices in Country 2 are behind router 192.168.50.1, which itself is behind modem (modem-router in bridge mode) 192.168.1.5. You want to set up a VPN between Country 2 and Country 1, where you have a VPN server on a router on network address 192.168.4.1. So far so good?

So are there clients in Country 1 (behind 192.169.4.1) that you want to initiate a connection to Country 2, or will all the connection initiations come from clients in Country 2 (behind 192.168.50.1)?
 
I may be able to help on this one. I have a similar situation. I have a modem/router with GPON fiber connection at a school I support. I disabled the router function by placing it in bridge mode. I also disabled DHCP and the radios. I connect an ETH cable from the modem/router LAN port to the WAN port of the AC88U. The AC88U makes the connection to the ISP using the ISP userid and password. Since the WAN IP address assigned by the ISP is dynamic, I use dns-o-matic to update yDNS (yDNS.io is the website to set up the remote domain name) with the IP address when it changes. I then configure the OpenVPN Server on this router using the instructions in the VPN forum. Then, export the ovpn file.

In the ovpn file, you must edit the remote line and replace the IP address with the domain name of the DDNS service:

remote xyzblahblahblah.ddns.dropknox.com 1194

In my example, I save this file to my laptop and use OpenVPN client to connect to the router. For your situation, you would need to import the *.ovpn file to the OpenVPN client on the router that you want to connect from. There may be some adjustments you need to make on the web gui.

On the target router, this is the OpenVPN Server. The one you are connecting from is the OpenVPN Client.

For first time testing, you may want to set up the OpenVPN client on your laptop to get the connection from your laptop to the target router working. Download the openvpn program from the openvpn website. The link is https://openvpn.net/. You can download the correct version for your OS.
 
@Xentrk

"In the ovpn file, you must edit the remote line and replace the IP address with the domain name of the DDNS service:"

I've never had to do that (thankfully). Could it be that if your DDNS address is already stored on the router (in the WAN section), before you export the .ovpn config file, that bit of editing is unnecessary?
 
Hi @martinr,

You must have a static WAN IP address. The step is not necessary if the WAN IP address of the VPN server (router) is static. The ovpn export function will use the current WAN address on the router when the ovpn file is created. Using a DDNS service is only required if your ISP assigns a dynamic IP address. Over the course of one weekend, I noticed that my WAN IP address changed four times without a reboot before I stopped tracking. This is where dns-o-matic comes in. I have dns-o-matic configured on the DDNS tab on the router. Once the IP address changes, the update is sent to dns-o-matic, which then updates the ydns service hostname I created with the IP address. Most of the services are free and I hope they remain so.

For initial testing, I usually use the IP address that was created when I exported the ovpn file before I make the change to use the dynamic DNS service. I had issues with a few of the DNS services before I landed on the one I use. dns-o-matic supports many of these services, which is great if one ever decides to go offline. Some that used to be free started charging a small fee. Luckily, there are still free ones available.

The wiki on DD-WRT is similar to the setup on ASUS Merlin and it is easy to set up. There is also a YouTube video on how to set up for Merlin FW that I provided a link to a while back in one of my forum postings.
http://www.dd-wrt.com/wiki/index.php/DNS-O-Matic

I first learned about dns-o-matic when I set up the OpenDNS free web content filtering service for a children's home and grade school.
 
Hi @Xentrk

My public IP address does indeed change every few days. I use the Asus dynamic DNS server (on the DDNS tab in the WAN section of the GUI). So my DDNS address is in the *.asuscomm.com domain.

It couldn't be easier to set up an Asus ddns address; I've used the service for several years now and not had one single glitch in all that time. And within a minute or so of the IP address changing, the new address is linked to my ddns address. It really couldn't be easier.
 
Thanks for letting me know. I had not tried their service. I was familiar with the one I described as I had first used it on DD-WRT before I drank Merlin's Kool-Aid. So I went with what I knew.
 
I have tried the Open VPN option. Quick question: Is it not possible to connect the two routers to each other using OpenVPN so all the traffic from the AC1900 is automatically directed through the RT-AC68U (without having to install the client on each device)?

I have tried to connect both routers.
Internet works but the traffic is not routed through the Country 1 router (RT-AC68U) and the router (192.168.4.1) is also not reachable.

To enable network traffic in both directions the routes between the LANs must be defined; you have to configure the openvpn server to push the server's LAN route, and use the 'client-config-dir' and the 'iroute' commands.

Assuming your RT-AC68U is the openvpn server:
Code:
push "route 192.168.4.0 255.255.255.0"       # push route of server LAN to clients
.
.
client-config-dir ccd                        # configure client vpn upon connection in the ccd folder
route 192.168.50.0 255.255.255.0             # route traffic to the client LAN
ifconfig-pool-persist ipp.txt                # Always use the same IP address for clients

Create the 'ccd' folder in /etc/openvpn and create a file in /etc/openvpn/ccd with the same name of the openvpn client, containing:
Code:
iroute 192.168.50.0 255.255.255.0

With this configuration, any device connected behind the routers knows how to reach the other's LAN.

Good luck!
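
A consistency check for the server-side setup described in this post, as an added example that is not part of the original post or of the router firmware: it reports any ccd `iroute` that lacks a matching `route` in the server config, and flags a static-key or TAP configuration, where `client-config-dir` and `iroute` do not take effect. The file layout and the client names `ac1900` and `branch2` are assumptions, and the sample files are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: sanity-check an OpenVPN server config
# against its client-config-dir before relying on LAN-to-LAN routing.
# File names and the client names "ac1900"/"branch2" are assumptions.

# Normalise "route"/"iroute" lines to "NET MASK"; OpenVPN defaults a missing
# netmask to 255.255.255.255.
routes_of() {   # $1 = directive name, $2 = file
    sed 's/#.*//' "$2" | awk -v d="$1" \
        '$1 == d { print $2, ($3 == "" ? "255.255.255.255" : $3) }'
}

# For each ccd file, report iroute entries with no matching server-side
# "route". Without that route the server's kernel never sends the subnet
# into the tunnel. Empty output means the two sides agree.
missing_routes() {   # $1 = server config, $2 = ccd directory
    for f in "$2"/*; do
        [ -f "$f" ] || continue
        routes_of iroute "$f" | while read -r net mask; do
            routes_of route "$1" | grep -qxF "$net $mask" ||
                echo "$(basename "$f"): iroute $net $mask has no matching route in server config"
        done
    done
}

# Report settings under which client-config-dir / iroute cannot take effect:
# a static key ("secret") rules out server mode, which push and
# client-config-dir require, and iroute is rejected on tap devices.
mode_problems() {   # $1 = server config
    sed 's/#.*//' "$1" | awk '
        $1 == "secret"             { print "secret: static-key mode has no server mode, so push/client-config-dir are unavailable" }
        $1 == "dev" && $2 ~ /^tap/ { print "dev " $2 ": iroute only works on tun (routed) tunnels" }'
}

# Build constructed sample files in a temp dir and print its path.
make_sample() {
    d=$(mktemp -d)
    mkdir "$d/ccd"
    cat > "$d/server.conf" <<'EOF'
dev tun21
push "route 192.168.4.0 255.255.255.0"   # server LAN, as in the post
client-config-dir ccd
route 192.168.50.0 255.255.255.0         # client LAN, as in the post
EOF
    echo 'iroute 192.168.50.0 255.255.255.0' > "$d/ccd/ac1900"
    echo 'iroute 192.168.60.0 255.255.255.0' > "$d/ccd/branch2"   # no route: flagged
    printf 'dev tap21\nsecret static.key\n' > "$d/static.conf"
    echo "$d"
}

dir=$(make_sample)
echo "== routed (tun) server config =="
mode_problems "$dir/server.conf"
missing_routes "$dir/server.conf" "$dir/ccd"
echo "== TAP + static key, the settings listed earlier in the thread =="
mode_problems "$dir/static.conf"
rm -rf "$dir"
```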
 
Hi Alfsu,

what you write makes absolute sense to me. I had the feeling that it was not clearly defined how to manage the incoming traffic.
I would like to follow your advice with the client-config-dir and iroute. However, since I'm not so "capable", I'm not sure how I add these two codes.
Can I add them as a custom configuration to Merlin (I have attached a screenshot)? I'm using right now the "export" function on my AC68-U (OpenVPN server) and then import the .ovpn file into the AC1900 (OpenVPN client).

The screenshot is by the way also the settings I have used for the server.

Any "newbie" way to follow your instruction? :)

Thank you so much.
 

sqk,

Only this part of the server configuration could be added via the UI 'Custom Configuration':
Code:
client-config-dir ccd                        # configure client vpn upon connection in the ccd folder
route 192.168.50.0 255.255.255.0             # route traffic to the client LAN
ifconfig-pool-persist ipp.txt                # Always use the same IP address for clients

But it won't work without the rest of the configuration, for which you must first learn about accessing the router via an SSH connection. Unfortunately, there is no short cut for adding the required 'ccd' folder and the 'client' file with the iroute instruction to the router's /etc/openvpn/ folder.

WinSCP (https://winscp.net/) has served me well for years.
 
Hi Alfsu,

thank you so much for the useful hints. I'm "studying" now what you have written in your previous post to see if I can get it to work myself.

Alternatively, I'm considering now to "purchase" a VPN access (L2TP) using a 3rd party provider. I got a test account as of now.
Here's the status:

1) I'm connected using my AC1900 (VPN client) to the server
2) If I use the ASUS Merlin system tool to ping Google (I'm actually in China), I receive a reply
3) If I use the computer connected to the AC1900, it does not open Google

Is there a "quick" solution to this using ASUS Merlin (e.g. adding static routing rule, adding DNS server, or similar)?

Thank you so much.

Regards,

sqk
 
It depends on what it is that you want to do with the traffic from the computer connected to the AC1900 and the rest of your LAN.
In a nutshell, if you want all network traffic from your LAN to go through the VPN server, you must select route all traffic in the VPN client configuration page on the AC1900; otherwise select routing rules and add the IP address of the computer to go through the VPN.

