My Scenario:
Currently I have T-Mobile broadband, using Carrier Grade NAT (CGNAT), which does not give me any port forwarding options. Behind this, I have an ASUS router running the latest Merlin software. I need port forwarding for remote access to my servers, so I purchased a service from Trust.Zone that gives me a Static Public IP with Port forwarding capabilities. Then, I created an OpenVPN client connection to their service, and have set up rules in Merlin that allow me to port forward from that Public IP to my servers, and all is good.
New desired functionality:
I want to be able to join a remote computer to my home network using VPN. So I turned on the OpenVPN server option in Merlin, which gives me the following message (in yellow):
And that is essentially correct, because other than the VPN client connection, the ASUS router has a non-routable IP address in the 192.168.12.x range. However, I have my public IP address that will happily forward port 1194 (what my VPN Server defaulted to) from my Static Public IP address to the ASUS Merlin's VPN Client address. So, I was expecting that it would either work as-is, or maybe I would have to add an entry into the Start-Nat file to manually forward port 1194 coming from my public static IP to the ASUS's internal address of 192.168.1.1. I have tried both configs (without modifying routing, and also adding an entry into the start-nat file to forward that port's traffic to the ASUS WAN IP (192.168.12.x), and also I tried going to its LAN IP (192.168.1.1)).
I exported the VPN configuration from the ASUS OpenVPN, and imported it into my iPad's OpenVPN client. It fails with a 'peer certificate verification failure' error. I have tried the following:
1. Changed the Security level from "preferred" to "Legacy" and even "Insecure", but no difference
2. In the ASUS router, changed the HMAC Authentication from "default" to "SHA 256" (no difference) - I also re-exported and imported the config on the client after doing this
Also, one oddity that I can't seem to run down. When I export the "OpenVPN configuration file", then edit it in Notepad, it has my custom domain name (let's call it CUSTOM.COM). I don't know where it is getting that from. I need it instead to be VPN.CUSTOM.COM. So in the iPad's Profile, I added vpn.custom.com to the "server override" field. That allowed it to try to connect (if I leave it at custom.com, it just times out, as there is no VPN on the IP that it resolves to), however I still get the peer certificate verification error.
Any pointers on where to look to start troubleshooting this? I found a couple of pointers to forums on OpenVPN's site, but they are apparently having issues, as it shows a database connection error instead of the article, and I'm not sure that would fix it anyway. What logs should I look at, or any ideas on things to check?
I know this is a complicated setup, but I *think* it should work, and I am grateful for any help or suggestions provided!
-randy
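Since the exported profile embeds the CA that the iPad uses to judge the router's server certificate, the checks behind a "peer certificate verification failure" (CA mismatch, expiry, the EKU demanded by remote-cert-tls server) can be reproduced offline with openssl. The script below is an added example, not code from the post or from ASUSWRT-Merlin; it assumes the server certificate has been copied from the router's Keys & Certificates page into a file named server.pem, and it generates a throwaway CA and profile so it runs as-is.

```shell
#!/usr/bin/env bash
# Added diagnostic (not from the post or ASUSWRT-Merlin): run the checks an OpenVPN client
# makes on the server cert, using the exported .ovpn and a copy of the server cert.
set -u
# check_server_cert PROFILE SERVER_CERT -> 0 if the client should accept the server cert,
# 1 if one of the checks behind "peer certificate verification failure" fails (reason printed)
check_server_cert() {
  local profile="$1" srv="$2" ca ok=0; ca=$(mktemp)
  # the client trusts only the inline <ca> block, so pull exactly that out
  sed -n '/<ca>/,/<\/ca>/p' "$profile" | sed '1d;$d' > "$ca"
  # 1. chain: is the server cert signed by the CA embedded in the profile?
  openssl verify -CAfile "$ca" "$srv" >/dev/null 2>&1 ||
    { echo "FAIL: server cert not signed by the profile's CA (CA mismatch)"; ok=1; }
  # 2. validity: an expired cert (or a badly skewed device clock) fails here
  openssl x509 -in "$srv" -noout -checkend 0 >/dev/null ||
    { echo "FAIL: server cert has expired"; ok=1; }
  # 3. 'remote-cert-tls server' additionally demands the serverAuth EKU
  if grep -q '^remote-cert-tls server' "$profile" &&
     ! openssl x509 -in "$srv" -noout -text | grep -q 'TLS Web Server Authentication'; then
    echo "FAIL: profile requires remote-cert-tls server but cert lacks serverAuth EKU"; ok=1
  fi
  # 4. the 'remote' hostname is used for DNS only and is not matched against the
  #    cert unless verify-x509-name is set, so just show both for comparison
  echo "remote: $(awk '/^remote /{print $2; exit}' "$profile"); cert $(openssl x509 -in "$srv" -noout -subject)"
  rm -f "$ca"; return "$ok"
}
# Constructed sample so the script runs offline: a throwaway CA, a server cert it
# signs (CN and hostname are made up), and a minimal profile embedding that CA.
make_sample() {
  local d="$1"
  openssl req -new -newkey rsa:2048 -nodes -subj /CN=sample-ca -keyout "$d/ca.key" -out "$d/ca.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign\n' > "$d/ca.ext"
  openssl x509 -req -in "$d/ca.csr" -signkey "$d/ca.key" -days 2 -extfile "$d/ca.ext" -out "$d/ca.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj /CN=vpn.custom.com -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null
  printf 'extendedKeyUsage=serverAuth\nkeyUsage=digitalSignature,keyEncipherment\n' > "$d/srv.ext"
  openssl x509 -req -in "$d/srv.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial -days 1 \
    -extfile "$d/srv.ext" -out "$d/server.pem" 2>/dev/null
  printf 'client\nremote vpn.custom.com 1194\nremote-cert-tls server\n<ca>\n%s\n</ca>\n' \
    "$(cat "$d/ca.pem")" > "$d/client.ovpn"
  # same profile but with the wrong CA embedded: reproduces the CA-mismatch case
  printf 'client\nremote vpn.custom.com 1194\n<ca>\n%s\n</ca>\n' "$(cat "$d/server.pem")" > "$d/wrong-ca.ovpn"
}
if [ "${1:-}" = "--demo" ]; then
  dir=$(mktemp -d); make_sample "$dir"
  check_server_cert "$dir/client.ovpn" "$dir/server.pem" && echo "good profile: OK"
  check_server_cert "$dir/wrong-ca.ovpn" "$dir/server.pem" || echo "wrong-CA profile: rejected as expected"
fi
```

Run it with `--demo` to see both outcomes, or call `check_server_cert my.ovpn server.pem` against the real files; a failing check 1 points at a CA/cert regenerated on the router after the profile was exported.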