vpn problems in asuswrt merlin 3004.388.8
- Thread starter moreamazingnick
- Start date
No. In the highly constructive conversations going on between RMerlin and eibgrad, it sounded like neither had a site to site platform to evaluate their theories. I thought my data point might help them.
eibgrad
Part of the Furniture
Remember, the problem for most ppl is when they attempt to access the OpenVPN client's tunnel from something other than the local LAN (br0), such as an OpenVPN server co-located w/ the OpenVPN client (i.e., chained tunnels). Remote clients of that OpenVPN server can NOT be routed through the OpenVPN client of the site-to-site connection if the ip rules are limited to the LAN (bro) due to the injection of the iif option.
IOW, if you do NOT meet this very specific configuration, you won't be affected. Just having a normal site-to-site configuration where each side addresses the other's IP network(s) from their respective LANs will continue to work normally.
If you do meet this specific configuration, we've since come to learn that the iif option is only injected if you specify No or All for "Redirect internet traffic through tunnel" on the OpenVPN client. Normally you would specify No for a site-to-site configuration since (if configured properly), static routing is used on each side to make the IP networks available across the tunnel known to the routing tables. Use of the VPN Director, while it will still work, is actually superfluous (again, provided you've properly configured the static routing).
Given all the above, we are now recommending the use of the VPN Director as a workaround to those who are affected. So had YOU meet the requirements of this bug, the fact you're already using the VPN Director would have protected you. IOW, you unknowingly inoculated yourself from its effects due to your (imo) misconfiguration (not unless it is your intention to restrict access across the tunnel).
On a side note, I notice that a lot of users who configure site-to-site also mistakenly NAT the tunnel on the OpenVPN client side. Again, this is unnecessary provided you have correctly configured the static routing.
All that said, @RMerlin now has a fix that apparently is working for those who have tried it.
vpn problems in asuswrt merlin 3004.388.8
Based on the original rules, you have Redirection set to "All". In that case, VPNDirector will require you to create the two rules I mentionned in my post, otherwise nothing will be routed through the VPN. EDIT: Tho generally in a site2site tunnel, you don't want to redirect everything - only...
www.snbforums.com
Last edited:
I don't mean to hijack the thread, but I'm not sure if follow the misconfiguration.
Site B client connects to Site A server with no NAT. My VPN director has a rule that specifies that every device that wants to reach the Site A Lan goes over the tunnel. Three more rules specify that specific IPs on Site B route everything over the tunnel. That is to make those devices geolocate to Site A. Another rule specifies that nine devices connect over a different tunnel which is Nat'd to geolocate them to a third site. Everything else at Site B goes out the WAN.
eibgrad
Part of the Furniture
As I said, if your routing is *conditional*, then yes, use of the VPN Director is needed, it makes sense. But for site-to-site, that's often not the case. More typically, if a device wants to access another device across the tunnel, it just does so, and the static routing makes that possible w/ no other changes to the configuration.
What happened w/ this bug is that ONLY those who are NOT restricting access to the tunnel were affected, such as those specifying No for the "Redirect internet traffic through tunnel" option and relying solely on static routing.
Frankly, it's all a bit confusing, esp. since whether you were even affected comes down to very specific configuration options. So confusing, I even questioned whether to respond to your comments at all, esp. if it's working for you. But it also seemed like an opportunity to further clarify exactly what those specific configuration options are, and even though you didn't meet them, others might benefit.
I have this problem but I can't flash the new beta at the moment, really sorry, I need the network and I can't risk breaking everything.
If someone else could test it, that would be great.
Thanks in any case for making the corrections.
Dedel66
Senior Member
Downloaded this file:
Getting this result:
3004.388.8_beta1???
BTW: I´ve got no problem reaching router´s webui via wireguard with an android client and ipv6.
Last edited:
You've either flashed the wrong file, or the flash procedure didn`t complete.
iBest
Occasional Visitor
Hello,
Running all kind of tests with this build, everything looks in order.
Also tried mapping some others problems described with the latest build ... no issues.
I think this can go public as <<Release>> build if everything checks on your end , too.
Have a nice weekend
maxbraketorque
Very Senior Member
I needed this fix for my ASUS router site-to-site bi-directional OVPN to fully work in both directions.
Similar threads
Similar threads
Similar threads
-
Two VPN connections from home network at the same time -> problems
- Started by vrapp
- Replies: 6
-
-
-
VPN "Automatic start at boot time" in a RT-AX58U router
- Started by attilio63
- Replies: 2
-
-
Asus GT-BE98 Pro and Merlin, no internet when VPN disabled
- Started by jbilodea
- Replies: 4
-
-
-
-