Menu
What's new
By:
Filters Better Search

vpn problems in asuswrt merlin 3004.388.8

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

I don't know if your help was intended for me, but thanks anyway, except that I only use one router...
My use is very simple. I'm just reporting the problems I have with the 388.8 (see my post above).
I hope this can be resolved.
 
Unetwork said:
don't know if your help was intended for me,
Click to expand...
No. In the highly constructive conversations going on between RMerlin and eibgrad, it sounded like neither had a site to site platform to evaluate their theories. I thought my data point might help them.
 
elorimer said:
This may help. My site to site setup seems to be working:

Site A: Ax88 with 388.7 with OpenVPN server. 192.168.50.0/24 LAN. (I don't have physical access to this router so I'm not updating it to .8 yet)
Site B: AX86U Pro with 388.8 (and also the test build). 192.168.10.0/24 LAN.

Site B connected to Site A, site to site, over OVPNC2, no killswitch, with a VPN director rule directing any traffic to 192.168.50.0/24 over the tunnel.
Site B two specific devices with everything directed over OVPNC2, no killswitch, seems to be working.
Site B nine specific devices with everything directed over OVPNC3, killswitch, seems to be working but I can't really tell (air conditioners).
Site B, everything else over WAN. Seems to be working.

Access to Site A router at 192.168.50.1 from Site B, no issues. GUI is set to LAN access only and not reachable from the public IP or DDNS address. Devices on Site A or Site B can reach devices on the other, including the Site B GUI.

Not sure it is relevant, but the upgrade of the AX86 Pro from .7 to .8 required a reset, probably because of the killswitch in .7 for the nine device rule.
Click to expand...

Remember, the problem for most ppl is when they attempt to access the OpenVPN client's tunnel from something other than the local LAN (br0), such as an OpenVPN server co-located w/ the OpenVPN client (i.e., chained tunnels). Remote clients of that OpenVPN server can NOT be routed through the OpenVPN client of the site-to-site connection if the ip rules are limited to the LAN (bro) due to the injection of the iif option.

IOW, if you do NOT meet this very specific configuration, you won't be affected. Just having a normal site-to-site configuration where each side addresses the other's IP network(s) from their respective LANs will continue to work normally.

If you do meet this specific configuration, we've since come to learn that the iif option is only injected if you specify No or All for "Redirect internet traffic through tunnel" on the OpenVPN client. Normally you would specify No for a site-to-site configuration since (if configured properly), static routing is used on each side to make the IP networks available across the tunnel known to the routing tables. Use of the VPN Director, while it will still work, is actually superfluous (again, provided you've properly configured the static routing).

Given all the above, we are now recommending the use of the VPN Director as a workaround to those who are affected. So had YOU meet the requirements of this bug, the fact you're already using the VPN Director would have protected you. IOW, you unknowingly inoculated yourself from its effects due to your (imo) misconfiguration (not unless it is your intention to restrict access across the tunnel).

On a side note, I notice that a lot of users who configure site-to-site also mistakenly NAT the tunnel on the OpenVPN client side. Again, this is unnecessary provided you have correctly configured the static routing.

All that said, @RMerlin now has a fix that apparently is working for those who have tried it.

www.snbforums.com

vpn problems in asuswrt merlin 3004.388.8

Based on the original rules, you have Redirection set to "All". In that case, VPNDirector will require you to create the two rules I mentionned in my post, otherwise nothing will be routed through the VPN. EDIT: Tho generally in a site2site tunnel, you don't want to redirect everything - only...
www.snbforums.com www.snbforums.com
 
Last edited:
eibgrad said:
IOW, you unknowingly inoculated yourself from its effects due to your (imo) misconfiguration (not unless it is your intention to restrict access across the tunnel).
Click to expand...
I don't mean to hijack the thread, but I'm not sure if follow the misconfiguration.

Site B client connects to Site A server with no NAT. My VPN director has a rule that specifies that every device that wants to reach the Site A Lan goes over the tunnel. Three more rules specify that specific IPs on Site B route everything over the tunnel. That is to make those devices geolocate to Site A. Another rule specifies that nine devices connect over a different tunnel which is Nat'd to geolocate them to a third site. Everything else at Site B goes out the WAN.
 
elorimer said:
I don't mean to hijack the thread, but I'm not sure if follow the misconfiguration.

Site B client connects to Site A server with no NAT. My VPN director has a rule that specifies that every device that wants to reach the Site A Lan goes over the tunnel. Three more rules specify that specific IPs on Site B route everything over the tunnel. That is to make those devices geolocate to Site A. Another rule specifies that nine devices connect over a different tunnel which is Nat'd to geolocate them to a third site. Everything else at Site B goes out the WAN.
Click to expand...

As I said, if your routing is *conditional*, then yes, use of the VPN Director is needed, it makes sense. But for site-to-site, that's often not the case. More typically, if a device wants to access another device across the tunnel, it just does so, and the static routing makes that possible w/ no other changes to the configuration.

What happened w/ this bug is that ONLY those who are NOT restricting access to the tunnel were affected, such as those specifying No for the "Redirect internet traffic through tunnel" option and relying solely on static routing.

Frankly, it's all a bit confusing, esp. since whether you were even affected comes down to very specific configuration options. So confusing, I even questioned whether to respond to your comments at all, esp. if it's working for you. But it also seemed like an opportunity to further clarify exactly what those specific configuration options are, and even though you didn't meet them, others might benefit.
 
Does this update also address the issues some were having in reaching the router's webui?
 
RMerlin said:
Does this update also address the issues some were having in reaching the router's webui?
Click to expand...
I have this problem but I can't flash the new beta at the moment, really sorry, I need the network and I can't risk breaking everything.
If someone else could test it, that would be great.
Thanks in any case for making the corrections.
 
RMerlin said:
Please try the test builds uploaded here:

OneDrive

www.asuswrt-merlin.net www.asuswrt-merlin.net
Click to expand...
Downloaded this file:

Getting this result:
388.8_beta1.JPG


3004.388.8_beta1???


BTW: I´ve got no problem reaching router´s webui via wireguard with an android client and ipv6.
 
Last edited:
You're right: I mixed up some files so the flash was incomplete. It's too late after a long week of work.

SORRY!!!
 
RMerlin said:
Please try the test builds uploaded here:

OneDrive

www.asuswrt-merlin.net www.asuswrt-merlin.net
Click to expand...

Hello,

Running all kind of tests with this build, everything looks in order.
Also tried mapping some others problems described with the latest build ... no issues.
I think this can go public as <<Release>> build if everything checks on your end , too.

Have a nice weekend
 
I needed this fix for my ASUS router site-to-site bi-directional OVPN to fully work in both directions.
 
You must log in or register to reply here.

Similar threads

RMerlin
  • Locked
Beta Asuswrt-Merlin 3004.388.8 beta is now available
6 7 8
Replies
155
Views
30K
RMerlin
RMerlin
RMerlin
  • Locked
Release Asuswrt-Merlin 3004.388.8_2 is now available
22 23 24
Replies
469
Views
59K
aitor_mtb
A
StephanK
RT-AX88U Pro Wireguard
Replies
5
Views
357
StephanK
StephanK
A
VPN "Automatic start at boot time" in a RT-AX58U router
Replies
2
Views
320
attilio63
A
B
Asus Rog Rapture GT-AX6000. No rog version avalaible in last Merlin 3004.388.8
Replies
13
Views
1K
Ice9
I
Similar threads
Thread starter Title Forum Replies Date
V Two VPN connections from home network at the same time -> problems Asuswrt-Merlin 6
P Accessing remotly Server While Using VPN on Asus Router with Merlin Firmware Asuswrt-Merlin 9
G Using VPN Director to route only torrent traffic through VPN Asuswrt-Merlin 9
B Unable to establish VPN connection to my PiVPN (ovpn) from my Asus RT-AC86U running Asuswrt-Merlin 386.14 Asuswrt-Merlin 1
T Wireguard Client VPN not using DNS Asuswrt-Merlin 14
S Wireguard VPN doesn't work, buyer beware Asuswrt-Merlin 6
G VPN director configuration for qBittorrent Asuswrt-Merlin 7
J ASUS GT-AXE16000 CPU usage with VPN on lan machine Asuswrt-Merlin 25
I Wireguard VPN client does not autostart after reboot Asuswrt-Merlin 2
Z Sudden VPN client issues with RX-AX82U Asuswrt-Merlin 5

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 807 (members: 36, guests: 771)
Top