[Solved]ROUTER ASUS & OpenVPN & Client Server Side

[jamyz]

Hi everybody !!!

I have 2 Router ASUS. One is the RT-AC87U and the other is the RT-AC66U.
I have configured the RT-AC87U like Server. And the RT-AC66U is the client.
Now the RT-AC66U(Client) connect correctly with the RT-AC87U(Server).
From the router client and the all the clients connected to the router client i can ping all clients from server side.
But from the router server and all clients connected from the router server i can't ping nobody connected at the router client.

This is my setup.......

ASUS RT-AC87U (SERVER)
Lan IP = 192.168.1.1
OpenVPN = 10.8.0.1

ASUS RT-AC66U (client)
Lan IP = 192.168.0.1
OpenVPN = 10.8.0.2

Table Route ASUS RT-AC87U (SERVER)

Code: Select all

Destination	   Gateway	Genmask	       Flags	Metric	Ref	Use	Iface
My IP WAN     	*	255.255.255.255	UH	0	         0	0	WAN
169.254.39.0	*	255.255.255.0	U	0	         0	0	LAN
10.8.0.0	        *	255.255.255.0	U	0	         0	0	tun21
192.168.1.0	       *	255.255.255.0	U	0	         0	0	LAN
My IP WAN.0	*	255.255.252.0	U	0	         0	0	WAN
default	My IP WAN	0.0.0.0	UG	0	         0	0	WAN

Table Route ASUS RT-AC66U (CLIENT)

Code: Select all

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
My IP WAN     *               255.255.255.255    UH    0      0        0 WAN
192.168.1.0     10.8.0.1      255.255.255.0       UG    0      0        0 tun11
10.8.0.0          *               255.255.255.0        U     0      0        0 tun11
192.168.0.0     *               255.255.255.0        U     0      0        0 LAN
My IP WAN.0     *               255.255.254.0        U     0      0        0 WAN
default         My IP WAN     0.0.0.0               UG    0      0        0 WAN

The file Client.ovpn to insert in the client.

Code: Select all

client
dev tun
proto udp
remote FAKEIP 1194
float
comp-lzo adaptive
keepalive 15 60
ns-cert-type server
<ca>
-----BEGIN CERTIFICATE-----
FAKE.....................FAKE
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
FAKE.....................FAKE
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
FAKE.....................FAKE
-----END PRIVATE KEY-----
</key>
resolv-retry infinite
nobind

Test from ASUS RT-AC87U (SERVER) to ASUS RT-AC66U (CLIENT)

Code: Select all

PING 10.8.0.2 (10.8.0.2): 56 data bytes
64 bytes from 10.8.0.2: seq=0 ttl=64 time=21.743 ms
64 bytes from 10.8.0.2: seq=1 ttl=64 time=15.473 ms
64 bytes from 10.8.0.2: seq=2 ttl=64 time=15.380 ms
64 bytes from 10.8.0.2: seq=3 ttl=64 time=15.216 ms
64 bytes from 10.8.0.2: seq=4 ttl=64 time=15.086 ms

Code: Select all

traceroute to 10.8.0.2 (10.8.0.2), 30 hops max, 38 byte packets
 1  10.8.0.2 (10.8.0.2)  17.501 ms  18.578 ms  19.943 ms

Code: Select all

PING 192.168.0.1 (192.168.0.1): 56 data bytes

--- 192.168.0.1 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

Code: Select all

traceroute to 192.168.0.1 (192.168.0.1), 30 hops max, 38 byte packets
 1  10.22.0.1 (10.22.0.1)  12.977 ms  7.059 ms  7.103 ms
 2  *  *  fakeip.static.mundo-r.com (fakeip)  14.845 ms
 3  *  *  *
 4  *  *  *
 5  *  *  *
 6  *  *  *
 7  *  *  *
 8  *  *  *
 9  *  *  *
10  *  *  *
11  *  *  *
12  *  *  *
13  *  *  *
14  *  *  *
15  *  *  *
16  *  *  *
17  *  *  *
18  *  *  *
19  *  *  *
20  *  *  *
21  *  *  *
22  *  *  *
23  *  *  *
24  *  *  *
25  *  *  *
26  *  *  *
27  fakeip.static.mundo-r.com (fakeip)  15.688 ms !H  *  *
28  *  *  *
29  *  *  *
30  *  *  *

I think is because the RT-AC87U (SERVER) don't have the route.
What i need to insert in the route table in the RT-AC86U (SERVER)???

Thanks you for the help.............

[Traffic]

You need to implement this in your server config:
HOWTO: Expanding the scope of the VPN to include additional machines

[jamyz]

Thanks for your help.

In Asus RT-AC87U (SERVER) i had,

Code: Select all

client-config-dir /jffs/configs/openvpn/ccd
client-to-client
push "route 192.168.0.0 255.255.255.0"
topology subnet
route 192.168.0.0 255.255.255.0
push "route 10.8.0.0 255.255.255.0"

"/jffs/configs/openvpn/ccd" is because the original in "/etc/openvpn/server1/ccd/client" when i reboot the router he delete "iroute 192.168.4.0 255.255.255.0".

And now work......

[shjips]

Thanks for your help.

In Asus RT-AC87U (SERVER) i had,

Code: Select all

client-config-dir /jffs/configs/openvpn/ccd
client-to-client
push "route 192.168.0.0 255.255.255.0"
topology subnet
route 192.168.0.0 255.255.255.0
push "route 10.8.0.0 255.255.255.0"

"/jffs/configs/openvpn/ccd" is because the original in "/etc/openvpn/server1/ccd/client" when i reboot the router he delete "iroute 192.168.4.0 255.255.255.0".

And now work......

Hey man!

Trying the same setup as yours, but having the exact same issue. The client can connect to the servers network without any issue. But since I will have a DC on both the server network and client network I would like bi-directional communication.
Running two RT-AC66's.

Couple of questions.
Did you use /jffs/... as folder for your CCD files? I'm not able to write to that folder..
What did you name your file to? Your configured username that the client connects with? I have tried both the username (that show in the serverlog when I connect), and "client".
I have the option "duplicate-cn" configured in config.ovpn, which the guide the fella over us linked. I've removed that option, but it shows up again as soon as the router is rebooted. Do you have that option enabled?
How do you keep your config.ovpn "write protected" after a reboot?

I cant get it to work at all. Guessing I'm using the wrong client name in the CCD folder maybe?

Any tips would be highly welcomed. Maybe you can post your working config?

/Shjips

[shjips]

Couldnt figure out how to edit my post...

Well, got it to work by adding a static route on my server router
route add -net 192.168.2.0 netmask 255.255.255.0 gw 10.8.0.2 dev tun21.
10.8.0.2 beeing the client router.

I guess I can make that route persistent (if I can find where Asus put the sysconfig..), but the client router will maybe get another IP if it reboots or something.. Would love to solve it with the CCD folder/file.

/Shjips

[jamyz]

Look here
topic18835-15.html

Maybe help

[shjips]

Look here
topic18835-15.html

Maybe help

Thanks, I'll give that a look!

How about the folders on your router. How was you able to create the CCD files in /jffs? Everywhere I create folders, they get removed after a reboot. And changes in config.ovpn as well. How did you solve that?

/shjips

[jamyz]

I use now the merlin build firmware 380.57 for the RT-AC87U.
Go at your left menu / Administration
- Go Rigth page / Systeme
--Persistent JFFS
--- Disable / Format JFFS partition at next boot (No)
--- Enable / Enable JFFS custom scripts and configs (Yes)

[helio58]

I use now the merlin build firmware 380.57 for the RT-AC87U.
Go at your left menu / Administration
- Go Rigth page / Systeme
--Persistent JFFS
--- Disable / Format JFFS partition at next boot (No)
--- Enable / Enable JFFS custom scripts and configs (Yes)

Please I know this is a old post but could you post your server configuration?
Please