OpenVPN Support Forum

Hi,

I'm a total VPN noob so I apologize in advance for my stupid question(s)

I have a RT-AC66R

I set up OpenVPN on my router.

I am able to connect to it from another computer outside the network, however, I have an issue.

My local network where the openVPN server is running on the router has an ip of 192.168.x.x

When I connect to the network from another location, I get a n IP of 10.8.x.x

With that IP I can't access any of the resources on that network.

I tried to change the VPN subnet but it can't be the same as my local network.

How can I get OpenVPN to give me a local IP when I connect to it?

I'm just trying to get access to the network so I can use windows remote desktop to connect to PCs on the network.

Thanks for your help!

First of you could do that with TAP adapter instead of tun, however i strongly object that for various reasons

with tun you make a rounting network which means

you have your lan like 192.168.0.x
you have your openvpn server network like 10.10.10.x

now any client connecting to openvpn gets the 10.10.10.x adress
no big deal you just route to your home network.
place in serverconfig that will tell the router to defautl route anything for openvpn network to openvpn
and it will push the route to your local network to the client

since all your local lan client have the asus as their default gateway they will always go to asus first in attemp to reach the 10.. network. asus now knows where to put it because openvpn create an own virtual adapter on the router and with the route command it adds the adapter to the routing table of asus.
so he will know next hop for 10xxx network is that virtual adapter

same other way around. with pushing route to 192 to the client he now has 3 routes
one is default gateway one is 10x and one is 192.... he will try for anythign other then inthe routing tabel to reach defautl gateway
so all 10x and 192x adressed request will go to the virtual adapter of openvpn and redirector to the openvpn server who will redirect it to the router

Thank you so much for your answer!

I understand a little bit from reading that TUN is preferred over TAP in some cases. Basically, I'm just trying to get on my network so I can access the workstations via tightVNC viewer.

I had been trying the set up via TUN settings but it didn't work. It only occured to me that Asus had a TAP option. Once I set that, everything worked.

However, do you think I should try to get TUN to work? I know you said you strongly object to TAP

My concern is just to be as safe as possible when accessing workstations via TighVNC.

definetly go and make tun work
the 2 lines config should do the trick

tun is actually pretty easy, even tap SEEMS easier at start.

Tap is a real problem in my view.tap is a bridge, that means that it is indeed like you connect a local workstation ot your network.
however this brings many problems with it.

with bridging you get all the beautiful ethernet traffic, not only IP but everything.
this brings problems. from slowing down the vpn with garbage till issues on your switches (depending what you have)

not to mention all the broadcastyou dont want or need.
routing is much cleaner and has some additional benefits which might not important for you right now but for example

the real problem arrive once your vpn connetion runs over bad lines, it can easly addup fragementation, it can make problems in your lan with fragmented packages from your vpn line and so on.


TAP is really a speciall purpose thing if you really know WHY you want it.
if you dont have a reason other than i cant get tun to work then dont.


beside tap adapter have notorious issues driver wise.

go for tun and learn a thing or 2 about routing, youll need it at somepoint anyway.

Ok. I'll def try to make it work later this evening.

Appreciate the help!

One last thing:
My settings will look like this with your two lines in the little box at the bottom?

im not really familiar with asus implementation of that interface.

in theory you may nto even need those options since the menue said push local lan to the client
so it should work out of the box

but if you need to set it you need to set but highly possibel asus does that, you may wanna check your routing table after vpn server is started
it should show you the 10.8.0.0 network on that tun adapter


i would activate extra hmac authentication

it would also be interresting what it means with manage client specific settings.

btw, if you use a tun adapter you NEED to execute the openvpn client with administrator rights.
otherweise it can set your routes you need in windows.

if it doenst work make a on your client plus a traceroute to your router and vice versa and post results

I have tried to follow the instructions given here, but it is not working to set up my Asus RT-N66U router. When I apply the settings on the router, I get the following error message:

Routing conflict!
Please check the client's IP address settings from the Advanced Settings page or check the routing table on System log.

The Custom Configuration is set up as follows:

push route 192.168.2.0 255.255.255.0
route 10.8.0.0 255.255.255.0

If I change the command from route 10.8.0.0 255.255.255.0 to route 10.8.0.1 255.255.255.0, the router will create the configuration file. However, since this is not how you suggested doing it, I was wondering if this is okay.

I did not end up needing any of those extras.
I used the general settings and it worked. I also use it with TightVNC to connect from anywhere.

Hi IcarusVPN,

were you able to get your VPN to connect and see your local network computers via TUN? or did you set it up as TAP


thanks in advance

Hi, I too am having some problems getting this working properly. I have two ASUS RT AC5300 routers, At different locations. I have an IP Office and two IP phones. I created an OpenVPN tunnel between the two locations by configuring the router where the phones are as a client, and the router with the IP Office as the server. The phones can see the IP Office and register, but no voice traffic (dial-tones or speech) work from the phones. They do work when they are connected locally however. Is there something I need to add to the configuration to get this to work? The main network is 192.168.1.0/24 and the Remote office is 192.168.50.0/24. Here is a screenshot of the serving router's OpenVPN configuration:

Hey gleckert, did you get it sorted? I've been facing this issue...

Hi terrorfrog,

I got this working with 2 Tomato routers connecting using tun. Works after entering the push and route on the server side.

I have a question. I can ping my computers on the server side from the client side but I can't ping the client side from the server side.

Is there a new route I can add to the server router for it to ping the client side?

Server side subnet is 192.168.0.0 and the client side is 10.0.0.0

Thanks,

Stever11

terrorfrog wrote:definetly go and make tun work
the 2 lines config should do the trick

tun is actually pretty easy, even tap SEEMS easier at start.

Tap is a real problem in my view.tap is a bridge, that means that it is indeed like you connect a local workstation ot your network.
however this brings many problems with it.

with bridging you get all the beautiful ethernet traffic, not only IP but everything.
this brings problems. from slowing down the vpn with garbage till issues on your switches (depending what you have)

not to mention all the broadcastyou dont want or need.
routing is much cleaner and has some additional benefits which might not important for you right now but for example

the real problem arrive once your vpn connetion runs over bad lines, it can easly addup fragementation, it can make problems in your lan with fragmented packages from your vpn line and so on.


TAP is really a speciall purpose thing if you really know WHY you want it.
if you dont have a reason other than i cant get tun to work then dont.


beside tap adapter have notorious issues driver wise.

go for tun and learn a thing or 2 about routing, youll need it at somepoint anyway.

I have exact same issue as OP.
Using Asus DSL-AC88U router OpenVPN.

Connect without issue from WAN to my OpenVPN server and can see the client connected WHEN viewing the router gui from a PC on the LAN.

However I cannot browse my LAN when using OpenVPN from WAN.

Spent days trying to resolve this and ended here.

VPN subnet 10.0.8.0
LAN subnet 192.168.2.0

Client shows connected to OpenVPN with ip 10.0.8.2

hope someone can help as all out of ideas at the moment

I've aded to Asus advanced config field:
client-to-client
topology subnet
client-config-dir /jffs/openvpn/conf/
route 192.168.88.0 255.255.255.0

and created /jffs/openvpn/conf/DEFAULT
with entry
iroute 192.168.88.0 255.255.255.0
to add routing inside OVPN

P.S. I'm not shure if /jffs/openvpn/conf/DEFAULT will remain after router reboot
Also route 192.168.88.0 255.255.255.0 did not allways work, but if i configre route manually thought terminal everything works.

Update:
/jffs/openvpn/conf/DEFAULT - did not vanish after reboot
route 192.168.88.0 255.255.255.0 -> route 192.168.88.0 255.255.255.0 10.1.1.2
10.1.1.2 - ip address of ovpn client

UPD:
there was a problem - when a new user connected to the server he used DEFAULT config and the iroute was pointed on the new user, and the old one was without the network, so I had to distinguish users by the certificate.
In Asus certificates are kept in /jffs/openvpn/ directory I've made copies of CA and the key and used them to generate unique certificates for each user with following commands:

openssl genrsa -out user2.key 2048

openssl req -new -subj "/C=RU/ST=City/L=region/O=org/CN=user2" -key user2.key -out user2.csr

openssl x509 -req -in user2.csr -CA vpn_crt_server1_ca -CAkey vpn_crt_server1_ca_key -CAcreateserial -out user2.crt -days 21360

and created for each user in client-config-dir /jffs/openvpn/conf/ file, containing individual options.(iroute, push and etc)

Hi All,

quick question on OpenVPN server config - kinda related to this thread:
- how to configure advance settings in order to allow traffic to LAN only w/o access to WAN
What I'm trying to achieve is to build tunnel to my home network with external drive plugged onto router for few friends however I'd rather not give them access to internet.
Any ideas?

Hello!

I have a Asus RT-AC66U running OpenVPN and with either a Win-PC or an iOS device I would like to access my device that are connected locally on the network. If I change from TUN to TAP it works on the PC but iOS does not support TAP so its not a viable solution.

I have followed the different suggestions from the thread above and other places, including creating the jffs/openvpn/conf/DEFAULT on the router without any success. The closest I have gotten to a working solution is to being able to ping the VPN-server.

I'm lost at what to do in order to get it to work and ANY help is gratefully appreciated!

detalone wrote: ↑

Tue Aug 29, 2017 6:53 pm

Hi All,

quick question on OpenVPN server config - kinda related to this thread:
- how to configure advance settings in order to allow traffic to LAN only w/o access to WAN
What I'm trying to achieve is to build tunnel to my home network with external drive plugged onto router for few friends however I'd rather not give them access to internet.
Any ideas?

I know that this is old question, but maybe someone else will be directed here to find similar solution, so I will post this anyway.

Push LAN to clients: YES
it will allow to access shared folders & drives within primary (original) LAN

Direct clients to redirect internet traffic: NO
Remote clients will be using its own connection/WAN for internet (all external IPs & DNS will be from client's machine)

Hi everyone

I'm using OpenVPN TAP server on my Asus RT-AC86U.

Everything works perfect except one thing.

I can't Connect to the router GUI from LAN to LAN

If I'm using 4g from My cellphone then I'm able to log into Asus router GUI.

But never from WIFI connection from any other location

From both LAN outside my OpenVPN server and 4g cellular I can connect to everything on the servers LAN

Can anyone give me a hint?

--------edit---------

Nothing works LAN to another LAN. Both LAN's using same DHCP spann. 192.168.1.1-192.168.1.254

Is there any solution for that kind of behaviour with OpenVPN TAP???

Thanks