GL-MT300N-V2 Openvpn server does not route to LAN nor Internet

Hello,

Could someone help me to figure out what is wrong with my openvpn server configuration?

This is my “hardware” config:

Notebook<=WIFI=>MT300N1-(VPN Client)<=LAN:192.168.0.0=>Router1<-----Internet----->Router2<=LAN:192.168.1.0=>MT300N2-(VPN Server)

MT300N1 local ip: 192.168.0.2
VPN Client 10.8.0.3

MT300N2 local ip: 192.168.1.2
VPN Server 10.8.0.1

Both MT300N 1 and 2 are connected to their routers on LAN interface.

What I can do:

  1. If I use VPN-Client with proton-vpn settings my notebook can access Internet via the Proton-Server
  2. If I use my own openvpn server on Router2 I can create client-server connection
    and ping from the vpn client router MT300N1 the server router. Both local ip (192.168.1.2) and vpn ip (10.8.0.1) are ping-able
  3. on the server MT300N2 I can ping any local network ip and any on internet.
  4. on the server MT300N2 I can resolve any internet name (dns works)

After connecting the vpn client to the vpn server, on the MT300N1 and the notebook I cannot:

  1. ping any active address on LAN (192.168.1.0)
  2. ping any internet ip (e.g. 8.8.8.8)
  3. resolve any internet name

Routing tables:

root@GL-MT300N1:~# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         10.8.0.1        128.0.0.0       UG        0 0          0 tun0
0.0.0.0         192.168.0.1     0.0.0.0         UG        0 0          0 br-lan
10.8.0.0        0.0.0.0         255.255.255.0   U         0 0          0 tun0
83.10.69.163    192.168.0.1     255.255.255.255 UGH       0 0          0 br-lan
128.0.0.0       10.8.0.1        128.0.0.0       UG        0 0          0 tun0
192.168.0.0     0.0.0.0         255.255.255.0   U         0 0          0 br-lan


root@MT300N2:~# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 br-lan
10.8.0.0        0.0.0.0         255.255.255.0   U         0 0          0 tun-SERVER
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 br-lan

Client config file

client
dev tun
proto udp
remote remote-domain 1194
resolv-retry infinite
nobind
persist-key
persist-tun
auth SHA1 
cipher BF-CBC
comp-lzo adaptive
nice 0
mute 5
verb 3
<ca>
-----BEGIN .......

Server

root@MT300N2:~# ifconfig
br-lan    Link encap:Ethernet  HWaddr 94:83:C4:xx:xx:xx
          inet addr:192.168.1.2  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::9683:c4ff:fe04:3a57/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:10917 errors:0 dropped:166 overruns:0 frame:0
          TX packets:10804 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1480431 (1.4 MiB)  TX bytes:1314591 (1.2 MiB)

eth0      Link encap:Ethernet  HWaddr 94:83:C4:xx:xx:xx
          inet6 addr: fe80::9683:c4ff:fe04:3a57/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:290622 errors:0 dropped:0 overruns:0 frame:0
          TX packets:331869 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:39914872 (38.0 MiB)  TX bytes:58600983 (55.8 MiB)
          Interrupt:5

eth0.1    Link encap:Ethernet  HWaddr 94:83:C4:xx:xx:xx
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:10917 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10972 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1480431 (1.4 MiB)  TX bytes:1323663 (1.2 MiB)

eth0.2    Link encap:Ethernet  HWaddr 94:83:C4:xx:xx:xx
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1650 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:262212 (256.0 KiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:12919 errors:0 dropped:0 overruns:0 frame:0
          TX packets:12919 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1083367 (1.0 MiB)  TX bytes:1083367 (1.0 MiB)

ra0       Link encap:Ethernet  HWaddr 94:83:C4:xx:xx:xx
          inet6 addr: fe80::9683:c4ff:fe04:3a57/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
          Interrupt:6

tun-SERVER Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.1  P-t-P:10.8.0.1  Mask:255.255.255.0
          inet6 addr: fe80::71a1:808b:ef44:be6b/64 Scope:Link
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:9281 errors:0 dropped:0 overruns:0 frame:0
          TX packets:14 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:651385 (636.1 KiB)  TX bytes:1090 (1.0 KiB)

Client:

root@GL-MT300N-V2:~# ifconfig 
br-lan    Link encap:Ethernet  HWaddr 94:83:C4:xx:xx:xx  
          inet addr:192.168.0.2  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:23062 errors:0 dropped:5328 overruns:0 frame:0
          TX packets:23075 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:3318593 (3.1 MiB)  TX bytes:6236050 (5.9 MiB)

eth0      Link encap:Ethernet  HWaddr 94:83:C4:xx:xx:xx  
          inet6 addr: fe80::9683:c4ff:fe04:3b3d/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:41072 errors:0 dropped:78 overruns:0 frame:0
          TX packets:36226 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:6884106 (6.5 MiB)  TX bytes:10377849 (9.8 MiB)
          Interrupt:5 

eth0.1    Link encap:Ethernet  HWaddr 94:83:C4:xx:xx:xx  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:15045 errors:0 dropped:0 overruns:0 frame:0
          TX packets:14631 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:1588308 (1.5 MiB)  TX bytes:2398736 (2.2 MiB)

eth0.2    Link encap:Ethernet  HWaddr 94:83:C4:xx:xx:xx  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:884 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:302328 (295.2 KiB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:19081 errors:0 dropped:0 overruns:0 frame:0
          TX packets:19081 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:1397907 (1.3 MiB)  TX bytes:1397907 (1.3 MiB)

ra0       Link encap:Ethernet  HWaddr 94:83:C4:xx:xx:xx  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:48310 errors:814 dropped:0 overruns:0 frame:0
          TX packets:35452 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:7164673 (6.8 MiB)  TX bytes:14856423 (14.1 MiB)
          Interrupt:6 

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.8.0.3  P-t-P:10.8.0.3  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:6 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8574 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:450 (450.0 B)  TX bytes:582668 (569.0 KiB)

Client:

root@GL-MT300N1:~# netstat -l -n -p | grep -e openvpn
udp        0      0 0.0.0.0:37136           0.0.0.0:*                           4476/openvpn
udp        0      0 0.0.0.0:40825           0.0.0.0:*                           1459/openvpn

Server

root@MT300N-V2:~# netstat -l -n -p | grep -e openvpn
udp        0      0 0.0.0.0:1194            0.0.0.0:*                           16897/openvpn

Client: uci show firewall

firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].network='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].network='wan' 'wan6'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@forwarding[0].enabled='0'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.@include[0].reload='1'
firewall.gls2s=include
firewall.gls2s.type='script'
firewall.gls2s.path='/var/etc/gls2s.include'
firewall.gls2s.reload='1'
firewall.glfw=include
firewall.glfw.type='script'
firewall.glfw.path='/usr/bin/glfw.sh'
firewall.glfw.reload='1'
firewall.glqos=include
firewall.glqos.type='script'
firewall.glqos.path='/usr/sbin/glqos.sh'
firewall.glqos.reload='1'
firewall.mwan3=include
firewall.mwan3.type='script'
firewall.mwan3.path='/var/etc/mwan3.include'
firewall.mwan3.reload='1'
firewall.guestzone=zone
firewall.guestzone.name='guestzone'
firewall.guestzone.network='guest'
firewall.guestzone.forward='REJECT'
firewall.guestzone.output='ACCEPT'
firewall.guestzone.input='REJECT'
firewall.guestzone_fwd=forwarding
firewall.guestzone_fwd.src='guestzone'
firewall.guestzone_fwd.dest='wan'
firewall.guestzone_fwd.enabled='0'
firewall.guestzone_dhcp=rule
firewall.guestzone_dhcp.name='guestzone_DHCP'
firewall.guestzone_dhcp.src='guestzone'
firewall.guestzone_dhcp.target='ACCEPT'
firewall.guestzone_dhcp.proto='udp'
firewall.guestzone_dhcp.dest_port='67-68'
firewall.guestzone_dns=rule
firewall.guestzone_dns.name='guestzone_DNS'
firewall.guestzone_dns.src='guestzone'
firewall.guestzone_dns.target='ACCEPT'
firewall.guestzone_dns.proto='tcp udp'
firewall.guestzone_dns.dest_port='53'
firewall.glservice_rule=rule
firewall.glservice_rule.name='glservice'
firewall.glservice_rule.dest_port='83'
firewall.glservice_rule.proto='tcp udp'
firewall.glservice_rule.src='wan'
firewall.glservice_rule.target='ACCEPT'
firewall.glservice_rule.enabled='0'
firewall.vpn_zone=zone
firewall.vpn_zone.name='ovpn'
firewall.vpn_zone.input='ACCEPT'
firewall.vpn_zone.forward='REJECT'
firewall.vpn_zone.output='ACCEPT'
firewall.vpn_zone.network='ovpn'
firewall.vpn_zone.masq='1'
firewall.vpn_zone.mtu_fix='1'
firewall.forwarding_vpn1=forwarding
firewall.forwarding_vpn1.dest='ovpn'
firewall.forwarding_vpn1.src='lan'
firewall.forwarding_guest_ovpn=forwarding
firewall.forwarding_guest_ovpn.dest='ovpn'
firewall.forwarding_guest_ovpn.src='guestzone'

Server: uci show firewall

firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[0].network='lan'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[1].network='wan6'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.@include[0].reload='1'
firewall.glfw=include
firewall.glfw.type='script'
firewall.glfw.path='/usr/bin/glfw.sh'
firewall.glfw.reload='1'
firewall.glqos=include
firewall.glqos.type='script'
firewall.glqos.path='/usr/sbin/glqos.sh'
firewall.glqos.reload='1'
firewall.mwan3=include
firewall.mwan3.type='script'
firewall.mwan3.path='/var/etc/mwan3.include'
firewall.mwan3.reload='1'
firewall.guestzone=zone
firewall.guestzone.name='guestzone'
firewall.guestzone.network='guest'
firewall.guestzone.forward='REJECT'
firewall.guestzone.output='ACCEPT'
firewall.guestzone.input='REJECT'
firewall.guestzone_fwd=forwarding
firewall.guestzone_fwd.src='guestzone'
firewall.guestzone_fwd.dest='wan'
firewall.guestzone_dhcp=rule
firewall.guestzone_dhcp.name='guestzone_DHCP'
firewall.guestzone_dhcp.src='guestzone'
firewall.guestzone_dhcp.target='ACCEPT'
firewall.guestzone_dhcp.proto='udp'
firewall.guestzone_dhcp.dest_port='67-68'
firewall.guestzone_dns=rule
firewall.guestzone_dns.name='guestzone_DNS'
firewall.guestzone_dns.src='guestzone'
firewall.guestzone_dns.target='ACCEPT'
firewall.guestzone_dns.proto='tcp udp'
firewall.guestzone_dns.dest_port='53'
firewall.glservice_rule=rule
firewall.glservice_rule.name='glservice'
firewall.glservice_rule.dest_port='83'
firewall.glservice_rule.proto='tcp udp'
firewall.glservice_rule.src='wan'
firewall.glservice_rule.target='ACCEPT'
firewall.glservice_rule.enabled='0'
firewall.vpn_server_rule=rule
firewall.vpn_server_rule.name='Allow-OpenVPN-Inbound'
firewall.vpn_server_rule.target='ACCEPT'
firewall.vpn_server_rule.src='wan'
firewall.vpn_server_rule.proto='udp'
firewall.vpn_server_rule.dest_port='1194'
firewall.vpn_server_zone=zone
firewall.vpn_server_zone.name='vpn-server'
firewall.vpn_server_zone.input='ACCEPT'
firewall.vpn_server_zone.forward='DROP'
firewall.vpn_server_zone.output='ACCEPT'
firewall.vpn_server_zone.masq='1'
firewall.vpn_server_zone.mtu_fix='1'
firewall.vpn_server_zone.device='tun-SERVER'
firewall.vpn_server_wan=forwarding
firewall.vpn_server_wan.src='vpn-server'
firewall.vpn_server_wan.dest='wan'
firewall.vpn_server_lan=forwarding
firewall.vpn_server_lan.src='vpn-server'
firewall.vpn_server_lan.dest='lan'
firewall.vpn_server_guest=forwarding
firewall.vpn_server_guest.src='vpn-server'
firewall.vpn_server_guest.dest='guestzone'

On the Server MT300N2 I set up on LAN interface DNS=192.168.1.1 (local router)
On the client MT300N1 I set up on LAN interface DNS=9.9.9.9

Any advice or idea would be very much appreciated - thank you!
B.
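
Added example, not part of the original post: a longest-prefix-match lookup over the two `netstat -rn` tables posted above, showing which interface and gateway each router selects for the destinations that fail. The function names are illustrative, and 192.168.1.10 is a constructed sample host on the server-side LAN.

```python
import ipaddress

# Rows copied from the client (MT300N1) `netstat -rn` output in the post.
CLIENT_TABLE = """
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         10.8.0.1        128.0.0.0       UG        0 0          0 tun0
0.0.0.0         192.168.0.1     0.0.0.0         UG        0 0          0 br-lan
10.8.0.0        0.0.0.0         255.255.255.0   U         0 0          0 tun0
83.10.69.163    192.168.0.1     255.255.255.255 UGH       0 0          0 br-lan
128.0.0.0       10.8.0.1        128.0.0.0       UG        0 0          0 tun0
192.168.0.0     0.0.0.0         255.255.255.0   U         0 0          0 br-lan
"""

# Rows copied from the server (MT300N2) `netstat -rn` output in the post.
SERVER_TABLE = """
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 br-lan
10.8.0.0        0.0.0.0         255.255.255.0   U         0 0          0 tun-SERVER
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 br-lan
"""


def parse_routes(text):
    """Parse `netstat -rn` rows into (network, gateway, iface) tuples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 8:
            continue  # blank line or banner
        try:
            net = ipaddress.ip_network(f"{fields[0]}/{fields[2]}")
        except ValueError:
            continue  # column header row
        routes.append((net, fields[1], fields[7]))
    return routes


def egress(routes, dest):
    """Return (iface, gateway, matched prefix) chosen by longest-prefix match."""
    addr = ipaddress.ip_address(dest)
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        return None
    net, gateway, iface = max(matches, key=lambda r: r[0].prefixlen)
    return iface, gateway, str(net)


if __name__ == "__main__":
    client = parse_routes(CLIENT_TABLE)
    server = parse_routes(SERVER_TABLE)
    # The two /1 routes are more specific than the /0 default, so they win
    # for every destination that has no longer match.
    for dest in ("192.168.1.10", "8.8.8.8", "10.8.0.1", "83.10.69.163"):
        print("client ->", dest, egress(client, dest))
    # Return direction on the server: replies to the tunnel address, and the
    # onward hop for traffic the server forwards to the Internet.
    for dest in ("10.8.0.3", "8.8.8.8"):
        print("server ->", dest, egress(server, dest))
```

On both GL routers the failing destinations resolve into the tunnel and back out of it, so these two tables by themselves do not show a fault.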

Do you want to achieve something like Site-to-Site Network - GL.iNet

Can you just use our default solution?

We tried using openvpn to do the same thing but were not successful.

Hi Alzhao,

thanks for answering.

Do you want to achieve something like Site-to-Site Network - GL.iNet

Almost, I’d like to have a much simplified version. Let’s say “my home 1” with a GL-MT300N connected to the Internet router and “my home 2” with another GL-MT300N connected to the internet router.
From Home 2 I’d like to access all systems at Home 1 and potentially use the home 1 internet connection.

That’s it. I do not want to use any cloud solution.
What I realize is that in your standard server configuration you assume that the connection to the internet is realized via the WAN network interface. This is not correct for me. The MT300N at home 1 is connected via LAN. This I have to change - I assume in the firewall iptables config - right?

Any idea how to configure the two MT300N routers to create an “out-of-the-box” Server-Client config?

Starting from factory settings does not work.

Your support is highly appreciated!
B.

Understood, but I do not have a simplified version. We want to simplify this so we developed the cloud solution.

No problem, I configured the system as I wanted. Now everything is working as desired.

Regards
B.

Hi beny51,
Could you please help by providing details, as you have resolved the situation?
I am describing my situation below. Your response would be highly appreciated.

Per your Concept understood the following:
US HOME SETUP:
US Home ISP Provider → US Home Modem → US Home GL BRUME MV-1000 (to act as VPN Server via Wireguard/OpenVPN Server)

OUT OF COUNTRY TRAVEL SETUP:
Out-of-Country Modem → Out-of-Country Router wired to → GL-AR750S Travel Router (to act as VPN Client via Wireguard/OpenVPN Client) → Connect WORK laptop to the GL Travel Router wifi signal

Could you please help me understand a little bit more details on the following?

  1. With the above setup, I believe that I do not need to subscribe to any commercial VPN services like ExpressVPN, MullVad etc., as the above solution would act as a point-to-point VPN tunnel. Please confirm if my understanding is correct.
  2. Is there any way we can test this concept to confirm if it works before traveling out of country?
  3. Will the work laptop show the same “What is my ip?” as if working from home?

Yes. You are using your own vpn server at home.

You should export the vpn config from MV1000, put it on your phone or AR750s. Your AR750s should connect to another network, e.g. phone hotspot and check if you can connect to your home.

Yes, this is the correct way to check

Thanks for your guidance. Will check.

Hi @alzhao ,
4) Is there anything I have to be aware of regarding static IPs vs dynamic?
5) Should I leave the router powered on at all times when I travel out of country? If power outages occur, should I have backup?
6) Any other troubleshooting, I should be aware of?

Thanks

If you can, use static IP.

Just leave it powered.

Pls read the docs and video.

Thanks @alzhao for your guidance. Highly appreciated.
Regarding dynamic IP, are there any expected issues when I am out of country that cannot be resolved till I get back to the VPN server?

I suggest you just try it out before you leave home. If you have a stable setup in your home it may just work well.

DHCP itself does not have problems.
