Open VPN between gl.inet gl-ar750s-ext Slate and Asus RT-AC68U

Hi Guys

Looking for some guidance. I’m new to these mini routers and they look like a great bit of kit. I’m trying to establish a connection from a boat to home via openvpn.

I have the gl.inet gl-ar750s-ext on the boat connected via the WAN port to a Netgear LB2120 modem (LTE). The connection is using CG-NAT so I have no way of accessing the boat's systems directly… so this is why I have gone with a router capable of being an OpenVPN client…

At home I have the AC68u sitting behind a vdsl modem - static IP address and the AC68u is running 2 instances of OpenVPN server one TUN and one TAP…

I have exported the config files and imported them into the gl.inet gl-ar750s-ext… the TAP one basically stops access to the router, the wifi loses its internet connection and nothing works.

The TUN profile sometimes works, can browse the network at the server end (home), has no internet for the local wifi connection and I cannot get to the gl.inet gl-ar750s-ext’s network from the server (home) end…

Has anyone got any hints or tips, or can point me in the right direction? I'm pulling my hair out with it!

Steve

Except for the uncommon bits (boat, LTE modem), this is a common use scenario and should work.

Three suggestions for you. First, I would put Merlin software on the 68U (I suspect you might have already). Second, I would point you to the snb forums for both VPN and Merlin. There is a lot of help there. Third, I find TAP really hard and particularly if you have limited data plan all that L2 traffic is a burden. I’d focus on TUN.

It sounds like you almost have it working except for setting up a route from your home lan to the slate lan.

I agree it should work and the tun profile works fine on my phone, just not on the router (slate)… hence me trying tap which seems even harder…

My end goal is to have the slate auto connect to the home network, but only for LAN access, and access the Raspberry Pi I have on the boat so I can SSH into it if needed… there is also a possibility of an IP cam too. We have a 250GB plan so data should not be an issue…

The main issue I seem to have is accessing home to slate when connected, and anything that is connected to the slate via wifi loses internet… which isn't helpful. I didn't want to use the VPN for internet access for the local devices on the boat via the slate.

Hope that makes sense?

I've done a heap of searching and really not come up with much but will ask on the SNB forums… oh and yes, running latest Merlin.

Steve

Unless you have something that needs L2 access, my advice is forget about TAP.

There is a good explanation of what is going on here: https://openvpn.net/vpn-server-resources/reach-openvpn-clients-directly-from-a-private-network/.

  1. Be mindful of the subnets you are traversing. You have one net that is the LAN side of the 68U. You have another net that is the WAN side of the 68U and the LAN side of your home modem. A third net is the LAN side of your LTE modem. A fourth is the LAN side of your Slate. They all need to be different. Be mindful also of the subnet of the OpenVPN server, which is usually 10.0.8.x or 10.0.16.x depending on which server you are connected to. Those should be unique too.
  2. For the lan side of the Slate, when connected, you want the 68U to push to the Slate LAN a route to the server’s LAN, but not push access to the Internet over the tunnel (which means, pushing the default gateway). In Merlin that is the setting in the GUI that is “LAN only” rather than “Internet only” or “both”. If LAN devices connected to the Slate are losing internet, it may be because the default gateway is being changed.

On the SNB forums, pay attention to everything eibgrad says about this. He's posted dozens of times on routing over the tunnel site to site.

Yes, this setting is LAN only… as I mentioned the profile works fine on my phone (I can't prove the return back to the client) but I definitely have internet and LAN access via the phone…

I’m just waiting for registration on SNB so will post on there also…

I have tried a number of things and nothing seems to make the slate connect to the LAN and still keep internet… there seem to be a few similar issues with these modems too…

I'm very unfamiliar with this kind of thing so just finding my way… but just assume I'm a dummy as a general rule…

Steve

If the slate connects to your 68U and you can browse the LAN, but the devices connected to the slate can’t access the internet, then it might be your default gateway is being changed. Look at the client configuration and make sure it doesn’t have something like “redirect-gateway def1”, and look at the server configuration and make sure it doesn’t have something like “push redirect-gateway”. You can find the server configuration at /tmp/etc/openvpn/server1 or /tmp/etc/openvpn/server2.
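The two checks suggested in this thread (no redirect-gateway on either side, and no subnet collisions between the server pool, the pushed home LAN and the hops in between) can be scripted. This is an added example, not code from the thread, GL.iNet or Merlin; the client/server samples are modelled on the files posted below with the certificate and real address left out, and the two modem LANs are constructed values.

```python
import ipaddress
import shlex

# Constructed samples modelled on the thread's client/server files (certificate and real
# remote address left out). We look for redirect-gateway and for subnet collisions.
CLIENT_CFG = "client\ndev tun\nremote vpn.example.invalid 1194\nremote-cert-tls server\n"
SERVER_CFG = """
topology subnet
server 10.16.0.0 255.255.255.0
push "route 192.168.0.0 255.255.255.0 vpn_gateway 500"
push "dhcp-option DNS 192.168.0.1"
# push "redirect-gateway def1"   <- commented out, so the parser must ignore it
"""
# The other hops from the checklist; both modem LANs are constructed, and the LTE one
# is deliberately set to collide with the home LAN that the server pushes.
SITE_NETS = [("LTE modem LAN", "192.168.0.0/24"),
             ("home modem LAN / 68U WAN", "192.168.1.0/24"), ("Slate LAN", "192.168.8.0/24")]

def parse_ovpn(text):
    """(directive, args) tuples; push "..." is unwrapped so the pushed directive is visible."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line)
        if parts[0] == "push" and len(parts) == 2:
            parts = ["push"] + shlex.split(parts[1])
        entries.append((parts[0], tuple(parts[1:])))
    return entries

def gateway_redirects(client, server):
    """Directives that would move the Slate's default route into the tunnel."""
    hits = [f"client: redirect-gateway {' '.join(a)}" for d, a in client if d == "redirect-gateway"]
    return hits + [f"server: push redirect-gateway {' '.join(a[1:])}" for d, a in server
                   if d == "push" and a and a[0] == "redirect-gateway"]

def tunnel_subnets(server):
    """(label, cidr) for the server pool and every pushed route, normalised to prefix form."""
    nets = []
    for d, a in server:
        if d == "server" and len(a) >= 2:
            nets.append(("OpenVPN server pool", str(ipaddress.ip_network(f"{a[0]}/{a[1]}"))))
        elif d == "push" and len(a) >= 3 and a[0] == "route":
            nets.append(("pushed route (home LAN)", str(ipaddress.ip_network(f"{a[1]}/{a[2]}"))))
    return nets

def overlapping(labelled):
    """Pairs of hops whose subnets collide; the checklist wants every hop to be unique."""
    nets = [(lb, ipaddress.ip_network(c)) for lb, c in labelled]
    return [(x, y) for i, (x, a) in enumerate(nets) for y, b in nets[i + 1:] if a.overlaps(b)]
```

Run `overlapping(tunnel_subnets(parse_ovpn(SERVER_CFG)) + SITE_NETS)` against your own values; an empty list for both checks is what you want before digging into firewall rules.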

Thanks again for your continued guidance… so SSH into router…

OK so client ovpn file is…
client
dev tun
proto udp
remote 202.90.246.193 1194
resolv-retry infinite
nobind
float
ncp-ciphers AES-128-GCM:AES-256-GCM:AES-128-CBC:AES-256-CBC
comp-lzo adaptive
keepalive 15 60
auth-user-pass
remote-cert-tls server

-----BEGIN CERTIFICATE-----

Server is…
daemon ovpn-server2
topology subnet
server 10.16.0.0 255.255.255.0
proto udp
multihome
port 1194
dev tun22
txqueuelen 1000
data-ciphers AES-128-GCM:AES-256-GCM:AES-128-CBC:AES-256-CBC
comp-lzo adaptive
keepalive 15 60
verb 3
push "route 192.168.0.0 255.255.255.0 vpn_gateway 500"
duplicate-cn
push "dhcp-option DNS 192.168.0.1"
plugin /usr/lib/openvpn-plugin-auth-pam.so openvpn
ca ca.crt
dh dh.pem
cert server.crt
key server.key
script-security 2
up 'ovpn-up 2 server'
down 'ovpn-down 2 server'
status-version 2
status status 5

# Custom Configuration
sndbuf 524288
rcvbuf 524288
push "sndbuf 524288"
push "rcvbuf 524288"

I don't see anything there…

Screen shots of Asus

And Finally the log from the router as the VPN connects

Jul 5 19:23:33 ovpn-server2[19849]: client/120.16.87.159:1379 MULTI_sva: pool returned IPv4=10.16.0.2, IPv6=(Not enabled)
Jul 5 19:23:33 ovpn-server2[19849]: client/120.16.87.159:1379 MULTI: Learn: 10.16.0.2 → client/120.16.87.159:1379
Jul 5 19:23:33 ovpn-server2[19849]: client/120.16.87.159:1379 MULTI: primary virtual IP for client/120.16.87.159:1379: 10.16.0.2
Jul 5 19:23:33 ovpn-server2[19849]: client/120.16.87.159:1379 Data Channel: using negotiated cipher 'AES-128-GCM'
Jul 5 19:23:33 ovpn-server2[19849]: client/120.16.87.159:1379 Outgoing Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
Jul 5 19:23:33 ovpn-server2[19849]: client/120.16.87.159:1379 Incoming Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
Jul 5 19:23:33 ovpn-server2[19849]: client/120.16.87.159:1379 SENT CONTROL [client]: 'PUSH_REPLY,route 192.168.0.0 255.255.255.0 vpn_gateway 500,dhcp-option DNS 192.168.0.1,sndbuf 524288,rcvbuf 524288,route-gateway 10.16.0.1,topology subnet,ping 15,ping-restart 60,ifconfig 10.16.0.2 255.255.255.0,peer-id 0,cipher AES-128-GCM' (status=1)

Okay, so it isn’t redirecting the gateway. Scratch that idea.

You might try changing your LAN addresses off 192.168.0.x. That’s pretty common. It could be your tunnel is encountering that subnet in its travels. Asus seems to have migrated to 192.168.50.x, and the Slate is on 192.168.8.x.

Two other things, entirely off point: you might sanitize your post to delete your public IP, and if it might change, use your Asus DDNS address instead. Also, compression is now considered a security risk and it is better to have it "Disabled" on both sides.

Thanks again…

Re sanitation of the IP address: it's the address of the LTE connection so I believe it's almost impossible to get from outside to any device… (my reason for doing this is that I'm too dumb to run a VPN on the Raspberry Pi running Victron's software). It's also just a test setup so no access to anything :slightly_smiling_face:

I might give the change of IP a go, however I have all IPs reserved for stuff on the home LAN and something like 40 devices, so it may take a bit of time! I have recently done it too so it didn't clash with my home to work VPN…

I also note a new beta Merlin with overhauled OpenVPN… so may try that too!

Steve

The new beta Merlin has only changed the client side of things, managing devices connecting to VPN providers, not the server side of things. It may be of use to you for your home to work VPN though.

If you want to access your boat, you can bind your AR750s to GoodCloud and you have access to it via SSH.

If you want to build Site-2-Site network you can refer to Site-to-Site Network - GL.iNet