Setting up OpenVPN to Netgear R7000 on MT300N-V2

I have a new Mango MT300N-V2 Router.

I am trying to set up a bridge to my home router (A Netgear R7000 Nighthawk router)

Both routers are patched to the latest firmware versions (as of today)

The Netgear router has an option to download the necessary config files for the client as separate ovpn and key files. I have converted these to the “inline” version needed for upload to the Mango.

THIS OVPN FILE WORKS PERFECTLY WHEN CONNECTING FROM THE WINDOWS OPENVPN CLIENT,

However when I upload it into the Mango it fails giving me the following error message:

OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options

I have searched here and the internet and although this is the common error, none of the solutions I have found work. I wish this to be a TAP connection as I need everything to go over the bridge to home (I have the bandwidth in both directions with my ISP).

Has anyone solved this ?

Points to bear in mind:

I can’t/don’t know how to add commands/configs to the Netgear “server” config file
I’m very much a novice at this so need exact instructions as I often don’t really understand what I’m doing

Mango IP range is 192.168.8.x / Gateway 192.168.8.1

Netgear IP Range is 192.168.1.y / Gateway 192.168.1.1

My CLIENT config file (which I can edit) is as follows:

client
dev tap
proto udp
remote [[my public ip ]] 12974
resolv-retry infinite
nobind
persist-key
persist-tun
ca [inline]
cert [inline]
key [inline]

cipher AES-128-CBC
comp-lzo
verb 5

Which is basically the default from the Netgear config files…

What do I need to add to fix this?

PS I found this thread:

GL.iNet 750S Slate Router OpenVPN ‘TAP’ client to Netgear NightHawk OpenVPN server - Technical Support - GL.iNet (gl-inet.com)

and added this:

client
dev tap
proto udp
remote [[mypublicip]] 12974

auth-nocache
route-gateway 192.168.1.1
ifconfig 192.168.1.1 255.255.255.0

resolv-retry infinite
nobind
persist-key
persist-tun
ca [inline]
cert [inline]
key [inline]

cipher AES-128-CBC
comp-lzo
verb 5

With only a minor change in response - now I get “can’t find DNS” or something similar

I connect my Mango to my Asus home router all the time, but I have no experience with Netgear so I’m going to leave you grinding your teeth in frustration with me.

  1. TAP is a pain. I’ve only ever found it necessary trying to bonjour between Tivos, which for legal reasons try to stay on the same physical network. TUN is vastly easier and unless you really need TAP, avoid it. That was a really good post you found, and shows the hoops you have to jump through. It will be dead soon anyway.
  2. Having the Netgear LAN be on 192.168.1.0/24 is a recipe for problems, because it is so often a default subnet (so is 0.0). Among other things, your Mango is going to connect to something else (another router or a modem), and pass along to something your Netgear is connected to, and if there is another 1.0/24 in the mix there is a chance you will get sidetracked. So it would be a good idea, for starters, to move it to 50.0/24 or something similar.
  3. Now, the Netgear router has an address of 192.168.1.1. With your ifconfig statement, you’ve given the Mango that address, and you’ve specified that as the gateway for the route. So, what’s the Mango to do? I think this is why the Mango can’t even find a DNS. Try giving the Mango an address that is not 1.1, and not within the Netgear’s DHCP range (to avoid duplicates). Notice in that post you linked to 0.254 was chosen for that reason.
  4. Netgear routers seem to be really locked down and don’t allow a lot of flexibility on the server side. The post you linked to seemed to be able to add routes on top of Openvpn that worked. You might have better luck going the other way, with the Mango as server, since you have a lot more flexibility.

Pls use “dev tun” not “dev tap” which will cause the router try to build bridge.

Pls post Netgear openvpn config UI screenshot.

Is there any ovpn export for Linux or smartphone?

Ernest, Many, many thanks for such a full response - I really hope you don’t mind these follow on questions - as I said this is way out of my comfort zone. I just about understand the basics.

People keep saying that to me - I don’t mind what I use providing all traffic goes through my home router - i need everything to appear as if it is coming from home even while traveling. I was told the only way to achieve that was using TAP

OK - I moved the Netgear router to 192.168.39.0/24 and the Mango to 192.168.83.0/24
Gateways left at 192.168.ZZ.1 in both cases

OK - I modified it to this (and TUN)

auth-nocache
route-gateway 192.168.39.1
ifconfig 192.168.39.254 255.255.255.0

Have I got that right ? Probably not as it still didn’t connect…

(How do I access the full connection log on the Mango ? )

Yes, they are locked down. Other than a couple of radio buttons there’s almost no configurability. (see screen shot in my reply to @alzhao below) I’m hoping to not have to change my main router just yet.

Once again - thank you for your time

Sort of the case, but not really. You can basically think of TAP as layer 2 and TUN as layer 3. In other words, using TAP will make it like you are literally physically plugged into the network switch on the remote end (and will send a lot of additional stuff across the line) whereas TUN will route outbound traffic to the other side. TUN will be indistinguishable from TAP once you are on the WAN side of the VPN server.

As elorimer said, for most practical purposes using a TUN network is what you want. The only exception is if you need things like multicast to traverse the VPN, which you almost never do.


I have now tried both TAP and TUN configurations - sometimes I get an apparent connection via the Mango - but I can’t ping anything (local network or internet) and tracert to, say, 8.8.8.8 fails at the first hop

here goes

Yes - I am using the “non-windows” one as the basis for my ovpn file. The smartphone one just uses TUN instead of TAP

Here’s my full OVPN (with sensitive stuff removed)

(Apologies, I had to use .# as # alone seems to create bold text)

client
dev tun
remote [mypublicip] 12973

.# dev tap
.# remote [mypublicip] 12974

proto udp

.# Are these correct ?
.# Mango IP range is 192.168.83.0/24 DHCP Scope is 2-199
.# Netgear IP range is 192.168.39.0/24 DHCP Scope is 2-199

auth-nocache
route-gateway 192.168.39.1
ifconfig 192.168.39.254 255.255.255.0

.# mentioned somewhere to try this
.# dhcp-option DNS 192.168.39.254

resolv-retry infinite
nobind
persist-key
persist-tun
ca [inline]
cert [inline]
key [inline]
.# tls-auth [inline] 1
cipher AES-128-CBC
comp-lzo
verb 5
route-noexec

-----BEGIN CERTIFICATE-----

Data removed for security

-----END CERTIFICATE-----

Certificate: Data:
    Data removed for security

-----BEGIN CERTIFICATE-----

Data removed for security

-----END CERTIFICATE-----

-----BEGIN PRIVATE KEY-----

Data removed for security

-----END PRIVATE KEY-----

.# Following data not available
.# < tls-auth>
.# -----BEGIN OpenVPN Static key V1-----
.# # insert ta.key
.# -----END OpenVPN Static key V1-----
.#

Instead of doing this, try:

redirect-gateway def1

Also strip out the verb 5 and route-noexec at the end.


OK - with this config,

client
dev tun
remote [[MyPublicIP]] 12973

.# dev tap
.# remote [[MyPublicIP]] 12974

proto udp

.# Are these correct ?
auth-nocache
redirect-gateway def1

.# route-gateway 192.168.39.1
.# ifconfig 192.168.39.254 255.255.255.0

.# mentioned somewhere to try this
.# dhcp-option DNS 192.168.39.254

resolv-retry infinite
nobind
persist-key
persist-tun
ca [inline]
cert [inline]
key [inline]
.# tls-auth [inline] 1
cipher AES-128-CBC
comp-lzo
.# verb 5
.# route-noexec

[[The rest is cut]]

I got this response (Log stopped scrolling at this point)

The highlighted line intrigued me as it seems to reference an IP address of 192.168.254.2 - where did that come from ??

tbh I have not been following this entire thread closely, but generally speaking OpenVPN (in subnet mode) will assign an address to the client in a particular range. So in this case, my assumption would be that 192.168.254.0/24 is the subnet range for the ovpn server, and the server assigned you the first client address (192.168.254.1 would likely be the server endpoint, 192.168.254.2 would be the first client, 192.168.254.3 the second, and so on).

Can you ping 192.168.254.1, and / or does everything basically work now? (your end goal is to have a “what is my IP” google search show your home IP, basically, right?)


My apologies @jdub I forgot to thank you for jumping in, it is much appreciated.

I’ll stick with TUN from now on - I’m not sure if I need multicast stuff or not. One of the things I want to do is access UK only TV streaming services (as well as access my doctors online services and supermarket order line - all of which fail with the popular public VPNs)

In my haste I missed this:

Yes, you are correct my end goal is for “WhatsMyIP” to show up as my public IP address.

As to what I can ping (From my Windows 11 PC) - I hope this helps. 192.168.254.1 and .3 ; 192.168.39.1.1 (Gateway on my Netgear) but nothing else on the 192.168.39.x subnet

can you

tracert 8.8.8.8

Wow, I can!

Some of the ping times are a bit long but it seems to be working

and when I google whatsmyip I get my public IP address!

Many Many Thanks


I’m glad you made progress. I think you can go back and simplify some stuff now.

First, as jdub said, TAP makes it seem to all the devices on your LAN that your remote device is sitting on the LAN. It uses an IP address on the same LAN, and all the networking traffic that goes to all the devices on the LAN goes over the tunnel and vice versa, so it is really noisy, and you have to be really careful in how the addressing is done. TUN, on the other hand, routes the traffic going to and from your remote device over the tunnel.

Now, because you have set that radio button to ‘both internet and LAN’, the server pushes a route to the LAN (so that the Mango knows to route x.x.39.0/24 traffic over the tunnel) and it also pushes a change to the default gateway to the Mango. While the tunnel is up, if the Mango wants to reach something that is not on its local LAN or your home LAN, it sends that traffic to the Netgear router. The Netgear router knows to send that traffic out to the internet (but not over the tunnel), in exactly the same way it sends any other traffic out to the internet. So, as far as the internet is concerned, all the traffic is coming from the Netgear router and your public IP.

All of this is exactly the same if you were connecting to a public VPN service. The difference is that for folks that have an interest in where the traffic is coming from, you can look up the IP address of where the traffic is coming from to see if it belongs to a public VPN service. That is trivially easy. Because of licensing restrictions, streaming services pay attention to that; people use a VPN service to geolocate themselves in a region they aren’t really in, so if the streaming service sees that the traffic is from a public VPN service they deny the service. Interesting that your doctor and supermarket do the same, probably some package the ISP provides.

Now, in terms of simplifying. If TUN will work for you, you might try exporting a plain vanilla configuration from the Netgear, because you don’t need the ifconfig statement or the route-gateway statement. As @jdub said, those get replaced by the redirect-gateway def1 statement. More particularly, you might try the smartphone config: that specifies TUN because TAP requires root access to the phone.

Not having a Netgear router myself, but instead Asus routers, some of the syntax which you have properly obscured remains a bit obscure to me. Inline certificates don’t appear quite like you have them, and I thought Netgear included the certificates as files in the .zip. But that must not be a problem you have if a connection is being made.


This turned into a pretty long thread and thanks are due to @elorimer @jdub and @alzhao for their help.

To close this out and hopefully summarise the output:

On the Netgear this is my VPN config page:

I downloaded the “non-windows” configuration files and extracted the contents of the nonwindows.zip file to a new directory.

I then created the following OVPN File

======

client
dev tun
remote [mypublicip] 12973

proto udp

# MY Mango IP range is 192.168.83.0/24 DHCP Scope is 2-199
# MY Netgear IP range is 192.168.39.0/24 DHCP Scope is 2-199
# Use your own - but try to make sure neither router uses 192.168.0.1 or 192.168.1.1

auth-nocache
redirect-gateway def1

resolv-retry infinite
nobind
persist-key
persist-tun
ca       [inline]
cert     [inline]
key      [inline]

cipher AES-128-CBC
comp-lzo

# The following is data to be found in the client.key , ca.crt , client.crt files downloaded from the VPN page in the Netgear router.  
# Copy paste all the data.  You can open them with any text editor (e.g. Notepad)

<ca>
-----BEGIN CERTIFICATE-----

Data removed for security

-----END CERTIFICATE-----
</ca>

<cert>
Certificate:
    Data:

        Data removed for security

-----BEGIN CERTIFICATE-----

Data removed for security

-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN PRIVATE KEY-----

Data removed for security

-----END PRIVATE KEY-----
</key>

=====

Copy the above text into a text editor (such as Notepad on windows) and save it in the Directory with the key files as mango.ovpn (it’s not special - I just did it for convenience).

Obviously, the stuff I have removed for security reasons will need to be YOUR data from your key files.

Then go to the OpenVPN Client page in the Mango router and click on the “management” tab.


and click on the “Add a New OpenVPN Configuration” bar - drag the mango.ovpn file from above into the box.

DON’T FORGET to add a description in the box and hit submit.

The configuration you have just created should now be available on the status tab. Select it and hit connect. - hopefully it will now work.

Good Luck

Feedback/correction/improvements should be added here to help the next person in line!
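As an added example (not code from the thread, GL.iNet or Netgear): a small Python script that assembles the single-file mango.ovpn described above from the files in nonwindows.zip, keeping only the PEM block of client.crt (Netgear prefixes it with a textual “Certificate: Data:” dump), and that flags the client-side mistakes this thread ran into before settling on dev tun plus redirect-gateway def1. The remote address 203.0.113.10 and the certificate contents are constructed placeholders.

```python
import re

# Directives from the configuration that finally worked in the thread
# (dev tun plus redirect-gateway def1, no ifconfig/route-gateway lines).
CLIENT_DIRECTIVES = (
    "client\ndev tun\nproto udp\nremote {remote} {port}\n"
    "auth-nocache\nredirect-gateway def1\nresolv-retry infinite\nnobind\n"
    "persist-key\npersist-tun\ncipher AES-128-CBC\ncomp-lzo\n"
)
PEM_RE = re.compile(r"-----BEGIN [A-Z ]+-----.*?-----END [A-Z ]+-----", re.S)


def extract_pem(text):
    """Keep only the PEM block; Netgear's client.crt starts with a textual
    'Certificate: Data:' dump that must not be pasted into the .ovpn."""
    match = PEM_RE.search(text)
    if not match:
        raise ValueError("no PEM block found")
    return match.group(0)


def build_inline_ovpn(remote, port, ca_text, cert_text, key_text):
    """Assemble a one-file client config with <ca>/<cert>/<key> blocks."""
    body = CLIENT_DIRECTIVES.format(remote=remote, port=port)
    for tag, text in (("ca", ca_text), ("cert", cert_text), ("key", key_text)):
        body += f"<{tag}>\n{extract_pem(text)}\n</{tag}>\n"
    return body


def check_config(text):
    """Flag the two client-side pitfalls from the thread: dev tap with no
    gateway for pushed routes, and ifconfig set to the gateway's own address."""
    directives, in_block = {}, False
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("<"):            # skip inline certificate blocks
            in_block = not line.startswith("</")
            continue
        if in_block or not line or line.startswith("#"):
            continue
        words = line.split()
        directives[words[0]] = words[1:]
    warnings = []
    if directives.get("dev") == ["tap"] and not (
            "route-gateway" in directives or "ifconfig" in directives):
        warnings.append("dev tap without route-gateway/ifconfig: pushed routes have no gateway")
    if ("ifconfig" in directives and "route-gateway" in directives
            and directives["ifconfig"][0] == directives["route-gateway"][0]):
        warnings.append("ifconfig address equals the route-gateway address")
    return warnings


# Constructed sample files (not real key material) laid out like Netgear's export.
SAMPLE_CA = "-----BEGIN CERTIFICATE-----\nMIIBfake\n-----END CERTIFICATE-----\n"
SAMPLE_CERT = "Certificate:\n    Data:\n        Version: 3\n" + SAMPLE_CA
SAMPLE_KEY = "-----BEGIN PRIVATE KEY-----\nMIIEfake\n-----END PRIVATE KEY-----\n"
```

Run check_config on an exported client config before uploading it to the Mango; an empty list means neither of the thread's two mistakes is present.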

I think you can just drag in the .zip file without messing with the certificates separately; the Gl-iNet interface is smart enough to put them in the right places. I don’t think you need the ca, etc. inline statements if the certificates are there with the delimiters. At least my config files don’t.

Now, just for fun, it may still be possible to do some magic even with the Netgear. With a travel router, in some cases you want your internet traffic to go over the tunnel through the home router. Geolocating for one example, or sitting at a starbucks for another. In other cases, you don’t want folks connected to the Mango to reach your LAN. And in other cases, you want to reach the LAN, but you don’t want the internet traffic to go through the tunnel (with all the encryption, etc., it is very much slower). With the Netgear, you don’t have much control on the server side, because those radio buttons set the behavior in stone as far as the Netgear is concerned. But it sets the behavior by pushing settings to the Mango. You can change the client config in the Mango to ignore the default gateway setting, for example, to do the split tunneling with internet traffic going out full speed. So if you have two configurations loaded, you can pick the full tunnel or the split tunnel dynamically.

I’ve written this up for Asus/Merlin routers, and also how to configure Chromebooks. Most of the writeup won’t apply to the Netgear. VPN instructions for a newbie | SmallNetBuilder Forums


Thanks again Ernest, @elorimer . I’ll play another day… My head is hurting right now.

Thanks for the tip about the zip file. The risk is that the “standard” config files will not address the issues we found here - in the “non-windows” zip there is a default client2.conf file which doesn’t work!

Yes, that you can edit with a text editor and reinsert into the zip file. Then save the zip file someplace easy (but safe!) to reupload whenever you need to fiddle with the configuration.

I understand that, however having spent days on this (and months on a previous occasion with another router) I wanted to provide simple instructions that even I could understand!!!

The details/variations can come later