Unable to access OpenVPN server lan from remote Mango client

Hello everyone,

I have recently purchased a GL-MT300N-V2 (Mango) and I have started to configure everything.

My current setup (remote):

  1. Asus router with OpenVPN server configured (with DDNS)
  2. Windows desktop connected via cable to Asus router with RDP enabled

My current setup (home):

  1. Asus router (with DDNS)
  2. Laptop with OpenVPN client installed

I have imported the same .ovpn config file I have on home.laptop into the GL-MT300N-V2 (Mango) and I am able to connect to Asus.router.remote (successful connection, and I get the remote IP as the public IP on my home.laptop), but I am unable to connect to remote.desktop via RDP or access anything on the remote.router LAN.

I am able to run OpenVPN client from home.laptop and connect to remote.router and from there to my remote.desktop using RDP.
When I add Mango in the mix between my home.laptop and my home.router I can’t access my remote.desktop using RDP even if I can connect to remote.router VPN from Mango.

My Mango gets an internal LAN IP (via WAN port) from my home.router and my home.laptop gets a Mango internal IP (via LAN port).

OK route:
home.laptop (w. OpenVPN client + RDP) => home.router => remote.router (VPN server) => remote.desktop (RDP server)

Not OK route:
home.laptop (w. OpenVPN client + RDP) => Mango => home.router => remote.router (VPN server) => remote.desktop (RDP server)

Any ideas what I’m doing wrong?

When you add the router in between, you need to deal more with routing.

While I cannot give a simple guide, you can send me a config privately and I will try to solve it.

That would be great, thank you.

I have tried to message you, but as I’m a “trust level 0” user, sending messages to other users is not allowed so, when you can, please send me a PM.

In my example, my remote.router can be replaced with any private OpenVPN server or with a commercial OpenVPN server.

If you think it will help other users in future, we can go into full details and I can also make it clearer how my network(s) work by doing a diagram showing the internal IPs, etc.

Any suggestions are welcome.

The problem seems to be that the Mango’s internal LAN clients’ traffic (192.168.8.x) is not directed through the OpenVPN client (Mango router) into the OpenVPN server’s LAN network (10.8.0.x) so that I can connect via RDP to a desktop PC.

Laptop with OVPN Client (10.8.0.x) → OVPN Server (10.10.10.1 / 10.8.0.1) → desktop PC (10.10.10.20) (OK)
Laptop (192.168.8.x) → Mango with OVPN Client (192.168.8.1 / 10.8.0.10) → OVPN Server (10.10.10.1 / 10.8.0.1) → desktop PC (10.10.10.20) (not OK)

OVPN client config file (all is good on the Windows PC, but when I run the OpenVPN client on the Mango, I can’t connect via RDP):

remote site1.com 1411
float
nobind
proto udp
dev tun
sndbuf 0
rcvbuf 0
keepalive 15 60
comp-lzo adaptive
auth-user-pass
client
auth SHA512
cipher AES-256-CBC
ns-cert-type server
<ca>
-----BEGIN CERTIFICATE-----
MIIEOTCCAyGgAwIBAgIJAM2qDWjRw4T4MA0GCSqGSIb3DQEBBQUAMHAxCzAJBgNV
-----END CERTIFICATE-----
</ca>

<cert>
-----BEGIN CERTIFICATE-----
MIIEfzCCA2egAwIBAgIBAjANBgkqhkiG9w0BAQUFADBwMQswCQYDVQQGEwJUVzEL
-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN PRIVATE KEY-----
MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDakw9Vr0w3FIU4
-----END PRIVATE KEY-----
</key>

From Mango router:

  1. output from /config/network

root@GL-MT300N-V2:~# cat /etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd2b:973d:8580::/48'

config interface 'lan'
        option type 'bridge'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option hostname 'GL-MT300N-V2-322'
        option ipaddr '192.168.8.1'
        option proto 'static'
        option ifname 'eth0.1'

config interface 'wan'
        option proto 'dhcp'
        option hostname 'GL-MT300N-V2-322'
        option ipv6 '0'
        option metric '10'
        option ifname 'eth0.2'

config interface 'wan6'
        option ifname 'eth0.2'
        option proto 'dhcpv6'
        option disabled '1'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 6t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0 6t'

config interface 'guest'
        option ifname 'guest'
        option type 'bridge'
        option proto 'static'
        option ipaddr '192.168.9.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device 'wan_dev'
        option name 'eth0.2'
        option macaddr '94:83:c4:15:c3:22'

config device 'lan_dev'
        option name 'eth0.1'
        option macaddr '94:83:c4:15:c3:23'

root@GL-MT300N-V2:~#

  2. output from /config/firewall

root@GL-MT300N-V2:~# cat /etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option flow_offloading '0'
        option flow_offloading_hw '0'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option input 'DROP'

config forwarding
        option src 'lan'
        option dest 'wan'
        option enabled '0'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'
        option reload '1'

config include 'gls2s'
        option type 'script'
        option path '/var/etc/gls2s.include'
        option reload '1'

config include 'glfw'
        option type 'script'
        option path '/usr/bin/glfw.sh'
        option reload '1'

config include 'glqos'
        option type 'script'
        option path '/usr/sbin/glqos.sh'
        option reload '1'

config zone 'guestzone'
        option name 'guestzone'
        option network 'guest'
        option forward 'REJECT'
        option output 'ACCEPT'
        option input 'REJECT'

config forwarding 'guestzone_fwd'
        option src 'guestzone'
        option dest 'wan'
        option enabled '0'

config rule 'guestzone_dhcp'
        option name 'guestzone_DHCP'
        option src 'guestzone'
        option target 'ACCEPT'
        option proto 'udp'
        option dest_port '67-68'

config rule 'guestzone_dns'
        option name 'guestzone_DNS'
        option src 'guestzone'
        option target 'ACCEPT'
        option proto 'tcp udp'
        option dest_port '53'

config rule 'sambasharewan'
        option src 'wan'
        option dest_port '137 138 139 445'
        option dest_proto 'tcpudp'
        option target 'DROP'

config rule 'sambasharelan'
        option src 'lan'
        option dest_port '137 138 139 445'
        option dest_proto 'tcpudp'
        option target 'ACCEPT'

config zone 'vpn_zone'
        option name 'ovpn'
        option forward 'DROP'
        option output 'ACCEPT'
        option network 'ovpn'
        option masq '1'
        option mtu_fix '1'
        option masq6 '1'
        option device 'tun0'
        option input 'ACCEPT'

config forwarding 'forwarding_vpn1'
        option dest 'ovpn'
        option src 'lan'

config forwarding 'forwarding_guest_ovpn'
        option dest 'ovpn'
        option src 'guestzone'

config forwarding 'forwarding_lan_ovpn'
        option src 'ovpn'
        option dest 'lan'
        option enabled '1'

root@GL-MT300N-V2:~#

Can you confirm that the OpenVPN Client is running on the Mango (as in Post #4 - Mango with OVPN Client (192.168.8.1 / 10.8.0.10)), not on the Home Laptop (as in Post #1 - Not OK route: home.laptop (w. OpenVPN client + RDP))?

If so, then it may be because RDP is bidirectional. You can try Port Forwarding TCP 3389 (maybe also UDP 3389) on the Mango’s Firewall (10.10.10.1) to your Home Laptop (192.168.8.x).

I do not work for and I am not directly associated with GL.iNet

  1. What are the LAN ranges on the Asus routers? Do you have any other network connected to the OVPN server? Is there another 192.168.8.xx range in the mix?
  2. Out of curiosity, what are the Asus models?
  3. You shouldn’t have to bring port forwarding into the mix. I’m writing this over exactly what you want to do, but with a Beryl.

@wcs2228 & @elorimer thank you for looking at the problem I’m having. As I’m driving, I can’t properly answer yet, so I’ll attach the pictures below, which will answer your questions (at least partially).

Figure 1 - all is working as expected with the VPN client on my laptop; the laptop can ping other LAN machines.

Figure 2 - Mango running with the VPN client, laptop in the Mango’s LAN, RDP doesn’t work on the laptop. Also I’ve SSH’ed into the Mango and can’t ping other LAN machines.

Site1 router is an Asus AC87U
Home1 router is also Asus, but something like an AC3200 (I’ll check the model later)

I can see some problems here, although I’m not sure how your original setup is working, tbh.

You cannot–repeat cannot–have your remote LAN on 10.10.10.xx and your home LAN on the same net. Move one or the other to 10.10.something else.xx.

I think what is happening is that your desktop pc doesn’t have a valid route to reach back to the Mango on 10.10.10.242, because the 87U thinks that is local to its LAN, so it isn’t accepting the route the server tries to create.

Not sure why you are introducing the Mango into the mix rather than using the AC3200 OpenVPN client. The Mango is single core 580 MHz, while the 3200 is dual core 1 GHz, and even though OpenVPN can only use a single core, the 3200 is still going to be a lot faster.

My 87u is in the bin now because of heating problems. I invite you to have a look at the Merlin software (in this case, John’s fork).

@elorimer thanks for your reply.

Both routers were set up (originally) with no intention of running OpenVPN (hence the similar configuration). As time passed and requirements changed, I also added OpenVPN servers and clients (I double that with TeamViewer as a backup).

As changes to the configuration bring disruption, I try to avoid that as much as possible, hence only small changes were made (I already have static IPs, MAC whitelisting, etc.).

Also, I don’t have 24/7 physical access to site1.

I have recently started looking at Asuswrt (Merlin) and I am testing an AC68U on this firmware, but for a different need (upgrading my parents’ home network).

I wanted the Mango as it would prove extremely useful when travelling (hotels, cafe Wi-Fi, etc.). So having the Mango as a VPN client using only cable connectivity is valuable to me (the admin interface is password protected and I can enable VPN configuration only for my specific MAC address), so if I misplace my Mango unit I am still OK, security-wise.

Basically I want to have an encrypted tunnel from any location to a trusted network and run (for example) my company VPN client through that trusted tunnel (Mango to site1 or my home, etc.).

Once this is sorted, I will probably configure 2-3 more for different use cases (work, home, my parents).

I will also look to replace OpenVPN with WireGuard as it seems to be faster (various reports are suggesting that); I just need to find the time to test it for a few weeks.

I believe you are right and using the same internal network configuration on both routers is what is causing me the headaches. My assumption was that the VPN client (Mango) was on a 10.8.0.x IP while trying to connect to a 10.10.10.x machine (site1 LAN network).

Something like this:
192.168.8.50 (laptop) would connect to 192.168.8.1 (Mango, which has an internal home1 LAN IP 10.10.10.242 from the home1 router 10.10.10.1 - AC3200), be bridged to 10.8.0.6 (Mango VPN client) which is connected to 10.8.0.1 (site1 VPN server), which is bridged to 10.10.10.1 (site1 AC87U router), and be able to connect via RDP (or ping) to the 10.10.10.20 desktop PC.

I hope the above makes sense (at least a bit).

For the time being I don’t want site-to-site connectivity, but that’s something I will look at later.

PS: a big THANK YOU to the forum admin who enabled automatic draft message save.

I follow.

  1. If you don’t have access to site1, just change home1 to 10.10.11.xx. You do that by changing the LAN IP of the router, adjusting the DHCP range and each of your static reservations, and then rebooting that router. While you are at it, do something similar for the 68U.
  2. WireGuard is definitely faster, but it is not yet implemented by Asus (still in beta). But it is implemented via Entware on Merlin. One reason it is faster is that it can take advantage of both cores you have in the 3200, 87U and 68U. But bear in mind that you have a hard limit of the upload/download speeds of the ISPs involved.
  3. The OpenVPN server assigns an IP, usually 10.8.0.xx, to each client that is connected to it, but the client itself doesn’t know that. You have to be mindful that no other network in the mix has that subnet. OpenVPN uses that IP for its internal bridging.
  4. After you change the LAN IP of home1, the Mango should just work. That is a reasonable test for how the Mango will work on the road. To recap:

Laptop 192.168.8.50 (this doesn’t need to be static) connects to 192.168.8.1 either wireless or via a LAN port. The Mango gets a WAN address of 10.10.11.242 from the home1 router (this doesn’t need to be static either). The home1 router doesn’t need DDNS for this, but it is free from Asus, so why not. The Mango connects to the WAN side of the 87U, which does need a DDNS address, and is given a 10.8.0.x address (doesn’t matter what) which is bridged to the 10.10.10.xx LAN network of the 87U. The desktop remains at fixed 10.10.10.20, and the RDP client on the laptop connects to the desktop at that address (no port forwarding).

  1. It is a good point you make about physical security of the Mango. It is a reason for having password authentication on top of certificates, and not allowing the Mango to save the password.
  2. I don’t think you need different Mangos for different purposes (work, home, parents). You just need different config files. You need different Mangos for different people to use at the same time.
  3. I think you would find it helpful to set up the OpenVPN server on the 68U so you can fool with your parents’ network remotely.

Entirely off point, but be very careful if you mean to spoof your location and the company vpn restrictions. There are a lot of reasons why that is a summary firing offence, violation of the EU SCCs being one of them.
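To make the overlapping-subnet diagnosis and the renumbering fix above concrete, here is an added example (not from the thread, GL.iNet or Asus) that models the networks named in the posts with Python's ipaddress module: it lists which site networks collide, and shows that the Mango holds two equally specific routes for 10.10.10.20 while home1 is also 10.10.10.0/24, but only the tun0 route once home1 moves to 10.10.11.0/24. Interface names follow the Mango's /etc/config/network; the route list is a constructed approximation, not a dump from the device, and no default route is modelled.

```python
import ipaddress


def site_networks(home1_lan):
    """Constructed model of the addressing described in the thread: the Mango's
    own LAN and guest nets, the home1 LAN it gets its WAN lease from, the OpenVPN
    transit net, and the site1 LAN the server makes reachable through tun0."""
    return {
        "mango_lan": ipaddress.ip_network("192.168.8.0/24"),
        "mango_guest": ipaddress.ip_network("192.168.9.0/24"),
        "home1_lan": ipaddress.ip_network(home1_lan),
        "ovpn_transit": ipaddress.ip_network("10.8.0.0/24"),
        "site1_lan": ipaddress.ip_network("10.10.10.0/24"),
    }


def overlapping_pairs(nets):
    """Every pair of named networks that share addresses. Anything listed here
    makes the design ambiguous before routing or firewalling is considered."""
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def mango_routes(nets):
    """Approximation of the Mango's route table: one connected route per attached
    network plus the site1 LAN route the OpenVPN server pushes on connect."""
    return [
        (nets["mango_lan"], "br-lan"),
        (nets["mango_guest"], "br-guest"),
        (nets["home1_lan"], "eth0.2"),   # WAN lease from the home1 router
        (nets["ovpn_transit"], "tun0"),
        (nets["site1_lan"], "tun0"),     # pushed route for the remote LAN
    ]


def best_routes(routes, dst):
    """Longest-prefix match that keeps every route tied at the longest prefix;
    more than one result means the addressing alone cannot decide the egress."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        return []
    longest = max(r[0].prefixlen for r in matches)
    return [r for r in matches if r[0].prefixlen == longest]


def egress_for(home1_lan, dst="10.10.10.20"):
    """Sorted list of interfaces the Mango could send traffic for dst out of."""
    nets = site_networks(home1_lan)
    return sorted({dev for _, dev in best_routes(mango_routes(nets), dst)})


if __name__ == "__main__":
    for lan in ("10.10.10.0/24", "10.10.11.0/24"):
        print(lan, overlapping_pairs(site_networks(lan)), egress_for(lan))
```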