You can setup two VPN server configuration. We will now setup the Server 1 configuration
The OpenVPN is an open multiplatform VPN solution, which allowing variety of configuration. The standard use-case is client2network setup, allowing the remote client to “dial-in” into network. Other scenario is site2site configuration, allowing seamless communication of each network device across both sites.
I have two Asus RT-AC66U_B1 running Asuswrt-Merlin firmware version 384.9 with following network configuration:
The setup consists of two steps:
Flip Enable OpenVPN Server switch to ON position (will change to green)
You are now in General settings section.
Tick the LAN only radio button
Add some user/password in the table below by entering username and password into text fields and click on the plus button
Then hit Apply, this will take some time
Select Advanced Settings option in VPN Details dropdown box
Set following parameters to:
Interface Type: TUN (routed networks)
Protocol: TCP (do not try UDP, will not work afterwards wit site2site modifications!)
Username/Password Authentication: Yes (for now, we will use simple authentication, reconfiguration for use of cert logins will be discussed in another article)
VPN Subnet/Netmask: is irrelevant, leave the default one
Advertise DNS to clients: No
Compression: Disable (enabling has for sure impact to router utilization and transfer speed – not tested yet)
At Manage Client-Specific Options select Yes – you will get additional input fields
Select Yes at the Allow Client <-> Client option
In the Custom Configuration enter following recommended parameter
reneg-sec 432000
Hit the Apply button – will take some time.
If everything is fine (no fatalities), you should get the General VPN Details page and the Enable OpenVPN Server should be in ON position and green.
Now, you have some new buttons available, hit the first Export button (Export OpenVPN configuration file) – one file named “client1.ovpn” will be downloaded
Open the file as text file and check the first lines: for tun, tcp-client options and the correct DDNS name of the server-side router
client
dev tun
proto tcp-client
remote myprimarysite.asuscomm.com 1194
Configure client side router
Log on to the client-side router (192.168.33.1)
Select VPN from the left-hand menu and click on VPN Client tab and click on OpenVPN switch
Click on Choose File button on Import .ovpn file option, select the previously downloaded “client1.ovpn” file and hit Upload.
Set Automatic start at boot time to Yes
Check the lines Interface Type, Protocol and Sever Address for correct values
Ensure the Username/Password Authentication is Yes
Enter the username and password set on the server-side router
Scroll down to Advanced Settings
Check that Verify Server certificate is set to No
The directives in Custom Configuration are imported from “client1.ovpn” file – don’t touch them
Hit Apply button – takes again some time
Flip the Service state switch to ONIf anything is fine (no fatalities), the Service state switch should be green with yellow Connected message.
At this moment any network device should be able to ping/connect to any network device on the server-side network.
The basic setup for client2network setup or “dial-in” setup if finished, let’s go one step beyond and configure the “return direction”
Modify the connection to site2site setup
Configure server side router
Log on to the server-side router (192.168.22.1)
Select Administration from the left-hand menu and click on System tab
Enable the SSH access as shown:
Check the JFFS2 section
If the config is like shown, no action is needed, otherwise set both parameters to Yes and reboot the server
Use some SSH client (like puTTy – can be downloaded here: https://www.chiark.greenend.org.uk/~sgtatham/putty/) and log in into router
Run following commands to create directory for OpenVPN client specific configuration
(please note: the “ccd1” folder is for Server1 and if you want to use Server2, you need directory “ccd2”)
root@RT-AC66U_B1-5668:/temp/home/root# cd /jffs/configs
root@RT-AC66U_B1-5668:/jffs/configs#
root@RT-AC66U_B1-5668:/jffs/configs# mkdir openvpn
root@RT-AC66U_B1-5668:/jffs/configs# cd openvpn
root@RT-AC66U_B1-5668:/jffs/configs/openvpn# mkdir ccd1
root@RT-AC66U_B1-5668:/jffs/configs/openvpn# cd ccd1
root@RT-AC66U_B1-5668:/jffs/configs/openvpn/ccd1#
Using vi create file called as the entered username, in this case “Remote1”
root@RT-AC66U_B1-5668:/jffs/configs/openvpn/ccd1# vi Remote1
And enter following line, which tells the server-side router that some network exists:
iroute 192.168.33.0 255.255.255.0
Save the file (enter “:wq” command)
Close puTTy and log into router’s web interface
Select VPN from the left-hand menu and click on VPN Server tab
Go to Advanced Settings
Change the content of Custom Configuration to following:
reneg-sec 432000
username-as-common-name
push "route 192.168.22.0 255.255.255.0"
client-config-dir /jffs/configs/openvpn/ccd1/
route 192.168.33.0 255.255.255.0
Hit the Apply button – will take some time
Configure client side router
Log on to the client-side router (192.168.33.1)
Select VPN from the left-hand menu and click on VPN Client tab
In section Network Settings set the parameter Create NAT on tunnel to No
*UPDATE* set the new parameter Inbound Firewall to Allow
Hit the Apply button – will take some time
Final words
After reconnecting the tunnel the communication should be possible in both directions
Disclaimer
This how-to is based on following article: https://openvpn.net/community-resources/how-to/#scope and adopted by me for my two Asus routers running Asuswrt-Merlin firmware.
(c)2019 by zolo