pfSense OpenVPN server, Asus RT-AC66U client
-
I have a pfSense OpenVPN server set up to provide both local and internet access. It is working well with both a client on my Android phone, as well as a Windows client. I have a remote Asus RT-AC66U router client that is configured with the same *.ovpn configuration as my Android phone. The Asus router appears to be connecting to the server correctly, but it is unable to access either the LAN behind the VPN server, or the internet. I am running the newest stable pfSense (2.4.5-p1), as well as the newest firmware on the Asus router (3.0.0.4.382_52272). Client log attached below. I'm posting this in hopes that someone else with an Asus RT-AC66U may have some insight.
ASUS RT-AC66U client log (actual public ip:port changed to <publicIP>:<port>):
Jul 29 14:21:21 rc_service: httpds 349:notify_rc restart_vpncall
Jul 29 14:21:22 vpnclient4[1190]: OpenVPN 2.4.7 mipsel-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jun 19 2020
Jul 29 14:21:22 vpnclient4[1190]: library versions: OpenSSL 1.0.2u 20 Dec 2019, LZO 2.03
Jul 29 14:21:22 vpnclient4[1192]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jul 29 14:21:22 vpnclient4[1192]: Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Jul 29 14:21:22 vpnclient4[1192]: Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Jul 29 14:21:22 vpnclient4[1192]: TCP/UDP: Preserving recently used remote address: [AF_INET]<publicIP>:<port>
Jul 29 14:21:22 vpnclient4[1192]: Socket Buffers: R=[118784->118784] S=[118784->118784]
Jul 29 14:21:22 vpnclient4[1192]: UDPv4 link local: (not bound)
Jul 29 14:21:22 vpnclient4[1192]: UDPv4 link remote: [AF_INET]<publicIP>:<port>
Jul 29 14:21:22 vpnclient4[1192]: TLS: Initial packet from [AF_INET]<publicIP>:<port>, sid=a7dc389c 11aefffd
Jul 29 14:21:22 vpnclient4[1192]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Jul 29 14:21:22 vpnclient4[1192]: VERIFY OK: depth=1, CN=homeRouterVPN, C=US, ST=North Carolina, L=Cary, O=self
Jul 29 14:21:22 vpnclient4[1192]: VERIFY KU OK
Jul 29 14:21:22 vpnclient4[1192]: Validating certificate extended key usage
Jul 29 14:21:22 vpnclient4[1192]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Jul 29 14:21:22 vpnclient4[1192]: VERIFY EKU OK
Jul 29 14:21:22 vpnclient4[1192]: VERIFY X509NAME OK: CN=homeRouterVPN, C=US, ST=North Carolina, L=Cary, O=self
Jul 29 14:21:22 vpnclient4[1192]: VERIFY OK: depth=0, CN=homeRouterVPN, C=US, ST=North Carolina, L=Cary, O=self
Jul 29 14:21:23 vpnclient4[1192]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Jul 29 14:21:23 vpnclient4[1192]: [homeRouterVPN] Peer Connection Initiated with [AF_INET]<publicIP>:<port>
Jul 29 14:21:24 vpnclient4[1192]: SENT CONTROL [homeRouterVPN]: 'PUSH_REQUEST' (status=1)
Jul 29 14:21:24 vpnclient4[1192]: PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 10.55.83.10,redirect-gateway def1,route-gateway 10.55.201.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.55.201.2 255.255.255.0,peer-id 0,cipher AES-128-GCM'
Jul 29 14:21:24 vpnclient4[1192]: OPTIONS IMPORT: timers and/or timeouts modified
Jul 29 14:21:24 vpnclient4[1192]: OPTIONS IMPORT: --ifconfig/up options modified
Jul 29 14:21:24 vpnclient4[1192]: OPTIONS IMPORT: route options modified
Jul 29 14:21:24 vpnclient4[1192]: OPTIONS IMPORT: route-related options modified
Jul 29 14:21:24 vpnclient4[1192]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Jul 29 14:21:24 vpnclient4[1192]: OPTIONS IMPORT: peer-id set
Jul 29 14:21:24 vpnclient4[1192]: OPTIONS IMPORT: adjusting link_mtu to 1624
Jul 29 14:21:24 vpnclient4[1192]: OPTIONS IMPORT: data channel crypto options modified
Jul 29 14:21:24 vpnclient4[1192]: Data Channel: using negotiated cipher 'AES-128-GCM'
Jul 29 14:21:24 vpnclient4[1192]: Outgoing Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
Jul 29 14:21:24 vpnclient4[1192]: Incoming Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
Jul 29 14:21:24 vpnclient4[1192]: TUN/TAP device tun14 opened
Jul 29 14:21:24 vpnclient4[1192]: TUN/TAP TX queue length set to 100
Jul 29 14:21:24 vpnclient4[1192]: /sbin/ifconfig tun14 10.55.201.2 netmask 255.255.255.0 mtu 1500 broadcast 10.55.201.255
Jul 29 14:21:24 vpnclient4[1192]: /etc/openvpn/ovpn-up tun14 1500 1552 10.55.201.2 255.255.255.0 init
Jul 29 14:21:24 vpnclient4[1192]: Initialization Sequence Completed
-
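As an added example (this is not code from the thread, from pfSense or from the Asus firmware), the script below parses the PUSH_REPLY line in the client log above and derives the IPv4 routes an OpenVPN 2.4 client installs from those pushed options, so the question "is this destination even routed into the tunnel?" can be answered from the log alone. The server's public address is redacted on the page as <publicIP>; 203.0.113.5 (TEST-NET-3) is a constructed stand-in for it, and 198.51.100.7 is a constructed sample public destination.

```python
import ipaddress

# Constructed copy of the PUSH_REPLY line quoted in the Asus client log above;
# it is used here only as sample input.
PUSH_REPLY_LINE = (
    "PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 10.55.83.10,"
    "redirect-gateway def1,route-gateway 10.55.201.1,topology subnet,ping 10,"
    "ping-restart 60,ifconfig 10.55.201.2 255.255.255.0,peer-id 0,"
    "cipher AES-128-GCM'"
)

# Assumption: stand-in (TEST-NET-3) for the server's public IP, which the
# thread redacts as <publicIP>.
VPN_SERVER = "203.0.113.5"


def parse_push_reply(line):
    """Return pushed options as (name, [args]) pairs, in the order received.

    Accepts the bare 'PUSH_REPLY,...' message or the full log line quoting it.
    """
    body = line.split("PUSH_REPLY,", 1)[1].rstrip("'")
    options = []
    for item in body.split(","):
        parts = item.split()
        if parts:
            options.append((parts[0], parts[1:]))
    return options


def client_routes(options, vpn_server):
    """Derive the IPv4 routes an OpenVPN 2.4 client installs for these options.

    Each entry is (network, gateway, origin); gateway is None when the network
    is directly connected on the tun interface. Semantics follow the OpenVPN
    2.4 manual:
      - ifconfig + topology subnet: the tunnel subnet is directly connected
      - route <net> <mask> [gw]: via gw, else via route-gateway
      - redirect-gateway def1: 0.0.0.0/1 and 128.0.0.0/1 via route-gateway,
        plus a /32 to the VPN server via the pre-existing default gateway so
        the tunnel transport is not itself sent into the tunnel
    """
    route_gateway = None
    for name, args in options:
        if name == "route-gateway" and args:
            route_gateway = args[0]

    routes = []
    for name, args in options:
        if name == "ifconfig" and len(args) == 2:
            tun = ipaddress.ip_interface(f"{args[0]}/{args[1]}")
            routes.append((tun.network, None, "ifconfig (connected on tun)"))
        elif name == "route" and len(args) >= 2:
            net = ipaddress.ip_network(f"{args[0]}/{args[1]}", strict=False)
            gw = args[2] if len(args) >= 3 else route_gateway
            routes.append((net, gw, "pushed route"))
        elif name == "redirect-gateway":
            if "def1" in args:
                for half in ("0.0.0.0/1", "128.0.0.0/1"):
                    routes.append((ipaddress.ip_network(half), route_gateway,
                                   "redirect-gateway def1"))
            else:
                routes.append((ipaddress.ip_network("0.0.0.0/0"), route_gateway,
                               "redirect-gateway"))
            if "local" not in args:
                routes.append((ipaddress.ip_network(f"{vpn_server}/32"),
                               "pre-existing default gateway",
                               "host route to VPN server"))
    return routes


def covering_route(routes, destination):
    """Longest-prefix match: the route the client uses for destination, or None."""
    dst = ipaddress.ip_address(destination)
    matches = [r for r in routes if dst in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None


def pushed_dns(options):
    """DNS servers pushed via 'dhcp-option DNS'."""
    return [args[1] for name, args in options
            if name == "dhcp-option" and len(args) == 2 and args[0] == "DNS"]


if __name__ == "__main__":
    opts = parse_push_reply(PUSH_REPLY_LINE)
    routes = client_routes(opts, VPN_SERVER)
    print("routes the client installs:")
    for net, gw, origin in routes:
        print(f"  {str(net):<18} via {gw or 'tun (connected)':<30} [{origin}]")
    print("pushed DNS:", pushed_dns(opts))
    # Destinations to check: the pushed DNS server (presumably on the pfSense
    # LAN), the tunnel gateway, a constructed public address, the VPN server.
    for dst in ("10.55.83.10", "10.55.201.1", "198.51.100.7", VPN_SERVER):
        r = covering_route(routes, dst)
        print(f"  {dst:<14} -> {r[0]} via {r[1] or 'tun'}" if r
              else f"  {dst:<14} -> no route")
```

For the log above this shows that every destination outside 10.55.201.0/24 is covered by the two def1 halves via 10.55.201.1, and that no explicit route to the pfSense LAN is pushed (none is needed when redirect-gateway is in effect). The pushed options therefore do not by themselves explain why the router fails; what the Asus firmware does with traffic arriving from its own LAN side is outside this client log and is not settled in the thread.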
@wmcneil said in pfSense OpenVPN server, Asus RT-AC66U client:
The Asus router appears to be connecting to the server correctly, but it is unable to access either the LAN behind the VPN server, or the internet.
Hi,
I haven't dealt with SOHO Asus stuff in a long time, but...
Your problem is.... because you are connecting to the VPN server with a router (RT-AC66U)...
so additional routes need to be specified for the network behind the Asus to reach the OpenVPN route, or you can follow this link:
(it's about VPN services, but it's actually yours too, only with pfSense as the server)
https://www.vpnuniversity.com/tutorial/how-to-setup-openvpn-asus-routers-asuswrt
-
@DaddyGo The Asus OpenVPN client implementation is supposed to do everything needed for the router to work properly. I have successfully connected to a different OpenVPN server using the Asus client, with a prior version of Asus firmware. In order for the Asus client to successfully connect to my pfSense server, I had to update the Asus firmware to the newest version. While it is making a successful connection with the newest firmware, it is not routing properly. The link you referenced does not include any directions to change any router settings other than uploading the *.ovpn configuration file to the router, specifying username and password, and enabling the client. This is expected, since there are no other router settings that should have to be changed.
-
@wmcneil said in pfSense OpenVPN server, Asus RT-AC66U client:
The Asus OpenVPN client implementation is supposed to do everything needed for the router to work properly
recommend to your attention
https://community.openvpn.net/openvpn/wiki/BridgingAndRouting
-
@DaddyGo Are you aware of a method that allows one to modify the routing rules on an Asus RT-AC66U router running factory Asus firmware, or are you pointing at these links solely as a thought exercise?
-
@wmcneil said in pfSense OpenVPN server, Asus RT-AC66U client:
or are you pointing at these links solely as a thought exercise?
I'm just trying to share the train of thought with you (about OpenVPN)...
- you write that when you connect with a client device everything works fine
- if you connect with a router it does not work
I will draw the lessons described above from this...
it is not all the same if you set TUN or TAP mode, e.g.:
as server - client / and for example site-to-site VPN
True?
++++
edit:
ergo, this is not a pfSense issue but an OpenVPN configuration question...
or Asus, but it's also not pfSense....
-
-