Unable to reach VPN server in two-router setting

Discussion in 'Other LAN and WAN' started by junk1, May 17, 2018.

  1. junk1

    junk1 New Around Here

    Joined:
    May 17, 2018
    Messages:
    5
    I have a VPN server in a two-router setup, and I can't make it work.

    Router 1 (192.168.0.1) is my main router, connected to my ISP.

    Router 2 (192.168.0.2) is an Asus RT-N66U with Merlin firmware running a VPN server.

    The two routers are hooked up LAN to LAN, to avoid having two different subnets. I have enabled port forwarding in Router 1 to forward the VPN port to Router 2.

    The issue is that I cannot reach the VPN server from outside the LAN. From inside it works; from outside, I don't get a server reply. Other services behind Router 1, for which I am forwarding ports as well, do not have this problem -- they are accessible from the WAN.

    I guess this has to be a firewall or similar issue with Router 2. But I have disabled its firewall, as well as NAT and DHCP, and the problem persists.

    Any suggestions will be highly appreciated.
     
  3. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    6,049
    Location:
    UK
    As far as I am aware that is not a valid configuration. The VPN server only listens on its WAN interface, not the LAN. In fact in my particular firmware (John's fork of Merlin) the VPN server refuses to start without a valid WAN connection.
     
  4. junk1

    junk1 New Around Here

    Joined:
    May 17, 2018
    Messages:
    5
    Thanks for your reply.

    Forgive my ignorance -- is this a limitation of the router or the firmware? I am asking because I can set up a VPN server on a PC or a NAS, neither of which has a WAN interface.
     
  5. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    6,049
    Location:
    UK
    The firmware. The code was written with the expectation (not unreasonably) that incoming VPN connections would be through the WAN interface.

    A PC or NAS doesn't have a LAN interface either, because it's not a router. It just has "an interface".
     
  6. junk1

    junk1 New Around Here

    Joined:
    May 17, 2018
    Messages:
    5
    Colin, thanks for this, you just saved me from wasting a lot more effort.

    I will have to move to a LAN-to-WAN connection among the routers. I presume that I will end up with another subnet (say 192.168.1.x) for Router 2.

    Perhaps you can answer another question then. In that setting, is it still possible to create a bridged VPN, which was my original intent -- bridged with the 192.168.0.x subnet, where all my computers are?
     
  7. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    6,049
    Location:
    UK
    With two separate subnets you will probably have routing (and other) issues to resolve. But you'd have these whether you're using the VPN or not. It depends on exactly what you're trying to achieve (in your network design).
     
  8. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    6,049
    Location:
    UK
    @junk1 Thinking about this again and the problems associated with having two subnets...

    It's worth trying the following with your existing (single subnet) setup. Under VPN Server > VPN Details > Custom configuration add the following line:

    local 192.168.0.2

    This assumes that 192.168.0.2 is the LAN IP address of your VPN server. In theory this should make the VPN server listen on the LAN interface rather than the WAN.

    Whether there will be any unforeseen routing issues I couldn't say.
     
  9. junk1

    junk1 New Around Here

    Joined:
    May 17, 2018
    Messages:
    5
    Thanks for the suggestion. Unfortunately it does not work, the server still does not reply.
     
  10. roguetr

    roguetr Regular Contributor

    Joined:
    May 6, 2018
    Messages:
    63
    Admittedly your setup isn't entirely clear, it just sounds like you are using a router as a VPN server behind another router connected to the internet. From what you've said you can connect to the VPN from the local network the VPN server is connected to, which means this should work if forwarding properly.

    You haven't said what type of VPN. PPTP doesn't work by only port forwarding and with OpenVPN you will need to make sure you are forwarding UDP. For PPTP you have to enable PPTP/GRE passthrough as GRE is a tunneling protocol, not a port.

    Sent from my MI 5 using Tapatalk
     
  11. roguetr

    roguetr Regular Contributor

    Joined:
    May 6, 2018
    Messages:
    63
    FYI for PPTP, I've never bothered forwarding PPTP with asuswrt and it looks like despite having PPTP as a famous server option, you also need to add GRE.

    https://www.asus.com/us/support/FAQ/1033906/

    Handing off GRE to an internal server is separate from the GRE NAT passthrough option available for outbound clients.
     
    Last edited: May 19, 2018
  12. junk1

    junk1 New Around Here

    Joined:
    May 17, 2018
    Messages:
    5
    Thanks for your input. Yes, my setup has a secondary router with a VPN server behind a primary router that connects to the ISP.

    It really does not seem to matter which type of VPN. Both PPTP and OpenVPN (yes, I am forwarding UDP) work from inside the network, neither does from outside.

    What really seems to make the difference is whether the routers are connected LAN-to-WAN (then both PPTP and OpenVPN work fine from both inside and outside) or LAN-to-LAN (then the problem arises when trying to access the VPN from outside).

    I'll be grateful for any other suggestions.
     
  13. roguetr

    roguetr Regular Contributor

    Joined:
    May 6, 2018
    Messages:
    63
    Ok, so it does service connections when using the WAN port. Sorry, I didn't see you actually confirm that was working from outside your network.

    Unfortunately I've only used asuswrt/merlin stuff with basic home setups. Anything like what you're trying to do I'd be using openwrt, which gives you much more control over how the firewall and switch function (the WAN port is just another switch port, nothing special except internally VLANed).

    It seems strange that you can connect internally but not externally when using a LAN port, the main difference being the originating IP and the requirement to route out the default gateway (you can rule out NAT and PAT if they are working with the WAN port). Assuming you have full internet connectivity from the VPN router when only connected via a LAN port, then I'd have to assume that either the firewall (unlikely on the LAN side) or VPN config are imposing some limitation but I can't imagine what ...

    To me the only real difference between connecting the LAN or WAN port to your internal network would be how the VPN router actually routes. If you can ping outside to the internet from the VPN router's cli then I'd test port forwarding to a different service just to isolate it to the VPN config.

    Sent from my MI 5 using Tapatalk
     
  14. eibgrad

    eibgrad Occasional Visitor

    Joined:
    Feb 20, 2017
    Messages:
    34
    I've been working w/ dd-wrt and tomato OpenVPN implementations for many years. And there's usually no problem in using a bridged (LAN to LAN) configuration on a secondary router. It would be a pretty odd situation when the OpenVPN server could only be bound to the WAN's network interface. But to be fair, I'm much less familiar w/ Merlin, although it's my understanding it shares a lot w/ tomato firmware.

    One possible explanation for it not working when remotely accessed is perhaps the secondary router doesn't have a gateway IP specified. In a routed (WAN to LAN) config, this is normally configured automatically over the WAN via DHCP. But when using a LAN to LAN config, there is no WAN. And if you expect that secondary router to have internet access, you need to manually configure a gateway IP. Sometimes ppl forget and only assign a LAN ip and netmask. Which can explain why it works locally, but NOT remotely.

    Another potential problem is the OpenVPN tunnel network. When the OpenVPN server is running on the local network's gateway, the tunnel network (e.g., 10.8.0.0/24) is hosted on the same device. So routing between the tunnel and the local network just works. But if the OpenVPN server is on some other LAN device, the tunnel network is NOT known to the default gateway. And now when OpenVPN clients connect to the OpenVPN server using the 10.8.0.0/24 network (in my example), and need to access local devices or the internet, there is no routing information available to route back the replies. That information is isolated on the hosting device. To fix the problem, you need a static route on the default gateway that tells it where that tunnel is located, which is the LAN ip of that second router.

    All that said, I have seen a few cases where some routers when configured LAN to LAN simply can't be reached remotely, for unknown reasons. I have my suspicions why, but can't prove it.
     
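The two failure modes raised in this thread (roguetr's point that a port-based forward never matches GRE, and eibgrad's points about the missing default gateway on the secondary router and the missing static route for the tunnel network on the main router) can be traced through a toy model. The script below is an added example written for this page, not code from the thread or from any router firmware. It models the thread's topology (R1 at 192.168.0.1 as main router, R2 at 192.168.0.2 as the VPN router joined LAN-to-LAN, a PC at 192.168.0.50, an OpenVPN tunnel 10.8.0.0/24 on R2) with longest-prefix-match routing tables and a simple DNAT rule list. The public addresses (203.0.113.x, 198.51.100.x), the PC, and all routing tables are constructed for the example; UDP 1194, TCP 1723 and IP protocol GRE are the standard OpenVPN and PPTP ports/protocols.

```python
"""Toy routing/DNAT model of a VPN server on a secondary router joined
LAN-to-LAN to the main router. All tables and addresses are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                    # "udp", "tcp" or "gre"
    dport: Optional[int] = None   # GRE is an IP protocol and carries no port


@dataclass
class ForwardRule:
    proto: str
    dport: Optional[int]          # None = forward the whole protocol (what GRE needs)
    target: str


def apply_dnat(pkt, rules):
    """Return the LAN address the main router forwards an inbound packet to,
    or None when no rule matches (the packet dies at the WAN edge)."""
    for rule in rules:
        if rule.proto == pkt.proto and rule.dport in (None, pkt.dport):
            return rule.target
    return None


def build_devices(r2_gateway=False, r1_static_route=False):
    """Routing tables as (prefix, next_hop); next_hop None = directly connected.
    r2_gateway: give the secondary router a default route via the main router.
    r1_static_route: tell the main router where the tunnel network lives."""
    r1_table = [("192.168.0.0/24", None), ("0.0.0.0/0", "203.0.113.1")]
    if r1_static_route:
        r1_table.append(("10.8.0.0/24", "192.168.0.2"))
    r2_table = [("192.168.0.0/24", None), ("10.8.0.0/24", None)]
    if r2_gateway:
        r2_table.append(("0.0.0.0/0", "192.168.0.1"))
    return {
        "R1": {"ips": {"192.168.0.1", "203.0.113.10"}, "table": r1_table},
        "R2": {"ips": {"192.168.0.2", "10.8.0.1"}, "table": r2_table},
        "PC": {"ips": {"192.168.0.50"},
               "table": [("192.168.0.0/24", None), ("0.0.0.0/0", "192.168.0.1")]},
    }


def lookup(table, dst):
    """Longest-prefix match; returns (network, next_hop) or None."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


def owner(devices, ip):
    for name, dev in devices.items():
        if ip in dev["ips"]:
            return name
    return None


def trace(devices, start, dst, max_hops=8):
    """Follow a packet for dst from device `start`; returns (outcome, hops)."""
    hops = [start]
    current = start
    for _ in range(max_hops):
        match = lookup(devices[current]["table"], dst)
        if match is None:
            return "dropped: no route", hops
        _net, next_hop = match
        if next_hop is None:               # directly connected: deliver on-link
            target = owner(devices, dst)
            if target:
                hops.append(target)
            return "delivered", hops
        target = owner(devices, next_hop)
        if target is None:                 # next hop is the ISP, i.e. off the LAN
            return f"sent to WAN via {next_hop}", hops
        hops.append(target)
        current = target
    return "routing loop", hops


if __name__ == "__main__":
    rules = [ForwardRule("udp", 1194, "192.168.0.2"), ForwardRule("tcp", 1723, "192.168.0.2")]
    gre = Packet("198.51.100.7", "203.0.113.10", "gre")
    print("GRE with port-only rules:", apply_dnat(gre, rules))          # None
    print("GRE with protocol rule:  ", apply_dnat(gre, rules + [ForwardRule("gre", None, "192.168.0.2")]))
    print("R2 reply, no gateway:    ", trace(build_devices(), "R2", "198.51.100.7"))
    print("R2 reply, with gateway:  ", trace(build_devices(r2_gateway=True), "R2", "198.51.100.7"))
    print("PC -> tunnel client, no static route:", trace(build_devices(), "PC", "10.8.0.5"))
    print("PC -> tunnel client, static route:   ", trace(build_devices(r1_static_route=True), "PC", "10.8.0.5"))
```

Two things the trace makes visible: without a default route, R2 can answer a LAN client but has nowhere to send the reply to a remote peer, so the handshake silently never completes; and without the static route on R1, a LAN host's reply to a tunnel address follows R1's default route out to the ISP instead of back to R2.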