Unable to reach VPN server in two-router setting

Discussion in 'Other LAN and WAN' started by junk1, May 17, 2018 at 11:56 AM.

  1. junk1

    junk1 New Around Here

    Joined:
    Thursday
    Messages:
    5
    I have a VPN server in a two-router setup, and I can't make it work.

    Router 1 (192.168.0.1) is my main router, connected to my ISP.

    Router 2 (192.168.0.2) is an Asus RT-N66U with Merlin firmware running a VPN server.

    The two routers are hooked up LAN to LAN, to avoid having two different subnets. I have enabled port forwarding in Router 1 to forward the VPN port to Router 2.

    The issue is that I cannot reach the VPN server from outside the LAN. From inside it works; from outside, I don't get a server reply. Other services behind Router 1, for which I am forwarding ports as well, do not have this problem -- they are accessible from the WAN.

    I guess this has to be a firewall or similar issue with Router 2. But I have disabled its firewall, as well as NAT and DHCP, and the problem persists.

    Any suggestions will be highly appreciated.
     
  3. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    5,147
    Location:
    UK
    As far as I am aware that is not a valid configuration. The VPN server only listens on its WAN interface, not the LAN. In fact in my particular firmware (John's fork of Merlin) the VPN server refuses to start without a valid WAN connection.
     
  4. junk1

    junk1 New Around Here

    Joined:
    Thursday
    Messages:
    5
    Thanks for your reply.

    Forgive my ignorance -- is this a limitation of the router or the firmware? I am asking because I can set up a VPN server on a PC or a NAS, neither of which has a WAN interface.
     
  5. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    5,147
    Location:
    UK
    The firmware. The code was written with the expectation (not unreasonably) that incoming VPN connections would be through the WAN interface.

    A PC or NAS doesn't have a LAN interface either, because it's not a router. It just has "an interface".
     
  6. junk1

    junk1 New Around Here

    Joined:
    Thursday
    Messages:
    5
    Colin, thanks for this, you just saved me from wasting a lot more effort.

    I will have to move to a LAN-to-WAN connection among the routers. I presume that I will end up with another subnet (say 192.168.1.x) for Router 2.

    Perhaps you can answer another question then. In that setting, is it still possible to create a bridged VPN, which was my original intent -- bridged with the 192.168.0.x subnet, where all my computers are ?
     
  7. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    5,147
    Location:
    UK
    With two separate subnets you will probably have routing (and other) issues to resolve. But you'd have these whether you're using the VPN or not. It depends on exactly what you're trying to achieve (in your network design).
     
  8. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    5,147
    Location:
    UK
    @junk1 Thinking about this again and the problems associated with having two subnets...

    It's worth trying the following with your existing (single subnet) setup. Under VPN Server > VPN Details > Custom configuration add the following line:

    local 192.168.0.2

    This assumes that 192.168.0.2 is the LAN IP address of your VPN server. In theory this should make the VPN server listen on the LAN interface rather than the WAN.

    Whether there will be any unforeseen routing issues I couldn't say.
     
  9. junk1

    junk1 New Around Here

    Joined:
    Thursday
    Messages:
    5
    Thanks for the suggestion. Unfortunately it does not work, the server still does not reply.
     
  10. roguetr

    roguetr Occasional Visitor

    Joined:
    May 6, 2018
    Messages:
    23
    Admittedly your setup isn't entirely clear, it just sounds like you are using a router as a VPN server behind another router connected to the internet. From what you've said you can connect to the VPN from the local network the VPN server is connected to, which means this should work if forwarding properly.

    You haven't said what type of VPN. PPTP doesn't work by only port forwarding and with OpenVPN you will need to make sure you are forwarding UDP. For PPTP you have to enable PPTP/GRE passthrough as GRE is a tunneling protocol, not a port.

    Sent from my MI 5 using Tapatalk
     
  11. roguetr

    roguetr Occasional Visitor

    Joined:
    May 6, 2018
    Messages:
    23
    FYI for PPTP, I've never bothered forwarding PPTP with asuswrt and it looks like despite having PPTP as a famous server option, you also need to add GRE.

    https://www.asus.com/us/support/FAQ/1033906/

    Handing off GRE to an internal server is separate from the GRE NAT passthrough option available for outbound clients.
     
    Last edited: May 19, 2018 at 3:10 AM
  12. junk1

    junk1 New Around Here

    Joined:
    Thursday
    Messages:
    5
    Thanks for your input. Yes, my setup has a secondary router with a VPN server behind a primary router that connects to the ISP.

    It really does not seem to matter which type of VPN. Both PPTP and OpenVPN (yes, I am forwarding UDP) work from inside the network, neither does from outside.

    What really seems to make the difference is whether the routers are connected LAN-to-WAN (then both PPTP and OpenVPN work fine from both inside and outside) or LAN-to-LAN (then the problem arises when trying to access the VPN from outside).

    I'll be grateful for any other suggestions.
     
  13. roguetr

    roguetr Occasional Visitor

    Joined:
    May 6, 2018
    Messages:
    23
    Ok, so it does service connections when using the WAN port. Sorry, I didn't see you actually confirm that was working from outside your network.

    Unfortunately I've only used asuswrt/merlin stuff with basic home setups. Anything like what you're trying to do I'd be using openwrt, which gives you much more control over how the firewall and switch function (the WAN port is just another switch port, nothing special except internally VLANed).

    It seems strange that you can connect internally but not externally when using a LAN port, the main difference being the originating IP and the requirement to route out the default gateway (you can rule out NAT and PAT if they are working with the WAN port). Assuming you have full internet connectivity from the VPN router when only connected via a LAN port, then I'd have to assume that either the firewall (unlikely on the LAN side) or VPN config are imposing some limitation but I can't imagine what ...

    To me the only real difference between connecting the LAN or WAN port to your internal network would be how the VPN router actually routes. If you can ping outside to the internet from the VPN router's cli then I'd test port forwarding to a different service just to isolate it to the VPN config.

    Sent from my MI 5 using Tapatalk
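
An added troubleshooting sketch, not part of any post in this thread, for the two checks the discussion points at in the LAN-to-LAN setup: whether the VPN server is bound to the LAN address, and whether Router 2 has a default gateway to send replies to off-subnet clients. UDP port 1194 (OpenVPN's default; the thread does not state the port), the `br0` interface name and the sample `ip route` / `netstat -lnu` text are constructed assumptions.

```shell
#!/bin/sh
# Added example: sample outputs are constructed, not captured from the poster's router.

# Constructed `ip route` text: LAN-to-LAN router with no default gateway set.
ROUTES_NO_GW='192.168.0.0/24 dev br0 proto kernel scope link src 192.168.0.2
127.0.0.0/8 dev lo scope link'

# Same router with a default gateway pointing at Router 1.
ROUTES_WITH_GW='default via 192.168.0.1 dev br0
192.168.0.0/24 dev br0 proto kernel scope link src 192.168.0.2
127.0.0.0/8 dev lo scope link'

# Constructed `netstat -lnu` lines: a UDP listener bound to the LAN IP.
SOCKETS='udp        0      0 192.168.0.2:1194        0.0.0.0:*
udp        0      0 0.0.0.0:53              0.0.0.0:*'

# Print the default gateway found in `ip route` text; fail if there is none.
default_gateway() {
    gw=$(printf '%s\n' "$1" | awk '$1 == "default" && $2 == "via" { print $3; exit }')
    [ -n "$gw" ] && printf '%s\n' "$gw"
}

# Succeed if a UDP socket is bound to addr:port or to the wildcard address.
listens_on() {  # $1 = netstat text, $2 = address, $3 = port
    printf '%s\n' "$1" | awk -v a="$2:$3" -v w="0.0.0.0:$3" \
        '$1 == "udp" && ($4 == a || $4 == w) { found = 1 } END { exit !found }'
}

# Combine both checks: LAN clients are on-link, but a forwarded WAN client
# has an off-subnet source address, so replies need a default route.
diagnose() {  # $1 = routes, $2 = sockets, $3 = LAN IP, $4 = port
    listens_on "$2" "$3" "$4" || { echo "not-listening"; return; }
    default_gateway "$1" >/dev/null || { echo "no-return-route"; return; }
    echo "ok"
}

diagnose "$ROUTES_NO_GW" "$SOCKETS" 192.168.0.2 1194
diagnose "$ROUTES_WITH_GW" "$SOCKETS" 192.168.0.2 1194
# On the router itself: diagnose "$(ip route)" "$(netstat -lnu)" 192.168.0.2 1194
```

A `no-return-route` result would explain a server that answers LAN clients but not forwarded ones; an `ok` result moves the search to the firewall or VPN configuration, as the last post suggests.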
     