# Asus - OpenVPN Site to Site or Point to Point (ASUS Asuswrt-Merlin)

Most of the documents online are missing steps, or the folks writing them assume that whoever is setting this up is a network traffic wizard.

### GOAL:

With one of the Asus routers being the server and the other being a client, we want to be able to reach the IP or hostname of any device from either side.

#### Both Routers:

**VPN Type:** TUN (TAP may be overkill for this case)

**Protocol:** UDP

**Static Routes:** Both servers

When you export the OpenVPN certificates from the router (as opposed to supplying your own), they have the CN set as '**client**'. This is relevant/confusing for the server config, as our other router is a client named client.

#### Server: ASUS RT-AC5300 with 192.168.53.1/24
Server settings (VPN Server page in the Merlin web UI):

- Interface Type: TUN / TAP
- Protocol: TCP / UDP
- Server Port (Default: 1194)
- Authentication Mode: TLS / Static Key
- Keys and Certificates
- Username/Password Authentication: Yes / No
- TLS control channel security (tls-auth / tls-crypt)
- HMAC Authentication
- VPN Subnet / Netmask
- Advertise DNS to clients: Yes / No
- Data ciphers
- Compression
- Log verbosity (Between 0 and 6. Default: 3)
- Manage Client-Specific Options: Yes / No
- Allow Client <-> Client: Yes / No
- Allow only specified clients: Yes / No

Allowed Clients:

| Common Name (CN) | Subnet | Mask | Push |
| --- | --- | --- | --- |
| client | 192.168.51.0 | 255.255.255.0 | Yes |

Custom Configuration:

```bash
reneg-sec 432000
push "route 192.168.53.0 255.255.255.0"
route 192.168.51.0 255.255.255.0
```
Custom Explained:

```bash
reneg-sec 432000                          # optional: renegotiate the data channel keys every 5 days
push "route 192.168.53.0 255.255.255.0"  # server LAN subnet, pushed to the client
route 192.168.51.0 255.255.255.0         # client LAN subnet, routed into the tunnel
```

Export the .ovpn files from the new server config.

#### Client: ASUS RT-AC5300 with 192.168.51.1/24

**Import** the .ovpn config file exported from the server, to set the certificates and some of the basic settings.
Client settings (VPN Client page in the Merlin web UI):

- Select client instance
- Service state
- Automatic start at boot time: Yes / No
- Description
- Import .ovpn file

Network Settings:

- Interface Type: TUN / TAP
- Protocol: TCP / UDP
- Server Address and Port: XXXXXXX.asuscomm.com
- Create NAT on tunnel: Yes / No (Routes must be configured manually.)
- Inbound Firewall: Block / Allow
- Accept DNS Configuration
- Redirect Internet traffic through tunnel

Authentication Settings:

- Authentication Mode: TLS / Static Key
- Username/Password Authentication: Yes / No

Crypto Settings:

- Keys and Certificates
- Data ciphers
- TLS control channel security (tls-auth / tls-crypt)
- Auth digest

Advanced Settings:

- Log verbosity (Between 0 and 6. Default: 3)
- Compression
- TLS Renegotiation Time (in seconds, -1 for default)
- Connection Retry attempts (0 for infinite)
- Verify Server Certificate Name

Custom Configuration:

```bash
resolv-retry infinite
float
keepalive 15 60
remote-cert-tls server
```
Apply "Automatic start at boot time" and turn on the client VPN.

#### Server Connection:
OpenVPN Server 2 - Running

Clients:

| Common Name | Username | Real Address | Virtual Address | MBytes Received | MBytes Sent | Connected Since |
| --- | --- | --- | --- | --- | --- | --- |
| client | | XXX.XXX.XXX.XXX:47361 | 10.100.100.2 | 7305.28 | 2561.14 | 2024-12-22 09:49:57 |

Routes:

| Virtual Address | Common Name | Real Address | Last Ref |
| --- | --- | --- | --- |
| 192.168.51.217C | client | XXX.XXX.XXX.XXX:47361 | 2024-12-22 11:03:29 |
| 192.168.51.1C | client | XXX.XXX.XXX.XXX:47361 | 2024-12-22 11:03:31 |
| 192.168.51.15C | client | XXX.XXX.XXX.XXX:47361 | 2024-12-22 11:03:36 |
| 10.100.100.2 | client | XXX.XXX.XXX.XXX:47361 | 2024-12-22 11:03:50 |
| 192.168.51.109C | client | XXX.XXX.XXX.XXX:47361 | 2024-12-22 11:03:28 |
| 192.168.51.145C | client | XXX.XXX.XXX.XXX:47361 | 2024-12-22 11:03:50 |
| 192.168.51.10C | client | XXX.XXX.XXX.XXX:47361 | 2024-12-22 11:03:31 |
| 192.168.51.101C | client | XXX.XXX.XXX.XXX:47361 | 2024-12-22 11:03:25 |
| 192.168.51.140C | client | XXX.XXX.XXX.XXX:47361 | 2024-12-22 11:03:40 |
| 192.168.51.9C | client | XXX.XXX.XXX.XXX:47361 | 2024-12-22 11:03:50 |
| 192.168.51.23C | client | XXX.XXX.XXX.XXX:47361 | 2024-12-22 11:03:44 |
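To tie together the server Custom Configuration, the Manage Client-Specific Options row and the kernel route the server needs, here is an added example (not part of the original notes or the router firmware) that derives all three from the two LAN subnets and checks that neither LAN overlaps the other or the tunnel network. The tunnel network 10.100.100.0/24 and the client tunnel address 10.100.100.2 are assumed from the virtual address in the status table above.

```python
#!/usr/bin/env python3
"""Generate and sanity-check the routing directives for an Asuswrt-Merlin
OpenVPN site-to-site (TUN) setup like the one in these notes.
Added example, not the router's own code; the 10.100.100.0/24 tunnel network
is an assumption taken from the virtual address in the server status table."""
import ipaddress


def overlapping_pairs(*networks):
    """Return every pair of the given networks that overlap, as strings.
    Two sites on the same private range, or a LAN that collides with the
    tunnel network, is the usual reason a tunnel connects but no LAN traffic
    crosses it, so check this before touching any routes."""
    nets = [ipaddress.ip_network(n, strict=True) for n in networks]
    return [(str(a), str(b)) for i, a in enumerate(nets)
            for b in nets[i + 1:] if a.overlaps(b)]


def site_to_site_config(server_lan, client_lan, vpn_subnet,
                        client_cn="client", client_tunnel_ip="10.100.100.2"):
    """Return the directives each side needs, keyed by where they go."""
    clashes = overlapping_pairs(server_lan, client_lan, vpn_subnet)
    if clashes:
        raise ValueError(f"overlapping subnets: {clashes}")
    s_lan = ipaddress.ip_network(server_lan)
    c_lan = ipaddress.ip_network(client_lan)
    if ipaddress.ip_address(client_tunnel_ip) not in ipaddress.ip_network(vpn_subnet):
        raise ValueError("client tunnel address is not inside the VPN subnet")
    return {
        # Server "Custom Configuration": push the server LAN to the client and
        # tell OpenVPN to route the client LAN into the tunnel.
        "server_custom": [
            f'push "route {s_lan.network_address} {s_lan.netmask}"',
            f"route {c_lan.network_address} {c_lan.netmask}",
        ],
        # Server "Manage Client-Specific Options" row; OpenVPN implements it as
        # an iroute for the connecting CN, which must match the exported cert.
        "client_specific": {"cn": client_cn, "subnet": str(c_lan.network_address),
                            "mask": str(c_lan.netmask)},
        "ccd_directive": f"iroute {c_lan.network_address} {c_lan.netmask}",
        # Kernel route the nat-start script adds on the server: the next hop is
        # the client's tunnel address, not its LAN address.
        "server_kernel_route": (f"route add -net {c_lan.network_address} "
                                f"netmask {c_lan.netmask} gw {client_tunnel_ip}"),
    }


if __name__ == "__main__":
    for key, val in site_to_site_config("192.168.53.0/24", "192.168.51.0/24",
                                        "10.100.100.0/24").items():
        print(key, val)
```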
### Confusion:

The problem is that from the server I cannot access the LAN on the client side without adding a route via the JFFS scripts folder using the "nat-start" script.

```bash
#!/bin/sh
# https://github.com/RMerl/asuswrt-merlin.ng/wiki/User-scripts
# nat-start runs on the server router whenever the firewall/NAT rules are (re)applied.
# It (re)installs the kernel route for the client LAN (192.168.51.0/24) via the
# client's tunnel address (10.100.100.2).
DATE=$(date +"%Y-%m-%d-%H%M%S")
echo "deleting the route to router if it exists" $DATE >> /tmp/nat-start.log
route delete -net 192.168.51.0 netmask 255.255.255.0 gw 10.100.100.2
echo "done deleting the route" $DATE >> /tmp/nat-start.log
echo "adding route to router" $DATE >> /tmp/nat-start.log
route add -net 192.168.51.0 netmask 255.255.255.0 gw 10.100.100.2
echo "done adding route to router" $DATE >> /tmp/nat-start.log
```

#### References:

- [https://medium.com/@kylemattimore/asuswrt-merlin-openvpn-tunnel-site-to-site-69b9011b079a](https://medium.com/@kylemattimore/asuswrt-merlin-openvpn-tunnel-site-to-site-69b9011b079a)
- [https://www.senia.org/2018/03/12/router-to-router-vpn-tunnel-using-asus-routers/](https://www.senia.org/2018/03/12/router-to-router-vpn-tunnel-using-asus-routers/)
- [https://www.asus.com/us/support/faq/1011706/](https://www.asus.com/us/support/faq/1011706/)