
Asus - OpenVPN Site to Site or Point to Point

ASUS Asuswrt Merlin

Most of the documents online are missing steps, or the people writing them assume that whoever is setting this up is a network traffic wizard.

GOAL:

With one of the Asus routers being the server and the other being a client, we want to be able, from either side, to hit the IPs or hostnames of any device on either LAN.

Both Routers:

VPN Type: TUN, as TAP may be overkill for this case

Protocol: UDP

Static Routes: both routers

When you export the OpenVPN certificates from the router (as opposed to supplying your own), they have the CN set to 'client'. This is relevant (and confusing) for the server config, because our other router is a client whose CN is literally 'client'.

Server:

ASUS RT-AC5300 with 192.168.53.1/24

Interface Type: TUN / TAP
Protocol: TCP / UDP
Server Port: (Default: 1194)
Authentication Mode: TLS / Static Key
Keys and Certificates
Username/Password Authentication: Yes / No
TLS control channel security (tls-auth / tls-crypt)
HMAC Authentication
VPN Subnet / Netmask
Advertise DNS to clients: Yes / No
Data ciphers
Compression
Log verbosity: (Between 0 and 6. Default: 3)
Manage Client-Specific Options: Yes / No
Allow Client <-> Client: Yes / No
Allow only specified clients: Yes / No
Allowed Clients:
  Common Name (CN)   Subnet         Mask            Push
  client             192.168.51.0   255.255.255.0   Yes
Custom Configuration:
  reneg-sec 432000
  push "route 192.168.53.0 255.255.255.0"
  route 192.168.51.0 255.255.255.0

Custom Explained:

reneg-sec 432000                          # optional: TLS renegotiation interval in seconds
push "route 192.168.53.0 255.255.255.0"   # server LAN subnet, pushed to the client router
route 192.168.51.0 255.255.255.0          # client LAN subnet, kernel route on the server

Export the .ovpn files from the new server config

Client:

ASUS RT-AC5300 with 192.168.51.1/24

Import .ovpn config file exported from server, to set the certificates and some of the basic settings.

Select client instance
Service state
Automatic start at boot time: Yes / No
Description
Import .ovpn file
Network Settings
  Interface Type: TUN / TAP
  Protocol: TCP / UDP
  Server Address and Port: XXXXXXX.asuscomm.com
  Create NAT on tunnel: Yes / No (Routes must be configured manually.)
  Inbound Firewall: Block / Allow
  Accept DNS Configuration
  Redirect Internet traffic through tunnel
Authentication Settings
  Authentication Mode: TLS / Static Key
  Username/Password Authentication: Yes / No
Crypto Settings
  Keys and Certificates
  Data ciphers
  TLS control channel security (tls-auth / tls-crypt)
  Auth digest
Advanced Settings
  Log verbosity: (Between 0 and 6. Default: 3)
  Compression
  TLS Renegotiation Time: (in seconds, -1 for default)
  Connection Retry attempts: (0 for infinite)
  Verify Server Certificate Name
Custom Configuration:
  resolv-retry infinite
  float
  keepalive 15 60
  remote-cert-tls server

Enable "Automatic start at boot time".

Turn on the client VPN

Server Connection:

OpenVPN Server 2 - Running

Clients
  Common Name  Username  Real Address            Virtual Address  MBytes Received  MBytes Sent  Connected Since
  client                 XXX.XXX.XXX.XXX:47361   10.100.100.2     7305.28          2561.14      2024-12-22 09:49:57

Routes
  Virtual Address   Common Name  Real Address            Last Ref
  192.168.51.217C   client       XXX.XXX.XXX.XXX:47361   2024-12-22 11:03:29
  192.168.51.1C     client       XXX.XXX.XXX.XXX:47361   2024-12-22 11:03:31
  192.168.51.15C    client       XXX.XXX.XXX.XXX:47361   2024-12-22 11:03:36
  10.100.100.2      client       XXX.XXX.XXX.XXX:47361   2024-12-22 11:03:50
  192.168.51.109C   client       XXX.XXX.XXX.XXX:47361   2024-12-22 11:03:28
  192.168.51.145C   client       XXX.XXX.XXX.XXX:47361   2024-12-22 11:03:50
  192.168.51.10C    client       XXX.XXX.XXX.XXX:47361   2024-12-22 11:03:31
  192.168.51.101C   client       XXX.XXX.XXX.XXX:47361   2024-12-22 11:03:25
  192.168.51.140C   client       XXX.XXX.XXX.XXX:47361   2024-12-22 11:03:40
  192.168.51.9C     client       XXX.XXX.XXX.XXX:47361   2024-12-22 11:03:50
  192.168.51.23C    client       XXX.XXX.XXX.XXX:47361   2024-12-22 11:03:44

Confusion:

The problem is that from the server I cannot access the LAN on the client side without adding a route via the JFFS scripts folder, using the "nat-start" script.

#!/bin/sh
# https://github.com/RMerl/asuswrt-merlin.ng/wiki/User-scripts
# nat-start: Asuswrt-Merlin runs this whenever it (re)applies its NAT/firewall rules.
# It re-adds the kernel route for the client-side LAN (192.168.51.0/24) via the
# client router's tunnel address (10.100.100.2), so the server LAN can reach it.
DATE=$(date +"%Y-%m-%d-%H%M%S")
LOG=/tmp/nat-start.log
echo "deleting the route to router if it exists $DATE" >> "$LOG"
# 'del' is accepted by both BusyBox and net-tools route; errors (route absent) are ignored
route del -net 192.168.51.0 netmask 255.255.255.0 gw 10.100.100.2 2>/dev/null
echo "done deleting the route $DATE" >> "$LOG"
echo "adding route to router $DATE" >> "$LOG"
route add -net 192.168.51.0 netmask 255.255.255.0 gw 10.100.100.2
echo "done adding route to router $DATE" >> "$LOG"
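To make the "Confusion" above concrete: reaching the client LAN from the server needs a kernel route on the server (the route directive, or the nat-start script) and an OpenVPN iroute tied to the client's CN (what the Allowed Clients row provides), while the server LAN must be pushed to the client. The following checker is an added example, not code from the post or from Asuswrt-Merlin; the ccd entry it feeds in is a constructed assumption about what the Allowed Clients row generates, and the tunnel subnet 10.100.100.0/24 is assumed from the virtual address 10.100.100.2 shown in the status page.

```python
import ipaddress
import shlex

# Constructed sample (hypothetical, not read from a router): the server's Custom
# Configuration from the post, plus the client-specific (ccd) entry that the
# "Allowed Clients" row (CN client, 192.168.51.0/24) is assumed to generate.
SERVER_CUSTOM = """
reneg-sec 432000
push "route 192.168.53.0 255.255.255.0"   # server LAN, pushed to the client
route 192.168.51.0 255.255.255.0          # client LAN, kernel route on the server
"""
CCD_OK = {"client": "iroute 192.168.51.0 255.255.255.0"}

def parse_directives(text):
    """Split OpenVPN config text into (directive, args) pairs, honouring quotes."""
    lines = (l.split("#", 1)[0].strip() for l in text.splitlines())
    return [(p[0], p[1:]) for p in map(shlex.split, lines) if p]

def networks(directives, name):
    """Subnets named by 'route', 'iroute', or (name='push-route') pushed routes."""
    nets = set()
    for d, args in directives:
        if d == "push" and args:                       # push "route NET MASK"
            inner = shlex.split(args[0])
            if inner[:1] == ["route"]:
                d, args = "push-route", inner[1:]
        if d == name and len(args) >= 2:
            nets.add(ipaddress.ip_network(f"{args[0]}/{args[1]}", strict=False))
    return nets

def check_site_to_site(server_cfg, ccd, server_lan, client_lan, vpn_net):
    """Return a list of findings; an empty list means the routing pieces line up."""
    server_lan, client_lan, vpn_net = map(ipaddress.ip_network, (server_lan, client_lan, vpn_net))
    srv = parse_directives(server_cfg)
    findings = []
    for a, b in ((server_lan, client_lan), (server_lan, vpn_net), (client_lan, vpn_net)):
        if a.overlaps(b):
            findings.append(f"overlapping subnets: {a} and {b}")
    if server_lan not in networks(srv, "push-route"):
        findings.append(f"server LAN {server_lan} is not pushed to the client")
    if client_lan not in networks(srv, "route"):
        findings.append(f"no kernel 'route' on the server for client LAN {client_lan}")
    iroutes = set().union(*(networks(parse_directives(c), "iroute") for c in ccd.values()))
    if client_lan not in iroutes:
        findings.append(f"no 'iroute' for {client_lan}: OpenVPN cannot map that LAN to a client")
    return findings

if __name__ == "__main__":
    print(check_site_to_site(SERVER_CUSTOM, CCD_OK, "192.168.53.0/24",
                             "192.168.51.0/24", "10.100.100.0/24") or "routing looks consistent")
```

Running it with an empty ccd entry reproduces the one-way symptom from the post (server LAN reachable from the client, client LAN not mapped on the server) as a single finding.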

References:

https://medium.com/@kylemattimore/asuswrt-merlin-openvpn-tunnel-site-to-site-69b9011b079a

https://www.senia.org/2018/03/12/router-to-router-vpn-tunnel-using-asus-routers/