Connecting two ASUS routers together via openvpn - weird result

whitenack

Jun 26, 2012
I'll admit, I'm a complete noob regarding VPNs and just one tier above novice when it comes to networking, but I wanted to share my experience below and see if anyone had a comment.

I'll try to make this as brief as possible while still providing enough details.

I have two locations (home and office) and two asus routers (AC66U & AC68U). I have the AC68U at the office and have it set up as a VPN server. Up to this point, I have just logged into the office router via the computer I am on through the openvpn client software. This has worked fine, but there are reasons that make me want to try making the vpn connection at the router level, and connect both networks together.

So, last night I take my office laptop home with me to help set up the vpn client settings on the home router. I made the connection and was able to ping the office server from home and was pleased with how easy that went.

Then this morning, I come back to the office with my office laptop and something isn't right. I am unable to connect to the office network. I try all the usual troubleshooting techniques, but can't figure it out. Finally I think to check my IP address. After running ipconfig, I see that I have an IP address consistent with my home network (192.x.x.x) instead of my office network (10.x.x.x). I try to log into my office router to check my settings, but it says it can't find that address. So, I enter the IP address of my home router, and it connects right away. I check my network list and see my laptop listed on the list of connected devices. I disconnect the VPN, then go through the troubleshooting steps of reconnecting to my office domain and am successful.

For some reason the laptop held onto its connection to the home network through the VPN to the office. Is this the way it is supposed to be?
 
So when you use the OpenVPN client you end up getting 2 IP addresses: the home network IP and an IP from your office for the VPN connection.

When you use the 2 routers like you are doing, your router ends up getting a 10.x.x.x WAN IP address, but the computers connected to the home router only get a 192.168.x.x address.

Thus to connect properly to your work network your work laptop needs to get an IP address in the same subnet as your work.
You can either set your home network to use the same subnet (but make sure there is no overlapping address, and make the home router be at .254 and not at .1); or you can use a VLAN and use static addressing for the router's DHCP to put your laptop into that VLAN (and also best to tell it to use your VPN, and not WAN, at home).
 
Thanks for the reply. If I understand you correctly (again forgive me for being a noob), your first suggestion was to change my DHCP settings on my home router to the same as my office, just not the same set of numbers? So, if my office is 10.x.x.50-254, you suggest doing something like 10.x.x.255-354.

The reason I am doing this is because I have a mirrored server in my basement at home for disaster planning. That server needs to stay connected to my office network. Before this, I have just connected the mirrored server to the VPN directly, but this can be problematic if there are reboots or connection problems; I have to go back into the mirror server and reconnect. And I don't always know there is a problem, so I have to keep checking periodically. I figured a router-to-router connection would be easier and more reliable. If there is an easier way to do what I am needing, I'm open to suggestions.
 
For the most part yes.

You can't use .255-.354 because each set (called an octet) only goes up to 255. It is called an octet because it uses 8 binary bits and thus can only go from 0-255.
Since .255 is reserved as the broadcast address, this means you really only have from .2-.254 as usable addresses.

My advice is to first and foremost have all servers, access points and primary equipment have a static IP (or at least router assigned IP) outside of the DHCP Pool.
So have office router on .1, and that equipment on .2-.49.
Then have office DHCP pool from say .50-.149
Then have home DHCP from .201 to say .229.
Have your home server and laptop in say the .230s
Have your home router as .254

At least with ASUSMerlin (can't remember if you can with factory firmware) you can set which computers use VPN and which ones use WAN, although this will not prevent local traffic from running at the LAN level.
Thus I highly suggest, after you get everything working, you invoke custom firewall rules, which have to be done via command line in ASUSMerlin.
Set it so that IPs from the office cannot communicate with ones at home and vice versa (except the specific ones you want to work).


Ideally the proper way to do this is with VLANs. Unfortunately this is one of the few areas where ASUSMerlin is lacking.
One possibility for long term you may look into is using your asus routers as access points and getting ubiquiti edgelite routers at both ends. These are very robust for the price tag and have full business features.
At office you would have the office vlan, and vpn vlan; then at home have your home vlan and vpn vlan (vpn vlan being the same subnet at both).
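A quick check of the shared-subnet address plan laid out in this reply, as an added example that is not part of the thread: it flags octet values outside 0-255, the network and broadcast addresses, and any overlap between the office and home ranges. The 10.0.0.0/24 subnet and the .230-.239 range for the home hosts are assumptions standing in for the poster's real values.

```python
import ipaddress
from itertools import combinations

# Constructed placeholder for the office's 10.x.x.0/24; the plan assumes a /24.
NET = ipaddress.ip_network("10.0.0.0/24")
assert NET.prefixlen == 24

# (role, first host octet, last host octet) -- the allocation suggested above.
# The home server/laptop range (.230-.239) is an assumed reading of "the .230s".
PLAN = [
    ("office router", 1, 1),
    ("office static equipment", 2, 49),
    ("office DHCP pool", 50, 149),
    ("home DHCP pool", 201, 229),
    ("home server and laptop", 230, 239),
    ("home router", 254, 254),
]


def plan_problems(plan):
    """Return human-readable problems with a /24 plan; an empty list means it is clean."""
    problems = []
    for name, lo, hi in plan:
        if lo > hi:
            problems.append(f"{name}: range .{lo}-.{hi} is reversed")
        for n in (lo, hi):
            # An octet is 8 bits, so only 0-255 exists at all ...
            if not 0 <= n <= 255:
                problems.append(f"{name}: .{n} is not a valid octet value (0-255)")
            # ... and .0 / .255 are the network and broadcast addresses of a /24.
            elif n in (0, 255):
                problems.append(f"{name}: .{n} is the network or broadcast address")
    # Only well-formed host ranges take part in the overlap check.
    usable = [(name, lo, hi) for name, lo, hi in plan if 0 < lo <= hi < 255]
    for (a, alo, ahi), (b, blo, bhi) in combinations(usable, 2):
        if alo <= bhi and blo <= ahi:
            problems.append(f"{a} (.{alo}-.{ahi}) overlaps {b} (.{blo}-.{bhi})")
    return problems


if __name__ == "__main__":
    for p in plan_problems(PLAN) or ["plan is clean"]:
        print(p)
```

Feeding it the originally proposed `.255-.354` home range reproduces both objections from the reply (broadcast address and an octet that does not exist).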
 


Thanks for the responses and the information. This is helpful. I set up the home network with the same subnet and got things working. Now that things are working, I see what you mean about a vlan being the best suggestion. I'm not sure I like the idea of both networks being completely visible from both sides. Really, all I need is the backup server to connect to the vpn. I had hopes of being able to run all my home traffic through the vpn for privacy, but my internet speeds are too slow to make that work. So, since I just need the home server to be on the VPN, I need to decide whether to just do the ASUSMerlin research (I don't see the option on stock firmware) and leave everything visible on both sides or do the research of vlan to separate everything out.

Thanks again for the information.
 
Adding asus merlin is very easy, you simply download the file, go into the stock firmware, point to the file and install.
Nothing like the kind of hackery you have to do to get dd-wrt working on some routers.

You can get VLANs to work with asusmerlin, but it is not very straightforward, and since you are talking about company data, if you want to go that route the much more reliable route is to use the right "tool" for the job.
With asus merlin though you can separate those specific systems to use the VLAN over WAN interface.
You will have to SSH (using putty) into the router to create custom firewall rules in asus merlin to block the work computers from home and vice versa.
 
Solution