OpenVPN Asus RT-AX86U does not work

And the NVR uses your Router at 192.168.21.1 as its Gateway?
 
The NVR is static 192.168.21.xxx
OK. That makes sense.

The VPN can only "see" those local subnets that you have specifically set up. I am unsure of your exact VPN settings, but hopefully there is a setting where you can specify all of the subnets you want to be able to access over the VPN. (192.168.1.0/24 AND 192.168.21.0/24 for example). If there is no setting like this, then the system might simply default to the single subnet that the router is found on (192.168.1.0/24). This would explain why you cannot communicate with the 192.168.21.x devices.

So long story short, review your VPN settings and see if there is a setting that says something like "allowed network" or "local network" that is currently set for 192.168.1.0/24 and modify that field to also include 192.168.21.0/24. Usually you just put a comma in between each subnet you want to enter and you can enter as many as you need for your situation.
 
Honestly I am a little confused by these subnets. I'm not sure what you have set up on purpose and what might be an error. Is the NVR set up on a different network subnet as the rest of your network? (If so, that is something I address below).

That being said, there are three network subnets (more if you use VLANs) in play when you use a VPN, and you need to understand how they relate and interact with each other.

First you have your local network. As I noted above I am a little unsure if it is set up as a 192.168.21.0/24 network or a 192.168.1.0/24 network, or both because you have set up a VLAN or are trying to keep your CCTV devices separate from the rest of the network. However if your local network has more than one subnet (which it would if you are using VLANs) you need to specify both/all subnets that you want to be able to access across the VPN. If you only entered 192.168.1.0/24 in this particular setting, then nothing on 192.168.21.0/24 would be available across the VPN, even if you can normally access it from the 1.0 network when you are on the local network. If you aren't intending to use two different network subnets on your local network, then it seems there might be some unresolved core network issues that need to be solved at the "local" level before you attempt to continue with the VPN.

Second you have the "tunnel" subnet. This is a network that is created by the VPN service for the sole purpose of connecting the two ends (local and remote) together. You should be able to enter the subnet you want to use for this "tunnel" as part of the VPN settings.

Third, you have the "remote" network that your device is on. It might be a cellular network, or a network at work, or another house, etc, etc, etc.

All three of these networks have to be on different subnets. You can control the first two subnets, but you really can't control the "remote" network subnet. For example, if you find yourself at someone's home that uses the same network subnet that you use at your home (192.168.1.0/24 for example), you will run into issues. Obviously 192.168.1.0/24 and 192.168.0.0/24 networks are the two most commonly used "default" networks on "residential grade" routers. Therefore it might be smart for you to choose a more random network subnet for your local network to prevent potential conflicts in the future when you find yourself on a residential network that has been set up on its "default" settings.

I don't follow everything you wrote, but on purpose I changed the configuration of my home network from the default of 192.168.1.1. I have a mixture of static and dynamic and all my devices connect and work with the 192.168.not one network. Not one being that I changed it from the default to what I wanted.

I don't understand the 192.168.1.0/24 what is the 0/24 ?
 
0/24=
.1 - .254
 
/24 is another way of writing the subnet mask. It defines how large a network is. So 192.168.1.1 with a subnet mask of 255.255.255.0 is the same thing as 192.168.1.0/24. It's obviously easier to write out 192.168.1.0/24. A /24 (255.255.255.0) network is the most commonly used size for residential networks and it's the only network size that most non-IT people think exists. Truth is there is a wide range of network sizes.

Also, please note that when I say 192.168.1.0 network, the first usable IP address of that network is 192.168.1.1, which is what most non-IT people think the network is really called. 192.168.1.0 is actually the correct network definition, while 192.168.1.1 is just the first usable IP address of that network, which is why most people assign their routers to that 192.168.1.1 address.

Because writing it as 192.168.1.0/24 tells the system both the address range and network size, this is generally how you write out network subnets in setup GUIs, etc. Otherwise you would have to write out both the address starting point (192.168.1.1) and the subnet mask (255.255.255.0).

This might help explain it. Subnet Cheat Sheet | Subnet Ninja
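As an added illustration (not from any poster in this thread), a small Python script that expands the /24 notation described above and checks the two subnet questions raised earlier in the thread: whether a device address falls inside the comma-separated "allowed networks" list, and whether the local, tunnel and remote subnets collide. The 10.8.0.0/24 tunnel subnet and the sample addresses are constructed for the example.

```python
import ipaddress


def describe_cidr(cidr):
    """Expand a CIDR string into the pieces the thread talks about.

    strict=False lets '192.168.1.1/24' (router address plus mask) be
    accepted and normalised to the network definition 192.168.1.0/24.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    # /31 and /32 have no usable host range in the classic sense
    hosts = list(net.hosts()) if net.prefixlen < 31 else []
    return {
        "network": str(net.network_address),
        "netmask": str(net.netmask),            # /24 -> 255.255.255.0
        "prefixlen": net.prefixlen,
        "first_usable": str(hosts[0]) if hosts else None,
        "last_usable": str(hosts[-1]) if hosts else None,
        "usable_hosts": len(hosts),            # 254 for a /24
    }


def in_any_subnet(subnets_csv, ip):
    """True if ip sits inside one of the comma-separated subnets.

    Use it for the router's 'allowed local networks' field (is the NVR's
    address routed over the VPN?) and for a device-side allow-list such as
    Blue Iris (is the VPN client's tunnel address permitted?).
    """
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(s.strip(), strict=False)
               for s in subnets_csv.split(",") if s.strip())


def overlapping(subnets):
    """Return every pair of subnets that overlap; local, tunnel and remote
    networks must all be different for VPN routing to work."""
    nets = [ipaddress.ip_network(s, strict=False) for s in subnets]
    return [(str(a), str(b))
            for i, a in enumerate(nets)
            for b in nets[i + 1:] if a.overlaps(b)]


if __name__ == "__main__":
    print(describe_cidr("192.168.1.1/24"))
    # NVR on 192.168.21.x is unreachable unless its subnet is listed
    print(in_any_subnet("192.168.1.0/24", "192.168.21.50"))
    print(in_any_subnet("192.168.1.0/24, 192.168.21.0/24", "192.168.21.50"))
    # remote network using the same default subnet as home (constructed)
    print(overlapping(["192.168.1.0/24", "10.8.0.0/24", "192.168.1.0/24"]))
```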
 

Answer this please....
Why can I get to the Asus router IP webpage or GUI? Why can I get to my Z wave system GUI? I can ping other devices but not the NVR. Ok, I just tried to ping my desktop and it would not ping.

I changed my Asus Router IP back to 192.168.1.xx and I changed the NVR static IP back to 192.168.1.xx. BigRedFish asked about the Gateway, and yes, I changed that back to 192.168.1.1. Next, I created a new OpenVPN configuration file and loaded it on my iPhone, and it does the same thing: times out and does not connect. That should tell all of us that my different IP was not causing the issue, correct?

Does the Preferred DNS and Alternate DNS play a role in this? What should they be set to?
 
You'd have to draw a diagram for me to understand your setup. LOL.

I hate to be such a simpleton but my router's LAN IP is 192.168.1.1 and my devices are all automatically assigned an IP address between 192.168.1.100 - 199 unless I use DHCP to set a static address for them starting at 192.168.1.200. My BI computer (my NVR if you will) is set to 192.168.1.200.

 
Answer this please....
Why can I get to the Asus router IP webpage or GUI?

Haven't followed the rest of the thread, but generally you need to have remote admin turned on in the router's setup in order to access it remotely. But in most cases you don't want to leave things set that way. There have been some exploits that take advantage of that.

The way that the Asus (and others) firewall works re VPN is that you don't truly have an internal IP. You have what's typically a 10.x.x.x address that the router internally routes to the 192.168.x.x subnet. The firewall evaluates the IP address before that routing so it sees the remote VPN address as external traffic vs internal. Same will apply if you block your cam from the Internet. You won't be able to access them remotely even with a 192.168.x.x address for the same reason.
 
Using my example above I am able to open the router's GUI in a browser by going to 192.168.1.1 while connected to my local network. And if I'm on the cell phone network (WiFi turned off) I would turn on OpenVPN to connect to my local network then open a browser on my cell phone and go to 192.168.1.1 to open the router's GUI and if you can do that we can say that OpenVPN is working just fine.
 
@BruceWayne007 Is this what your VPN GUI looks like? [VPN] How to set up a VPN server on ASUS router – OpenVPN | Official Support | ASUS Global

Those seem like pretty easy instructions. I would ask that now that you have everything on a 192.168.1.1 network, that you restart the VPN process from scratch following those instructions and see if it works.
Please see post #47



Interface 1 : Please refer to the following steps to set up OpenVPN Server (support routers with firmware later than 3.0.0.4.388.xxxx (including))
I think MikeA's answer to that post is probably the most accurate. It sounds like he has first hand knowledge about the ASUS device and how it handles VPNs.

Unfortunately I don't have any experience with the ASUS devices, and it is clear that they have "dumbed down" the options in an effort to keep everything simple. The downside to this simplicity is that the system is making assumptions that might be preventing you from using the VPN as you desire.

However, Mike's post does remind me that for devices that have a pseudo-firewall built into them, you may have to put in the VPN tunnel's address in order to access the device over the VPN. For example, Blue Iris has an optional safety feature that blocks outside connections. If this is turned on, and you haven't added the VPN tunnel network as an "allowed" network connection, you cannot access BI over the VPN. If you add the tunnel network to the allowed list or turn that feature off completely, then it works just fine. It's possible that your NVR has a similar safety feature.
 
It's been forever since I've done anything with the Asus so don't put too much faith in that. That was how it worked in the past. Not sure about now. That said, you should not have to explicitly open ports or anything for the VPN itself. Asus does that when you turn on the VPN based on whatever port you enter on that setup page. From there once connected, you should be able to hit any internal address unless it's otherwise blocked in some way, either on the network or device side. You shouldn't have to explicitly OPEN anything on the router to access local clients. At least that's how it was and I'm pretty sure that much has stayed. Unfortunately I no longer have an Asus router working now to check things against.
 
I have changed the Router and Router VPN settings and tried different things and eventually I could not get the OpenVPN app on my iPhone to connect, so I reset the Asus Router. I configured the wireless and a few things but left all the other settings factory, made a new OpenVPN configuration file and I connected.

It does the same thing, times out when off my local network and connected with OpenVPN.
 
Reading back through the thread, so it's only your iPhone that has a problem? Other clients connecting over the VPN remotely work OK?
 
Welp, if you want to try one more time a different way then....

(1) Factory reset it
(2) Install the latest Merlin f/w
(3) Setup WiFi network so you can connect with your phone
(4) Setup your DDNS for your ISP's dynamic IP assignment
(5) Setup your OpenVPN (already posted screenshots) on your router and of course your phone
(6) Try THIS