Asuswrt-Merlin OpenVPN tunnel, site to site
This took quite a lot of finagling, so documenting what worked:
Goals: a single certificate-only VPN tunnel so the two LANs can reach each other, with as little NAT as possible. Any local IP in subnet A can reach any local IP in subnet B through the router, without needing to know that it is going over a VPN tunnel, and vice versa.
Both Routers
VPN Type: TUN (TAP seemed overkill for this case)
Protocol: UDP
Match IP/address, port and the other non-Asus-specific OpenVPN settings on both sides
Enable Static Routes in (both?) router settings
When you export the OpenVPN certificates from the router (instead of supplying your own), they have the CN set to ‘client’. This matters for the server config, and is confusing, because our other router is then a client named ‘client’.
Server
Example: Asus RT-AC86U with LAN 10.36.5.1/24
VPN Subnet / Netmask: pick something new that doesn’t conflict with either LAN (this is the subnet of the internal VPN interface)
Manage Client-Specific Options: yes
Allow Client <-> Client: yes
Add a client-specific entry for the client named ‘client’ (the other router). This may be redundant with one of the custom config lines; not sure.
Custom config:
reneg-sec 432000 # optional: renegotiate the data-channel key every 432000 s (5 days) instead of OpenVPN's default of 3600 s
push "route 10.36.5.0 255.255.255.0" # server LAN subnet, pushed to the client so it sends that subnet into the tunnel
route 10.43.65.0 255.255.255.0 # client LAN subnet: kernel route on the server that sends it into the tunnel
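To show how the three server-side pieces fit together, here is an added example (not from the original page or from Asuswrt-Merlin) that first checks the tunnel subnet against both LANs for overlap, then emits the `route`, `push "route …"` and per-client `iroute` lines for the two LANs above. It assumes the GUI's client-specific subnet entry is what produces OpenVPN's `iroute` for that CN, and the tunnel subnet 10.8.0.0/24 is a constructed value.

```python
"""Plan a certificate-only OpenVPN site-to-site tunnel between two routers.

Constructed example for the two LANs on this page (10.36.5.0/24 and
10.43.65.0/24). Checks that the tunnel subnet does not collide with either
LAN and emits the server-side lines: the kernel 'route' for the client LAN,
the 'push route' that tells the client about the server LAN, and the
client-specific 'iroute' that OpenVPN needs so it knows which connected
client owns the remote LAN (assumed to be what the router GUI's
client-specific subnet entry generates).
"""
import ipaddress


def overlapping_pairs(*cidrs):
    """Return [(a, b), ...] for every pair of the given networks that overlap."""
    nets = [ipaddress.ip_network(c, strict=True) for c in cidrs]
    pairs = []
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                pairs.append((str(a), str(b)))
    return pairs


def site_to_site_plan(server_lan, client_lan, vpn_subnet, client_cn="client"):
    """Return the server custom-config lines and the per-client (ccd) lines.

    Raises ValueError when any two of the three subnets overlap, because a
    colliding tunnel subnet silently breaks routing on one side.
    """
    clashes = overlapping_pairs(server_lan, client_lan, vpn_subnet)
    if clashes:
        raise ValueError(f"subnets overlap: {clashes}")
    s = ipaddress.ip_network(server_lan)
    c = ipaddress.ip_network(client_lan)
    server_custom = [
        # kernel route on the server: traffic for the client LAN goes into the tunnel
        f"route {c.network_address} {c.netmask}",
        # tell the connecting client how to reach the server LAN
        f'push "route {s.network_address} {s.netmask}"',
    ]
    ccd = {
        # OpenVPN-internal route: the client with this CN owns the client LAN
        client_cn: [f"iroute {c.network_address} {c.netmask}"],
    }
    return {"server_custom": server_custom, "ccd": ccd}


if __name__ == "__main__":
    plan = site_to_site_plan("10.36.5.0/24", "10.43.65.0/24", "10.8.0.0/24")
    print("\n".join(plan["server_custom"]))
    for cn, lines in plan["ccd"].items():
        print(f"ccd/{cn}: " + "; ".join(lines))
```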
Client
Example: Asus RT-AX3000 with LAN 10.43.65.1/24
- Import the .ovpn config file exported from the server; this sets the certificates and some of the basic settings.
- Inbound Firewall = Allow
- Create NAT on tunnel = No
- Leave Username/Password authentication disabled
After connecting, you can see the route pushed from the OpenVPN config in each router’s routing table page, and on the server’s VPN status page.
References:
https://www.senia.org/2018/03/12/router-to-router-vpn-tunnel-using-asus-routers/