OpenVPN Networking

I'm wanting to connect 2 subnets via an OpenVPN. The Client Router is running OpenWrt 24.10.0, r28427-6df0e3d02a and is connected to a Virgin Router and is acting as a AP

My local LAN/Wireless subnet is 10.200.0.0 255.255.0.0 - The server VPN address is 10.16.0.1

The Client Router WAN subnet is 192.168.0.0 255.255.255.0 as assigned by the Virgin Router - The client VPN address is 10.16.0.2

What I don't seem to be able to do is ping anything on the 192.168.0.0 subnet from the 10.200.0.0 subnet.

I can ping 10.16.0.2 and SSH to the OpenWRT router from a device on the 10.200.0.0 subnet.

I have added a route custom command to the server ovpn file and have tried

route 192.168.0.0 255.255.255.0

and

route 192.168.0.0 255.255.255.0 10.16.0.2

The server and client routing tables look correct and after SSH to the OpenWRT router I can ping anything on the 10.200.0.0 subnet.

I am using PBR for DNS and also domain based for routing some traffic over the VPN.

I have a suspicion I haven't done something I need to do to allow the traffic in the Firewall settings. Any suggestions?

Most likely some routing asymmetry or misconfigured PBR, we'll need some diagram of the connections and the configs to understand better.

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:

Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
uci export network; uci export pbr; \
uci export dhcp; uci export firewall; uci export openvpn; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru

To connect from OpenVPN server side to client side you need to use the CCD files with iroute command.

It is much easier and faster to setup a site-to-site connection (two traffic) with WireGuard instead of OpenVPN so consider using WireGuard.

If you really want to use OpenVPN I have to dig up my notes but I am working on other projects so have little time the coming days

For symmetric routing to work when running the VPN server in a machine that is not the network's main router, you have to configure a static route into the main router to tell it how to reach the remote LAN (and road warrior tunnel IPs, if used). This requirement is the same regardless of the VPN program used.

The configuration depends on the main router's OS of course but it would look something like 192.168.0.0/24 via 10.200.a.b where a and b are the local LAN address of the VPN server. It has to be entered by number so set up a DHCP reservation for the OpenWrt box so it stays the same.
If there is more than one remote site do this for each one. The various LAN subnets cannot conflict, although since the first hop is the same VPN server you could have the main router route one larger subnet that covers all the remote sites.

Here is a simple overview of the networks connected via the OpenVPN with the red connections showing the working VPN

Screenshot 2025-03-17 at 09.16.572256×1276 172 KB

The results of the commands on the OpenWRT

{
	"kernel": "6.6.73",
	"hostname": "GL-AR300M",
	"system": "Qualcomm Atheros QCA9533 ver 2 rev 0",
	"model": "GL.iNet GL-AR300M (NOR)",
	"board_name": "glinet,gl-ar300m-nor",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "24.10.0",
		"revision": "r28427-6df0e3d02a",
		"target": "ath79/nand",
		"description": "OpenWrt 24.10.0 r28427-6df0e3d02a",
		"builddate": "1738624177"
	}
}

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'xxxxx'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option isolate '0'
	option ipaddr '10.201.1.254'
	option delegate '0'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'
	option ipv6 '0'
	option classlessroute '0'
	option metric '10'
	option delegate '0'
	option hostname '*'
	option peerdns '0'
	list dns '8.8.8.8'

config interface 'wan6'
	option proto 'dhcpv6'
	option disabled '1'
	option device '@wan'

config rule 'policy_relay_lo_rt_lan'
	option lookup '16800'
	option in 'loopback'
	option priority '1'

config interface 'tethering6'
	option proto 'dhcpv6'
	option disabled '1'
	option device '@tethering'

config interface 'wwan6'
	option proto 'dhcpv6'
	option disabled '1'
	option device '@wwan'

config interface 'guest'
	option force_link '1'
	option proto 'static'
	option ipaddr '192.168.9.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option multicast_querier '1'
	option igmp_snooping '0'
	option isolate '0'
	option bridge_empty '1'
	option disabled '1'
	option device 'br-guest'

config interface 'wwan'
	option proto 'dhcp'
	option classlessroute '0'

config interface 'modem_1_1_2_6'
	option proto 'dhcpv6'
	option disabled '1'
	option device '@modem_1_1_2'

config rule 'policy_direct_rt'
	option lookup 'main'
	option suppress_prefixlength '0'
	option priority '1100'

config rule 'policy_default_rt_vpn'
	option mark '0x8000/0xc000'
	option lookup '8000'
	option priority '1101'
	option invert '1'

config rule6 'policy_direct_rt6'
	option lookup 'main'
	option suppress_prefixlength '0'
	option priority '1100'

config rule6 'policy_default_rt_vpn6'
	option mark '0x8000/0xc000'
	option lookup '8000'
	option priority '1101'
	option invert '1'

config device
	option name 'br-guest'
	option type 'bridge'

config interface 'openvpn'
	option proto 'none'
	option device 'tun0'
	option delegate '0'
	option force_link '1'

config pbr 'config'
	option enabled '1'
	option verbosity '2'
	option strict_enforcement '1'
	option resolver_set 'dnsmasq.nftset'
	list resolver_instance '*'
	option ipv6_enabled '0'
	list ignored_interface 'vpnserver'
	option boot_timeout '30'
	option rule_create_option 'add'
	option procd_reload_delay '1'
	option webui_show_ignore_target '0'
	option nft_rule_counter '0'
	option nft_set_auto_merge '1'
	option nft_set_counter '0'
	option nft_set_flags_interval '1'
	option nft_set_flags_timeout '0'
	option nft_set_policy 'performance'
	list webui_supported_protocol 'all'
	list webui_supported_protocol 'tcp'
	list webui_supported_protocol 'udp'
	list webui_supported_protocol 'tcp udp'
	list webui_supported_protocol 'icmp'

config include
	option path '/usr/share/pbr/pbr.user.aws'
	option enabled '0'

config include
	option path '/usr/share/pbr/pbr.user.netflix'
	option enabled '0'

config policy
	option name 'Redacted_Name'
	option dest_addr 'list.of.several.domains'
	option interface 'openvpn'

config policy
	option name 'Forward_DNS'
	option dest_addr '8.8.8.8'
	option chain 'output'
	option interface 'openvpn'

config policy
	option name 'Ignore Local Requests'
	option interface 'ignore'
	option dest_addr '10.0.0.0/24 10.0.1.0/24 192.168.100.0/24 192.168.1.0/24'
	option enabled '0'

config policy
	option name 'Plex/Emby Local Server'
	option interface 'wan'
	option src_port '8096 8920 32400'
	option enabled '0'

config policy
	option name 'Plex/Emby Remote Servers'
	option interface 'wan'
	option dest_addr 'plex.tv my.plexapp.com emby.media app.emby.media tv.emby.media'
	option enabled '0'

config policy
	option name 'All_Traffic'
	option src_addr '10.201.1.0/24'
	option interface 'openvpn'
	option enabled '0'

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	option rebind_protection '0'
	list server '/vpn.tindalos.net/8.8.4.4'

config dhcp 'lan'
	option interface 'lan'
	option leasetime '12h'
	option dhcpv4 'server'
	option force '1'
	option start '1'
	option limit '16'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config domain
	option name 'console.gl-inet.com'
	option ip '10.201.1.254'

config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv6 'disabled'
	option ra 'disabled'

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	list network 'openvpn'
	list network 'wan'

config include 'nat6'
	option path '/etc/firewall.nat6'
	option reload '1'

config rule 'block_dns'
	option name 'block_dns'
	option src '*'
	option dest_port '53'
	option target 'REJECT'
	option enabled '0'
	option device 'br-*'

config include 'gls2s'
	option type 'script'
	option path '/var/etc/gls2s.include'
	option reload '1'

config include 'glblock'
	option type 'script'
	option path '/usr/bin/gl_block.sh'
	option reload '1'

config zone
	option name 'guest'
	option forward 'REJECT'
	option output 'ACCEPT'
	option input 'REJECT'
	list network 'guest'

config rule
	option name 'Allow-DHCP'
	option src 'guest'
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '67-68'

config rule
	option name 'Allow-DNS'
	option src 'guest'
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'

config include 'vpn_server_policy'
	option type 'script'
	option path '/etc/firewall.vpn_server_policy.sh'
	option reload '1'
	option enabled '1'

config include 'pbr'
	option fw4_compatible '1'
	option type 'script'
	option path '/usr/share/pbr/firewall.include'

config openvpn 'custom_config'
	option config '/etc/openvpn/my-vpn.conf'

config openvpn 'sample_server'
	option port '1194'
	option proto 'udp'
	option dev 'tun'
	option ca '/etc/openvpn/ca.crt'
	option cert '/etc/openvpn/server.crt'
	option key '/etc/openvpn/server.key'
	option dh '/etc/openvpn/dh2048.pem'
	option server '10.8.0.0 255.255.255.0'
	option ifconfig_pool_persist '/tmp/ipp.txt'
	option keepalive '10 120'
	option persist_key '1'
	option persist_tun '1'
	option user 'nobody'
	option status '/tmp/openvpn-status.log'
	option verb '3'

config openvpn 'sample_client'
	option client '1'
	option dev 'tun'
	option proto 'udp'
	list remote 'my_server_1 1194'
	option resolv_retry 'infinite'
	option nobind '1'
	option persist_key '1'
	option persist_tun '1'
	option user 'nobody'
	option ca '/etc/openvpn/ca.crt'
	option cert '/etc/openvpn/client.crt'
	option key '/etc/openvpn/client.key'
	option verb '3'

config openvpn '20MHR'
	option config '/etc/openvpn/20MHR.ovpn'
	option enabled '1'

Contents of the top of /etc/openvpn/20MHR.ovpn

# Config generated by Asuswrt-Merlin 388.4, requires OpenVPN 2.4.0 or newer.

client
dev tun
proto udp
remote server.public.ip 1195
resolv-retry infinite
nobind
float
ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC
keepalive 15 60
auth-user-pass
remote-cert-tls server
pull-filter ignore "redirect-gateway"

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    inet 192.168.0.118/24 brd 192.168.0.255 scope global eth1
       valid_lft forever preferred_lft forever
4: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 10.201.1.254/24 brd 10.201.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
12: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
    inet 10.16.0.2/24 scope global tun0
       valid_lft forever preferred_lft forever

default via 192.168.0.1 dev eth1 table pbr_wan 
unreachable default table pbr_wwan 
10.201.1.0/24 dev br-lan table pbr_wwan proto kernel scope link src 10.201.1.254 
default via 10.16.0.2 dev tun0 table pbr_openvpn 
default via 192.168.0.1 dev eth1 proto static src 192.168.0.114 metric 10 
10.16.0.0/24 dev tun0 proto kernel scope link src 10.16.0.2 
10.200.0.0/16 via 10.16.0.1 dev tun0 metric 500 
10.201.1.0/24 dev br-lan proto kernel scope link src 10.201.1.254 
192.168.0.0/24 dev eth1 proto static scope link metric 10 
local 10.16.0.2 dev tun0 table local proto kernel scope host src 10.16.0.2 
broadcast 10.16.0.255 dev tun0 table local proto kernel scope link src 10.16.0.2 
local 10.201.1.254 dev br-lan table local proto kernel scope host src 10.201.1.254 
broadcast 10.201.1.255 dev br-lan table local proto kernel scope link src 10.201.1.254 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 
local 192.168.0.114 dev eth1 table local proto kernel scope host src 192.168.0.114 
broadcast 192.168.0.255 dev eth1 table local proto kernel scope link src 192.168.0.114 

0:	from all lookup local
1:	from all iif lo lookup 16800
1100:	from all lookup main suppress_prefixlength 0
1101:	not from all fwmark 0x8000/0xc000 lookup 8000
29996:	from all fwmark 0x30000/0xff0000 lookup pbr_openvpn
29998:	from all fwmark 0x20000/0xff0000 lookup pbr_wwan
30000:	from all fwmark 0x10000/0xff0000 lookup pbr_wan
32766:	from all lookup main
32767:	from all lookup default

From the Asus Router (The above commands don't work)

Route Table

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         172.16.10.249   0.0.0.0         UG    0      0        0 ppp0
10.8.0.0        *               255.255.255.0   U     0      0        0 tun21
10.16.0.0       *               255.255.255.0   U     0      0        0 tun22
10.200.0.0      *               255.255.0.0     U     0      0        0 br0
x.x.x.x         172.16.10.249   255.255.255.255 UGH   1      0        0 ppp0
x.x.x.x   172.16.10.249   255.255.255.255 UGH   1      0        0 ppp0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
169.254.0.0     *               255.255.0.0     U     0      0        0 eth4
172.16.10.249   *               255.255.255.255 UH    0      0        0 ppp0
192.168.0.0     10.16.0.2       255.255.255.0   UG    0      0        0 tun22

Contents of the OpenVPN server Configuration File

daemon ovpn-server2
topology subnet
server 10.16.0.0 255.255.255.0
proto udp6
multihome
port 1195
dev tun22
txqueuelen 1000
data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC
data-ciphers-fallback AES-128-CBC
keepalive 15 60
verb 3
push "route 10.200.0.0 255.255.0.0 vpn_gateway 500"
duplicate-cn
push "redirect-gateway def1"
plugin /usr/lib/openvpn-plugin-auth-pam.so openvpn
ca ca.crt
dh dh.pem
cert server.crt
key server.key
script-security 2
up 'ovpn-up 2 server'
down 'ovpn-down 2 server'
status-version 2
status status 5

# Custom Configuration
route 192.168.0.0 255.255.255.0 10.16.0.2

The OpenVPN is established and functioning.
The PBR traffic routes correctly.
Non PBR traffic routes via eth1 to the internet via the Virgin Router
From the OpenWRT router I can ping anything on the 10.200.0.0 subnet
I can http, SSH pint trace route to 10.16.0.2

What I cannot do is ping, trace route or http to 192.168.0.1 (The virgin router)

I suspect the Virgin Router needs a route adding to route 10.200.0.0 255.255.0.0 via 192.168.0.114 otherwise any packets returned from the Virgin router will be sent via the default gateway to the internet. I don't think I have the options to configure that on the Virgin Router

I did not look at your settings but I dug up my notes about a site-to site setup.

The "problem" with a site to site setup is the routing from server side to client side that needs some special settings, in particular the use of CCD files with iroute:

Site-to-site

In a setup where a single server can handle many clients, it is sometimes necessary to set per-client options that overrule the global options, or to add extra options to a particular client. The option client-config-dir is very useful for this. It allows the VPN administrator to assign a specific IP address to a client, in order to push specific options such as a DNS server to a particular client or to temporarily disable a client altogether.
This option is also vital if you want to route a subnet from the client side to the server side.

Add to the OpenVPN config file:
#set option for CCD dir in openvpn config:
client-config-dir /etc/openvpn/ccd

This example has the LAN subnet of the server to be 192.168.6.0/24, the LAN subnet of the client is 172.18.18.0/24
Push server side LAN subnet to clients by adding redirect default gateway or
push "route 192.168.6.0 255.255.255.0 vpn_gateway"

Instruct server to add a route to the client-side LAN for all local server side clients:
route 172.18.18.0 255.255.255.0 vpn_gateway

From Command line:
#Make ccd directory
mkdir /etc/openvpn/ccd

#Make DEFAULT file which is used if no named file is used so suitable for just one VPN client
touch /etc/openvpn/ccd/DEFAULT

#Add iroute to DEFAULT ccd file
echo "iroute 172.18.118.0 255.255.255.0" > /etc/openvpn/ccd/DEFAULT

It looks like you are using vendor forks of OpenWrt and not the generic OpenWrt which is available from downloads.openwrt.org. There is a big spiel somewhere that explains how only the latter is supported in this forum.

With that said I'll point out a few things on site to site VPN in general. I'm going to call the site with the Asus Site A and the one with the GL Site B.

Neither site actually holds an IP address belonging to the other site. They have routes to it. It can all be done with regular destination-based routing; pbr is not needed.

If you can't install routes in the B main router you can still make B LAN IPs accesible from A by using NAT in the GL router to make the B network see access from something at A as apparently coming from the GL's LAN IP instead of a 10.200 IP. The drawback is that B devices cannot initiate a connection to anything at A due to the one-way nature of NAT. That can be somewhat worked around by forwarding individual ports.

Hi.

I'm pretty sure I replaced the vendor fork with a generic OpenWrt download. None of the original vendor front-end garbage is showing now.

You are correct, in that the B main router (The Virgin one) isn't accessible - The only practical solution will in fact be port forwarding, since I want B devices to be able to initiate a connection to A.

I need the PBR for other things, which aren't necessarily relevant to this discussion and it is working as I need it.

Basically, I'm pretty sure that anything that is connected directly to the OpenWrt B router (GL) and has been give addresses in the 10.201.0.0 subnet via the DHCP on get GL devices will be accessible from A, as all those routes are within my control.

Anything on the 192.168.0.0 subnet, as managed by the B Main or Virgin router will only be accessible in reality by a port forward.I've been using SSH port forwarding as a temporary measure to access the Virgin Router Web UI, which is extremely limited in it's options.

It used to be the case that you switch the Virgin Router into Modem Only mode, which would have been a solution, and that would leave the GL router as the only "local" network, but the Modem option is no longer available from newer Virgin routers.

Thanks everyone for you help and assistance, I think we can mark this thread as closed.

Why do my post keep getting removed?

This problem cannot be solved with a conventional VPN.

A Community member flags my post as spam and someone from OpenWrt just blindly removes my posts????

You can build a complex conventional VPN or use NAT Traversal and build a simple Wireguard Mesh VPN.

At the end of the day it should be your choice on available options and not the filtered options based on the wim of one or two Community Members.

The specific vpn method used (be it OpenVPN, wireguard, zerotier, tailscale, or others) cannot resolve the issue that the op doesn’t have access to the main router to configure static routes. The result is that symmetric site-to-site routing cannot be achieved because the gateway on at least one side doesn’t have a route back to the other network (via the tunnel). .

I have not seen your post, but I can imagine what is in it as you are constantly spamming the forum with it.

A third party to access your home can be necessary if you are behind CGNAT or do not have IPv6, but in this case there is already access only not two way access.

So I can understand why your post is flagged as spam.

I do not know what your incentive is for constantly doing this but please stop it.

That is incorrect, Tailscale does not need access to the Virgin Router to establish a VPN.

That is the very reason I use Tailscale.

Please explain how a host on network b will be able to reach a host on the remote network if network b’s router is unaware of the tunnel/route?

Are you the person deleting my posts?

Have you done any reading on how Tailscale works?

It is very likely that you have either misunderstood the challenge posed in this thread, or you don’t understand how routing works if the vpn is not on the network’s main router. It is simply not possible for a host on a network to reach a host on a different network if the main router is not aware the tunnel exists.

@psherman is one of the most knowledgeable forum members with endless patience who has helped thousands of forum members.

So if he did this he must have had good reason and seeing your recent spamming and some bad advice in other postings, I can understand that your posting was removed.

You might want to start here.

Tailscale: How it works

A Tailscale Tailnet is not bound by geography or control of Routers

Symmetric routing only works if the each main router is aware of the route to the other network. This can be achieved in two ways:

1. vpn runs on the main router
2. vpn runs on a different host behind the main router, AND a static route is added to the main router to allow the router to properly direct the traffic.

I can guarantee to you that tailscale will not allow symmetric routing in the op’s situation because they don’t have the ability to satisfy either of the above conditions.

Symmetric routing cannot be achieved with the Virgin Router.

What I find difficult to believe it that alternative solutions are being blocked.

Information is being controlled by a select few who sit on these forums 24/7.