Vpnserver => client connection configuration suggestions

I have configured a VPN client connected to a server on an asuswrt router.
The connection works fine and I can reach the server from the client side.
But not the other way (server => client): I get no ping answer either.
I have tried some configurations and I am still scratching my head.
I think I need some suggestions/help to figure it out.

Firewall:


# Firewall of the OpenWrt router that runs the OpenVPN *client* (tun10) and
# a WireGuard server (wgserver). Review comments are prefixed NOTE(review).
config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

# lan: fully open zone (input/forward ACCEPT). 'tun21' is listed as a device
# here; in the network config 'tun21' is only a proto 'none' interface, and
# the same name is the server's "dev tun21" in the asuswrt config below.
# NOTE(review): if no tun21 device exists on this router the entry is inert.
config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list device 'tun21'
	list network 'lan'

# wan: input/forward REJECT, IPv4 and IPv6 masquerading. tun10 (the OpenVPN
# client tunnel, interface 'VpnClient1') is in this zone, so packets arriving
# from the VPN server hit REJECT and LAN traffic leaving via tun10 is
# masqueraded — this matches the server => client symptom described above;
# the reply below moves tun10 into 'lan'. masq_src limits IPv6 masquerading
# to the WireGuard ULA /64 (same prefix as the 'wgserver' address).
config zone 'wan'
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option mtu_fix '1'
	option masq6 '1'
	list masq_src 'fda9:xxxx:f9xx::0/64'
	option masq '1'
	list device 'tun10'
	list network 'wan'
	list network 'wan6'
	list network 'USBWAN'

# lan may be forwarded to wan (guest and wgserver have their own entries).
config forwarding
	option src 'lan'
	option dest 'wan'

# Stock OpenWrt input rules for the wan zone: DHCP renew, ping, IGMP,
# DHCPv6, MLD and rate-limited ICMPv6 (input and forward).
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# Stock rules that forward IPsec (ESP and UDP/500 ISAKMP) from wan into lan.
# NOTE(review): nothing in the network config shown terminates IPsec; if it
# is unused these two forwards can be removed to shrink the exposed surface.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# guest: isolated zone, may only be forwarded to wan. On input the router
# accepts DNS (no proto given, so presumably tcp and udp) and DHCP.
config zone
	option name 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'guest'

config forwarding
	option src 'guest'
	option dest 'wan'

config rule
	option src 'guest'
	option name 'Allow-DNS-Guest'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option src 'guest'
	option name 'Allow-DHCP-Guest'
	list proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'

# Reject IPv4 traffic from lan to the two Google public resolvers via wan.
# Only family ipv4 and only dest 'wan': IPv6 traffic, and traffic leaving
# through an interface in another zone, is not matched by these rules.
config rule
	option src 'lan'
	option dest 'wan'
	option name 'Block-8.8.8.8'
	option target 'REJECT'
	option family 'ipv4'
	list dest_ip '8.8.8.8'

config rule
	option src 'lan'
	option dest 'wan'
	option name 'Block-8.8.4.4'
	option target 'REJECT'
	option family 'ipv4'
	list dest_ip '8.8.4.4'

# Opens UDP/1234 on this router from wan. NOTE(review): the only openvpn
# section shown is a client with nobind '1' that connects *out* to port
# 1234, so unless another service listens locally on 1234 this rule is
# unneeded exposure and can be dropped.
config rule 'ovpn'
	option name 'Allow-OpenVPN'
	option src 'wan'
	option proto 'udp'
	option dest_port '1234'
	option target 'ACCEPT'

# Inbound WireGuard; matches listen_port '54321' of interface 'wgserver'.
config rule
	option src 'wan'
	option name 'Allow-Wireguard'
	list proto 'udp'
	option dest_port '54321'
	option target 'ACCEPT'

# wgserver: WireGuard peers get input ACCEPT (all router services) and may
# be forwarded to lan and wan; lan may reach the peers.
config zone
	option name 'wgserver'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'wgserver'

config forwarding
	option src 'wgserver'
	option dest 'lan'

config forwarding
	option src 'wgserver'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'wgserver'


Network:


# Network config of the OpenWrt router. Review comments are prefixed
# NOTE(review).
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

# IPv6 ULA prefix (lan takes a /60 from it via ip6assign); packet steering on.
config globals 'globals'
	option ula_prefix 'fd65:xx:a3xx::/48'
	option packet_steering '1'

# eth0 is deliberately left unconfigured.
config interface 'ignore_eth0'
	option device 'eth0'
	option proto 'none'

# LAN bridge over the five switch ports.
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'lan5'

# 192.168.46.0/24 is the subnet the asuswrt server routes back here
# ("route 192.168.46.0" in its config plus the CCD iroute shown below).
config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.46.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

# Primary WAN on eth1: IPv4 via DHCP, IPv6 via RA/DHCPv6. peerdns '0' on
# both, so upstream-supplied resolvers are ignored.
config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'
	option ipv6 '1'
	option accept_ra '2'
	option peerdns '0'
	option dns_metric '10'

config interface 'wan6'
	option device 'eth1'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'
	option norelease '1'
	option sourcefilter '0'
	option peerdns '0'

# Extra static address on the WAN device (@wan alias), presumably to reach a
# device at a fixed address on the WAN segment — verify against the setup.
config interface 'TRB140'
	option proto 'static'
	option device '@wan'
	option ipaddr '192.168.25.2'
	option netmask '255.255.255.0'

# Guest bridge without wired ports (bridge_empty); presumably Wi-Fi attaches
# to it elsewhere.
config device
	option type 'bridge'
	option name 'br-guest'
	option bridge_empty '1'

# NOTE(review): 'gateway 192.168.1.1' is not inside 192.168.2.0/24 and a
# LAN-facing static interface normally needs no gateway — confirm whether it
# is intended or a leftover.
config interface 'guest'
	option proto 'static'
	option device 'br-guest'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	option gateway '192.168.1.1'

# Bare interface for tun21 (no address); referenced by the 'lan' firewall
# zone. The same name is the asuswrt server's tunnel device.
config interface 'tun21'
	option proto 'none'
	option device 'tun21'

# WireGuard server on UDP/54321 (matches the 'Allow-Wireguard' firewall
# rule); the ULA /64 here is the one used as masq_src in the 'wan' zone.
config interface 'wgserver'
	option proto 'wireguard'
	option private_key '< key >'
	option listen_port '54321'
	list addresses '172.22.28.1/24'
	list addresses 'fda9:xxxx:f9xx::1/64'

# Peers. Each section stores public_key, preshared_key AND private_key.
# The server only needs a peer's public key and PSK; a peer private_key here
# (presumably kept so LuCI can regenerate the client config) means this
# router holds every peer's private key, so one config backup or leak
# compromises all peers at once. NOTE(review): remove the peer private keys
# once the clients are provisioned. No endpoint_host is set, so peers are
# expected to initiate; route_allowed_ips '1' installs a route per
# allowed_ips entry.
config wireguard_wgserver
	option description 'johan24'
	option public_key '< key >'
	option private_key '< key >'
	option preshared_key '< key >'
	list allowed_ips '172.22.28.2/32'
	list allowed_ips 'fda9:xxxx:f9xx::2/128'
	option endpoint_port '54321'
	option persistent_keepalive '25'
	option route_allowed_ips '1'

config wireguard_wgserver
	option description 'johanlaptop'
	option public_key '< key >'
	option private_key '< key >'
	option preshared_key '< key >'
	list allowed_ips '172.22.28.3/32'
# NOTE(review): the prefix is written 'fda9:xxx:' here but 'fda9:xxxx:' in
# every other section — likely a redaction typo; verify it is the same /64.
	list allowed_ips 'fda9:xxx:f9xx::3/128'
	option route_allowed_ips '1'
	option endpoint_port '54321'
	option persistent_keepalive '25'

config wireguard_wgserver
	option description 'johanpc'
	option public_key '< key >'
	option private_key '< key >'
	option preshared_key '< key >'
	option route_allowed_ips '1'
	option endpoint_port '54321'
	option persistent_keepalive '25'
	list allowed_ips '172.22.28.4/32'
	list allowed_ips 'fda9:xxxx:f9xx::4/128'

config wireguard_wgserver
	option description 'rt-ax86u'
	option public_key '< key >'
	option private_key '< key >'
	option preshared_key '< key >'
	list allowed_ips '172.22.28.5/32'
	list allowed_ips 'fda9:xxxx:f9xx::5/128'
	option route_allowed_ips '1'
	option endpoint_port '54321'
	option persistent_keepalive '25'

config wireguard_wgserver
	option description 'reserv1'
	option public_key '< key >'
	option private_key '< key >'
	option preshared_key '< key >'
	list allowed_ips '172.22.28.6/32'
	list allowed_ips 'fda9:xxxx:f9xx::6/128'
	option route_allowed_ips '1'
	option endpoint_port '54321'
	option persistent_keepalive '25'

# Secondary WAN over USB (usb0); dns_metric 40 versus 10 on 'wan'.
config interface 'USBWAN'
	option proto 'dhcp'
	option device 'usb0'
	option dns_metric '40'

# Bare interface for the OpenVPN client tunnel (tun10, see the openvpn
# section below); currently placed in the 'wan' firewall zone.
config interface 'VpnClient1'
	option proto 'none'
	option device 'tun10'


Openvpn:

# OpenVPN client towards the asuswrt server (UDP/1234 on the remote side).
# 'client' + 'nobind' means this router opens no listening port for this
# tunnel.
config openvpn 'GLMT6000'
	option enabled '1'
	option dev 'tun10'
	option proto 'udp'
	option nobind '1'
	option float '1'
	option client '1'
	option reneg_sec '3600'
	option verb '3'
	option mute_replay_warnings '1'
	option replay_window '256'
	option auth_nocache '1'
	option allow_compression 'no'
# route_nopull '1' ignores everything the server pushes (the redirect-gateway,
# DNS and 192.168.50.0/24 route lines in the server config below); only the
# explicit route to 192.168.50.0/24 given here is installed.
	option route_nopull '1'
	list route '192.168.50.0 255.255.255.0'
	option persist_tun '1'
	option fast_io '1'
# Server identity pinned by X.509 name and remote-cert-tls; the control
# channel is wrapped with tls-crypt-v2. NOTE(review): 'cipher' is the legacy
# single-cipher option; the server's data-ciphers list starts with
# AES-256-GCM, so negotiation should select it either way.
	option verify_x509_name 'xxxxxxx.xxxxx.se name'
	option remote_cert_tls 'server'
	list remote 'xxxxxxx.xxxxx.se'
	option port '1234'
	option cipher 'AES-256-GCM'
	option tls_crypt_v2 '/etc/openvpn/GLMT6000/tls-crypt-v2-client.key'
	option ca '/etc/openvpn/GLMT6000/gl-mt6000-ca.crt'
	option key '/etc/openvpn/GLMT6000/gl-mt6000.key'
	option cert '/etc/openvpn/GLMT6000/gl-mt6000.crt'
	option log '/var/log/client-openvpn-1.log'
# Permits running scripts; no up/down script is configured in this section.
	option script_security '2'

Add device 'tun10' to the LAN firewall zone instead of the WAN zone

But the real difficulty is on the server side: you have to use CCD files and the iroute directive. As the server runs asuswrt we cannot help you, but the asuswrt forum is also very helpful, so ask there.

WireGuard is way easier

Thanks for your reply.
Yes, I know WireGuard is easier, but that is the next project.
I missed putting tun10 in the LAN firewall zone instead.

On server side I have a CCD file:

iroute 192.168.46.0 255.255.255.0

I still cannot reach the server from the client side.

and the server config:

# asuswrt OpenVPN server config (server side of the tunnel, dev tun21).
daemon ovpn-server1
# Clients are addressed from 10.8.44.0/24 in subnet topology.
topology subnet
server 10.8.44.0 255.255.255.0
proto udp4
multihome
fast-io
port 1234
dev tun21
txqueuelen 1000
# AEAD ciphers are negotiated; the CBC entry is only a fallback for clients
# that cannot negotiate. NOTE(review): the OpenWrt client above uses
# AES-256-GCM, so the non-AEAD fallback is unused and could be dropped.
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
data-ciphers-fallback AES-128-CBC
keepalive 15 60
verb 3
# Pushed to clients: a route to 192.168.50.0/24, DNS/domain and a full
# redirect. The OpenWrt client sets route_nopull, so it ignores all pushes
# and installs only its own route to 192.168.50.0/24.
push "route 192.168.50.0 255.255.255.0 vpn_gateway 500"
# Per-client options. The file for the OpenWrt client must be named after
# the CN of its certificate and hold the iroute shown above
# (iroute 192.168.46.0 255.255.255.0). NOTE(review): 'ccd' is a relative
# path — verify it resolves from the daemon's working directory on asuswrt.
client-config-dir ccd
client-to-client
# Kernel route for the client-side LAN (192.168.46.0/24 = the OpenWrt 'lan'
# interface); together with the iroute this lets server-side hosts reach the
# client LAN.
route 192.168.46.0 255.255.255.0
push "dhcp-option DOMAIN home.lan"
push "dhcp-option DNS 192.168.50.1"
push "redirect-gateway def1"
ca ca.crt
dh dh.pem
cert server.crt
key server.key
# Control channel wrapped with tls-crypt-v2 (matches the client's
# tls_crypt_v2 option).
tls-crypt-v2 /jffs/openvpn/vpn_crt_server1_static
# Allows the up/down scripts below to run.
script-security 2
up 'ovpn-up 1 server'
down 'ovpn-down 1 server'
status-version 2
status status 5

# Custom Configuration
# Persistent client address assignments; compression disabled on both ends.
ifconfig-pool-persist /jffs/configs/openvpn/server1/ipp.txt
allow-compression no
log /tmp/vpnserver-1.log


I am sorry, I can only help you with OpenWrt or DD-WRT, not with asuswrt; you have to ask in their forum.
These are the instructions for OpenWrt:

Site-to-site
In a setup where a single server can handle many clients, it is sometimes necessary to set per-client options that overrule the global options, or to add extra options to a particular client. The option client-config-dir is very useful for this. It allows the VPN administrator to assign a specific IP address to a client, in order to push specific options such as a DNS server to a particular client or to temporarily disable a client altogether. 
This option is also vital if you want to route a subnet from the server side to the client side.

Add to the OpenVPN servers config file:

#set option for CCD dir in openvpn config:
client-config-dir /etc/openvpn/ccd

In this example the LAN subnet of the server is 192.168.6.0/24 and the LAN subnet of the client is 172.18.18.0/24.
#Push the server-side LAN subnet to clients (alternatively redirect the default gateway):
push "route 192.168.6.0 255.255.255.0 vpn_gateway"

#Instruct server to add a route to the client-side LAN for all local server side clients:
route 172.18.18.0 255.255.255.0 vpn_gateway

From Command line:
#Make ccd directory
mkdir /etc/openvpn/ccd

#Make a DEFAULT file, which is used if no per-client file exists, so it is only suitable if there is just one VPN client. If the server serves multiple clients, certificate authentication must be used with a unique certificate for each client; the CN of the certificate matches the file name for that client in the ccd directory.
touch /etc/openvpn/ccd/DEFAULT

Add iroute to DEFAULT ccd file:
echo "iroute 172.18.118.0 255.255.255.0" > /etc/openvpn/ccd/DEFAULT

Also add to the OpenVPN servers config file:
#for easy client-to-client traffic bypassing the kernel:
client-to-client

Firewall
The firewall on the client side must be set up as if it were an OpenVPN server, i.e. with ACCEPT on INPUT and FORWARD and no masquerading.

For DDWRT: https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1157344

Thanks for your help.

I think I got it to work, but I haven't tested all functions yet.

Q: Is there any guide on OpenWrt (client => server) or another setup so I can compare my setup against it?

Sort of, see:

In case you want to use WireGuard instead of OpenVPN:
WireGuard Server Setup Guide
WireGuard Client Setup Guide

That is the next project: set up WireGuard and a VPN client to a VPN provider with policy-based routing.

Thanks for links!

