Tomato router behind Edgerouter Lite

Discussion in 'Tomato Firmware' started by eTaurus, Mar 17, 2019.

  1. eTaurus

    eTaurus Connected Client Member

    Hi!
    As the title states I am trying to set up my Asus RT-AC68U running the latest build of FreshTomato behind an Edgerouter Lite.

    The reason is that I got fiber-to-home installed and now I want to connect our guest house to the same line as our main building. I already have a LAN cable running between the two buildings. I could have created two VLAN on my Asus router but because I want the Asus router to exclusively serve my main building I bought an Edgerouter Lite to handle LAN segregation.

    I got it running by setting up the Asus router as access point by disabling DHCP in WAN settings. The main problem I have with this solution is that my OpenVPN server does not work as expected. I forwarded port 1194 in the EdgeOS GUI and succeeded in connecting to the server but I did not get access to any device on the LAN, e.g. my NAS. I might get it running with some more research into firewall rules.

    Another problem with this setup is that I cannot start the OpenVPN server on WANup. How can I get around this in case of a power outage? Setting up OpenVPN server on the EdgeRouter is not really an option because the the router does not handle it very well, resulting in low connection speed.

    I even tried to disable DHCP on the EdgeRouter and enable it on the Asus router but I did not find an option to use the EdgeRouters IP address as gateway in Tomato which resulted in not having internet connection.

    It would be really nice if someone could set me on the right track. I spent several hours searching on the internet without finding a solution.
     
  2. Sean B.

    Sean B. Network Guru Member

    Did you enable the option "Push LAN to clients" for the OpenVPN server?

    This can be done with scripts, once the OpenVPN server is working how you want it.
     
  3. eTaurus

    eTaurus Connected Client Member

    Yes, it is enabled.
     
  4. Sean B.

    Sean B. Network Guru Member

    What subnet did you configure for your VPN ( IE: 192.168.100.0/24 )? And what subnet is configured for your LAN?

    Did you put the LAN interface IP of the EdgeRouter into the "Default Gateway" box that came up after disabling the WAN on the Asus?
     
  5. eibgrad

    eibgrad Network Guru Member

    I'm going to assume your OpenVPN server is configured in routed mode (TUN) and NOT bridge mode (TAP).

    Whenever a routed OpenVPN tunnel is established on something other than the primary router, the tunnel's IP network (e.g., 10.0.8.x) is NOT KNOWN to any of the clients on the local network (e.g., 192.168.1.x). So they forward their replies to their default gateway, which is the primary router. But the primary router doesn't know how to route those packets either!

    None of this is a problem when the tunnel's IP network is known to the primary router, since the primary router is the both the gateway and hosting that network. But once you move to some other device, now you have a routing problem. One way to address it is to add a static route for the tunnel's IP network to the primary router and have it point to the IP address of the AP (the one hosting the OpenVPN server). The other solution is to NAT the tunnel's IP network as packets are dropped on the local network, thereby making it look like the tunnel's packets are coming from the AP on its own local IP. There are advantages and disadvantages to each method. And sometimes only the latter is possible (e.g., your primary router doesn't support static routes).

    Note, use of a bridged (TAP) OpenVPN server exhibits none of these problems since all the clients (remote and local) share the same IP network (e.g., 192.168.1.x).

    As far as starting the OpenVPN server from a script ...

    Code:
    service vpnserver1 start
     
    eTaurus and Monk E. Boy like this.
  6. Sean B.

    Sean B. Network Guru Member

    And once you provide your IP schemes, we can provide the static routes to use on the EdgeRouter.

    @eibgrad , as I don't use VPN connectivity on a regular basis I was curious to see the behavior here but perhaps you know how it will be handled: While the EdgeRouter static route clearly needs to be manually configured, on the Tomato router side with WAN disabled and default gateway entered etc, basically just a switch, will pushing the LAN route to a VPN client still work correctly?
     
  7. eibgrad

    eibgrad Network Guru Member

    Yes. All that pushing the LAN client does is tell the OpenVPN client what is the remote IP network that resides on the OpenVPN server side. IOW, it's just informational and is typically used by the OpenVPN client to add a static route to its local routing table. It's just normal operating procedure to tell the OpenVPN client this information so it knows how to access that remote network.

    Of course, if I'm right about the source of the OP's problem, those remote devices don't know how to route back to the OpenVPN client w/o the static route.
     
    eTaurus likes this.
  8. Monk E. Boy

    Monk E. Boy Network Guru Member

    He could also implement OpenVPN on the EdgeRouter (its their VPN solution), although he'll want to enable hardware offloading first, particularly crypto offload. That will limit him to a group of cyphers that vary depending on the model, and I'm not familiar with the Lite's list, but they all seemed relatively secure on the EdgeRouter models (X/Pro) I interact with. Of course VPN isn't implemented on mine so I don't have much advice beyond enabling offload, I just looked into it in case it was needed.

    Hardware offload can only be enabled via SSH/Telnet, you can't do it through the GUI.
     
    Sean B. likes this.
  9. eTaurus

    eTaurus Connected Client Member

    Thank you for your answers! I didn't have the time to look into the matter and therefore didn't answer, but tonight I'm going to read all your replies and try out your suggestions.
     
  10. eTaurus

    eTaurus Connected Client Member

    Your assumption is right. I had to configure it in routed mode because I want to be able to access the OpenVPN server with non-rooted Android devices with the app "OpenVPN for Android".
    Where do I put this command? In init.d?

    The EdgeRouters LAN interface is 192.168.1.1 which I put in the gateway box of my Asus router which I set to DHCP disabled and which now has the IP address 192.168.1.2. I even disabled DHCP in the LAN section.
    My OpenVPN server is configured to use the standard IP 10.6.0.0/24. Should I change this?
    Yes, I read about hardware offloading but I also read that even with it enabled the ERL (EdgeRouter Lite) performance concerning throughput is abysmal. My RT-AC68U is giving me 30/30 Mbit/s on my 100/100 line. I would like to know if the ERL could give me a similar throughput as I would make things much easier, I guess, to have the VPN server running on my gateway.
     
  11. eibgrad

    eibgrad Network Guru Member

    Then add a static route on the Edgerouter that specifies a network of 10.6.0.0/24 (or 10.6.0.0/255.255.255.0) and a gateway of 192.168.1.2.

    Regarding ...

    Code:
    service vpnserver1 start
    I assume the Init script (see Administration->Scripts) would be the most logical place. Might want to add a small time delay preceding the command just to make sure the AP has a chance to come fully up.

    Code:
    (sleep 30 && service vpnserver1 start) &
     
    eTaurus likes this.
  12. Monk E. Boy

    Monk E. Boy Network Guru Member

    The best place to ask questions about Ubiquiti gear is in their forums since they know it a lot better than I ever will. On the Pro & X the performance hit is minimal unless you're maxing the routing capabilities of the hardware (and if you are, you really should get a beefier router).

    Keep in mind there's a wide amount of information on the internet that simply no longer applies to EdgeOS equipment. When the ER-X was first introduced it was like Tomato, routing & everything else driven by the SoC CPU purely in software. As time went by though they enabled hardware offloading and other optimizations and performance went way way up. With 2.0 the cycle seems to be repeating a bit since on some models they can't enable some forms of hardware offload so performance has dropped again, but if you stay on the 1.x code base for now you can avoid those teething pains (only major difference is its based on a newer Linux distro).
     
  13. eTaurus

    eTaurus Connected Client Member

    Okay, it seems to work as expected. Connecting to my OpenVPN server over mobile broadband now gives me access to my NAS, Edgerouter, Pi-Hole.
    This is a thing I have not tested yet.

    Thank you very much for helping me out with this. My internet connection seems to be faster now in terms of response time, as a matter of fact

    I am wondering about network topology. My RT-AC68U should work as a switch now but I do not see all devices connected to it over a unmanaged switch . Should I buy a managed or unmanaged switch and place it between the EdgeRouter and my access point and plug everything into it and not use the LAN ports in my RT-AC68U at all? The worst thing is that I do not see my Pi-Hole, although I can access it, and cannot point the EdgeRouter to it.
     
  14. eibgrad

    eibgrad Network Guru Member

    I assume by "seeing" what you mean is network discovery. That's what automatically populates something like Windows Explorer and lists available resources (e.g., shares). Network discovery does NOT work across network boundaries (e.g., when you're routing from the OpenVPN server's tunnel network, and over to the remote network on which the OpenVPN server is running). If you want that kind of capability, you have to configure a bridged (tap) tunnel w/ OpenVPN server. That places the OpenVPN client directly on the remote network w/ the same IP scope (e.g., 192.168.1.x). Now network discovery will work over the VPN. Of course, as you mentioned previously, a bridged VPN makes it incompatible w/ mobile devices. So there's no perfect solution.
     
    eTaurus likes this.
  15. eTaurus

    eTaurus Connected Client Member

    No, I mean that it does not show up in the Edgerouter DHCP section but putting the Pi-holes IP address in the right place leads to working ad filtering. It had nothing to do with VPN.
    But I probably should stop asking questions about Ubiquity products on this forum. Thanks for the help.
     
  16. eTaurus

    eTaurus Connected Client Member

    I have to submit another question. Now I can connect to the OpenVPN server and to devices on the subnet but I cannot route internet traffic over the VPN connection. Connections to targets on the web time out. I presume the origin of the problem lies here:
    The RT-AC68Us DNS is on 192.168.1.1 (the EdgeRouter). Am I right and if so, how do I change this? Changing the file "config.ovpn" doesn't work because it resets to its default every time I restart the OpenVPN server.
     
  17. eibgrad

    eibgrad Network Guru Member

    If it's a DNS problem, then you should still be able to ping the internet by IP (e.g., ping 8.8.8.8). If you can't even ping by IP, then it's probably NOT a DNS issue. Did you make sure to include the default gateway setting on the WAP (i.e., the router hosting the OpenVPN server)?
     
    eTaurus likes this.
  18. eTaurus

    eTaurus Connected Client Member

    It seems to be a DNS problem then because "ping 8.8.8.8" gives me zero packet loss, but "ping google.com" gives me ping unknown host google.com.
    I looked into config.ovpn, found the line push "dhcp-option DNS 192.168.1.2" and put push "dhcp-option DNS 192.168.1.1" into Custom Configuration under the "Advanced" tab in the OpenVPN configuration page. It kind off solves my problem as I am able to connect to the internet while connected to the VPN with my mobile phone over mobile broadband, but it seems that it circumvents my Pi-Hole which is running at 192.168.1.53.
    Looking into the log I find both dhcp-option DNS 192.168.1.2 and dhcp-option DNS 192.168.1.2.

    Screenshot from my WAP:
    [​IMG]

    Screeshot from the EdgeRouter DHCP page:
    [​IMG]
     
  19. eibgrad

    eibgrad Network Guru Member

    When configured as a WAP, your LAN configuration should always have a STATIC DNS setting, either the primary router, or public DNS server(s). Because the WAP doesn't have a DNS server specified, pushing 192.168.1.2 is pointless. If you did specify a STATIC DNS server of 192.168.1.1, then at least it would get to the primary router, and then to the pihole @ 192.168.1.53. Or you can just push 192.168.1.53 to the OpenVPN clients. IOW, I think you broke the chain between the DNS servers by NOT specifying a STATIC DNS on the WAP.
     
    eTaurus likes this.
  20. eTaurus

    eTaurus Connected Client Member

    The WAPs IP lies outside the DHCPs IP scope the Edgerouter hands out to the clients. The Pi-Hole has a static IP.

    I did not push 192.168.1.2, it is the default configuration that the OpenVPN GUI in FreshTomato generates. I wrote push "dhcp-option DNS 192.168.1.1" into the Custom Configuration which leads to that both IP are being pushed. Pushing the Pi-Holes IP does not work at all, when pushing the routers IP I see ads.

    Maybe I do not understand you. How can I take control over the config file that is generated by FreshTomato?
     
  21. Sean B.

    Sean B. Network Guru Member

    Do not check the box for "advertise DNS" if you're entering your own push line into the custom config box.
     
    eTaurus likes this.
  22. eTaurus

    eTaurus Connected Client Member

    Okay, I am able to set 192.168.1.1 as the DNS and have access to the internet on my mobile while connected to VPN. I begin to understand why I keep seeing ads. My clients does not get an IP in the same subnet as the Pi-Hole. Therefore Pi-Hole cannot block ads on my mobile phone while it is connected over VPN.
    If there is a solution to it I would be glad to try it, otherwise it is no great deal. I am learning a great deal about network, though.
    I am going to try to find a solution at the Pi-Hole website.
     
  23. Sean B.

    Sean B. Network Guru Member

    If you're using DNS records served via your Pi-hole to block ad sights, being on a different subnet will not be a factor providing the DNS query:

    1.) Is properly routed to, and the response properly routed from the Pi-hole

    2.) Is actually being answered by the Pi-hole

    DNS interception is a factor in this situation, as the Pi-hole and client are in different subnets the query is routed. Verify you do not have the option "Intercept DNS" enabled on the Tomato router under Advanced->DHCP/dns, or alternatively set the Pi-hole IP as the static DNS server for the router.
     
  24. eTaurus

    eTaurus Connected Client Member

    Okay, I had to set the Pi-Hole IP as "System name server" in the EdgeRouter system config to get it working. I thought I had done in the past but I must have been wrong. It is working now

    Thank you for your help and patience! This forum rocks!
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice