1

My setup

Fritz!box 7490

  • Main router and modem
  • IP: 192.168.178.1

ASUS RT-AC68U (Firmware: Asuswrt-Merlin 380.66_4)

  • Connected with LAN port
  • Here I disabled DHCP and WAN (the cable is connected to a LAN port).
  • IP: 192.168.178.2

Conditions

  • The devices can connect to the Fritz!box and/or to the Asus.
  • The Fritz!box does not have the ability to use OpenVPN.
  • The Asus can use the OpenVPN client but can't connect without the WAN (wrong?).
  • I don't want to split my LAN into two IP families.

Question

I just want some IPs to pass through the VPN (and I know it's possible with the VPN routing rules). This is the simple rule: (image)

How can I fix the problem of the VPN without WAN continuing to say "connecting"? And is this configuration possible? How should I configure it? Thanks!


Log

    Jun 17 11:45:05 rc_service: httpd 5645:notify_rc start_vpnclient1
    Jun 17 11:45:08 openvpn[6148]: OpenVPN 2.4.2 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on May 26 2017
    Jun 17 11:45:08 openvpn[6148]: library versions: OpenSSL 1.0.2k  26 Jan 2017, LZO 2.08
    Jun 17 11:45:08 openvpn[6149]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Jun 17 11:45:08 openvpn[6149]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    Jun 17 11:45:08 openvpn[6149]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    Jun 17 11:45:08 openvpn[6149]: TCP/UDP: Preserving recently used remote address: [AF_INET]xxx.xxx.xxx.xxx:443
    Jun 17 11:45:08 openvpn[6149]: Socket Buffers: R=[122880->122880] S=[122880->122880]
    Jun 17 11:45:08 openvpn[6149]: UDP link local: (not bound)
    Jun 17 11:45:08 openvpn[6149]: UDP link remote: [AF_INET]xxx.xxx.xxx.xxx:443
    Jun 17 11:45:08 openvpn[6149]: write UDP: Network is unreachable (code=101)
    Jun 17 11:45:08 openvpn[6149]: Network unreachable, restarting
    Jun 17 11:45:08 openvpn[6149]: SIGUSR1[soft,network-unreachable] received, process restarting

TEST

It seems to work, but I have many doubts that it is correct. In fact, the connection seems unstable (I've been trying for a while); have I probably created some loops? This is the link diagram, considering that there are many meters between the switch and the ASUS router, and I have only one LAN cable that connects the two rooms.

Link diagram

Ok I can confirm, this test is not working, the connection is unstable.

4
  • I think the best solution would be to get a new router that can replace both of yours.
    – harrymc
    Commented Jun 28, 2017 at 6:24
  • @harrymc I could make a lot of changes for the final result, but what I want to do is: use the ASUS router (connected on LAN without WAN) as VPN gateway for some IPs. The simplest way (using this hardware) is to use the Fritz!box as modem and the ASUS as router connected with the WAN port. But I would like to solve it differently. Thanks :)
    – Baro
    Commented Jun 29, 2017 at 13:57
  • What exactly is the problem with connecting the Asus to the Internet?
    – harrymc
    Commented Jun 29, 2017 at 15:33
  • The ASUS is only a router. From the Fritz!Box to the ASUS there are many meters and only one LAN cable. The Fritz!box must be in the main room (for DECT and cordless and for internet) and I use the ASUS for the Wi-Fi (in another room with big walls) and (I hope) for the VPN. I'll try to post a diagram of a test configuration, but the hardware is that.
    – Baro
    Commented Jun 29, 2017 at 16:36
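
The `write UDP: Network is unreachable (code=101)` line in the question's log is Linux errno 101 (ENETUNREACH), which the kernel returns when no routing-table entry matches the destination. The sketch below is an added example, not part of the original post: it pulls the remote address and failure from such log lines and runs a longest-prefix match against `ip route` text. The log lines, the documentation address 203.0.113.10 standing in for the redacted server, both routing tables (a router with WAN disabled is an assumption) and the function names are all constructed for illustration.

```python
import ipaddress
import re

# Constructed lines in the format of the question's log; 203.0.113.10 is a
# documentation address standing in for the redacted VPN server.
SAMPLE_LOG = """\
Jun 17 11:45:08 openvpn[6149]: UDP link remote: [AF_INET]203.0.113.10:443
Jun 17 11:45:08 openvpn[6149]: write UDP: Network is unreachable (code=101)
Jun 17 11:45:08 openvpn[6149]: SIGUSR1[soft,network-unreachable] received, process restarting
"""
# Constructed `ip route` output: a router whose WAN is disabled (assumption).
ROUTES_LAN_ONLY = """\
127.0.0.0/8 dev lo scope link
192.168.178.0/24 dev br0 proto kernel scope link src 192.168.178.2
"""
ROUTES_WITH_DEFAULT = ROUTES_LAN_ONLY + "default via 192.168.178.1 dev br0\n"

REMOTE_RE = re.compile(r"link remote: \[AF_INET\]([\d.]+):(\d+)")


def parse_log(text):
    """Return (remote_ip, failure) seen in OpenVPN client syslog lines."""
    remote = failure = None
    for line in text.splitlines():
        m = REMOTE_RE.search(line)
        if m:
            remote = m.group(1)
        if "(code=101)" in line:  # Linux errno 101 = ENETUNREACH
            failure = "ENETUNREACH"
    return remote, failure


def best_route(remote, routes_text):
    """Longest-prefix match over `ip route` lines; None means no route."""
    addr, hits = ipaddress.ip_address(remote), []
    for line in routes_text.splitlines():
        dest = line.split()[0] if line.split() else ""
        try:
            net = ipaddress.ip_network("0.0.0.0/0" if dest == "default" else dest)
        except ValueError:
            continue  # blank line or a route type not modelled here
        if addr in net:
            hits.append((net.prefixlen, line))
    return max(hits)[1] if hits else None


if __name__ == "__main__":
    remote, failure = parse_log(SAMPLE_LOG)
    for name, table in (("LAN only", ROUTES_LAN_ONLY), ("default set", ROUTES_WITH_DEFAULT)):
        print(name, "->", best_route(remote, table) or f"no route ({failure})")
```

With only the LAN subnet in the table, the lookup returns nothing, which is the condition that produces code 101 before any packet leaves the router.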

2 Answers

1

As far as I know, in most router setups the built-in OpenVPN is hardcoded to make the outgoing connection on the WAN side.
This is the natural way of doing things for 99.999% of all customers that need an OpenVPN setup on their router, so nobody bothers to implement anything else.
Your setup is in that other 0.001%.

Technically it is possible to set this up, and because you are running an OpenWRT variant, it most likely can be done by manually changing the config files in the router. I wouldn't know how. I'm not familiar with OpenWRT at that level of detail.

The only other way of making this work I see is physically swapping both routers and using the Asus as the WAN router.
But, in your case, this isn't possible, because your uplink is ADSL or VDSL, which the Asus can't do.

2
  • Unfortunately I think you are right, I hope someone (in the 0.001%!) can give me the solution, with a config file too (even though it is not my favorite choice). Thanks anyway :)
    – Baro
    Commented Jun 17, 2017 at 12:23
  • If no one has an answer ... it's right that it's yours. Thanks @Tonny
    – Baro
    Commented Jul 5, 2017 at 10:41
0

I have the same configuration.

OpenVPN server on the Asus router, which is on the LAN.

In the advanced settings of OpenVPN I chose TCP instead of UDP.

On my router, which has the WAN, I set up port forwarding, redirecting all traffic that comes in on port 1194 to the OpenVPN server IP on port 1194 (if you don't know your OpenVPN server IP, you can find it in client.ovpn by opening it with Notepad).
