Why does Asus Router OpenVPN create a different subnet?

2

I created an OpenVPN server inside my RT-AC66U Asus Router, running stock firmware. The default OpenVPN configuration creates a subnet under 10.8.0.0 mask 255.255.255.0, and all my devices that access the VPN get their IP from this range (like 10.8.0.6). Thus they can't see other devices in the same network, as they are inside 192.168.1.0 mask 255.255.255.0.

  1. Why does the default OpenVPN configuration create the VPN under a new subnet? Are there any advantages to this? So far I have only had headaches.

  2. What's the best way to make a device connected via VPN (10.8.0.0) access the other devices in the same network (192.168.1.0)?

mFeinstein

Posted 2019-07-02T22:28:54.010

Reputation: 153

Just stock firmware – mFeinstein – 2019-07-02T22:41:06.010

Do you know why that's the normal behavior? I have seen some people talking about making a static route, is this what you mean about the firewall? – mFeinstein – 2019-07-02T23:06:41.733

Answers

2

The OpenVPN server acts as a router between the client subnet (10.8.0.0/24 by default) and your local LAN.
Because it is a router (and NOT a bridge), the subnets on both sites have to be different. You cannot do routing within a single subnet. TCP/IP doesn't work that way.

From the 10.8.0.* subnet you can access anything in 192.168.1.*, but (depending on protocol/service) you may have to explicitly use the ip-address instead of a computer's name, because the Windows/MacOS/Linux broadcast mechanisms (that normally associate a computer-name with an IP-address) will mostly not work across the OpenVPN connection.
DNS does work, but only if you use the internal DNS service of the Asus and for computers in the local LAN that use DHCP provided by the ASUS.

This is assuming you are using the Asus OpenVPN in its default "Basic Config" mode. If you switch it to "Advanced" you can change the ip-ranges (but it is still a separate range for the clients) and you can forbid access to the local LAN if you want.
Unless you really know what you are doing, you had best stay away from the "Advanced" mode. It is very easy to mess up the VPN connection completely if you get a little too creative.

Tonny

Posted 2019-07-02T22:28:54.010

Reputation: 19 919

That's precisely the problem I am facing, I can't connect to a machine using its name, any way to fix this? – mFeinstein – 2019-07-02T23:09:09.337

You can always place an entry in the hosts file on the client computer. That should work. – Tonny – 2019-07-03T10:04:23.173

I am using an Android phone as the client – mFeinstein – 2019-07-03T17:00:48.630
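The routing argument in the answer above, modelled as an added example (not code from the answer, Asus or OpenVPN): a LAN host only hands a reply to the router when the destination is outside its own subnet, which is why a routed VPN needs a separate client range. The router address 192.168.1.1, the interface names br0/tun0, the LAN host 192.168.1.10 and the overlapping client address 192.168.1.200 are assumptions made for illustration.

```python
import ipaddress

ROUTER_LAN_IP = "192.168.1.1"  # assumed router LAN address (not stated on the page)
# Router's connected networks; interface names are assumed for illustration.
ROUTER_ROUTES = {"192.168.1.0/24": "br0", "10.8.0.0/24": "tun0"}


def forwarding_decision(iface_cidr, default_gw, dst):
    """What a host does with a packet: deliver on-link (ARP) or use its gateway."""
    iface = ipaddress.ip_interface(iface_cidr)
    if ipaddress.ip_address(dst) in iface.network:
        return ("on-link", dst)           # host ARPs for dst on its own segment
    return ("via-gateway", default_gw)    # host sends the packet to the router


def egress_interface(dst, routes=ROUTER_ROUTES):
    """Longest-prefix match over the router's routes; None if nothing matches."""
    dst = ipaddress.ip_address(dst)
    best = None
    for cidr, ifname in routes.items():
        net = ipaddress.ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best[1] if best else None


def reply_reaches_client(lan_host_cidr, client_ip):
    """Can a LAN host's reply get back to a VPN client on a routed (non-bridged) VPN?"""
    action, _hop = forwarding_decision(lan_host_cidr, ROUTER_LAN_IP, client_ip)
    if action == "on-link":
        # The host ARPs on the LAN, but the client sits behind the tunnel, so
        # nothing answers. Only a bridged setup would carry that ARP across.
        return False
    return egress_interface(client_ip) == "tun0"


if __name__ == "__main__":
    lan_host = "192.168.1.10/24"  # constructed sample LAN device
    for client in ("10.8.0.6", "192.168.1.200"):
        print(client, forwarding_decision(lan_host, ROUTER_LAN_IP, client),
              "reply reaches client:", reply_reaches_client(lan_host, client))
```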