pandabe4r
Oct 09, 2021
Solved

OpenVPN client issues / cannot connect remotely / Orbi RBR850

I have a weird issue trying to set up the VPN service on my new Orbi RBR850 router. Here's what I have configured so far, following the guide found here:

  1. I have enabled the VPN service under the Advanced tab and set everything to default UDP and port 12973. Changed last option to "all sites on the Internet & Home network".

  2. Downloaded the latest OpenVPN client (11.25) to my Windows 10 laptop and installed using defaults.

  3. Downloaded the configuration files from my router and unzipped them into both "C:\Programfiles\OpenVPN\config\" and "C:\Users\{userprofile}\OpenVPN\config\client1"

  4. Renamed the VPN network adapter in Windows from "TAP-Windows Adapter" to "NETGEAR-VPN".

  5. Connect laptop to a remote network and launch OpenVPN, connect.

  6. First error indicated that it couldn't find the route gateway and wouldn't connect successfully. Fixed this by adding the following line to the OpenVPN config file "route-gateway 192.168.1.1" which is the default for Orbi routers.

  7. Now the agent will successfully connect, and I can see the device in NAT. In the Orbi app, I can see my device get assigned a private IP from my network. However, I cannot connect with any other devices on the network, including the router. I cannot ping any of them nor browse the Internet. My device is on the same subnet as all my other devices as I only have one subnet.

  8. I have tried turning off my firewall on Windows 10 to test with no luck.

Any ideas what would cause this?

  • SOLVED!

     

    So I decided to go with the latest OpenVPN Connect client that exclusively uses TUN.
    https://openvpn.net/downloads/openvpn-connect-v3-windows.msi

     

    I then edited the .ovpn config file before importing to change the default to TUN and the port to 12973. See below. 

     

    After importing, I connected just fine and am able to connect to all my devices, RDP, and browse internet. 

     

    Don't know why Orbi's instructions point to the older 2.5 client, but the latest version is the way to go.

     

    client
    dev tun
    proto udp
    sndbuf 393216
    rcvbuf 393216
    push "sndbuf 393216"
    push "rcvbuf 393216"
    dev-node NETGEAR-VPN
    remote XXXXXXX.mynetgear.com 12973
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca ca.crt
    cert client.crt
    key client.key
    cipher AES-128-CBC
    comp-lzo
    verb 0

5 Replies


  • pandabe4r wrote:

    I have a weird issue trying to set up the VPN service on my new Orbi RBR850 router. Here's what I have configured so far, following the guide found here

    I have enabled the VPN service under the Advanced tab and set everything to default UDP and port 12973. Changed last option to "all sites on the Internet & Home network".


    I found getting OpenVPN to work very confusing and frustrating.  Eventually, I got OpenVPN working with two separate Orbi systems on Android, Linux, and Windows clients.  In other words... I am certainly no 'expert', but it does work.

     

    On my Orbi (the older, RBR50 model), VPN listens for connections on two ports:

    • Port 12973 for tun connections
    • Port 12974 for tap connections

    Internet searches (I am trying not to say "Google Search", but it's a hard habit to break) will explain the difference between tun and tap.

    The important part (to me) is that they are different.  If an OpenVPN Client connection designed for tap tries to connect to an OpenVPN host designed for tun, it will fail.  (And the reverse.)

    The client.ovpn file that my Orbi produces for Windows very clearly specifies tap on port 12974.

     


    pandabe4r wrote

    Connect laptop to a remote network and launch OpenVPN, connect.


    Can you be a bit more specific about this? My 'sense' is that the laptop was taken to another place where it could connect to a different network.  Is this correct?  (My own test practice is to disconnect my smartphone from the Orbi WiFi, which causes it to revert to LTE data. Then open a "Hot Spot" and connect the laptop to that.  My point is that this test has the laptop in no way connected to the Orbi network.)

     


    pandabe4r wrote

    First error indicated that it couldn't find the route gateway and wouldn't connect successfully. Fixed this by adding the following line to the OpenVPN config file "route-gateway 192.168.1.1" which is the default for Orbi routers.

    I have never added such a line to my client.ovpn file.

    • pandabe4r
      Tutor

      As I understand it, OpenVPN client versions prior to 3.x support both TUN and TAP connections. Starting with version 3.0, the client only supports TUN. If you want your device to be able to communicate with other devices on your network when connecting, it must use TAP. TUN is just for access to the Internet it seems, for example if you're traveling in another country and you're trying to watch Netflix in your own country.

       

      With that said, I'm using OpenVPN client 2.5, which supports both TAP and TUN protocols.

       

      Currently I am physically remote trying to connect back to my router using vpn.

       

      Here's my config (I have X'd out my DDNS hostname):

       

      client
      dev tap
      proto udp
      sndbuf 393216
      rcvbuf 393216
      push "sndbuf 393216"
      push "rcvbuf 393216"
      dev-node NETGEAR-VPN
      remote xxxxxxx.mynetgear.com 12974
      resolv-retry infinite
      nobind
      persist-key
      persist-tun
      ca ca.crt
      cert client.crt
      key client.key
      cipher AES-128-CBC
      comp-lzo
      verb 0
      route-gateway 192.168.1.1

      • CrimpOn
        Guru

        I forgot to ask that the Orbi is the only router.  i.e. the Orbi WAN IP is the public IP?

         

        The Windows ovpn file created by my Orbi looks like this:

        client
        dev tap
        proto udp
        dev-node NETGEAR-VPN
        remote xxxxxx.mynetgear.com 12974
        resolv-retry infinite
        nobind
        persist-key
        persist-tun
        ca ca.crt
        cert client.crt
        key client.key
        cipher AES-128-CBC
        comp-lzo
        verb 0
        sndbuf 393216
        rcvbuf 393216
        route-method exe

        There is no 'gateway' in my ovpn file.

         

        My understanding of the tun/tap difference is that tap puts the VPN client in the same IP subnet as the Orbi LAN, and thus all broadcast messages go across the VPN tunnel (in both directions). Here's how Wikipedia describes it:

        https://en.wikipedia.org/wiki/TUN/TAP 

        Though both are for tunneling purposes, TUN and TAP can't be used together because they transmit and receive packets at different layers of the network stack. TUN, namely network TUNnel, simulates a network layer device and operates in layer 3 carrying IP packets. TAP, namely network TAP, simulates a link layer device and operates in layer 2 carrying Ethernet frames. TUN is used with routing. TAP can be used to create a user space network bridge.

         

        The configuration files Orbi produces for Windows and 'non-Windows' (i.e. Linux) both specify tap as the default.  The configuration file Orbi produces for 'smartphones' specified tun because iPhones and Android phones are restricted to using tun. Both tap and tun allow access to devices on the LAN.  (I just verified this with my Android phone using tun)

         

        When my Android phone opens a VPN connection to the Orbi, it gets an IP address of 192.168.2.2.  The gateway is 192.168.2.1 (the Orbi).  However, if I ping 192.168.1.4 (my printer), the printer responds. The Orbi routes between subnets 2.x and 1.x automatically.
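
An added example, not part of any post in this thread and not NETGEAR or OpenVPN code: a small Python check that reads a client profile and flags the mismatches discussed above (a `dev` mode that does not match the listener port, a tap profile loaded into a tun-only client, and `verb 0` hiding diagnostics). The port map is an assumption taken from the ports reported in this thread for one Orbi; the hostname and sample profile are constructed.

```python
# Assumption: listener ports as reported in this thread for one Orbi (RBR50);
# confirm them on your own router's VPN Service page.
ORBI_PORTS = {"tun": 12973, "tap": 12974}

# Constructed sample: a tap profile edited to "dev tun" without changing the port.
SAMPLE_MISMATCH = """\
client
dev tun
proto udp
remote vpn.example.invalid 12974
verb 0
"""


def parse_ovpn(text):
    """Map each directive to the arguments of its first occurrence."""
    first = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":   # blank line or comment
            continue
        name, *args = line.split()
        first.setdefault(name, args)
    return first


def lint_profile(text, tun_only_client=False):
    """Return a list of findings; an empty list means no mismatch was detected."""
    opts = parse_ovpn(text)
    findings = []
    dev = (opts.get("dev") or [""])[0]
    mode = dev[:3]                         # "tun0" -> "tun", "tap" -> "tap"
    if mode not in ORBI_PORTS:
        return [f"dev '{dev}' is neither tun nor tap"]
    remote = opts.get("remote", [])
    if len(remote) < 2 or not remote[1].isdigit():
        findings.append("remote has no explicit port")
    elif int(remote[1]) != ORBI_PORTS[mode]:
        findings.append(f"dev {mode} expects port {ORBI_PORTS[mode]}, profile uses {remote[1]}")
    if mode == "tap" and tun_only_client:
        findings.append("profile is tap but the client supports tun only")
    if opts.get("verb") == ["0"]:
        findings.append("verb 0 suppresses all but fatal errors; raise it while troubleshooting")
    return findings


if __name__ == "__main__":
    for finding in lint_profile(SAMPLE_MISMATCH):
        print("WARN:", finding)
```

Pass `tun_only_client=True` when the profile is going to be imported into a client that the thread describes as tun-only, such as OpenVPN Connect 3.x.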