pandabe4r
Oct 09, 2021, Tutor
OpenVPN client issues / cannot connect remotely / Orbi RBR850
I have a weird issue trying to set up the VPN service my new Orbi RBR850 router. Here's what I have configured so far, following the guide found here: I have enabled the VPN service under Advanced...
- Oct 09, 2021
SOLVED!
So I decided to go with the latest OpenVPN Connect client that exclusively uses TUN.
https://openvpn.net/downloads/openvpn-connect-v3-windows.msi
I then edited the .ovpn config file before importing to change the default to TUN and the port to 12973. See below.
After importing, I connected just fine and am able to connect to all my devices, RDP, and browse internet.
Don't know why Orbi's instructions point to the older 2.5 client, but the latest version is the way to go.
client
dev tun
proto udp
sndbuf 393216
rcvbuf 393216
push "sndbuf 393216"
push "rcvbuf 393216"
dev-node NETGEAR-VPN
remote XXXXXXX.mynetgear.com 12973
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
cipher AES-128-CBC
comp-lzo
verb 0
pandabe4r
Oct 09, 2021, Tutor
As I understand it, OpenVPN client versions prior to 3.x support both TUN and TAP connections. Starting with version 3.0, the client only supports TUN. If you want your device to be able to communicate with other devices on your network when connecting, it must use TAP. TUN is just for access to the Internet it seems, for example if you're traveling in another country and you're trying to watch Netflix in your own country.
With that said, I'm using OpenVPN client 2.5, which supports both TAP and TUN protocols.
Currently I am physically remote trying to connect back to my router using vpn.
Here's my config (I have X'd out my DDNS hostname):
client
dev tap
proto udp
sndbuf 393216
rcvbuf 393216
push "sndbuf 393216"
push "rcvbuf 393216"
dev-node NETGEAR-VPN
remote xxxxxxx.mynetgear.com 12974
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
cipher AES-128-CBC
comp-lzo
verb 0
route-gateway 192.168.1.1
CrimpOn
Oct 09, 2021, Guru - Experienced User
I forgot to ask: is the Orbi the only router, i.e. is the Orbi WAN IP the public IP?
The Windows ovpn file created by my Orbi looks like this:
client
dev tap
proto udp
dev-node NETGEAR-VPN
remote xxxxxx.mynetgear.com 12974
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
cipher AES-128-CBC
comp-lzo
verb 0
sndbuf 393216
rcvbuf 393216
route-method exe
There is no 'gateway' in my ovpn file.
My understanding of the tun/tap difference is that tap puts the VPN client in the same IP subnet as the Orbi LAN, and thus all broadcast messages go across the VPN tunnel (in both directions). Here's how Wikipedia describes it:
https://en.wikipedia.org/wiki/TUN/TAP
Though both are for tunneling purposes, TUN and TAP can't be used together because they transmit and receive packets at different layers of the network stack. TUN, namely network TUNnel, simulates a network layer device and operates in layer 3 carrying IP packets. TAP, namely network TAP, simulates a link layer device and operates in layer 2 carrying Ethernet frames. TUN is used with routing. TAP can be used to create a user space network bridge.
The configuration files Orbi produces for Windows and 'non-Windows' (i.e. Linux) both specify tap as the default. The configuration file Orbi produces for 'smartphones' specified tun because iPhones and Android phones are restricted to using tun. Both tap and tun allow access to devices on the LAN. (I just verified this with my Android phone using tun)
When my Android phone opens a VPN connection to the Orbi, it gets an IP address of 192.168.2.2. The gateway is 192.168.2.1 (the Orbi). However, if I ping 192.168.1.4 (my printer), the printer responds. The Orbi routes between subnets 2.x and 1.x automatically.
CrimpOn, Oct 09, 2021, Guru - Experienced User
Another "gotcha" in the tap/tun situation is that it is essential that the device running OpenVPN not have an IP address in the same subnet as the Orbi LAN. Imagine this:
- A computer is connected to the LAN network of a router and is assigned an IP address of 192.168.1.x1 with subnet mask 255.255.255.0
- OpenVPN is run on the computer and connected to a tap connection on the Orbi router. Orbi assigns an IP address of 192.168.1.x2 with a subnet mask of 255.255.255.0
- Where is subnet 192.168.1.x? Is it on the native ethernet/WiFi port where the computer is 192.168.1.x1, or is it on the OpenVPN port where the computer has IP address 192.168.1.x2?
For me, this has never been an issue because I typically connect to a Hot Spot on my phone, which hands out 192.168.43.x IP addresses. All subnets from 0 through 254 are valid private IP addresses. Maybe some engineer was thinking ahead, "what if someone attempts to open a VPN on this phone's Hot Spot?" Or, maybe just dumb luck.
So, when OpenVPN was tested remotely, what was it connected to? What IP address did it have?
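The subnet "gotcha" above (and the tun routing behaviour described in the earlier post) can be checked before connecting. This is an added example, not from the thread or from NETGEAR; it assumes the Orbi LAN is 192.168.1.0/24 and the tun client pool is 192.168.2.0/24, as the posts describe, and reads the tunnel mode from the .ovpn file's "dev" line.

```python
import ipaddress

# Values taken from the thread: the Orbi LAN is 192.168.1.0/24, and a tun client
# is handed 192.168.2.2 with gateway 192.168.2.1, i.e. a 192.168.2.0/24 pool.
# Both are assumptions for this example; adjust them to your own router.
ORBI_LAN = ipaddress.ip_network("192.168.1.0/24")
ORBI_TUN_POOL = ipaddress.ip_network("192.168.2.0/24")

# Constructed sample .ovpn fragment (same directives as the thread's configs).
SAMPLE_OVPN = "client\ndev tap\nproto udp\nremote xxxxxxx.mynetgear.com 12974\n"


def vpn_mode(ovpn_text: str) -> str:
    """Return 'tun' or 'tap' from the first 'dev' directive of an .ovpn file."""
    for line in ovpn_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "dev":
            return parts[1]
    raise ValueError("no 'dev' directive found")


def reachable_via_vpn(mode: str):
    """Networks the client will reach through the tunnel.
    tap: the client is placed directly in the Orbi LAN subnet.
    tun: the client sits in the tun pool and the Orbi routes it to the LAN."""
    if mode == "tap":
        return [ORBI_LAN]
    if mode == "tun":
        return [ORBI_TUN_POOL, ORBI_LAN]
    raise ValueError(f"unknown dev type {mode!r}")


def subnet_conflicts(local_ip_with_mask: str, mode: str):
    """Return VPN-side networks that overlap the client's own interface network.
    Any hit means the OS cannot tell whether 192.168.x.y is local or remote."""
    local = ipaddress.ip_interface(local_ip_with_mask).network
    return [str(n) for n in reachable_via_vpn(mode) if n.overlaps(local)]


def check_config(ovpn_text: str, local_ip_with_mask: str) -> str:
    """One-line verdict for a given .ovpn file and the client's current address."""
    mode = vpn_mode(ovpn_text)
    hits = subnet_conflicts(local_ip_with_mask, mode)
    if hits:
        return f"{mode}: local network collides with {', '.join(hits)}"
    return f"{mode}: no subnet collision"


if __name__ == "__main__":
    # Phone hot spot (192.168.43.x) is fine; a LAN on 192.168.1.x is ambiguous.
    print(check_config(SAMPLE_OVPN, "192.168.43.7/24"))
    print(check_config(SAMPLE_OVPN, "192.168.1.50/24"))
```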