ER605 OpenVPN client - missed routes to remote networks (and DNS server)
This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
[2023/06/06] Update: SOLVED! The routes to remote networks are not missing! No issue here.
The issue (that can mislead) is in the routing table shown on the web interface (Transmission / Routing / Routing Table). It doesn't show existing routes that were set by the OpenVPN client!
---
Hi,
I'm trying to setup a OpenVPN client on my ER605.
But the router doesn't seem to "learn" the routes pushed by the VPN server (nor DNS servers). 
My current status:
- I was able to setup the OpenVPN client up to the point that the tunnel gets up!
+ I provided user+pass; server and port; .ovpn file (provided by the OpenVPN server - check bellow), etc...
+ I can se it on "OpenVPN Tunnel List" with traffic on going;
+ I can ping the VPN gateway, 172.16.20.1
(I happen to know the IP of the GW. The router didn't learn! Doesn't have any route with Next Hop to the GW IP)
My issue:
- In the "Routing Table" I can only see the local VPN network (in my case 172.16.20.0/24).
- There are no other routes to remote networks on the VPN server side :(
+ I know that the server is pushing all the information. Routes and DNS servers for local Connection-specific DNS Suffix.
+ I tested before this .ovpn file in a windows PC on my LAN and works (the PC leanrs the routes and DNS). I can access servers on the remote network. (BTW, that's why I knew the IP of the remote GW to ping it)
Anything I missed? Probably something tha should be added to .ovpn file? (check bellow)
Because it seems that there's nothing else I can do (configure).
Thank ou for any support.
BR,
PBraga
PS: I know I can set static routes to the remote networks and probably set hosts (name to IP resolution) on my PCs but that's not a solution! :(
(I will do this anyway as a temporarily solution to the problem, so I can work...)
------------------------------------------------------------------------------------------------
-------------------------------------- more info --------------------------------------------
------------------------------------------------------------------------------------------------
My .ovpn file:
---<START OF OVPN FILE>---
dev tun
client
proto tcp
<ca>
-----BEGIN CERTIFICATE-----
(certifiate...)
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
(certifiate...)
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
(certifiate...)
-----END PRIVATE KEY-----
</key>
remote-cert-eku "TLS Web Server Authentication"
remote (x.x.x.x) (port)
remote (y.y.y.y) (port)
persist-key
persist-tun
verb 3
mute 20
keepalive 10 60
cipher AES-256-CBC
auth SHA256
float
reneg-sec 28800
nobind
mute-replay-warnings
auth-user-pass
tls-version-min 1.2
;remember_connection 0
;auto_reconnect 1
---<END OF OVPN FILE>---
The routing table:
I finally got the issue. I was misled by the ER605's reported routing table. 
Although routes are not shown on the web based interface (in the routing table), they effectively exist and work!
I tried pinging a server on a remote network and the packets followed the right route. I can ping and I'm already using the services on servers on the remote network 
.
@Virgo , thank you very much for your support 
-- (how about DNS server?) --
How I solved (so far) the DNS issue --> the customer has a private DNS server to resolve their domain host names to internal private addresses (10., 172.16-31. and 192.168.).
I just added statically the DNS server in my DHCP DNS information (so my devices on the Net request name resolution to this IP) as the primary server. The secondary DNS server I provided my ISP's DNS (to use when VPN is down).
I did some tests switching off and on the OpenVPN client tunnel and everything works perfectly. Let's see how I can handle DNS issues when I have other customers... I was hoping to have several VPN connections active at the same time.
Probably I will have to setup a dedicated DNS server in a Linux box (some old RaspberryPI) to forward requests to DNS servers based on domains (just using dnsmasq for example).
Meanwhile, let's hope some DNS functionalities will be available on ER605 in the near future... 
Hi @Virgo ,
Thank you very much for you reply.
That's really disappointing news... :/
I already had thought about the logs. When I was having this issue, first reaction that I had was "let's look at the logs..." but I could only find DHCP entries basically :(
So, I guess that this being a professional series, there is not going to be a lot of support for OpenVPN client-server use case.
(unfortunately that is the VPN connection I get from my current customer)
So this triggers two question.
(@Virgo, if you could provide your opinion/answer I would really appreciate)
Question1: if I install the Omada controller, will I have better and more complete configuration options on ER605's remote management?
Question2 :I don't know how to setup static routes for VPN tunnels.
In the static route page I can only set routes for next hops in LAN or in one of the WANs.
I feel on a deadend... :|
I'm feeling like in twilight zone :P kind of... "why the hell is there a menu for OpenVPN if it can't be used?" Probably I'm missing some very basic thing here...
(I did try adding a route to the VPN GW defining the interface as WAN, but as expected it didn't work. The GW is not on the WAN network, but on the tun0 network.)
Again, thank you for your contribution!
BR,
Pedro
As far as I'm concerned, you can use the SNMP and SSH on the controller, check this:
Take a look, this may help you: The difference between Standalone mode and Controller mode
Note that you can not login the standalone web anymore once the router is managed by the controller.
As I see it, it is just the same as you can not choose the OpenVPN tunnel in the policy routing rule, it doesn't support choosing the VPN tunnel on the static routes either.
Hi @Virgo ,
I read your answer and the big question is getting even bigger! :/
«As I see it, it is just the same as you can not choose the OpenVPN tunnel in the policy routing rule, it doesn't support choosing the VPN tunnel on the static routes either.»
HOW can we establish routes to the VPN tunnel?!
That's the B$1 question!
In other words HOW can we use an OpenVPN?
Did TP-Link assumed that the VPN server would have their servers right on the VPN network (the connecting network)?
Do you know if I can I place this question to TP-Link directly?
--
Nothing better than a diagram to illustrate :P
My customer has servers that he is granting remote access via OpenVPN. He has set a "connection VPN network", in this case 172.16.20.0/24, but, OF COURSE, he didn't "place" any servers on that "connection network".
He can then set whatever routing rules between that externally accessible VPN network and his internal networks.
If I'm not able to set routes in my ER605 to the tunnel, then I am not able to reach to my customer remote networks. Only if he had some server on the VPN network, like 172.16.20.2, which of course he doesn't!
I finally got the issue. I was misled by the ER605's reported routing table.
Although routes are not shown on the web based interface (in the routing table), they effectively exist and work!
I tried pinging a server on a remote network and the packets followed the right route. I can ping and I'm already using the services on servers on the remote network .
@Virgo , thank you very much for your support
-- (how about DNS server?) --
How I solved (so far) the DNS issue --> the customer has a private DNS server to resolve their domain host names to internal private addresses (10., 172.16-31. and 192.168.).
I just added statically the DNS server in my DHCP DNS information (so my devices on the Net request name resolution to this IP) as the primary server. The secondary DNS server I provided my ISP's DNS (to use when VPN is down).
I did some tests switching off and on the OpenVPN client tunnel and everything works perfectly. Let's see how I can handle DNS issues when I have other customers... I was hoping to have several VPN connections active at the same time.
Probably I will have to setup a dedicated DNS server in a Linux box (some old RaspberryPI) to forward requests to DNS servers based on domains (just using dnsmasq for example).
Meanwhile, let's hope some DNS functionalities will be available on ER605 in the near future...