AC680U and Merlin FW question

taelvin

Occasional Visitor
Good Afternoon,

I hope this question is permitted in this section of the boards. If it would be better in a different area please let me know and I will move it.

I have been investigating three routers to use at my parents' house. They are the Linksys WRT1900AC, Asus AC680U, and Netgear R7000.

I am a medical student and I live on the opposite coast from my parents. They are not technically savvy, but they recently asked if I could help them get high speed internet and a wireless home speaker system that is easy to set up for them. They are going to start with a couple of Sonos products and their entire music collection is only 60GB, so I did not feel like a NAS was necessary for them. Instead, I figured I would just plug a quality USB 3.0 thumb drive into the router and let Sonos pull from there.

But back to why I posted in this forum....

Since I am on the opposite coast I need to be able to access their router remotely to keep it updated, troubleshoot or change settings for them, and if possible modify files on the attached USB drive. I also need a router that is stable and doesn't use a FW that I will be constantly troubleshooting. While the WRT1900AC has better storage performance (see link), it seems to be having tremendous stability issues as a new router and, as seen in the SNB reviews, trouble communicating with other Broadcom chips (i.e. all the Apple products my parents own).

Then I discovered Merlin's FW for Asus and it seems immensely supported here as stable and a "just works well" piece of FW. Even though the 680U doesn't have good USB 3.0 performance, it should still be enough to stream data to Sonos. Do you guys think it will do what I need in terms of remote management and maintaining their network?

http://www.smallnetbuilder.com/wireless/wireless-reviews/32393-linksys-wrt1900ac-ac1900-dual-band-wireless-router-review?showall=&start=3
 
IMHO, for streaming music, no matter what quality codec/compression is used for the audio-data, the performance of a USB3.0 disk is not needed at all.

Edit:
in addition, I'd not get a thumb drive but a High-performance SD-Card (SDXC-class10 or better, like UHS-I) along with a USB3-reader.
..and I'd rather get 2 of these (card+reader) in order to be able to move/add/update the collection separately from the "operational" setup
 
Thank you for your fast reply Ford,

I was thinking the same thing. But I guess I am more concerned at this point about if the FW will support my needs in terms of maintaining the router remotely and managing the USB thumb drive attached to it for my parents.

The AIcloud "Smart Access" is a bit vague at this point and seems more like just a way to access files remotely rather than manage the router remotely, and I have read about some security issues with the AIcloud, but then again there will just be music on the drive.
 
...you actually don't need to rely on the AICloud feature.
All you need is to enable OpenVPN Server (for security reasons ;-) ) and then access the router config (via Web-UI) and data/drive (via the SMB share).

...works like a charm.
 
Ford P,

That would be excellent. Though, to be honest, I am not familiar with setting up an OpenVPN server. A quick Google search seemed to refer me to a corporate .net page and did not seem specific to the Asus running Merlin's FW. The other page I found was for an older version of Merlin's FW and related to Windows OS. Is there a spot or guide you might recommend I can look into to learn how to set this feature up on the 680U running the most recent version of MerlinFW? And does this process involve subscribing to a site's service for a host pass through (I think one example that had a Merlin 680U guide was a place called "hidemyass")?

Thank you for your help with this!

Chad
 
...setting up your own OpenVPN Server does not need any subscription to a VPN Service provider.
It will simply enable you to open access to the router (and the network behind it) in a secure way....you will need to set up and configure the OpenVPN client on your PC in order to access "your" OpenVPN server, obviously.


OpenVPN (https://openvpn.net/index.php/open-source.html) is fairly standardised and almost all guides should work OK.
There is a wiki entry for the Merlin FW, here: https://github.com/RMerl/asuswrt-merlin/wiki/Configuring-OpenVPN.
When I said "secure way", this means with the use of certificates, as described in the wiki.
Do *not* use the username/password option that is also available for authentication!!!!

One remark: using AICloud or direct access to your data drive via a broadband service is/will be not a lot of fun when 60GB of data is involved.
Mind you that broadband bandwidth is different on upload and download side.
When you write to your parents' drive it will be your upload that will limit the speed, and when you read from that drive, it will be your parents' upload bandwidth that will limit the performance.
I'd pre-load the data locally ;-)
 
Thanks Ford,

I found an OpenVPN client for Mac (https://code.google.com/p/tunnelblick/) to use once I get the server set up on the 680U.

I plan on having the router sent to me first for me to configure (set up the SSID, security, etc) and I will load the USB thumb drive with the music in an organized fashion. I am hoping that my parents literally just have to plug everything in at the right spots (which I can help them do over FaceTime) and that when the router boots up it will auto detect and work with their cable modem.

The only issue I am concerned about in terms of setting up the OpenVPN server on the 680U is that I won't know their Dynamic external IP address to set up a hostname at DynDNS.com. Any ideas on how I might work around that? I was thinking I could maybe set up an insecure way to access the router remotely before I ship it to them and then once they plug it in at their home and the internet works I can remote into it and set up the OpenVPN then since I will be able to see what their first Dynamic public IP is issued to the cable modem.

Chad
 
Yes, DDNS could be a challenge in this.
But AFAIK (don't use it myself) ASUS offers their own DDNS service and I *think* this is tied to the WAN-MAC address of the ASUS.
So when you use that service when setting up the ASUS on your side, it should reconnect at your parents' place and will be reachable under the same DDNS name.

...you could test it from a friend's place nearby before shipping it across the continent.
 
...I don't use a Mac but by the looks, "tunnelblick" is not a client, only a GUI frontend.
Maybe OpenVPN can be added or is available in OSX natively?
 
Also just discovered DynDNS no longer provides a free host service haha. Do you use a paid one or a free one for your set-up?

I might try and get a slightly more technically capable friend to stop by my parents' house and plug into the cable modem before I ship it out.
 
My ISP provides a free DDNS service for their customers.
Also, my setup is even a bit more complicated, as the ASUS is not my main router ;-)
 
...I don't use a Mac but by the looks, "tunnelblick" is not a client, only a GUI frontend.
Maybe OpenVPN can be added or is available in OSX natively?

I could just be confused since I just learned about OpenVPN today (though I am slightly familiar with the concept as we use one at work) but....it says on openVPN.net that Tunnelblick is their designated Mac client and it has OpenVPN in it? Am I misunderstanding what a client is?

https://openvpn.net/index.php/access-server/docs/admin-guides/183-how-to-connect-to-access-server-from-a-mac.html
 
Yeah, the Google Code site also states it does come with all binaries and drivers.
Maybe I was on the wrong track.

...regarding DDNS...I just checked...the ASUS service is included as a standard in the UI-config of the ASUS...I'd try that first.

 
That is great! Thank you for checking for me!

Now I just need to select which bottle of wine will get me through the command line work to get the OpenVPN server set up and the certificate files prepared per the guide at http://www.howtogeek.com/60774/connect-to-your-home-network-from-anywhere-with-openvpn-and-tomato/ :)

Thank you for all your help today Ford! My parents will be excited to have music in their home and the ability to FaceTime with my siblings. Ever since I moved for school to the East Coast technology in the house sort of withered and died. When I went back home for Winter Break they had the old Pre-N Netgear router as a paperweight in the back office :(:confused:
 
no worries...it'll work out fine, I am sure.

OpenVPN is very standardized.
I did not set-up OpenVPN server on my ASUS in the first place..I did this on my previous non-ASUS router and simply copied all certs into the ASUS OPENVPN server config via the ASUS UI...it simply worked.

....saying that, I am simply confident that all you have to do is follow any tutorial that will allow you to create server and client certificates...once you have these, locate them and copy them over.

Edit: this explains how to do that: http://www.yasti.be/?p=168 ...part-1 in that blog creates the certs under windows..obviously, you will need to do that using tunnelblick.
 
Do you use yours as a Routed or Bridged VPN? I was thinking if I set it up as a Bridged VPN I could install the Sonos music player on my Mac and when I have the Bridged VPN active I could control my parents' music if they needed help since it would basically be as if I was on that network.

Chad
 
I use routed (using TUN interface) mode.
Bridge Mode has some advantages when you rely on protocol parts below IP, but it will consume more bandwidth and router CPU resources.
Also you will need to run both sides on the same IP subnet, which introduces the problem - when the VPN connection is not always on - of providing two DHCP servers and avoiding IP-range/address conflicts.
 
Ford,

I set up two OpenVPN TUN servers in my parents' router. Server1 uses TCP on port 443 (not planning on using AiCloud so figured it would be useful when I am behind "strict" firewalls like some users have described) and Server2 uses UDP on port 1194. I was able to connect from school to the router administration page using both with my Windows OpenVPN 2.3.4 client this morning.

One thing I was wondering about though: when I typed the router's IP (the generic 192.1...) to access the Administration interface I noticed that Windows IE was displaying the address as http://192.....

As a result, when the login prompt displayed asking for the router username and password it said that the information was going to be sent using basic encryption (or something like that).

Should I be setting it up to use https://192... ? It was my understanding that even if I am using a public wifi for internet access that when I connect using OpenVPN client and then access the router through the browser (as if I were at home on the LAN) it is basically a private exchange.

My other question was more general. Now that I have set up the Wireless broadcasts and OpenVPN servers...can you think of any other settings I should change or check out before I send the router to my parents?

For instance, under the Administration tab I have left alone the "Enable Telnet, Enable SSH, Allow SSH Port Forwarding, SSH service port, Allow SSH access from WAN, etc" at the defaults (which is all "No").
 
congrats!...That looks good, doesn't it?

...Windows complaining that the http://192..... connection is insecure is - from the point of view of Windows - correct, as Windows does not know that the VPN exists and is used (with encryption, which is secure).
Going HTTPS://192... is *more* secure because the browser connection/socket will be encrypted as well, but you need a sniffer inside the network stack of your PC to get to the password when it is entered (when you stick to using http://192.....)

...do *not* enable any ports on WAN besides the one for OpenVPN server(s).
There is no need to do that in your scenario, AFAI would tell.
Once you have the VPN connection established, the router sees all connections from LAN side...that is the trick.

What else:
- did you enable TLS auth for the OpenVPN server(s)?...this will secure the open ports even more...use a static 1024bit certificate and test with your client.
Edit: don't get confused with using a static cert for OpenVPN...this is just for authentication on socket level, before OpenVPN kicks in...it is an additional layer of security.
- You also should test access to the attached drive via VPN before shipping the router. AFAIR this is what your efforts were all about.
Edit: also maybe enable FTP (remark: not on WAN!!) as it will be faster to access the files with it as compared to access via SMB.
 
"...do *not* enable any ports on WAN besides the one for OpenVPN server(s).
There is no need to do that in your scenario, AFAI would tell."

I have pretty much left the WAN tab alone. I am hoping that setting up the VPN configured whatever it needed for ports. I did do a Shield scan of the ports and the only one it says is open is 443 but that is normal I believe. Everything else was stealth.


"did you enable TLS auth for the OpenVPN server(s)?...this will secure the open ports even more...use a static 1024bit certificate and test with your client."

Where do I check this? My cipher is AES-256-CBC and the Authorization Mode is TLS. Do you mean the option next to "Extra HMAC authorization (tls-auth)"? It is disabled.

One problem I am having a hard time with is I have been googling away for a guide on how to enable the router to mount the USB drive automatically after a reboot. I know I need my JFFS partition enabled and formatted (and it is). But I looked through the README file and I couldn't find the script for doing this. My Google search has only come up with examples of people writing a script to mount and unmount it at different times of the day (which I didn't need).
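
Added example, not part of any post in this thread and not code from the Merlin firmware: a short Python check that reads an OpenVPN server config and flags the points raised above (certificate authentication rather than username/password only, and the tls-auth option). The sample config is constructed to match the settings described in the last post, and the file names in it are placeholders.

```python
# Constructed sample modelled on the settings described in the thread:
# TUN, TCP 443, AES-256-CBC, TLS (certificate) auth, tls-auth disabled.
# File names are placeholders.
SAMPLE_CONF = """\
dev tun
proto tcp-server
port 443
ca ca.crt
cert server.crt
key server.key
dh dh.pem
cipher AES-256-CBC
"""

def parse(conf_text):
    """Map each OpenVPN directive to the list of its argument lists."""
    directives = {}
    for line in conf_text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0][0] in "#;":
            continue
        # Inline blocks such as <ca>...</ca> count as the directive "ca".
        directives.setdefault(tokens[0].strip("<>"), []).append(tokens[1:])
    return directives

def audit(conf_text):
    """Return findings for the hardening points raised in the thread."""
    d = parse(conf_text)
    findings = []
    missing = [k for k in ("ca", "cert", "key") if k not in d]
    if missing:
        findings.append("missing certificate material: " + ", ".join(missing))
    # Either directive lets a client connect without its own certificate.
    relaxed = any(a[:1] in (["none"], ["optional"])
                  for a in d.get("verify-client-cert", []))
    if "client-cert-not-required" in d or relaxed:
        findings.append("client certificate not enforced")
    if "tls-auth" not in d and "tls-crypt" not in d:
        findings.append("no tls-auth or tls-crypt key configured")
    if "secret" in d:
        findings.append("static-key mode instead of TLS certificates")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF) or ["no findings"]:
        print(finding)
```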
 