What's new

Beta ASUS Instant Guard iOS/Android public beta

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

I can appreciate that.

Instant Guard appears as a separate tab, not under VPN Server settings.

I was hoping that it might be a special portal into the router, rather than just a standard VPN Server config. Because Asus is the manufacturer, that should have been possible.
 
I can appreciate that.

Instant Guard appears as a separate tab, not under VPN Server settings.

I was hoping that it might be a special portal into the router, rather than just a standard VPN Server config. Because Asus is the manufacturer, that should have been possible.
Princi,
  • ASUSWRT_2020 did mentioned that Instant Guard is IPSec VPN under the hood, the intention is to make it easier and seamless for simple users who have trouble configuring it correctly themselves the usual way.
  • I have a separate IPSec VPN Server set up together with Instant Guard, I can confirm that they actually share the same secret key (in iOS) and Pre-Shared Key (in ASUS Router GUI). I like to manage my own Key, vs uses cryptic key generated by Instant Guard :)
  • Hope you find a solution for your requirements
 
Thanks LimJK.

I would have thought that IPSec and OpenVPN were able to function side-by-side, unless there is some sort of h/w restriction.

I‘m still hopeful. I‘ve confirmed that there is no issue with the Astrill VPN Router applet, and suspect that Instant Guard „steals“ the TUN device Astrill was using, when you try to establish an IG connection.

The Astrill VPN Router Applet is on shaky ground because it‘s not supported under stock firmware, and uses a sort of backdoor approach under Merlin. RMerlin may choose to correct me here - I don‘t know the full details.

Anyway, I’m in the same boat as you at the moment. Waiting for my wife to stop using the Internet so that I can tinker with it.

UPDATE:

Tried again. This time "User Authentication failed" not "Unable to establish connection"

I'm going to give it a rest until the next release of ASUSWRT / Merlin drops - then I'll try again.
 
Last edited:
Thanks LimJK.

I would have thought that IPSec and OpenVPN were able to function side-by-side, unless there is some sort of h/w restriction.

I‘m still hopeful. I‘ve confirmed that there is no issue with the Astrill VPN Router applet, and suspect that Instant Guard „steals“ the TUN device Astrill was using, when you try to establish an IG connection.

The Astrill VPN Router Applet is on shaky ground because it‘s not supported under stock firmware, and uses a sort of backdoor approach under Merlin. RMerlin may choose to correct me here - I don‘t know the full details.

Anyway, I’m in the same boat as you at the moment. Waiting for my wife to stop using the Internet so that I can tinker with it.

UPDATE:

Tried again. This time "User Authentication failed" not "Unable to establish connection"

I'm going to give it a rest until the next release of ASUSWRT / Merlin drops - then I'll try again.
It's unfortunate because I'd like some sort of easy way to change VPN servers on my XT8. At least the beta Asus Android app allows you to do it from mobile, unfortunately the beta iOS app doesn't.
 
It's unfortunate because I'd like some sort of easy way to change VPN servers on my XT8. At least the beta Asus Android app allows you to do it from mobile, unfortunately the beta iOS app doesn't.
Yes, I’m looking for the same feature.

Interesting that it’s possible on Android. ASUSWRT2020 commented that it’s to do with the respective App Store policies. Anything to do with VPN means it’s more likely to get rejected - and one is more restrictive than the other.
 
I’d like to revisit my attempt to establish an Instant Guard connection - while having an OpenVPN client session active - using the 40997 stock firmware for the AC86U. It’s available for Merlin, but I would like to try stock.

I had very promising results on my AX88U (Merlin) this morning, so this might still be possible.

My AX88U config uses the Astrill VPN Router applet which could either complicate things, or make things possible that you can’t do with stock.
 
Instant Guard worked well this morning - but only once. Then I started getting "User authentication failed" again

Nov 23 01:48:50 07[CFG] looking for XAuthInitPSK peer configs matching 101.100.xxx.160...111.65.71.177[100.106.125.65]
Nov 23 01:48:50 07[CFG] selected peer config "Host-to-Net"
Nov 23 01:48:50 07[ENC] generating ID_PROT response 0 [ ID HASH ]
Nov 23 01:48:50 07[NET] sending packet: from 101.100.xxx.160[4500] to 111.65.71.177[8377] (76 bytes)
Nov 23 01:48:50 07[ENC] generating TRANSACTION request 250432604 [ HASH CPRQ(X_USER X_PWD) ]
Nov 23 01:48:50 07[NET] sending packet: from 101.100.xxx.160[4500] to 111.65.71.177[8377] (76 bytes)
Nov 23 01:48:50 06[NET] received packet: from 111.65.71.177[8377] to 101.100.xxx.160[4500] (140 bytes)
Nov 23 01:48:50 06[ENC] parsed TRANSACTION response 250432604 [ HASH CPRP(X_USER X_PWD) ]
Nov 23 01:48:50 06[IKE] no XAuth secret found for '101.100.xxx.160' - '6FB5B59C452A4EEF8A18BFBB28B3EA00'
Nov 23 01:48:50 06[IKE] XAuth authentication of '6FB5B59C452A4EEF8A18BFBB28B3EA00' failed

This is of course after rebooting the router, and attempting to reset everything. The xxx's are there just to protect my public IP address

Please let me know if having the incorrect timezone on the router could cause this problem.
 
Instant Guard worked well this morning - but only once. Then I started getting "User authentication failed" again

Nov 23 01:48:50 07[CFG] looking for XAuthInitPSK peer configs matching 101.100.xxx.160...111.65.71.177[100.106.125.65]
Nov 23 01:48:50 07[CFG] selected peer config "Host-to-Net"
Nov 23 01:48:50 07[ENC] generating ID_PROT response 0 [ ID HASH ]
Nov 23 01:48:50 07[NET] sending packet: from 101.100.xxx.160[4500] to 111.65.71.177[8377] (76 bytes)
Nov 23 01:48:50 07[ENC] generating TRANSACTION request 250432604 [ HASH CPRQ(X_USER X_PWD) ]
Nov 23 01:48:50 07[NET] sending packet: from 101.100.xxx.160[4500] to 111.65.71.177[8377] (76 bytes)
Nov 23 01:48:50 06[NET] received packet: from 111.65.71.177[8377] to 101.100.xxx.160[4500] (140 bytes)
Nov 23 01:48:50 06[ENC] parsed TRANSACTION response 250432604 [ HASH CPRP(X_USER X_PWD) ]
Nov 23 01:48:50 06[IKE] no XAuth secret found for '101.100.xxx.160' - '6FB5B59C452A4EEF8A18BFBB28B3EA00'
Nov 23 01:48:50 06[IKE] XAuth authentication of '6FB5B59C452A4EEF8A18BFBB28B3EA00' failed

This is of course after rebooting the router, and attempting to reset everything. The xxx's are there just to protect my public IP address

Please let me know if having the incorrect timezone on the router could cause this problem.
I don't think incorrect timezone will cause Instant Guard connection issue. will check logs and let you know if any updates.
 
ASUSWRT_2020,

For me, iOS Instant Guard works most of the time for me, when I am outside of my home network over WiFi or Cellular Network for the last few FW releases. However, I have some occasions where I get similar "User authentication failed" message as Princi too.

My workaround (not sure if it is a proper way) is to start an iOS OpenVPN Connect session with my router, once established, I run iOS Instant Guard and connection will be successful. Once done, I can disconnect my OpenVPN session and Instant Guard will run after that.

I will PM you my Instant Guard log (over the last 48 hours since I use FW 9.0.0.4_386_41157) for you to see if there is something useful. By the way I have IPSec VPN Server setup before setting up Instant Guard, as I wanted to set my own Secret Key / Pre-Shared Key by myself vs using the one auto generator by Asus; not sure does that interfere with Instant Guard.

Edit: Sorry message I got was
 
Last edited:
Instant Guard worked well this morning - but only once. Then I started getting "User authentication failed" again

Nov 23 01:48:50 07[CFG] looking for XAuthInitPSK peer configs matching 101.100.xxx.160...111.65.71.177[100.106.125.65]
Nov 23 01:48:50 07[CFG] selected peer config "Host-to-Net"
Nov 23 01:48:50 07[ENC] generating ID_PROT response 0 [ ID HASH ]
Nov 23 01:48:50 07[NET] sending packet: from 101.100.xxx.160[4500] to 111.65.71.177[8377] (76 bytes)
Nov 23 01:48:50 07[ENC] generating TRANSACTION request 250432604 [ HASH CPRQ(X_USER X_PWD) ]
Nov 23 01:48:50 07[NET] sending packet: from 101.100.xxx.160[4500] to 111.65.71.177[8377] (76 bytes)
Nov 23 01:48:50 06[NET] received packet: from 111.65.71.177[8377] to 101.100.xxx.160[4500] (140 bytes)
Nov 23 01:48:50 06[ENC] parsed TRANSACTION response 250432604 [ HASH CPRP(X_USER X_PWD) ]
Nov 23 01:48:50 06[IKE] no XAuth secret found for '101.100.xxx.160' - '6FB5B59C452A4EEF8A18BFBB28B3EA00'
Nov 23 01:48:50 06[IKE] XAuth authentication of '6FB5B59C452A4EEF8A18BFBB28B3EA00' failed

This is of course after rebooting the router, and attempting to reset everything. The xxx's are there just to protect my public IP address

Please let me know if having the incorrect timezone on the router could cause this problem.

Already PM you, please check :)
 
ASUSWRT_2020,

For me, iOS Instant Guard works most of the time for me, when I am outside of my home network over WiFi or Cellular Network for the last few FW releases. However, I have some occasions where I get similar "User authentication failed" message as Princi too.

My workaround (not sure if it is a proper way) is to start an iOS OpenVPN Connect session with my router, once established, I run iOS Instant Guard and connection will be successful. Once done, I can disconnect my OpenVPN session and Instant Guard will run after that.

I will PM you my Instant Guard log (over the last 48 hours since I use FW 9.0.0.4_386_41157) for you to see if there is something useful. By the way I have IPSec VPN Server setup before setting up Instant Guard, as I wanted to set my own Secret Key / Pre-Shared Key by myself vs using the one auto generator by Asus; not sure does that interfere with Instant Guard.

Edit: Sorry message I got was

If you got the message"User authentication failed", please try to delete model profile and add it again in Instant Guard app.
OpenVPN server and Instant Guard service should work fine together. But VPN client and Instant Guard can't work at the same time, it is current limitation.

Instant Guard service and IPSecVPN Server share the same Pre-Shared key. After changing new Pre-shared key, please update your router profile with drop down main page in Instant Guard app when device connecting to the router.
 
FYI for anyone using a custom ipsec.conf. It must be removed for Instant Guard to work. I guess this is obvious since Instant Guard is dependent on IKEv2.

I (and many others) used the ipsec.conf script from https://www.snbforums.com/threads/asus-ipsec-vpn-server.44973.

What would be nice is to know what is causing the server auth failures so we could use both our custom ipsec.conf and Instant Guard. I believe it might be the ipsec.conf using the Let's Encrypt certificates:

Code:
pc_append "ca letsencrypt" $CONFIG
pc_append "  cacert=/jffs/.le/$(nvram get ddns_hostname_x)/ca.cer" $CONFIG
pc_append "  leftcert=/jffs/.le/$(nvram get ddns_hostname_x)/my.domain.cer" $CONFIG

I'm unsure of the location of the certs to point to with the new IKEv2 support. I'd rather not use Let's Encrypt anyway since it's always been a pain for renewal and the ASUS certs are good until 2026!
 
Hi All,
iOS Asus Router 1.0.0.6.8 and the new iOS Instant Guard appeared on AppStore today. According to the description, the supported Routers are as follows:
  • RT-AC86U
  • RT-AX68U (Not sure if this is typo, should it be RT-AX86U?)
  • RT-AX88U
  • RT-AX92U
Working in my environment
 
Hi, I didn’t see more information about guest network in aimesh node.

How is it done? VLAN?
Is it possible to do the same for guests 2 and 3, even by CLI?

In the previous version I’m using 3 networks:
- Main one
- Guest
- IoT

Configured in AC68U and AC86U using VLAN. It’s working very well for 1 year, but would be good to have the same configuration by web and show all connected clients in 1 interface.
 

Similar threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top