I joined these forums in my frustrating journey to try and get OpenVPN server working on my RT-AC68U. In case anyone else stumbles on this post, I may have some information to save you time:
1. I tried following the guide here: http://www.smallnetbuilder.com/othe...-setting-up-and-using-openvpn-on-asus-routers . I could not get this to work, using the step-by-step method here. Through Google research, I discovered that the likely issue with the error I was getting (TLS handshake) was that the ASUS router was trying to use 1024 TLS encryption, but that the new OpenSSL library and the newest versions of OpenVPN require 2048 encryption. So it is a "bug" that the generated VPN server creates a 1024 encryption protocol.
2. Okay, time to try and troubleshoot the issue:
i) This link suggests manually going into the OpenVPN Advanced Server Settings and inputting a 2048 DH key. You could either generate one yourself (more complicated, see below) or use a generated one that they link you to. The thread is here: http://www.snbforums.com/threads/as...-fails-diffie-helmann-dh-key-too-small.25326/ , and the key they point you to is: https://raw.githubusercontent.com/R...ster/release/src/router/rom/others/dh2048.pem
ii) I tried copying the pre-generated link, but that gave me an error message regarding the DH key. I figured it might be "more secure" to generate my own DH key, though in the thread RMerlin states "No. In fact, that DH came from an RFC, and is used by various applications following that RFC. You just need to ensure that the DH is based on a prime number that can't be trivially cracked back - that's why I went with 2048-bit, and also for one from an RFC rather than one randomly generated."
iii) Time to try generating my own DH key. The first method I was going to try (I am on a Windows 8.1 machine) was to install OpenSSL and then use the Windows command prompt to generate a key. The following blog had a nice guide on how to try and attempt this: https://jchornsey.wordpress.com/2015/03/17/installing-openssl-in-windows-8-1/ . Make sure if you try this method that you disable UAC, otherwise the command prompts won't work: http://superuser.com/questions/464758/how-do-i-disable-administrator-prompt-in-windows-8 , http://www.eightforums.com/system-s...e-windows-8-understand-you-administrator.html . I wasn't having much luck, and through searching found the next, and following, guide:
iv) http://www.snbforums.com/threads/how-i-set-up-ovpn-on-my-asus-rt68r-for-android.17644/ ; although intended for Android use, it showed you how to create your own certificate, keys, etc. using the OpenVPN software (make sure to download the program and check that you install ALL components). I was having some issues with some of the steps, but these primarily resolved once I disabled UAC completely (see previous step).
v) So I went through the whole guide above, got my keys and certs set up, and was ready to try inputting them into the router. After I did all that, and hit save, I got an error about the DH key again. When I went back to the section where I inputted all the certificates, I noticed everything was blank. Interesting. I also looked at the error log in the router, and it had something to do with generating the dh.pem file.
vi) Interestingly, when I visited the ASUS firmware page: https://www.asus.com/us/Networking/RTAC68U/HelpDesk_Download/ , 3.0.0.4.378.4850 is listed as the most current version. Within the Router GUI, .4850 was considered the most up to date. However, I saw some posts in this thread suggesting the web server is out of sync. Okay, I downloaded this one or two days ago, maybe since then there were some sync issues. Anyway, when I revisited the change-log for this version (Original Post):
- Fixed the saving issue in OpenVPN server -> content modification of keys & certification.
However, I wonder if the issue was truly fixed?! I certainly seemed to be having save issues of the keys and certs on this version of the firmware, and still can't get OpenVPN server to run on this router (talk about a long process/nightmare!)
Collection of Random Helpful Posts:
* http://www.snbforums.com/threads/asuswrt-merlin-378-54_2-is-now-available.24902/page-12#post-188181
* https://forums.openvpn.net/topic12096.html (regarding UAC)
* https://board.perfect-privacy.com/threads/openvpn-client-with-perfect-privacy-on-asus-rt-ac66u.302/
* http://www.sparklabs.com/forum/viewtopic.php?p=5307#p5307 : this site actually has really good discussion. Upon re-visiting it, I wonder if this was my issue:
Maltz wrote:
It appears that ASUS routers generate a 512-bit DH parameter, which is what was causing the error for me (on the Mac version w/ ASUS RT-N66U). Thankfully, it's easy to fix, without replacing the 1024-bit certificates and private key, if you have access to openssl.
That did it for me. Hope that helps!
- This command will generate a 2048-bit DH PEM file. It might take a couple of minutes if you're on an older machine.
openssl dhparam -out dh2048.pem 2048
- In the router's OpenVPN configuration, select Advanced Settings, then click on Content Modification of Keys and Certification.
- The bad news here (at least in my firmware/browser) is that the router's web interface adds HTML encoded linefeeds in the keys (e.g. " " etc). If you leave them there when you click SAVE, it will screw up the certificates. What I did is copy each certificate to a text editor, global replace the encoded strings with a linefeed, and then copy/replace it back into the browser window. It might be prudent to download a router configuration file before you start this, in case the certs get mangled beyond repair by the poorly written web interface.
- Now, just replace the contents of the Diffie Hellman parameters with the file that openssl generated above, and click SAVE. Then I think you also have to click APPLY when that window closes. I did, anyway.
I did try to "Paste as Plain Text", and I don't think I saw linefeed keys (as I was pasting from Notepad++), but I do want to try again and see if I was pasting with line-feeds.
Otherwise, I think this is ALL a bug with a REVOKED firmware version because they did not fix an error they claim in the changelog!
I wonder what anyone else's experience is? Thanks!!
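Added example, not code from this thread or from the ASUS/Merlin firmware: a small Python check for the two things the quoted Sparklabs steps hinge on, stripping the HTML-encoded line breaks out of a pasted PEM block, and reading the prime size out of a dhparam file so a 512- or 1024-bit DH is caught before it is saved into the router. The `<br>`-style tokens are an assumption (the page does not preserve the exact strings the UI injected), and build_dh_pem only fabricates non-prime test moduli so the block runs offline.

```python
import base64
import html
import re

# Break tokens the router UI reportedly injects; the exact strings are an assumption.
ENCODED_BREAKS = ("<br />", "<br/>", "<br>")

def clean_pem(pasted: str) -> str:
    """Restore a PEM block whose newlines were turned into HTML tags or entities."""
    for token in ENCODED_BREAKS:
        pasted = pasted.replace(token, "\n")
    text = html.unescape(pasted)  # &#10; / &#13; become real line breaks
    m = re.search(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", text, re.S)
    if not m:
        raise ValueError("no PEM block found")
    label, body = m.group(1), re.sub(r"\s+", "", m.group(2))
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"

def _der_read(buf: bytes, pos: int):  # minimal DER TLV -> (tag, value, next position)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits count the length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def dh_prime_bits(pem: str) -> int:
    """Bit length of p in PKCS#3 DHParameter ::= SEQUENCE { p INTEGER, g INTEGER }."""
    b64 = "".join(line for line in clean_pem(pem).splitlines() if not line.startswith("-----"))
    tag, seq, _ = _der_read(base64.b64decode(b64), 0)
    if tag != 0x30 or seq[:1] != b"\x02":
        raise ValueError("not a DER SEQUENCE starting with INTEGER p")
    _, p_bytes, _ = _der_read(seq, 0)
    return int.from_bytes(p_bytes, "big").bit_length()

def dh_is_acceptable(pem: str, minimum_bits: int = 2048) -> bool:
    return dh_prime_bits(pem) >= minimum_bits  # 2048 is the size the thread says is required

def build_dh_pem(p: int, g: int = 2) -> str:
    """PEM-encode DH params; used only to build constructed test input (p need not be prime)."""
    def der_len(n):
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        return bytes([n]) if n < 0x80 else bytes([0x80 | len(lb)]) + lb
    def der_int(n):  # (bits + 8) // 8 keeps a leading 0x00 when the high bit is set
        b = n.to_bytes((n.bit_length() + 8) // 8, "big")
        return b"\x02" + der_len(len(b)) + b
    body = der_int(p) + der_int(g)
    b64 = base64.b64encode(b"\x30" + der_len(len(body)) + body).decode()
    return clean_pem(f"-----BEGIN DH PARAMETERS-----{b64}-----END DH PARAMETERS-----")
```

Run dh_prime_bits on the real dh2048.pem that openssl dhparam wrote before pasting it; a result under 2048 means the text you are about to save is not the file you generated.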