[Dev] Asuswrt-Merlin 388.1 development

This question is more towards the OpenVPN people and not directly towards RMerlin:
Is there any QR client setup for OpenVPN, rather than importing/exporting certs?
I found client setup for the WG QR setup convenient.
Client is set up, then client scans QR code, and up
No. OpenVPN on mobile has two-factor authentication which uses QR, but not for client configuration. Asuswrt-Merlin doesn’t use QR either, except, I believe, in Network Map to join Wi-Fi, which isn’t related to VPN configuration.
 
Not necessarily. It can be slightly faster than OpenVPN (which caps at around 220 Mbps on that router), however it will limit your WAN connection to somewhere around 300 Mbps.
ahh shucks.

encryption giveth, and encryption taketh away

really hoping that wireguard is implemented in a more cohesive way soon. it'd be a luxury for me, and i'd love to utilize it, but i don't feel it's quite at the point where i want to totally roll my own pfsense linux box setup
 
Is this a router? I installed 4 on my wife's Jeep. o_O

Here is an article on those hubcaps!

 
No. OpenVPN on mobile has two-factor authentication which uses QR, but not for client configuration. Asuswrt-Merlin doesn’t use QR either, except, I believe, in Network Map to join Wi-Fi, which isn’t related to VPN configuration.
@shabbs and his Guest WiFi QR Sign started me down this QR path ;)
 
Wait. Wireguard is replacing OpenVPN?

Bah, never mind. Did not see the 'other tab'.
 
WireGuard routing code mostly done now. For now I decided to keep it simple(r), so just like stock firmware only works with VPN Fusion, Asuswrt-Merlin WireGuard routing will only work through VPN Director, and will also always use DNS handling similar to OpenVPN set to "exclusive" mode.

Next step is to implement field validation on the WireGuard client page, as the old "experimental" page I reused from Asus' code had no validation done in it, and the validation they implement on the VPN Fusion page will require a good bit of adjustments to work on that page I'm using.
 
So, well, I haven’t used it because I don’t need a VPN client. I was wondering if it’s possible to have VPN Director do something similar with VPN server. Here’s what I mean: from your router you run a VPN server, and anyone connecting to this can access your whole network, but it would be interesting if Director could isolate per user to have access to only specific devices or LAN ports. That way, when they connect and access your network, only that specific LAN device or port would be accessible to them. Kind of like a VPN firewall where you “port forward” a user to a device.

My thought is, if you want to run a VPN server to be safer connecting at a remote location, but don’t necessarily want them to have access to all devices. Sure, you could properly firewall all your devices individually, or run a VPN server from, say, your server on your network, but a “VPN firewall” from the router would make the connection not as direct to those devices.
 
You should definitely be able to designate which devices on your network a remote network can access as well as from which devices using VPN Director -- I do it now.
 
Yeah, but isn’t VPN Director client only? Meaning your router is the client that connects to a VPN server. I’m looking for the opposite, where the devices that connect will be PCs with an OpenVPN client.

I mean, sure, if I had two Merlin routers I could figure something out, but it’s overkill and I’d rather not have the remote side be able to configure what they see if they enter their router.
 
I was wondering if it’s possible to have vpn director do something similar with vpn server.
No. What you want in your case isn't a routing table configuration but a firewall configuration rather.
 
Yeah, as I was explaining it, it sounded more and more like a firewall configuration. No idea how to easily do that, but yeah.
 
Whilst the OP was about restricting inbound OpenVPN USERs, this might help?

It further describes how I used the OpenVPN event (triggered when a client connects inbound) to apply custom ACL type rules

e.g. see lanonly directive which restricts access to only certain LAN devices using appropriate firewall rules
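
The approach described in this post (firewall rules applied per user when an OpenVPN client connects), sketched as an added example; it is not the script referenced above and not part of the original thread. The chain name `VPN_ACL`, the interface `tun21`, the user names and the LAN addresses are assumptions made for illustration; `script_type`, `common_name` and `ifconfig_pool_remote_ip` are the variables OpenVPN passes to its hook scripts. The rules are printed for review rather than applied.

```shell
#!/bin/sh
# Added example: prints (does not apply) per-user ACL rules for an OpenVPN
# server client-connect / client-disconnect hook.
CHAIN="VPN_ACL"   # hypothetical chain that FORWARD jumps to for VPN traffic
TUN_IF="tun21"    # assumed server tunnel interface

# Constructed ACL: certificate common name -> "lan_ip[:proto:port]" entries.
# The name is only matched here, never interpolated into a command.
acl_for() {
    case "$1" in
        alice) echo "192.168.1.10:tcp:443 192.168.1.20" ;;
        bob)   echo "192.168.1.30:tcp:22" ;;
    esac
}

# Accept only dotted-quad IPv4, so nothing else reaches the rule text.
valid_ipv4() {
    case "$1" in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# build_rules <-A|-D> <common_name> <client_vpn_ip>
build_rules() {
    op=$1; cn=$2; vpn_ip=$3
    valid_ipv4 "$vpn_ip" || return 1
    for entry in $(acl_for "$cn"); do
        dst=${entry%%:*}; match=""
        case "$entry" in
            *:*:*) rest=${entry#*:}
                   match=" -p ${rest%%:*} --dport ${rest#*:}" ;;
        esac
        echo "iptables $op $CHAIN -i $TUN_IF -s $vpn_ip -d $dst$match -j ACCEPT"
    done
    # Default deny: unknown users and unlisted destinations fall through here.
    echo "iptables $op $CHAIN -i $TUN_IF -s $vpn_ip -j DROP"
}

# OpenVPN exports these variables to its hook scripts.
case "${script_type:-}" in
    client-connect)    build_rules -A "$common_name" "$ifconfig_pool_remote_ip" ;;
    client-disconnect) build_rules -D "$common_name" "$ifconfig_pool_remote_ip" ;;
esac
```

Running the same generator with `-D` on disconnect removes exactly the rules that were added for that client address, so a reused pool address does not inherit the previous user's access.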

 
So, are we anywhere close to an alpha version or something?
 
Not yet. All the recent efforts were on WireGuard, after which I need to go back and finalize some 388 merge portions that I initially skipped.
 
I think RT-AC86U has had its days, hasn't it?

No love for the RT-AX86U in the last update.
 
VPN Director mostly done. Just need to clean up the backend code a bit, as I don't like the current implementation.

Looks good.

And the choice of dev platforms (AX88U & AX11000) are the two routers I’m most interested in at the moment.

Now, for the all important question, using VPN Director and Merlin 388.1 on an AX88U, can I have more than 2 concurrent WireGuard sessions? Eg. 3 or 4?

That would be a game changer.
 
Now, for the all important question, using VPN Director and Merlin 388.1 on an AX88U, can I have more than 2 concurrent WireGuard sessions? Eg. 3 or 4?
5 WireGuard clients are supported. I haven't tested with more than two however (one to a local RT-AX86U_Pro and one to a VPS).
 