Help with StrongVPN configuration

Alfsu

Regular Contributor
Gentlemen,

First of all, I want to apologize in advance for maybe asking something already discussed somewhere else, but I can't find any information thus far.

So here I am, trying to use StrongVPN service in an ASUS RT-AC66U with Asuswrt-Merlin Firmware (tried .32 and .33-Beta1), but running into a couple of problems; I should mention that connection to another OpenVPN service provider is possible with this hardware-software setup.

The issues are:

1. When using the OpenVPN client configuration as provided by StrongVPN, which by the way works fine when used with the OpenVPN client for Windows, the following message gets logged in the router:

rc_service: httpd 309:notify_rc start_vpnclient1
tun: Universal TUN/TAP device driver, 1.6
tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
openvpn[424]: Options error: Unrecognized option or missing parameter(s) in config.ovpn:46: explicit-exit-notify (2.3.2)

the connection is never established.

2. If I remove the instruction "explicit-exit-notify 2" from the configuration file, the connection is established, but it is reset almost immediately, here is the log:

...
openvpn[537]: OPTIONS IMPORT: timers and/or timeouts modified
openvpn[537]: OPTIONS IMPORT: --ifconfig/up options modified
openvpn[537]: OPTIONS IMPORT: route options modified
openvpn[537]: OPTIONS IMPORT: route-related options modified
openvpn[537]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
openvpn[537]: TUN/TAP device tun0 opened
openvpn[537]: TUN/TAP TX queue length set to 100
openvpn[537]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
openvpn[537]: /sbin/ifconfig tun0 10.8.10.110 pointopoint 10.8.10.109 mtu 1500
openvpn[537]: /sbin/route add -net "remote server-ip" netmask 255.255.255.255 gw 192.168.1.254
openvpn[537]: /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.8.10.109
openvpn[537]: /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.8.10.109
openvpn[537]: /sbin/route add -net 10.8.10.105 netmask 255.255.255.255 metric 1 gw 10.8.10.109
openvpn[537]: Initialization Sequence Completed
openvpn[537]: event_wait : Interrupted system call (code=4)
openvpn[537]: OpenVPN STATISTICS
openvpn[537]: Updated,Fri Sep 13 23:07:18 2013
openvpn[537]: TUN/TAP read bytes,5372
openvpn[537]: TUN/TAP write bytes,0
openvpn[537]: TCP/UDP read bytes,13970
openvpn[537]: TCP/UDP write bytes,20945
openvpn[537]: Auth read bytes,1440
openvpn[537]: pre-compress bytes,0
openvpn[537]: post-compress bytes,0

Unfortunately, StrongVPN does not support this router-firmware combination at this time. I will be extremely grateful for any help and/or guidance on this issue.

Thank you!
 
ditto

I'd very much like to get my strong vpn up and running as well.

I would love to be able to route specific traffic to the secure VPN while everything else gets routed through the normal connection. For example, anything to do with Netflix, VPN, any peer to peer downloading / uploading VPN, everything else, normal WAN.

Is this possible? If so, can someone please give me some pointers on the setup?

Thanks

David
 
Got Connected !

Until after I actually realized that Merlin's firmware is based on Tomato, I was able to set up the AC66U and successfully connect to StrongVPN.

It's been up for a couple of days now.

Next step, find out how to route specific traffic (domains, IPs, etc) through the tunnel.
 
Can you tell us what you did to get it to connect? I can press the Service State to ON and it seems to start running but I can't surf anywhere in Safari. Anyone please help. Thanks!!
 
Used Tomato Setup

Follow these steps:

- Log into Strongvpn account
- Navigate to VPN Accounts Summary
- Click on 'Get Installers' under the actions column
- Select 'Tomato USB'
- A file with extension .sh will be downloaded to your computer, this file contains all the information required to set up the OpenVPN tunnel, and it can be opened using a text reader program like 'notepad' from Windows.
- Identify the different pieces of data from the above file and copy-paste it into the corresponding place in the firmware.

The Strongvpn setup instructions for Tomato help illustrate all this:
http://strongvpn.com/setup_tomato_openvpn.shtml

It is straight forward, less than ten minutes to configure.

I hope this helps and good luck!
 
@Alfsu Thanks for the quick guide, I'm having issues with connecting to Strong once this is all set up. The on button stays on and appears to be connected but when I go to hit a site it just sits there and hangs until I turn off my VPN and the VPN status is all zeros. I've looked over the settings a few times so I'm now at a loss. Any help would be much appreciated.

Cheers!
 
@Alfsu Hi I think I finally got it to work, the problem was I went with the Encryption cipher set to Default when it was supposed to be set to AES-128-CBC.

Cheers!
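
The two configuration problems reported so far in this thread (an option the router's OpenVPN build rejects, and a cipher left at the client default instead of AES-128-CBC) can be checked before pasting settings into the firmware. The following is an added example, not code from any poster or from StrongVPN; the sample config, the host name and the "unsupported" list are constructed assumptions based on the log and posts above.

```python
import shlex

# Constructed sample, not StrongVPN's real file; host name is a placeholder.
SAMPLE_OVPN = """\
client
dev tun
proto udp
remote vpn.example.net 1194
explicit-exit-notify 2
<ca>
(placeholder)
</ca>
"""

def parse_ovpn(text):
    """Map each directive to its argument list, skipping comments and inline <tag> blocks."""
    opts, in_block = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if in_block:
            in_block = None if line == f"</{in_block}>" else in_block
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("<") and line.endswith(">"):
            in_block = line[1:-1]          # e.g. <ca> ... </ca> holds key material, not options
            continue
        parts = shlex.split(line, comments=True)
        if parts:
            opts[parts[0].lstrip("-")] = parts[1:]
    return opts

def lint(text, expected_cipher="AES-128-CBC", unsupported=("explicit-exit-notify",)):
    """Return (directive, problem) findings; both defaults are assumptions taken from the thread."""
    opts, findings = parse_ovpn(text), []
    for name in unsupported:               # directives the target OpenVPN build rejects
        if name in opts:
            findings.append((name, "rejected by target build; client exits with an options error"))
    cipher = (opts.get("cipher") or [None])[0]
    if cipher is None:
        findings.append(("cipher", f"not set; client default may not match server's {expected_cipher}"))
    elif cipher.lower() == "none":
        findings.append(("cipher", "encryption disabled; data channel is unencrypted"))
    elif cipher.upper() != expected_cipher:
        findings.append(("cipher", f"{cipher} does not match server's {expected_cipher}"))
    return findings

if __name__ == "__main__":
    print(lint(SAMPLE_OVPN))
```
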
 
One real big problem I am having with the OpenVPN is the speeds have been reduced by 90%. I have a 100meg line and can pull the full amount off usenet but now I only get a solid 5meg down. Any help with this would be appreciated.

Cheers!
 
One real big problem I am having with the OpenVPN is the speeds have been reduced by 90%. I have a 100meg line and can pull the full amount off usenet but now I only get a solid 5meg down. Any help with this would be appreciated.

Cheers!

You will never get anywhere near 100 Mbits with OpenVPN on a router. Their CPU is nowhere fast enough to handle that.
 
One real big problem I am having with the OpenVPN is the speeds have been reduced by 90%. I have a 100meg line and can pull the full amount off usenet but now I only get a solid 5meg down. Any help with this would be appreciated.

Cheers!

Exact same problem I'm having on two of my computers while a third is perfectly normal.

I've tried every firmware with no success in fixing the issue.
 
You will never get anywhere near 100 Mbits with OpenVPN on a router. Their CPU is nowhere fast enough to handle that.
Maybe this statement should be limited to consumer grade products to be fully valid. Starting in the SOHO market segment, routers with significant hardware acceleration for encryption are available.

In the consumer market segment -- more than two years after the quoted statement -- vendors seem to follow the trend of simply throwing more CPU cores in the direction of their various challenges. I'm sceptical that this will yield the same effect, though, as it's non-trivial to understand how to deploy these efficiently and in a robust manner, and the programming paradigm for professional devices is different in my experience. But since multicore CPUs are cheaper than specialised hardware, it's definitely going to address many people's needs -- while others may feel duped by marketing figures once again.
 
When I was using a low-end (Linksys E300) router overseas with DD-WRT and StrongVPN, the speed reduction for the already slow (~4-5mps!) but "fastest available" connection was about 75% (~1-2mps), which was just on the threshold of usability for my purposes (Netflix). After consulting with StrongVPN, they indicated that my router just didn't have the CPU capacity and indicated that, if I didn't need it (I didn't), disabling encryption would help. It did. But from what you say about consumer grade routers (i.e., my Asus RT-AC56U and RT-N66U), I am inferring that all of the hype about speed for these routers applies to wireless transmission rather than to anything dedicated to encryption. Is that a dumbed-down paraphrase of what you mean? For example, my aging Netgear SRXN3205 seems to have plenty of power for its own VPN, but lags in wireless speed. FWIW, StrongVPN pushes their more expensive pre-configured routers as being more capable of handling the encryption overhead. Thanks.

EDIT: I asked this elsewhere, but what about Asuswrt-Merlin allows the use of the Tomato script, or could the native Asus firmware be used as well? DISCLAIMER: I've not tried either yet. TNX
 
from what you say about consumer grade routers (i.e., my Asus RT-AC56U and RT-N66U), I am inferring that all of the hype about speed for these routers applies to wireless transmission rather than to anything dedicated to encryption. Is that a dumbed-down paraphrase of what you mean?
Not quite; let me try to put it differently.

In my view, in 2016, I'd call the 66 devices very good access points (if the WiFi standard support is okay for you) and good (USB2) media servers (not: file servers). The idea of routing, for me, might start with the 68.

One needs to study meaningful performance tests to figure which is the "first" device which will provide the desired performance in the relevant use cases. A system which provides full performance under all circumstances (1 VPN server, 1 or more VPN client(s), 100 MBit/s WAN, 4x MU-MIMO, Dual-Band, USB 3 file serving from encrypted file system) would be pretty expensive, and there won't be many consumers who need it.

I'll also call the ASUS high end devices consumer grade because that's what they are. I am absolutely certain that these multicore monsters can handle a lot of scenarios in a very performant way. Still, they aim at the needs of consumers.

Semi-professional/SOHO and professional devices differ in that they guarantee stable performance for scenarios relevant for their customers, e.g. a guaranteed minimum VPN throughput for several parallel VPN connections by hardware acceleration (not bad for remote maintenance of several sites or important connections to several branches) and very robust QoS mechanisms.

My AC66U access point, for example, will let media streams of WiFi clients with a negotiated lower bandwidth almost starve while it primarily serves a client with a higher (unneeded) bandwidth. I'd not be surprised to find similar effects in routing mode, because balancing interests in the presence of limited resources is an art, and its complexity increases drastically the more features get involved. This is more the domain of professional devices.

Unfortunately, finding the right device for one's use cases is also almost an art, especially in the presence of the aggressive marketing figures and the many questionable tests on the web. Show me a test which shows the difference between routing maximum performance streams through a WAN connection to maximum performance WiFi clients, vs doing that via a VPN WAN, vs adding a gigabit download from an encrypted USB stick to a LAN device.

The ASUS product portfolio certainly provides devices which offer excellent performance for many scenarios, but the lower the CPU power, the fewer CPU hungry features it will serve with high performance at the same time. Once the load is at 100 %, you'll also have to live with the balancing it offers, with the choice of using a different firmware of course. But I did not find many resources going about these topics in a systematic manner.

For example, my aging Netgear SRXN3205 seems to have plenty of power for its own VPN, but lags in wireless speed.
That's a professional device; I wouldn't be surprised if it had hardware acceleration for VPN ciphers. But once again, ASUS does have excellent products, and in fact they may focus a bit on the WiFi side, but as long as CPU cycles are available, there's nothing keeping them from performing well on the WAN side as well.

But I myself use a professional VPN router and the AC66U as an access point behind it, because the professional WiFi solutions are a bit behind the curve and I don't exactly need the professional WiFi features such as VLAN tagging, central management etc.
 
Thanks for the extended and interesting perspective. One suspects that the comparisons are—from the vendors' perspectives—conveniently if not deliberately bewildering. BTW: have YOU any idea if the native Asus firmware can be used with StrongVPN? Another thread indicates that Asuswrt-Merlin can be coaxed into working by using StrongVPN's Tomato configuration, but I'm guessing that firmware variant has features the stock Asus firmware lacks.
 
One suspects that the comparisons are—from the vendors' perspectives—conveniently if not deliberately bewildering.
Well put. In the end, most decisions are probably made implicitly by choosing the "most suitable" distribution channel.
have YOU any idea if the native Asus firmware can be used with StrongVPN?
Haven't looked at it with that question on my mind, but there's a dummy live config UI online which might give you more hints and help you to avoid all the flashing and resetting procedures.
 
Thanks. Turns out that ExpressVPN has a configuration file that will load directly into the unmodified Asus firmware. And, perhaps ExpressVPN is giving better service than some of the competition. What is likely to drive me to a custom firmware is my need to assign a separate SSID to my VPN so that I can selectively connect to it and avoid using a second router. AFAIK, the stock firmware won't support that, though I hope I'm mistaken.
 
What is likely to drive me to a custom firmware is my need to assign a separate SSID to my VPN so that I can selectively connect to it and avoid using a second router.
Why do you want to get rid of your SRXN3205?

I would only expect DD-WRT to be able to configure a strict isolation of a SSID <-> VPN pair via GUI, and at the same time I'd expect it to be slower than all other possible firmwares.

But there's this other thread about strictly (or not so strictly) isolating a guest WiFi from the whole LAN when the ASUS is in access point mode, and while only DD-WRT seems to be capable of configuring port groups and VLAN tagging and all other professional stuff, in the asuswrt-based FWs the ebtables appear to open a door there by being able to handle traffic depending on the source interface.

Interface names can be determined by nvram show commands. Looks like the guest networks have names like wl0.1 to wl0.3 / wl1.1 to wl1.3 and in this way, the routing of the packets can be corrected either internally if the ASUS is in router mode -- or the traffic can be marked by MAC NATting if the ASUS is an access point (then all routers must isolate traffic based on that MAC address).


You shouldn't need a custom FW for that. The stock FW is supposed to execute a startup script from any USB media. It should be possible to insert the required ebtables rules from there. However, e.g. asuswrt-merlin provides a persistent storage partition so no USB drive is required, but you're advised to save the contents and possibly restore them on FW upgrade.
 
"Why do you want to get rid of your SRXN3205?" — I didn't want to, and tried my best not to. But, it could not pick up an IP address from my FiOS box. I have my FiOS configured to Ethernet, not cable, since I don't use or want the TV service, and didn't want the Verizon router. But, try as I might, I could not get the SRXN3205 to snag an IP address. I tried everything I knew multiple times, including having the FiOS release/renew from the Verizon side, resetting the router to default. Everything. But every OTHER router I had worked w/o any problem. So, I've had it in a box for the last 18 months. I really LIKED that router, but not when it couldn't get an IP address. Never had issues with it before, and still don't know what happened. All suggestions from official and non-official Netgear sources weren't helpful.

Thanks for the detail on using OpenVPN w the stock Asus firmware. That's welcome news. I'll try to get myself educated on this and make it work.
 
I have Merlin working with StrongVPN. You simply upload the configuration file. The keys will be loaded automatically. You will have to manually edit the rest. Custom configuration may be left alone. You can use this as a guide. It does take a little extra work; however, it only takes about 5 minutes. http://strongvpn.com/setup_tomato_openvpn.html
 
Thanks, CrazyCanuck. Glad to know StrongVPN can be made to work. But, I've decided to try ExpressVPN, which supports Asus directly, with no extra work. I've enough work sorting how to restrict tunneling to a separate SSID. The links here are useful, but it entails more fiddling than I've done with that stuff.
 
