What's new

How I set up OVPN on my ASUS RT68R for Android.

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

cone_head

Occasional Visitor
ASUS RT-AC68R and Open VPN @ 2048 cipher.

I hope this works for you.

I want to thank the people that wrote this guide.
http://www.howtogeek.com/60774/conne...pn-and-tomato/

This how-to is for the folks that may not know how to set up a OVPN to use as a proxy.

This is how I set up OVPN that allows my phone to connect to my home router and creates a secure tunnel that allows me to browse the web securely from any free hot spot.

PPTP and L2TP from what I understand are not considered secure anymore so I set out to figure out how to set up OVPN to allow me to tunnel into my router and surf the web and do banking and other stuff from an unsecured wifi location.

First: The process is easy so stop here and stop over thinking the process. That’s what took me the longest so STOP!, Its easy.

VPN Server / Host

Router: ASUS RT-AC68R
With DDNS enabled
Firmware: Merlin 374.42.2
VPN: Open VPN

Client

Android Open VPN Connect 1.1.14 from OpenVPN / Google play.
ATT Samsung Galaxy S5 android KitKat.

What’s needed.
Openvpn install 2.3.4-I001 or later to generate the required certificates.
From: http://openvpn.net/index.php/open-source/downloads.html

Notepad ++ to edit the client.ovpn file.

First: Set up your DDNS if you have not done so, remember 50 billion folks use myddns so think of something unique if you have not done so.

Second: Configure the ASUS router VPN in the VPN details tab as follows.
VPN Server Mode: OpenVPN
Select Server Instance: Server 1
Interface Type: TUN
Protocol: TCP (for security)
Port; 1194
Firewall: Auto
Authorization Mode: TLS (We will add new 2048 bit cipher keys later)
Username / Password Auth: Yes
Username / Password Auth only: No (This will require a log in as well as the certs)
Extra-HMAC auth: Bi-Directional (Just because we can)
VPN Subnet / Netmask: Default 10.8.0.0 / 255.255.255.0
Poll Interval: 0
Push LAN to clients: Yes
Direct clients to redirect internet traffic: No
Respond to DNS: Yes
Advertise DNS to clients: Yes
Encryption Cipher: AES-256-CBC
Compression: Adaptive
TLS Regeneration Time: -1
Manage Client-Specific Options: No

Save the settings.

Now to the VPN Server Tab to add a user ID and password.

Do not start the VPN server at this time.

NOTE: At this point the routers OVPN will export a complete 1024 bit cipher that can be used if you start the server. With a little editing of the cert in notepad++ all traffic from the android device will be forced over the VPN.

If you feel 1024 cipher is good enough then go to Google play and install the Android Open VPN Connect 1.1.14.

Before you move the import the certificate open it with notepad++ and scroll down to the bottom and add the following right under ‘</tls-auth>’ .

Code:
key-direction bidirectional
route 0.0.0.0 0.0.0.0 vpn_gateway
dhcp-option DNS 192.168.1.1
dhcp-option DNS 192.168.1.1
dhcp-option DOMAIN google.com
auth-nocache

I don’t know if the VPN client can use 'auth-nocache' but if I understand the usage it should clear the cache of the user ID and PW.

Continue here if you wish to use 2048 cipher certs.

If you would like to be in alignment with the rest of the industry using 2048 cipher then continue.
Now to install the OpenVPN install and check all the boxes so we have the required components to create the required 2048 cipher certificates.
Accept the default path *\~program files.

Once the install is complete browse into your ‘OpenVPN’ folder, right click on the ‘Easy-RSa’ folder and select open command prompt here.

In the DOS box you should see the path ending in ‘Easy-RSA’. Type the following command and press enter. Keep this DOS window open.

Code:
Init-config

Again, don’t close the DOS window.

Two files will be copied into the Easy-RAS folder, we want the vars.bat file as we need to open it up in Notepad++. What we are looking for is ‘set KEY_SIZE 1024’. We want to edit the 1024 to 2048 so it will read ‘set KEY_SIZE 2048’ without the quotes.

Save the file.

You can also fill out the following so you don’t have to later.

Code:
Set KEY_COUNTRY= <Your country>
Set KEY_PROVINCE= <your state or prov>
Set KEY_CITY=
Set KEY_ORG=
Set KEY_EMAIL=

But you don’t have to as all we need in the end is the Begin cert to end cert stuff. It will save time if you do it now.

After saving the changes go back to the command prompt and type
Code:
vars
and hit enter, but not too hard as you don’t want to break your keyboard.

Once that’s done, type
Code:
clean-all
, and enter again.
Now we start building the certificates.

Careful as we need to pay attention to the common name.
You have to put something, make it simple and short, no spaces or odd symbol.

First is the CA, so we type
Code:
build-ca
, If you were smart and filled out the stuff in the vars.bat file congrats as it will auto populate.

Remember, go slow and fill in the ‘Common Name’, like ‘CA’. Again short and simple.

Once complete we will move to creating the client.

To create the client key we type in
Code:
build-key client1
, this will create a client key called ‘client1’ and again fill in the common name when it pops up.

Once done we then need to sign and commit at the prompts. If I have to tell you to press Y for this then stop the process now and send back your computer.

The last key we need to create is the server key.
To create the server key type the following
Code:
build-key-server server
this will create a server key called ’server’.

Again, fill anything out and commit if and when prompted.
We are almost done with the certs.

Last but not least is the DF or diffie-hellman parameters.
To create the DH we type
Code:
build-dh
, this will take a bit as we are using 2048 cipher.
Once this is done we are ready for the next step. But first, let’s browse you your ‘Easy-RAS’ folder and open the ‘Keys’ folder. This contains all the stuff we need.

For the server side.
Ca.crt aka Certificate Authority
Server1.crt aka Server Certificate
CA.key aka Serverkey
Dh2048 aka diffie-hellman parameters

For the client.
Client1.crt
Client1.key

We will modify the exported file after we replace the server parameters. All we need from each is the --BEGIN CERTIFICATE to END CERTIFICATE-- portion and populate this in the respective location with the in routers VPN Authorization Mode: TLS link for the server.

Use Notepad ++ to look at each file and copy the from ----BEGIN to END---- for each portion in its corresponding location.
  • Ca.crt aka Certificate Authority
  • Server1.crt aka Server Certificate
  • CA.key aka Serverkey
  • Dh2048 aka diffie-hellman parameters
  • Client1.crt
  • Client1.key

SERVER / ROUTER
Look for the -----BEGIN in each just so you know where it is. Now let’s log into the ASUS and go to the VPN Details tab and click on the Authorization Mode: TLS link. This will bring us to a window with a few boxes already filled out. We need to keep the static key but we need to delete the rest as we will be replacing it with the 2048 stuff we just made.

Again, we only need to copy and paste in from ----BEGIN to END--- for each. So let’s begin.

  1. CA.crt, copy and paste into Certificate Authority.
  2. Server.crt copy and paste into Server Certificate.
  3. CA.key copy and paste into Server Key.
  4. DH2048 goes into Diffie Hellman parameters.

Again, we only want the ----BEGIN to END---- portion of each, it’s that simple.
Once done, Click ok, then apply and now we are ready to start the VPN server.

Once the server is started click on the ‘Export’ button.

NOTE: This will only export a partial cert, we need to fill in the rest. Again we only need the ----BEGIN to END---- portion of the client.crt and client.key.

CLIENT / Your Android device.

Open the exported .ovpn file as well as the client.crt and client.key in notepad++

Copy and paste the ----BEGIN to END--- portion in to their expected location between the <CERT> and <KEY>.

Once done, save the file. We are almost done.

We now want to force all traffic over the VPN by adding the following.

Code:
key-direction bidirectional
route 0.0.0.0 0.0.0.0 vpn_gateway 
dhcp-option DNS 192.168.1.1 
dhcp-option DNS 192.168.1.1 
dhcp-option DOMAIN google.com

You can also add
Code:
auth-nocache
but I don’t know if the client will do anything with it or if this is run from the server side.
Also, If you want to keep the user ID and password but don’t want to type it in you can modify the following line.

Code:
auth-user-pass

To something like

Code:
auth-user-pass /storage/extSdCard/creds/mylogin.txt

Then create a mylogin.txt file that has the user ID and Password on each line and pop it into the respective/creds path on your device.
The format is just the user ID on line 1 and password on line 2.
The txt file and path can be whatever you want it to be.
Copy the .ovpn file to your device and open the OVPN client and import the file.

Now for the Extra HMAC and setting it to Bi-Directional, I don’t know if this is working as I do not see a line added to the .ovpn file so I added ‘key-direction bidirectional’. If I set the Extra HMAC to either incoming I do get a Key-Direction line added to the export. I don’t know if either is more secured or not but I don’t have any issues with it being bidirectional. The export will not add the bidirectional in so I added it in.

After reading the difference between TCP and UDP I selected TCP for security. You can change this to UDP if you wish.
 
Last edited:
Cone_head, thanks immensely for that. It helped me get a setup going using my ASUS AC66R with Merlin's firmware, but that's essentially the same.

It was working great, but now will not connect, and I don't know what happened--but that's not my point here.

Would you discuss a bit about TLS authorization. I have noticed that the server client output has a section
<secret>
-----BEGIN OpenVPN Static key V1-----
4584...a743
-----END OpenVPN Static key V1-----
</secret>

But in my configs, I have
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
4584...743
-----END OpenVPN Static key V1-----
</tls-auth>

I think that I went to the "tls-auth" header when I changed to a full cert and key based setup. I am just confused why the server GUI outputs the file with a different header. Which header should I be using? There is SOoooo much about this I do not understand.
 
Jcarrra

Are you creating certs outside of the router and pasting them in then exporting form the router?

If so, you cannot. If you have the router export the certs then you must use what the router populates for its server.

If you create the certs then you must do so for both the router as well as the client.

And remember, you only want from –Begin to End--, don’t worry about the noise above and below.
 
My statement is incorrect with regards to creating your own certs. You do need to export the cert but replace all –Begin to end—stuff.
 

Similar threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top