ASUS RT-AC68R and Open VPN @ 2048 cipher.
I hope this works for you.
I want to thank the people that wrote this guide.
http://www.howtogeek.com/60774/conne...pn-and-tomato/
This how-to is for folks who may not know how to set up an OpenVPN server on the router and use it as a secure proxy.
This is how I set up OpenVPN so that my phone connects to my home router through an encrypted tunnel, which lets me browse the web securely from any free hotspot.
PPTP and L2TP, from what I understand, are not considered secure anymore, so I set out to figure out how to set up OpenVPN to tunnel into my router and surf the web, do banking and other things from an unsecured Wi-Fi location.
First: The process is easy, so stop here and stop overthinking it. That's what took me the longest, so STOP! It's easy.
VPN Server / Host
Router: ASUS RT-AC68R
With DDNS enabled
Firmware: Merlin 374.42.2
VPN: Open VPN
Client
OpenVPN Connect 1.1.14 for Android, from OpenVPN on Google Play.
AT&T Samsung Galaxy S5, Android KitKat.
What’s needed.
OpenVPN Windows installer 2.3.4-I001 or later, which bundles the Easy-RSA 2 scripts used below to generate the certificates.
From: http://openvpn.net/index.php/open-source/downloads.html
Notepad++ (or another editor that preserves Unix line endings) to edit the client .ovpn file.
First: Set up your DDNS if you have not done so. Huge numbers of people use the same DDNS service, so pick a hostname that is unique to you.
Second: Configure the ASUS router VPN in the VPN details tab as follows.
VPN Server Mode: OpenVPN
Select Server Instance: Server 1
Interface Type: TUN
Protocol: TCP (UDP is OpenVPN's default and performs better; the encryption is identical with either, so TCP mainly helps on networks that block UDP)
Port: 1194
Firewall: Auto
Authorization Mode: TLS (the router's self-generated certificates will be replaced with 2048-bit RSA ones later)
Username / Password Auth: Yes
Username / Password Auth only: No (clients must present a valid certificate as well as a login)
Extra-HMAC auth: Bi-Directional (adds a tls-auth HMAC on the control channel, so packets without the shared static key are dropped before the TLS handshake even starts)
VPN Subnet / Netmask: Default 10.8.0.0 / 255.255.255.0
Poll Interval: 0
Push LAN to clients: Yes
Direct clients to redirect internet traffic: No (the client profile is edited below to send all traffic through the tunnel instead; setting this to Yes pushes that route from the router and makes the edit unnecessary)
Respond to DNS: Yes
Advertise DNS to clients: Yes
Encryption Cipher: AES-256-CBC
Compression: Adaptive
TLS Regeneration Time: -1
Manage Client-Specific Options: No
Save the settings.
Now to the VPN Server Tab to add a user ID and password.
Do not start the VPN server at this time.
NOTE: At this point the router has generated its own CA, server and client certificates with 1024-bit RSA keys, and if you start the server it will export a complete, working .ovpn profile. With a little editing of that profile in Notepad++, all traffic from the Android device is forced over the VPN.
If you feel 1024-bit keys are good enough, go to Google Play, install OpenVPN Connect 1.1.14, start the server and export the profile.
Before you import the profile, open it with Notepad++, scroll to the bottom and add the following right under '</tls-auth>':
Code:
# OpenVPN Connect (OpenVPN 3) accepts this; OpenVPN 2.x clients take only 0 or 1 and need no key-direction line at all for Bi-directional
key-direction bidirectional
# send everything through the tunnel ('redirect-gateway def1' is the usual equivalent and also adds a host route to the VPN server)
route 0.0.0.0 0.0.0.0 vpn_gateway
# the router's LAN address as resolver (listed once)
dhcp-option DNS 192.168.1.1
# DNS search suffix for unqualified names; set this to your LAN domain
dhcp-option DOMAIN google.com
# do not keep the username/password in memory after it has been used
auth-nocache
I don't know if the VPN client can use 'auth-nocache', but if I understand the usage it should clear the cached user ID and password.
Continue here if you want 2048-bit RSA keys, which is the current industry baseline.
Now run the OpenVPN installer and check all the components, including the Easy-RSA 2 certificate management scripts, which are needed to create the 2048-bit certificates.
Accept the default path under Program Files.
Once the install is complete, open a Command Prompt as administrator (the keys are written under Program Files, which needs elevation) and change into the 'easy-rsa' folder inside your OpenVPN folder.
The prompt should show a path ending in 'easy-rsa'. Type the following command and press Enter, and keep this command window open for the rest of the procedure:
Code:
init-config
Again, don't close the command window.
Two files are copied into the easy-rsa folder; the one we need is vars.bat, which we open in Notepad++. Look for 'set KEY_SIZE=1024' and change the 1024 to 2048 so it reads 'set KEY_SIZE=2048' (without the quotes). This is the RSA key size used for the CA, server and client keys.
Save the file.
You can also fill out the following so you don’t have to later.
Code:
set KEY_COUNTRY=US
set KEY_PROVINCE=CA
set KEY_CITY=SanFrancisco
set KEY_ORG=Home
set KEY_EMAIL=you@example.com
These values are only examples: replace them with your own, with no space on either side of '=' (cmd.exe would make the space part of the value). You don't have to fill them in, as all we need in the end is the BEGIN-to-END part of each file, but it saves retyping the same answers at every prompt.
After saving the changes go back to the command prompt and type
Code:
vars
Once that's done, type the following. It empties the keys folder, so run it only now, at the start, and never once certificates exist:
Code:
clean-all
Now we start building the certificates.
Pay attention to the Common Name: each certificate must get its own (for example CA, server and client1), because that name is how the server tells certificates apart.
You have to put something; make it simple and short, with no spaces or odd symbols.
First is the CA, so we type
Code:
build-ca
Go slow and fill in the 'Common Name', e.g. 'CA'; if you filled in vars.bat, the other fields are pre-populated. Again, short and simple.
Once complete we will move to creating the client.
To create the client key we type in
Code:
build-key client1
This creates client1.crt and client1.key in the keys folder. Fill in the Common Name (e.g. client1) when prompted, then answer Y to sign the certificate and Y again to commit. If I have to tell you to press Y for this, stop the process now and send back your computer.
The last key we need to create is the server key.
To create the server key type the following
Code:
build-key-server server
This creates server.crt and server.key. Fill in the Common Name (e.g. server) and answer Y to sign and commit when prompted. build-key-server marks the certificate as a server certificate, which is what lets a client verify it with 'remote-cert-tls server'.
We are almost done with the certificate material.
Last but not least are the DH (Diffie-Hellman) parameters, which the server uses for the key exchange.
To create the DH we type
Code:
build-dh
This takes a while at 2048 bits. Once it is done, browse to your 'easy-rsa' folder and open the 'keys' folder. It contains everything we need.
For the server side (pasted into the router):
- ca.crt, the Certificate Authority certificate
- server.crt, the Server Certificate
- server.key, the Server Key (not ca.key: the CA's private key can sign new client certificates, so it stays offline on the machine where you built it and never goes on the router)
- dh2048.pem, the Diffie-Hellman parameters
For the client:
- client1.crt
- client1.key
We will modify the exported profile after we replace the server material. From each file we need the part from the -----BEGIN line to the -----END line, both lines included (the .crt files have a human-readable dump above it that the router does not want), pasted into its corresponding box behind the router's Authorization Mode: TLS link.
Use Notepad++ to open each file and copy the -----BEGIN to -----END portion into its place.
SERVER / ROUTER
Look for the -----BEGIN in each file so you know where it is. Now log into the ASUS, go to the VPN Details tab and click the Authorization Mode: TLS link. This opens a window with a few boxes already filled with the router's self-generated 1024-bit material. Keep the Static Key (the tls-auth key the router generated; the exported profile will carry it), but delete the rest, as we are replacing it with the 2048-bit material we just made.
Again, only copy and paste the -----BEGIN to -----END portion of each. So let's begin.
- ca.crt goes into Certificate Authority.
- server.crt goes into Server Certificate.
- server.key goes into Server Key.
- dh2048.pem goes into Diffie Hellman parameters.
Again, we only want the ----BEGIN to END---- portion of each, it’s that simple.
Once done, click OK, then Apply, and we are ready to start the VPN server.
Once the server is started, click the 'Export' button.
NOTE: This exports a partial profile: the CA and tls-auth sections are filled in from the router, but the client certificate and key are not, because the router never had them. We fill in the -----BEGIN to -----END portion of client1.crt and client1.key ourselves.
CLIENT / Your Android device.
Open the exported .ovpn file, as well as client1.crt and client1.key, in Notepad++.
Copy and paste the -----BEGIN to -----END portion of client1.crt between the <cert> and </cert> tags, and that of client1.key between the <key> and </key> tags.
Once done, save the file. We are almost done.
We now want to force all traffic over the VPN by adding the following:
Code:
# OpenVPN Connect (OpenVPN 3) accepts this; OpenVPN 2.x clients take only 0 or 1 and need no key-direction line at all for Bi-directional
key-direction bidirectional
# send everything through the tunnel ('redirect-gateway def1' is the usual equivalent and also adds a host route to the VPN server)
route 0.0.0.0 0.0.0.0 vpn_gateway
# the router's LAN address as resolver (listed once)
dhcp-option DNS 192.168.1.1
# DNS search suffix for unqualified names; set this to your LAN domain
dhcp-option DOMAIN google.com
You can also add
Code:
auth-nocache
Also, if you want to keep the user ID and password but don't want to type them in, you can modify the following line:
Code:
auth-user-pass
To something like
Code:
auth-user-pass /storage/extSdCard/creds/mylogin.txt
Then create a mylogin.txt file with the user ID on line 1 and the password on line 2, and put it at the path you referenced on your device.
The file name and path can be whatever you want.
Keep in mind that the file is plain text: anyone who gets the SD card, or any app with storage permission, can read that login, so this trades some security for convenience.
Copy the .ovpn file to your device and open the OVPN client and import the file.
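The client-side assembly described above (copying the -----BEGIN to -----END portions into <cert> and <key>, then adding the lines that force traffic through the tunnel) can be scripted, which also lets you check each block before it goes into the profile. The Python script below is an added example, not part of this post or of the Merlin firmware. It extracts exactly one PEM block of the right type from each Easy-RSA output file, so a key pasted where a certificate belongs is caught (the same class of mistake as putting ca.key into the router's Server Key box); it checks that the base64 body decodes to a complete DER structure, so a truncated paste fails instead of producing a profile that will not connect; and it writes a profile that uses 'redirect-gateway def1' and 'remote-cert-tls server'. File names follow the post (ca.crt, client1.crt, client1.key); the tls-auth file, the DDNS host name and the DNS address are assumptions, and the embedded SAMPLE_* blobs are constructed placeholders, not real keys.

```python
"""Assemble an inline OpenVPN client profile from Easy-RSA 2 output files.

Added example, not the post's own procedure. File names follow the post
(ca.crt, client1.crt, client1.key); the tls-auth file, host name and DNS
address are assumptions, and every SAMPLE_* blob is a constructed placeholder.
"""
import base64
import re
from typing import Optional

# One PEM block: BEGIN line, body, END line carrying the same label.
PEM_RE = re.compile(
    r"-----BEGIN ([A-Za-z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL
)

# PEM labels that may appear in each slot of the profile.
EXPECTED = {
    "ca": {"CERTIFICATE"},
    "cert": {"CERTIFICATE"},
    "key": {"PRIVATE KEY", "RSA PRIVATE KEY"},  # PKCS#8 (OpenSSL 1.0) or PKCS#1
    "tls-auth": {"OpenVPN Static key V1"},
}


def der_length_ok(der: bytes) -> bool:
    """True when the outer DER SEQUENCE header agrees with the byte count.
    A truncated paste usually still base64-decodes; the encoded length gives it away."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:  # short form: one length byte
        return len(der) == 2 + first
    n = first & 0x7F  # long form: the next n bytes hold the length
    if n == 0 or len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")


def extract_pem(text: str, slot: str) -> str:
    """Return the single PEM block in *text* that fits *slot*, re-wrapped.
    Easy-RSA .crt files carry a human-readable dump before the PEM block; only the
    BEGIN..END part belongs in the profile. A block of the wrong kind is rejected."""
    blocks = PEM_RE.findall(text)
    if len(blocks) != 1:
        raise ValueError(f"{slot}: expected one PEM block, found {len(blocks)}")
    label, body = blocks[0]
    if label not in EXPECTED[slot]:
        raise ValueError(f"{slot}: found '{label}', expected {sorted(EXPECTED[slot])}")
    body = "".join(body.split())
    if slot == "tls-auth":
        if len(bytes.fromhex(body)) != 256:  # 'openvpn --genkey' makes a 2048-bit key
            raise ValueError("tls-auth: static key is not 2048 bits")
        width = 32
    else:
        if not der_length_ok(base64.b64decode(body, validate=True)):
            raise ValueError(f"{slot}: PEM body is truncated or corrupt")
        width = 64
    wrapped = "\n".join(body[i:i + width] for i in range(0, len(body), width))
    return f"-----BEGIN {label}-----\n{wrapped}\n-----END {label}-----"


def build_profile(host: str, port: int, proto: str, dns: str, ca: str, cert: str,
                  key: str, ta: str, key_direction: Optional[int]) -> str:
    """Assemble the client profile with all key material inline.
    key_direction is None when the router's Extra HMAC is Bi-directional (OpenVPN 2.x
    then wants no key-direction line) and 1 when the router uses Incoming(0)."""
    lines = [
        "client", "dev tun", f"proto {proto}", f"remote {host} {port}",
        "resolv-retry infinite", "nobind", "persist-key", "persist-tun",
        "remote-cert-tls server",  # refuse another client's cert posing as the server
        "cipher AES-256-CBC", "comp-lzo adaptive", "auth-user-pass", "auth-nocache",
        "redirect-gateway def1",  # all traffic via the tunnel, plus a host route to the server
        f"dhcp-option DNS {dns}",
    ]
    if key_direction is not None:
        lines.append(f"key-direction {key_direction}")
    for tag, block in (("ca", ca), ("cert", cert), ("key", key), ("tls-auth", ta)):
        lines += [f"<{tag}>", block, f"</{tag}>"]
    return "\n".join(lines) + "\n"


# Constructed placeholders: a 5-byte DER SEQUENCE (MAMCAQU=) and a repeating hex key.
SAMPLE_CRT = ("Certificate:\n    Data:\n        Version: 3 (0x2)\n"
              "-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----\n")
SAMPLE_KEY = "-----BEGIN PRIVATE KEY-----\nMAMCAQU=\n-----END PRIVATE KEY-----\n"
SAMPLE_DH = "-----BEGIN DH PARAMETERS-----\nMAMCAQU=\n-----END DH PARAMETERS-----\n"
SAMPLE_TRUNCATED = "-----BEGIN CERTIFICATE-----\nMAMCAQ==\n-----END CERTIFICATE-----\n"
SAMPLE_TA = ("#\n# 2048 bit OpenVPN static key\n#\n-----BEGIN OpenVPN Static key V1-----\n"
             + "\n".join(["00112233445566778899aabbccddeeff"] * 16)
             + "\n-----END OpenVPN Static key V1-----\n")

if __name__ == "__main__":
    print(build_profile(
        "myrouter.example.net", 1194, "tcp", "192.168.1.1",  # assumed DDNS host and LAN DNS
        extract_pem(SAMPLE_CRT, "ca"), extract_pem(SAMPLE_CRT, "cert"),
        extract_pem(SAMPLE_KEY, "key"), extract_pem(SAMPLE_TA, "tls-auth"), None))
```

To use it on the real files, replace the SAMPLE_* strings with the contents of ca.crt, client1.crt, client1.key and the router's static key, and pass key_direction=1 if the router's Extra HMAC is set to Incoming(0). Treat the resulting .ovpn like a password: it contains client1.key, and anyone holding it plus your login can connect to your LAN.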
Now for Extra HMAC set to Bi-Directional: I don't know if this is working, as I do not see a line added to the .ovpn file, so I added 'key-direction bidirectional'. If I set Extra HMAC to either Incoming option I do get a key-direction line added to the export. I don't know if either is more secure or not, but I don't have any issues with it being bidirectional. The export does not add the bidirectional line, so I added it myself.
After reading the difference between TCP and UDP I selected TCP for security. You can change this to UDP if you wish.