How to implement secure VPN authentication?

What is the disadvantage of TCP vs UDP (latency)?

This article explains it: http://sites.inka.de/sites/bigred/devel/tcp-tcp.html

I'm still hoping to configure OpenVPN on ASUSWRT. A quick review of the tutorials linked in other replies has me wondering how all this configuration is done - I see nothing remotely like this in the web GUI. Is this done with ssh and editing config files with vi?

I have the impression you are using a pure Asuswrt firmware version on your router. Am I right?

And the only terminal skills you need are to create the CA, certs and keys. Once you have them, you can do everything through the GUI.
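
As an added example (not part of the original replies), one way to create the CA, certificates and keys mentioned above with the openssl CLI; the names DemoVPN-CA, vpn-server and laptop1 and the temporary directory are constructed. It also checks that each certificate validates only for its own role, which is the property OpenVPN's `remote-cert-tls server` client option relies on.

```shell
#!/bin/sh
# Added example: a throwaway PKI for OpenVPN built with the openssl CLI.
# Names (DemoVPN-CA, vpn-server, laptop1) and paths are constructed.

make_ca() {                      # $1 = output directory
    pki="$1"; mkdir -p "$pki"
    cat > "$pki/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = DemoVPN-CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -config "$pki/ca.cnf" -keyout "$pki/ca.key" -out "$pki/ca.crt" 2>/dev/null
}

issue_cert() {                   # $1 = dir, $2 = common name, $3 = serverAuth|clientAuth
    pki="$1"; cn="$2"; eku="$3"
    openssl req -new -newkey rsa:2048 -nodes -config "$pki/ca.cnf" \
        -subj "/CN=$cn" -keyout "$pki/$cn.key" -out "$pki/$cn.csr" 2>/dev/null
    # The EKU is what lets a peer tell a server certificate from a client one.
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=%s\n' \
        "$eku" > "$pki/$cn.ext"
    openssl x509 -req -in "$pki/$cn.csr" -CA "$pki/ca.crt" -CAkey "$pki/ca.key" \
        -CAcreateserial -days 825 -extfile "$pki/$cn.ext" -out "$pki/$cn.crt" 2>/dev/null
}

cert_ok_for() {                  # $1 = dir, $2 = sslserver|sslclient, $3 = common name
    openssl verify -CAfile "$1/ca.crt" -purpose "$2" "$1/$3.crt" >/dev/null 2>&1
}

build_demo_pki() {               # $1 = dir
    make_ca "$1" && issue_cert "$1" vpn-server serverAuth && issue_cert "$1" laptop1 clientAuth
    chmod 600 "$1"/*.key         # private keys stay readable by the owner only
}

demo="$(mktemp -d)" && build_demo_pki "$demo"
cert_ok_for "$demo" sslserver vpn-server && echo "vpn-server accepted as server"
cert_ok_for "$demo" sslserver laptop1 || echo "laptop1 rejected as server"
```

The files to load into the router and client are `ca.crt`, the `.crt`/`.key` pair for each side; `ca.key` is only needed when issuing further certificates.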
 
I have the impression you are using a pure Asuswrt firmware version on your router. Am I right?

And the only terminal skills you need are to create the CA, certs and keys. Once you have them, you can do everything through the GUI.

Yes, I'm using OEM firmware - I've been asking about how to do this using ASUSWRT (OEM - not Merlin) but most (on this forum at least) seem to be using non-standard firmware (and are answering referring to Merlin (or Tomato)). I'm very comfortable with vi & command line. I just don't see how else to do this other than ssh. When you say (above) you can do most of this using the GUI, do you mean using Merlin or OEM firmware?
 
That's why. OpenVPN is not implemented in the OEM firmware. You read Tomato so much because Merlin's OpenVPN implementation is based on that used by Tomato.

You simply can't do OpenVPN without switching to Merlin's firmware, unless you try and re-port everything (re-make the wheel) or use any other custom firmware (DD-WRT, Tomato, etc).
 
@Lossengwath - Not sure how to reconcile your statement with this directly from RMerlin:

Asus's OpenVPN code actually came from my firmware (and I originally took that code from Tomato). Thanks to this, most tutorials designed for Tomato will work just as well on Asuswrt-Merlin and Asuswrt.

Asus added a very user-friendly "enable-and-use" level on top of OpenVPN so you don't need to learn how to manage keys and certificates, but you still have the option of using your own keys and certs.
 
OpenVPN is in the .4561 OEM firmware (has been since .2050).

Oh, this explains it. Posted too fast.

Edit: I browsed the support.asus.com site and found several firmware updates beyond what I'm running (.374.979). Wonder why having the router check for updates didn't automatically find/notify me of this. (I see one version is listed as beta, but three others are not).

When Asus releases an update, is it generally stable, ready for prime-time? The fact that they weren't detected leads me to believe that they are not necessarily stable, or the update feature is broken.
 
I'm finally making progress understanding the options for deploying VPN.

Note: I'm using OEM firmware (.4561)

It seems like PPTP is not as secure as OpenVPN. Is that true? I don't see a way to use PPTP with certificates in the OEM firmware.

If I do use OpenVPN, is there some way to configure the standard VPN client on Mac OS X Mountain Lion to work, or do I need to install a third-party client (Tunnelblick?).

If I don't need user authentication, just machine authentication, is it possible to rely only on the installed certificates (.ovpn file) and disable username/password? If I'm the only user of the remote machine (VPN client) is there any security risk with this approach (other than if the machine itself is stolen)?
 
It seems like PPTP is not as secure as OpenVPN. Is that true? I don't see a way to use PPTP with certificates in the OEM firmware.

Consider the encryption scheme used by PPTP as being broken, as of 18 months ago.

If I do use OpenVPN, is there some way to configure the standard VPN client on Mac OS X Mountain Lion to work, or do I need to install a third-party client (Tunnelblick?).

Install the OpenVPN client from OpenVPN's website.
 
Install the OpenVPN client from OpenVPN's website.

OK, I'm sure you are right - but why won't the existing support for L2TP over IPSec already provided as part of Mountain Lion work for OpenVPN? Isn't that the protocol that OpenVPN is using?
 
I'm trying to set up OpenVPN on an N66U with .40 installed, using name/password. All new to me.

I've exported the pkcs#12 package, emailed it to my android phone and imported it into both the official client and OpenVPN for android. When I do that, though, I get a box asking for the encryption key password (on top of the name/password). Without that, I get a message that no certificate is installed.

I've searched here and at openvpn to no avail. What should I be entering here?
 
