maxbraketorque
Very Senior Member
ok. It seems to me that there is a lot of gray area or opinion on what's considered a reasonable set of security parameters, so thanks for confirming.
Hi,@yorgi Fantastic post... I've read 10 pages of mind numbing vpn settings.
I just purchased an ASUS RT-AC5300 after returning a TP-LINK Archer C-5400 because of the very issue I'm now still having. I've been able to configure OpenVPN no problem. Server is running and accepting successful connections from client.
Scenario:
VPN Client-
LAN Subnet 192.168.1.0
VPN Server-
LAN Subnet 192.168.10.0
VPN Subnet 10.8.0.0
Behind VPN server exists a Drobo5N2 NAS that has a static IP assigned via DHCP of 192.168.10.99 ---- this is the resource I need to access from the vpn client.
I connect from the client successfully.. obtain 10.8.x.x IP address.
I can ping the 10.8.0.1 gateway, I can ping the 192.168.10.1 gateway.
I can log into my router web ui.
I cannot do ANYTHING else.
I had the exact same issue with previous router. I have tested disabling windows firewall client side. I have reconfigured DHCP IP Pool. I have defaulted server 2 and started fresh. Server is responding to DNS requests and Advertising DNS to clients. Push LAN to clients is also enabled.
Server is configured as TUN \ UDP (Tried TCP as well) everything else is default.
I'm at a loss.
Its exactly how I give the example in the guide, I put a separate page just for windows because its firewall is a pain and there are a few options that need to be enabled to have a flawless experience. Glad you go it workingThis has been an excellent discussion, thanks Yorgi for all your help. I have delved into trying openVPN finally from home to work and have a few things to share.
In a small business environment without a server doing DNS things will work better if you are sure to enable the Asus router to run DNS (which is off by default) - that way all the devices on your network will have their names and IP in the asus router. So again, be sure and set the DNS setting in the router to its own IP address (usually 192.168.1.1 by default).
I had the same trouble connecting to shares names by using the machine name after getting a successful VPN connection. As Yorgi mentioned, Windows 10 runs a pretty strict firewall that ignores ping requests as well. For Windows 10 (do this on the REMOTE machine that has the shares you want access - obviously when you are onsite lol), i got it working by going to the firewall (just type firewall in the search window) and go to the inbound rules where there is a very large list of rules to modify. Find the 'File and Printer Sharing (SMB-in)' rule (there are 3 - choose the one next to Private). Go to properties and the the SCOPE tab - and in that scope tab at the bottom where it says REMOTE IP you will add the ip address range and subnet that the Asus router gives to VPN clients - which by default is 10.8.0.0/24.
After I did that i can use the UNC name instead of ipaddress of the remote machine to get to the share.
I followed the instructions to the letter and cannot connect my Windows 10 PC's to the OpenVPN server on my router. I have a Mac that connects without any issues. The Windows PC's won't connect unless I disable the public network firewall. I added the inbound rule to the firewall settings but it didn't make any difference. It's my understanding that the rule is for accessing shares once connected, but I can't even connect. Any suggestions?
Here's the log from the modem:
Feb 4 13:14:40 openvpn[967]: 192.168.1.111 TLS: Initial packet from [AF_INET6]::ffff:192.168.1.111:62899, sid=1973d1f5 8ba6c14c
Feb 4 13:15:36 dnsmasq-dhcp[465]: DHCPREQUEST(br0) 192.168.1.33 e8:ab:fa:1c:72:01
Feb 4 13:15:36 dnsmasq-dhcp[465]: DHCPACK(br0) 192.168.1.33 e8:ab:fa:1c:72:01
Feb 4 13:15:40 openvpn[967]: 192.168.1.111 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Feb 4 13:15:40 openvpn[967]: 192.168.1.111 TLS Error: TLS handshake failed
Feb 4 13:15:40 openvpn[967]: 192.168.1.111 SIGUSR1[soft,tls-error] received, client-instance restarting
Feb 4 13:15:44 openvpn[967]: 192.168.1.111 TLS: Initial packet from [AF_INET6]::ffff:192.168.1.111:60203, sid=71548ba5 5afad9c6
Feb 4 13:16:17 kernel: nvram: consolidating space!
Feb 4 13:16:44 openvpn[967]: 192.168.1.111 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Feb 4 13:16:44 openvpn[967]: 192.168.1.111 TLS Error: TLS handshake failed
Feb 4 13:16:44 openvpn[967]: 192.168.1.111 SIGUSR1[soft,tls-error] received, client-instance restarting
Feb 4 13:16:50 openvpn[967]: 192.168.1.111 TLS: Initial packet from [AF_INET6]::ffff:192.168.1.111:50628, sid=f030fb85 cde0efad
Feb 4 13:17:50 openvpn[967]: 192.168.1.111 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Feb 4 13:17:50 openvpn[967]: 192.168.1.111 TLS Error: TLS handshake failed
Feb 4 13:17:50 openvpn[967]: 192.168.1.111 SIGUSR1[soft,tls-error] received, client-instance restarting
Feb 4 13:17:55 openvpn[967]: 192.168.1.111 TLS: Initial packet from [AF_INET6]::ffff:192.168.1.111:60481, sid=01c6f652 0b57e6b8
Feb 4 13:18:55 openvpn[967]: 192.168.1.111 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Feb 4 13:18:55 openvpn[967]: 192.168.1.111 TLS Error: TLS handshake failed
Feb 4 13:18:55 openvpn[967]: 192.168.1.111 SIGUSR1[soft,tls-error] received, client-instance restarting
Feb 4 13:19:00 openvpn[967]: 192.168.1.111 TLS: Initial packet from [AF_INET6]::ffff:192.168.1.111:63535, sid=28a7e6bf 142fb9ef
Feb 4 13:20:00 openvpn[967]: 192.168.1.111 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Feb 4 13:20:00 openvpn[967]: 192.168.1.111 TLS Error: TLS handshake failed
Feb 4 13:20:00 openvpn[967]: 192.168.1.111 SIGUSR1[soft,tls-error] received, client-instance restarting
Feb 4 13:20:10 openvpn[967]: 192.168.1.111 TLS: Initial packet from [AF_INET6]::ffff:192.168.1.111:52644, sid=74298ef0 c3e0d77d
Feb 4 13:21:10 openvpn[967]: 192.168.1.111 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Feb 4 13:21:10 openvpn[967]: 192.168.1.111 TLS Error: TLS handshake failed
Feb 4 13:21:10 openvpn[967]: 192.168.1.111 SIGUSR1[soft,tls-error] received, client-instance restarting
Here's the OpenVPN log:
Sun Feb 04 13:14:15 2018 OpenVPN 2.4.4 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Sep 26 2017
Sun Feb 04 13:14:15 2018 Windows version 6.2 (Windows 8 or greater) 64bit
Sun Feb 04 13:14:15 2018 library versions: OpenSSL 1.0.2l 25 May 2017, LZO 2.10
Enter Management Password:
Sun Feb 04 13:14:40 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]XXX.XXX.XXX.XXX:1194
Sun Feb 04 13:14:40 2018 UDP link local: (not bound)
Sun Feb 04 13:14:40 2018 UDP link remote: [AF_INET]XXX.XXX.XXX.XXX:1194
Sun Feb 04 13:15:40 2018 [UNDEF] Inactivity timeout (--ping-restart), restarting
Sun Feb 04 13:15:40 2018 SIGUSR1[soft,ping-restart] received, process restarting
Sun Feb 04 13:15:45 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]XXX.XXX.XXX.XXX:1194
Sun Feb 04 13:15:45 2018 UDP link local: (not bound)
Sun Feb 04 13:15:45 2018 UDP link remote: [AF_INET]XXX.XXX.XXX.XXX:1194
Sun Feb 04 13:16:46 2018 [UNDEF] Inactivity timeout (--ping-restart), restarting
Sun Feb 04 13:16:46 2018 SIGUSR1[soft,ping-restart] received, process restarting
Sun Feb 04 13:16:51 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]XXX.XXX.XXX.XXX:1194
Sun Feb 04 13:16:51 2018 UDP link local: (not bound)
Sun Feb 04 13:16:51 2018 UDP link remote: [AF_INET]XXX.XXX.XXX.XXX:1194
Sun Feb 04 13:17:51 2018 [UNDEF] Inactivity timeout (--ping-restart), restarting
Sun Feb 04 13:17:51 2018 SIGUSR1[soft,ping-restart] received, process restarting
Sun Feb 04 13:17:56 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]XXX.XXX.XXX.XXX:1194
Sun Feb 04 13:17:56 2018 UDP link local: (not bound)
Sun Feb 04 13:17:56 2018 UDP link remote: [AF_INET]XXX.XXX.XXX.XXX:1194
Sun Feb 04 13:18:56 2018 [UNDEF] Inactivity timeout (--ping-restart), restarting
Sun Feb 04 13:18:56 2018 SIGUSR1[soft,ping-restart] received, process restarting
Sun Feb 04 13:19:01 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]XXX.XXX.XXX.XXX:1194
Sun Feb 04 13:19:01 2018 UDP link local: (not bound)
Sun Feb 04 13:19:01 2018 UDP link remote: [AF_INET]XXX.XXX.XXX.XXX:1194
Sun Feb 04 13:20:01 2018 [UNDEF] Inactivity timeout (--ping-restart), restarting
Sun Feb 04 13:20:01 2018 SIGUSR1[soft,ping-restart] received, process restarting
Sun Feb 04 13:20:11 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]XXX.XXX.XXX.XXX:1194
Sun Feb 04 13:20:11 2018 UDP link local: (not bound)
Sun Feb 04 13:20:11 2018 UDP link remote: [AF_INET]XXX.XXX.XXX.XXX:1194
Sun Feb 04 13:21:12 2018 [UNDEF] Inactivity timeout (--ping-restart), restarting
Sun Feb 04 13:21:12 2018 SIGUSR1[soft,ping-restart] received, process restarting
Sun Feb 04 13:21:32 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]XXX.XXX.XXX.XXX:1194
Sun Feb 04 13:21:32 2018 UDP link local: (not bound)
Sun Feb 04 13:21:32 2018 UDP link remote: [AF_INET]XXX.XXX.XXX.XXX:1194
Sun Feb 04 13:22:32 2018 [UNDEF] Inactivity timeout (--ping-restart), restarting
Sun Feb 04 13:22:32 2018 SIGUSR1[soft,ping-restart] received, process restarting
Sun Feb 04 13:23:12 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]XXX.XXX.XXX.XXX:1194
Sun Feb 04 13:23:12 2018 UDP link local: (not bound)
Sun Feb 04 13:23:12 2018 UDP link remote: [AF_INET]XXX.XXX.XXX.XXX:1194
Sun Feb 04 13:24:12 2018 [UNDEF] Inactivity timeout (--ping-restart), restarting
Sun Feb 04 13:24:12 2018 SIGUSR1[soft,ping-restart] received, process restarting
And her's some of my firewall log (a bit later in the day when I tried again to connect):
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2018-02-04 18:39:44 ALLOW UDP 127.0.0.1 239.255.255.250 1800 1900 0 - - - - - - - SEND
2018-02-04 18:39:44 ALLOW TCP 192.168.1.111 192.168.1.111 53394 80 0 - 0 0 0 - - - SEND
2018-02-04 18:39:44 ALLOW TCP 192.168.1.111 192.168.1.111 53394 80 0 - 0 0 0 - - - RECEIVE
2018-02-04 18:39:45 ALLOW ICMP 192.168.1.111 192.168.1.11 - - 0 - - - - 8 0 - SEND
2018-02-04 18:39:45 ALLOW TCP 192.168.1.111 192.168.1.11 53395 80 0 - 0 0 0 - - - SEND
2018-02-04 18:39:46 ALLOW TCP 192.168.1.111 192.168.1.111 53396 80 0 - 0 0 0 - - - SEND
2018-02-04 18:39:46 ALLOW TCP 192.168.1.111 192.168.1.111 53396 80 0 - 0 0 0 - - - RECEIVE
2018-02-04 18:39:47 DROP UDP 192.168.1.62 239.255.255.250 58670 1900 467 - - - - - - - RECEIVE
2018-02-04 18:39:48 DROP UDP 192.168.1.62 239.255.255.250 58670 1900 480 - - - - - - - RECEIVE
2018-02-04 18:39:48 DROP UDP 192.168.1.62 239.255.255.250 58670 1900 547 - - - - - - - RECEIVE
If you disable windows firewall and it works then its obvious the firewall is blocking your connection. Take a look at the second part of the article. it explains in detail how to achieve a connection with rules for windows 10 firewall.
you shouldn't notice a big difference if you use 256 unless you are using Direct clients to redirect Internet traffic, if you use it without this feature then it shouldn't make a huge difference.@yorgi
Thank you for the tutorial, I now have a working VPN server that I can connect my phone when at work or on the road to stream radio and block out ads using ABS.
I'm wondering if you can go into additional detail for a few of your settings?
Specifically why set TLS control channel security to Disable? Would it not be better to Encrypt channel?
Any benefit to changing Auth digest, Negotiable ciphers and Compression for better security / performance? For my situation would I notice a huge impact changing to SHA256 and AES 256?
not sure why you had to change it to UDP and why you have to add the router in the remote address. Unless you made changes other changes to the VPN server it should work the way i indicated in the article. Mine works fine like that along with others that have tried.I checked all of my settings many times and still couldn't connect. It's my understanding that you should be able to at least connect to the VPN on the router without even modifying your Windows 10 firewall settings and that the firewall setting changes are necessary only to connect to the network shares.
I was finally able to connect with the following firewall rule changes from what is recommended:
- I had to choose UDP for the protocol type instead of TCP.
- for the scope remote IP addresses, I had to include 192.168.1.1 along with 10.8.0.0/24.
With these changes I was able to establish a connection. Should I be OK going forward or could I have issues?
Thanks.
not sure why you had to change it to UDP and why you have to add the router in the remote address. Unless you made changes other changes to the VPN server it should work the way i indicated in the article. Mine works fine like that along with others that have tried.
I would try and take out the ip address of the router from remote address and try TCP again. Did you change protocol to UDP in the VPN server settings?
Not sure why it worked your way. unless I see your advanced settings of the VPN server I cannot really comment.
I was wondering if is possible to keep my TP-Link router as my primary router and use my Asus router behind my primary with the VPN server running? I have read some guides on setting a 2nd router up behind a primary router as a dedicated VPN client but wasn't sure is it is possible as a dedicated VPN server.
Welcome To SNBForums
SNBForums is a community for anyone who wants to learn about or discuss the latest in wireless routers, network storage and the ins and outs of building and maintaining a small network.
If you'd like to post a question, simply register and have at it!
While you're at it, please check out SmallNetBuilder for product reviews and our famous Router Charts, Ranker and plenty more!