Tutorial How to setup a VPN Server with Asus routers 380.68 updated 08.24


OK. It seems to me that there is a lot of gray area or opinion on what's considered a reasonable set of security parameters, so thanks for confirming.
 
One question please ...
It is not very clear: should static IP addresses be included inside the DHCP IP pool, or should they be outside?
What I mean is, if 192.168.0.95 - 99 are static IPs (manually assigned), should DHCP start from 95 or from 100?
What about the APs inside the network? Should they be inside or outside?
 
@yorgi Fantastic post... I've read 10 pages of mind-numbing VPN settings.

I just purchased an ASUS RT-AC5300 after returning a TP-LINK Archer C-5400 because of the very issue I'm now still having. I've been able to configure OpenVPN no problem. Server is running and accepting successful connections from client.

Scenario:
VPN Client-
LAN Subnet 192.168.1.0

VPN Server-
LAN Subnet 192.168.10.0
VPN Subnet 10.8.0.0

Behind VPN server exists a Drobo5N2 NAS that has a static IP assigned via DHCP of 192.168.10.99 ---- this is the resource I need to access from the vpn client.

I connect from the client successfully and obtain a 10.8.x.x IP address.
I can ping the 10.8.0.1 gateway, I can ping the 192.168.10.1 gateway.
I can log into my router web ui.
I cannot do ANYTHING else.

I had the exact same issue with previous router. I have tested disabling windows firewall client side. I have reconfigured DHCP IP Pool. I have defaulted server 2 and started fresh. Server is responding to DNS requests and Advertising DNS to clients. Push LAN to clients is also enabled.

Server is configured as TUN / UDP (tried TCP as well); everything else is default.

I'm at a loss.
 
Hi,
When you network you cannot do it the old-fashioned way with Windows.
You have to do it like this:
\\computer IP\fileshare
I recommend you have your router do the static IP via DHCP.
If you have 3 computers, use an IP pool like this:
192.168.1.97 - 192.168.1.254
In Manually Assigned IP around the DHCP, look for each computer's MAC and assign the first computer 192.168.1.99, the next one 192.168.1.98 and the next one 192.168.1.97.
Leave your clients on DHCP automatic IP and DNS.
Now the router will control the static IP range,
so if you want to connect to a specific computer's shares, type in, for example, \\192.168.1.98\sharename.
By letting your router control static IPs via DHCP, the ARP tables are handled by the router, thus refreshing them on the fly.
If you have static IPs that are not controlled by the router they don't get refreshed often, and for some reason you can run into these kinds of problems.
In today's big servers the DHCP servers control all static IP traffic; this way the admin can do things right from the router instead of going to each computer, and there are no problems.
Let me know if this works for you.
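The question a few posts up (should manually assigned addresses sit inside or outside the DHCP pool?) and the layout in the reply above (pool 192.168.1.97-254 with three reservations at .97-.99 inside it) are easy to get wrong by hand. The script below is an added example, not the poster's or ASUS's code: it validates such a plan and emits the equivalent dnsmasq directives, on the assumption that the router's DHCP server is dnsmasq (the router log later in this thread shows dnsmasq-dhcp lease messages). The MAC addresses are made up.

```python
"""Validate a LAN DHCP plan (dynamic pool plus MAC-based reservations) and
emit the equivalent dnsmasq directives.

Added example; not from the forum post or from ASUS firmware. Assumes the
router's DHCP server is dnsmasq. Sample MAC addresses are constructed.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample plan mirroring the post: three reservations at the
# bottom of the dynamic pool, the router itself at .1.
LAN = ipaddress.ip_network("192.168.1.0/24")
ROUTER = ipaddress.ip_address("192.168.1.1")
POOL = (ipaddress.ip_address("192.168.1.97"), ipaddress.ip_address("192.168.1.254"))
RESERVATIONS = {  # MAC -> fixed address (MACs are made up)
    "aa:bb:cc:00:00:01": "192.168.1.99",
    "aa:bb:cc:00:00:02": "192.168.1.98",
    "aa:bb:cc:00:00:03": "192.168.1.97",
}


def check_plan(lan, router, pool, reservations) -> List[str]:
    """Return a list of problems; an empty list means the plan is consistent."""
    problems: List[str] = []
    lo, hi = pool
    if lo not in lan or hi not in lan:
        problems.append(f"pool {lo}-{hi} is not inside {lan}")
    if lo > hi:
        problems.append("pool start is after pool end")
    if lo <= router <= hi:
        problems.append(f"router address {router} lies inside the dynamic pool")
    seen: Dict[str, str] = {}
    for mac, ip_s in reservations.items():
        ip = ipaddress.ip_address(ip_s)
        if ip not in lan:
            problems.append(f"reservation {mac} -> {ip} is outside {lan}")
        if ip in (router, lan.network_address, lan.broadcast_address):
            problems.append(f"reservation {mac} -> {ip} collides with a reserved address")
        if ip_s in seen:
            problems.append(f"{ip_s} reserved for both {seen[ip_s]} and {mac}")
        seen[ip_s] = mac.lower()
    return problems


def reservations_inside_pool(pool, reservations) -> Tuple[List[str], List[str]]:
    """Split reservations into those inside the dynamic range and those outside,
    so you can see which layout (the post uses 'inside') you actually have."""
    lo, hi = pool
    inside: List[str] = []
    outside: List[str] = []
    for ip_s in reservations.values():
        (inside if lo <= ipaddress.ip_address(ip_s) <= hi else outside).append(ip_s)
    return inside, outside


def dnsmasq_lines(pool, reservations, lease: str = "86400") -> List[str]:
    """dhcp-range for the dynamic pool and one dhcp-host per reservation."""
    lo, hi = pool
    lines = [f"dhcp-range={lo},{hi},{lease}"]
    for mac, ip in sorted(reservations.items(), key=lambda kv: ipaddress.ip_address(kv[1])):
        lines.append(f"dhcp-host={mac.lower()},{ip}")
    return lines


if __name__ == "__main__":
    print("problems:", check_plan(LAN, ROUTER, POOL, RESERVATIONS) or "none")
    print("inside/outside pool:", reservations_inside_pool(POOL, RESERVATIONS))
    print("\n".join(dnsmasq_lines(POOL, RESERVATIONS)))
```

The GUI writes these directives for you; the value of the script is the overlap and collision checks, which is where a hand-typed plan with a reservation on the router's own address or a duplicate fixed IP goes wrong.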
 
This has been an excellent discussion, thanks Yorgi for all your help. I have delved into trying openVPN finally from home to work and have a few things to share.

In a small business environment without a server doing DNS things will work better if you are sure to enable the Asus router to run DNS (which is off by default) - that way all the devices on your network will have their names and IP in the asus router. So again, be sure and set the DNS setting in the router to its own IP address (usually 192.168.1.1 by default).

I had the same trouble connecting to shares by name using the machine name after getting a successful VPN connection. As Yorgi mentioned, Windows 10 runs a pretty strict firewall that ignores ping requests as well. For Windows 10 (do this on the REMOTE machine that has the shares you want to access - obviously when you are onsite lol), I got it working by going to the firewall (just type firewall in the search window) and going to the inbound rules, where there is a very large list of rules to modify. Find the 'File and Printer Sharing (SMB-In)' rule (there are 3 - choose the one next to Private). Go to Properties and then the SCOPE tab, and in that scope tab at the bottom where it says REMOTE IP you will add the IP address range and subnet that the Asus router gives to VPN clients, which by default is 10.8.0.0/24.

After I did that i can use the UNC name instead of ipaddress of the remote machine to get to the share.
 
It's exactly how I give the example in the guide. I put a separate page just for Windows because its firewall is a pain and there are a few options that need to be enabled to have a flawless experience. Glad you got it working :)
 
I followed the instructions to the letter and cannot connect my Windows 10 PCs to the OpenVPN server on my router. I have a Mac that connects without any issues. The Windows PCs won't connect unless I disable the public network firewall. I added the inbound rule to the firewall settings but it didn't make any difference. It's my understanding that the rule is for accessing shares once connected, but I can't even connect. Any suggestions?

Here's the log from the modem:

Feb 4 13:14:40 openvpn[967]: 192.168.1.111 TLS: Initial packet from [AF_INET6]::ffff:192.168.1.111:62899, sid=1973d1f5 8ba6c14c
Feb 4 13:15:36 dnsmasq-dhcp[465]: DHCPREQUEST(br0) 192.168.1.33 e8:ab:fa:1c:72:01
Feb 4 13:15:36 dnsmasq-dhcp[465]: DHCPACK(br0) 192.168.1.33 e8:ab:fa:1c:72:01
Feb 4 13:15:40 openvpn[967]: 192.168.1.111 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Feb 4 13:15:40 openvpn[967]: 192.168.1.111 TLS Error: TLS handshake failed
Feb 4 13:15:40 openvpn[967]: 192.168.1.111 SIGUSR1[soft,tls-error] received, client-instance restarting
Feb 4 13:15:44 openvpn[967]: 192.168.1.111 TLS: Initial packet from [AF_INET6]::ffff:192.168.1.111:60203, sid=71548ba5 5afad9c6
Feb 4 13:16:17 kernel: nvram: consolidating space!
Feb 4 13:16:44 openvpn[967]: 192.168.1.111 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Feb 4 13:16:44 openvpn[967]: 192.168.1.111 TLS Error: TLS handshake failed
Feb 4 13:16:44 openvpn[967]: 192.168.1.111 SIGUSR1[soft,tls-error] received, client-instance restarting
Feb 4 13:16:50 openvpn[967]: 192.168.1.111 TLS: Initial packet from [AF_INET6]::ffff:192.168.1.111:50628, sid=f030fb85 cde0efad
Feb 4 13:17:50 openvpn[967]: 192.168.1.111 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Feb 4 13:17:50 openvpn[967]: 192.168.1.111 TLS Error: TLS handshake failed
Feb 4 13:17:50 openvpn[967]: 192.168.1.111 SIGUSR1[soft,tls-error] received, client-instance restarting
Feb 4 13:17:55 openvpn[967]: 192.168.1.111 TLS: Initial packet from [AF_INET6]::ffff:192.168.1.111:60481, sid=01c6f652 0b57e6b8
Feb 4 13:18:55 openvpn[967]: 192.168.1.111 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Feb 4 13:18:55 openvpn[967]: 192.168.1.111 TLS Error: TLS handshake failed
Feb 4 13:18:55 openvpn[967]: 192.168.1.111 SIGUSR1[soft,tls-error] received, client-instance restarting
Feb 4 13:19:00 openvpn[967]: 192.168.1.111 TLS: Initial packet from [AF_INET6]::ffff:192.168.1.111:63535, sid=28a7e6bf 142fb9ef
Feb 4 13:20:00 openvpn[967]: 192.168.1.111 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Feb 4 13:20:00 openvpn[967]: 192.168.1.111 TLS Error: TLS handshake failed
Feb 4 13:20:00 openvpn[967]: 192.168.1.111 SIGUSR1[soft,tls-error] received, client-instance restarting
Feb 4 13:20:10 openvpn[967]: 192.168.1.111 TLS: Initial packet from [AF_INET6]::ffff:192.168.1.111:52644, sid=74298ef0 c3e0d77d
Feb 4 13:21:10 openvpn[967]: 192.168.1.111 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Feb 4 13:21:10 openvpn[967]: 192.168.1.111 TLS Error: TLS handshake failed
Feb 4 13:21:10 openvpn[967]: 192.168.1.111 SIGUSR1[soft,tls-error] received, client-instance restarting

Here's the OpenVPN log:

Sun Feb 04 13:14:15 2018 OpenVPN 2.4.4 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Sep 26 2017
Sun Feb 04 13:14:15 2018 Windows version 6.2 (Windows 8 or greater) 64bit
Sun Feb 04 13:14:15 2018 library versions: OpenSSL 1.0.2l 25 May 2017, LZO 2.10
Enter Management Password:
Sun Feb 04 13:14:40 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]XXX.XXX.XXX.XXX:1194
Sun Feb 04 13:14:40 2018 UDP link local: (not bound)
Sun Feb 04 13:14:40 2018 UDP link remote: [AF_INET]XXX.XXX.XXX.XXX:1194
Sun Feb 04 13:15:40 2018 [UNDEF] Inactivity timeout (--ping-restart), restarting
Sun Feb 04 13:15:40 2018 SIGUSR1[soft,ping-restart] received, process restarting
Sun Feb 04 13:15:45 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]XXX.XXX.XXX.XXX:1194
Sun Feb 04 13:15:45 2018 UDP link local: (not bound)
Sun Feb 04 13:15:45 2018 UDP link remote: [AF_INET]XXX.XXX.XXX.XXX:1194
Sun Feb 04 13:16:46 2018 [UNDEF] Inactivity timeout (--ping-restart), restarting
Sun Feb 04 13:16:46 2018 SIGUSR1[soft,ping-restart] received, process restarting
Sun Feb 04 13:16:51 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]XXX.XXX.XXX.XXX:1194
Sun Feb 04 13:16:51 2018 UDP link local: (not bound)
Sun Feb 04 13:16:51 2018 UDP link remote: [AF_INET]XXX.XXX.XXX.XXX:1194
Sun Feb 04 13:17:51 2018 [UNDEF] Inactivity timeout (--ping-restart), restarting
Sun Feb 04 13:17:51 2018 SIGUSR1[soft,ping-restart] received, process restarting
Sun Feb 04 13:17:56 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]XXX.XXX.XXX.XXX:1194
Sun Feb 04 13:17:56 2018 UDP link local: (not bound)
Sun Feb 04 13:17:56 2018 UDP link remote: [AF_INET]XXX.XXX.XXX.XXX:1194
Sun Feb 04 13:18:56 2018 [UNDEF] Inactivity timeout (--ping-restart), restarting
Sun Feb 04 13:18:56 2018 SIGUSR1[soft,ping-restart] received, process restarting
Sun Feb 04 13:19:01 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]XXX.XXX.XXX.XXX:1194
Sun Feb 04 13:19:01 2018 UDP link local: (not bound)
Sun Feb 04 13:19:01 2018 UDP link remote: [AF_INET]XXX.XXX.XXX.XXX:1194
Sun Feb 04 13:20:01 2018 [UNDEF] Inactivity timeout (--ping-restart), restarting
Sun Feb 04 13:20:01 2018 SIGUSR1[soft,ping-restart] received, process restarting
Sun Feb 04 13:20:11 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]XXX.XXX.XXX.XXX:1194
Sun Feb 04 13:20:11 2018 UDP link local: (not bound)
Sun Feb 04 13:20:11 2018 UDP link remote: [AF_INET]XXX.XXX.XXX.XXX:1194
Sun Feb 04 13:21:12 2018 [UNDEF] Inactivity timeout (--ping-restart), restarting
Sun Feb 04 13:21:12 2018 SIGUSR1[soft,ping-restart] received, process restarting
Sun Feb 04 13:21:32 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]XXX.XXX.XXX.XXX:1194
Sun Feb 04 13:21:32 2018 UDP link local: (not bound)
Sun Feb 04 13:21:32 2018 UDP link remote: [AF_INET]XXX.XXX.XXX.XXX:1194
Sun Feb 04 13:22:32 2018 [UNDEF] Inactivity timeout (--ping-restart), restarting
Sun Feb 04 13:22:32 2018 SIGUSR1[soft,ping-restart] received, process restarting
Sun Feb 04 13:23:12 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]XXX.XXX.XXX.XXX:1194
Sun Feb 04 13:23:12 2018 UDP link local: (not bound)
Sun Feb 04 13:23:12 2018 UDP link remote: [AF_INET]XXX.XXX.XXX.XXX:1194
Sun Feb 04 13:24:12 2018 [UNDEF] Inactivity timeout (--ping-restart), restarting
Sun Feb 04 13:24:12 2018 SIGUSR1[soft,ping-restart] received, process restarting

And here's some of my firewall log (a bit later in the day when I tried again to connect):

#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2018-02-04 18:39:44 ALLOW UDP 127.0.0.1 239.255.255.250 1800 1900 0 - - - - - - - SEND
2018-02-04 18:39:44 ALLOW TCP 192.168.1.111 192.168.1.111 53394 80 0 - 0 0 0 - - - SEND
2018-02-04 18:39:44 ALLOW TCP 192.168.1.111 192.168.1.111 53394 80 0 - 0 0 0 - - - RECEIVE
2018-02-04 18:39:45 ALLOW ICMP 192.168.1.111 192.168.1.11 - - 0 - - - - 8 0 - SEND
2018-02-04 18:39:45 ALLOW TCP 192.168.1.111 192.168.1.11 53395 80 0 - 0 0 0 - - - SEND
2018-02-04 18:39:46 ALLOW TCP 192.168.1.111 192.168.1.111 53396 80 0 - 0 0 0 - - - SEND
2018-02-04 18:39:46 ALLOW TCP 192.168.1.111 192.168.1.111 53396 80 0 - 0 0 0 - - - RECEIVE
2018-02-04 18:39:47 DROP UDP 192.168.1.62 239.255.255.250 58670 1900 467 - - - - - - - RECEIVE
2018-02-04 18:39:48 DROP UDP 192.168.1.62 239.255.255.250 58670 1900 480 - - - - - - - RECEIVE
2018-02-04 18:39:48 DROP UDP 192.168.1.62 239.255.255.250 58670 1900 547 - - - - - - - RECEIVE
 
If you disable Windows firewall and it works, then it's obvious the firewall is blocking your connection. Take a look at the second part of the article. It explains in detail how to achieve a connection with rules for the Windows 10 firewall.

 
@yorgi

Thank you for the tutorial, I now have a working VPN server that I can connect my phone when at work or on the road to stream radio and block out ads using ABS.

I'm wondering if you can go into additional detail for a few of your settings?

Specifically why set TLS control channel security to Disable? Would it not be better to Encrypt channel?

Any benefit to changing Auth digest, Negotiable ciphers and Compression for better security / performance? For my situation would I notice a huge impact changing to SHA256 and AES 256?
 

I checked all of my settings many times and still couldn't connect. It's my understanding that you should be able to at least connect to the VPN on the router without even modifying your Windows 10 firewall settings and that the firewall setting changes are necessary only to connect to the network shares.

I was finally able to connect with the following firewall rule changes from what is recommended:

- I had to choose UDP for the protocol type instead of TCP.
- for the scope remote IP addresses, I had to include 192.168.1.1 along with 10.8.0.0/24.

With these changes I was able to establish a connection. Should I be OK going forward or could I have issues?

Thanks.
 
You shouldn't notice a big difference if you use 256 unless you are using "Direct clients to redirect Internet traffic". If you use it without this feature then it shouldn't make a huge difference.
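The question above (why leave TLS control channel security disabled, and whether SHA256 and AES-256 matter) comes down to which directives end up in the generated client profile. The linter below is an added example, not the forum's or the firmware's code: it compares two constructed client profiles, one with control-channel protection disabled and a SHA1/AES-128-CBC/comp-lzo data channel, and one hardened, and reports what each lacks. Which GUI label maps to which directive on a given firmware build is an assumption; check the .ovpn the router exports rather than the screen.

```python
"""Lint the control-channel and data-channel settings of an OpenVPN client
profile (.ovpn).

Added example; not from the forum or from ASUS firmware. The two profiles are
constructed. The allow-list of ciphers is this example's policy (AEAD only).
"""
from typing import Dict, List

WEAK_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194
cipher AES-128-CBC
auth SHA1
comp-lzo
"""

HARDENED_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194
tls-crypt static.key
tls-version-min 1.2
remote-cert-tls server
cipher AES-256-GCM
auth SHA256
"""

AEAD_CIPHERS = {"AES-256-GCM", "AES-128-GCM", "CHACHA20-POLY1305"}
WEAK_DIGESTS = {"MD5", "SHA1", "NONE"}


def parse(profile: str) -> Dict[str, List[str]]:
    """Directive -> arguments. Inline <ca>/<cert>/<key>/<tls-crypt> blocks are
    recorded by name and their contents skipped."""
    opts: Dict[str, List[str]] = {}
    in_block = None
    for raw in profile.splitlines():
        line = raw.split("#", 1)[0].strip()
        if in_block:
            if line == f"</{in_block}>":
                in_block = None
            continue
        if line.startswith("<") and line.endswith(">") and not line.startswith("</"):
            in_block = line[1:-1]
            opts.setdefault(in_block, [])   # presence of the inline block is what matters
            continue
        if not line:
            continue
        key, *args = line.split()
        opts[key] = args
    return opts


def lint(profile: str) -> List[str]:
    """Return findings; an empty list means nothing to flag under this policy."""
    o = parse(profile)
    findings: List[str] = []
    if "tls-crypt" not in o:
        if "tls-auth" in o:
            findings.append("tls-auth: control channel is authenticated but not encrypted; "
                            "tls-crypt also hides the handshake and certificates")
        else:
            findings.append("no tls-auth/tls-crypt: the server runs a TLS handshake with any peer "
                            "that reaches port 1194, so the service is trivially fingerprintable and "
                            "spends TLS work on unauthenticated packets")
    if "remote-cert-tls" not in o:
        findings.append("remote-cert-tls server missing: any certificate issued by the CA, "
                        "another client's included, would be accepted as the server")
    raw = o.get("data-ciphers", []) + o.get("cipher", [])
    ciphers = {c.upper() for arg in raw for c in arg.split(":")}
    if not ciphers:
        findings.append("no cipher configured: the 2.4 default is BF-CBC (64-bit block, SWEET32) "
                        "unless cipher negotiation upgrades it")
    elif not ciphers <= AEAD_CIPHERS:
        findings.append(f"non-AEAD data-channel cipher(s) {sorted(ciphers - AEAD_CIPHERS)}; "
                        "prefer AES-256-GCM or AES-128-GCM")
    digest = (o.get("auth") or ["SHA1"])[0].upper()   # OpenVPN's default auth is SHA1
    if digest in WEAK_DIGESTS:
        findings.append(f"auth {digest}: use SHA256 or stronger for the HMAC")
    if "comp-lzo" in o or "compress" in o:
        findings.append("compression enabled: compressing attacker-influenced plaintext next to "
                        "secrets is the VORACLE attack class; disable it")
    if "tls-version-min" not in o:
        findings.append("tls-version-min missing: 2.4 will still negotiate TLS 1.0")
    return findings


if __name__ == "__main__":
    for name, prof in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(name + ":", "\n  ".join([""] + lint(prof)) if lint(prof) else " ok")
```

On the performance side of the question, the AEAD ciphers also remove the separate HMAC pass on the data channel, so "AES-256-GCM with SHA256" costs less per packet than AES-256-CBC with SHA256, not more.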
 
Not sure why you had to change it to UDP and why you have to add the router in the remote address. Unless you made other changes to the VPN server it should work the way I indicated in the article. Mine works fine like that, along with others that have tried.
I would try and take out the IP address of the router from remote address and try TCP again. Did you change protocol to UDP in the VPN server settings?
Not sure why it worked your way. Unless I see your advanced settings of the VPN server I cannot really comment.
 

It definitely won't connect unless the firewall settings have TCP for the protocol and the router is in the remote address. Here are my VPN settings in the router:

 
Hi All,

I have successfully setup my old Asus RT-N66U as an Open VPN server. The reason behind this is so I can access my home security camera server remotely via VPN instead of forwarding ports. My primary router is a TP-Link Archer C3200 which does not support Open VPN but is however a fantastic Tri band router. My setup is currently as follows:

  • ISP Modem/WiFi Router in Bridge mode
  • TP-Link Router connected to ISP modem (Using Wan port)
  • Asus RT-N66U connected to ISP modem (Using Wan port)

Each router has its own separate WAN IP, and my security cameras and the PC running the software (Blue Iris) are only connected to the Asus router. This setup works perfectly and I can VPN in to my cameras and any shared drives on my PC.

The only downside with this setup is that if for any reason I need to reboot the ISP modem getting both the Asus router & TP-Link router online with their own WAN addresses can be quite challenging. Lots of reboots and unplugging cables lol (My wife doesn't have my patience !!)

I was wondering if is possible to keep my TP-Link router as my primary router and use my Asus router behind my primary with the VPN server running? I have read some guides on setting a 2nd router up behind a primary router as a dedicated VPN client but wasn't sure is it is possible as a dedicated VPN server.

Any advice would be greatly appreciated

Regards

Richard
 
I was wondering if is possible to keep my TP-Link router as my primary router and use my Asus router behind my primary with the VPN server running? I have read some guides on setting a 2nd router up behind a primary router as a dedicated VPN client but wasn't sure is it is possible as a dedicated VPN server.

I'm starting to wonder if that's the issue with my set up.


@yorgi
I have followed your steps & read the rest of this thread, tried different settings etc, & I'm at an end & feel like smashing my router/phone :mad: haha.....

So any advice/input from anyone on following would be much appreciated;
Set up;
ASUS RT-AC3200 FW 380.69 sitting behind a modem in bridge mode. (FW not most recent, once get this to work then maybe update it :confused:)
Samsung S7 with "OpenVPN Connect" app:
After importing the .ovpn file to the smartphone it won't connect, no errors at all on either device.
I can securely connect & login to my router via internet/browser on my smartphone, using DDNS/https.

What would be the bare-bones minimum don't care about security settings just to get it to connect?
What other router settings could be preventing a connection?
Any suggestions of another smartphone app that I could try this from?

VPN Server settings;



certificates look like this (taken from google, not mine)



IP Pool start/end is not the same as the server's.


Router system log:
Mar 2 19:53:18 openvpn[1365]: OpenVPN 2.4.3 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Dec 11 2017
Mar 2 19:53:18 openvpn[1365]: library versions: OpenSSL 1.0.2n 7 Dec 2017, LZO 2.08
Mar 2 19:53:18 openvpn[1366]: PLUGIN_INIT: POST /usr/lib/openvpn-plugin-auth-pam.so '[/usr/lib/openvpn-plugin-auth-pam.so] [openvpn]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
Mar 2 19:53:18 openvpn[1366]: Diffie-Hellman initialized with 2048 bit key
Mar 2 19:53:18 openvpn[1366]: TUN/TAP device tun21 opened
Mar 2 19:53:18 openvpn[1366]: TUN/TAP TX queue length set to 100
Mar 2 19:53:18 openvpn[1366]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Mar 2 19:53:18 openvpn[1366]: /usr/sbin/ip link set dev tun21 up mtu 1500
Mar 2 19:53:18 kernel: ADDRCONF(NETDEV_CHANGE): tun21: link becomes ready
Mar 2 19:53:18 openvpn[1366]: /usr/sbin/ip addr add dev tun21 10.8.0.1/24 broadcast 10.8.0.255
Mar 2 19:53:18 openvpn[1366]: Could not determine IPv4/IPv6 protocol. Using AF_INET6
Mar 2 19:53:18 openvpn[1366]: Socket Buffers: R=[122880->122880] S=[122880->122880]
Mar 2 19:53:18 openvpn[1366]: setsockopt(IPV6_V6ONLY=0)
Mar 2 19:53:18 openvpn[1366]: UDPv6 link local (bound): [AF_INET6][undef]:1194
Mar 2 19:53:18 openvpn[1366]: UDPv6 link remote: [AF_UNSPEC]
Mar 2 19:53:18 openvpn[1366]: MULTI: multi_init called, r=256 v=256
Mar 2 19:53:18 openvpn[1366]: IFCONFIG POOL: base=10.8.0.2 size=252, ipv6=0
Mar 2 19:53:18 openvpn[1366]: Initialization Sequence Completed


Thanks :eek:
 
@yorgi ,

Thank you for taking the time to put this thread together.
After some tinkering, I am up and running OpenVPN on my RT-AC66U_B1 w/latest Merlin firmware.

Took a bit to figure out that I had to add a route to get to my Surveillance System sitting on 192.168.254.x

Tested streaming a feed from one camera on my phone and running speed test on a PC and there is no slow down whatsoever on my internet connection.
 
Hi, I need help.

I have a file server running at 192.168.1.118 (static IP in the Asus router), however I can't get my Android client 192.168.2.2 to ping 192.168.1.118,

and I can't see the file server. Help, what did I do wrong?

Edit: added push "route 192.168.2.0 255.255.255.0"
Now the client in the 192.168.1.0 network can ping 192.168.2.2 already,

but still the Android IP 192.168.2.2 cannot ping 192.168.1.118, my file server.

Solved, silly me: I didn't notice the firewall was set to reject incoming connections from WAN.


 
@9bryan

At first my connection would not route me to 192.168.254.x

I added a "PUSH" Command at the bottom of the VPN Server settings.
Hope that helps.

You should also change your Legacy/fallback cipher; I found that with the default it left a couple of ports open when I ran a ShieldsUP! scan.

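Two posts in this thread (the route to 192.168.254.x above, and the earlier push "route" edit) hit the same thing: a subnet behind the server is only reachable if the server pushes a route for it and nothing on the client side already claims that prefix. The planner below is an added example, not the forum's or the firmware's code. It takes the thread's addresses (server LAN 192.168.10.0/24, VPN pool 10.8.0.0/24, a second subnet 192.168.254.0/24, client LAN 192.168.1.0/24) and generalises to any set of subnets: it emits the push "route" lines and refuses plans where the pool, the pushed subnets and the client's own LAN overlap. Pushing the VPN pool itself as a route is flagged too.

```python
"""Plan the routes an OpenVPN server must push so remote clients reach the
subnets behind it, and catch address overlaps that silently break reachability.

Added example; not from the forum or from ASUS firmware. Addresses are the
ones used in this thread; the overlap rules are this example's own.
"""
import ipaddress
from typing import Iterable, List

# Addresses from the thread.
VPN_POOL = "10.8.0.0/24"
SERVER_SIDE = ["192.168.10.0/24", "192.168.254.0/24"]   # LAN plus the camera subnet
CLIENT_LAN = "192.168.1.0/24"                           # where the road warrior sits


def push_routes(subnets: Iterable[str]) -> List[str]:
    """One push "route" directive per subnet, with the dotted mask OpenVPN expects."""
    lines = []
    for s in subnets:
        net = ipaddress.ip_network(s, strict=True)   # reject host bits set, e.g. 192.168.1.5/24
        lines.append(f'push "route {net.network_address} {net.netmask}"')
    return lines


def overlaps(vpn_pool: str, server_side: Iterable[str], client_lan: str) -> List[str]:
    """Report overlapping prefixes; any hit means one side routes the traffic the wrong way."""
    pool = ipaddress.ip_network(vpn_pool)
    client = ipaddress.ip_network(client_lan)
    nets = [ipaddress.ip_network(s) for s in server_side]
    problems: List[str] = []
    for n in nets:
        if n.overlaps(client):
            problems.append(f"server-side {n} overlaps the client's own LAN {client}: the client "
                            "already has a connected route for that prefix and sends traffic locally")
        if n.overlaps(pool):
            problems.append(f"server-side {n} overlaps the VPN pool {pool}: pushing the pool "
                            "itself does nothing and a real LAN inside it cannot be reached")
    if pool.overlaps(client):
        problems.append(f"VPN pool {pool} overlaps the client's LAN {client}")
    for i, a in enumerate(nets):               # duplicates among the pushed subnets
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"server-side subnets {a} and {b} overlap")
    return problems


def server_config(vpn_pool: str, server_side: Iterable[str], client_lan: str) -> List[str]:
    """server line plus pushed routes; raises instead of emitting a plan that overlaps."""
    found = overlaps(vpn_pool, server_side, client_lan)
    if found:
        raise ValueError("; ".join(found))
    pool = ipaddress.ip_network(vpn_pool)
    return [f"server {pool.network_address} {pool.netmask}"] + push_routes(server_side)


if __name__ == "__main__":
    print("\n".join(server_config(VPN_POOL, SERVER_SIDE, CLIENT_LAN)))
    # The classic failure: both ends on 192.168.1.0/24.
    print(overlaps("10.8.0.0/24", ["192.168.1.0/24"], "192.168.1.0/24"))
```

A pushed route only gets the packet as far as the router. The router must itself have a route to the extra subnet, and its firewall must allow forwarding from the tun interface to it, which is what the "reject incoming connections from WAN" discovery above was about.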
 
