Tutorial How to setup a VPN Server with Asus routers 380.68 updated 08.24


Hello,

Running 380.65_4, and with everything set up, I export the .ovpn file and the cert and key are blank. I assumed it would generate one for the device, but it didn't. Without this I am getting: OpenVPN core error : PolarSSL: error parsing ca certificate : X509 - The CRT/CRL/CSR format is invalid.

when trying to connect on Android "OpenVPN Connect" app.

client
dev tun
proto udp
remote xxxxxxxxxx.xxxxxxx.com 1194
float
cipher AES-128-CBC
auth SHA1
comp-lzo no
keepalive 15 60
auth-user-pass
ns-cert-type server
<ca>
no
</ca>
<cert>
paste client certificate data here
</cert>
<key>
paste client key data here
</key>
resolv-retry infinite
nobind

Any idea how to fix this? On the router I see there is a static key, but no CA.
I had no problem with my ovpn file. One thing I noticed is you have comp-lzo set to no. With my testing, I found I needed to specify some level of compression. None did not work. I ended up going with LZ4 Adaptive. You can refer to a screen print of my configurations in post 56 to see if that helps.
 
I have mine set up exactly like yours now, and when I export the ovpn file in the GUI I still get the empty "paste here". In the GUI there is only a static key and no CA. If I try to connect on Android, it gives me the: "OpenVPN core error : PolarSSL: error parsing ca certificate : X509 - The CRT/CRL/CSR format is invalid".

client
dev tun
proto udp
remote xxxx.xxxxx.com 1194
float
cipher AES-128-CBC
auth SHA1
comp-lzo adaptive
keepalive 15 60
auth-user-pass
ns-cert-type server
<ca>
adaptive
</ca>
<cert>
paste client certificate data here
</cert>
<key>
paste client key data here
</key>
resolv-retry infinite
nobind

If I look manually in the router via SSH, I can see there is a ca.crt and a server.crt. Shouldn't these certs be showing in the exported OVPN file instead of the empty "paste here"?

/tmp/etc/openvpn/server1
-rw-rw-rw- 1 admin root 3803 May 10 21:01 01.pem
-rw-rw-rw- 1 admin root 3675 May 10 21:01 02.pem
-rw-rw-rw- 1 admin root 1172 May 10 21:01 ca.crt
-rw------- 1 admin root 916 May 10 21:01 ca.key
-rw-rw-rw- 1 admin root 3675 May 10 21:01 client.crt
-rw-rw-rw- 1 admin root 660 May 10 21:01 client.csr
-rw------- 1 admin root 916 May 10 21:01 client.key
-rw-rw-rw- 1 admin root 307 May 10 21:01 client.ovpn
-rw-rw-rw- 1 admin root 18 May 10 21:07 client_status
-rw------- 1 admin root 349 May 10 21:01 config.ovpn
-rw-rw-r-- 1 admin root 424 May 10 21:01 dh.pem
-rw-rw-rw- 1 admin root 198 May 10 21:01 index.txt
-rw-rw-rw- 1 admin root 21 May 10 21:01 index.txt.attr
-rw-rw-rw- 1 admin root 21 May 10 21:01 index.txt.attr.old
-rw-rw-rw- 1 admin root 100 May 10 21:01 index.txt.old
-rw-rw-rw- 1 admin root 3 May 10 21:01 serial
-rw-rw-rw- 1 admin root 3 May 10 21:01 serial.old
-rw-rw-rw- 1 admin root 3803 May 10 21:01 server.crt
-rw-rw-rw- 1 admin root 664 May 10 21:01 server.csr
-rw------- 1 admin root 916 May 10 21:01 server.key
-rw------- 1 admin root 559 May 10 21:07 status
 
So basically, the OpenVPN Connect app on Android wants a CA, and errors out with anything less, such as the OVPN file. Password only will not work, which is the first step to getting it working.

So from what I understand, the OVPN file below should work with basic username and password only, and no CA?

client
dev tun
proto udp
remote xxxxx.xxx 1194
float
cipher AES-128-CBC
auth SHA1
comp-lzo adaptive
keepalive 15 60
auth-user-pass
ns-cert-type server
<ca>
adaptive
</ca>
resolv-retry infinite
nobind
 
I went to the AC88U router that has 380.65_4 installed and was able to download the ovpn file with no issues, and the certs were in the file. The OpenVPN Server was turned on when I did this. When I go to the /tmp/etc/openvpn/server1/ folder on the router, I see the ovpn file called client.ovpn. So, I can't duplicate the issue. Try to reinstall 380.65_4 and try again. If that does not work, then try a factory reset. You will need to reenter your configs or use John's NVRAM backup and restore utility to do it for you.
 
You have more files in the /tmp/etc/openvpn/server1/ directory than I do
 
Your OpenVPN configuration seems corrupted, as the <ca> block contains the value of a different parameter (it's the comp-lzo value). I recommend reconfiguring your OpenVPN server instance by clicking on Default and starting over.
 
Never thought of that, good idea. I went to defaults and when going into the keys and certs window, I still have a Static Key, and nothing else. See output below. Seems like the CA should be populated with a key instead of adaptive as you mentioned.

Should the firmware be generating a CA for me? Which then gets exported into the .OVPN file?

client
dev tun
proto udp
remote xxxxxxxx.com 1194
float
ncp-ciphers AES-128-GCM:AES-256-GCM:AES-128-CBC:AES-256-CBC
cipher AES-128-CBC
comp-lzo adaptive
keepalive 15 60
auth-user-pass
ns-cert-type server
<ca>
adaptive
</ca>
resolv-retry infinite
nobind


Seems like I should be able to get this thing going with no key, and just the username and password which are configured.

Can someone paste me what the export .OVPN file should look like in this config? No keys, just user auth.
 
I just tracked down the bug causing this in the code. If you don't have any CA defined (or if the router is unable to open the CA file in jffs), then the previous content of a buffer gets written instead. I'll fix that one on my end.

On your end however, your issue is the current lack of any CA. If you start by defaulting the OpenVPN server, it will then automatically generate one for you. You can check the content of the Keys & Certificate pages afterward.
 
Hmm. I tried to default and then turn OpenVPN server back on, but it still doesn't generate in the GUI Keys Page.

Looking manually I can see the files as mentioned before:

/tmp/etc/openvpn/server1

-rw-rw-rw- 1 admin root 3803 May 10 23:33 01.pem
-rw-rw-rw- 1 admin root 3675 May 10 23:33 02.pem
-rw-rw-rw- 1 admin root 1172 May 10 23:33 ca.crt
-rw------- 1 admin root 916 May 10 23:33 ca.key
-rw-rw-rw- 1 admin root 3675 May 10 23:33 client.crt
-rw-rw-rw- 1 admin root 660 May 10 23:33 client.csr
-rw------- 1 admin root 916 May 10 23:33 client.key
-rw-rw-rw- 1 admin root 347 May 10 23:33 client.ovpn
-rw-rw-rw- 1 admin root 0 May 10 23:34 client_status
-rw------- 1 admin root 386 May 10 23:33 config.ovpn
-rw-rw-r-- 1 admin root 424 May 10 23:33 dh.pem
-rw-rw-rw- 1 admin root 198 May 10 23:33 index.txt
-rw-rw-rw- 1 admin root 21 May 10 23:33 index.txt.attr
-rw-rw-rw- 1 admin root 21 May 10 23:33 index.txt.attr.old
-rw-rw-rw- 1 admin root 100 May 10 23:33 index.txt.old
-rw-rw-rw- 1 admin root 3 May 10 23:33 serial
-rw-rw-rw- 1 admin root 3 May 10 23:33 serial.old
-rw-rw-rw- 1 admin root 3803 May 10 23:33 server.crt
-rw-rw-rw- 1 admin root 664 May 10 23:33 server.csr
-rw------- 1 admin root 916 May 10 23:33 server.key
-rw------- 1 admin root 472 May 10 23:34 status

It's just not populating in the GUI no matter how many times I Default it. For kicks, I enabled Server 2 and I get the same blanks. The only difference is the files are generated in the /tmp/etc/openvpn/server2 directory instead of /tmp/etc/openvpn/server1 (as you would expect).
 
In top, I can see the process running:
/etc/openvpn/vpnserver1 --cd /etc/openvpn/server1 --config config.ovpn

admin@RT-AC87U-3C98:/tmp/home/root# cat /etc/openvpn/server1/config.ovpn
# Automatically generated configuration
daemon
topology subnet
server 10.16.0.0 255.255.255.0
proto udp
port 1194
dev tun22
ncp-ciphers AES-128-GCM:AES-256-GCM:AES-128-CBC:AES-256-CBC
comp-lzo adaptive
keepalive 15 60
verb 3
push "route 192.168.1.0 255.255.255.0"
duplicate-cn
ca ca.crt
dh dh.pem
cert server.crt
key server.key
status-version 2
status status 10

# Custom Configuration
 
I just tested it and it's working for me. The generated content is stored in /jffs/openvpn/ . Make sure that directory exists, otherwise it means something is wrong with your JFFS partition.
 
I do have that directory.
/jffs/openvpn/
-rw------- 1 admin root 2056 Apr 28 10:03 vpn_crt_client1_ca
-rw------- 1 admin root 1734 May 1 2016 vpn_crt_client2_ca
-rw------- 1 admin root 1416 Jan 16 2016 vpn_crt_client3_ca
-rw------- 1 admin root 1734 May 1 2016 vpn_crt_client4_ca

All are different cert values.
 
When I export the .OVPN file now (I XXXXX the key):

client
dev tun
proto udp
remote xxxxxxxxx.xxx 1194
float
ncp-ciphers AES-128-GCM:AES-256-GCM:AES-128-CBC:AES-256-CBC
comp-lzo adaptive
keepalive 15 60
ns-cert-type server
<ca>
-----BEGIN CERTIFICATE-----
MIIDNDCCAp2gAwIBAgIJAKV04bD24Kp/MA0GCSqGSIb3DQEBCwUAMHAxCzAJBgNV
BAYTAlRXMQswCQYDVQQIEwJUVzEPMA0GA1UEBxMGVGFpcGVpMQ0wCwYDVQQKEwRB
U1VTMREwDwYDVQQDEwhSVC1BQzg3VTEhMB8GCSqGSIb3DQEJARYSbWVAbXlob3N0
Lm15ZG9tYWluMB4XDTE3MDUxMTA0MzMzNVoXDTI3MDUwOTA0MzMzNVowcDELMAkG
A1UEBhMCVFcxCzAJBgNVBAgTAlRXMQ8wDQYDVQQHEwZUYWlwZWkxDTALBgNVBAoT
BEFTVVMxETAPBgNVBAMTCFJULUFDODdVMSEwHwYJKoZIhvcNAQkBFhJtZUBteWhv
cXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXYEFPGI
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXYEFPGI
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXYEFPGI
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXYEFPGI
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXYEFPGI
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXYEFPGI
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXYEFPGI
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXYEFPGI
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXYEFPGI
yrpXR4DG/T7Nb6XfQsKtsJECoSTb1g2111ubhwL+VHxjK6zTwROq5w5Xv8XVkPdC
vApM3hcwE9Jc9191uDK0BQ0prOmdSac+HDn45Ro4MDqWFldi1AeOtRIUlF6ljrGH
3Xb+qLgbAuY=
-----END CERTIFICATE-----
</ca>
<cert>
paste client certificate data here
</cert>
<key>
paste client key data here
</key>
resolv-retry infinite
nobind
 
Enable jffs partition so you can mimic our setup/config. Go to the Administrative-System Tab.

Format JFFS partition at next boot = Yes
Enable JFFS custom scripts and configs = Yes

Then reboot. Now try RMerlin's recommendation.
 
Now your ovpn is correct; you do have actual valid content in the <ca> block. However, you enabled key/cert-based authentication, which is why those fields are telling you to paste the content there. This is something you have to create yourself; take a look at the documentation on the Wiki for more info. Otherwise, stick to user/password-only authentication; this is a setting on the webui.
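As an added check, not code from this thread or from the Asuswrt-Merlin firmware, the Python script below parses an exported client .ovpn and reports the two problems discussed in this thread: a <ca> block that holds another directive's value (the stale-buffer export bug described earlier, where "adaptive" from comp-lzo ends up in the <ca> block) instead of a PEM certificate, and placeholder text left in <cert>/<key> when the server was not switched to username/password-only authentication. Both sample configs are constructed for the example; the "MAMCAQE=" body in the second one is only a syntactically valid PEM envelope around a tiny ASN.1 SEQUENCE, not a real certificate, and the hostname vpn.example.invalid is a placeholder.

```python
import base64
import re

# Constructed sample, modelled on the exports quoted in this thread: the <ca>
# block carries the comp-lzo value and cert/key still carry placeholder text.
BROKEN_OVPN = """client
dev tun
proto udp
remote vpn.example.invalid 1194
float
cipher AES-128-CBC
auth SHA1
comp-lzo adaptive
keepalive 15 60
auth-user-pass
ns-cert-type server
<ca>
adaptive
</ca>
<cert>
paste client certificate data here
</cert>
<key>
paste client key data here
</key>
resolv-retry infinite
nobind
"""

# Constructed sample of a username/password-only export: a real-looking <ca>
# block and no <cert>/<key> at all. "MAMCAQE=" is base64 of a 5-byte ASN.1
# SEQUENCE, enough to pass the syntax check below; it is NOT a real certificate.
USERPASS_OVPN = """client
dev tun
proto udp
remote vpn.example.invalid 1194
auth-user-pass
ns-cert-type server
<ca>
-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----
</ca>
nobind
"""

BLOCK_RE = re.compile(r"^<([a-z-]+)>\n(.*?)^</\1>", re.S | re.M)
PLACEHOLDER_RE = re.compile(r"^paste .* here$", re.I)


def parse_ovpn(text):
    """Split an .ovpn into (directives, inline_blocks).

    directives: list of (name, argument) for every non-block, non-comment line;
    inline_blocks: {tag: body} for every <tag>...</tag> section.
    """
    blocks = {m.group(1): m.group(2).strip() for m in BLOCK_RE.finditer(text)}
    directives = []
    for line in BLOCK_RE.sub("", text).splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue
        name, _, arg = line.partition(" ")
        directives.append((name, arg.strip()))
    return directives, blocks


def pem_certificate_problem(body):
    """Return None if body is a syntactically valid PEM certificate, else a reason.

    This mirrors what the client's X.509 parser needs before it can even start:
    a PEM CERTIFICATE envelope around base64 DER whose first byte is an ASN.1
    SEQUENCE (0x30). Anything else yields the 'CRT/CRL/CSR format is invalid' error.
    """
    lines = body.splitlines()
    if (len(lines) < 3 or lines[0] != "-----BEGIN CERTIFICATE-----"
            or lines[-1] != "-----END CERTIFICATE-----"):
        return "not a PEM CERTIFICATE envelope"
    try:
        der = base64.b64decode("".join(lines[1:-1]), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "body is not valid base64"
    if not der or der[0] != 0x30:
        return "decoded data is not an ASN.1 SEQUENCE"
    return None


def check_ovpn(text):
    """Return a list of human-readable findings for an exported client .ovpn."""
    directives, blocks = parse_ovpn(text)
    findings = []

    ca = blocks.get("ca")
    if ca is None:
        findings.append("ca: no inline <ca> block; the client cannot verify the server")
    else:
        why = pem_certificate_problem(ca)
        if why:
            # The export bug from this thread: the block holds a directive's value.
            leak = next((n for n, a in directives if a and a == ca), None)
            if leak:
                findings.append(f"ca: block holds the value of '{leak}' ({ca!r}), "
                                "a stale-buffer export; re-export after the CA exists")
            else:
                findings.append(f"ca: {why}")

    user_pass = any(n == "auth-user-pass" for n, _ in directives)
    for tag in ("cert", "key"):
        body = blocks.get(tag)
        if body is None:
            if not user_pass:
                findings.append(f"{tag}: missing and no auth-user-pass; nothing to authenticate with")
        elif PLACEHOLDER_RE.match(body):
            findings.append(f"{tag}: placeholder text; paste a real client {tag} "
                            "or switch the server to username/password-only auth")
    return findings


if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_OVPN), ("userpass", USERPASS_OVPN)):
        print(name, check_ovpn(cfg) or ["ok"])
```

Run it against a file with `check_ovpn(open("client.ovpn").read())`; an empty list means the <ca> block is at least well-formed PEM and no placeholders remain, which is the point at which the Android client's "format is invalid" error should disappear (it does not prove the certificate chains to the router's ca.crt; compare the two files for that).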
 
I might put together a guide on this, using easyrsa3 for generation of CA, Server and Client certs + keys. RSA2048 and DH2048 etc. My OVPN server seems pretty stable, though I'm bound to have done something not recommended in there! I'll start work on this and make a thread, for feedback from the community.
 

JFFS format magic! It's populating the Keys and Certs now, thanks!
 
It looks like the last barrier is how to access machines behind the other VPN. When I use PPTP Server, I could RDP to any machine inside the PIA VPN running in the other OpenVPN Client tab. Seems like with OpenVPN server it's now allowing the traffic to cross, even with "Push LAN to clients" checked.

Router is handing out 192.168.1.X IPs, while OpenVPN server is handing out 10.8.0.X. I need to get a 10. machine (my phone) to connect to a 192. machine inside my network. Once I figure this part out, I can stop using PPTP Server completely.

See settings below and thanks in advance.
 

Try changing "Respond to DNS" = Yes.

I also recommend the following changes.
Auth Digest = SHA1
Username/Password Auth only = No
Legacy fallback cipher = AES-128-CBC

You will need to export/download a new ovpn file after making the changes.
 
Thanks! I did make those changes to upgrade security from password only; however, I still cannot connect to a local machine. I am using an IP, so it can't be a DNS issue. Within my local network I can hit the 192.168.1.5 machine from 192.168.3, and both are behind PIA. But when I connect with my cell phone to this OpenVPN server, it connects properly, but I cannot hit 192.168.1.3 from the assigned 10.8.0.2. Is there a manual route that needs to be added to connect the two?
 