Tutorial: How to set up a VPN server with Asus routers 380.68, updated 08.24

Thanks! I did make those changes to upgrade security from password only; however, I still cannot connect to a local machine. I am using an IP, so it can't be a DNS issue. Within my local network I can reach the 192.168.1.5 machine from 192.168.3, and both are behind PIA. But when I connect with my cell phone to this OpenVPN server, it connects properly, but I cannot reach 192.168.1.3 from the assigned 10.8.0.2. Is there a manual route that needs to be added to connect the two?
Can you draw up a simple network diagram and post it here?
 
Figured it out... Looks like the issue was the router itself was in the PIA VPN policy exception list so I could connect to it on the WAN with PPTP (legacy), otherwise PIA VPN blocked it. I took it out of the exception list and now everything connects! Thanks everyone!
 
Try changing "Respond to DNS" = Yes.

I also recommend the following changes.
Auth Digest = SHA1
Username/Password Auth only = No
Legacy fallback cipher = AES-128-CBC

You will need to export/download a new ovpn file after making the changes.

Just a question: Should we not switch from SHA1 to anything different? SHA1 is not secure any longer and will not be supported by a lot of software soon :(
 
You are probably right on that one. I knew Blowfish CBC was vulnerable to birthday and SWEET32 attacks. I looked up SHA1 and see your point. Although it does state that "SHA-1 is no longer considered secure against well-funded opponents". I am surprised how many VPN vendors are still using it.

Sources:
https://en.wikipedia.org/wiki/SHA-1
https://en.wikipedia.org/wiki/Blowfish_(cipher)
 
Just found that German Ubuntu page for the configuration of OpenVPN:
https://wiki.ubuntuusers.de/OpenVPN/

And it tells you to use the following settings:
cipher AES-256-CBC
auth SHA512

The standard configuration from Asus is a little bit confusing, as it seems they are first using the weakest ciphers and then the stronger ones, so I changed that to the following:
AES-256-CBC:AES-128-CBC:AES-256-GCM:AES-128-GCM

and used the SHA256 auth digest; should be enough :)
 

For HMAC uses, it's still adequate. There's a major performance penalty in switching to SHA256 or SHA512.

Better to upgrade to OpenVPN 2.4, and use AES-128-GCM, which does not require the use of a separate digest.
 
Of course, speed is the other side of the medal! As I am coming from the IT sector and running a gateway with a dedicated SSL card, I had totally forgotten that fact ;)

Anyway, I am testing my configuration mentioned above; let's see if it has a big impact on speed :) Thanks for your information!
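As an added example (not from this thread, Asus or OpenVPN), a small Python audit of an exported client .ovpn file for the points raised in the posts above: a 64-bit block cipher such as BF-CBC (SWEET32), an MD5/SHA1 HMAC digest when no AES-GCM cipher is in use, a missing auth-user-pass, and a missing client certificate. The two profiles and the host vpn.example.invalid are constructed; where a directive is absent the OpenVPN 2.3 defaults (BF-CBC, SHA1) are assumed.

```python
import re
# Constructed sample profiles (not from the thread): weak older defaults vs. hardened.
WEAK_OVPN = """\
client
remote vpn.example.invalid 1194
cipher BF-CBC
auth SHA1
<cert>
(placeholder client certificate)
</cert>
"""
HARDENED_OVPN = """\
client
remote vpn.example.invalid 1194
cipher AES-256-CBC
auth SHA256
ncp-ciphers AES-256-GCM:AES-128-GCM
auth-user-pass
<cert>
(placeholder client certificate)
</cert>
"""
SMALL_BLOCK = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC"}  # 64-bit block: SWEET32
WEAK_DIGEST = {"MD5", "SHA1"}
def parse_ovpn(text):  # top-level directive -> args; inline <tag> blocks recorded by name
    opts, in_block = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if re.fullmatch(r"</?[a-z-]+>", line):          # start or end of an inline block
            in_block = not line.startswith("</")
            opts.setdefault(line.strip("</>"), [])
        elif line and not in_block and line[0] not in "#;":  # skip bodies and comments
            key, *args = line.split()
            opts[key] = args
    return opts

def audit_ovpn(text):  # findings for the weaknesses discussed in the thread
    o, findings = parse_ovpn(text), []
    cipher = o.get("cipher", ["BF-CBC"])[0].upper()      # OpenVPN 2.3 default cipher
    digest = o.get("auth", ["SHA1"])[0].upper()          # OpenVPN default digest
    if cipher in SMALL_BLOCK:
        findings.append(f"cipher {cipher}: 64-bit block cipher, SWEET32-vulnerable")
    if digest in WEAK_DIGEST and not cipher.endswith("-GCM"):
        findings.append(f"auth {digest}: use SHA256/SHA512 or an AES-GCM cipher (no separate digest)")
    if "auth-user-pass" not in o:
        findings.append("no auth-user-pass: anyone holding this .ovpn file can connect")
    if "cert" not in o:
        findings.append("no client certificate: password-only authentication")
    return findings
```

Run audit_ovpn on a freshly exported profile after changing the router settings; an empty list means none of the thread's four concerns apply.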
 

Hey mate, I am having the same problem; can you explain in a bit more detail how you got around this problem? I can't wrap my head around what you changed. Thanks in advance.
 
With the latest firmware 380.66.4 you need to enable Respond to DNS and Advertise DNS to clients; otherwise you will not be able to connect to your local network. This was not the case in the past.
 
I need advice: is this configuration OK, or do I need to use a username and password? I would like to use it without user and pass and would like to know if it is secure or not.
 
It is very important to have a username and password. Otherwise anyone can log in.
What did you mean by anyone can log in? If only I have the client.ovpn file?

 
Thanks yorgi, I appreciate all the help you have provided me so far with the guides.
My setup as per the attached works for accessing computers not behind the PIA VPN, but not the ones on it.
I also have ncp-disable in the custom area; not sure if this is still needed or not.

 
Disable redirecting clients' internet traffic if you don't want your internet traffic to go via your VPN server at home and then back to you.
If you disable this feature, whatever you do on your network will be via the VPN, and when you surf it will be from the local ISP.
Unless you have a lot of bandwidth to spare, it's not advised to redirect your internet traffic back to your server.
If you need to access a PC that is on a VPN, the only way you can do this is to remote desktop to a PC that is not on a VPN and then from that PC remote desktop to the VPN PC which is on the same network. You cannot reach a VPN PC from the PIA server. It's the way it is.
 
Ah ok, thanks a lot for explaining this. I wasn't sure if it was possible due to the router running everything. Previously I used to PPTP in to a machine and could access everything from there, so I was hoping this was the same. Thanks again.
 
I am trying to get OpenVPN server running on an Asus DSL-AC88U.

I can connect to the VPN server and the client is given the 10.8.0.2 IP.
Local subnet is 192.168.2.0/24.
However, I cannot access my local NAS or NVR when connected via VPN.

A few screenshots of my config to help troubleshoot.
I'm configured for TCP 443 at the moment as UDP 1143 won't connect.
 
Try setting firewall to Auto and compression to LZO; also go back to TUN UDP 1194.
I would also try it with AES-128-CBC.
I had some issues as well with the latest version of the server; it took me a while to get it up and running, but it's working with no issues on my end. Don't forget that every time you make any changes in the advanced configuration you need to export a new .ovpn file to load on your devices. Also, if you have any Windows 10 devices you need to set up a firewall rule to allow shares from other computers that are from the VPN server. I explain that in the article. Let me know if that helped.
 
Hi Yorgi,
Thanks for helping. I got it up and running eventually with your help on UDP.
The only difference was I had to set firewall to External only.
I think this may be due to the Asus DSL-AC88U having an inbuilt modem.

Screenshot to help others struggling to get OpenVPN running on this new model.
 
With the latest version 380.66.6 using my U87 I am not able to establish network shares from Win 10 PCs.
Even if I disable Windows Firewall I get the same issue. I went back to 380.66.4 and everything works fine.
Could be a bug with my U87, but if anyone has problems with the VPN server and connecting to Win 10 shares I would advise rolling back until this issue is fixed. I will make some more tests now that I am back on .4 and saved my cfg file.
Keep you all posted!
 