Tutorial How to setup a VPN Server with Asus routers 380.68 updated 08.24

[neednetworking]

I am wondering if someone can tell me how to setup a subnet alias/masq/translation/forwarding/mapped (not sure of the correct term) on the asus firewall.

Here is the scenario
asus stock firmware, openvpn server, workplace subnet is stuck at 192.168.1.x
vpn/rdc works great for remote workers with anything but the same subnet at home
for home users with the same subnet as the workplace (192.168.1.x) they can connect to vpn, but of course can't rdc to their desktop.

Restrictions:
I don't have permission to renumber the workplace subnet
I could try renumber the home subnet, but this is less desirable because this will come up again when traveling, etc

Desired solution:
Setup an alias subnet. Using other better/higher end firewalls, I was able to setup an "alias" subnet. I don't know how to do this with asus. Basically I need the vpn client to rdc to 192.168.88.x and it get translated after going over vpn to 192.168.1.x, and vice versa. If an alias/forwarding subnet isn't possible, maybe I could setup an alias/forwarder for just one ip?

Thanks!

 

[Mooring]

I have my AC88U router setup with OpenVPN. I can connect sucessfully with a username/password pair, but cannot see any of the resources/devices on the server side. I thought I read the Username and Password for the VPN server must match the Windows logon of the server. Is this true? If it is true I have a space in my Windows logon name "abc eft" (without the quotes). The Asus setup does not allow a space character in the Username table on the OpenVPN setup page.

Is this my problem and if so, how can I get a Username with a space character in the setup?

Thank you.

 

[bnhf]

I thought I read the Username and Password for the VPN server must match the Windows logon of the server. Is this true?

No. The username and password used by Asus OpenVPN is only for OpenVPN.

Are you connecting by tunnel (TUN) or bridge (TAP)? With a TUN connection you'll be able to access devices by IP address. You won't be able to "see" those resources as Windows network browsing doesn't cross subnets.

 

[Mooring]

No. The username and password used by Asus OpenVPN is only for OpenVPN.

Are you connecting by tunnel (TUN) or bridge (TAP)? With a TUN connection you'll be able to access devices by IP address. You won't be able to "see" those resources as Windows network browsing doesn't cross subnets.

Thanks for your help.

Here are my advanced settings:

When I try to access my NAS by IP, I get this:

 

[Mooring]

UPDATE TO PREVIOUS POST

The forbidden error was to my WD MyCloud. Apparently there are some problems with this device being accessed by a VPN.

I tried the IP for the server, but got a "This site can't be reached" error at that IP. How can I get to the C drive on that computer?

I tried the IP for my Seagate Personal Cloud and did get to the login page for the NAS. How can I get to the files on the Personal Cloud and the files on the USB drive connected to the Personal Cloud?

This is from Windows Exploiter on the Server--I want to get to these devices from another computer using OpenVPN. The router show status as connected. Windows Explorer on the Client shows nothing but the host computer.

Thanks for help.

 

[bnhf]

I tried the IP for the server, but got a "This site can't be reached" error at that IP. How can I get to the C drive on that computer?

In Windows File Explorer, on the OpenVPN client, did you type "\\192.168.1.181"? Without the quotes of course...

 

[bnhf]

Thanks for your help.

Here are my advanced settings:

When I try to access my NAS by IP, I get this:

If your NAS has an http:// webpage you're trying to access. Open your favorite browser and type "http://192.168.1.181" or "http://192.168.1.181/ui" if that doesn't work. I'm guessing you're seeing this page because you started in Windows File Explorer and forgot to type the "\\" before the IP.

 

[Mooring]

In Windows File Explorer, on the OpenVPN client, did you type "\\192.168.1.181"? Without the quotes of course...

Sorry, not an expert here. I do not see "OpenVPN client" anywhere in Windows File Explorer. Am I looking in the wrong place?

 

[Mooring]

If your NAS has an http:// webpage you're trying to access. Open your favorite browser and type "http://192.168.1.181" or "http://192.168.1.181/ui" if that doesn't work. I'm guessing you're seeing this page because you started in Windows File Explorer and forgot to type the "\\" before the IP.

Thanks. I was able to get to the Dashboard file successfully. However, I want to get to the files stored on that NAS. Still haven't figured that out yet.

 

[bnhf]

Sorry, not an expert here. I do not see "OpenVPN client" anywhere in Windows File Explorer. Am I looking in the wrong place?

Maybe another (better) way to say it is:

On your OpenVPN client computer, go to Windows File Explorer and enter "\\192.168.1.181" up at the top of the screen where your current file path is showing.

 

[RMerlin]

There could be security measures in place on the NAS to prevent access from IPs outside of its subnet. That could explain the 403.

 

[Mooring]

UPDATE: I'm in!

I can now see, control, and access the devices on my OpenVPN server as shown from the Client screen capture here:

I needed to turn ON the Network discovery in Advanced Settings of the Network and Sharing Center (Windows 10).

I think I'm "good to go" now.

Thank you for the suggestions.

Two more laptops to connect to server; that will be the test!

 

[Mooring]

UPDATE: I'm in!

I can now see, control, and access the devices on my OpenVPN server as shown from the Client screen capture here:

I needed to turn ON the Network discovery in Advanced Settings of the Network and Sharing Center (Windows 10).

I think I'm "good to go" now.

Thank you for the suggestions.

Two more laptops to connect to server; that will be the test!

UPDATE:

The image i quoted above is incorrect. My MiFi network connection ended due to battery power during my testing/experimenting and my network connection changed to the local network of the OpenVPN server--so of course these devices showed up.

However, I was still able to connect to these devices AND see the file systems for both NAS devices and the USB drive connected to the router. The Windows Explorer listing under network identified these devices by IP AFTER the first connection during a session.

Bottom line, I think I have successful connected and can use the file systems using OpenVPN. Thanks for this forum and the help here. A side comment here is the Seagate PERSONAL CLOUD is much easier to setup and use than the WD MyCloud.

 

[bnhf]

However, I was still able to connect to these devices AND see the file systems for both NAS devices and the USB drive connected to the router. The Windows Explorer listing under network identified these devices by IP AFTER the first connection during a session.

This is standard behavior in Windows File Explorer. Any network file shares you access that aren't found by Windows network browsing (like those on different subnets), e.g. those you access over the VPN by "\\x.x.x.x" will temporarily continue to show in Windows Explorer -- at least for that OpenVPN connection.

 

[Ruigsm]

Hi,
I´m developing a machine based on a plc connected to a HMI interface. The manufacturer of the hmi has apps both for android as for windows to see/control the hmi panel wich in the LAN works fine. Now, i need to do that remotly by internet, and i´m far from dominate networks.
After some search i´m tempted to try an Asus N18UWRT as a openvpn server. My idea: having an isp router, connect a second router, the asus, as a openvpn server, and then connect the HMI console to the asus. So, havinf those ovpn files, connect to the hmi console on android with the openvpn app and then use the manufacturer app to reach and controle the hmi console....and do the same on windows.

What you think? is it possible? Or better forget the idea?

Thank you!

 

[muse95]

Can I use this to connect two sites, one with just a router, no computer present? Same Asus router at both ends.
One site is an active residence, has been set up with an ISP static IP connection, has IP cameras that have been port forwarded and can be viewed from anywhere, Slow satellite connection.
Second site is not occupied. Has a satellite ISP connection with a double NAT that blocks incoming connection requests. All that exists at second site is the modem, an ASUS RT-AC66U router and 4 IP cameras. No permanent computer. ISP refuses to issue a static IP for this site which is on a different satellite than first one, but a faster connection. Customer wants to view cameras located at site 2 when he is at site 1 or elsewhere.
Can I use stock fw in the ASUS? Or do I need something like Merlin?
Is Site 1 set up as VPN server and site 2 VPN client?
Would the computer at site 1 need to be on all the time?
What kind of configuration would be needed on mobile devices to access those site 2 cameras?

 

[japin]

Hi, so I followed this tutorial to a T and I get this error message on OpenVPN.

And since there are no stupid questions, the login the same as my router even if there is no password displayed, right?

 

[Om3r]

Hi, i have RT-AC3100 with latest merlin fw loaded. I tried configuring OpenVPN but since my router WAN is set to Automatic IP. The router have internal IP as WAN. I tried to setup with DDNS still not working. I can’t connect.

 

[maxbraketorque]

For HMAC uses, it's still adequate. There's a major performance penalty in switching to SHA256 or SHA512.

Better to upgrade to OpenVPN 2.4, and use AES-128-GCM, which does not require the use of a separate digest.

How about the RSA key length? I've read that 2048 bit or 2048 bit should be used now.

 

[RMerlin]

How about the RSA key length? I've read that 2048 bit or 2048 bit should be used now.

2048 is the recommended strength, yes. 1024 might be adequate for personal use if you're not a high risk target, but I don't think moving to 2048 will have a significant performance hit, so I recommend going with it.