Tutorial How to setup a VPN Server with Asus routers 380.68 updated 08.24

[PolarBear]

Is there any reason to use a server port other than the default 1194? Just wondering if there are certain networks or ISP's that may for some reason block port 1194?

I originally set up OpenVPN Server with the default port 1194. Starting about a year ago, I noticed in the system log that a connection attempt to the OpenVPN server was made at least once every day. Fortunately, I am not using a default admin user id or password, and so the connection attempts failed, but left traces in the system log.

After I changed OpenVPN to use a completely non-standard port, the log entries stopped. Someone here (sorry, I forget who) mentioned that attackers try only the most commonly used ports - it wastes too much of their time to try all ports. So changing OpenVPN to a non-standard port adds an extra layer of security.

Part of my question stems from reading forums that mention that vpn's will not work on the cruise ship that I am going on soon. Wasn't sure how they blocked vpn's. Thanks.

I have never been on a cruise ship, but I imagine that away from the coastline, they will have to use satelite communications. Satelite phone calls tend to be very expensive, and it's probably the same with data. If they block VPN access I would guess it is to reduce the data flow to affordable levels.

If you want to use VPN while on board, it might be good to use it in conjunction with something like Remote Desktop Services, which results in much less data being transmitted to and fro.

RDS itself seems to be quite vulnerable, and there have been several recent high-profile attacks. So IMHO it should only be used through a VPN tunnel.

Hope this helps

 

[doczenith1]

My reason to use a vpn while on the ship other than for privacy is to route my data through my home router (the vpn server that I will be connecting to) to take advantage of the ad blocking that I have added to my router using Diversion.

 

[maxbraketorque]

Using a non-standard port definitely cuts down greatly on unwanted login attempts.

 

[ARKASHA]

I don't know if it's a my VPN server settings I created following your guide, but what are these Warning messages in syslog? More I noticed they appear regularly every hour.

Mar 21 07:56:58 ovpn-server1[3458]: client/192.168.x.xxx PLUGIN_CALL: POST /usr/lib/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Mar 21 07:56:58 ovpn-server1[3458]: client/192.168.x.xxx TLS: Username/Password authentication succeeded for username 'merlin'
Mar 21 07:56:58 ovpn-server1[3458]: client/192.168.x.xxx WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1558', remote='link-mtu 1550'
Mar 21 07:56:58 ovpn-server1[3458]: client/192.168.x.xxx WARNING: 'cipher' is used inconsistently, local='cipher AES-128-CBC', remote='cipher AES-128-GCM'
Mar 21 07:56:58 ovpn-server1[3458]: client/192.168.x.xxx WARNING: 'auth' is used inconsistently, local='auth SHA1', remote='auth [null-digest]'

 

[Samir]

I don't know if it's a my VPN server settings I created following your guide, but what are these Warning messages in syslog? More I noticed they appear regularly every hour.

Mar 21 07:56:58 ovpn-server1[3458]: client/192.168.x.xxx PLUGIN_CALL: POST /usr/lib/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Mar 21 07:56:58 ovpn-server1[3458]: client/192.168.x.xxx TLS: Username/Password authentication succeeded for username 'merlin'
Mar 21 07:56:58 ovpn-server1[3458]: client/192.168.x.xxx WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1558', remote='link-mtu 1550'
Mar 21 07:56:58 ovpn-server1[3458]: client/192.168.x.xxx WARNING: 'cipher' is used inconsistently, local='cipher AES-128-CBC', remote='cipher AES-128-GCM'
Mar 21 07:56:58 ovpn-server1[3458]: client/192.168.x.xxx WARNING: 'auth' is used inconsistently, local='auth SHA1', remote='auth [null-digest]'

So I'm not familiar with the Asus vpns as I typically work in IPsec tunnels, but it looks like if you have a link established it won't be running 100% right and if you don't have a link the warnings are telling you why.

First it looks like the mtu is set differently on both sides of the link, local being 1558 and remote being 1550. This can cause problems with throughput and potentially packet loss.

Second, it looks like the actual cipher is different between the two ends--local being aes128cbc and the remote aes128gcm. This can keep the link from being established or major problems if it is established.

Third, it looks like the auth between both ends is different--local sha1 and the other having a null value. This will also keep the link from being established or major problems if it is established.

If you can change the local side to match the remote, the warnings should disappear and your link should come up nicely.

 

[RMerlin]

The cipher warning can be ignored, it's generally an artifact introduced with OpenVPN 2.4.x when NCP was added. NCP is probably picking up the correct cipher to use, so whatever is explicitely specified by --cipher is overruled by it. If you want to get rid of the warning, you could still change the cipher to also match theirs.

For the rest, check what you have in your Custom section, make sure you use what is recommended by the server provider.

 

[ARKASHA]

Hi, after installing some scripts, the ones in my signature, I updated the ovpn file, but I cannot ever connect to VPN server on the router. I was able to have back the connection editing the ovpn file indicating as remote my ddns.net address. So it seems VPN working only with this configuration? Suggestions?

 

[CanWestBoss]

I have an issue I can not figure out. Using thhedefault setup should the client be prompted for a username and password when they try to connect to the tunnel.

Mine does not and I can not figure out why. Any help will be gratly appreciated

 

[Chrisgtl]

Has anyone managed to get Plex for Android working using the VPN server?

The only way I can get Plex to work is by opening the port 32400 in WAN > Port Forward

I thought as I am connected to my network via VPN my Plex app would see the server as a local device and all is good but not the case unfortunately.

I see lots of advice on the internet about people connecting to their Plex via a VPN from Nord or Torguard etc but this isn't how I use my VPN so unsure what settings I need to change.

Can anyone help me?

 

[Derek Kerton]

I was able to test my connection from an outside network, and it is working. So, the culprit for the problem was connecting from inside the LAN.
Does anybody know how to enable that? It would be handy for testing a few configuration options without necessity to connect from a few miles away.

Sure, here are two ways:
1
Configure your phone with a OpenVPN client, turn off wifi on the phone, and test from your phone.

2
If you have a mobile hotspot, or can use your phone as one.
On your phone, turn off wifi.
Then turn on the phone's hotspot. (you may need to configure it)
Connect your laptop to the phone's hotspot
Your laptop is now outside your LAN, on the Internet via your phone. Test away.

One caveat, if you have a very weak cellular signal that drops or delays lots of packets, that alone can mess up the VPN connection.

 

[D-clone]

Hello !

I am trying to configure this simple network:

modem (WAN: 192.168.1.1) -- router – (192.168.2.1/24) LAN

I am going to purchase as a router the ASUS RT-AC52U with the stock updated firmware ASUSWRT.

My first problem is that I would like to run simultaneously the VPN server (OpenVPN) and VPN client in the same router (ASUS RT-AC52U).

The LAN consists of several PCS, a smart TV, some Android devices and a IP camera.

Edit: My IP camera (Amcrest ProHD 3MP Wi-Fi Camera (IP3M-941W) is not cloud reliant, but has the option of local storage (microSD card, NAS et) for security reasons, according to the recommendations of this excellent site!​

The main reason I need a VPN tunnel is the IP camera.

I think that for my security reasons the IP camera will have access to the LAN and the WAN only through a VPN tunnel, as a VPN client running in ASUS RT-AC52U router. I would like to have access to my IP camera from PCs and Android devices on the same LAN as well as from PCs and Android devices remotely, through a VPN tunnel in all cases. All these PCs and Android devices must have access to LAN while using the VPN tunnel. In general, I would like make selective routing, in order to select which devices will use the VPN and which devices will go directly to the internet. That is my second problem.

In order to find a solution to my first problem, I think that I have to follow this tip :

I would assume the VPN client service is using 1194 the default port and your server by default is set to the same. You need to change the VPN server port # and regenerate a new OVPN file for the remote user to connect the server. Then you will be able to run the VPN client service and the VPN server at the same time.​

I also have to ensure the VPN server and client are on separate subnets (but I don’t know how to do that)!!! Any ideas ? Perhaps the solution is the static routing as proposed here (point 1.5), according to the proposal 2 of this post ! In this case

FritzBox LAN port IP : 192.168.50.1
Asus WAN port IP : 192.168.50.2
Asus LAN IP : 192.168.51.1​

In order to find a solution to my second problem, I think that I have to make the following settings (main source is this post):

ASUSWRT: Push LAN to clients: enabled
ASUSWRT: Redirect Internet Traffic: disabled
ASUSWRT: Respond to DNS: enabled
ASUSWRT: Advertise DNS to clients: enabled

Windows 10 PC clients: disable the Use Default Gateway on Remote Network setting in the VPN dial-up connection item on the client computer:

In Windows 10 go to Settings > Network and Internet. Select 'Ethernet' on the left and then click 'Change Adapter Options'. VPN's properties? (TCP/IPv4 > Properties > Advanced).​

I don’t know how to make the selective routing with the stock firmware ASUSWRT, perhaps as pointed at this video tutorial. I haven’t bought the ASUS RT-AC52U yet, but the firmware (two screenshots included) of my currently using elsewhere ASUS RT-AC51U seems slightly different and I don’t know how to configure ! Any help?

Another possible solution would be to follow the proposal 1 of this post ! In this case, I could

flip devices between normal local country ISP or the VPN client network so I can surf privately or access other country content via VPN service. So I would manually switch my devices between the 2 wireless networks ​

Thank you in advance,

Dimi

 

[Zonkd]

I don't know if it's a my VPN server settings I created following your guide, but what are these Warning messages in syslog? More I noticed they appear regularly every hour.

Mar 21 07:56:58 ovpn-server1[3458]: client/192.168.x.xxx PLUGIN_CALL: POST /usr/lib/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Mar 21 07:56:58 ovpn-server1[3458]: client/192.168.x.xxx TLS: Username/Password authentication succeeded for username 'merlin'
Mar 21 07:56:58 ovpn-server1[3458]: client/192.168.x.xxx WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1558', remote='link-mtu 1550'
Mar 21 07:56:58 ovpn-server1[3458]: client/192.168.x.xxx WARNING: 'cipher' is used inconsistently, local='cipher AES-128-CBC', remote='cipher AES-128-GCM'
Mar 21 07:56:58 ovpn-server1[3458]: client/192.168.x.xxx WARNING: 'auth' is used inconsistently, local='auth SHA1', remote='auth [null-digest]'

My syslog gives identical errors when I connect to my router's OpenVPN server:

WARNING: 'link-mtu' is present in local config but missing in remote config, local='link-mtu 1549'
WARNING: 'tun-mtu' is present in local config but missing in remote config, local='tun-mtu 1500'
WARNING: 'auth' is used inconsistently, local='auth [null-digest]', remote='auth SHA256'
WARNING: 'tls-crypt' is present in remote config but missing in local config, remote='tls-crypt'

Just the last 2 errors are of concern to me. They suggest the server config on the router is wrong, but I thought these were correctly set in the web GUI. (see screenshot) Do I need something added in Custom Configuration section as well? Is this a known bug with ASUS not reading server configs properly? Note the VPN connection does still seem to work properly.

Spoiler: See screenshot

Firmware version: Merlin 384.12

 

[Samir]

The problem is that the configurations don't match exactly, which is important for vpn tunnels.

The two problems that make it not work at all is that the encodings are different in the different phases of connection--AES-128-CBC vs AES-128-GCM, and also SHA1 vs nothing. Don't worry about what you want--just get them to connect first.

Find these settings on both devices and get them to match (no more warnings in the logs) and they should connect (unless not having the mtus specified the same on both sides also keeps it from connecting--then make those match too).

Hope this helps!

 

[outlaw78]

So, what is the best OpenVPN server config now for a secure and fast VPN on a RT-5300 running merlin 384.14_2? Currently I am running what is pictured below. However, how does the cipher negotiation with fallback work? Is the legacy/fallback cipher the first one it uses or the first cipher in the negotiable ciphers list?

Not shown: RSA 2048
Clients will use VPN for: BOTH LAN AND INTERNET

 

[doczenith1]

This is my setup. It has worked well. If you don't have any clients that don't support the GCM cipher I think you can skip the cipher negotiation. Also, with GCM you don't need HMAC Auth as it is included in the cipher.

 

[RMerlin]

This is my setup. It has worked well. If you don't have any clients that don't support the GCM cipher I think you can skip the cipher negotiation. Also, with GCM you don't need HMAC Auth as it is included in the cipher.

It's best to leave Cipher negotiation enabled, and specify a reasonable fallback cipher (like AES-128-CBC). Clients that support it will "upgrade" to AES-256-GCM, while older clients will still be able to connect using AES-128-CBC.

Cipher negotiation allowed me to 100% transparently upgrade a customer's setup. I have a CentOS-based OpenVPN server in their datacenter, which was initially set with OpenVPN 2.3.x and BF-CBC (which wasn't considered obsolete yet at the time the server was configured). After upgrading the server to 2.4.x, their employees who already had an OpenVPN 2.4.x client automatically switched to using AES-256-GCM, leaving only those still on older 2.3 clients to use the obsolete BF-CBC cipher. Zero config change was required for the upgrade, in fact I only realized afterward that a large portion of their employees were now connecting using AES-256-GCM.

NCP was one of the nicest improvement to OpenVPN in many years IMHO.

 

[outlaw78]

This is my setup. It has worked well. If you don't have any clients that don't support the GCM cipher I think you can skip the cipher negotiation. Also, with GCM you don't need HMAC Auth as it is included in the cipher.

View attachment 21148

Does it slow anything down by having cipher negotiation on?

 

[Ola Malmstrom]

Lots of detailed info here but far too much for me.

I need to connect to my router (rt-ac3200 running the latest FW) from the outside. I try to open the WAN port under administration/system/remote access config. I set the radio button to Yes and press Apply. It seems to work, but after a few minuters it is reset to No.

If I re-boot the router immediately after pressning Apply, it also get reset to No.

The optimal solution would be to use VPN but I don’t understand how to do it.

1. Do I need to setup a VPN server on the router and clients on each client? I have about 25 different clients including cameras, IOT stuff etc.
2. Do I only need to set up a VPN client on my router that connects to a VPN server?
3. Can the VPN client in 2. be my HMA server or the VPN server on my router?
4. How will the clients behave? Will I need to re-do port forwarding? Will it be possible to access the NAS shares afterwards? Will my current sync and backup jobs between NASes work? Etc, etc.....

Seems to me that there are far too many things around this that I just don’t understand.

My final question is really: How do I get the access to the router from the WAN to stick?

 

[Xentrk]

Lots of detailed info here but far too much for me.

I need to connect to my router (rt-ac3200 running the latest FW) from the outside. I try to open the WAN port under administration/system/remote access config. I set the radio button to Yes and press Apply. It seems to work, but after a few minuters it is reset to No.

If I re-boot the router immediately after pressning Apply, it also get reset to No.

The optimal solution would be to use VPN but I don’t understand how to do it.

1. Do I need to setup a VPN server on the router and clients on each client? I have about 25 different clients including cameras, IOT stuff etc.
2. Do I only need to set up a VPN client on my router that connects to a VPN server?
3. Can the VPN client in 2. be my HMA server or the VPN server on my router?
4. How will the clients behave? Will I need to re-do port forwarding? Will it be possible to access the NAS shares afterwards? Will my current sync and backup jobs between NASes work? Etc, etc.....

Seems to me that there are far too many things around this that I just don’t understand.

My final question is really: How do I get the access to the router from the WAN to stick?

Don't enable access from the WAN for remote access. Those who have done so have been hacked. Using OpenVPN to connect remotely is the correct method for remote access.

Here is a guide I wrote for VPN Server setup. Some portions need to be updated to reflect changes in the firmware since I first published. But it should be of help and also show how to enable/configure on client devices.

 

[Ola Malmstrom]

Don't enable access from the WAN for remote access. Those who have done so have been hacked. Using OpenVPN to connect remotely is the correct method for remote access.

Here is a guide I wrote for VPN Server setup. Some portions need to be updated to reflect changes in the firmware since I first published. But it should be of help and also show how to enable/configure on client devices.

Thanks a lot !! This is the best guide I have seen! Link saved.

However it doesn't answer all of my questions. To be more specific:

• What happens to accesses within my network? I have devices such as cameras, alarms, switches, lamps etc. There are also smart TVs, apple TVs and other similar devices. There is no way I can install a client there.

• Then there are my two QNAP NASes. I use my old NAS as a file server for backup purposes. My next step is to move my old NAS to my brother-in-law's house a few kms away. He will move his old one to our house. How will VPN affect this setup (using Rsync and RTRR)? What needs to be changed?

• How will I access the QNAP mobile apps? I use them to access the new NAS from the outside. I have to use QNAPs myqnapcloud as DDNS. I can't use any other DDNS to get it to work (I have tried).

• How do I handle the manual port forwarding done for my cameras and for the NAS access? For QNAP, UPNP only works for one (1) NAS.