What's new

Tutorial How to setup a VPN Server with Asus routers 380.68 updated 08.24

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Thanks a lot !! This is the best guide I have seen! Link saved. :)

However it doesn't answer all of my questions. To be more specific:
  • What happens to accesses within my network? I have devices such as cameras, alarms, switches, lamps etc. There are also smart TVs, apple TVs and other similar devices. There is no way I can install a client there.
  • Then there are my two QNAP NASes. I use my old NAS as a file server for backup purposes. My next step is to move my old NAS to my brother-in-law's house a few kms away. He will move his old one to our house. How will VPN affect this setup (using Rsync and RTRR)? What needs to be changed?
  • How will I access the QNAP mobile apps? I use them to access the new NAS from the outside. I have to use QNAPs myqnapcloud as DDNS. I can't use any other DDNS to get it to work (I have tried).
  • How do I handle the manual port forwarding done for my cameras and for the NAS access? For QNAP, UPNP only works for one (1) NAS.
Sorry, I don't have experience with those scenarios to give you an answer. Someone on the NAS thread can probably help with those questions.

On the VPN server page, there is an option to give access to the LAN only, Internet or Both. But it is an all or nothing setting. You can' set it my device.

On one site I support, I needed to access the Windows Server machine. I assigned a static IP to the Windows Server. I then used the Windows Remote Desktop app to connect to it over the VPN connection. You may have to do something similar depending on the OS used by the device. I've seen similar questions posted on the DD-WRT forum site.
 
Thanks a lot !! This is the best guide I have seen! Link saved. :)

However it doesn't answer all of my questions. To be more specific:
  • What happens to accesses within my network? I have devices such as cameras, alarms, switches, lamps etc. There are also smart TVs, apple TVs and other similar devices. There is no way I can install a client there.
  • Then there are my two QNAP NASes. I use my old NAS as a file server for backup purposes. My next step is to move my old NAS to my brother-in-law's house a few kms away. He will move his old one to our house. How will VPN affect this setup (using Rsync and RTRR)? What needs to be changed?
  • How will I access the QNAP mobile apps? I use them to access the new NAS from the outside. I have to use QNAPs myqnapcloud as DDNS. I can't use any other DDNS to get it to work (I have tried).
  • How do I handle the manual port forwarding done for my cameras and for the NAS access? For QNAP, UPNP only works for one (1) NAS.
I had a thought. If you can't talk to your clients, you can try to create the following iptables rule to bridge the server subnet to the lan.

VPN Server 1 to LAN:

Code:
#!/bin/sh
iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o br0 -j MASQUERADE 2>/dev/null
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o br0 -j MASQUERADE

If it solves the problem, you can use the openvpn-event script I have on my x3mRouting Repo to with a minor edit to execute the iptables during a vpn server up/down event.

I use a similar rule to allow ppl to bridge the vpn server traffic thru one of the vpn clients. I just change the interface name to tun11, tun12, etc..
 
Last edited:
Hello,

I have finally configured the vpn server on an AC86U/merlin, connects no problem but I am unsure how to login to the router GUI. Do I need to enable "web access from WAN" to login to the router? The warning (see attached) recommends a "vpn" which I have setup but cannot get inside the router. Any suggestions?

Thanks in advance.
 

Attachments

  • SCR 2020-06-23 at 1.12.06 AM.jpg
    SCR 2020-06-23 at 1.12.06 AM.jpg
    47.4 KB · Views: 251
Hello,

I have finally configured the vpn server on an AC86U/merlin, connects no problem but I am unsure how to login to the router GUI. Do I need to enable "web access from WAN" to login to the router? The warning (see attached) recommends a "vpn" which I have setup but cannot get inside the router. Any suggestions?

Thanks in advance.

No, you don't need that enabled. That is only for access without VPN, and that should be avoided.
The entire point of the VPN (well, one of them) is that once you connect via the VPN, you can have access to various devices on your internal network as if your were there, including your router GUI.

Under VPN -> VPN Server , in "VPN Details" field, choose "Advanced Settings".
Make sure you have "Push LAN to clients" set to "Yes".
(Edit: I suspect on the newer versions this option might be under:
"Clients will use VPN for". Make sure it includes "LAN", e.g. "BOTH LAN AND INTERNET".)

If you are able to log in to your VPN, you should be able to go to http://192.168.10.1/ (or whatever you might have changed this to from the default values), - the same way as from within your LAN.
 
Last edited:
No, you don't need that enabled. That is only for access without VPN, and that should be avoided.
The entire point of the VPN (well, one of them) is that once you connect via the VPN, you can have access to various devices on your internal network as if your were there, including your router GUI.

Under VPN -> VPN Server , in "VPN Details" field, choose "Advanced Settings".
Make sure you have "Push LAN to clients" set to "Yes".
(Edit: I suspect on the newer versions this option might be under:
"Clients will use VPN for". Make sure it includes "LAN", e.g. "BOTH LAN AND INTERNET".)

If you are able to log in to your VPN, you should be able to go to http://192.168.10.1/ (or whatever you might have changed this to from the default values), - the same way as from within your LAN.
Ok, thank you. The settings seem to be as per your recommendations. I don't see this setting:"Push LAN to clients" set to "Yes".
The confusion for me is this: "http://192.168.10.1/ (or whatever you might have changed this to from the default values),"
What is this IP, the router gateway? In my case I did not change this IP for the router which is still 192.168.1.1

So I should use http://192.168.1.1? I am using a DDNS as well if that makes a difference.

Thank you.
buk
 

Attachments

  • asus_vpn-1.jpg
    asus_vpn-1.jpg
    67.4 KB · Views: 273
Last edited:
Ok, thank you. The settings seem to be as per your recommendations. I don't see this setting:"Push LAN to clients" set to "Yes".
The confusion for me is this: "http://192.168.10.1/ (or whatever you might have changed this to from the default values),"
What is this IP, the router gateway? In my case I did not change this IP for the router which is still 192.168.1.1

So I should use http://192.168.1.1? I am using a DDNS as well if that makes a difference.

Thank you.
buk
Ok, I beleive I have solved the issue by setting "allow only specified clients" to No.

Connected as you instructed, thanks str.
 
Hello,
I have 500/500Mbps fiber service and the OpenVPN server i setup on the AC86U achieves only 65Mbps when I connect to it from my other ISP which is 1000/500Mbps fiber service.
If i connect to an OpenVPN service/server half way around the world I easily get 250Mbps.
What can I check to improve the OpenVPN server sppeds on the AC86U?
 
How are you connecting when you're at the other ISP location? Which router, or client device, are you using to connect with?

From which location do you get 250Mbps speeds? Both, or, just one?

Are you using any OpenVPN Server options other than defaults? For both your main location and your secondary one?
 
In this new version 380.68 there are no new features for VPN server.

This guide will show you how to setup a VPN server with your Asus routers
This works with native ASUS firmware or Merlin Firmware

*** I suggest that every time you update to a new firmware do a Default on OpenVPN server then reboot the router and enter the data again. Also export a new .ovpn file and import to your device in order to have smooth results. Otherwise you may get into issues where you cannot see windows shared folders.

With the ASUS router you can have up to 2 separate VPN servers.
In this example I am using VPN server 1
simply enable OpenVPN server and by default the admin username and password is in the list. You can create up to 32 username and passwords in the appropriate fields.

In VPN details click on the advanced menu.
Use the VPN advanced image below and setup the values accordingly.

View attachment 6788

View attachment 9498

***Important***
With the latest firmware 380.66.4 and up You need to enable Respond to DNS and Enable Advertise DNS to clients otherwise you will not be able to connect to your Local Network. This was not the case in the past.

Finally in order for file shares to work properly you need to Have the router DHCP do the static addresses so this way the Arp entries are stored properly and the router can access shares.
in LAN tab, DCHP server, Basic Config

IP Pool Starting Address 192.168.1.97
IP Pool Ending Address 192.168.1.254

and in LAN/DHCP tab enable "Enable Manual Assignment"
Look for a network PC MAC address that you want to manage as Static IP and assign static IP address that are from the static range pool of 192.168.1.99 next PC .98 and .97
For first PC assign .99 and so on.
if you need more PC set the IP pool to reserve all the PC's you want and do them one by one to make sure that the PC gets the address you want.
This way you let the router handle the static addresses and you will have any problems sharing files via the VPN. If you do not do this and assign IP address manually on the PC's it may happen that you cannot share files because the router ARP tables don't see that computer you are trying to access even though you can Ping that PC. Having the router do the static IP ensures a proper ARP table and making sure you get access to the PC's you want to.
Even if you have the PC have a dynamic IP from the router chances are you may still get into problems where you cannot see the shares because the IP address changed.
In the second part of the tutorial I show you how to setup firewall rules on windows PC in order to access shares properly.
Some features to explore;

Interface Type: TAP or TUN?

TUN is the preferred method because it supports windows, iOS, Android, Linux
You can file share SAMBA, remote desktop, print share etc.
You will have to configure windows firewall explained in the end of this article.

TAP supports windows but not iOS or Android.
by choosing TAP, you tell the VPN to make remote machines feel like they're on the LAN, with broadcast Ethernet packets and raw Ethernet protocols available for communicating with printers and file servers and for powering their Network Neighborhood display.
Great if you don't want to configure windows firewalls on each PC

Push LAN to clients: allows you to access your network via the tunnel,
such as remote desktop, file sharing and print sharing.

Direct clients to redirect internet traffic: If this feature is enabled all traffic will go via the router and depending on your bandwidth speeds it can be very slow on the clients receiving end.

Ideally the majority of users should keep the Redirect Internet Traffic option disabled. It means the remote client will still use his own WAN access for all Internet traffic, and only use the VPN tunnel when trying to access a resource in the home LAN network. This is what VPNs were originally designed to do.

Respond to DNS: enable this along with Advertise DNS to clients and when you connect you will be using the DNS of the VPN server.

Advertise DNS to clients: this needs to be enabled if you want to have access to file shares and remote computer access.

Manage Client-Specific Options: Using this option, you can have full bidirectional site-to-site TLS VPNs with no Custom Configuration or init scripts. I have never got this to work but here is how it's suppose to work;

Selecting this option displays a table where you fill in the Common Name (from when you generated the TLS certificates), subnet (optional), and netmask (optional). If you fill in the subnet and netmask of the client, your server LAN will be able to communicate with your client LAN whenever it's connected (be sure not to choose the NAT option on the client router). Without this, you're stuck with just client->server communication.

If you select the "Allow Client<->Client" option, another checkbox appears in the table that, when selected, allows other clients (or client LANs) to communicate with this client LAN. So, now you can have multiple sites all connected together with communication between any of them as desired.

An "allow only these clients" option is also present. With this selected, clients that aren't in the table are not allowed to connect. If you want to allow a client that doesn't have a LAN behind it (or you don't want to allow access to it), just put it in the table and leave the subnet/netmask blank.

With these options, this release removed the biggest limitation that's been present since the first release: having the VPN limited to client-initiated connections.

You can further customize the VPN server by changing its server port other than the default 1194 and change the auth digest and encryption cipher to whatever you want
AES-128-CBC and auth digest to SHA1 is sufficient encryption for maintaining a proper security when connecting to your Server. Howerver feel free to change to whatever encryption or cipher that suites your needs.

Now that the server is running you need to setup your devices to use the VPN server.

***it is very important that any device you use to connect to the VPN Server must have a different subnet then the router otherwise you will not be able to see the networks if you enable Push LAN to clients
Example:
Router A VPN Server IP 192.168.1.1
Router B VPN Client IP 192.168.2.1

Look for the Export button under the General menu and click on it.
it will create a .ovpn file which you will need to configure your devices.
This client1.ovpn file contains everything you need including certificates.


For Android:

Download the OpenVPN app and install it on your device.
Teather your Android device to a computer and copy the client1.ovpn file to your device. Preferably the download folder.
Start the OPENVPN app and then on the top right there are 3 vertical dots, click on the dots and choose import then import profile from SD card, use ES file manager, if you don't have that program download it from the playstore and navigate to the download folder and import that client1.ovpn to openvpn app.
Once you have done that, simply hit on connect and you should have connection established to the VPN server.

AUSUS routers with stock firmware:

You can also import the client1.ovpn into another ASUS router with stock or Merlin Firmware VPN client. It will automatically configure everything you need to connect to the VPN Server, including certificates.
Simply go to the VPN client on your ASUS router and look for "Import .ovpn file" use the browse button to find the client1.ovpn file then click on upload.
That's it. you should be ready to connect. Turn the service state button to ON
You can enable start to WAN option if you want the Client to automatically connect to the VPN server when router gets rebooted.
Make sure that the client router has a different IP then the Server Router or you will not be able to see shares or print.

AUSUS routers with Merlin firmware:
Follow the exact steps as with ASUS stock firmware. With Merlin you need to set Accept DNS Configuration to Exclusive.

MAC:

A popular OpenVPN client for MacOSX is Tunnelblick. It can be obtained for free from https://tunnelblick.net. Follow these basic steps to use Tunnelblick with OpenVPN Access Server:

  • Download the Tunnelblick disk image file (a ".dmg" file) from https://tunnelblick.net
  • Open the downloaded disk image file (which mounts the disk image).
  • Double-click the Tunnelblick icon (it may be labelled "Tunnelblick.app") and you will be guided through the installation of the program.
  • Once you have installed Tunnelblick, you can download and install the configuration file. After logging in to the Access Server's Client Web Server, download the client.ovpn file and double-click it. This will launch Tunnelblick if necessary, and Tunnelblick will install and secure the configuration.
  • Run Tunnelblick by double-clicking its icon in the Applications folder. If left running when you logout or shut down your computer, Tunnelblick will be launched automatically when you next log in or start your computer.
The first time Tunnelblick is run on a given Mac, it will ask the user for the an system administrator's username and password. This is necessary because Tunnelblick must have root privileges to run, as it modifies network settings as part of connecting to the VPN.

For more information on using Tunnelblick, see the Using Tunnelblick at https://tunnelblick.net/czUsing.html.

Please go to section B of the article for more.


This is very helpful!
 
hi,

I've connected to vpnserver successfully, but unable to route client internet traffic through Asus routers vpnclient(connected to NordVPN 24/7). Could you please help me ?

thanks.
 
Hi! Thank you for this guide. I was wondering what would be the recommended settings for the very latest firmware (386.1). I did follow quite a few guides here which were super helpful so if no one feels like giving full details I’m honestly mostly interested in the HMAC authentication setting which I’ve set to default (but does anyone know what the ‘default’ is?). Also for TLS control channel I’ve chosen bidirectional and it seems to work. Just wondering if that’s good. And finally I disabled compression as I understand that’s more secure despite the default being LZO.
Thank you!
 
The OP was last on this website back in 2018. I don't think they will see your message.
 
I could swear there used to be a way to display OpenVNP Server passwords but can no longer see how. Did that change with a recent OpenVPN upgrade? I understand how that could be a security flaw, but it was handy. I now have no idea one of my passwords is. I hate to add a new userid just because I forgot the password.
 
I could swear there used to be a way to display OpenVNP Server passwords but can no longer see how. Did that change with a recent OpenVPN upgrade? I understand how that could be a security flaw, but it was handy. I now have no idea one of my passwords is. I hate to add a new userid just because I forgot the password.
It used to be here

e.g. RT-AC68U v384.19

1614323737116.png


but on HND RT-AC86U v384.19 (and v386.xx) it is now AWOL.

The OpenVPN passwords are now encrypted in nvram so presumably it is no longer possible/appropriate to decrypt them?

NOTE: The IPSec passwords in nvram are still in clear text?
 
The OpenVPN passwords are now encrypted in nvram so presumably it is no longer possible/appropriate to decrypt them?
That's correct.
 
Actually, I sort of found a way (but my mentioning this may cause a security hole to get plugged). One name and password - the first pair entered, maybe? - are remembered. If you can remember and enter the first character of the password, the password will be auto-populated.

I lucked out. I never would have remembered the password. Now I have it written down (electronically). So much for security.

I think the decision to make these passwords inaccessible is a bit misplaced. It isn't like the name and password can be saved in a password manager (unless the password manager can spit back the password in clear text). That clear text password has to be available. It's needed when setting up the VPN client. And anybody with the admin credentials for the router and with nefarious intent could easily add a new userid and password to the VPN server. Nothing is served by hiding the password.
 
That clear text password has to be available.

No, it doesn`t. It`s actually a well known best practice to NEVER store plaintext passwords on any device. Any other security device I have encountered will not allow you to retrieve the stored passwords. If you lose it, then reset it.

It`s not about hiding it from the webui, it`s about not making it accessible by anything that could compromise the device.
 
No, it doesn`t.
Hmm. I don't find the OpenVPN doc the clearest in the world so I may have missed this, but I see no way to include credentials in the server's export function. (Or perhaps I see no way to get the client to use credentials included in the exported config.) As far as I can see, the userid and password has to be included in the first connection made by the OpenVPN client. And configuring that client may happen years after the userid and passwords were set in the server.

If this is correct (and I admit I may have missed something), the password has to be maintained somewhere in clear text (unless you have photographic memory).

It`s actually a well known best practice to NEVER store plaintext passwords on any device. Any other security device I have encountered will not allow you to retrieve the stored passwords. If you lose it, then reset it.
If you reset an OpenVPN password you've just broken existing clients using that userid/password. I assume it's standard procedure to have each client have its own userid/password, but that may not always be the case.

I agree that it is well know best practice to not store passwords in plaintext. But that also assumes there is a reasonable password management system in place. If there is an export/import function for OpenVPN client credentials then I retract my complaint. I've searched, but I've not found this function. I'll keep looking. The alternative is saving the passwords in plaintext somewhere, and that "somewhere" may be less secure than the router.
It`s not about hiding it from the webui, it`s about not making it accessible by anything that could compromise the device.
I can't think of a good argument against that ... but I'll work on it. :)
 

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top