Instructions for using custom configuration openvpn server 380.66_2


eastavin

Senior Member
First time using an Asus router. Where would one find the instructions for how to use the custom configuration window on the advanced settings page? A list of available commands would be helpful as well.

Many thanks

Edward
 
Thank you both. I have the OpenVPN server running. Both of your inputs have been useful. I am still a little stumped about the custom configuration window, though. I read the entire manual and found no reference to the Asus custom configuration window. I did find a page that talks about modifying a live server and tried the telnet command suggested there: https://community.openvpn.net/openvpn/wiki/HOWTO#Modifyingaliveserverconfiguration . However, it does not work: no response on 127.0.0.1:7505, even though I see it in the log file after using their command.

Are there any instructions you know of that will list the syntax to be used and what commands the custom configuration window will accept? For example, 'help' does nothing. So I think I need at least 1 or 2 more documents to understand fully how to use this.

Many thanks.

Edward
 
Are there any instructions you know of that will list the syntax to be used and what commands the custom configuration window will accept? For example, 'help' does nothing. So I think I need at least 1 or 2 more documents to understand fully how to use this.

All of the Server/Client directives are described here:

Usually the 2.4 page is for the most recent firmware although the 2.3 page may still be relevant:
https://openvpn.net/index.php/open-source/documentation/manuals.html

To use them in the custom window on ASUS routers, simply remove the '--' prefix.

They will then appear at the end of the config of the appropriate active OpenVPN instance, e.g. Server 1:
Code:
/etc/openvpn/server1/config.ovpn
 
Since I'm nosy, what do you have in your connect/disconnect scripts?
 
Since I'm nosy, what do you have in your connect/disconnect scripts?

The 'client-connect' script allows a config file of custom OpenVPN directives to be applied on a Username basis.

e.g. my phone 'SGS5', when it connects to either of the OpenVPN Servers, causes the script to read the appropriate server instance custom config file:

e.g. OpenVPN Server 1

/jffs/configs/openvpn/ccd1/client_SGS5
Code:
# Custom CCD directives for single common name 'client' user SGS5 (see /jffs/scripts/VPNClientConnect.sh)

# Assign static I/P xxx.xxx.xxx.22 (Normally assume defaults xxx.xxx.xxx=10.8.0 for VPN Server 1, and xxx.xxx.xxx=10.16.0 for VPN Server 2)
# NOTE: 'staticip' ('staticipv6') is NOT an official OpenVPN directive, but it is an easy to remember pseudo command short-cut!

staticip 22

# User SGS5 will pass-through the router direct via VPN Client 1 (New York) aka ovpnc1
# NOTE: 'passthru' is also NOT an official OpenVPN directive

passthru 1

Effectively (if you know the appropriate OpenVPN syntax) any valid OpenVPN directive can be used in the file, or, as in the example above, simple custom pseudo commands are replaced by the appropriate OpenVPN directives.

e.g. the IPv4 'staticip' directive will determine the appropriate VPN Server instance subnet prefix (as specified in the GUI) and force the phone to always be assigned the requested I/P address.

Furthermore, the script emails details of the new client connection, and can (if so desired) also reject the client connection request...even if the Username/password combo is still valid!

v3.01 was posted here:
https://www.snbforums.com/threads/how-to-set-a-static-ip-to-openvpn-tun-clients.37983/#post-315194

The 'client-disconnect' script removes any custom configuration (routes etc.) and also generates another statistics email which now includes the duration of the client connection together with the amount of data transferred.
 
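An added example of how such a client-connect helper can translate the 'staticip' and 'passthru' pseudo commands above into real OpenVPN CCD directives; it is not the poster's VPNClientConnect.sh. It assumes 'topology subnet' with /24 server subnets and RPDB tables named ovpncN, neither of which the thread states.

```sh
#!/bin/sh
# Added example of a client-connect helper in the spirit of the thread's
# VPNClientConnect.sh; it is not the poster's script. OpenVPN runs
# 'client-connect SCRIPT' as: SCRIPT <tmpfile>, with the client's common_name
# in the environment; directives written to <tmpfile> apply to that client only.
# Assumptions: 'topology subnet' with /24 server subnets (so ifconfig-push takes
# IP + netmask) and RPDB tables named ovpncN (a guess, not stated in the thread).

CCD_DIR="${CCD_DIR:-/jffs/configs/openvpn/ccd1}"  # per-server CCD dir, as in the thread
SERVER_PREFIX="${SERVER_PREFIX:-10.8.0}"           # Server 1 subnet prefix, as in the thread

# ccd_translate <prefix> <ccd_file>: rewrite the pseudo directives 'staticip' and
# 'passthru' into real OpenVPN CCD directives on stdout, pass allow-listed real
# directives through unchanged, and fail on anything else so that a typo in the
# file can never turn into an arbitrary server directive.
ccd_translate() {
    prefix="$1"
    while read -r key val rest || [ -n "$key" ]; do
        case "$key" in
            ''|'#'*) ;;                                  # blank line or comment
            staticip)
                case "$val" in ''|*[!0-9]*)
                    echo "staticip: host octet must be numeric, got '$val'" >&2; return 1 ;;
                esac
                [ "$val" -ge 2 ] && [ "$val" -le 254 ] ||
                    { echo "staticip: octet $val outside 2-254" >&2; return 1; }
                echo "ifconfig-push $prefix.$val 255.255.255.0" ;;
            passthru)
                # not an OpenVPN directive: routing is done with RPDB (passthru_rule)
                echo "# passthru ovpnc$val requested" ;;
            ifconfig-push|ifconfig-ipv6-push|push|iroute|iroute-ipv6|disable)
                printf '%s\n' "$key${val:+ $val}${rest:+ $rest}" ;;  # allow-listed
            *) echo "rejected unknown directive '$key'" >&2; return 1 ;;
        esac
    done < "$2"
}

# passthru_rule <client_ip> <N>: the RPDB rule that sends this client out through
# VPN Client N. It is printed rather than executed so it can be logged, reviewed
# and undone by a matching 'ip rule del' in the client-disconnect script.
passthru_rule() {
    echo "ip rule add from $1 lookup ovpnc$2"
}

# When OpenVPN invokes this file as the client-connect script, $1 is the tmpfile.
# A non-zero exit here makes OpenVPN reject the client, even with valid credentials.
if [ -n "$common_name" ] && [ -n "$1" ]; then
    ccd="$CCD_DIR/client_$common_name"
    [ -r "$ccd" ] && ccd_translate "$SERVER_PREFIX" "$ccd" >> "$1"
fi
```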
OK, I give up. I guess I can't access the "management interface" as explained in the OpenVPN documentation because the server is on the router and not on a PC (I keep forgetting that). For that to have a chance of working I would have to have something like Dnsmasq so I can make the router's localhost available to the LAN. Sounds like an unnecessary headache.

Would appreciate any input. Is this management interface feature used on an Asus router? Is there another way?
 
Would appreciate any input. Is this management interface feature used on an Asus router?

It's not enabled, as the firmware does not use it. If you want to use it, then you will have to enable it and configure it as documented in the OpenVPN manual.
 
...access the "management interface" as explained in the openvpn documentation because the server is on the router - For that to have a chance of working I would have to have something like Dnsmasq so I can make the router's localhost available to the LAN.

What? :rolleyes: dnsmasq is already enabled by default on the router.

So once the directive is enabled on the router:
Code:
# Custom Configuration
management localhost 7505

then it can be accessed via Telnet once you are connected to the router command line (e.g. telnet router.asus.com, assuming Telnet/SSH access is enabled in the router GUI):

Code:
admin@RT-AC68U:/jffs/scripts# telnet localhost 7505

>INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info
help
Management Interface for OpenVPN 2.4.2 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on May 12 2017
Commands:
auth-retry t           : Auth failure retry mode (none,interact,nointeract).
bytecount n            : Show bytes in/out, update every n secs (0=off).
echo [on|off] [N|all]  : Like log, but only show messages in echo buffer.
exit|quit              : Close management session.
forget-passwords       : Forget passwords entered so far.
help                   : Print this message.
hold [on|off|release]  : Set/show hold flag to on/off state, or
                         release current hold and start tunnel.
kill cn                : Kill the client instance(s) having common name cn.
kill IP:port           : Kill the client instance connecting from IP:port.
load-stats             : Show global server load stats.
log [on|off] [N|all]   : Turn on/off realtime log display
                         + show last N lines or 'all' for entire history.
mute [n]               : Set log mute level to n, or show level if n is absent.
needok type action     : Enter confirmation for NEED-OK request of 'type',
                         where action = 'ok' or 'cancel'.
needstr type action    : Enter confirmation for NEED-STR request of 'type',
                         where action is reply string.
net                    : (Windows only) Show network info and routing table.
password type p        : Enter password p for a queried OpenVPN password.
remote type [host port] : Override remote directive, type=ACCEPT|MOD|SKIP.
proxy type [host port flags] : Enter dynamic proxy server info.
pid                    : Show process ID of the current OpenVPN process.
client-auth CID KID    : Authenticate client-id/key-id CID/KID (MULTILINE)
client-auth-nt CID KID : Authenticate client-id/key-id CID/KID
client-deny CID KID R [CR] : Deny auth client-id/key-id CID/KID with log reason
                             text R and optional client reason text CR
client-kill CID [M]    : Kill client instance CID with message M (def=RESTART)
env-filter [level]     : Set env-var filter level
client-pf CID          : Define packet filter for client CID (MULTILINE)
rsa-sig                : Enter an RSA signature in response to >RSA_SIGN challenge
                         Enter signature base64 on subsequent lines followed by END
certificate            : Enter a client certificate in response to >NEED-CERT challenge
                         Enter certificate base64 on subsequent lines followed by END
signal s               : Send signal s to daemon,
                         s = SIGHUP|SIGTERM|SIGUSR1|SIGUSR2.
state [on|off] [N|all] : Like log, but show state history.
status [n]             : Show current daemon status info using format #n.
test n                 : Produce n lines of output for testing/debugging.
username type u        : Enter username u for a queried OpenVPN username.
verb [n]               : Set log verbosity level to n, or show if n is absent.
version                : Show current version number.
END
 
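An added example (not from the thread) of reading the management interface enabled above with 'management localhost 7505' from a script rather than an interactive telnet session. It assumes BusyBox 'nc' is present on the router and that, as in the posted config, no management password file is set (a third 'management' argument, pw-file, would add an 'ENTER PASSWORD:' prompt that this helper does not handle).

```sh
#!/bin/sh
# Added example (not from the thread): query the management interface that the
# thread enables with 'management localhost 7505' without an interactive telnet
# session. Assumes BusyBox 'nc' on the router and no management pw-file, as in
# the posted config. The reply shape parsed below is OpenVPN's documented
# 'SUCCESS: nclients=N,bytesin=N,bytesout=N' answer to 'load-stats'.

MGMT_HOST="${MGMT_HOST:-localhost}"   # keep it bound to localhost, as in the thread
MGMT_PORT="${MGMT_PORT:-7505}"

# mgmt_cmd <command>: send one command followed by 'quit' and return the raw
# reply (the '>INFO:' greeting plus the SUCCESS:/ERROR: lines).
mgmt_cmd() {
    printf '%s\nquit\n' "$1" | nc "$MGMT_HOST" "$MGMT_PORT"
}

# parse_load_stats <reply>: print 'nclients bytesin bytesout' from a load-stats
# reply, or fail (no output, non-zero) if the interface answered with ERROR: or
# anything unexpected, so callers never act on a half-parsed line.
parse_load_stats() {
    printf '%s\n' "$1" |
        sed -n 's/^SUCCESS: nclients=\([0-9]*\),bytesin=\([0-9]*\),bytesout=\([0-9]*\).*/\1 \2 \3/p' |
        grep .
}

# check_clients <reply> <max>: succeed when nclients <= max, so a cron job can
# alert when more tunnels are up on the server than the owner expects.
check_clients() {
    n=$(parse_load_stats "$1" | cut -d' ' -f1)
    [ -n "$n" ] && [ "$n" -le "$2" ]
}

# Stand-alone use on the router: ./this.sh 3  -> exits non-zero above 3 clients.
if [ -n "$1" ]; then
    check_clients "$(mgmt_cmd load-stats)" "$1"
fi
```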
Ooh, thank you! That's definitely given me some pointers. I like the passthru concept; I shall dig into the OVPN man page again (unless it's as simple as redirect-gateway def1 and then using OVPN client policy routing for the required IP?).

Don't suppose there's a copy of the disconnect script you wrote? I won't demand support for it, don't worry; I'm trying to brush up on my shell scripting!
 
Don't suppose there's a copy of the disconnect script you wrote? I'm trying to brush up on my shell scripting!

The 'client-disconnect' script simply consists of a couple of RPDB deletes and the remainder is just the email portion cloned from the 'client-connect' script, albeit with a more comprehensive list (15?) of OpenVPN environment variables, so I seriously doubt it would in any way supplement your current shell scripting skills.
 
The 'client-disconnect' script simply consists of a couple of RPDB deletes and the remainder is just the email portion cloned from the 'client-connect' script, albeit with a more comprehensive list (15?) of OpenVPN environment variables, so I seriously doubt it would in any way supplement your current shell scripting skills.
Thanks, found what I'd like to do, good stuff.
 

I realize that this is a really old thread, but adding "management localhost 7505" to the custom configuration worked like a charm.

Thanks
 
I realize that this is a really old thread, but adding "management localhost 7505" to the custom configuration worked like a charm.
Sadly you don't win the prize; I think someone resurrected one of my posts that was three years old! But thank you anyway. :)
