Migrating OpenVPN and DDNS from old Asus Router to new Asus Router

bnhf

Regular Contributor
So I'm going to be upgrading an existing OpenVPN Server setup from an Asus RT-N66U to an Asus RT-AC68U. Both are running the latest AsusWRT-Merlin. I'm wondering what the best approach is as far as dealing with certificates and an Asus DDNS (asuscomm.com) goes...

Does it make sense to use the same certificates generated by the RT-N66U and move them to the new RT-AC68U, or should I let the router generate new certificates?

As far as the Asus DDNS is concerned is it best to abandon the old name (let's call it myserver.asuscomm.com) and set up a new one with Asus (like myserver2.asuscomm.com)? Do I need to disable DDNS on the old router before I can enable it on the new -- assuming I can keep the old name?

I guess my preference would be to move the certs so that I don't need to update the clients and keep the DDNS name for the same reason -- but not if it's more trouble than it's worth. Has anyone gone through this process and have a recommendation?
 
Coincidentally, I've just done this....or attempted to. Merlin put me right; you cannot migrate the old DDNS address to the new router: asuscomm.com links the MAC address of the old router with the DDNS address. (I did try cloning the old router's MAC address into the new router, but that didn't fool anyone, which is reassuring.) So get a new asuscomm.com DDNS address - excellent service, isn't it. And yes, using John's nvram save and restore utility, I migrated all the certs and keys across (using the migrate command). So once you've got a new DDNS address on the new router, you can export the new .ovpn config file to the clients (which will differ from the old config file only in the asuscomm.com DDNS address).
 
Too bad about the DDNS -- but it makes sense, given that it doesn't require any kind of an account to be created like the other DDNS options I've used.

Did you feel like it was worth it to migrate the certs and keys, or would it just be easier (given the required client update to the OpenVPN server address) to start fresh?
 
It would only have been worth it if the DDNS address had migrated across because that would have saved my sending a new .ovpn file to my brother who lives abroad and who uses my vpn (but is blocked from my LAN).

As I have to create a new .ovpn file anyway because of DDNS, I will now start afresh for security reasons: I don't want to leave current keys and certs and a valid DDNS address on my spare router, which might just end up getting put aside and maybe forgotten about or lost.

As you have to create a new .ovpn file, anyway, I think it makes sense to start afresh. It's worth examining the .ovpn file after creating it to see that the relevant keys and certs are there: I recently had to try 3 or 4 times to export the config file because for some unknown reason, and without touching the settings, there were items missing from the file. It saves a lot of troubleshooting later when the client can't connect to the server.
 
I've migrated DDNS names in the past from one router to another. I did it by de-registering the name on the old router, and then reregistering it on the new one. There is part of a thread here in which I think Merlin described that.

Also, you can edit the .ovpn file directly to specify a new DDNS address.

One thing that is unclear to me, is that on occasion when I've exported the .ovpn file from the router, it has included all three certs, but usually includes only one. That slightly complicated things setting up a Chromebook to VPN into the router.
 
That makes sense. In my case I wanted not just to migrate the settings and retire the old router but to keep a spare router ready to swap over in case I messed up an update etc. Otherwise it sounds like a great idea.

Ages ago, to try and make sense of how it all works, I created 2 .ovpn files, one with username and password auth only (so no public-private keys) and the other with username and password auth as well as key pairs. The first file had only one cert (and 2 empty spaces) and the second had all 3 areas populated (2 certs and one key?). Anyway, I always use username and password auth together with key pairs (ie username and password auth = Yes; username and password auth only = No). But on occasion there's been only one cert and 2 empty spaces where certs should have been. I discovered this when troubleshooting a failure to connect, so now I try and remember to check the .ovpn file first; problem is, it's such an infrequent procedure - once set up you leave it alone - that one forgets in the intervening years. Anyway, if I do spot a dodgy .ovpn file (2kb instead of 4kb on my iPhone or by opening it in Notepad++), I just keep on trying and soon enough, the router exports the fully populated config file.
 
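The check described in the posts above (confirming that an exported .ovpn really contains its certs and key rather than empty slots, and which DDNS name it points at), as an added example that is not part of the original thread. It assumes the standard OpenVPN inline blocks `<ca>`, `<cert>` and `<key>`; the function names and both sample profiles are constructed for illustration.

```python
import re

# Assumption: with cert+key auth enabled the profile needs all three blocks;
# with username/password-only auth, pass required=("ca",) instead.
CERT_AUTH_BLOCKS = ("ca", "cert", "key")
PEM = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s+[A-Za-z0-9+/=\s]+-----END \1-----")
BLOCK = re.compile(r"^<([a-z0-9-]+)>[ \t\r]*$(.*?)^</\1>[ \t\r]*$", re.M | re.S)

def inline_blocks(profile_text):
    """Return {tag: body} for every <tag>...</tag> inline block in the profile."""
    return {m.group(1): m.group(2).strip() for m in BLOCK.finditer(profile_text)}

def missing_blocks(profile_text, required=CERT_AUTH_BLOCKS):
    """List required blocks that are absent, empty, or hold no PEM object."""
    blocks = inline_blocks(profile_text)
    return [tag for tag in required if not PEM.search(blocks.get(tag, ""))]

def remote_hosts(profile_text):
    """Hostnames from 'remote <host> [port] [proto]' directives."""
    return re.findall(r"^\s*remote\s+(\S+)", profile_text, re.M)

def _pem(label):
    # Constructed placeholder body, not real certificate or key material.
    return f"-----BEGIN {label}-----\nQ09OU1RSVUNURUQ=\n-----END {label}-----\n"

# Constructed sample profiles: one fully populated, one with two empty slots.
HEADER = "client\ndev tun\nproto udp\nremote myserver.asuscomm.com 1194\nauth-user-pass\n"
GOOD = (HEADER + "<ca>\n" + _pem("CERTIFICATE") + "</ca>\n"
        + "<cert>\n" + _pem("CERTIFICATE") + "</cert>\n"
        + "<key>\n" + _pem("PRIVATE KEY") + "</key>\n")
TRUNCATED = (HEADER + "<ca>\n" + _pem("CERTIFICATE") + "</ca>\n"
             + "<cert>\n</cert>\n<key>\n</key>\n")

if __name__ == "__main__":
    for name, text in (("good", GOOD), ("truncated", TRUNCATED)):
        print(name, "remote:", remote_hosts(text), "missing:", missing_blocks(text))
```

Running it against a fresh export before sending the file to a client catches the half-populated profile without waiting for a failed connection.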
..... I did it by de-registering the name on the old router, and then reregistering it on the new one.

@elorimer I just experimented; I hadn't realised that by simply disabling the DDNS client (ie set to No and Apply), that's enough to deregister it. Then you'd simply enable the DDNS client on the new router and use the same DDNS name. Clever. Now it's all the more clear to me why it has to be tied to the MAC address.

I may have to use the mirror-image migration method after all because of a glitch at my brother's end whereby his OpenVPN profile defaults to autologin instead of standard so it tries to bypass the username-password authentication and gets stuck.

Your deregistering of the DDNS name and then re-registering on the new router is suddenly looking all the more appealing.
 
Successfully finished my migration. Disabled DDNS on the old router and enabled it on the new one using the same DDNS address, and used the same certs and public key. Works a treat. Many thanks, @elorimer for the nudge on such a simple trick with Asus' excellent DDNS.
 
You will laugh, but it was Merlin's response in April 2015 to one of your posts that had me try it when I went from my N66 to an 87U...
 
Laugh indeed! Sometimes I come across my old posts and think, "I had exactly the same thing.", then I see who posted it! There's just no hope for some people.
 
