Menu
What's new
By:
Filters Better Search

OpenVPN, DDNS, PixelServ CA and other basic questions...

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

sl4fko

sl4fko

Regular Contributor
Hello world,

I am a very satisfied ASUS router user, in networking and computing generally I am not a beginner, but still...

I have some basic questions aboat using some functions, that are available on it...

DDNS

What is it usable for? Yes, I know, it allows clients to acces home network... But... Isn't that the same as the OpenVPN? I have succesful OpenVPN connection with my router at home, how is DDNS different?


In DDNS settings I saw PixelServ certificate, that allows me to do what? I know, I can install certificate into my browser by installing it like "192.168.1.2/ca.crt". I am running Merlin 384.13 on my AC86U, installed Diversion, so Pixelserv is in it... I know, it has to do something with security but it is not clear to me what... Diversion is great, there are (almost) no adverts, but why Pixelserv...


I am really sorry for my "crazy" questions, but they are bothering me for some time now...


Thank you all for _______ (answers, advices, yelling :D...)!
 
sl4fko said:
DDNS

What is it usable for? Yes, I know, it allows clients to acces home network... But... Isn't that the same as the OpenVPN? I have succesful OpenVPN connection with my router at home, how is DDNS different?
Click to expand...
DDNS (Dynamic DNS) allows you to have a public hostname on the internet that will always point back to your router's WAN IP address from your ISP, even if the IP changes. Without it, you always have to know your WAN IP address when you want to connect remotely to your network. On Asus routers, many use the free ASUS DDNS service so they can use <myhostname>.asuscomm.com and always know it will resolve to their WAN IP. How do you connect to your OpenVPN server today? By IP or a hostname?
sl4fko said:
In DDNS settings I saw PixelServ certificate, that allows me to do what? I know, I can install certificate into my browser by installing it like "192.168.1.2/ca.crt". I am running Merlin 384.13 on my AC86U, installed Diversion, so Pixelserv is in it... I know, it has to do something with security but it is not clear to me what... Diversion is great, there are (almost) no adverts, but why Pixelserv...
Click to expand...
The Pixelserv CA Cert in the router GUI allows you to use an https interface for the router GUI if you enable HTTPS in Administration / System. But you would need to first install that ca.crt on all the browsers you intend to connect to the router GUI from. And you should do this anyway if you use Pixelserv to block HTTPS ads. Without the certificate installed in your browsers, you won't have as clean and fast an ad-blocking experience with Diversion. See https://github.com/kvic-z/pixelserv...ificate#import-pixelserv-ca-on-client-devices
 
dave14305 said:
DDNS (Dynamic DNS) allows you to have a public hostname on the internet that will always point back to your router's WAN IP address from your ISP, even if the IP changes. Without it, you always have to know your WAN IP address when you want to connect remotely to your network. On Asus routers, many use the free ASUS DDNS service so they can use <myhostname>.asuscomm.com and always know it will resolve to their WAN IP. How do you connect to your OpenVPN server today? By IP or a hostname?
Click to expand...


Setup the OpenVPN and exported .ovpn profile. With it, I am connected through my router on internet.

So, if I have a static IP then I do not need DDNS?
 
sl4fko said:
Setup the OpenVPN and exported .ovpn profile. With it, I am connected through my router on internet.

So, if I have a static IP then I do not need DDNS?
Click to expand...
If it's truly a static IP and not a dynamic IP that just hasn't changed in a long long time, I guess you're OK.
 
What aboat pixelserv certificate? If I reset the router, do I have to install a new certificate (192.168.1.2/ca.crt) or only if I also delete jffs partition?
 
DDNS is more human friendly compared to remembering an IP address.
But thats the only thing DDNS offers a static IP user/
 
What is the difference, if I set both custom DNS Server 1 and 2 in WAN DNS Setting or if I configure DNS-over-TLS with SAME DNS providers (Cloudflare for example...)?
 
The WAN DNS servers are used before DNS over TLS gets enabled, as it requires your clock to have been synced before TLS can get used. Regular DNS won't use TLS.
 
I am running NordVPN OpenVPN client on my AC86U, works ok for now. Custom DNSs for NordVPN in both fields, do I have to enable DoT too or is it not necessary?

Now, is it possible to run OpenVPN server also? So that I can connect to my router WHILE the client for NordVPN is running in my case? As I can see, both server and client are both using the same port...
 
sl4fko said:
I am running NordVPN OpenVPN client on my AC86U, works ok for now. Custom DNSs for NordVPN in both fields, do I have to enable DoT too or is it not necessary?

Now, is it possible to run OpenVPN server also? So that I can connect to my router WHILE the client for NordVPN is running in my case? As I can see, both server and client are both using the same port...
Click to expand...
From reports I've seen on the forum, I suspect NordVPN and Express use their DNS as a proxy service to circumvent VPN blocks put in place by paid streaming media services such as Netflix. Very similar to https://www.smartdnsproxy.com/.

You will need to set Accept DNS Configuration = Exclusive to force all clients configured to use the tunnel to use the DNS pushed by the VPN service. Diversion will not work when using Accept DNS Configuration = Exclusive combined with Policy Rules as dnsmasq is bypassed.

You can try setting Accept DNS Configuration = Strict and then adding the line below in the custom config sections:

dhcp-option DNS x.x.x.x

Where x's are the DNS of the provider.

This should force the VPN LAN clients to still use the DNS of the provider with dnsmasq enabled so Diversion will work over the tunnel.

You can have up to 5 vpn clients running at one time. You could also have one vpn client configured for lan clients such as laptops and desktops and another configured for streaming devices that require DNS of the VPN provider.

The Openvpn Client will use the DNS set on the WAN page when Accept DNS Configuration = Disabled. If DoT is enabled, then the DNS traffic is encrypted. dnsmasq is not bypassed and Diversion will work.

As mentioned earlier, DoT can boot later in the process and create NTP issues. I set WAN DNS1 and DNS2 to Cloudflare DNS servers and DoT to the same servers. This allows the router to get WAN DNS until DoT starts-up.

If you don't specify any clients on the OpenVPN Client screen, you need to add a “dummy” VPN Client entry if you require the ability to exploit the Accept DNS Configuration=Exclusive option that only creates the appropriate DNSVPN iptable chain if the table isn't empty. Use a valid IPv4 address for the DummyVPN entry that differs from your LAN IPv4 address range. I recommend using a bogon IP addres for this purpose.

upload_2019-10-13_19-48-10.png


Best practice is to use a different port number for the vpn server and client.

References:
 
What's the point of setting up DoT if "they" can still see my IP? DoT does work (checked via dnsleak homepage, cloudflare dns works, in my case it shows German cloudflare dns) but IP is (of course) still visible.

So, what is the point of Dot?
 
sl4fko said:
What's the point of setting up DoT if "they" can still see my IP? DoT does work (checked via dnsleak homepage, cloudflare dns works, in my case it shows German cloudflare dns) but IP is (of course) still visible.

So, what is the point of Dot?
Click to expand...

To answer your question, right from RMerlin's page: "DNS Privacy allows you to better secure your DNS queries through the use of a secured/encrypted connection."

As you can see, it has nothing to do with hiding your IP. ;)
 
sl4fko said:
So, what is the point of Dot?
Click to expand...

1) To ensure that nobody between you and that server can see what domain names you are resolving. If a site is hosted on AWS for instance, your ISP will only know that you accessed "some site located at AWS", but won't be able to tell exactly which site
2) It ensures that nobody can modify your DNS requests in transit, bypassing (for example) ISP transparent DNS caches
 
You must log in or register to reply here.

Similar threads

M
RT-AC87U & OpenVPN: Using insecure hash algorithm in CA Sig
Replies
11
Views
5K
LucG
L
C
DDNS Update frequency increase for Asus DDNS
Replies
5
Views
989
rung
R
T
Troubles with VPN Client + DDNS Setup on GT-BE98
Replies
5
Views
354
Tuntenfisch
T
XIYO
Questions Regarding acme.sh Cron Job Setup and Directory Linking
Replies
1
Views
210
dave14305
D
A
Command Line Questions for Stock ASUS Firmware - RT AX86U Pro and DDNS
Replies
2
Views
306
AndrewL733
A
Similar threads
Thread starter Title Forum Replies Date
K Asus rt-ax53u disconnect internet when openvpn server is enabled ASUS Wi-Fi 0
M RT-AC87U & OpenVPN: Using insecure hash algorithm in CA Sig ASUS Wi-Fi 11
elrengo RT-AX88U Pro - DDNS has been registered + Asus Android App ASUS Wi-Fi 3

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 681 (members: 17, guests: 664)
Top