Hello,
I've tried a lot and done my best, but I'm not very familiar with this topic. I'll try to explain as simply as possible and hope I'm not repeating anything.
1. Goal: I want remote access to my camera for surveillance. But I have an LTE contract and my provider doesn't give me a public IP (I don't get the right NAT (I think it's NAT 3), IPv6 is not available, and DNS isn't working either because of that. DNS on the Pi server side is working well.)
-> So I wanted to set up an OpenVPN connection through the Asus router AC86U to get that and be able to see what's happening with the cam.
2. I set up a VPN server on a Raspberry Pi with PiVPN and connected from outside with OpenVPN GUI on my PC. It's working so far and I'm happy that I did everything right, it seems.
3. I want to do it over the router of course, so I got the newest Asus Merlin firmware and set everything up in different combinations. -> It doesn't connect in any way. Either it says my client config is wrong, or it tries to connect but stops at a certain point (see pic of the system log). -> So I guess, if the GUI on the PC works, it's the special config in the router, right? There must be something different, but I don't know what it is.
4. In the Asus system log it comes to a certain point, then there is a blank line and that's it for a while, then it's the standard TLS handshake error and it tries again (script mistake or something?)
5. I guess it's wrong routing or wrong custom settings, but in reality I have no idea. I tested a lot of different combinations to eliminate things, but nothing helped (because in reality I have no idea, again).
I hope I gathered all the information; here it is (CAPITAL LETTERS ARE MY DATA). (But if the GUI itself is working, why should there be a mistake here?)
CLIENT CONF:
client
dev tun
proto udp
remote DNSADRESS SERVER PORT
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
tls-version-min 1.2
verify-x509-name server_NAME name
cipher AES-256-CBC
auth SHA256
auth-nocache
verb 3
<ca>
-----BEGIN CERTIFICATE-----
KEY
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
KEY
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
KEY
-----END ENCRYPTED PRIVATE KEY-----
</key>
<tls-crypt>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
KEY
-----END OpenVPN Static key V1-----
</tls-crypt>
SERVER.CONF:
dev tun
proto udp
port 11948
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server_NAME.crt
key /etc/openvpn/easy-rsa/pki/private/server_NAME.key
dh none
topology subnet
server 10.8.0.0 255.255.255.0
# server and remote endpoints
ifconfig 10.8.0.1 10.8.0.2
# Add route to Client routing table for the OpenVPN Server
push "route 10.8.0.1 255.255.255.255"
# Add route to Client routing table for the OpenVPN Subnet
push "route 10.8.0.0 255.255.255.0"
# your local subnet
push "route 192.168.234.0 255.255.255.0"
# Set your primary domain name server address for clients
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS LOCAL SERVER IP"
# Prevent DNS leaks on Windows
push "block-outside-dns"
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
push "redirect-gateway def1"
client-to-client
keepalive 1800 3600
remote-cert-tls client
tls-version-min 1.2
tls-crypt /etc/openvpn/easy-rsa/pki/ta.key
cipher AES-256-CBC
auth SHA256
user nobody
group nogroup
persist-key
persist-tun
crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20
status-version 3
syslog
verb 3
#DuplicateCNs allow access control on a less-granular, per user basis.
#Remove # if you will manage access by user instead of device.
#duplicate-cn
# Generated for use by PiVPN.io
PS:
The custom settings are different ones; I used different suggestions, but maybe you can tell me some that have to be 100% in there. I have the feeling the problem lies here in general. The ones in the picture were not made by me, but I tried a lot there. In Advanced Settings I tried all the different combinations. The GUI seems to do something automated that the router doesn't do...
I'm desperate and my patience is decreasing more and more.
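Added example, not part of the original post: a small Python checker that parses a client .ovpn profile and a server.conf the way the two files above are laid out, and flags the mismatches that most often end in a TLS handshake that never completes. The sample configs inside it are constructed placeholders shaped like the posted ones (hostname vpn.example.invalid, port 11948, PLACEHOLDER key bodies); the function names and messages are my own, not PiVPN's or OpenVPN's. It compares transport (port and proto), control-channel wrapping (tls-crypt versus tls-auth on each side), data-channel cipher and HMAC, the presence of ca/cert/key material, and whether the private key is passphrase-protected, which an unattended client cannot answer without askpass.

```python
import re

# Constructed samples (placeholder host and key bodies) shaped like a PiVPN
# client profile and server.conf; they are not the poster's real files.
CLIENT_CONF = """\
client
proto udp
remote vpn.example.invalid 11948
remote-cert-tls server
cipher AES-256-CBC
auth SHA256
<ca>
PLACEHOLDER
</ca>
<cert>
PLACEHOLDER
</cert>
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
PLACEHOLDER
-----END ENCRYPTED PRIVATE KEY-----
</key>
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
PLACEHOLDER
-----END OpenVPN Static key V1-----
</tls-crypt>
"""
SERVER_CONF = """\
proto udp
port 11948
tls-crypt /etc/openvpn/easy-rsa/pki/ta.key
cipher AES-256-CBC
auth SHA256
remote-cert-tls client
"""


def parse_ovpn(text):
    """Return ({directive: [args, ...]}, {inline tag: body}) for an OpenVPN config."""
    directives, blocks, current, body = {}, {}, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if current is not None:              # collecting an inline <tag> body
            if line == f"</{current}>":
                blocks[current], current, body = "\n".join(body), None, []
            else:
                body.append(line)
            continue
        if not line or line[0] in "#;":      # blank or comment
            continue
        m = re.fullmatch(r"<([a-z-]+)>", line)
        if m:
            current = m.group(1)
            continue
        parts = line.split()
        directives.setdefault(parts[0], []).append(parts[1:])
    return directives, blocks


def first(directives, name, default=None):
    """Arguments of the first occurrence of a directive, or default."""
    vals = directives.get(name)
    return vals[0] if vals else default


def check_pair(client_text, server_text):
    """List client/server mismatches; an empty list means nothing obviously wrong."""
    c, cblocks = parse_ovpn(client_text)
    s, _ = parse_ovpn(server_text)
    findings = []
    # Transport: client 'remote HOST PORT' must hit the server's port and proto.
    remote = first(c, "remote", [])
    sport = first(s, "port", ["1194"])[0]
    if len(remote) >= 2 and remote[1] != sport:
        findings.append(f"client connects to port {remote[1]}, server listens on {sport}")
    cproto, sproto = first(c, "proto", ["udp"])[0], first(s, "proto", ["udp"])[0]
    if cproto.rstrip("46") != sproto.rstrip("46"):   # udp4/udp6 still count as udp
        findings.append(f"client proto {cproto} != server proto {sproto}")
    # Control-channel wrapping must be the same mechanism (and key) on both sides.
    for mech in ("tls-crypt", "tls-auth"):
        on_server, on_client = mech in s, (mech in c or mech in cblocks)
        if on_server != on_client:
            findings.append(f"{mech} configured on {'server' if on_server else 'client'} only")
    # Data-channel cipher and HMAC.
    for name in ("cipher", "auth"):
        cv, sv = first(c, name), first(s, name)
        if cv and sv and cv[0].upper() != sv[0].upper():
            findings.append(f"{name} mismatch: client {cv[0]} vs server {sv[0]}")
    for item in ("ca", "cert", "key"):       # identity material, inline or as a path
        if item not in cblocks and item not in c:
            findings.append(f"client profile has no {item}")
    # A passphrase-protected key needs the passphrase typed or supplied via
    # askpass; an unattended client such as a router has nobody to type it.
    if "ENCRYPTED PRIVATE KEY" in cblocks.get("key", "") and "askpass" not in c:
        findings.append("client private key is passphrase-protected and no askpass is configured")
    return findings


if __name__ == "__main__":
    print("\n".join(check_pair(CLIENT_CONF, SERVER_CONF)) or "no mismatches found")
```

Run it as-is to see the findings for the built-in samples, or pass the text of your own two files to check_pair. It deliberately stops short of validating the certificates themselves (for example verify-x509-name against the CN in the server certificate), because that needs the real PEM data rather than placeholders.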