RT-AC87 - Has anyone gotten OpenVPN running?

LoneWolf

Senior Member
I'm trying to set up OpenVPN on my RT-AC87. Currently, I'm using ASUS firmware 2044.

I've used my provider's .ovpn file, as well as a custom one, along with my username and password. I've imported their provided ca.crt file, but also copied and pasted manually. In both cases, I can't connect.

Is there something I need to do on the firewall side? I know the .ovpn file lists the protocol and port number, so I would have thought that would be automatically allowed from LAN to WAN.
 
I'm trying to set up OpenVPN on my RT-AC87. Currently, I'm using ASUS firmware 2044.

I've used my provider's .ovpn file, as well as a custom one, along with my username and password. I've imported their provided ca.crt file, but also copied and pasted manually. In both cases, I can't connect.

Is there something I need to do on the firewall side? I know the .ovpn file lists the protocol and port number, so I would have thought that would be automatically allowed from LAN to WAN.

The firewall is automatically configured by the firmware once a VPN tunnel is established.

Check System Log, it might contain additional info as to what is going wrong.
 
Here is what I have seen in my log files:

Jul 28 21:17:23 rc_service: httpd 828:notify_rc restart_vpncall
Jul 28 21:17:40 openvpn[1009]: Options error: --crl-verify fails with 'crl.pem': No such file or directory
Jul 28 21:17:40 openvpn[1009]: Options error: Please correct these errors.
Jul 28 21:17:40 openvpn[1009]: Use --help for more information.
Jul 28 21:18:56 rc_service: httpd 828:notify_rc restart_vpncall
Jul 28 21:19:01 rc_service: httpd 828:notify_rc restart_vpncall
Jul 28 21:19:03 openvpn[1133]: Options error: --crl-verify fails with 'crl.pem': No such file or directory
Jul 28 21:19:03 openvpn[1133]: Options error: Please correct these errors.
Jul 28 21:19:03 openvpn[1133]: Use --help for more information.
Jul 28 21:23:39 rc_service: httpd 828:notify_rc restart_vpncall
Jul 28 21:26:44 rc_service: httpd 828:notify_rc restart_vpncall
Jul 28 21:26:45 openvpn[1220]: Options error: No client-side authentication method is specified. You must use either --cert/--key, --pkcs12, or --auth-user-pass
Jul 28 21:26:45 openvpn[1220]: Use --help for more information.
Jul 28 21:27:05 rc_service: httpd 828:notify_rc restart_vpncall
Jul 28 21:35:03 miniupnpd[705]: sendto(udp): Operation not permitted
Jul 28 21:35:53 rc_service: httpd 828:notify_rc restart_vpncall
Jul 28 21:35:54 openvpn[1312]: Options error: --crl-verify fails with 'crl.pem': No such file or directory
Jul 28 21:35:54 openvpn[1312]: Options error: Please correct these errors.
Jul 28 21:35:54 openvpn[1312]: Use --help for more information.

I have both a ca.crt file and a crl.pem file that I can use. I am thinking that I just don't know how to format the .ovpn file properly, as I've tried using "Manual Upload" for both and it hasn't fixed the issue, and then I've tried creating an .ovpn file that embeds the ca.crt file using the following:

<ca>
BEGIN CERTIFICATE ---
(yadayadayada certificate gibberish
END CERTIFICATE ---
</ca>

I'm not very familiar with .ovpn files and their formatting; this was a bit easier on Merlin's firmware when I was using my AC-66R. Does anyone have any helpful advice?
 
Asuswrt isn't designed with CRL support. If you want to use verify-crl then you will have to manually copy the crl.pem file somewhere (such as in JFFS), then provide the full path to it in the router's custom configuration.
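The two "Options error" messages in the system log above can be caught before a profile is uploaded. The following is an added example, not part of the original posts and not Asus or OpenVPN code: `lint_ovpn` is a hypothetical helper, the hostname and certificate body are constructed placeholders, and `/jffs/crl.pem` is an assumed location following the JFFS suggestion in the reply.

```python
import re

# Options whose first argument is a file the OpenVPN process must be able to open.
FILE_OPTS = {"ca", "cert", "key", "pkcs12", "crl-verify", "tls-auth"}
# Any one of these satisfies the client-side authentication check.
AUTH_OPTS = {"cert", "key", "pkcs12", "auth-user-pass"}
INLINE_RE = re.compile(r"<([\w-]+)>\n(.*?)</\1>", re.S)
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\n[A-Za-z0-9+/=\n]+-----END \1-----")

def lint_ovpn(text):
    """Return a list of findings for a client .ovpn profile."""
    findings, seen = [], set()
    # Inline <tag>...</tag> blocks: note the tag and check the PEM armor lines.
    for tag, body in INLINE_RE.findall(text):
        seen.add(tag)
        if not PEM_RE.search(body):
            findings.append(f"<{tag}>: inline block has no well-formed PEM armor")
    for raw in INLINE_RE.sub("", text).splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        opt, *args = line.split()
        opt = opt.lstrip("-")
        seen.add(opt)
        if opt in FILE_OPTS and args and not args[0].startswith(("/", "[inline]")):
            findings.append(f"{opt}: relative path '{args[0]}' depends on the working directory")
    if not seen & AUTH_OPTS:
        findings.append("no client-side authentication method")
    return findings

# Constructed sample profiles (hostname, paths and certificate body are placeholders).
BROKEN = """client
remote vpn.example.net 1194
ca ca.crt
crl-verify crl.pem
"""
FIXED = """client
remote vpn.example.net 1194
auth-user-pass
crl-verify /jffs/crl.pem
<ca>
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgUExBQ0VIT0xERVI=
-----END CERTIFICATE-----
</ca>
"""
if __name__ == "__main__":
    for name, profile in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(name, lint_ovpn(profile) or "ok")
```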
 
Merlin,

Is your beta firmware's OpenVPN interface more similar to that of the RT-AC66? I got things to work fine there through all of the manual input settings, which I don't have with the RT-AC87. My only option with the 87 seems to be to import an .ovpn file.
 
Merlin,

Is your beta firmware's OpenVPN interface more similar to that of the RT-AC66? I got things to work fine there through all of the manual input settings, which I don't have with the RT-AC87. My only option with the 87 seems to be to import an .ovpn file.

Yes, I've kept the advanced OpenVPN Client page the same as I always had, except I've also added Asus's own ovpn importer.

I think Asus did keep the advanced client settings page, however it's either hidden or hard to find.
 
Having the same issues. I decided it might be smart to go through VPN, but whatever I try and put into the VPN fields, it won't connect. I am definitely no expert when it comes to VPN. Is it an ASUS bug, or am I doing it incorrectly (which is totally plausible)?
 
Lonewolf, and RMerlin, you guys are discussing what I think MANY people are puzzled about. I have an N66U doing DLNA, OpenVPN client, NAS, aicloud sync, dhcp, download manager, FTP and god knows what else...
Poor little 600 Mhz CPU...

Lonewolf, I noticed from another thread you mentioning the reason for your upgrade is OpenVPN client performance having a 30% hit on your bandwidth...
I have a 20 Mb down internet link, which works full tilt without VPN client running, but down to 8.5 Mb with the client running. Running TOP during a speedtest shows the CPU maxing out with the VPN client.

I searched the forums, and came across you having a hard time with enabling the client, so now I am really glad I didn't pick up the router right away.
Speaking of which, was the AC87R early released only in the USA?
I called around Best Buys in Canada, and nothing yet.
I am 45 minutes away from the state of NY, so my new USB3 HDD, and router is ALL depending on yourself and RMerlin's findings... LOL. No pressure. :p

Questions;
Can you let us know what your setup is? Ie: ISP speed, then speed with and without VPN client? Also, which VPN provider are you with? I am on PIA.
If you want to test with PIA, that can be arranged by PM.
Last but not least (seriously), when the OpenVPN client is connected, can you access your router remotely using a dynamic DNS service? Specifically with asuscomm? (My WAN IP stays as the one from the cable modem, not from the tunnel, so mine on the N66U doesn't work.)

RMerlin, it has been 2 years that I have been reading your posts, and never took the time to officially thank you for all that you do. You helped me through my N66U troubleshooting greatly, without me even needing to join a forum... (Until my newest issue which I posted yesterday on SNB)

I will be keeping a close eye here, and thank you both for anything you can (or are willing) to share.
 
The OpenVPN implementation is exactly the same on the RT-AC87 as on other Asus routers. So if you have it working on an RT-N66, you can just apply the exact same settings to the RT-AC87.

Best Buy Canada should have the router in stock early August, with other Canadian retailers getting it by the end of August.
 
Nish,

I am also using PIA. I tried multiple different ways of doing it, but without success. However, on the Advanced mode that was available on the RT-AC66R, it worked without issue. The RT-AC87R does not have the Advanced mode available; I think like Merlin said, that ASUS hid it from the GUI.

Extremely frustrating, as when using Merlin's firmware on the 66R, other than poor speeds, it works as intended. In fact, PIA's forums have posts on exactly how to do it. I think all it would take to fix it is having access to the right screen, rather than the Easy mode.
 
I got mine working on regular asus firmware. Steps I did.

1.) The .ovpn file you get: open it up in a text editor and remove all references to the ca file. Mine had two different lines, one at the end and one in the middle.
2.) Upload the edited file in the OpenVPN screen.
3.) Check the edit CA file manually and upload the cert file as is.
4.) Go into DNS and change it to something else like 8.8.8.8. Mine did not like the auto DNS setting.

Then magic happened for mine. I hope that helps. It seems to figure out where the cert file is without any reference in the .ovpn file.
 
I am using privateinternetaccess if that matters/helpful.

I have a 100mb connection and only get 40-45mb download :/ might bump my plan down if I want to stay "secure" :p
 
Good news Hackintoshsr!
I forgot to mention the google DNS servers as well, mine also caused all kinds of weirdness with auto set for the DNS. Couldn't find USA-EST server causing it to not connect, Netflix "occasionally" showed US content, remote access to the router didn't always work, etc.

Good find about the auto include CA not being 100% compatible, and simply adding it manually works. (After removing the calls from the .ovpn)

I am glad that it could handle 40 mb/sec !!!
My CPU is always tapped out on the N66U.
OpenVPN client, Transmission (For downloading shareware of course), and miniDLNA are the most intensive processes. And HDD Scanning/fschk.

My only remaining issue is to figure out selective routing... I was pointed in the right direction, I understand the concept, but I am surprised no one used it in a simpler manner such as I do. Hence no existing ready to use script that I have come across yet.

All I want is
IF Incoming is from WANIP, then route to TUN.
My issue is I cannot access my router from the internet using asuscomm dynamic DNS once the VPN client is running.
This is due (I think) to the router always keeping track of the ISP WAN IP (from the cable company) as the WAN IP. Either I find a way to replace the WAN IP with the IP from PIA, or I route any incoming connections on the WAN IP to the TUN. It seems any incoming on the WAN IP is simply dropped right now, as the TUN is configured by default to have all connections go through it (in and out), but nothing is set to redirect the connection request to the WAN IP.

The way I understand it, selective routing = 2 or more routing tables.

Couldn't I just set a static route, or a type of port forward?


Once I have this figured out, I will have an entire "Infrastructure" (term used loosely) that runs on < 100watts, and no need for a computer to be running :)

Thank you RMerlin, Hackintoshr, and Lonewolf!
I will now place my order for an ac87, and a new USB3 HDD.
This system should accomplish more than the entire server rack of equipment I support at work with 260k of equipment in it. And use under 100 watts! :)
 
Can one of you copy/paste the text of your .ovpn file here, minus any relevant security information?

I am still trying different .ovpn files, without success. I have been using Google DNS servers all along (no automatic), and have tried uploading my ca.crt and pasting it in as text.

Attempting to connect to the US Midwest server. Fail every time, just a blue x-ed out circle.
 
client
dev tun
proto udp
remote 50.7.30.34 1194
resolv-retry infinite
nobind
persist-key
persist-tun
tls-client
remote-cert-tls server
auth-user-pass
comp-lzo
verb 1
reneg-sec 0
 
Thanks, hack, I will try this tonight. Would much rather connect off the router than use PIA's client, and I'd like to compare to my AC66, which really slowed down when enabled.
 
Finally got this working. Thanks, everyone!

EDIT: I have to add, performance with OpenVPN set up is significantly faster with the RT-AC87R than it was with the RT-AC66R. I am seeing little to no loss of speed, indicating to me that the AC66R was definitely having issues with its CPU handling OpenVPN encryption.
 
EDIT: I have to add, performance with OpenVPN set up is significantly faster with the RT-AC87R than it was with the RT-AC66R. I am seeing little to no loss of speed, indicating to me that the AC66R was definitely having issues with its CPU handling OpenVPN encryption.

In my benchmarks, the single core 600 MHz CPU on the AC66 was giving me around 20 Mbits of max throughput. The 800 MHz dual core AC68 was giving me close to 60 Mbps, so I suspect the 1 Mhz AC87 should be hitting close to 80 Mbps (I haven't tested it).
 
I wasn't seeing that when I was connected. Maybe I should try a different VPN provider hmmmm

A lot of factors can come into play. My tests were done running iperf through a VPN tunnel running within my network (with the router as a server and Windows as a client), so that's without ISP latency. Performance can be affected by the tunnel provider, what else is running on your router, whether HW acceleration is enabled or not, the cipher used, etc...
 
