Setting Up And Using OpenVPN On ASUS Routers

[Razor512]

http://www.smallnetbuilder.com/secu...-setting-up-and-using-openvpn-on-asus-routers


---------------------------------------------

From what I have seen, at least with using the VPN function on the R7000, the openVPN server only uses a single core, though the extra core can help when most of the normal routing and NAS functions are handled by the other core.

Other than that, I am wondering, how well does it work with android. based on the pre generated configs? I have not tried the VPN on asus routers, but I have tried it on other brands, as well as when it is hosted on a PC running untangle, and there are issues with how some will configure the VPN settings, for example, with pfSense, the automatically generated configs for openVPN, will not automatically force the routing of all traffic through the VPN, and thus some programs will report the VPN's server WAN IP, while others will report the client devices WAN IP, and due to some compatibility issues, checking the option to use the VPN for al traffic, will not correct that behavior.

On the other hand, a VPN server running on untangle, and the config file it generates, will work perfectly with having the android device route all traffic over the VPN.

Has anyone tested if the asus routers also have this issue when it comes to android devices?

 

[Shikami]

There are a couple of issues with the integrated OpenVPN servers on the Netgear routers that I know about. The first is there is no support for iOS and Android devices. The second issue is if the certificate is given to someone you cannot easily revoke the rights to that VPN user by changing certificates, or blocking the user. So, in other words, it needs to be for personal use only.

Also, forgot about the dual core usage. OpenVPN is not multi-threaded as of now.

 

[Razor512]

yep, I wish they would fix it. If they could add a openvpn wizard and controls similar to those found in untangle, that would make the R7000 the ultimate consumer VPN router.

Hopefully dd-wrt or tomato will step up and design an easier to use openvpn setup that will simply generate everything for you based on a few easy questions, then allow you to simply create users and export preconfigured openvpn clients, or config files for each user.

so far, for routers, the Gargoyle firmware seems to be the closest to that ideal.

 

[AdvHomeServer]

I just wrote a three part series on OpenVPN on a DD-WRT server and discovered something odd about OpenVPN / DD-WRT along the way. I'm curious if ASUS and Netgear have the same issues or if their factory configurations take care of the curiosity I discovered with DD-WRT.

To summarize, I discovered that OpenVPN on a DD-WRT server offers NO browsing protection on public wi-fi unless you add a few steps that are 1) not included in a lot of easy to find documentation and 2) If you find those steps you need to make sure you found the right steps as a lot of authors have different ideas on what works. I found that none had it right for me. I had to pick a bit from several articles and use trial and error to create a secure browsing gateway from public wi-fi.

The missing bits were;

The need for a reachable DNS server (I used 8.8.8.8). Otherwise no page will load.
The additional configuration for a remote gateway
The correct POSTROUTING statement in the firewall
Starting OpenVPN client with Administrator privileges, otherwise it only looks like it works.

tracert and whatismyip.com proved the connection went through my home router from a public wi-fi site.

After solving the problem, at least for my setup, I wondered if the advanced router manufacturers have it right with their OpenVPN feature.

 

[sinshiva]

asus will push dns and the default route, np. postrouting is NOT necessary.

the default route pushed is really something like a static route using a /1 mask so it doesn't overwrite the clients' true gateway to the internet.

the way vpn works when routing all the clients traffic down the tunnel is the client receives pushed/pulled new default static route directing traffic through the encrypted ptp tunnel and then out your home connection. you can then use either the ptp IP of the router or the normal LAN IP for DNS. No NAT setup involved

it sounds like you may just need to find a couple hidden switches in the webui or add a PUSH option or so to a custom config field for the openvpn server.

regarding the other posts here; if you use asuswrt-merlin with a dual core router, each of the two available openvpn server instances runs on a different core. absolutely no problems using a TUN config on windows/android/apple

 

[theoski]

Anyone managed to connect to local lan? If I connect through iPhone I can only see the router but not any other ip on the local network.

 

[bukaka19]

Cant get to work on both Android and Windows

Ok so my ultimate goal is to be able to use openvpn on my asus rt-ac68u to be able to connect to home network and browse the internet as well as watch tv on my optimum app remotely on both windows and android clients. So if i follow these instructions on here exactly (http://www.smallnetbuilder.com/othe...-setting-up-and-using-openvpn-on-asus-routers) I can easily connect my android to the router and access internet, my shared servers and home network. It allows me to connect to home router using 192.168.1.1 and also allows me to run the optimum app and makes it think im on my home network, perfect. However this does not allow my windows 8.1 laptop to do the same. If i use the same config file for windows it allows me to connect to home network but does not allow me to have any internet access. If i change the interface to a TAP based tunnel it allows my laptop to connect to everything; internet, home network, optimum app (which thinks im home when im not) and easy pings the router. However android does not support TAP based tunnel so this setup will not work for me either. Is there any settings i can change when in TUN mode to allow my PC to have access to the internet as well as home network?

 

[carov2007]

A message to Tim

Tim,

I have no idea if it is a mistake in the article or something else.

At the bottom of page 2, the picture above "OpenVPN client - connecting" has a "WARNING" message saying this configuration may cache passwords in memory - use the autho....

If I were installing this, I'd have thought that I had done something wrong with said message.

Kind regards,

 

[thiggins]

Tim,

I have no idea if it is a mistake in the article or something else.

At the bottom of page 2, the picture above "OpenVPN client - connecting" has a "WARNING" message saying this configuration may cache passwords in memory - use the autho....

If I were installing this, I'd have thought that I had done something wrong with said message.

There is no mistake in the article. The behavior is by design.

I asked RMerlin for an explanation. His response:

OpenVPN can apply authentication in two different ways:

1) The most secure, but more complex way, is to generate client certificates that are unique to each user. This acts pretty much like a 2048-bit security password.

2) The simple way, which is the default behaviour with the stock Asus firmware, is to authenticate with a username and password.

With the second method, by default the client will keep the username/password in memory, so if the connection drops, it can automatically re-establish itself without reprompting the username/password. This implies the password is kept in memory, so it can be re-sent.

OpenVPN being developed with security in mind before anything else, they issue a warning to let you know that, in theory, someone could run a program on your client computer that would dump the content of RAM, and potentially recover the password.

The idea solution is to switch to certificate based authentication. Someone who isn't looking after corporate-level security (i.e. your average home user) can use the password-based authentication without too much worry. And if they wanted to retain the ease of password-based authentication, they can add the "auth-nocache" keyword to their OpenVPN config file, which means whenever the connection drops and has to be re-established, the password will be re-asked again.

 

[oneurt]

Hi I followed the setup on my RT-N66u, but I still have not had any success being able to connect my android device to my VPN,

I take my exported .opvn file do I need to copy in the cert and key into my clients.opvn file? or keeping this untouched? I just feel like I'm missing one small step.

Thanks,