What's new

Strange issue with OpenVPN on RT-AX55

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Shaamaan

New Around Here
I'm trying to set up OpenVPN on my Asus RT-AX55 router. It seems fairly easy - enable OpenVPN, download config files, and it should be good to go, right? Well, the initial setup had old and insecure encryption keys, so I had to generate new ones and update those using the GUI. Granted, it WAS possible to override the warnings in client apps, but I've already had done certificate generation for OpenVPN in the past so that wasn't that big of a deal.

With the updated certificates it seemed everything was going fine - I could establish a connection (both from a Windows 10 client as well as my Android phone) and access network resources (routers WOL page + access my PC over RDP). However I also wanted to use this connection to access the internet in a secure way (ex, from an open hotel WiFi or something of the kind). And here, it turns out, the router's not working as it should. The whole thing is VERY strange.

All of the following statements are true when connected to the OpenVPN on the router. I've tested these things mostly on a Windows 10, but similar stuff's happening on the Android phone, which suggests a configuration / router issue.
1) I can resolve DNS names fine (NSLOOKUP points to the router as the DNS source and it responds to queries)
2) I can ping internet addresses (assuming they respond to PINGs; something like MS Azure Portal does not)
3) I can access sites by their IP address (I can open https://1.1.1.1)
4) If I attempt to access a site by URL... I get nothing. Same is true if I attempt to get the raw data using something like Invoke-WebRequest from PowerShell.

The configuration seems fairly standard. The firmware itself recognizes my settings as "Internet and local network" under the "Client will use VPN to access" setting. I've also managed to set up the IPSec VPN, and that works fine all the way through (but I'd rather use OpenVPN since setting it up is much easier).

Did anyone have similar issues with this router model? Or perhaps similar issues in another router model? Any ideas what could be the cause and how to fix this?
 
@Shaamaan,
I'm on Ubuntu 22.04 (client) and I'm using RT-AX55 with factory default firmware (3.0.0.4.386.45934).

The behavior is similar to yours. I'm currently using factory default (weak) SHA1-based certificates with option "Internet and local network" on and I can't reach web pages exept their IP address. So this is mybe a general bug, and not related to replaced certificates.

I want to change my factory default certificates to SHA256. How did you changed your certificates? Can you describe me?
 
Last edited:
I want to change my factory default certificates to SHA256. How did you changed your certificates? Can you describe me?
I did this on Windows, so... not really. But I think it's probably going to be a easier for you as I had to battle a lot of weird tutorials and scripts that didn't seem to fully work (and it was hard to tell if the issue was the script being old / bad or Windows itself).

The top-level tutorial for this is here: https://openvpn.net/community-resources/setting-up-your-own-certificate-authority-ca/

As stated, I suspect you should be able to follow this tutorial and get the new CA, certificate and key done without much hassle. You can then use the OpenVPN advanced settings in the router to copy-paste the new CA/cert/key.

Do know there's ONE issue with this, however; if you update the certificates then the OpenVPN configuration file you can export from the router's web page will be MISSING the client certificate and key. You need to generate those using the same tutorial as above (it has a section for 3 clients - if you're the only VPN user then you only need one and / or you can share the client cert/key) and then manually complete the configuration file (it has very clear sections with something like "CERTIFICATE HERE" and "KEY HERE").
 
Thanks @Shaamaan for your answer. I successfully replaced the default SHA1 certificate with an SHA-256 coded own certificate.

 

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top