VPN instructions for a newbie

[TheLyppardMan]

Hi everyone.

Can anyone give me simple step-by-step instructions how to set up a VPN on my ASUS RT-AX88U so that my son can access his files on my Synology Diskstation while he is away at university? He doesn't want to just be able to log in to the Diskstation GUI and access the files that way (which can easily be done using the Synology QuickConnect service) but rather through the normal file explorer on his Macbook Pro that can be used at home while connected to the internal network.

Any assistance much appreciated as always.

 

[GSpock]

https://x3mtek.com/openvpn-server-setup-instructions-for-asuswrt-merlin/

 

[martinr]

Hi everyone.

Can anyone give me simple step-by-step instructions how to set up a VPN on my ASUS RT-AX88U so that my son can access his files on my Synology Diskstation while he is away at university? He doesn't want to just be able to log in to the Diskstation GUI and access the files that way (which can easily be done using the Synology QuickConnect service) but rather through the normal file explorer on his Macbook Pro that can be used at home while connected to the internal network.

Any assistance much appreciated as always.

As for the DDNS, if you choose to use Asus’ own DDNS in the router, asuscomm.com, instead of Xentrk’s suggestion, I believe you would not regret it. I’ve used it for 4 or 5 years now and never had a single problem with it - at least none that was their fault, one or 2 of my own doing! The whole setting up process for OpenVPN Server has been made as easy as it possibly could be for us. You really don’t need any knowledge of networking or public key infrastructure to get it working.

EDIT 15 Nov 19. After Asus’ recent mess up with certificates, it’s DDNS no longer works. This will be rectified, eventually, but such unreliability is unforgivable and, despite its ease and convenience, I cannot recommend Asus DDNS any longer. My trust in Asus’ DDNS has been lost.

https://www.snbforums.com/threads/free-ddns-recommendation.59945/#post-523701

 

[martinr]

I remember I put a few notes down here, not exactly a tutorial:

https://www.snbforums.com/threads/portforward.55507/#post-471117

you might want to leave the port at 1194 for now - one less variable if it doesn’t work first time. Xentrk’s guide is the better one to follow but a quick read of my notes might provide a sort of overview.

 

[DocUmibozu]

Is better to leave compression disabled: is a waste of CPU and in any case compression and encryption should be avoided

 

[consorts]

This tutorial shows how to configure an ibVPN OpenVPN on ASUS RT AC 85 / 86 / 87 / 88 U router in 7 easy steps.

https://my.ibvpn.com/knowledgebase/...VPN-on-ASUS-RT-AC-85-or-86-or-87-or-88-U.html

 

[elorimer]

Yes but OP wants a server, not a client.

 

[martinr]

Is better to leave compression disabled: is a waste of CPU and in any case compression and encryption should be avoided

Yes, leave disabled. I don’t know about your reasoning, but I seem to remember that around 18 months or 2 years ago, it became apparent there was a security flaw in the compression system. Hence the default is now Disable.

 

[TheLyppardMan]

Thanks for all the tips and instructions. I haven't had chance to work my way through them yet, but I did try to set up the IPSec VPN for my son while he was here yesterday, but we couldn't get it to work on his Macbook, with ot without DDNS enabled (I have a Plusnet static IP anyway). I tried to connect on my Android mobile earlier this afternoon (following ASUS's instructions from the link in the router GUI), but that wouldn't connect either, so I must be doing something wrong somewhere. I'll have another go either later today or in the morning.

 

[elorimer]

There is a lot of experience here with the OpenVPN server, and you might try that first. It is pretty easy to get going. Start with the default port of 1194.

If you have a static IP you may not need DDNS, which is necessary if your ISP changes your router's IP from time to time. But I think the most important part is that the client needs to reach port 1194 on the WAN side of the Asus ax-88u. If your 88U is reporting a routable IP address on the WAN side, that is the address you want. If it is reporting a non-routable address, like 192.168.1.2, you will need to have the modem or router that the ISP supplies either in bridge mode or forwarding port 1194 to the WAN IP of the 88U.

 

[Centrifuge]

Thanks for all the tips and instructions. I haven't had chance to work my way through them yet, but I did try to set up the IPSec VPN for my son while he was here yesterday, but we couldn't get it to work on his Macbook, with ot without DDNS enabled (I have a Plusnet static IP anyway). I tried to connect on my Android mobile earlier this afternoon (following ASUS's instructions from the link in the router GUI), but that wouldn't connect either, so I must be doing something wrong somewhere. I'll have another go either later today or in the morning.

Were you accessing the vpn server router remotely or from the LAN when you tested?

 

[Zonkd]

One thought is to check if ISP has enabled CGNAT. Many ISPs will disable CGNAT on request.

 

[TheLyppardMan]

Well I'm happy to report that the OpenVPN option works fine, on my Android mobile at least. I haven't had an opportunity to test it on a Windows laptop or Macbook yet, but it's looking good right now. Thanks everyone for helping me with this.

 

[martinr]

Well I'm happy to report that the OpenVPN option works fine, on my Android mobile at least. I haven't had an opportunity to test it on a Windows laptop or Macbook yet, but it's looking good right now. Thanks everyone for helping me with this.

Told you it was easy! As easy as falling off a log. Thanks for the feedback.

 

[Kingp1n]

Yes, leave disabled. I don’t know about your reasoning, but I seem to remember that around 18 months or 2 years ago, it became apparent there was a security flaw in the compression system. Hence the default is now Disable.

Does leaving it to none same as disabled?

Update: Disregard.

RMerlin said: ↑
OpenVPN's LZO settings are highly confusing... It can be set to "no", and it can be set to "disabled", both of which are different. One will instruct the other end you don't want to use compression right now, without disabling the feature itself. The other will completely disable the feature.

You have unfortunately to match what the server requires, in most cases.

 

[martinr]

Does leaving it to none same as disabled?

Update: Disregard.

RMerlin said: ↑
OpenVPN's LZO settings are highly confusing... It can be set to "no", and it can be set to "disabled", both of which are different. One will instruct the other end you don't want to use compression right now, without disabling the feature itself. The other will completely disable the feature.

You have unfortunately to match what the server requires, in most cases.

Thank you for that. I didn’t know that. It sounds like it’s the sort of thing that could keep you troubleshooting for days and getting nowhere. Probably another example of the benefits of leaving, as far as possible, all settings at their Merlin default setting unless there’s a very good and tried reason for changing it.

 

[elorimer]

I'm thinking it would be worthwhile to freshen the documentation around the ovpn server, given that there are a number of new behaviors like this that aren't covered in the materials referenced in this thread. Another is the LAN/Internet/Both setting and the use of some config parameters to control things on the client side.

A third might be covering the certs. I recently updated my servers from "only user/password" to + certs, and to save myself grief copied over the certs from one server to another to simplify my chromebook setups. But then the exported configurations have some places for "place certs here" that I hadn't realized and I had to do that.

 

[elorimer]

Following on @martinr's notes, I thought I would put down my preferred setup. Comments welcome. I don't have Apple devices, so haven't tried this with them.

OpenVPN server setup

There are a number of ways of setting up the two OpenVPN servers in Merlin, to state the obvious. Here are mine.

1. It is a good idea to set up both servers, even if you will only regularly be using one server. This way if for some reason a server goes down, and you do not have access to the admin page, you can connect on the other server to fix the problem. Each server can be used for multiple connections.
2. Some people configure one server as TUN, and the other as TAP, since those two configurations can't be changed client side. TAP generates more traffic and is rarely necessary. A better way is to configure both as TUN interfaces, one on 1194/UDP and the other 443/TCP. This is because some remote locations will block 1194/UDP traffic, but will allow 443/TCP traffic to pass. Because 1194 is the standard VPN port, some people move this to a higher port number.
3. The GUI allows the administrator to identify the server as being for LAN access alone, Internet access alone, or Both. The "LAN" setting causes the server to push to the connected client a route to the LAN. The Internet access alone doesn't push the route (so the LAN is unreachable), but changes the client's default gateway to the OpenVPN server by pushing its own gateway as the default gateway, so all internet traffic goes over the tunnel. "Both" does both of those things. Note that if the default gateway is changed by pushing a new default gateway in this way, when the connection is broken down the old default gateway is restored. Generally, if you are at a secure location, you will only want to use the tunnel to access the LAN (the first setting), and access the Internet directly and not through the (generally slower) tunnel (slower because the download to the client will be limited by the upload speed from the router--I'm 200/30). If you are in an insecure location, like a Starbucks, then you want to access the Internet only through the tunnel; you may also want to deny access to the LAN. Sometimes you want to access everything over the tunnel. A better way to do this is to set the GUI to "Both" and control whether you access the internet through the tunnel or not on the client side using the configuration command "pull-filter ignore redirect-gateway". In this way the server will push the new gateway to the client, and if included the client will ignore it and use a split configuration. You will end up with four configuration files: two for each server; and for each server a secure location and an insecure location. (Note: we do it this way to be compatible with .onc options. If you aren't creating a .onc config file you could also do this by setting the server to "LAN only" and adding in the .ovpn file "redirect-gateway def1" or not.)
4. Generally, you don't want compression enabled. This is because an encrypted connection can be broken by comparing a compressed file with the same file with a word added: the second file will be exactly that much longer, with the added portion being known both encrypted and clear. In any case, many long files, like music or video, are already compressed and won't benefit from tunnel compression. The correct setting is "Disabled" and not "None", which means enabled but not used. If the client doesn't have compression enabled, a connection will be made but no traffic will pass because of the mismatch.
5. Generally, you want to set the servers up as certificate authorization only, or certificate plus password, but not password only. Note also that if you set up user/password enabling, the admin user also has access over the tunnel unless you exclude that user as noted below. If you have multiple users, best practice is to generate unique certificates for each, but you can also differentiate users by including "username-as-common-name" in the custom configuration. This is useful for site-to-site setups.
6. OpenVPN by default binds to all interfaces, and therefore is listening on both the LAN side and the WAN side. It isn't clear to me why anyone would want to access the Openvpn servers from the LAN side--you already have physical access--so use the "local <ddns name>" command in the custom configuration box, which instructs OpenVPN to only bind on the WAN side. This is useful if, for example, you have pixelserv already listening on port 443 on the LAN side and you want one server on port 443. If you don't do this the server will fail to start. Look at @Martineau post here for a visual: VPN instructions for a newbie . Full credit to him for pointing this out to me.

Looking then at the GUI VPN|VPN Server-OpenVPN page:

VPN Details: Basic configuration:

• Server instance: Choose the instance you are configuring.
• Enable OpenVPN Server: On
• Security level 1024 or 2048. Use 2048, probably overkill, but the world seems to be going that way. Note this option may disappear after you select it, so to change it you will need to use the Default button below and start over. (This happens with my 87 on 384.13.1, but not on my 56 with 384.6.)
• Client will use VPN to access: Both [As noted above]
• Leave the two Exports and the Upload settings alone for now.
• Add username and password configurations as you like. The names defined here will apply to both servers.
• The Default button will reset the configuration. Note that this will wipe the users for both configurations, so don't do this if you can avoid it.

VPN Details: Advanced:

• Interface Type/Protocol/Server Port: TUN/TCP/443 for one, TUN/UDP/1194 for the other. These combinations have to be unique; you can't start a server on a port that is in use already.
• Authorization Mode: TLS
• Keys and Certificates: These will be generated automatically. Note special instructions below if you have Chromebook clients. If you follow those instructions (making the keys the same), check your exported .ovpn files to be sure all the keys are exported; if they are missing from one, copy the keys over to the second .ovpn file.
• Username/Password Authentication: Yes
• Username/Password Autho. Only: No. This means that a connection requires certificates and username/combo. Setting this to Yes means a connection can be made using only a username/password. Generally, only use this if you are trying to debug connection failures by taking the certs out of the picture.
• TLS control channel security: Encrypt channel (to use tls-crypt) or incoming (I couldn't get Bidirectional to work) (but see Chrome notes for ONC problem)
• HMA Authentication: Default
• VPN Subnet/Netmask: Leave at defaults. (The two server instances will be different: the first defaults to 10.8.0.0 and the second 10.16.0.0)
• Advertise DNS to clients: Yes
• Cipher Negotiation: Enable (with fallback) or Enable.
• Negotiable ciphers: Generally leave at defaults, with either AES-256-GCM or AES-128-GCM as the first choice. In several posts it is suggested 128 is sufficient, and the additional protection of 256 isn't worth the performance trade-off. You can edit this line and restart without changing your client configurations if you change your mind. The connection will be negotiated for whichever one is first.
• Compression: Disable. Note that both client and server have to match. If this is "None", and the Client has a different setting, or doesn't enable it, the connection will be made but no traffic will flow.
• Log verbosity: leave at 3.
• Manage Client-Specific Options: No.
• Custom Configuration: Insert into the box these two commands; you can precede them with "--" or not:

local <your ddns  address>  #as noted above.
client-connect /jffs/scripts/ovpn-client-connect.sh # create this script for actions to be performed when the connection is made, such as waking up a web host.  This script has to exist or the server won't start.

Then, hit apply. After the GUI comes back, go to VPN Status to confirm the server instance started.

Ovpn-client-connect.sh:

Create this script if you include the command, making sure it is executable. Include a shebang, and commands like the following:

   [ $username == "whatever your admin name is" ]  && exit 1  #if the admin user connects, this exits and kills the connection
     exit 0

Search on the forum for @Martineau, who has posted other more complicated uses for this script.

Client Configurations

• Back at the Basic page, you can export the configuration for a server in .ovpn format suitable for Windows and Macs. Note below instructions about Chromebook configurations, which require an .onc format.
• Make sure the exported file indicates the host is the ddns address, and not your WAN IP. Save this configuration with something memorable, like "Home redirect 443". Also, make sure that the certificate information was exported as well. Sometimes the second server just has "paste certificate here" instead, and you have to do it manually.
• Now edit the configuration to add near the top "pull-filter ignore redirect-gateway", and save the result as "Home No-Redirect 443" or equivalent.
• Do the same for the other server, so you have 4 configuration files.
• Save these configurations (for Windows) in the OpenVPN/config folder of the Windows client machine.
• Test all 4 configurations from inside your LAN first, and if they do then again from a location outside of your LAN.
• Use tracert in a cmd shell to see if the redirect/no-redirect split is working correctly (tracepath for a chromebook).

Edited 12/28/19 to clarify a few things.

 

[elorimer]

Chromebook Notes.

Chromebooks are a little more complicated to set up as clients. If you just import the certificates, then you can use the native OpenVPN client to make a connection, but you are stuck with the defaults: I'm not sure what you end up with port, redirection, protocol, cipher, compression, etc. If you want to control this, you need to do something more complicated. If the Chromebook supports Android apps, then you can use the unofficial client in the Play store (blinkt.de) and import the four clients directly. The official openvpn client doesn't work well, in my experience. Note the unofficial client has extensive logging but you can filter it to show different levels, so it is very good for debugging. EDIT: as of October 2021, the unofficial client will throw a fatal error with certificates encoded with SHA1. You need to add tls-cipher DEFAULT:@SECLEVEL=0 to the configuration to make it work. Here SHA1 isn't a problem. Note that the Merlin firmware on the 386 branch before 386.4 currently generates new certs with SHA1. Older and newer firmware uses SHA256. This is an error in Asus's code.
If the Chromebook doesn't support Android apps, or you want to set up a native VPN connection, then you need to create .onc files for the four configurations. Follow this post for instructions: Success: Chromebook VPN Client with Merlin. Note that as of 2022 these have changed slightly; the .onc block is imported in a different place (the old place points you to the correct place), and now when you import the block you see a message of how many configs were imported (yay! before it was a silent fail).

Eight things to note:

1. It doesn't appear that a Chromebook can import two .p12 files for the same router. So, when you are setting up the second server, edit the keys by copying each block from the first server to the second server, so they are the same. Check when you export the file for the second server, as it may not include all of the keys in the .ovpn file. In this case you will need to copy the missing keys from the first server's .ovpn file. Or, if the first .ovpn file is working, you can just edit it to correct the port/protocol settings and save it for the second server. Also, I have had it happen that the keys that are exported are not those listed in the GUI, and if you edit the .ovpn file to include the keys listed in the GUI, there is still an authentication hang. If you are having authentication issues, set the servers back to default and start over.
2. Each .onc file has two main sections. The first identifies the keys by a GUID number. This will be the same in all four .onc files. The second section identifies the unique configuration. This has its own GUID number and appears once; in this section the GUID number in the first section appears again twice. You cannot import a configuration unless the second GUID number and the name of the configuration are unique, and an import will fail silently! There isn't magic in this GUID number, though, so for the first configuration file you set up, change the last digit to "1" and give it the name of the equivalent .ovpn file. In the second, change the last digit of the GUID number to "2" and give it the name of the equivalent .ovpn file, and so on for all 4 files. With each .onc file, edit the configuration to change the port and protocol to match the equivalent .ovpn file. For the two configurations that will ignore the server's default gateway, include a line in the second block:

"IgnoreDefaultRoute": true,

Include the quotes, and note the line ends with a comma. Then import the four files. The only way to see an import is successful (other than digging into the Chromebook logs), is that the configs will appear in the VPN settings section or the system tray.
3. The unofficial Android app can save user name and password combinations, so if you do that, make sure you give the Chromebook a secure password, otherwise anyone with possession of the Chromebook will be able to log into your server and access your LAN. The native OpenVPN setup won't use a password even if it is in the .onc file until after you make a connection. That is, if you include them, the connection will fail the first time, and you will have to enter the password. Afterwards it will connect automatically, although my experience varies.
4. If you powerwash the Chromebook (or it resets itself), the VPN configurations are deleted. So you may want to save the configurations on Google Drive or on a thumb drive to reimport them.
5. You can combine the four .onc files into one, if you are careful, and this can be convenient. The second section starts with this line:

"NetworkConfigurations": [ {

, and the whole thing ends with a }]. Each section enclosed in curly brackets is a separate network configuration, with all the network configurations enclosed in the square brackets. So when you have the first configuration done, copy and paste it three times below (with the curly brackets). Because we are declaring a JSON array here, add a comma between the close curly bracket of the first configuration and the open curly bracket of the second configuration, and so on between the second and third, and the third and the fourth. Then edit the other three configurations to specify a different GUID number (1, 2, 3 and 4) and then edit the port/protocol combinations and the friendly names. Then you can import just the one .onc file. You end up with something like this:

{
  "Type": "UnencryptedConfiguration",
  "Certificates": [{
      "GUID": "{FIRSTGUID#}",
      "Type": "Authority",
      "X509": "ONELINECERTIFICATE"
    }
  ],
  "NetworkConfigurations": [
    {
      "GUID": "{SECONDGUID#1}",
      "Name": "Home 443 redir",
      "Type": "VPN",
      "VPN": {
        "Type": "OpenVPN",
        "Host": "YOURSERVERDDNSADDRESS",
        "OpenVPN": {
          "Port": 443,
          "UserAuthenticationType": "Password",
          "Proto": "tcp",
          "RemoteCertTLS": "server",
          "Cipher": "AES-256-GCM",
          "Username": "YOURNAME",
          "Password": "YOURPASSWORD",
          "ServerCARefs": [
            "{FIRSTGUID#}"
          ],
          "ClientCertType": "Pattern",
              "ClientCertPattern": {
               "IssuerCARef": [ "{FIRSTGUID#}" ]
                         },
        }
      }
    },
  {
      "GUID": "{SECONDGUID#2}",
      "Name": "Home 443 no redir",
      "Type": "VPN",
      "VPN": {
        "Type": "OpenVPN",
        "Host": "YOURSERVERDDNSADDRESS",
        "OpenVPN": {
          "Port": 443,
          "UserAuthenticationType": "Password",
          "Proto": "tcp",
              "IgnoreDefaultRoute": true,
          "RemoteCertTLS": "server",
          "Cipher": "AES-256-GCM",
          "Username": "YOURNAME",
          "Password": "YOURPASSWORD",
          "ServerCARefs": [
            "{FIRSTGUID#}"
          ],
          "ClientCertType": "Pattern",
              "ClientCertPattern": {
               "IssuerCARef": [ "{FIRSTGUID#}" ]
                         },
        }
      }
    },
    {
      "GUID": "{SECONDGUID#3}",
      "Name": "Home 1194 redir",
      "Type": "VPN",
      "VPN": {
        "Type": "OpenVPN",
        "Host": "YOURSERVERDDNSADDRESS",
        "OpenVPN": {
          "Port": 1194,
          "UserAuthenticationType": "Password",
          "Proto": "udp",
          "RemoteCertTLS": "server",
          "Cipher": "AES-256-GCM",
          "Username": "YOURNAME",
          "Password": "YOURPASSWORD",
          "ServerCARefs": [
            "{FIRSTGUID#}"
          ],
          "ClientCertType": "Pattern",
              "ClientCertPattern": {
               "IssuerCARef": [ "{FIRSTGUID#}" ]
                         },
        }
      }
    },
    {
      "GUID": "{SECONDGUID#4}",
      "Name": "Home 1194 no redir",
      "Type": "VPN",
      "VPN": {
        "Type": "OpenVPN",
        "Host": "YOURSERVERDDNSADDRESS",
        "OpenVPN": {
          "Port": 1194,
          "UserAuthenticationType": "Password",
          "Proto": "udp",
              "IgnoreDefaultRoute": true,
          "RemoteCertTLS": "server",
          "Cipher": "AES-256-GCM",
          "Username": "YOURNAME",
          "Password": "YOURPASSWORD",
          "ServerCARefs": [
            "{FIRSTGUID#}"
          ],
          "ClientCertType": "Pattern",
          "ClientCertPattern": {
               "IssuerCARef": [ "{FIRSTGUID#}" ]
                         },
        }
      }
    }
    ]
}

6. If you have configurations for two servers, Chrome may pick up the wrong server ca. When you first open the VPN configuration to start, you may have to correct the server ca in two places to identify the correct server. Generally, these are the model numbers of the Asus routers.
7. If you add TLS-auth to the server config, add a line in each individual connection to read:

"TLSAuthContents": "ONELINECERTWITHthe Begin and End Lines",

Note that ONC doesn't understand tls-crypt. This may be a different reason to differentiate the two servers, so that one is tls-auth, and the other the more secure tls-crypt.
8. If you want compression, note that the .onc block descriptions afoot are incorrect in some respects. https://bugs.chromium.org/p/chromium/issues/detail?id=1212518&q=onc&can=2


Edited 12/28/19 to add notes 5 and 6.
Edited 12/7/20 to add note 7.
Edited 6/10/21 to add note 8.
Edited 10/9/21 to reference SHA1 certs in first paragraph.

 

[HardCat]

@elorimer - Great post! IMO this should be in the wiki for sure!

Any specific reason to not use "TLS control channel security:" ?