concise guide to setting up openvpn

loadyo

Occasional Visitor
I am running the latest Merlin firmware and I am trying to set up OpenVPN. The best guide I have seen so far, which I am trying to decipher, is pieced together from different guides, and I am having trouble correlating the information to my needs. For example, it shows how to set up the server on the router using Tomato USB OpenVPN and the settings look very different, some of which I can't even find. Is there a good guide anyone knows of that will show it completely using Merlin firmware?
 
https://github.com/RMerl/asuswrt-merlin/wiki/Configuring-OpenVPN-on-Merlin's-fw

there you go.

OpenVPN is horrible. To set up. Once it's running, it is the best VPN option out of all. Setting it up is indeed a nightmare if you're doing it for the first time, but once you know how to do it, it won't be a big deal anymore. I've switched from PPTP to OpenVPN myself (today, coincidentally) and have my phone, one of my tablets (both Android) and a Chromebook successfully connecting to my router and routing all traffic, including DNS requests, through the VPN tunnel (verified that).

In case that link doesn't answer all your questions, just let us know. For various devices it's necessary to create a .P12 file and I'm not sure if that's covered in the link (but that's easy as well).
 
With Asuswrt and Asuswrt-Merlin, all you have to do is start the server, wait for it to automatically generate key/certs, add a username/password at the bottom, then click on the button to export a .ovpn config file for you to use on your client computers. And you're all set.
 
Really?... It's that simple?... Is that made easier by way of your firmware?
 
No, that automatic key/cert generation and user/password based authentication was developed by Asus after they took the base OpenVPN code from my project. They've done a pretty good job at simplifying OpenVPN.

Of course you can still go down the route of user-assigned certificates if you want optimal security, but for many home users this isn't necessary.
 
Yes, it truly is as simple as Merlin says. I graduated to Asuswrt-Merlin from DDWRT and was dreading setting up OpenVPN. Not believing it could be so easy and also to get my iPhone client connected, I spent longer trying to convince myself that I was done. I never got round to setting it up with public-private key pairs, just a very strong username and password pair - good enough for my present needs.

I haven't set up my Windows laptop to run as an OpenVPN client; if you do, "Don't forget to run the OpenVPN client with administrator privileges, so it can establish its routes." (RMerlin)
 
Since iOS couldn't use tap, any idea how to configure it such that my iOS apps can discover network devices while connected to tap? I don't think the app does a scan of IPs (else I would have seen it appear) but rather the network device at home does a broadcast or something perhaps. I'm not quite sure what's going on either. Any ideas?
 
I've only used tun, but given the old adage "never assume - check", do you really have a specific need for tap? I ask given: "TUN is fine for your needs. TAP is only needed for very particular scenarios." (Another quote from RMerlin - http://www.snbforums.com/threads/vpn-server-tun-vs-tap.9164/ )
 
I'm having trouble exporting the .ovpn file from the router to my Android device. I am trying to do it remotely, so I'm not sure if that's why it keeps saying download unsuccessful on my Android. I downloaded OpenVPN Connect for Android and tried using that to import by entering my DDNS host and the user/pass I set on the OpenVPN server page on the router, but the connection gets refused.
 
Your OpenVPN client won't be able to connect to the server on the router until the .ovpn file has been imported into the OpenVPN app, so you can't use the OpenVPN app to import the file. You say you are trying to do this remotely; I assume therefore that you are unable to access your router's webui from the public side, otherwise you would have done so and exported the .ovpn file that way. (If you had ssh set up and were happy using it, you could have accessed the webui through the secure tunnel.)
 
I was trying to download it directly to my phone from the router over public; I can connect to the router's GUI... I have just tried it over a public network on a PC and it has downloaded now... must just be an Android thing.
 
Of seem to have it connected... but this is a bit embarrassing. The concept behind me setting up OpenVPN is that I run an UNraid server which I want to access over the net from anywhere so I can view its GUI and shares, and I don't want it exposed to threats... how do I go about accessing it? I don't want to be forwarding ports, do I?
 
Not sure of your setup, but when you connect to your network via your VPN it's as if you are back home behind your router, so whatever address you'd type into your browser to access that server - assuming that's what you do - try the same thing - same address, e.g. 192.168..... One thing to watch for: if, back home, your device address is e.g. 192.168.1.4 and you are currently on a remote network with similar 192.168.1.x addresses, don't be surprised when you can't connect: the local router can't be sure which network you want - the local client's network or the one at the far end of the VPN tunnel. For that reason you might want to consider changing your home network addresses to something less common, e.g. 192.168.19.... etc. I'm sure you get the idea.
 
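The address clash described in the post above, worked through as an added example (not part of the original thread). It models the client's route choice as a plain longest-prefix match in which the directly connected network wins ties; that tie-break is an assumption, and real clients also weigh route metrics. The function names and the remote networks are made up for illustration.

```python
import ipaddress

# Constructed sample values; only 192.168.1.4 and the 192.168.19.x idea come from the post.
HOME_LAN_OLD = "192.168.1.0/24"
HOME_LAN_NEW = "192.168.19.0/24"

def overlaps(home_lan, remote_lan):
    """True when the home LAN and the network the client is sitting on share addresses."""
    return ipaddress.ip_network(home_lan).overlaps(ipaddress.ip_network(remote_lan))

def pick_route(target, routes):
    """Longest-prefix match over (network, label) pairs; on a tie the earlier entry wins."""
    addr = ipaddress.ip_address(target)
    best = None
    for net, label in routes:
        network = ipaddress.ip_network(net)
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, label)
    return best[1] if best else "default"

def path_to(target, home_lan, remote_lan):
    """Which way a packet for `target` leaves the client while the tunnel is up.
    Assumption: the directly connected network is listed first and so wins ties."""
    return pick_route(target, [(remote_lan, "local"), (home_lan, "vpn")])

if __name__ == "__main__":
    # Compare the common home subnet with the renumbered one on three remote networks.
    for home, target in ((HOME_LAN_OLD, "192.168.1.4"), (HOME_LAN_NEW, "192.168.19.4")):
        for remote in ("192.168.1.0/24", "192.168.0.0/16", "10.0.0.0/24"):
            print(f"home={home} remote={remote} "
                  f"overlap={overlaps(home, remote)} path={path_to(target, home, remote)}")
```

With the identical /24 on both sides the packet for 192.168.1.4 never enters the tunnel; after renumbering the home LAN to 192.168.19.0/24 it does, even on a remote network as broad as 192.168.0.0/16, because the VPN route is the more specific one.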
I have set up OpenVPN now on my RT-AC87, and connecting to the router is working well, but routing to nodes in my network seems to be more problematic.
What are you supposed to do to connect to a node on the network? Do you have to set up routing?
Are there any guidelines to follow?

I'm using Viscosity on my MacBook Pro to connect to my router.
 
It worked... so in theory I don't need to port forward things like sonar, sickbed etc. running on my server, but doing so would need me to be running an OpenVPN client on whatever I'm connecting from?
 
