OpenVPN on Asus RT-N66U

[vulkano]

Hi guys, a complete noob here looking for help.

After reading a lot of posts and trying for nights to get this to work I am hoping to get some advice please.

I have my internet connected through a Billion 7800N (modem/router) and now wish to connect this to the Asus RT-N66U.

I wish to still use the Billion for all wireless connections through my ISP but use the Asus for wired connections through a VPN using OpenVPN.

I have installed Merlin's RT-N66U_3.0.0.4_270.26b.trx on the Asus and connected Billion Lan1 to Asus Lan1. I have also turned off the wireless channels on the Asus and DHCP on the Asus.

A wired PC which is connected to the Asus works fine and even with OpenVPN installed on the PC everything works as it should and my IP address gets changed
My problems start when I try to get OpenVPN to run on the Asus.
I have hopefully entered the correct information in the OpenVPN Client Settings and in OpenVPN Keys and when I start the service it goes green and 'on'. VPN Status also shows 'OpenVPN Client 1- Running'
The problem is when I check my IP address it has not changed

I hope somebody can tell me firstly if my set-up is feasible and can infact work and secondly if it is point me in the right direction.

Many thanks.

 

[CaptainSTX]

Configuration Suggestions

You may find it easier to get OPenVPN to run if you put the ASUS in its own subnet.

On the ASUS set the WAN IP to an IP in the range used by your primary router. If your primary router is 192.168.1.1 you could set the ASUS as 192.168.1.2. Set WAN IP to static.

On the ASUS set the LAN IP to a different subnet. You could use 192.168.199.1.

Turn on the ASUS DHCP server and set a range of IPs. Using the step above the range 192.168.199.100 -.119 would work. You may need to set your DNS servers on the ASUS for better performance. Test using benchmark after you are connected using OpenVPN

Then run an Ethernet cable from a LAN port on your primary router to the WAN port on your ASUS.

The disadvantage of this setup is that you will not be able to share network resources with devices connected to your primary network. If that is important try keeping the ASUS in the same subnet and have its DHCP server assign IP outside the range that the primary router is assigning. If your primary router assigns 192.168.100 -150 then your ASUS could use some range above 150.

 

[vulkano]

Superb CaptainSTX, just the help I needed, many thanks
Up and running now after following your instructions

On the ASUS set the WAN IP to an IP in the range used by your primary router. If your primary router is 192.168.1.1 you could set the ASUS as 192.168.1.2. Set WAN IP to static.

The only bit I couldnt get working was setting the Asus WAN IP to static but it works just fine when left on Automatic IP

The disadvantage of this setup is that you will not be able to share network resources with devices connected to your primary network. If that is important try keeping the ASUS in the same subnet and have its DHCP server assign IP outside the range that the primary router is assigning. If your primary router assigns 192.168.100 -150 then your ASUS could use some range above 150.

Although not essential it would be really nice to share/connect with devices connected to the Billion 7800N (primary router).
I tried it as you suggested but was unsuccessful.
Do you mean, for this to work, I would need to set the Asus LAN IP to an IP within the primary routers range and set the Asus DHCP server to a range slightly higher than the primary routers range??

Many thanks again for getting me going

 

[CaptainSTX]

Superb CaptainSTX, just the help I needed, many thanks
Up and running now after following your instructions


Although not essential it would be really nice to share/connect with devices connected to the Billion 7800N (primary router).
I tried it as you suggested but was unsuccessful.
Do you mean, for this to work, I would need to set the Asus LAN IP to an IP within the primary routers range and set the Asus DHCP server to a range slightly higher than the primary routers range??

Many thanks again for getting me going

My suggestion was to try keeping everything in the same subnet, but be sure they don't overlap. Billion DHCP 192.168.1.100 - 150 and ASUS assign DHCP range 192.168.1.151 - 170 or something similar. If that doesn't work and there are probably several reasons why it won't then you are faced with working with scripts and iptables on either the 7800N and your ASUS. There is probably someone on this forum that can help you with the ASUS, but the 7800N might be the issue. It may not have the flexibility you need and finding someone to help you with programming it might be tough.

The problem is that the two routers are connected LAN to WAN.

I have never tried to link my networks as it is just simpler for me to connect to which ever of my networks that I need using WiFi. My primary network has its own SSID along with SSIDs for two APs used to extend it. I have two other routers set up with VPNs and they also have their own SSIDs allowing me to choose on the fly if I want to connect through Miami, London or Stockholm. In addition I have multiple alternate backup configuration files saved for each of the routers so when it is necessary I can quickly switch to other alternative countries/cities.

 

[-KS-Silence[AU]]

Bridged VPN

You dont need the router to be in a different subnet at all FYI...
It really depends on what the purpose of the VPN is. for me i use it to access my LAN devices outside of home and i would prefer if my laptop when connected to the vpn gets an IP on the same Range as the internal devices which it does without an issue...

Basically to set the VPN up to work in a "Switched" AKA Bridged Mode is rather easy and only a few things have to be changed vs using routed.

For Bridged use the TAP Mode instead of TUN, TCP or UDP it doesnt really matter, im using UDP. In your client .opvn file make sure they are set to use the same protocol and mode settings as the server.

Alright these are the settings i used for my Bridged VPN:

BASIC SETTINGS:

Start with WAN: Yes
Interface Type: TAP
Protocol: <TCP> OR <UDP> DOESNT matter imo as long as client is using the same.
PORT: Specify the port, Default is 1194 , client must know this port to connect.
Firewall: Automatic
Auth Mode: TLS
Extra HMAC Auth: Disabled
Allocate from DHCP: Yes

ADVANCED SETTINGS:

Poll Interval: Leave as is
Tell clients to use VPN for internet: Enable this if you need
Respond to DNS: Default is No, I have it set to Yes and havent noticed any issues
Advertise DNS to Clients: Should be same as above
Encryption Cypher: Default should be fine. What ever you use client must support it.
Compression: Doesnt matter as long as its same on client
TLS Renegotiation time: Leave at default
Manage Client specific Options: No
Allow Client to Client: Enable if VPN devices should be able to interact with LAN devices on internal network, Printers / NAS / Computers you need access to? then use Yes.
Allow only Specified Clients: NO! Im trying to get this to work myself, if you turn it on nothing will connect.....

CUSTOM CONFIGURATION (The settings here are Mine for Demo Purposes, edit as required to suit your network's IP ranges):

persist-key
server-bridge 192.168.2.1 255.255.255.0 192.168.2.60 192.168.2.89

the server bridge command breaks down like so:
server-bridge <routers LAN IP> <subnet mask> <Start of LAN ips you want to assign to devices> <end of LAN ips you want to assign>

If you need any help with this basic setup drop a reply for help here or send me a PM and il get yer goin!