Feature Request: Running an OpenVPN Server in AP-mode

miroco

Regular Contributor
A feature request to Asuswrt-Merlin branch

I've got an rt-ac86u operating in AP-mode behind a firewall. It would be nice to be able to take advantage of the processing power of the rt-ac86u to run an OpenVPN Server on it, even if it's in AP-mode. Requirements that I can think of are a different routing scheme (AP) on the OpenVPN Server and port forwarding on the firewall.

Let's hear what you think guys.

https://www.snbforums.com/threads/openvpn-performance-of-the-rt-ac86u.41217/page-2#post-351407

https://www.google.se/search?dcr=0&...hUKEwi3ps6d2Y_kAhUBxMQBHb4aBdIQ4dUDCAk&uact=5

Edit!

In a broader perspective.

Quite a few people use an open-source-based firewall instead of the all-in-one SOHO router in their homes. The system resources on which such a system is based are in many cases quite low to modest. It's also not uncommon for that kind of setup to have a surplus SOHO router configured in AP-mode to provide wireless coverage. In order to take full advantage of the system resources on the firewall, the idea of moving a function from the firewall to the AP struck me. My thought was, why run an OpenVPN Server on the firewall when the AP has one already, and idle at that, not breaking a sweat providing WiFi coverage?
 
I believe it already does this. All you need to do is forward the port from the router to the AP.
 
It’s extremely unlikely for the reasons Merlin has set out here:

https://github.com/RMerl/asuswrt-merlin/wiki/FAQ

If memory serves me right, Merlin implemented OpenVPN in the Asuswrt code at a time when Asus only offered PPTP.

An excerpt from the rt-n66u changelog from 2012.

Code:
3.0.0.3.178.16 Beta:
   - NEW: (RT-N66U, RT-AC66U) Implemented OpenVPN, based on code written by
          Keith Moyer (from the Tomato project).

See also:

https://github.com/RMerl/asuswrt-merlin/wiki/Configuring-OpenVPN-on-Merlin's-fw
 
If I understand you correctly, there are only a few changes to the web gui to make OpenVPN appear and work in AP-mode?
I could be wrong but I seem to remember people mentioning in other posts that they were running an OpenVPN server in AP mode without any problems. I remember being surprised because I knew it wasn't possible with John's firmware (which I use). But it made sense because in John's firmware the OpenVPN server listens only on the WAN interface whereas in Merlin's it listens on all interfaces (including the LAN interface).

I suggest you try it for yourself and see if it works.

EDIT: Sorry, it's just dawned on me that I may be missing your point? I guess your main problem is that in AP mode you don't have access to the VPN menus in the GUI? That kinda makes sense because even though it's possible to have the VPN server running it's not possible to have the client running. Perhaps it's reachable directly through its URL, http://router.asus.com/Advanced_VPN_OpenVPN.asp . Or maybe they configured it in "router mode", switched to AP mode, and then started it from the command line (service start_vpnserver1).
 
This is a first attempt. Any ideas?

The dates in the log from the iOS OpenVPN client are out of whack, but that's nothing new. The time doesn't match either.

The DDNS is on the firewall, picking up the public ip-address for the OpenVPN client.

Code:
2019-50-20 00:50:38 ----- OpenVPN Start -----
OpenVPN core 3.2 ios arm64 64-bit PT_PROXY built on Oct  3 2018 06:35:04

2019-50-20 00:50:38 Frame=512/2048/512 mssfix-ctrl=1250

2019-50-20 00:50:38 UNUSED OPTIONS
5 [ncp-ciphers] [AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC]
13 [resolv-retry] [infinite]
14 [nobind]

2019-50-20 00:50:38 EVENT: RESOLVE
2019-50-20 00:50:38 Contacting [115.177.xx.xx]:1194/UDP via UDP
2019-50-20 00:50:38 EVENT: WAIT
2019-50-20 00:50:38 Connecting to [xxxxxxxxxxx.ddns.net]:1194 (115.177.xx.xx) via UDPv4
2019-50-20 00:50:48 Server poll timeout, trying next remote entry...
2019-50-20 00:50:48 EVENT: RECONNECTING
2019-50-20 00:50:48 EVENT: RESOLVE
2019-50-20 00:50:48 Contacting [115.177.xx.xx]:1194/UDP via UDP
2019-50-20 00:50:48 EVENT: WAIT
2019-50-20 00:50:48 Connecting to [xxxxxxxxxxx.ddns.net]:1194 (115.177.xx.xx) via UDPv4
2019-50-20 00:50:58 Server poll timeout, trying next remote entry...
2019-50-20 00:50:58 EVENT: RECONNECTING
2019-50-20 00:50:58 EVENT: RESOLVE
2019-50-20 00:50:58 Contacting [115.177.xx.xx]:1194/UDP via UDP
2019-50-20 00:50:58 EVENT: WAIT
2019-50-20 00:50:58 Connecting to [xxxxxxxxxxx.ddns.net]:1194 (115.177.xx.xx) via UDPv4
2019-51-20 00:51:09 EVENT: CONNECTION_TIMEOUT [ERR]
2019-51-20 00:51:09 Raw stats on disconnect:

 BYTES_OUT : 420
 PACKETS_OUT : 30
 CONNECTION_TIMEOUT : 1
 N_RECONNECT : 2

2019-51-20 00:51:09 Performance stats on disconnect:
 CPU usage (microseconds): 54716
 Network bytes per CPU second: 7675
 Tunnel bytes per CPU second: 0

2019-51-20 00:51:09 EVENT: DISCONNECTED

2019-51-20 00:51:09 Raw stats on disconnect:
 BYTES_OUT : 420
 PACKETS_OUT : 30
 CONNECTION_TIMEOUT : 1
 N_RECONNECT : 2

2019-51-20 00:51:09 Performance stats on disconnect:
 CPU usage (microseconds): 54716
 Network bytes per CPU second: 7675
 Tunnel bytes per CPU second: 0

Server:

Code:
Aug 20 00:44:26 ovpn-server1[21827]: OpenVPN 2.4.7 arm-buildroot-linux-gnueabi [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jul 31 2019
Aug 20 00:44:26 ovpn-server1[21827]: library versions: OpenSSL 1.1.1c  28 May 2019, LZO 2.08
Aug 20 00:44:26 ovpn-server1[21828]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Aug 20 00:44:26 ovpn-server1[21828]: PLUGIN_INIT: POST /usr/lib/openvpn-plugin-auth-pam.so '[/usr/lib/openvpn-plugin-auth-pam.so] [openvpn]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
Aug 20 00:44:26 ovpn-server1[21828]: Diffie-Hellman initialized with 2048 bit key
Aug 20 00:44:26 ovpn-server1[21828]: TUN/TAP device tun21 opened
Aug 20 00:44:26 ovpn-server1[21828]: TUN/TAP TX queue length set to 1000
Aug 20 00:44:26 ovpn-server1[21828]: /bin/ip link set dev tun21 up mtu 1500
Aug 20 00:44:26 ovpn-server1[21828]: /bin/ip addr add dev tun21 10.8.0.1/24 broadcast 10.8.0.255
Aug 20 00:44:26 ovpn-server1[21828]: updown.sh tun21 1500 1621 10.8.0.1 255.255.255.0 init
Aug 20 00:44:26 ovpn-server1[21828]: Could not determine IPv4/IPv6 protocol. Using AF_INET
Aug 20 00:44:26 ovpn-server1[21828]: Socket Buffers: R=[524288->524288] S=[524288->524288]
Aug 20 00:44:26 ovpn-server1[21828]: UDPv4 link local (bound): [AF_INET][undef]:1194
Aug 20 00:44:26 ovpn-server1[21828]: UDPv4 link remote: [AF_UNSPEC]
Aug 20 00:44:26 ovpn-server1[21828]: MULTI: multi_init called, r=256 v=256
Aug 20 00:44:26 ovpn-server1[21828]: IFCONFIG POOL: base=10.8.0.2 size=252, ipv6=0
Aug 20 00:44:26 ovpn-server1[21828]: Initialization Sequence Completed
 
Good to hear you got it working. How did you do it in the end? Did you have to use either of the "cheats" I mentioned earlier or was there already an option in the GUI?
 
Maybe I jumped the gun a bit. There is a DNS problem. I tried to add a DNS server using the Custom Configuration field (DNS addr), but I couldn't make it work, neither with a public DNS server nor with the IP address of the firewall.

Reaching the OpenVPN Server in the web gui in the first place was the first hurdle. I followed up on your idea by cheating, using its URL. It worked surprisingly well.

I also found out that this is not the first time this issue has been discussed.

https://www.snbforums.com/threads/vpn-in-ap-mode.49443/
 
As far as I can conclude, the OpenVPN Server adds the AP's ip-address as DNS server despite the fact that I have assigned a DNS in the LAN settings.

Code:
2019-08-20 13:08:15 ----- OpenVPN Start -----
OpenVPN core 3.2 ios arm64 64-bit PT_PROXY built on Oct  3 2018 06:35:04

2019-08-20 13:08:15 Frame=512/2048/512 mssfix-ctrl=1250

2019-08-20 13:08:15 UNUSED OPTIONS
5 [ncp-ciphers] [AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC]
13 [resolv-retry] [infinite]
14 [nobind]

2019-08-20 13:08:15 EVENT: RESOLVE
2019-08-20 13:08:16 Contacting [115.177.xx.xx]:1194/UDP via UDP
2019-08-20 13:08:16 EVENT: WAIT
2019-08-20 13:08:16 Connecting to [xxxxxxxxxx.ddns.net]:1194 (115.177.xx.xx) via UDPv4
2019-08-20 13:08:16 EVENT: CONNECTING
2019-08-20 13:08:16 Tunnel Options:V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-client
2019-08-20 13:08:16 Creds: Username/Password

2019-08-20 13:08:16 Peer Info:
IV_GUI_VER=net.openvpn.connect.ios 3.0.2-894
IV_VER=3.2
IV_PLAT=ios
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2


2019-08-20 13:08:16 VERIFY OK : depth=0
cert. version    : 3
serial number    : 01
issuer name      : C=TW, ST=TW, L=Taipei, O=ASUS, CN=RT-AC86U, emailAddress=me@myhost.mydomain
subject name      : C=TW, ST=TW, L=Taipei, O=ASUS, CN=RT-AC86U, emailAddress=me@myhost.mydomain
issued  on        : 2019-08-19 22:36:22
expires on        : 2029-08-16 22:36:22
signed using      : RSA with SHA-256
RSA key size      : 1024 bits
basic constraints : CA=false
cert. type        : SSL Server
key usage        : Digital Signature, Key Encipherment
ext key usage    : TLS Web Server Authentication


2019-08-20 13:08:16 SSL Handshake: TLSv1.2/TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
2019-08-20 13:08:16 Session is ACTIVE
2019-08-20 13:08:16 EVENT: GET_CONFIG
2019-08-20 13:08:16 Sending PUSH_REQUEST to server...

2019-08-20 13:08:16 OPTIONS:
0 [route] [192.168.1.0] [255.255.255.240] [vpn_gateway] [500]
1 [dhcp-option] [DNS] [192.168.1.14]
2 [redirect-gateway] [def1]
3 [route-gateway] [10.8.0.1]
4 [topology] [subnet]
5 [ping] [15]
6 [ping-restart] [60]
7 [ifconfig] [10.8.0.2] [255.255.255.0]
8 [peer-id] [0]
9 [cipher] [AES-256-GCM]


2019-08-20 13:08:16 PROTOCOL OPTIONS:
 cipher: AES-256-GCM
 digest: SHA1
 compress: NONE
 peer ID: 0

2019-08-20 13:08:16 EVENT: ASSIGN_IP
2019-08-20 13:08:16 NIP: preparing TUN network settings
2019-08-20 13:08:16 NIP: init TUN network settings with endpoint: 115.177.xx.xx
2019-08-20 13:08:16 NIP: adding IPv4 address to network settings 10.8.0.2/255.255.255.0
2019-08-20 13:08:16 NIP: adding (included) IPv4 route 10.8.0.0/24
2019-08-20 13:08:16 NIP: adding (included) IPv4 route 192.168.1.0/28
2019-08-20 13:08:16 NIP: redirecting all IPv4 traffic to TUN interface
2019-08-20 13:08:16 NIP: adding DNS 192.168.1.14
2019-08-20 13:08:16 Connected via NetworkExtensionTUN
2019-08-20 13:08:16 EVENT: CONNECTED yyy@xxxxxxxxxx.ddns.net:1194 (115.177.xx.xx) via /UDPv4 on NetworkExtensionTUN/10.8.0.2/ gw=[/]
 

Attachments

  • LAN - LAN IP.png
Why are you using such a small subnet? It should be the same as that of the main LAN. Using something other than /24 can cause unexpected problems.

Can you provide a screenshot of the router's VPN Details/Advanced Settings page? You might have to add the following line to the Custom Configuration box if there's not a menu option that already does it.

Code:
push "dhcp-option DNS 192.168.1.1"
 
It kind of worked, but still no DNS resolution. It did assign 192.168.1.1 as a DNS server. The problem I guess is that the OpenVPN Server still/also assigns 192.168.1.14 as a DNS server, and my hunch is that they are queried in falling order.

The smaller subnet is for two reasons: I don't have that many devices, and it's easier to find a "lost" device. I have mixed experiences with the "arp -a" command.

Code:
2019-08-20 14:16:24 ----- OpenVPN Start -----
OpenVPN core 3.2 ios arm64 64-bit PT_PROXY built on Oct  3 2018 06:35:04

2019-08-20 14:16:24 Frame=512/2048/512 mssfix-ctrl=1250

2019-08-20 14:16:24 UNUSED OPTIONS
5 [ncp-ciphers] [AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC]
13 [resolv-retry] [infinite]
14 [nobind]

2019-08-20 14:16:24 EVENT: RESOLVE
2019-08-20 14:16:24 Contacting [115.177.xx.xx]:1194/UDP via UDP
2019-08-20 14:16:24 EVENT: WAIT
2019-08-20 14:16:24 Connecting to [xxxxxxxxxx.ddns.net]:1194 (115.177.xx.xx) via UDPv4
2019-08-20 14:16:24 EVENT: CONNECTING
2019-08-20 14:16:24 Tunnel Options:V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-client
2019-08-20 14:16:24 Creds: Username/Password

2019-08-20 14:16:24 Peer Info:
IV_GUI_VER=net.openvpn.connect.ios 3.0.2-894
IV_VER=3.2
IV_PLAT=ios
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2


2019-08-20 14:16:24 VERIFY OK : depth=0
cert. version    : 3
serial number    : 01
issuer name      : C=TW, ST=TW, L=Taipei, O=ASUS, CN=RT-AC86U, emailAddress=me@myhost.mydomain
subject name      : C=TW, ST=TW, L=Taipei, O=ASUS, CN=RT-AC86U, emailAddress=me@myhost.mydomain
issued  on        : 2019-08-19 22:36:22
expires on        : 2029-08-16 22:36:22
signed using      : RSA with SHA-256
RSA key size      : 1024 bits
basic constraints : CA=false
cert. type        : SSL Server
key usage        : Digital Signature, Key Encipherment
ext key usage    : TLS Web Server Authentication


2019-08-20 14:16:24 SSL Handshake: TLSv1.2/TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
2019-08-20 14:16:24 Session is ACTIVE
2019-08-20 14:16:24 EVENT: GET_CONFIG
2019-08-20 14:16:24 Sending PUSH_REQUEST to server...

2019-08-20 14:16:24 OPTIONS:
0 [route] [192.168.1.0] [255.255.255.240] [vpn_gateway] [500]
1 [dhcp-option] [DNS] [192.168.1.14]
2 [redirect-gateway] [def1]
3 [dhcp-option] [DNS] [192.168.1.1]
4 [route-gateway] [10.8.0.1]
5 [topology] [subnet]
6 [ping] [15]
7 [ping-restart] [60]
8 [ifconfig] [10.8.0.2] [255.255.255.0]
9 [peer-id] [0]
10 [cipher] [AES-256-GCM]


2019-08-20 14:16:24 PROTOCOL OPTIONS:
 cipher: AES-256-GCM
 digest: SHA1
 compress: NONE
 peer ID: 0

2019-08-20 14:16:24 EVENT: ASSIGN_IP
2019-08-20 14:16:24 NIP: preparing TUN network settings
2019-08-20 14:16:24 NIP: init TUN network settings with endpoint: 115.177.xx.xx
2019-08-20 14:16:24 NIP: adding IPv4 address to network settings 10.8.0.2/255.255.255.0
2019-08-20 14:16:24 NIP: adding (included) IPv4 route 10.8.0.0/24
2019-08-20 14:16:24 NIP: adding (included) IPv4 route 192.168.1.0/28
2019-08-20 14:16:24 NIP: redirecting all IPv4 traffic to TUN interface
2019-08-20 14:16:24 NIP: adding DNS 192.168.1.14
2019-08-20 14:16:24 NIP: adding DNS 192.168.1.1
2019-08-20 14:16:24 Connected via NetworkExtensionTUN
2019-08-20 14:16:24 EVENT: CONNECTED yyy@xxxxxxxxxx.ddns.net:1194 (115.177.xx.xx) via /UDPv4 on NetworkExtensionTUN/10.8.0.2/ gw=[/]
 

Attachments

  • VPN Server - OpenVPN.png
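The three client logs posted in this thread (the failed attempt before the server answered, then the two connections that push one and two DNS servers) and the server's "link local (bound)" line lend themselves to a small checker. What follows is an added example, not code from the thread or from the Asuswrt-Merlin firmware: it parses the OpenVPN Connect (core 3.x) client log format shown above, reports whether the server ever replied, lists the pushed DNS servers and routes, and flags the case where the AP's own LAN address is pushed as a resolver alongside a custom push. The sample log lines are constructed to mirror the posted ones with RFC 5737 / RFC 1918 addresses, the AP LAN address (192.168.1.14) is an assumption supplied by the caller, and the warning texts are the checks I would make, not firmware messages. The one firmware-independent fact it relies on is that OpenVPN prints `[undef]` for the wildcard address when the socket is bound to all interfaces.

```python
"""Added example, not code from the thread or from Asuswrt-Merlin.

Parses the OpenVPN Connect (core 3.x) client log format posted above and the
server's "link local (bound)" line, then reports the first things to check when
an OpenVPN server behind an AP-mode router misbehaves. Sample logs below are
constructed to mirror the posted ones with RFC 5737 / RFC 1918 addresses.
"""
import ipaddress
import re

# Pushed option line: "1 [dhcp-option] [DNS] [192.168.1.14]" (index, then tokens)
PUSHED_OPT_RE = re.compile(r"^\s*\d+\s+((?:\[[^\]]*\]\s*)+)$")
BRACKET_RE = re.compile(r"\[([^\]]*)\]")
# OpenVPN prints [undef] for the wildcard address, i.e. bound to all interfaces
BIND_RE = re.compile(r"link local \(bound\): \[AF_INET\](\[undef\]|[\d.]+):(\d+)")

def parse_pushed_options(log):
    """Return the options of the last 'OPTIONS:' block as lists of tokens."""
    opts, in_block = [], False
    for line in log.splitlines():
        s = line.rstrip()
        if s.endswith("OPTIONS:") and not s.endswith("PROTOCOL OPTIONS:"):
            opts, in_block = [], True          # a reconnect pushes a fresh set
            continue
        if in_block:
            m = PUSHED_OPT_RE.match(s)
            if m:
                opts.append(BRACKET_RE.findall(m.group(1)))
            elif opts:                         # first non-option line ends the block
                in_block = False
    return opts

def analyse_client_log(log, ap_lan_ip=None):
    """Summarise outcome, pushed DNS servers and routes, and add warnings.
    ap_lan_ip is the AP's own LAN address (an assumption supplied by the caller)."""
    r = {"connected": "EVENT: CONNECTED" in log,
         "timeouts": log.count("EVENT: CONNECTION_TIMEOUT"),
         "poll_timeouts": log.count("Server poll timeout"),
         "dns": [], "routes": [], "redirect_gateway": False, "warnings": []}
    for tok in parse_pushed_options(log):
        if tok[:2] == ["dhcp-option", "DNS"]:
            r["dns"].append(tok[2])
        elif tok[0] == "route" and len(tok) >= 3:
            r["routes"].append(ipaddress.ip_network(f"{tok[1]}/{tok[2]}", strict=False))
        elif tok[0] == "redirect-gateway":
            r["redirect_gateway"] = True
    if not r["connected"] and r["poll_timeouts"]:
        r["warnings"].append("no reply to the handshake: check the port forward on the "
                             "firewall and that the server is listening")
    if len(r["dns"]) > 1:
        r["warnings"].append(f"more than one DNS server pushed {r['dns']}: 'Advertise "
                             "DNS to clients' and a custom push each add an entry")
    for d in r["dns"]:
        if ap_lan_ip and d == ap_lan_ip:
            r["warnings"].append(f"pushed DNS {d} is the AP's own LAN address; verify "
                                 "that it answers queries over the tunnel")
        in_tunnel = r["redirect_gateway"] or any(
            ipaddress.ip_address(d) in n for n in r["routes"])
        if not in_tunnel:
            r["warnings"].append(f"pushed DNS {d} is outside every pushed route and no "
                                 "redirect-gateway was pushed: queries bypass the tunnel")
    return r

def parse_server_bind(log):
    """(address, port) the server socket bound to; 0.0.0.0 means all interfaces."""
    m = BIND_RE.search(log)
    if not m:
        return None
    return ("0.0.0.0" if m.group(1) == "[undef]" else m.group(1)), int(m.group(2))

# Constructed samples, modelled on the posted logs.
FAILED_LOG = """\
2019-50-20 00:50:38 Contacting [198.51.100.7]:1194/UDP via UDP
2019-50-20 00:50:48 Server poll timeout, trying next remote entry...
2019-50-20 00:50:48 EVENT: RECONNECTING
2019-50-20 00:50:58 Server poll timeout, trying next remote entry...
2019-51-20 00:51:09 EVENT: CONNECTION_TIMEOUT [ERR]
"""
TWO_DNS_LOG = """\
2019-08-20 14:16:24 Sending PUSH_REQUEST to server...

2019-08-20 14:16:24 OPTIONS:
0 [route] [192.168.1.0] [255.255.255.240] [vpn_gateway] [500]
1 [dhcp-option] [DNS] [192.168.1.14]
2 [redirect-gateway] [def1]
3 [dhcp-option] [DNS] [192.168.1.1]

2019-08-20 14:16:24 PROTOCOL OPTIONS:
 cipher: AES-256-GCM
2019-08-20 14:16:24 EVENT: CONNECTED yyy@example.ddns.net:1194 (198.51.100.7) via /UDPv4
"""
SERVER_LOG = "Aug 20 00:44:26 ovpn-server1[21828]: UDPv4 link local (bound): [AF_INET][undef]:1194"

if __name__ == "__main__":
    for name, log in (("failed attempt", FAILED_LOG), ("two DNS servers", TWO_DNS_LOG)):
        res = analyse_client_log(log, ap_lan_ip="192.168.1.14")
        print(name, res["connected"], res["dns"], *res["warnings"], sep="\n  ")
    print("server bound to", parse_server_bind(SERVER_LOG))
```

Run against the second successful connection it lists both 192.168.1.14 and 192.168.1.1 as pushed resolvers and warns that two sources are adding DNS entries, which is the situation the custom `push "dhcp-option DNS"` line produced above; against the first log it reports two server poll timeouts and no connection, pointing at the firewall's port forward rather than at the OpenVPN configuration. The bind parser turns the server's `[AF_INET][undef]:1194` line into 0.0.0.0, the wildcard that lets the server accept connections arriving on the AP's LAN interface.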
Try turning off "Advertise DNS to clients" in the menu, but leave the custom PUSH there.
 
The weirdest thing is happening. I'm getting blocked trying to answer your question.

When I click on "Contact Us" at the bottom of the page, nothing happens. I've found myself in a kind of bizarre no man's land.

Does anyone know how you get in touch with the moderators?
 
@thiggins is the site owner. You can send him a private message here.