Are there any tutorials on setting up OpenVPN?

andy_d

Regular Contributor
I found some stuff online but I'm a little confused as some of the articles mention specific services like Torguard. Not sure if I have to pay for a service to use OpenVPN.
 
You might start with whether you are looking to connect your router to a vpn server elsewhere, so that your internet traffic looks like it is coming from the vpn server, or connecting to your router from elsewhere, so it looks like your internet traffic is coming from your router. The Merlin firmware makes the latter pretty easy to set up, by which I mean even I could do it.
 
OpenVPN can be used at home by anyone who has an OpenVPN server associated with their router or NAS box. It will allow you to connect to your server securely over a public internet via an encrypted tunnel.

If you have an OpenVPN server associated with your router you can remotely connect to the internet from a public internet site and securely pass through your home router to your intended destination. OpenVPN on a NAS box will allow you to get files from home while sitting at a public site, securely.

Many routers have OpenVPN server available. Many high end NAS boxes provide OpenVPN server as an app.

Tutorials are available. Regarding router pass through, you need to be careful that you are secure. Some routers with OpenVPN server are said to be secure with little effort. Others provide instructions that give the impression of being secure, but are not even close. Use Google.
 
I set up the 2 Openvpn servers on my Asus RT-AC68U with a view to browsing safely from public wifi as well as safely accessing my network remotely (both of which I can also do using ssh and public-private key pairs).

However, I took the easy way out (and how easy it was!) and set up Openvpn on my iPhone and laptop clients using a 10-character username and a 15-character password. Even though I had set up key-pair security on ssh, I was a little daunted by the tutorials for setting up Openvpn with certificates and keys (although one day I expect I'll feel courageous enough to give it a go).

I know username/passwords aren't as secure as certificates and keys, but I have assumed that for the average user (i.e. someone that the NSA, China, North Korea or Russian cyber-criminals are not specifically targeting), it is - at present - perfectly adequate (provided a sensible password policy is employed).

I'd love to hear if my assumption is reasonable or if I've underestimated the power of the tools available to the average hacker/attacker.

Martin
 
Thanks guys!

huotg01 - I actually mainly used the tutorial that it points to on how to geek. Thanks for this. Still working through some issues but looks like it's mostly related to config mistakes on my end.

elorimer - It's actually the latter that I want to do. I want to be able to connect to any of the machines in my home network including the router. I also would like to just tunnel my connection if I'm on public wifi.

AdvHomeServer - I was more interested in setting up OpenVPN through Merlin. I assumed that it would be secure enough?

Martinr - I actually think that the setup isn't so bad. It does take more work than just using PPTP but really isn't that much more. I think major issues I had with it ( and still have an outstanding issue ) is...

1) The tutorial at how to geek is outdated so some things to consider...

There is a 64bit openvpn now

The setup app does not by default install OpenSSL or easy-rsa. I actually wasted a lot of time trying to figure out what I needed to install etc. All you need to do is be sure to check both RSA and OpenSSL when installing OpenVPN and that should be enough

2) Be sure to follow the tutorial as much as you can. It's fairly simple and probably why I either overlooked a setting or incorrectly set something. The errors I got were mostly because I didn't set my router up correctly with the right settings or forgot / mistyped a line in the client ovpn line

3) You have to run openvpngui as administrator

4) The remaining issue I have is that I can connect to my router now and then connect to any of my PCs but I can't browse the internet from my local laptop.

From the help of someone at Neowin, it seems like this is due to the fact that both networks are set to 192.168.1.x so there are issues with routing since I can't reach the router locally. I'm going to adjust this hopefully by end of tomorrow and report back.
 
I am aware of how-to geek's article. It's good but leaves a bit out. Most articles leave out a thing or two.

For openvpn and dd-wrt, you need to point out a dns server and an option that allows you to use the vpn for your gateway. I think Merlin's software has a few differences here. I have no experience with Merlin's software.

The iptables do not offer a postrouting statement, let alone a correct one. This will make OpenVPN / DD-WRT look like it works, but nothing is secure via the gateway.

Port 1194 is standard openvpn but port 443 is more flexible. TCP is more stable, but slower than UDP.

The lack of a DNS redirect is probably why you can't browse.
 

Carl,

Given the gold-standard quality and clarity of all the tutorials on your website (http://advancedhomeserver.com/), when you are next looking for a project, would you possibly consider adding a tutorial on OpenVPN and Asus-Merlin to your list? Perhaps you've already done much of the donkey work with your 3-part series OpenVPN and DD-WRT?

Not that I'm looking to make extra work for you.

Martin
 
Thank you for your kind words. I don't own a router capable of loading Merlin's software, thus, I have no experience with Merlin's software. I might consider it, but only if I could think of more than one article of interest, I was sure Merlin hadn't already covered the info elsewhere, and I could find a router used and cheap since I already have several routers around the house.
 
I knew there must be a good reason why you hadn't already written such a tutorial. And, if you don't own a router capable of loading Merlin's software, it's all the more altruistic of you to hang around this forum helping out the rest of us.

Best wishes for the new year.

Martin
 
At this point, I think I can write up a tutorial or at the very least update the one on How to Geek hah

1) OpenVPN successfully online after switching the default segment from 192.168.1.x to 192.168.72.x ( this can be anything really )

2) #1 just allowed me to browse the net but not actually route my traffic through the VPN. There is one key line that the tutorial forgets to mention and it is this...

redirect-gateway def1

After adding that line to the client ovpn, I'm able to connect my VPN server + route my traffic through the VPN ( meaning when I check my IP address it's the remote IP and not the local )
 
This is exactly what the "Direct clients to redirect Internet traffic" setting does on the webui.
 
Hey RMerlin. That's good to know then. The tutorial doesn't mention using that option so I didn't even think about it.

I removed the line from the client config and switched that radio button to on - you're right. It does the same thing. Thanks!

I guess I can't blame the tutorial - it does say in the title "how to connect to your home network from anywhere". Not routing VPN traffic.
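
An added example, not part of any post in this thread: a simplified Python model of the client's routing table, showing why identical 192.168.1.x subnets on both sides were a problem and what `redirect-gateway def1` changes once the home LAN is moved to 192.168.72.x. The sample config, hostname and interface names are constructed, and the model assumes the server pushes a route for the home LAN to the client.

```python
import ipaddress

# Constructed sample client config (hostname is a placeholder, not from the thread).
CLIENT_BEFORE = "client\ndev tun\nproto udp\nremote home.example.net 1194\n"
CLIENT_AFTER = CLIENT_BEFORE + "redirect-gateway def1\n"

def has_redirect_gateway(config_text):
    """True if the client config contains an active redirect-gateway directive."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # '#' and ';' start comments in OpenVPN configs
            continue
        if line.split()[0] == "redirect-gateway":
            return True
    return False

def build_routes(local_lan, home_lan, redirect):
    """Simplified client routing table as (network, interface) pairs."""
    net = ipaddress.ip_network
    routes = [(net("0.0.0.0/0"), "wifi"),    # default route learned from the hotspot
              (net(local_lan), "wifi"),      # directly connected hotspot LAN
              (net(home_lan), "vpn")]        # home LAN via the tunnel (assumed pushed)
    if redirect:
        # def1 keeps the original default route and adds two half-range routes;
        # their /1 prefix is longer than /0, so they win for Internet traffic.
        routes += [(net("0.0.0.0/1"), "vpn"), (net("128.0.0.0/1"), "vpn")]
    return routes

def egress(dest, routes):
    """Longest-prefix match; returns 'ambiguous' when both interfaces tie."""
    addr = ipaddress.ip_address(dest)
    matches = [(n.prefixlen, iface) for n, iface in routes if addr in n]
    best = max(plen for plen, _ in matches)
    ifaces = {iface for plen, iface in matches if plen == best}
    return ifaces.pop() if len(ifaces) == 1 else "ambiguous"

if __name__ == "__main__":
    hotspot = "192.168.1.0/24"
    for home, cfg in [("192.168.1.0/24", CLIENT_BEFORE),
                      ("192.168.72.0/24", CLIENT_BEFORE),
                      ("192.168.72.0/24", CLIENT_AFTER)]:
        routes = build_routes(hotspot, home, has_redirect_gateway(cfg))
        home_host = str(ipaddress.ip_network(home)[10])
        print(home, "home host ->", egress(home_host, routes),
              "| internet ->", egress("203.0.113.5", routes))
```

With the redirect active, the hotspot's own /24 still wins for local addresses, so the tunnel covers Internet traffic and the home LAN but not other devices on the public network.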
 
