Asus OpenVPN for Android - simple help needed

Discussion in 'VPN' started by Mpuk7, Mar 13, 2018.

  1. Mpuk7

    Mpuk7 Occasional Visitor

    Joined:
    Mar 11, 2018
    Messages:
    19
    Hi all,

    Sorry this is a really basic request for advice as a follow on to my hacking thread. I have installed Merlin firmware on my Asus RT-AC66U and for remote access have enabled the OpenVPN on there, exported the certificate, installed the app from OpenVPN on my Android phone, imported the certificate and can connect perfectly.
    Thing is, is it as simple as that or have I just opened a huge simple gateway by doing it like this? Should I have made any changes to that default setup? Sorry I googled OpenVPN and couldn't find anything that specific to my setup without going into complex detail. I was just aiming to get it set up and running but with sufficient security.

    Please can someone advise?
     
  3. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    27,094
    Location:
    Canada
    Default OpenVPN settings are safe enough.
     
    Mpuk7 likes this.
  4. Mpuk7

    Mpuk7 Occasional Visitor

    Joined:
    Mar 11, 2018
    Messages:
    19
    Perfect, thanks :)
     
  5. Flipmode11

    Flipmode11 Occasional Visitor

    Joined:
    Jan 27, 2018
    Messages:
    30
    Hi,
    I would highly recommend making some changes - coming from personal experience and the perspective of using PC clients for a long time and then coming into network devices (lower resources)...

    Disclaimer - This all depends greatly on the security you wish to use and how fast the connection to the office is for you...
    For routers (site-to-site) I would normally recommend port :1194 (160bit encryption) - lighter-weight. Then for PCs and mobile devices, I would recommend 160bit to 256bit (port :443) encryption. With VyprVPN I use the next level up after 256bit which is "Chameleon" which is not even OpenVPN-based. But Chameleon is either for when your VPN is being detected by 3rd parties and blocked, or you do not trust the active connection or the remote server. Also check your Authentication Digest, connection Compression and Cipher selection (see below).

    Since I switched from 256bit ( :443) to 160bit ( :1194), either by using a different .ovpn file (downloaded via the VPN provider) or by manual configuration, the broadband has been running much, much faster and more consistently. With half a dozen users and double that again for mobile devices, I don't lose much speed beyond the obvious VPN overhead, and get 1MB/s to 2MB/s which is very good down-under, connecting from home to office!

    Four recommendations to try:
    - Change from a "256bit" OpenVPN profile to "160bit" (port :443 to :1194).
    - Change Auth Digest from "SHA256" to "Auto" (or lower value).
    - Change from "AES-128-GCM:AES-256-GCM:AES-128-CBC:AES-256-CBC" to "AES-256-CBC:AES-128-CBC:BF-CBC" or "BF-CBC" for lower encryption but higher speed.
    - Enable "LZO Adaptive" connection compression.

    But I am no expert. Just what I learnt along the way, reading articles, creating new profiles and testing before overwriting main profile, and performing dozens and dozens of speed tests from multiple geographic locations (ozspeedtest, dslreports, speedtest net). There are numerous options regarding control channel encryption, protocol (UDP/TCP), and so on... But planning these projects is never easy unless you know how many people will be connecting in, plus bandwidth and those inside utilising resources.
    Good luck mate! :D
     
    Last edited: Mar 14, 2018
    Mpuk7 likes this.
  6. Mpuk7

    Mpuk7 Occasional Visitor

    Joined:
    Mar 11, 2018
    Messages:
    19
    Thanks for the info Flipmode, useful stuff. It'll just be me that connects in, at the moment it's just to manage my router at home externally but might look into using it to access my Synology etc going forward.
     
    Flipmode11 likes this.
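
An added example, not code from any poster in this thread or from the Asuswrt-Merlin project: one way to check an exported `.ovpn` client profile for the cipher, auth digest and compression settings discussed above, plus whether the client verifies the server certificate and uses a control-channel key. The directive names are real OpenVPN options; the function names, the host name and both sample profiles are constructed for illustration.

```python
# 64-bit block ciphers (birthday-bound attacks such as SWEET32), plus "none"
WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC", "RC2-CBC", "NONE"}
WEAK_DIGESTS = {"MD5", "MD4", "NONE"}

def parse_profile(text):
    """Map each directive to its argument lists; inline <tag> bodies are skipped."""
    opts, inline = {}, None
    for raw in text.splitlines():
        line = raw.split("#")[0].strip()
        if inline:                          # inside <tag>...</tag>: ignore key/cert body
            if line == f"</{inline}>":
                inline = None
        elif line.startswith("<") and line.endswith(">"):
            inline = line[1:-1]
            opts.setdefault(inline, []).append([])
        elif line and not line.startswith(";"):
            name, *args = line.split()
            opts.setdefault(name, []).append(args)
    return opts

def audit(text):
    """Return findings for one client profile; an empty list means nothing flagged."""
    opts, findings = parse_profile(text), []
    offered = [c for k in ("cipher", "ncp-ciphers", "data-ciphers")
               for a in opts.get(k, []) if a for c in a[0].upper().split(":")]
    findings += [f"weak cipher offered: {c}" for c in offered if c in WEAK_CIPHERS]
    findings += [f"weak auth digest: {a[0]}" for a in opts.get("auth", [])
                 if a and a[0].upper() in WEAK_DIGESTS]
    comp = [a for a in opts.get("comp-lzo", []) if a[:1] != ["no"]]
    comp += [a for a in opts.get("compress", []) if a and a[0].startswith("lz")]
    if comp:
        findings.append("compression enabled")
    if "remote-cert-tls" not in opts and "verify-x509-name" not in opts:
        findings.append("server certificate role/name not verified")
    if "tls-auth" not in opts and "tls-crypt" not in opts:
        findings.append("no tls-auth/tls-crypt key on control channel")
    return findings

# Constructed sample profiles (hypothetical host; key material elided)
HARDENED = """remote vpn.example.net 1194
ncp-ciphers AES-128-GCM:AES-256-GCM
auth SHA256
remote-cert-tls server
<tls-crypt>
(key elided)
</tls-crypt>
"""
RELAXED = (HARDENED.replace("AES-128-GCM:AES-256-GCM", "AES-256-CBC:AES-128-CBC:BF-CBC")
           .replace("auth SHA256", "comp-lzo adaptive"))
```

`audit(HARDENED)` returns an empty list, while `audit(RELAXED)` reports the BF-CBC entry in the cipher list and the enabled LZO compression.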