
Asus OpenVPN for Android - simple help needed


Mpuk7

Regular Contributor
Hi all,

Sorry this is a really basic request for advice as a follow on to my hacking thread. I have installed Merlin firmware on my Asus RT-AC66U and for remote access have enabled the OpenVPN on there, exported the certificate, installed the app from OpenVPN on my Android phone, imported the certificate and can connect perfectly.
Thing is, is it as simple as that or have I just opened a huge simple gateway by doing it like this? Should I have made any changes to that default setup? Sorry I googled OpenVPN and couldn't find anything that specific to my setup without going into complex detail. I was just aiming to get it set up and running but with sufficient security.

Please can someone advise?
 
Default OpenVPN settings are safe enough.
 
Hi,
I would highly recommend making some changes - coming from personal experience and the perspective of using PC clients for a long time and then coming into network devices (lower resources)...

Disclaimer - This all depends greatly on the security you wish to use and how fast the connection to the office is for you...
For routers (site-to-site) I would normally recommend port :1194 (160bit encryption) - lighter-weight. Then for PCs and mobile devices, I would recommend 160bit to 256bit (port :443) encryption. With VyprVPN I use the next level up after 256bit which is "Chameleon" which is not even OpenVPN-based. But Chameleon is either for when your VPN is being detected by 3rd parties and blocked, or you do not trust the active connection or the remote server. Also check your Authentication Digest, connection Compression and Cipher selection (see below).

Since I switched from 256bit ( :443) to 160bit ( :1194) (by using a different .ovpn file (download via VPN provider) or by manual configuration) the broadband has been running much, much faster and more consistently. With half a dozen users and double that again for mobile devices, I don't miss much speed other than the obvious VPN overhead, and get 1MB/s to 2MB/s which is very good down-under, connecting from home to office!

Four recommendations to try:
- Change from a "256bit" OpenVPN profile to "160bit" (port :443 to :1194).
- Change Auth Digest from "SHA256" to "Auto" (or lower value).
- Change from "AES-128-GCM:AES-256-GCM:AES-128-CBC:AES-256-CBC" to "AES-256-CBC:AES-128-CBC:BF-CBC" or "BF-CBC" for lower encryption but higher speed.
- Enable "LZO Adaptive" connection compression.

But I am no expert. Just what I learnt along the way, reading articles, creating new profiles and testing before overwriting main profile, and performing dozens and dozens of speed tests from multiple geographic locations (ozspeedtest, dslreports, speedtest net). There are numerous options regarding control channel encryption, protocol (UDP/TCP), and so on... But planning these projects is never easy unless you know how many people will be connecting in, plus bandwidth and those inside utilising resources.
Good luck mate! :D
 
Thanks for the info Flipmode, useful stuff. It'll just be me that connects in, at the moment it's just to manage my router at home externally but might look into using it to access my Synology etc going forward.
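
Added example, not part of any post in this thread: a small Python check that reads an exported .ovpn client profile and reports the cipher, auth digest, compression and control-channel key settings discussed above. The sample profile and host name are constructed; the directive names are standard OpenVPN options, and which of them a given router export contains is an assumption.

```python
import re

# Constructed sample profile (not from the thread); it uses the options the posts mention.
SAMPLE_OVPN = """\
client
proto udp
remote vpn.example.net 1194
cipher BF-CBC
data-ciphers AES-256-GCM:AES-128-GCM:BF-CBC
auth SHA1
comp-lzo adaptive
<ca>
(constructed placeholder, no real certificate)
</ca>
"""

def parse_profile(text):
    """Map each directive to its argument lists; inline <blocks> are recorded by name only."""
    opts, block = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if block:                      # inside <ca>, <key>, <tls-crypt>, ...
            block = None if line == f"</{block}>" else block
            continue
        tag = re.fullmatch(r"<([\w-]+)>", line)
        if tag:
            block = tag.group(1)
            opts.setdefault(block, []).append(["inline"])
        elif line and line[0] not in "#;":
            name, *args = line.split()
            opts.setdefault(name, []).append(args)
    return opts

def audit(opts):
    """Return findings on cipher, digest, compression and control-channel key settings."""
    found = []
    offered = {c.upper() for k in ("cipher", "data-ciphers", "ncp-ciphers")
               for args in opts.get(k, []) if args for c in args[0].split(":")}
    found += [f"64-bit block cipher offered: {c}" for c in sorted(offered)
              if re.match(r"BF|DES|CAST5|RC2", c)]
    for args in opts.get("auth", []):
        if args and args[0].upper() in ("NONE", "MD5", "SHA1"):
            found.append(f"auth digest below SHA256: {args[0]}")
    if any(a != ["no"] for a in opts.get("comp-lzo", [])) or \
       any(a and not a[0].startswith("stub") for a in opts.get("compress", [])):
        found.append("compression enabled on the tunnel")
    if not {"tls-auth", "tls-crypt", "tls-crypt-v2"} & opts.keys():
        found.append("no tls-auth/tls-crypt key for the control channel")
    return found

if __name__ == "__main__":
    for finding in audit(parse_profile(SAMPLE_OVPN)):
        print("-", finding)
```

An empty result means none of these four settings was flagged; it does not cover certificate handling or server-side configuration.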
 
