Asus RT-AC68U Merlin 384.19 VPN setup


BVavra

Occasional Visitor
I am trying to set up a VPN to remotely connect to my Synology NAS by running an OpenVPN server on my 68U. Why have the server on the router and not the NAS?? Because having remote access to my entire network could be convenient and why not have secure traffic for all of my devices.

I have followed L&LD's guide to setting up the router with the new firmware and various threads on setting up the VPN but I still can't connect to the router through the VPN. I am testing the connection from my iPhone with the wifi turned off.

Current settings:

1602265395636.png


Port Forward settings:
Internal IP Address is the address of my router.
Should it be my WAN IP or a specific device on my network?
I do have a DDNS setup through asuscomm.com
1602266372983.png


Modem settings:

1602266591959.png


To test the connection I try to connect with the OpenVPN app on my iPhone. Once I get this figured out I will change the ports to something other than the default.

I appreciate any and all help. This is a bit over my head.
 

eibgrad

Very Senior Member
Port forwarding is unnecessary and irrelevant if the RT-AC68U is your primary router (i.e., has the public IP on its WAN).

Btw, the OpenVPN server on your NAS does NOT allow access to the rest of your LAN?! That seems odd. I see no reason that would be the case. And there's an argument to be made about keeping the OpenVPN server (even the OpenVPN client) off the primary router.
 

CaptainSTX

Part of the Furniture
Just to confirm:

1. You have downloaded the OpenVPN app from the Apple Store to your phone. It is the one with the orange circle with a keyhole in the center?
2. With this app installed you exported the OVPN file from the router then uploaded and installed it on the iPhone?
3. You are not double NATing the AC68 behind another router?
4. You have the DDNS from ASUS or another provider correctly resolving?
 

BVavra

Occasional Visitor
Port forwarding is unnecessary and irrelevant if the RT-AC68U is your primary router (i.e., has the public IP on its WAN).
Did not know that. The RT-AC68U is the primary router. The modem from the ISP is also a router (Arris NVG433B) but I have the radios turned off and the Asus connected via LAN.

Btw, the OpenVPN server on your NAS does NOT allow access to the rest of your LAN?! That seems odd. I see no reason that would be the case. And there's an argument to be made about keeping the OpenVPN server (even the OpenVPN client) off the primary router.
I know the OpenVPN server on the NAS will not allow access to the rest of the LAN. I plan on putting it on the router, which will allow access to the LAN, correct?
 

BVavra

Occasional Visitor
Just to confirm:

1. You have downloaded the OpenVPN app from the Apple Store to your phone. It is the one with the orange circle with a keyhole in the center?
2. With this app installed you exported the OVPN file from the router then uploaded and installed it on the iPhone?
3. You are not double NATing the AC68 behind another router?
4. You have the DDNS from ASUS or another provider correctly resolving?
1. Correct
2. Correct
3. It looks like I do. How do I fix it? The first two IPs are not the same. I have tried putting the ISP's modem/router in transparent bridge mode but my connection speed gets throttled, drastically, and it's not the greatest to begin with.
4. I'm assuming so. How would I know? Here is the screenshot of what the router shows.

1602273264624.png

1602272898545.png

1602272991077.png
 

elorimer

Very Senior Member
Look at the ddns entries in the wiki for the double nat situation.
 

ColinTaylor

Part of the Furniture
@BVavra You have double NAT. You either need to put the Arris into bridge mode or forward the VPN port on the Arris.

There's no reason why you can't use the VPN server on the NAS to access your LAN. There are plenty of people posting on these forums that do that.
 

elorimer

Very Senior Member

BVavra

Occasional Visitor
@BVavra You have double NAT. You either need to put the Arris into bridge mode or forward the VPN port on the Arris.
I cannot put the Arris in bridge mode. I have tried several times and it severely throttles my connection speeds. I contacted my ISP and they have been less than helpful.

So, forward port 1194 (default) on the Arris to my router... then what? Do I need to do anything on the router side? How do I know the port is actually being forwarded?

1602286200425.png


Global Port Range: 1194-1194
Local Base Port: 1194?

I tried this before with no luck.

There's no reason why you can't use the VPN server on the NAS to access your LAN. There are plenty of people posting on these forums that do that.
Accessing the LAN is not the primary objective, accessing the NAS is. I just figured putting the VPN on the outside edge of the network would be the most beneficial.
 

ColinTaylor

Part of the Furniture
I am not familiar with the Arris but basically you need to forward UDP port 1194 to the WAN IP address of the Asus (which you have unhelpfully blanked out but starts with 192.168....). You also need to ensure you have removed any similar port forwarding rules you created on the Asus.

After that check the "remote" line in the ovpn file you imported on your client is valid.
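
The checks discussed in this thread (is the Asus WAN address private, does the modem forward the same protocol and port that the client profile dials, does the DDNS name resolve to a public address) can be run together. This is an added example, not part of any post or of the Asuswrt-Merlin project; the function names, the sample profile and all addresses are constructed, and the DDNS result is passed in as an argument so the script runs offline.

```python
import ipaddress

# RFC 1918 private space plus RFC 6598 carrier-grade NAT space.
NON_PUBLIC = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]

# Constructed sample profile, not an export from the thread.
SAMPLE_OVPN = """\
# client profile
client
dev tun
proto tcp-client
remote example.asuscomm.com 1194
"""

def behind_nat(ip):
    """True if this address cannot be reached directly from the internet."""
    return any(ipaddress.ip_address(ip) in net for net in NON_PUBLIC)

def parse_remote(ovpn_text):
    """Return (host, port, proto) the client will dial, applying OpenVPN defaults."""
    host = r_port = r_proto = None
    port, proto = "1194", "udp"              # OpenVPN defaults
    for raw in ovpn_text.splitlines():
        words = raw.strip().split()
        if not words or words[0][0] in "#;":  # blank line or comment
            continue
        if words[0] == "proto" and len(words) > 1:
            proto = words[1]
        elif words[0] == "port" and len(words) > 1:
            port = words[1]
        elif words[0] == "remote" and host is None and len(words) > 1:
            host = words[1]                   # remote <host> [port] [proto]
            r_port = words[2] if len(words) > 2 else None
            r_proto = words[3] if len(words) > 3 else None
    proto = r_proto or proto
    return host, int(r_port or port), "tcp" if proto.startswith("tcp") else "udp"

def check(ovpn_text, router_wan_ip, modem_forwards, ddns_ip):
    """modem_forwards: (proto, port, target_ip) rules on the upstream modem."""
    host, port, proto = parse_remote(ovpn_text)
    findings = []
    if host is None:
        findings.append("no 'remote' line in the profile")
    if behind_nat(ddns_ip):
        findings.append(f"DDNS resolves to {ddns_ip}, which is not a public address")
    if behind_nat(router_wan_ip) and (proto, port, router_wan_ip) not in modem_forwards:
        findings.append(f"double NAT: modem must forward {proto}/{port} to {router_wan_ip}")
    return findings
```

An empty list from `check` means the profile, the modem rule and the DDNS record agree; a UDP-only forward paired with a TCP profile, or the reverse, is reported as a missing forward.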
 

BVavra

Occasional Visitor
I am not familiar with the Arris but basically you need to forward UDP port 1194 to the WAN IP address of the Asus (which you have unhelpfully blanked out but starts with 192.168....). You also need to ensure you have removed any similar port forwarding rules you created on the Asus.

After that check the "remote" line in the ovpn file you imported on your client is valid.
It works on TCP but not on UDP. I've read a thread on here that someone else had the same result. Is that acceptable?
 

oOMrYairOo

Occasional Visitor
It works on TCP but not on UDP. I've read a thread on here that someone else had the same result. Is that acceptable?
Why do you have double NAT? Put your modem in bridge mode and then the Asus will have a public IP instead of a private 192.168.X.X/24.
 

ColinTaylor

Part of the Furniture
It works on TCP but not on UDP. I've read a thread on here that someone else had the same result. Is that acceptable?
Yes TCP is also fine (I'm assuming you had to change your VPN server from UDP shown in post #1 to TCP and export the ovpn file again). TCP has a slightly higher overhead than UDP meaning that the throughput may be slightly lower. However UDP can be unreliable, especially over cellphone connections with poor signal strength.
 

BVavra

Occasional Visitor
Why do you have double NAT? Put your modem in bridge mode and then the Asus will have a public IP instead of a private 192.168.X.X/24.
I can't put the ISP (Frontier Communications) modem in bridge mode. Every time I do, the internet disconnects and I have to do a manual reset because I can't reach it via GUI in a browser.

I had everything working with the port forward but after about 3 hours the internet stopped working but said I was still connected. I had a blue light on the modem that was usually green. After some research it was indicating a router configuration error, which I can only figure is the port forward.

Now I'm back to the drawing board.

These are my current settings.
1602428268188.png


These are my options. I am going to try to use DHCP and see if that works any better. Before anyone suggests it, transparent bridging stops my internet traffic.

1602428311349.png
 

BVavra

Occasional Visitor
Yes TCP is also fine (I'm assuming you had to change your VPN server from UDP shown in post #1 to TCP and export the ovpn file again). TCP has a slightly higher overhead than UDP meaning that the throughput may be slightly lower. However UDP can be unreliable, especially over cellphone connections with poor signal strength.

I had to change the VPN server settings to match and re-export the ovpn file. It was working and I was very excited but then..... see the post above.
 

BVavra

Occasional Visitor
I have tried adding my ASUS router to the DMZ on the modem and I still have a double NAT. When I set up a Static NAT the traffic stops.

Would setting up DDNS help me? I'm running out of options.
 

ColinTaylor

Part of the Furniture
You said you were going to try DHCP instead of DHCP with 802.1x. Is that working?

I have tried adding my ASUS router to the DMZ on the modem and I still have a double NAT.
Yes you will have.

When I set up a Static NAT the traffic stops.
Where are you seeing the option to set up a Static NAT? EDIT: Never mind, it wouldn't make any difference even if it worked, it's still NAT.

Would setting up DDNS help me?
No.
 

BVavra

Occasional Visitor
My WAN connection said "waiting for IP" but never connected.
Call me a liar. I just tried it again and it connected and is working for the time being.

I'm going to set up the port forwarding and see if that sticks.
 
