Asuswrt-Merlin Site-to-Site VPN with (2) RT-AC86U, coming from DD-WRT (How to?)


cfm56

Occasional Visitor
Guys,
I've been googling and searching for a day and a half and I'm coming up with bits and pieces on how to do this, but nothing concrete. Was hoping someone could give me some insight on how to pull this off.

Our company has 2 offices, currently TAP bridged with DD-WRT, on 2 Asus RT-AC68U (read six-eight). It works perfectly, save for the fact that DD-WRT crashes daily on one router (probably due to the workload), and throughput between sites is 50ish... We're using TAP\Bridged VPN instead of TUN because we need to function as one complete office where everything crosses back and forth, DNS, AD, etc... between employees at both sites.

After reading about the horsepower of the new RT-AC86U (read eight-six....geez, you think they could make it more confusing?) we decided to upgrade to the new units. Seeing that they are not DD-WRT compatible, and thinking those firmwares are increasingly buggy, we went with Merlin.

The conversion of DDWRT scripts over to Merlin seems cryptic to me. Sometimes I think I can just paste these scripts into nat-start and firewall-start, then other times I'm not so sure. I also see people setting it up directly in the gui interface too....

What do you guys say is the best way to do this? Here is a diagram of what I'm trying to do.


I did find this link where a guy was setting up one side in Merlin and the other side on a RasPi, via the GUI on the router side:
https://www.snbforums.com/threads/need-help-with-creating-bridged-vpn-tap.32844/

But all this seems like it's not well documented on the Merlin side of things... or at least my situation isn't.

Can y'all take a look!? thanks!


Here are my DD-WRT router scripts which work:


__________________CLIENT ROUTER STARTUP__________
cd /tmp
ln -s /usr/sbin/openvpn /tmp/myvpn
./myvpn --mktun --dev tap0
brctl addif br0 tap0
ifconfig tap0 0.0.0.0 promisc up
sleep 5

echo "
client
daemon
dev tap0
proto udp
remote <CLIENT SIDE WAN IP> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
comp-lzo
verb 3
" > /tmp/client.conf

echo "
-----BEGIN CERTIFICATE (ABBREVIATED FOR CHAR LIMIT)-----
XXXXDDCCA/SgAwIBAgIJANoufcXAyUn0MA0GCSqGSIb3DQEBCwUAMIG0MQswCQYD
VQQGEwJVUzELMAkGA1UECBMCR0ExFjAUBgNVBAcTDUZsb3dlcnlCcmFuY2gxFTAT
-----END CERTIFICATE-----
" > /tmp/ca.crt

echo "
-----BEGIN PRIVATE KEY-----
XXXXvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDXwLr5FcKH03yn
A2qZnGGBmTjyAN5bAFDkhIZ3t9RzZeFgwti1EO2Mrd4gwAbVO+qUwCKGDg57OVHB
-----END PRIVATE KEY-----
" > /tmp/client.key
chmod 600 /tmp/client.key

echo "
-----BEGIN CERTIFICATE-----
XXXXUDCCBDigAwIBAgIBATANBgkqhkiG9w0BAQsFADCBtDELMAkGA1UEBhMCVVMx
CzAJBgNVBAgTAkdBMRYwFAYDVQQHEw1GbG93ZXJ5QnJhbmNoMRUwEwYDVQQKEwxT
-----END CERTIFICATE-----
" > /tmp/client.crt

./myvpn --config client.conf

route add -net 192.168.1.0/24 dev br0

______________CLIENT ROUTER FIREWALL____________
#DROP DHCP FROM PASSING THRU THE VPN

ebtables -A INPUT --in-interface tap0 --protocol ipv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -A INPUT --in-interface tap0 --protocol ipv4 --ip-protocol udp --ip-source-port 67:68 -j DROP
ebtables -A FORWARD --out-interface tap0 --protocol ipv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -A FORWARD --out-interface tap0 --protocol ipv4 --ip-protocol udp --ip-source-port 67:68 -j DROP


_____________SERVER ROUTER STARTUP_________________
WANIF=`get_wanface`
ifconfig $WANIF:2 <SERVER SIDE WAN IP1> netmask 255.255.255.248 broadcast <SERVER SIDE GATEWAY>
ifconfig $WANIF:3 <SERVER SIDE WAN IP2> netmask 255.255.255.248 broadcast <SERVER SIDE GATEWAY>
ifconfig $WANIF:4 <SERVER SIDE WAN IP3> netmask 255.255.255.248 broadcast <SERVER SIDE GATEWAY>
ifconfig $WANIF:5 <SERVER SIDE WAN IP3> netmask 255.255.255.248 broadcast <SERVER SIDE GATEWAY>

# Begin VPN
cd /tmp
openvpn --mktun --dev tap0
brctl addif br0 tap0
ifconfig tap0 0.0.0.0 promisc up

echo "
# Tunnel options
mode server # Set OpenVPN major mode
proto udp # Setup the protocol (server)
port 1194 # TCP/UDP port number
dev tap0 # TUN/TAP virtual network device
keepalive 15 60 # Simplify the expression of --ping
daemon # Become a daemon after all initialization
verb 3 # Set output verbosity to n
comp-lzo # Use fast LZO compression

# OpenVPN server mode options
client-to-client # tells OpenVPN to internally route client-to-client traffic
duplicate-cn # Allow multiple clients with the same common name

# TLS Mode Options
tls-server # Enable TLS and assume server role during TLS handshake
ca ca.crt # Certificate authority (CA) file
dh dh1024.pem # File containing Diffie Hellman parameters
cert server.crt # Local peer's signed certificate
key server.key # Local peer's private key
" > openvpn.conf

echo "
-----BEGIN CERTIFICATE-----
INSERT YOUR ca.crt HERE
-----END CERTIFICATE-----
" > ca.crt
echo "
-----BEGIN CERTIFICATE-----
XXXDDCCA/SgAwIBAgIJANoufcXAyUn0MA0GCSqGSIb3DQEBCwUAMIG0MQswCQYD
VQQGEwJVUzELMAkGA1UECBMCR0ExFjAUBgNVBAcTDUZsb3dlcnlCcmFuY2gxFTAT
-----END CERTIFICATE-----
" > server.key
chmod 600 server.key
echo "
-----BEGIN CERTIFICATE-----
XXXajCCBFKgAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBtDELMAkGA1UEBhMCVVMx
CzAJBgNVBAgTAkdBMRYwFAYDVQQHEw1GbG93ZXJ5QnJhbmNoMRUwEwYDVQQKEwxT
-----END CERTIFICATE-----
" > server.crt
echo "
-----BEGIN DH PARAMETERS-----
XXXCAKCAQEA1zDLMGs9wYtPRaKD4krtEABijPS0yB58l7OUX3KSkcgw2R7uj5lh
jFkHojQFuxB0ITDgk8Z4rgUdh7EKCjna6Xy41V/aXLljqRiw9DnHpcirYUjHGRtS
-----END DH PARAMETERS-----
" > dh1024.pem

sleep 5
ln -s /usr/sbin/openvpn /tmp/myvpn
/tmp/myvpn --config openvpn.conf

route add -net 192.168.1.0/24 dev br0

#Prevent DHCP from being routed across the tunnel

echo "begin-base64 644 -" > /tmp/ebt_ip.o.gz.u64
echo "H4sIADwAAAACA5VWz28bVRD+dteON20KG9eq3BJUB21UVy1m2+RQRCO5cX5w" >>
uudecode /tmp/ebt_ip.o.gz.u64 | gunzip -cd > /tmp/ebt_ip.o

sleep 15 ; insmod ebtables ; insmod ebtable_filter ; insmod /tmp/ebt_ip.o &
sleep 25 ; ebtables -I INPUT -i tap0 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP &
sleep 5 ; ebtables -I OUTPUT -o tap0 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP &

____________________SERVER ROUTER FIREWALL______________
#_______________________NAT COMPUTER 1_________________________________

# WAN <SERVER SIDE WAN IP> -> LAN 192.168.1.35 (xxxxxx.net)
iptables -t nat -I PREROUTING -d <SERVER SIDE WAN IP> -j DNAT --to 192.168.1.35
iptables -t nat -I POSTROUTING -s 192.168.1.35 -j SNAT --to <SERVER SIDE WAN IP>
iptables -I FORWARD -d 192.168.1.35 -p tcp --dport 25 -j ACCEPT
iptables -I FORWARD -d 192.168.1.35 -p tcp --dport 80 -j ACCEPT
iptables -I FORWARD -d 192.168.1.35 -p tcp --dport 443 -j ACCEPT


#_______________________NAT COMPUTER 2_________________________________

# WAN <SERVER SIDE WAN IP2> -> LAN 192.168.1.9 (Connections)
iptables -t nat -I PREROUTING -d <SERVER SIDE WAN IP2> -j DNAT --to 192.168.1.9
iptables -t nat -I POSTROUTING -s 192.168.1.9 -j SNAT --to <SERVER SIDE WAN IP2>
iptables -I FORWARD -d 192.168.1.9 -p tcp --dport 9080 -j ACCEPT
iptables -I FORWARD -d 192.168.1.9 -p tcp --dport 9081 -j ACCEPT


#_______________________DDWRT Router_________________________________
# WAN <SERVER SIDE WAN IP3> -> LAN 192.168.1.100
/usr/sbin/iptables -I INPUT -p udp --dport 1194 -j ACCEPT



#_______________________Mail (RDS)_________________________________

# WAN <SERVER SIDE WAN IP4> -> LAN 192.168.1.11 (Mail)
iptables -t nat -I PREROUTING -d <SERVER SIDE WAN IP4> -j DNAT --to 192.168.1.11
iptables -t nat -I POSTROUTING -s 192.168.1.11 -j SNAT --to <SERVER SIDE WAN IP4>
iptables -I FORWARD -d 192.168.1.11 -p tcp --dport 25 -j ACCEPT
iptables -I FORWARD -d 192.168.1.11 -p tcp --dport 1352 -j ACCEPT


#_______________________NAT COMPUTER 3___________________

# WAN <SERVER SIDE WAN IP5> -> LAN 192.168.1.13
iptables -t nat -I PREROUTING -d <SERVER SIDE WAN IP5> -j DNAT --to 192.168.1.13
iptables -t nat -I POSTROUTING -s 192.168.1.13 -j SNAT --to <SERVER SIDE WAN IP5>
iptables -I FORWARD -d 192.168.1.13 -p tcp --dport 9080 -j ACCEPT
iptables -I FORWARD -d 192.168.1.13 -p tcp --dport 9081 -j ACCEPT

Thanks in advance, for any suggestions and advice. I want to do this the right way that can generate the fastest throughput, and I understand Merlin has it down.

cfm56
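Before carrying the two configs above over to the new routers, it is worth running them through a quick audit for the settings a reviewer would flag. The script below is an added example, not code from the original post or from Asuswrt-Merlin; the two sample configs are copied from the DD-WRT scripts in the post, and the check list and remediation text are the example's own assumptions.

```python
"""Audit the posted OpenVPN client/server configs for weak or deprecated
settings. Added example; the sample configs are constructed from the
scripts in the post above, the checks are this example's own."""

# Constructed sample: client.conf from the CLIENT ROUTER STARTUP script.
CLIENT_CONF = """
client
dev tap0
proto udp
remote <CLIENT SIDE WAN IP> 1194
ns-cert-type server
comp-lzo
verb 3
"""

# Constructed sample: openvpn.conf from the SERVER ROUTER STARTUP script.
SERVER_CONF = """
mode server # Set OpenVPN major mode
proto udp
port 1194
dev tap0
comp-lzo # Use fast LZO compression
client-to-client
duplicate-cn # Allow multiple clients with the same common name
tls-server
ca ca.crt
dh dh1024.pem # File containing Diffie Hellman parameters
cert server.crt
key server.key
"""

def parse(conf):
    """Return {option: [args]}, ignoring blank lines and '#' comments."""
    opts = {}
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, *args = line.split()
            opts[key] = args
    return opts

def audit(conf):
    """Return a list of (option, finding) tuples; an empty list means clean."""
    o = parse(conf)
    findings = []
    if "ns-cert-type" in o:  # removed in OpenVPN 2.5
        findings.append(("ns-cert-type", "deprecated; use 'remote-cert-tls server'"))
    if "comp-lzo" in o or "compress" in o:  # compression of TLS-protected traffic
        findings.append(("comp-lzo", "drop compression; it leaks plaintext properties"))
    if "duplicate-cn" in o:  # one cert shared by several peers
        findings.append(("duplicate-cn", "issue one certificate per site instead"))
    if "dh" in o and "1024" in o["dh"][0]:  # 1024-bit DH is below current minimums
        findings.append(("dh", "regenerate DH parameters at 2048 bits or more"))
    if "tls-auth" not in o and "tls-crypt" not in o:  # control channel unauthenticated
        findings.append(("tls-auth", "add tls-crypt or tls-auth to the control channel"))
    return findings
```

Run `audit(CLIENT_CONF)` and `audit(SERVER_CONF)` to see which of the posted settings would be worth changing while migrating, whichever firmware ends up hosting them.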
 

somms

Regular Contributor

https://i.imgur.com/1ORcgLZ.png


https://i.imgur.com/hv2LARi.jpg


End to end TAP udp via port 1194 OpenVPN tunnel throughput pictured above of XMission's Utopia active ethernet fiber network 1 Gbps up/down throughput on both ends.

https://i.imgur.com/z3vpFiE.png

https://i.imgur.com/2jU9pZ3.jpg

Pictured above is the normal https://xmission.com/utopia throughput attained on either end of this test over the Utopia fiber network...

FWIW: Although not an AC88U, my RT-AC86U gateway OpenVPN Server router is able to achieve the above throughput for remote OpenVPN clients running under Merlin's latest RT-AC86U_384.6_alpha2-g5b076fc87 test build...

My OpenVPN server gateway AC86U successfully configured pictured above for a TAP/UDP via port 1194 to remote OpenVPN client router(s)...
 

djrm

Regular Contributor
@Odkrys May I ask you if this is still working in 386.2? I'm asking in another post if anyone knows anything about this but no answer yet.
I'm trying to make a custom build with this option for an ax88u but any attempt results in simply losing the ipsec button from the GUI... I would appreciate any help on this. Thanks
 

john9527

Part of the Furniture
@Odkrys May I ask you if this is still working in 386.2? I'm asking in another post if anyone knows anything about this but no answer yet.
I'm trying to make a custom build with this option for an ax88u but any attempt results in simply losing the ipsec button from the GUI... I would appreciate any help on this. Thanks
I took a look at the code, and the target.mak change should work. Did you possibly edit the file with a Windows/DOS editor and change the file format?
 

djrm

Regular Contributor
Thanks @john9527 !!
I edited the file with nano on an Ubuntu machine.... Any other consideration to have in mind after the SVR by CLI change in the file and before running the make....?
 

john9527

Part of the Furniture
Thanks @john9527 !!
I edited the file with nano on an Ubuntu machine.... Any other consideration to have in mind after the SVR by CLI change in the file and before running the make....?
No, can't think of anything off the top of my head. If you like, I can try and do a build for you with the change as a check.
 

djrm

Regular Contributor
I would appreciate it, so I can test and confirm if I'm missing any step during the process
 

djrm

Regular Contributor
Thanks @john9527, so I have tested it and the outcome is the same, so at least I can rule out that I was missing any step in the build. Curiously, the IPsec button is missing from the VPN Server tab but it is still accessible through the path /Advanced_VPN_IPSec.asp. No changes on the VPN client tab...
So I guess this could be something related to the GPL, right?

Thanks once again :)
 

john9527

Part of the Furniture
@djrm
The way that change works is to enable the firmware to support IPSEC server OR IPSEC client.....but not both (there may be a problem trying to configure both at the same time). So not having the server tab is expected. The client settings should show on the VPN client tab though. Did you try clearing your browser cache?

Also, check under Tools in the features section. It should show an entry 'ipsec_cli'.

I put up a build that tries to enable both client and server....but no idea what will happen (same link)
RT-AX88U_386.2_1-ge7f1e123a6.zip
 

djrm

Regular Contributor
@john9527 OMG thank you for that. I knew that option was to enable just server or client (the test to open the server url was just out of curiosity), but I was looking for an IPSEC button in the client tab and it is not there; now I have been exploring the VPN client tab and seen that it is under PPTP/L2TP. So going to VPN Client, then PPTP/L2TP and add profile, and then 3 tabs appear: PPTP, L2TP and IPSEC :D

And yep, ipsec_cli is there in your firmware and also in the one I built, so the issue was that the ipsec option was a bit "hidden"

Again, many thanks for your help!


RMerlin

Asuswrt-Merlin dev
If Asus hasn't enabled it then it may imply they never finalized its implementation.
 
