Basic Merlin Firmare/OpenVPN Questions

[IHazAQuestion]

Hi all,

Noob kid on the block here. Nice to meet everybody!

I have a couple of basic questions. Please forgive my ignorance. I've done a fair bit of Googlin', and DuckDuckGoin' but haven't been able to find clear, direct answers. If there is a clear explanation for any of these questions on a website that I have missed, please include them, I don't mind doing the reading.

On to my questions, I'm a bit new to the whole OpenVPN thing. I understand the basics, but I'm a bit confused of the details surrounding router implementation. I recently signed up for a OpenVPN service and have successfully made a connection on my computer. I have installed Merlin (220.18) on my RT-N66U, and I wanted to understand some basic concepts in using my VPN connection within my router.

As I understand it, when I connect to the VPN to my computer all traffic *from this sole machine* is now by default routed to the secure VPN connection. Is my understanding correct?

As I look the Merlin firmware, I realize it allows two VPN setups: Client and Server.

1) If I setup the client, does that mean that the VPN connection that is on my computer begins to act as the "server" for the router? In other words, I connect via the OpenVPN software on my computer. I then activate the "client" on my router, at which point my RTN66U then looks to my computer as the server and then "shares" that connection which is on my computer with all devices on my local network?

1a) Is there a way, for my router to control which VPN server I am connecting to or must that only be done on my computer with the OpenVPN GUI software? For example, my particular VPN company has locations in several countries. Can I log on to these locations via my router, or must I use the software on my desktop?

2) If I setup the server within the router, does that mean that for external locations, my job/school/work are now "clients" to my router, and they will use the client connection that is running on the router to traverse the internet?

I hope my questions are clear (and new), and thank you all in advance.

 

[RMerlin]

The Server function on the router is to allow you to remotely access your home network while you are outside home, by using a client on whatever computer or laptop you are using remotely, and connecting to your home router. This is used for remote access of your LAN devices while outside home.

The client function lets your router connect to a remote server (such as those from OpenVPN providers), and establish a tunnel to it, so your LAN devices can go through that tunnel to access either another LAN network located behind a VPN server, or for anonymous Internet browsing (when using a VPN tunnel provider).

In either case, the computers inside your home network have little to do with the VPN functionality - they are neither VPN clients, nor VPN servers. The router either connects to a remote server, or it accepts incoming connections from outside your network.

If you use the router as a client for a remote VPN server and you wish all computers on your home network to go through the VPN tunnel, you have to configure the client with "Redirect Internet traffic" set to Yes on the router.

 

[IHazAQuestion]

Thank you Merlin. Wow. I was so mistaken (after I realized how mistaken it was a bit embarrassing). Such is the learning process.

Now that I understand, I put in all the proper settings for OpenVPN Client within the router

I clicked the slider to "on", The circle kept going...over 5 mins.

I closed the browser window, and restarted the router. The router worked (I could surf and ping it), but the VPN did not appear to be working (checked whoami). So I went to the router address and it would not prompt me to authenticate and login; in other words, I couldn't connect to the UI in order to fix it. I tried this a couple of times to no avail. So I decided to update the firmware to 246b (from 200.18b)

I put the router into rescue mode and used the firmware restore utility. The firmware uploaded and went to system initializtion to 100%, then said something to the effect of, "Failed to update, router not in rescue mode."??? (I was in rescue mode to upload an initialize, why was it complaining that I now wasn't?)

The router again worked, but I could not login still. So I attempted to reload the firmware again, same process...only this time the firmware uploads 62%...the fails, saying, "The router is not in rescue mode". I get this 3 times. I tried using 200.18b same. Original ASUS firmware...same.

The router seems gone (bricked). I called ASUS and they basically had me do what I had already done and offered to RMA. Before I do that, I wanted to see if you, or anyone else can offer some of the "wizardry alternatives" in order to save the router that I often see in these forums.

Thanks in advance.

 

[RMerlin]

I see no reason for your firmware to have gone corrupted due to simple configuration. Most likely restoring to factory defaults would have resolved your issue. Turn the router off. Press the WPS button. While keeping it pressed, turn it back on. Wait 5 seconds, then release the WPS button.

At that point the router should boot with factory default settings. See if it's now accessible - hopefully the attempts in Recovery Mode didn't leave you with a half-flashed firmware. If it did, simply go back to Recovery mode, and reflash it again.

While using Recovery Mode, make sure nothing is plugged but for that one PC you are using. Unplug even the WAN.

Also make sure you didn't change some network settings on your PC while experimenting with the VPN. Make sure the network card is still on DHCP, and that you run no OpenVPN client on the PC.

 

[IHazAQuestion]

Merlin,

Pressing the WPS button (and the other options you indicated) fixed it right up. I don't know why the tech was telling me to push the other one. I'm back in business, no RMA for me, thank you!.

It took me FOREVER to get the client settings right, the biggest obstacle was that for the Client, the "Certificate Authority" comes from your VPN provider for the particular server you are connecting to, is NOT from the Certificate Authority you create in the How-To-Geek article, I didn't know that. I was using the Certificate Authority *I* had created and it just refused to work (obviously). I was banging my head against that all day until I finally stumbled across this:

http://www.privateinternetaccess.co...-setup-for-newer-branches-including-tomatousb

This is similar to the How-To-Guide, but instead of being for the server, it's for the client. It instantly fixed my problem(s). I'm providing it because I found it helpful maybe another n00b will too. If you like it Merlin you can put the link on your wiki to so you have both configurations (client/server) covered. The How-To-Geek guide doesn't actually provide a "client VPN" walkthrough. Actually other than the one I couldn't find any clear guides for setting up client in the router. Hope it helps.

One final question. The client works on the router, but DNS wasn't working. I didn't see anyplace to put dhcp options, so I tried putting DNS settings under "LAN - DHCP Server". That works, but is that the proper place (and it's only one server option). Is there another place I should be putting the DNS?

 

[RMerlin]

Usually the DNS will be pushed to you by the server. The client's DNS handling is configured through the "Accept DNS Configuration" option. You'll probably want Relaxed or Strict.

Asus's tech support probably had you use the Reset button. That button only works in a case where the firmware can actually succesfully boot. The WPS button on the other hand will work from the bootloader, meaning it will work even if the firmware is corrupted or fails to boot due to corrupted settings.

 

[Builder71]

@IHazAQuestion: I used this guide to configure my OpenVPN connection.

OpenVPN works great on my router!
Big thanks to RMerlin for implementing this.

 

[IHazAQuestion]

Merlin,

Strict DNS worked fine, thanks again. I know I said above it was my final question, but I wanted to sneak in one more...please, pretty please?

I encountered the situation where I couldn't access my router via IP from my desktop. What happens is the browser keeps spinning and never gets me to an authentication window (I tried IE, FF, Opera). This is what caused all the problems in the first place. I noticed this time it resolved itself (it didn't last time), I also tried plugging my laptop directly into another port and it worked fine. In all other ways, the router is functioning fine, other than be being able to login. Ideas?

Builder71,

Thanks for the reference. Unfortunately it only shows how to setup OpenVPN as a server on the router, not as a client on the router. It instead shows you how to setup the client on a desktop. I needed instructions for the client on the router.

 

[escape2]

Builder71,

Thanks for the reference. Unfortunately it only shows how to setup OpenVPN as a server on the router, not as a client on the router. It instead shows you how to setup the client on a desktop. I needed instructions for the client on the router.

Try this:

http://www.wasagacomputers.com/home...te-vpn-using-tomato-firmware-and-openvpn.html

The instructions are based on Tomato firmware, but you should be able to figure it out.

 

[RMerlin]

Merlin,

Strict DNS worked fine, thanks again. I know I said above it was my final question, but I wanted to sneak in one more...please, pretty please?

I encountered the situation where I couldn't access my router via IP from my desktop. What happens is the browser keeps spinning and never gets me to an authentication window (I tried IE, FF, Opera). This is what caused all the problems in the first place. I noticed this time it resolved itself (it didn't last time), I also tried plugging my laptop directly into another port and it worked fine. In all other ways, the router is functioning fine, other than be being able to login. Ideas?

Is the VPN in the same IP block as the LAN (and the router)? If so, you might have an IP conflict.

Also, try accessing the router through its VPN endpoint IP - I'm not sure what happens to traffic aimed at the router if you set the tunnel to route ALL traffic to the remote end.

 

[gbguy71]

VPN connects, but Ping fails

I spent a few days getting OpenVPN Server going on my ASUS RT-N66U (Merlin build 3.0.0.4.260.21). I ran into a few hiccups along the way, but it is working. I'm going to document my issues/solutions here, so that others can hopefully find all the answers in one place. [FWIW - lots of people had the same problems, but there was no one place to find answers]

However, I still have one outstanding problem that needs answering. I can establish a working OpenVPN connection from my Win 7 laptop, but when I try and ping the router I get a timeout. I'm stumped. Any ideas?

NEVER MIND FOUND IT! - I totally missed this Firewall parameter "Respond Ping Request from WAN" (I feel like an idiot. Wasn't the first time and won't be the last either). I'm leaving this post for other mentally challenged users

TIA

 

[node]

Big hello to all;

I am planning my move from DD-WT to Asuswrt-Merlin. I have been reading for the pass few days, and feel it is time I transition. I have not obtain my Asus router as yet but will in a few days time; I am looking at the RT-AC66R at Best Buy. ( Any input advise would be appreciated). The reviews looks good thus far on this unit, hence my reason to go this route.

I do have a few questions however, now in my planning stages:

I connect to my OpenVPN server provider in the States and I am given a .p12 file in which there are three separate files, which I normally extract and obtain a .ca .crt. .key files. I open these with notepad and copy and paste the contents into the location provided under the OpenVPN client in DD-WRT firmware in txt format. I then set the Dyndns address as given by the provider, and the various other settings under the client tab. My Client VPN router is then attached either via repeater mode or cat5 hard cable to my main ISP provider router and my VPN service starts.

I will like to know with version RT-AC66U_3.0.0.4_376.44_0.trx on the RT-AC66R can I do the same or is there a way to upload the .p12 file straight into the OpenVPN client by selection upload as seen on some of the firmware images on the websites and youtube?

I have also read that I can do away with my ISP router which is set to pppoE and use this one router configured properly and achieve the same results. One side I have normal ISP internet and another side have VPN services.

This was one link I read where it was done on DD-WRT but PPTP client running StrongVPN:

http://strongvpn.com/forum/viewtopic.php?id=806

and the other running Asuswrt:

http://forums.smallnetbuilder.com/showthread.php?t=9839

This would be my end goal eventually

I trust someone on the forum can guide me with this. Thanking you kindly.

node...