Feature Request: Running an OpenVPN Server in AP-mode

Discussion in 'Asuswrt-Merlin' started by miroco, Aug 19, 2019.

  1. miroco

    miroco Regular Contributor

    Joined:
    Mar 12, 2014
    Messages:
    62
    A feature request to Asuswrt-Merlin branch

    I've got an rt-ac86u operating in AP-mode behind a firewall. It would be nice to be able to take advantage of the processing power of the rt-ac86u to run an OpenVPN Server on it, even if it's in AP-mode. Requirements that I can think of are a different routing scheme (AP) on the OpenVPN Server and port forwarding on the firewall.

    Let's hear what you think guys.

    https://www.snbforums.com/threads/openvpn-performance-of-the-rt-ac86u.41217/page-2#post-351407

    https://www.google.se/search?dcr=0&...hUKEwi3ps6d2Y_kAhUBxMQBHb4aBdIQ4dUDCAk&uact=5

    Edit!

    In a broader perspective.

    Quite a few people use an open source-based firewall to the all-in-one SOHO router in their homes. The system resources on which such a system is based are in many cases quite low to modest. It's also not uncommon for that kind of setup to have a surplus SOHO router configured in AP-mode to provide wireless coverage. In order to take full advantage of the system resources on the firewall, the idea of moving a function from the firewall to the AP struck me. My thought was, why run an OpenVPN Server on the firewall when the AP has one already, and idle at that, not breaking a sweat providing WiFi coverage?
     
    Last edited: Aug 23, 2019
  2. martinr

    martinr Part of the Furniture

    Joined:
    Nov 27, 2014
    Messages:
    2,108
    Location:
    United Kingdom
  3. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    9,269
    Location:
    UK
    I believe it already does this. All you need to do is forward the port from the router to the AP.
     
  4. miroco

    miroco Regular Contributor

    Joined:
    Mar 12, 2014
    Messages:
    62
    If memory serves me right, Merlin implemented OpenVPN in the Asuswrt code at a time when Asus only offered PPTP.

    An excerpt of the rt-n66u changelog from 2012.

    Code:
    3.0.0.3.178.16 Beta:
       - NEW: (RT-N66U, RT-AC66U) Implemented OpenVPN, based on code written by
              Keith Moyer (from the Tomato project).
    See also:

    https://github.com/RMerl/asuswrt-merlin/wiki/Configuring-OpenVPN-on-Merlin's-fw
     
  5. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    9,269
    Location:
    UK
  6. miroco

    miroco Regular Contributor

    Joined:
    Mar 12, 2014
    Messages:
    62
    If I understand you correctly, there are only a few changes to the web gui to make OpenVPN appear and work in AP-mode?
     
  7. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    9,269
    Location:
    UK
    I could be wrong but I seem to remember people mentioning in other posts that they were running an OpenVPN server in AP mode without any problems. I remember being surprised because I knew it wasn't possible with John's firmware (which I use). But it made sense because in John's firmware the OpenVPN server listens only on the WAN interface whereas in Merlin's it listens on all interfaces (including the LAN interface).

    I suggest you try it for yourself and see if it works.

    EDIT: Sorry, it's just dawned on me that I may be missing your point? :rolleyes: I guess your main problem is that in AP mode you don't have access to the VPN menus in the GUI? That kinda makes sense because even though it's possible to have the VPN server running it's not possible to have the client running. Perhaps it's reachable directly through its URL, http://router.asus.com/Advanced_VPN_OpenVPN.asp . Or maybe they configured it in "router mode", switched to AP mode, and then started it from the command line (service start_vpnserver1).
     
    Last edited: Aug 19, 2019
    martinr likes this.
  8. miroco

    miroco Regular Contributor

    Joined:
    Mar 12, 2014
    Messages:
    62
    This is a first attempt. Any ideas?

    The dates in the log from the iOS OpenVPN client are out of whack, but that's nothing new. The time doesn't match either.

    The DDNS is on the firewall, picking up the public IP address for the OpenVPN client.

    Code:
    2019-50-20 00:50:38 ----- OpenVPN Start -----
    OpenVPN core 3.2 ios arm64 64-bit PT_PROXY built on Oct  3 2018 06:35:04
    
    2019-50-20 00:50:38 Frame=512/2048/512 mssfix-ctrl=1250
    
    2019-50-20 00:50:38 UNUSED OPTIONS
    5 [ncp-ciphers] [AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC]
    13 [resolv-retry] [infinite]
    14 [nobind]
    
    2019-50-20 00:50:38 EVENT: RESOLVE
    2019-50-20 00:50:38 Contacting [115.177.xx.xx]:1194/UDP via UDP
    2019-50-20 00:50:38 EVENT: WAIT
    2019-50-20 00:50:38 Connecting to [xxxxxxxxxxx.ddns.net]:1194 (115.177.xx.xx) via UDPv4
    2019-50-20 00:50:48 Server poll timeout, trying next remote entry...
    2019-50-20 00:50:48 EVENT: RECONNECTING
    2019-50-20 00:50:48 EVENT: RESOLVE
    2019-50-20 00:50:48 Contacting [115.177.xx.xx]:1194/UDP via UDP
    2019-50-20 00:50:48 EVENT: WAIT
    2019-50-20 00:50:48 Connecting to [xxxxxxxxxxx.ddns.net]:1194 (115.177.xx.xx) via UDPv4
    2019-50-20 00:50:58 Server poll timeout, trying next remote entry...
    2019-50-20 00:50:58 EVENT: RECONNECTING
    2019-50-20 00:50:58 EVENT: RESOLVE
    2019-50-20 00:50:58 Contacting [115.177.xx.xx]:1194/UDP via UDP
    2019-50-20 00:50:58 EVENT: WAIT
    2019-50-20 00:50:58 Connecting to [xxxxxxxxxxx.ddns.net:1194 (115.177.xx.xx) via UDPv4
    2019-51-20 00:51:09 EVENT: CONNECTION_TIMEOUT [ERR]
    2019-51-20 00:51:09 Raw stats on disconnect:
    
     BYTES_OUT : 420
     PACKETS_OUT : 30
     CONNECTION_TIMEOUT : 1
     N_RECONNECT : 2
    
    2019-51-20 00:51:09 Performance stats on disconnect:
     CPU usage (microseconds): 54716
     Network bytes per CPU second: 7675
     Tunnel bytes per CPU second: 0
    
    2019-51-20 00:51:09 EVENT: DISCONNECTED
    
    2019-51-20 00:51:09 Raw stats on disconnect:
     BYTES_OUT : 420
     PACKETS_OUT : 30
     CONNECTION_TIMEOUT : 1
     N_RECONNECT : 2
    
    2019-51-20 00:51:09 Performance stats on disconnect:
     CPU usage (microseconds): 54716
     Network bytes per CPU second: 7675
     Tunnel bytes per CPU second: 0
    Server:

    Code:
    Aug 20 00:44:26 ovpn-server1[21827]: OpenVPN 2.4.7 arm-buildroot-linux-gnueabi [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jul 31 2019
    Aug 20 00:44:26 ovpn-server1[21827]: library versions: OpenSSL 1.1.1c  28 May 2019, LZO 2.08
    Aug 20 00:44:26 ovpn-server1[21828]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Aug 20 00:44:26 ovpn-server1[21828]: PLUGIN_INIT: POST /usr/lib/openvpn-plugin-auth-pam.so '[/usr/lib/openvpn-plugin-auth-pam.so] [openvpn]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
    Aug 20 00:44:26 ovpn-server1[21828]: Diffie-Hellman initialized with 2048 bit key
    Aug 20 00:44:26 ovpn-server1[21828]: TUN/TAP device tun21 opened
    Aug 20 00:44:26 ovpn-server1[21828]: TUN/TAP TX queue length set to 1000
    Aug 20 00:44:26 ovpn-server1[21828]: /bin/ip link set dev tun21 up mtu 1500
    Aug 20 00:44:26 ovpn-server1[21828]: /bin/ip addr add dev tun21 10.8.0.1/24 broadcast 10.8.0.255
    Aug 20 00:44:26 ovpn-server1[21828]: updown.sh tun21 1500 1621 10.8.0.1 255.255.255.0 init
    Aug 20 00:44:26 ovpn-server1[21828]: Could not determine IPv4/IPv6 protocol. Using AF_INET
    Aug 20 00:44:26 ovpn-server1[21828]: Socket Buffers: R=[524288->524288] S=[524288->524288]
    Aug 20 00:44:26 ovpn-server1[21828]: UDPv4 link local (bound): [AF_INET][undef]:1194
    Aug 20 00:44:26 ovpn-server1[21828]: UDPv4 link remote: [AF_UNSPEC]
    Aug 20 00:44:26 ovpn-server1[21828]: MULTI: multi_init called, r=256 v=256
    Aug 20 00:44:26 ovpn-server1[21828]: IFCONFIG POOL: base=10.8.0.2 size=252, ipv6=0
    Aug 20 00:44:26 ovpn-server1[21828]: Initialization Sequence Completed
     
    Last edited: Aug 20, 2019
  9. miroco

    miroco Regular Contributor

    Joined:
    Mar 12, 2014
    Messages:
    62
    It does work. I went back to take a look at the port forwarding rule, and I noticed that I had put in the wrong port number 1195 instead of 1194. :D
     
    royarcher, martinr and ColinTaylor like this.
  10. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    9,269
    Location:
    UK
    Good to hear you got it working. How did you do it in the end? Did you have to use either of the "cheats" I mentioned earlier or was there already an option in the GUI?
     
  11. miroco

    miroco Regular Contributor

    Joined:
    Mar 12, 2014
    Messages:
    62
    Maybe I jumped the gun a bit. There is a DNS problem. I tried to add a DNS server using the Custom Configuration field (DNS addr), but I couldn't make it work, neither with a public DNS server nor with the IP address of the firewall.

    Reaching the OpenVPN Server in the web gui in the first place was the first hurdle. I followed up on your idea by cheating, using its URL. It worked surprisingly well.

    I also found out that this is not the first time this issue has been discussed.

    https://www.snbforums.com/threads/vpn-in-ap-mode.49443/
     
  12. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    9,269
    Location:
    UK
    What is the problem exactly? Check what is being pushed to the client in the log file.
     
  13. miroco

    miroco Regular Contributor

    Joined:
    Mar 12, 2014
    Messages:
    62
    As far as I can conclude, the OpenVPN Server adds the AP's IP address as DNS server despite the fact that I have assigned a DNS in the LAN settings.

    Code:
    2019-08-20 13:08:15 ----- OpenVPN Start -----
    OpenVPN core 3.2 ios arm64 64-bit PT_PROXY built on Oct  3 2018 06:35:04
    
    2019-08-20 13:08:15 Frame=512/2048/512 mssfix-ctrl=1250
    
    2019-08-20 13:08:15 UNUSED OPTIONS
    5 [ncp-ciphers] [AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC]
    13 [resolv-retry] [infinite]
    14 [nobind]
    
    2019-08-20 13:08:15 EVENT: RESOLVE
    2019-08-20 13:08:16 Contacting [115.177.xx.xx]:1194/UDP via UDP
    2019-08-20 13:08:16 EVENT: WAIT
    2019-08-20 13:08:16 Connecting to [xxxxxxxxxx.ddns.net]:1194 (115.177.xx.xx) via UDPv4
    2019-08-20 13:08:16 EVENT: CONNECTING
    2019-08-20 13:08:16 Tunnel Options:V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-client
    2019-08-20 13:08:16 Creds: Username/Password
    
    2019-08-20 13:08:16 Peer Info:
    IV_GUI_VER=net.openvpn.connect.ios 3.0.2-894
    IV_VER=3.2
    IV_PLAT=ios
    IV_NCP=2
    IV_TCPNL=1
    IV_PROTO=2
    
    
    2019-08-20 13:08:16 VERIFY OK : depth=0
    cert. version    : 3
    serial number    : 01
    issuer name      : C=TW, ST=TW, L=Taipei, O=ASUS, CN=RT-AC86U, [email protected]
    subject name      : C=TW, ST=TW, L=Taipei, O=ASUS, CN=RT-AC86U, [email protected]
    issued  on        : 2019-08-19 22:36:22
    expires on        : 2029-08-16 22:36:22
    signed using      : RSA with SHA-256
    RSA key size      : 1024 bits
    basic constraints : CA=false
    cert. type        : SSL Server
    key usage        : Digital Signature, Key Encipherment
    ext key usage    : TLS Web Server Authentication
    
    
    2019-08-20 13:08:16 SSL Handshake: TLSv1.2/TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
    2019-08-20 13:08:16 Session is ACTIVE
    2019-08-20 13:08:16 EVENT: GET_CONFIG
    2019-08-20 13:08:16 Sending PUSH_REQUEST to server...
    
    2019-08-20 13:08:16 OPTIONS:
    0 [route] [192.168.1.0] [255.255.255.240] [vpn_gateway] [500]
    1 [dhcp-option] [DNS] [192.168.1.14]
    2 [redirect-gateway] [def1]
    3 [route-gateway] [10.8.0.1]
    4 [topology] [subnet]
    5 [ping] [15]
    6 [ping-restart] [60]
    7 [ifconfig] [10.8.0.2] [255.255.255.0]
    8 [peer-id] [0]
    9 [cipher] [AES-256-GCM]
    
    
    2019-08-20 13:08:16 PROTOCOL OPTIONS:
     cipher: AES-256-GCM
     digest: SHA1
     compress: NONE
     peer ID: 0
    
    2019-08-20 13:08:16 EVENT: ASSIGN_IP
    2019-08-20 13:08:16 NIP: preparing TUN network settings
    2019-08-20 13:08:16 NIP: init TUN network settings with endpoint: 115.177.xx.xx
    2019-08-20 13:08:16 NIP: adding IPv4 address to network settings 10.8.0.2/255.255.255.0
    2019-08-20 13:08:16 NIP: adding (included) IPv4 route 10.8.0.0/24
    2019-08-20 13:08:16 NIP: adding (included) IPv4 route 192.168.1.0/28
    2019-08-20 13:08:16 NIP: redirecting all IPv4 traffic to TUN interface
    2019-08-20 13:08:16 NIP: adding DNS 192.168.1.14
    2019-08-20 13:08:16 Connected via NetworkExtensionTUN
    2019-08-20 13:08:16 EVENT: CONNECTED [email protected]:1194 (115.177.xx.xx) via /UDPv4 on NetworkExtensionTUN/10.8.0.2/ gw=[/]
     

  14. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    9,269
    Location:
    UK
    Why are you using such a small subnet? It should be the same as that of the main LAN. Using something other than /24 can cause unexpected problems.

    Can you provide a screenshot of the router's VPN Details/Advanced Settings page? You might have to add the following line to the Custom Configuration box if there's not a menu option that already does it.

    Code:
    push "dhcp-option DNS 192.168.1.1"
     
  15. miroco

    miroco Regular Contributor

    Joined:
    Mar 12, 2014
    Messages:
    62
    It kind of worked, but still no DNS resolution. It did assign 192.168.1.1 as a DNS server. The problem I guess is that the OpenVPN Server still/also assigns 192.168.1.14 as a DNS server, and my hunch is that they are queried in falling order.

    The smaller subnet is for two reasons: I don't have that many devices and it's easier to find a "lost" device. I have mixed experiences with the "arp -a" command.

    Code:
    2019-08-20 14:16:24 ----- OpenVPN Start -----
    OpenVPN core 3.2 ios arm64 64-bit PT_PROXY built on Oct  3 2018 06:35:04
    
    2019-08-20 14:16:24 Frame=512/2048/512 mssfix-ctrl=1250
    
    2019-08-20 14:16:24 UNUSED OPTIONS
    5 [ncp-ciphers] [AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC]
    13 [resolv-retry] [infinite]
    14 [nobind]
    
    2019-08-20 14:16:24 EVENT: RESOLVE
    2019-08-20 14:16:24 Contacting [115.177.xx.xx]:1194/UDP via UDP
    2019-08-20 14:16:24 EVENT: WAIT
    2019-08-20 14:16:24 Connecting to [xxxxxxxxxx.ddns.net]:1194 (115.177.xx.xx) via UDPv4
    2019-08-20 14:16:24 EVENT: CONNECTING
    2019-08-20 14:16:24 Tunnel Options:V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-client
    2019-08-20 14:16:24 Creds: Username/Password
    
    2019-08-20 14:16:24 Peer Info:
    IV_GUI_VER=net.openvpn.connect.ios 3.0.2-894
    IV_VER=3.2
    IV_PLAT=ios
    IV_NCP=2
    IV_TCPNL=1
    IV_PROTO=2
    
    
    2019-08-20 14:16:24 VERIFY OK : depth=0
    cert. version    : 3
    serial number    : 01
    issuer name      : C=TW, ST=TW, L=Taipei, O=ASUS, CN=RT-AC86U, [email protected]
    subject name      : C=TW, ST=TW, L=Taipei, O=ASUS, CN=RT-AC86U, [email protected]
    issued  on        : 2019-08-19 22:36:22
    expires on        : 2029-08-16 22:36:22
    signed using      : RSA with SHA-256
    RSA key size      : 1024 bits
    basic constraints : CA=false
    cert. type        : SSL Server
    key usage        : Digital Signature, Key Encipherment
    ext key usage    : TLS Web Server Authentication
    
    
    2019-08-20 14:16:24 SSL Handshake: TLSv1.2/TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
    2019-08-20 14:16:24 Session is ACTIVE
    2019-08-20 14:16:24 EVENT: GET_CONFIG
    2019-08-20 14:16:24 Sending PUSH_REQUEST to server...
    
    2019-08-20 14:16:24 OPTIONS:
    0 [route] [192.168.1.0] [255.255.255.240] [vpn_gateway] [500]
    1 [dhcp-option] [DNS] [192.168.1.14]
    2 [redirect-gateway] [def1]
    3 [dhcp-option] [DNS] [192.168.1.1]
    4 [route-gateway] [10.8.0.1]
    5 [topology] [subnet]
    6 [ping] [15]
    7 [ping-restart] [60]
    8 [ifconfig] [10.8.0.2] [255.255.255.0]
    9 [peer-id] [0]
    10 [cipher] [AES-256-GCM]
    
    
    2019-08-20 14:16:24 PROTOCOL OPTIONS:
     cipher: AES-256-GCM
     digest: SHA1
     compress: NONE
     peer ID: 0
    
    2019-08-20 14:16:24 EVENT: ASSIGN_IP
    2019-08-20 14:16:24 NIP: preparing TUN network settings
    2019-08-20 14:16:24 NIP: init TUN network settings with endpoint: 115.177.xx.xx
    2019-08-20 14:16:24 NIP: adding IPv4 address to network settings 10.8.0.2/255.255.255.0
    2019-08-20 14:16:24 NIP: adding (included) IPv4 route 10.8.0.0/24
    2019-08-20 14:16:24 NIP: adding (included) IPv4 route 192.168.1.0/28
    2019-08-20 14:16:24 NIP: redirecting all IPv4 traffic to TUN interface
    2019-08-20 14:16:24 NIP: adding DNS 192.168.1.14
    2019-08-20 14:16:24 NIP: adding DNS 192.168.1.1
    2019-08-20 14:16:24 Connected via NetworkExtensionTUN
    2019-08-20 14:16:24 EVENT: CONNECTED [email protected]:1194 (115.177.xx.xx) via /UDPv4 on NetworkExtensionTUN/10.8.0.2/ gw=[/]
     

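As an added example (not code from the thread, the firmware or either poster), a small Python check that parses the OPTIONS block of an OpenVPN Connect client log like the ones posted above, lists the pushed DNS servers in push order, and flags the two things under discussion: the AP's own address being pushed as a resolver alongside the custom one, and a pushed LAN route whose mask is not the /24 expected for the main LAN. The log excerpt, the AP address argument and the expected prefix are constructed inputs modelled on the thread's values.

```python
import re

# Constructed excerpt in the format of the OpenVPN Connect (iOS) logs posted
# in this thread; addresses are the thread's own anonymised example values.
CLIENT_LOG = """\
2019-08-20 14:16:24 Sending PUSH_REQUEST to server...

2019-08-20 14:16:24 OPTIONS:
0 [route] [192.168.1.0] [255.255.255.240] [vpn_gateway] [500]
1 [dhcp-option] [DNS] [192.168.1.14]
2 [redirect-gateway] [def1]
3 [dhcp-option] [DNS] [192.168.1.1]
4 [route-gateway] [10.8.0.1]
5 [topology] [subnet]
8 [ifconfig] [10.8.0.2] [255.255.255.0]


2019-08-20 14:16:24 PROTOCOL OPTIONS:
"""

# One pushed option: an index followed by one or more bracketed tokens.
OPTION_LINE = re.compile(r"^\d+ ((?:\[[^\]]*\]\s*)+)$")


def parse_pushed_options(log):
    """Return the server-pushed options as token lists, in push order."""
    opts, in_block = [], False
    for line in log.splitlines():
        # The block header is "... OPTIONS:"; "PROTOCOL OPTIONS:" is a different section.
        if line.endswith(" OPTIONS:") and "PROTOCOL" not in line:
            in_block = True
            continue
        if in_block:
            m = OPTION_LINE.match(line.strip())
            if m is None:
                if opts:  # first non-option line after the options ends the block
                    break
                continue
            opts.append(re.findall(r"\[([^\]]*)\]", m.group(1)))
    return opts


def mask_to_prefix(mask):
    """Dotted-quad netmask -> prefix length, e.g. 255.255.255.240 -> 28."""
    return sum(bin(int(octet)).count("1") for octet in mask.split("."))


def review_push(opts, ap_addr, lan_prefix=24):
    """Return (pushed DNS servers in order, list of findings worth a look)."""
    findings = []
    dns = [o[2] for o in opts if o[:2] == ["dhcp-option", "DNS"]]
    if ap_addr in dns:
        findings.append(f"AP's own address {ap_addr} is pushed as DNS (position {dns.index(ap_addr)})")
    if len(dns) > 1:
        findings.append(f"{len(dns)} DNS servers pushed {dns}; client resolver order is platform-dependent")
    for o in opts:
        if o[0] == "route" and mask_to_prefix(o[2]) != lan_prefix:
            findings.append(f"pushed route {o[1]}/{mask_to_prefix(o[2])} is not the expected /{lan_prefix} LAN")
    return dns, findings
```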
  16. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    9,269
    Location:
    UK
    Try turning off "Advertise DNS to clients" in the menu, but leave the custom PUSH there.
     
  17. miroco

    miroco Regular Contributor

    Joined:
    Mar 12, 2014
    Messages:
    62
    It dropped the 192.168.1.14 address, but still no go.
     
  18. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    9,269
    Location:
    UK
    What's in the client and server logs?

    What is "no go", how are you testing this?
     
  19. miroco

    miroco Regular Contributor

    Joined:
    Mar 12, 2014
    Messages:
    62
    The weirdest thing is happening. I'm getting blocked trying to answer your question.

    When I click on "Contact Us" at the bottom of the page, nothing happens. I've found myself in a kind of bizarre no man's land.

    Does anyone know how you get in touch with the moderators?
     
  20. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    31,020
    Location:
    Canada
    @thiggins is the site owner. You can send him a private message here.