
How to setup a VPN Server with Asus routers 380.68 updated 08.24

Discussion in 'VPN' started by yorgi, Jul 14, 2016.

  1. yorgi

    yorgi Very Senior Member

    Joined:
    Jan 28, 2015
    Messages:
    847
    Location:
    Canada
    In this new version 380.68 there are no new features for VPN server.

    This guide will show you how to set up a VPN server with your Asus routers.
    This works with native ASUS firmware or Merlin Firmware

    *** I suggest that every time you update to a new firmware do a Default on OpenVPN server then reboot the router and enter the data again. Also export a new .ovpn file and import to your device in order to have smooth results. Otherwise you may get into issues where you cannot see windows shared folders.

    With the ASUS router you can have up to 2 separate VPN servers.
    In this example I am using VPN server 1.
    Simply enable OpenVPN server; by default the admin username and password is in the list. You can create up to 32 usernames and passwords in the appropriate fields.

    In VPN details click on the advanced menu.
    Use the VPN advanced image below and setup the values accordingly.

    [image: Main Page.jpg]

    [image: server.jpg]

    ***Important***
    With the latest firmware 380.66.4 and up you need to enable Respond to DNS and enable Advertise DNS to clients, otherwise you will not be able to connect to your local network. This was not the case in the past.

    Finally, in order for file shares to work properly you need to have the router's DHCP do the static addresses, so that the ARP entries are stored properly and the router can access shares.
    In the LAN tab, DHCP Server, Basic Config:

    IP Pool Starting Address 192.168.1.97
    IP Pool Ending Address 192.168.1.254

    and in the LAN/DHCP tab enable "Enable Manual Assignment".
    Look for the MAC address of a network PC that you want to manage as a static IP and assign a static IP address from the static range pool: 192.168.1.99, then .98 and .97 for the next PCs.
    For the first PC assign .99 and so on.
    If you need more PCs, set the IP pool to reserve all the PCs you want and do them one by one to make sure that each PC gets the address you want.
    This way you let the router handle the static addresses and you will not have any problems sharing files via the VPN. If you do not do this and assign IP addresses manually on the PCs, it may happen that you cannot share files because the router's ARP tables don't see the computer you are trying to access even though you can ping that PC. Having the router do the static IPs ensures a proper ARP table and makes sure you get access to the PCs you want to.
    Even if you have the PC get a dynamic IP from the router, chances are you may still get into problems where you cannot see the shares because the IP address changed.
    In the second part of the tutorial I show you how to setup firewall rules on windows PC in order to access shares properly.
    Some features to explore;

    Interface Type: TAP or TUN?

    TUN is the preferred method because it supports Windows, iOS, Android and Linux.
    You can do file sharing (Samba), remote desktop, print sharing etc.
    You will have to configure the Windows firewall, explained at the end of this article.

    TAP supports Windows but not iOS or Android.
    By choosing TAP, you tell the VPN to make remote machines feel like they're on the LAN, with broadcast Ethernet packets and raw Ethernet protocols available for communicating with printers and file servers and for powering their Network Neighborhood display.
    Great if you don't want to configure Windows firewalls on each PC.

    Push LAN to clients: allows you to access your network via the tunnel,
    such as remote desktop, file sharing and print sharing.

    Direct clients to redirect internet traffic: If this feature is enabled all traffic will go via the router and depending on your bandwidth speeds it can be very slow on the clients receiving end.

    Ideally the majority of users should keep the Redirect Internet Traffic option disabled. It means the remote client will still use his own WAN access for all Internet traffic, and only use the VPN tunnel when trying to access a resource in the home LAN network. This is what VPNs were originally designed to do.

    Respond to DNS: enable this along with Advertise DNS to clients and when you connect you will be using the DNS of the VPN server.

    Advertise DNS to clients: this needs to be enabled if you want to have access to file shares and remote computer access.

    Manage Client-Specific Options: Using this option, you can have full bidirectional site-to-site TLS VPNs with no Custom Configuration or init scripts. I have never got this to work, but here is how it's supposed to work:

    Selecting this option displays a table where you fill in the Common Name (from when you generated the TLS certificates), subnet (optional), and netmask (optional). If you fill in the subnet and netmask of the client, your server LAN will be able to communicate with your client LAN whenever it's connected (be sure not to choose the NAT option on the client router). Without this, you're stuck with just client->server communication.

    If you select the "Allow Client<->Client" option, another checkbox appears in the table that, when selected, allows other clients (or client LANs) to communicate with this client LAN. So, now you can have multiple sites all connected together with communication between any of them as desired.

    An "allow only these clients" option is also present. With this selected, clients that aren't in the table are not allowed to connect. If you want to allow a client that doesn't have a LAN behind it (or you don't want to allow access to it), just put it in the table and leave the subnet/netmask blank.

    With these options, this release removed the biggest limitation that's been present since the first release: having the VPN limited to client-initiated connections.

    You can further customize the VPN server by changing its server port to something other than the default 1194, and change the auth digest and encryption cipher to whatever you want.
    AES-128-CBC and an auth digest of SHA1 is sufficient encryption for maintaining proper security when connecting to your server. However, feel free to change to whatever encryption or cipher suits your needs.

    Now that the server is running you need to setup your devices to use the VPN server.

    ***It is very important that any device you use to connect to the VPN server must have a different subnet than the router, otherwise you will not be able to see the networks if you enable Push LAN to clients.
    Example:
    Router A VPN Server IP 192.168.1.1
    Router B VPN Client IP 192.168.2.1

    Look for the Export button under the General menu and click on it.
    it will create a .ovpn file which you will need to configure your devices.
    This client1.ovpn file contains everything you need including certificates.


    For Android:

    Download the OpenVPN app and install it on your device.
    Teather your Android device to a computer and copy the client1.ovpn file to your device. Preferably the download folder.
    Start the OPENVPN app and then on the top right there are 3 vertical dots, click on the dots and choose import then import profile from SD card, use ES file manager, if you don't have that program download it from the playstore and navigate to the download folder and import that client1.ovpn to openvpn app.
    Once you have done that, simply hit on connect and you should have connection established to the VPN server.

    ASUS routers with stock firmware:

    You can also import the client1.ovpn into another ASUS router with stock or Merlin Firmware VPN client. It will automatically configure everything you need to connect to the VPN Server, including certificates.
    Simply go to the VPN client on your ASUS router and look for "Import .ovpn file" use the browse button to find the client1.ovpn file then click on upload.
    That's it. you should be ready to connect. Turn the service state button to ON
    You can enable start to WAN option if you want the Client to automatically connect to the VPN server when router gets rebooted.
    Make sure that the client router has a different IP than the server router or you will not be able to see shares or print.

    ASUS routers with Merlin firmware:
    Follow the exact same steps as with ASUS stock firmware. With Merlin you need to set Accept DNS Configuration to Exclusive.

    MAC:

    A popular OpenVPN client for Mac OS X is Tunnelblick. It can be obtained for free from https://tunnelblick.net. Follow these basic steps to use Tunnelblick with OpenVPN Access Server:

    • Download the Tunnelblick disk image file (a ".dmg" file) from https://tunnelblick.net
    • Open the downloaded disk image file (which mounts the disk image).
    • Double-click the Tunnelblick icon (it may be labelled "Tunnelblick.app") and you will be guided through the installation of the program.
    • Once you have installed Tunnelblick, you can download and install the configuration file. After logging in to the Access Server's Client Web Server, download the client.ovpn file and double-click it. This will launch Tunnelblick if necessary, and Tunnelblick will install and secure the configuration.
    • Run Tunnelblick by double-clicking its icon in the Applications folder. If left running when you logout or shut down your computer, Tunnelblick will be launched automatically when you next log in or start your computer.
    The first time Tunnelblick is run on a given Mac, it will ask the user for a system administrator's username and password. This is necessary because Tunnelblick must have root privileges to run, as it modifies network settings as part of connecting to the VPN.

    For more information on using Tunnelblick, see the Using Tunnelblick at https://tunnelblick.net/czUsing.html.

    Please go to section B of the article for more.
     
    Last edited: Aug 24, 2017
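    The address-plan rule from the tutorial above (the VPN server's LAN, the VPN subnet and any client router's LAN must all be different) as an added PowerShell example; it is not part of the original post. The three networks in $plan are assumptions taken from the post's Router A / Router B example and the default 10.8.0.0/24 VPN subnet, so substitute your own.

```powershell
# Added example (not from the original post): verify that the networks an OpenVPN setup
# touches do not overlap. The plan below is an assumption built from the post's example
# (Router A LAN 192.168.1.x, Router B LAN 192.168.2.x, default VPN subnet 10.8.0.0/24).

function ConvertTo-AddressInt {
    # Dotted-quad IPv4 -> integer. Kept as int64 so the bitwise operators never overflow.
    param([Parameter(Mandatory)][string]$Address)
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    if ($bytes.Length -ne 4) { throw "IPv4 address expected: $Address" }
    [int64]$value = 0
    foreach ($b in $bytes) { $value = ($value -shl 8) -bor [int64]$b }
    return $value
}

function Get-NetworkRange {
    # First and last address of a CIDR block as integers, e.g. 192.168.1.0/24.
    param([Parameter(Mandatory)][string]$Cidr)
    $ip, $prefixText = $Cidr.Split('/')
    if (-not $prefixText) { throw "Use CIDR notation a.b.c.d/n: $Cidr" }
    $prefix = [int]$prefixText
    if ($prefix -lt 0 -or $prefix -gt 32) { throw "Bad prefix length in $Cidr" }
    [int64]$all   = ([int64]1 -shl 32) - 1          # 0xFFFFFFFF without the signed-int32 literal trap
    [int64]$mask  = ($all -shl (32 - $prefix)) -band $all
    [int64]$start = (ConvertTo-AddressInt $ip) -band $mask
    [int64]$end   = $start -bor ($all -bxor $mask)
    [pscustomobject]@{ Cidr = $Cidr; Start = $start; End = $end }
}

function Test-AddressPlan {
    # $true when no two networks overlap; otherwise warns about each clashing pair and returns $false.
    param([Parameter(Mandatory)][hashtable]$Networks)
    $ranges = @(foreach ($name in $Networks.Keys) {
        $r = Get-NetworkRange $Networks[$name]
        [pscustomobject]@{ Name = $name; Cidr = $r.Cidr; Start = $r.Start; End = $r.End }
    })
    $ok = $true
    for ($i = 0; $i -lt $ranges.Count; $i++) {
        for ($j = $i + 1; $j -lt $ranges.Count; $j++) {
            $a = $ranges[$i]; $b = $ranges[$j]
            if ($a.Start -le $b.End -and $b.Start -le $a.End) {
                Write-Warning ('{0} ({1}) overlaps {2} ({3})' -f $a.Name, $a.Cidr, $b.Name, $b.Cidr)
                $ok = $false
            }
        }
    }
    return $ok
}

# The plan the post recommends: every network different.
$plan = @{
    'Router A LAN (VPN server)' = '192.168.1.0/24'
    'Router B LAN (VPN client)' = '192.168.2.0/24'
    'VPN subnet'                = '10.8.0.0/24'
}
Test-AddressPlan $plan

# The mistake the post warns about: the client router left on the same 192.168.1.0/24 default.
$plan['Router B LAN (VPN client)'] = '192.168.1.0/24'
Test-AddressPlan $plan
```

    The first call returns $true; the second prints a warning naming the two 192.168.1.0/24 networks and returns $false. Add every LAN you later enter under Manage Client-Specific Options to the same hashtable, since a site-to-site client LAN that collides with the server LAN fails in the same way.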
  2. yorgi

    Section B

    Windows 7,8, 8.1 and 10

    Download the openvpn program from this link https://openvpn.net/index.php/open-source/downloads.html
    After you install the program go to c:\windows\program files\openvpn\config
    and copy the client1.ovpn file that exported from the VPN server.
    If you don't want to put a password each time it prompts you then do the following.
    in the same directory where you have the config file create a new text document and call it vpnpass.txt
    Open vpnpass.txt and enter your username and password like the example below. Assuming the username is don and the password is xxx, put the username on one line and the password on the line underneath it, like in the example below, and save the text file.
    don
    xxx
    now open the .ovpn file with notepad ++ and where you see auth-user-pass add the txt file you created in your config file like this;
    auth-user-pass vpnpass.txt
    Now, when you start the OpenVPN program, you have to right-click it and choose Run as administrator in order for it to work right.
    You will see the OpenVPN GUI icon in the system tray; right-click it, then look for the client1.ovpn file and connect. If you called it client1.ovpn, that's what you are looking for. You can rename the .ovpn to any name you like.
    You should now be connected to your VPN server.

    Windows computers over the years have become bulletproof with security, therefore we have to create a firewall fix to allow remote desktop, file and printer sharing to work.

    If you enable "Push LAN to clients" in advanced configuration of the VPN server and you try connecting to a win 10 computer, you will not be able to use remote desktop or File and printer shares.
    ***Besides "Push LAN to clients" you need to also enable "Respond to DNS" and "Advertise DNS to clients" in the advanced section of the VPN server, otherwise you will not be able to see the shares or remote desktop.
    You will need to write a firewall rule in order to fix this problem.

    Go to Windows search, type in "Windows Firewall with Advanced Security", right-click it and run as administrator.
    For a Windows 7 PC go to Control Panel, Firewall, then Advanced. You need administrator rights to do this process.
    Then right-click on Inbound Rules to create a new inbound rule.
    Rule type: click on Program
    Program: click on All Programs
    Action: click on Allow the connection
    Profile: enable Domain, Private and Public
    Now give it a name, for example "Allow VPN Server", and then click on SAVE.
    Next Look for the rule you created in the inbound rules section and double click on it so you can see the properties.
    Go to Protocols and Ports tab and In "protocol type" enter "TCP"
    In "local port" enter "All Ports"
    In "Remote port" enter "All Ports"
    Then click on the "Scope" tab and in "Local IP addresses" click on "These IP addresses" and enter the computer's IP address that you want to access, for example 192.168.1.124, which is the IP of the computer whose firewall you are configuring.
    Next go to "Remote IP address" and enable "These IP addresses" and enter the IP range of your VPN server subnet. example 10.8.0.0/24
    Please make sure you check and see the "VPN Subnet / Netmask" in advanced settings in VPN server to make sure you put the right address for the VPN server subnet if you changed the default addresses while configuring the server.

    You will not be able to see the network computer through Network; you will have to map the drive in order to have access.
    Go to the file manager and look for the Network icon. Right-click it and look for Map network drive.
    Click on Map network drive; you need to type in the IP address and the share folder name like the following example.

    \\192.168.xx.xxx\foldersharename
    Lets assume the PC you want to map a network drive is 192.168.1.50 and the folder name share is documents then you will have to enter it like this
    \\192.168.1.50\documents.

    If you want to remote desktop you will have to put in the IP address of the PC you want to connect to.
    Open remote desktop and type in 192.168.1.50 and enter credentials when asked.

    After reading this article if you still have problems please drop a line and one of us will try and help you out :)
     
    Last edited: Jul 22, 2017
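    The Section B client steps as one added PowerShell script, not from the original post or the OpenVPN project: it writes the credentials file, points the profile at it, creates the inbound rule with the same scope as the GUI steps, and maps the share. Everything in the first variable block is an assumption: the config directory, the profile name client1.ovpn, the local address 192.168.1.124, the VPN subnet 10.8.0.0/24 and the share \\192.168.1.50\documents are taken from the post's examples.

```powershell
# Added example, not part of the original post or of the OpenVPN project. Automates the
# Section B client steps on Windows 10 with the community OpenVPN GUI installed.
# Run from an elevated PowerShell prompt (the profile lives under Program Files).
# Assumptions, change to match your setup:
$ConfigDir   = Join-Path $env:ProgramFiles 'OpenVPN\config'   # OpenVPN GUI config directory
$ProfilePath = Join-Path $ConfigDir 'client1.ovpn'            # the file exported from the router
$CredFile    = Join-Path $ConfigDir 'vpnpass.txt'
$LocalIp     = '192.168.1.124'   # this PC's LAN address (the "Local IP addresses" scope)
$VpnSubnet   = '10.8.0.0/24'     # "VPN Subnet / Netmask" from the server's advanced settings
$Share       = '\\192.168.1.50\documents'

# 1. Credentials file: username on line 1, password on line 2. It is a plaintext secret, so
#    drop inherited permissions and leave read access to the account that runs openvpn.exe only.
$cred  = Get-Credential -Message 'OpenVPN server username and password'
$plain = $cred.GetNetworkCredential().Password
[System.IO.File]::WriteAllText($CredFile, "$($cred.UserName)`n$plain`n", [System.Text.Encoding]::ASCII)
Remove-Variable plain
icacls $CredFile /inheritance:r /grant:r "$($env:USERNAME):(R)" | Out-Null

# 2. Point the profile at the file: rewrite an existing auth-user-pass line, or add one.
$lines = @(Get-Content -Path $ProfilePath)
if ($lines -match '^\s*auth-user-pass\b') {
    $lines = $lines -replace '^\s*auth-user-pass\b.*$', 'auth-user-pass vpnpass.txt'
} else {
    $lines = $lines + 'auth-user-pass vpnpass.txt'
}
Set-Content -Path $ProfilePath -Value $lines -Encoding ASCII

# 3. Inbound rule matching the GUI steps: any program, TCP, any port, local address = this PC,
#    remote addresses limited to the tunnel subnet. Add -LocalPort 445,3389 if shares and
#    Remote Desktop are all you need through the tunnel.
$RuleName = 'Allow VPN Server'
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Allow `
        -Protocol TCP -LocalAddress $LocalIp -RemoteAddress $VpnSubnet `
        -Profile @('Domain', 'Private', 'Public') | Out-Null
}
# Confirm the scope landed as intended before trusting the rule.
Get-NetFirewallRule -DisplayName $RuleName | Get-NetFirewallAddressFilter |
    Select-Object LocalAddress, RemoteAddress

# 4. Once the tunnel is up: map the share by address (Network browsing does not cross a TUN
#    link) and open Remote Desktop to the same host.
net use Z: $Share /persistent:no
mstsc /v:192.168.1.50
```

    Two things the GUI walk-through does not make obvious: the rule passes TCP only, so pinging the PC from the tunnel still fails unless you also allow ICMPv4, and vpnpass.txt is a stored password, which is why the script strips the inherited ACL instead of leaving the file readable by everyone who can read the config directory.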
  3. alphamatter

    alphamatter Occasional Visitor

    Joined:
    Aug 24, 2016
    Messages:
    25
    Love the clarity and steps descriptions as, if you're like me, have the curiosity, that you want to KNOW what that 'option' is for, though, you will very likely NEVER use it!

    I will be trying this soon, as I love to tinker.
     
  4. ktd

    ktd New Around Here

    Joined:
    Dec 3, 2014
    Messages:
    9
    Great guide!

    I could establish a VPN connection but I couldn't connect to my server running Windows 10.
    Just followed your guide and could access my servers shares directly.

    Thanks a lot!
     
  5. yorgi

    I reformatted my win 10 with the anniversary edition and I think it was a bug that they fixed. You no longer need to create a firewall rule if you have the latest win 10 :)
    happy the guide helped you out :)
     
  6. kangfat

    kangfat New Around Here

    Joined:
    Sep 13, 2016
    Messages:
    2

    I've followed these directions to a T but I can't seem to get network shares to connect. I can connect and RDP into my machine but I can't access any network shares. Any tips and/or ideas as to what's wrong?
     
  7. yorgi

    When you connect with RDP you should see your local shares because you are using Windows.
    Try connecting with Remote Desktop without the VPN server and see if you see the shares.
     
  8. kangfat

    I don't think I was clear enough on this. I have a network drive mapped on my laptop that I can't get to. When I connect with the VPN I can RDP into the machine the network drive is on but I can't hit the mapped drive by itself. I tried connecting via hostname and IP address but neither worked.
     
  9. yorgi

    The problem you are having has got nothing to do with the thread or VPN servers.
    You need to learn how to create shares. Do a google search on that its really simple.
    Also if you map a drive on a PC you can see it directly from file manager why would you want to see it via a share?
    When you share a drive it is to view from other computers or devices.
     
  10. dieter

    dieter Senior Member

    Joined:
    Dec 22, 2008
    Messages:
    267
    Location:
    USA
    Hello,
    I have selected "Direct clients to redirect Internet traffic" on my Asus RT-AC1900P, and would like to verify that all internet traffic from my client is actually going to the WAN port of my router's VPN server. While having a VPN connection from my cell phone, this router's "Traffic Analyzer" feature does not seem to offer any proof that the Cell phone's internet traffic is being routed to the WAN port of the router.

    Is there any way to verify this?
    Does the RMerlin firmware or DD-WRT give some feedback of VPN traffic going thru the router?

    Do I have to re-generate the CLIENT.OVPN file after enabling the option to "Direct clients to redirect Internet traffic"?

    I'm a noob...

    Dieter
     
  11. Fester1952

    Fester1952 Regular Contributor

    Joined:
    Oct 27, 2012
    Messages:
    70
    Location:
    Adelaide, Australia
    Thanks Yorgi, working well for me. I was using PPTP and it was working well with my iPad and iPhone to access my security cameras and automation when away. But since iOS10 Apple does not support PPTP anymore so needed another solution and OpenVPN is working great.
     
  12. yorgi

    If you enable Advertise DNS to clients and Respond to DNS when you Direct clients to redirect Internet traffic, and you do a DNS leak test, you will see the IP address of your WAN and DNS.
    That's proof enough :)
     
  13. dieter

    Thanks
     
  14. yorgi

    Go to this site. Do a test, if you see your IP address and the DNS of your ISP when you connect to your VPN server then everything is working good. If you see an IP address and DNS from the Cafe then its not working right.
    https://dnsleaktest.com/
     
  15. dieter

    There are NO IP addresses listed in the results of DNSLEAK. It shows 5 servers, but no addresses. Does this mean it is working?

    To fix DNS leaks, DNSLEAK FAQ says to add: " block-outside-dns" to the Client.ovpn file?
    This line is not in the Asus created client.ovpn file.

    Thanks much.
     
  16. dieter

    I tried again. It now shows 6 servers, 6 Google IP addresses, and Hostname NONE.
    I guess it is working.

    But please answer my previous question re the Client.opvn.
    Thanks.
     
  17. yorgi

    Here use this one as well.
    https://ipleak.net/
    When you do a check it will show you your IP address and DNS
    when you are home do a test and see the IP and DNS you get
    when you go to a cafe and log on to your VPN server test it with ipleak and you should get the IP address of your house and DNS. if you get another address then its not working.
    Your previous post has nothing to do with the client OpenVPN file.
    If you set up your server properly and you are able to connect and redirect all the traffic via your server,
    a simple test like the addresses I gave you will show your area.
    In https://dnsleaktest.com where it says HELLO and the address next to it is the IP address
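    A client-side check for dieter's question above (is Internet traffic really going through the tunnel?) as an added PowerShell example for a Windows OpenVPN client; it is not part of the original posts. It assumes IPv4 and that the tunnel adapter's name or description matches the pattern in $TunnelPattern.

```powershell
# Added example, not part of the original posts. Run on a Windows OpenVPN client while the
# tunnel is up to see whether "Direct clients to redirect Internet traffic" took effect.
# Assumptions: IPv4 only, and the tunnel adapter's name or description matches $TunnelPattern
# (the community client installs adapters described as "TAP-Windows" or "Wintun").
$TunnelPattern = 'OpenVPN|TAP-Windows|Wintun'

function Get-TunnelAdapter {
    Get-NetAdapter | Where-Object {
        $_.Status -eq 'Up' -and
        ($_.Name -match $TunnelPattern -or $_.InterfaceDescription -match $TunnelPattern)
    }
}

function Test-RedirectGateway {
    $tun = @(Get-TunnelAdapter)
    if ($tun.Count -eq 0) { Write-Warning 'No tunnel adapter is up; connect first.'; return $null }
    $tunIndex = @($tun.ifIndex)

    # "redirect-gateway def1" leaves the real default route alone and adds 0.0.0.0/1 and
    # 128.0.0.0/1 through the tunnel; plain "redirect-gateway" replaces 0.0.0.0/0 instead.
    $routes = Get-NetRoute -AddressFamily IPv4
    $halves = @($routes | Where-Object {
        ($_.DestinationPrefix -in @('0.0.0.0/1', '128.0.0.0/1')) -and ($_.InterfaceIndex -in $tunIndex)
    })
    $bestDefault = $routes | Where-Object DestinationPrefix -eq '0.0.0.0/0' |
        Sort-Object RouteMetric, InterfaceMetric | Select-Object -First 1
    $viaTunnel = ($halves.Count -eq 2) -or
                 ($null -ne $bestDefault -and ($bestDefault.InterfaceIndex -in $tunIndex))

    # DNS pushed by the server ("Advertise DNS to clients") shows up on the tunnel adapter.
    $dns = @(Get-DnsClientServerAddress -InterfaceIndex $tunIndex -AddressFamily IPv4 |
        ForEach-Object { $_.ServerAddresses })

    [pscustomobject]@{
        TunnelAdapter  = ($tun.Name -join ', ')
        Def1Halves     = $halves.Count
        InternetViaVpn = $viaTunnel
        TunnelDns      = ($dns -join ', ')
    }
}

Test-RedirectGateway
```

    InternetViaVpn $true with two def1 halves and TunnelDns showing the router's address is the local-side counterpart of the dnsleaktest / ipleak check in the replies above; if the route table says yes but the leak test still shows the cafe's DNS, Windows is querying the other adapters' resolvers in parallel. The `block-outside-dns` directive dieter asked about is a Windows-only client option that uses the Windows Filtering Platform to block DNS on every adapter except the tunnel; the router does not put it in the exported profile, so add it to the client .ovpn yourself if you want that guarantee.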
     
  18. grissli1

    grissli1 Occasional Visitor

    Joined:
    Aug 13, 2016
    Messages:
    15
    Hi,
    I tried OpenVPN now instead of PPTP.
    I reach all of my devices in my network, but I can't reach any internet address over the VPN.
    What I need: I connect my Android tablet with the ASUS RT-AC88U (works) and then I want to reach an internet address. This is because I need the home connection in other countries.

    I hope I explained it well enough.

    Thanks for help
    Chris


    Sent from my mobile via an infernal machine
     
  19. inutile

    inutile New Around Here

    Joined:
    Oct 14, 2016
    Messages:
    3
    Hi yorgi, thanks for this thread, it gave me hope!
    ... Sadly it didn't work for me. I am using OpenVPN, set up via the asus RT-AC68U.
    I can ping my client machine from my local machine only if I disable the client machine firewall, but creating the inbound rule as you described does not work.

    Here's my config:

    [image: upload_2016-10-14_17-12-52.png (VPN server configuration)]

    Suppose the LAN subnet of the router is 192.168.2.1/24, then the custom config was `push "route 192.168.2.1 255.255.255.0"`.
    Now, suppose the VPN Subnet is 10.8.0.0/24 and my client gets assigned the ip 10.8.0.8. From my local machine, pinging 10.8.0.8 would work only if my client firewall is disabled.

    I have created the inbound rule on both machines to play it safe, but it doesn't work. Here's how the rule looks like:

    [image: upload_2016-10-14_17-21-55.png (inbound firewall rule)]

    I have also tried on Protocol type TCP.

    I really don't know how to fix my firewall. Thanks in advance for your precious help!
     
  20. inutile

    I finally managed to ping my client machine from the local machine by setting the Protocol type to `Any` (instead of `UDP`) and by switching the 2 ip addresses of the scope. Is it safe though?