
How to setup a VPN Server with Asus routers 380.68 updated 08.24

Discussion in 'VPN' started by yorgi, Jul 14, 2016.

  1. Xentrk

    Xentrk Part of the Furniture

    Joined:
    Jul 21, 2016
    Messages:
    2,839
    Location:
    The Land of Smiles
    I had no problem with my ovpn file. One thing I noticed is you have comp-lzo set to no. With my testing, I found I needed to specify some level of compression. None did not work. I ended up going with LZ4 Adaptive. You can refer to a screen print of my configurations in post 56 to see if that helps.
     
  2. madfusker

    madfusker Regular Contributor

    Joined:
    Jul 20, 2014
    Messages:
    157
    I have mine setup exactly like yours now and when I export the ovpn file in the GUI I still get the empty paste here. In the GUI there is only a static key and no CA. If I try to connect on Android, it gives me the: "OpenVPN core error : PolarSSL: error parsing ca certificate : X509 - The CRT/CRL/CSR format is invalid".

    client
    dev tun
    proto udp
    remote xxxx.xxxxx.com 1194
    float
    cipher AES-128-CBC
    auth SHA1
    comp-lzo adaptive
    keepalive 15 60
    auth-user-pass
    ns-cert-type server
    <ca>
    adaptive
    </ca>
    <cert>
    paste client certificate data here
    </cert>
    <key>
    paste client key data here
    </key>
    resolv-retry infinite
    nobind

    If I look manually in the router via SSH, I can see there is a ca.crt and server.crt. Shouldn't these certs be showing in the exported OVPN file instead of empty and the paste here?

    /tmp/etc/openvpn/server1
    -rw-rw-rw- 1 admin root 3803 May 10 21:01 01.pem
    -rw-rw-rw- 1 admin root 3675 May 10 21:01 02.pem
    -rw-rw-rw- 1 admin root 1172 May 10 21:01 ca.crt
    -rw------- 1 admin root 916 May 10 21:01 ca.key
    -rw-rw-rw- 1 admin root 3675 May 10 21:01 client.crt
    -rw-rw-rw- 1 admin root 660 May 10 21:01 client.csr
    -rw------- 1 admin root 916 May 10 21:01 client.key
    -rw-rw-rw- 1 admin root 307 May 10 21:01 client.ovpn
    -rw-rw-rw- 1 admin root 18 May 10 21:07 client_status
    -rw------- 1 admin root 349 May 10 21:01 config.ovpn
    -rw-rw-r-- 1 admin root 424 May 10 21:01 dh.pem
    -rw-rw-rw- 1 admin root 198 May 10 21:01 index.txt
    -rw-rw-rw- 1 admin root 21 May 10 21:01 index.txt.attr
    -rw-rw-rw- 1 admin root 21 May 10 21:01 index.txt.attr.old
    -rw-rw-rw- 1 admin root 100 May 10 21:01 index.txt.old
    -rw-rw-rw- 1 admin root 3 May 10 21:01 serial
    -rw-rw-rw- 1 admin root 3 May 10 21:01 serial.old
    -rw-rw-rw- 1 admin root 3803 May 10 21:01 server.crt
    -rw-rw-rw- 1 admin root 664 May 10 21:01 server.csr
    -rw------- 1 admin root 916 May 10 21:01 server.key
    -rw------- 1 admin root 559 May 10 21:07 status
     
    Last edited: May 10, 2017
  3. madfusker

    madfusker Regular Contributor

    Joined:
    Jul 20, 2014
    Messages:
    157
    So basically, OpenVPN Connect app on Android wants a CA, and errors out with anything less such as the OVPN file. Password only will not work, which is the first step to get it working.

    So from what I understand, the OVPN file below should work with basic username and password only, and no CA?

    client
    dev tun
    proto udp
    remote xxxxx.xxx 1194
    float
    cipher AES-128-CBC
    auth SHA1
    comp-lzo adaptive
    keepalive 15 60
    auth-user-pass
    ns-cert-type server
    <ca>
    adaptive
    </ca>
    resolv-retry infinite
    nobind
     
  4. Xentrk

    Xentrk Part of the Furniture

    Joined:
    Jul 21, 2016
    Messages:
    2,839
    Location:
    The Land of Smiles
    I went to the AC88U router that has 380.65_4 installed and was able to download the ovpn file with no issues and the certs were in the file. The OpenVPN Server was turned on when I did this. When I go to the /tmp/etc/openvpn/server1/ folder on the router, I see the ovpn file called client.ovpn. So, I can't duplicate the issue. Try to reinstall 380.65_4 and try again. If that does not work, then try a factory reset. You will need to reenter your configs or use John's NVRAM backup and restore utility to do it for you.
     
  5. Xentrk

    Xentrk Part of the Furniture

    Joined:
    Jul 21, 2016
    Messages:
    2,839
    Location:
    The Land of Smiles
    You have more files in the /tmp/etc/openvpn/server1/ directory than I do
    [attached screenshot of the /tmp/etc/openvpn/server1/ directory listing]
     
  6. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    32,982
    Location:
    Canada
    Your OpenVPN configuration seems corrupted, as the <ca> block contains the value of a different parameter (it's the comp-lzo value). I recommend reconfiguring your OpenVPN server instance by clicking on Default and starting over.
     
  7. madfusker

    madfusker Regular Contributor

    Joined:
    Jul 20, 2014
    Messages:
    157
    Never thought of that, good idea. I went to defaults and when going into the keys and certs window, I still have a Static Key, and nothing else. See output below. Seems like the CA should be populated with a key instead of adaptive as you mentioned.

    Should the firmware be generating a CA for me? Which then gets exported into the .OVPN file?

    client
    dev tun
    proto udp
    remote xxxxxxxx.com 1194
    float
    ncp-ciphers AES-128-GCM:AES-256-GCM:AES-128-CBC:AES-256-CBC
    cipher AES-128-CBC
    comp-lzo adaptive
    keepalive 15 60
    auth-user-pass
    ns-cert-type server
    <ca>
    adaptive
    </ca>
    resolv-retry infinite
    nobind


    Seems like I should be able to get this thing going with no key, and just username and password which is configured.

    Can someone paste me what the export .OVPN file should look like in this config? No keys, just user auth.
     
  8. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    32,982
    Location:
    Canada
    I just tracked down the bug causing this in the code. If you don't have any CA defined (or if the router is unable to open the CA file in jffs), then the previous content of a buffer gets written instead. I'll fix that one on my end.

    On your end however, your issue is the current lack of any CA. If you start by defaulting the OpenVPN server, it will then automatically generate one for you. You can check the content of the Keys & Certificate pages afterward.
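    The failure RMerlin describes above (no CA configured, or an unreadable CA file in jffs, leaving a previous parameter's value in the export buffer) is a stale-buffer bug. The following C is an added illustration and not Asuswrt-Merlin code: load_ca_buggy, load_ca_fixed and the demo_* helpers are hypothetical, and the file path in the last demo is constructed.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical stand-in for the firmware buffer that receives the CA file
 * while the exported .ovpn is built (added example, not RMerlin's code). */
static char ca_buf[4096];

/* Buggy pattern: on failure (no CA configured, file unreadable) the caller
 * gets whatever the buffer held last, e.g. a comp-lzo value such as "adaptive". */
const char *load_ca_buggy(const char *path) {
    FILE *f = path ? fopen(path, "r") : NULL;
    if (f) {
        size_t n = fread(ca_buf, 1, sizeof(ca_buf) - 1, f);
        ca_buf[n] = '\0';
        fclose(f);
    }
    return ca_buf;                       /* stale content leaks on failure */
}
/* Hardened pattern: clear the output first, fail explicitly, and check that
 * the content is PEM so the caller can omit <ca> instead of emitting junk. */
int load_ca_fixed(const char *path, char *out, size_t outlen) {
    out[0] = '\0';
    if (!path || !*path) return -1;
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    size_t n = fread(out, 1, outlen - 1, f);
    fclose(f);
    out[n] = '\0';
    if (!strstr(out, "-----BEGIN CERTIFICATE-----")) { out[0] = '\0'; return -1; }
    return 0;
}
/* Demo: leftover value in the buffer, then a CA that was never configured. */
const char *demo_stale(void) {
    strcpy(ca_buf, "adaptive");          /* constructed leftover */
    return load_ca_buggy(NULL);          /* buggy path returns "adaptive" */
}
/* Demo: the fixed path reports failure and leaves an empty string. */
int demo_fixed_missing(void) {
    char out[64] = "adaptive";
    return load_ca_fixed(NULL, out, sizeof out) == -1 && out[0] == '\0';
}
/* Demo: the fixed path accepts a constructed PEM-looking file. */
int demo_fixed_valid(void) {
    const char *p = "/tmp/snb_demo_ca.crt";      /* constructed test file */
    FILE *f = fopen(p, "w"); if (!f) return 0;
    fputs("-----BEGIN CERTIFICATE-----\nx\n-----END CERTIFICATE-----\n", f);
    fclose(f);
    char out[256];
    return load_ca_fixed(p, out, sizeof out) == 0 && strncmp(out, "-----BEGIN", 10) == 0;
}
```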
     
  9. madfusker

    madfusker Regular Contributor

    Joined:
    Jul 20, 2014
    Messages:
    157
    Hmm. I tried to default and then turn OpenVPN server back on, but it still doesn't generate in the GUI Keys Page.

    Looking manually I can see the files as mentioned before:

    /tmp/etc/openvpn/server1

    -rw-rw-rw- 1 admin root 3803 May 10 23:33 01.pem
    -rw-rw-rw- 1 admin root 3675 May 10 23:33 02.pem
    -rw-rw-rw- 1 admin root 1172 May 10 23:33 ca.crt
    -rw------- 1 admin root 916 May 10 23:33 ca.key
    -rw-rw-rw- 1 admin root 3675 May 10 23:33 client.crt
    -rw-rw-rw- 1 admin root 660 May 10 23:33 client.csr
    -rw------- 1 admin root 916 May 10 23:33 client.key
    -rw-rw-rw- 1 admin root 347 May 10 23:33 client.ovpn
    -rw-rw-rw- 1 admin root 0 May 10 23:34 client_status
    -rw------- 1 admin root 386 May 10 23:33 config.ovpn
    -rw-rw-r-- 1 admin root 424 May 10 23:33 dh.pem
    -rw-rw-rw- 1 admin root 198 May 10 23:33 index.txt
    -rw-rw-rw- 1 admin root 21 May 10 23:33 index.txt.attr
    -rw-rw-rw- 1 admin root 21 May 10 23:33 index.txt.attr.old
    -rw-rw-rw- 1 admin root 100 May 10 23:33 index.txt.old
    -rw-rw-rw- 1 admin root 3 May 10 23:33 serial
    -rw-rw-rw- 1 admin root 3 May 10 23:33 serial.old
    -rw-rw-rw- 1 admin root 3803 May 10 23:33 server.crt
    -rw-rw-rw- 1 admin root 664 May 10 23:33 server.csr
    -rw------- 1 admin root 916 May 10 23:33 server.key
    -rw------- 1 admin root 472 May 10 23:34 status

    It's just not populating in the GUI no matter how many times I Default it. For kicks, I enabled Server 2 and I get the same blanks. The only difference is that files are generated in the /tmp/etc/openvpn/server2 directory instead of /tmp/etc/openvpn/server1 (as you would expect).
     
  10. madfusker

    madfusker Regular Contributor

    Joined:
    Jul 20, 2014
    Messages:
    157
    In TOP, I can see the process running:
    /etc/openvpn/vpnserver1 --cd /etc/openvpn/server1 --config config.ovpn

    [email protected]:/tmp/home/root# cat /etc/openvpn/server1/config.ovpn
    # Automatically generated configuration
    daemon
    topology subnet
    server 10.16.0.0 255.255.255.0
    proto udp
    port 1194
    dev tun22
    ncp-ciphers AES-128-GCM:AES-256-GCM:AES-128-CBC:AES-256-CBC
    comp-lzo adaptive
    keepalive 15 60
    verb 3
    push "route 192.168.1.0 255.255.255.0"
    duplicate-cn
    ca ca.crt
    dh dh.pem
    cert server.crt
    key server.key
    status-version 2
    status status 10

    # Custom Configuration
     
  11. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    32,982
    Location:
    Canada
    I just tested it and it's working for me. The generated content is stored in /jffs/openvpn/ . Make sure that directory exists, otherwise it means something is wrong with your JFFS partition.
     
  12. madfusker

    madfusker Regular Contributor

    Joined:
    Jul 20, 2014
    Messages:
    157
    I do have that directory.
    /jffs/openvpn/
    -rw------- 1 admin root 2056 Apr 28 10:03 vpn_crt_client1_ca
    -rw------- 1 admin root 1734 May 1 2016 vpn_crt_client2_ca
    -rw------- 1 admin root 1416 Jan 16 2016 vpn_crt_client3_ca
    -rw------- 1 admin root 1734 May 1 2016 vpn_crt_client4_ca

    All are different cert values.
     
  13. madfusker

    madfusker Regular Contributor

    Joined:
    Jul 20, 2014
    Messages:
    157
    When I export the .OVPN file now (I XXXXX the key):

    client
    dev tun
    proto udp
    remote xxxxxxxxx.xxx 1194
    float
    ncp-ciphers AES-128-GCM:AES-256-GCM:AES-128-CBC:AES-256-CBC
    comp-lzo adaptive
    keepalive 15 60
    ns-cert-type server
    <ca>
    -----BEGIN CERTIFICATE-----
    MIIDNDCCAp2gAwIBAgIJAKV04bD24Kp/MA0GCSqGSIb3DQEBCwUAMHAxCzAJBgNV
    BAYTAlRXMQswCQYDVQQIEwJUVzEPMA0GA1UEBxMGVGFpcGVpMQ0wCwYDVQQKEwRB
    U1VTMREwDwYDVQQDEwhSVC1BQzg3VTEhMB8GCSqGSIb3DQEJARYSbWVAbXlob3N0
    Lm15ZG9tYWluMB4XDTE3MDUxMTA0MzMzNVoXDTI3MDUwOTA0MzMzNVowcDELMAkG
    A1UEBhMCVFcxCzAJBgNVBAgTAlRXMQ8wDQYDVQQHEwZUYWlwZWkxDTALBgNVBAoT
    BEFTVVMxETAPBgNVBAMTCFJULUFDODdVMSEwHwYJKoZIhvcNAQkBFhJtZUBteWhv
    cXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXYEFPGI
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXYEFPGI
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXYEFPGI
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXYEFPGI
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXYEFPGI
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXYEFPGI
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXYEFPGI
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXYEFPGI
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXYEFPGI
    yrpXR4DG/T7Nb6XfQsKtsJECoSTb1g2111ubhwL+VHxjK6zTwROq5w5Xv8XVkPdC
    vApM3hcwE9Jc9191uDK0BQ0prOmdSac+HDn45Ro4MDqWFldi1AeOtRIUlF6ljrGH
    3Xb+qLgbAuY=
    -----END CERTIFICATE-----
    </ca>
    <cert>
    paste client certificate data here
    </cert>
    <key>
    paste client key data here
    </key>
    resolv-retry infinite
    nobind
     
  14. Xentrk

    Xentrk Part of the Furniture

    Joined:
    Jul 21, 2016
    Messages:
    2,839
    Location:
    The Land of Smiles
    Enable jffs partition so you can mimic our setup/config. Go to the Administrative-System Tab.

    Format JFFS partition at next boot = Yes
    Enable JFFS custom scripts and configs = Yes

    Then reboot. Now try RMerlin's recommendation.
     
  15. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    32,982
    Location:
    Canada
    Now your ovpn is correct, you do have actual valid content in the <ca> block. However you enabled key/cert based authentication, which is why those fields are telling you to paste the content there. This is something you have to create yourself, take a look at the documentation on the Wiki for more info. Otherwise, stick to user/password only authentication, this is a setting on the webui.
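    The three export states seen in this thread (post 7's <ca> block holding a stray value, post 13's valid CA with leftover "paste ... here" placeholders, and the user/password-only profile RMerlin recommends here) can be told apart before a profile is handed to a phone. The C checker below is an added example, not firmware code: check_ovpn_export and inline_block are hypothetical, and the sample profiles are constructed from the posts above with a placeholder in place of any real certificate.

```c
#include <stdio.h>
#include <string.h>
/* Copy the text between <tag> and </tag> of an .ovpn into out.
 * Returns 0 on success, -1 if the block is missing or too large. */
static int inline_block(const char *cfg, const char *tag, char *out, size_t outlen) {
    char open[32], close[32];
    snprintf(open, sizeof open, "<%s>", tag);
    snprintf(close, sizeof close, "</%s>", tag);
    const char *s = strstr(cfg, open);
    if (!s) return -1;
    s += strlen(open);
    const char *e = strstr(s, close);
    if (!e || (size_t)(e - s) >= outlen) return -1;
    memcpy(out, s, (size_t)(e - s));
    out[e - s] = '\0';
    return 0;
}
/* Classify an exported profile the way the replies in this thread did:
 *  -1 = no <ca> block at all
 *   1 = <ca> holds something that is not a certificate (stale-buffer bug)
 *   2 = CA is PEM but <cert>/<key> still carry "paste ... here" placeholders
 *   0 = CA present and no placeholders left (user/password profile) */
int check_ovpn_export(const char *cfg) {
    char ca[8192];
    if (inline_block(cfg, "ca", ca, sizeof ca) != 0) return -1;
    if (!strstr(ca, "-----BEGIN CERTIFICATE-----") ||
        !strstr(ca, "-----END CERTIFICATE-----")) return 1;
    if (strstr(cfg, "paste client certificate data here") ||
        strstr(cfg, "paste client key data here")) return 2;
    return 0;
}
/* Constructed profiles mirroring the exports posted in the thread; the
 * certificate body is a placeholder, not real key material. */
static const char BROKEN_EXPORT[] =
    "client\ndev tun\nproto udp\nremote vpn.example.invalid 1194\n"
    "comp-lzo adaptive\nauth-user-pass\nns-cert-type server\n"
    "<ca>\nadaptive\n</ca>\nresolv-retry infinite\nnobind\n";
static const char CERT_AUTH_EXPORT[] =
    "client\ndev tun\nproto udp\nremote vpn.example.invalid 1194\n"
    "<ca>\n-----BEGIN CERTIFICATE-----\nCONSTRUCTED-NOT-A-CERT\n"
    "-----END CERTIFICATE-----\n</ca>\n"
    "<cert>\npaste client certificate data here\n</cert>\n"
    "<key>\npaste client key data here\n</key>\nnobind\n";
static const char USERPASS_EXPORT[] =
    "client\ndev tun\nproto udp\nremote vpn.example.invalid 1194\n"
    "auth-user-pass\n<ca>\n-----BEGIN CERTIFICATE-----\nCONSTRUCTED-NOT-A-CERT\n"
    "-----END CERTIFICATE-----\n</ca>\nnobind\n";
int demo_broken(void)    { return check_ovpn_export(BROKEN_EXPORT); }    /* 1 */
int demo_cert_auth(void) { return check_ovpn_export(CERT_AUTH_EXPORT); } /* 2 */
int demo_userpass(void)  { return check_ovpn_export(USERPASS_EXPORT); }  /* 0 */
```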
     
  16. Jack Yaz

    Jack Yaz Part of the Furniture

    Joined:
    Apr 20, 2017
    Messages:
    3,382
    I might put together a guide on this, using easyrsa3 for generation of CA, Server and Client certs + keys. RSA2048 and DH2048 etc. My OVPN server seems pretty stable, though I'm bound to have done something not recommended in there! I'll start work on this and make a thread, for feedback from the community.
     
  17. madfusker

    madfusker Regular Contributor

    Joined:
    Jul 20, 2014
    Messages:
    157
    JFFS format magic! It's populating the Keys and Certs now, thanks!
     
  18. madfusker

    madfusker Regular Contributor

    Joined:
    Jul 20, 2014
    Messages:
    157
    It looks like the last barrier is how to access machines behind the other VPN. When I use PPTP Server, I could RDP to any machine inside the PIA VPN running in the other OpenVPN Client tab. Seems like with OpenVPN server it's now allowing the traffic to cross, even with "Push LAN to clients" checked.

    Router is handing out 192.168.1.X IPs, while OpenVPN server is handing out 10.8.0.X. I need to get a 10. machine (my phone) to connect to a 192. machine inside my network. Once I figure this part out, I can stop using PPTP Server completely.

    See settings below and thanks in advance.
     


  19. Xentrk

    Xentrk Part of the Furniture

    Joined:
    Jul 21, 2016
    Messages:
    2,839
    Location:
    The Land of Smiles
    Try changing "Respond to DNS" = Yes.

    I also recommend the following changes.
    Auth Digest = SHA1
    Username/Password Auth only = No
    Legacy fallback cipher = AES-128-CBC

    You will need to export/download a new ovpn file after making the changes.
     
  20. madfusker

    madfusker Regular Contributor

    Joined:
    Jul 20, 2014
    Messages:
    157
    Thanks! I did make those changes to upgrade security from password only, however I still cannot connect to a local machine. I am using an IP so it can't be a DNS issue. Within my local network I can hit the 192.168.1.5 machine from 192.168.3, and both are behind PIA. But when I connect with my cell phone to this OpenVPN server, it connects properly, but I cannot hit 192.168.1.3 from the assigned 10.8.0.2. Is there a manual route that needs to be added to connect the two?