
How to setup a VPN Server with Asus routers 380.68 updated 08.24

Discussion in 'VPN' started by yorgi, Jul 14, 2016.

  1. Xentrk

    Xentrk Part of the Furniture

    Joined:
    Jul 21, 2016
    Messages:
    2,839
    Location:
    The Land of Smiles
    Can you draw up a simple network diagram and post it here?
     
  2. madfusker

    madfusker Regular Contributor

    Joined:
    Jul 20, 2014
    Messages:
    157
    Figured it out... Looks like the issue was the router itself was in the PIA VPN policy exception list so I could connect to it on the WAN with PPTP (legacy), otherwise PIA VPN blocked it. I took it out of the exception list and now everything connects! Thanks everyone!
     
    Xentrk likes this.
  3. TheUntouchable

    TheUntouchable Regular Contributor

    Joined:
    May 17, 2017
    Messages:
    181
    Location:
    Germany
    Just a question: Should we not switch from SHA1 to anything different? SHA1 is not secure any longer and will not be supported by a lot of software soon :(
     
  4. Xentrk

    Xentrk Part of the Furniture

    Joined:
    Jul 21, 2016
    Messages:
    2,839
    Location:
    The Land of Smiles
    You are probably right on that one. I knew Blowfish CBC was vulnerable to birthday and SWEET32 attacks. I looked up SHA1 and see your point. Although it does state that "SHA-1 is no longer considered secure against well-funded opponents". I am surprised how many VPN vendors are still using it.

    Sources:
    https://en.wikipedia.org/wiki/SHA-1
    https://en.wikipedia.org/wiki/Blowfish_(cipher)
     
  5. TheUntouchable

    TheUntouchable Regular Contributor

    Joined:
    May 17, 2017
    Messages:
    181
    Location:
    Germany
    Just found that German Ubuntu page for the configuration of OpenVPN:
    https://wiki.ubuntuusers.de/OpenVPN/

    And it says you should use the following settings:
    cipher AES-256-CBC
    auth SHA512

    The standard configuration from Asus is a little bit confusing, as it seems they are first using the weakest ciphers and then the stronger ones, so I changed that to the following:
    AES-256-CBC:AES-128-CBC:AES-256-GCM:AES-128-GCM

    and used the SHA256 Auth digest, should be enough :)
     
  6. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    32,984
    Location:
    Canada
    For HMAC uses, it's still adequate. There's a major performance penalty in switching to SHA256 or SHA512.

    Better to upgrade to OpenVPN 2.4, and use AES-128-GCM, which does not require the use of a separate digest.
     
    Xentrk likes this.
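
As an added example (not part of any post in this thread, and not Asus or Asuswrt-Merlin code), the Python sketch below audits the crypto directives discussed above: it flags 64-bit block ciphers such as Blowfish (SWEET32), reports whether the `auth` digest protects data packets at all once a GCM cipher is in effect, and shows which cipher a negotiation list ordered like the one posted earlier resolves to. It assumes OpenVPN 2.4 defaults and the `ncp-ciphers` directive (not named in the thread), and models negotiation simply as "an NCP-capable client gets the first list entry"; the sample configs are constructed.

```python
# Added example: audit the crypto directives of an OpenVPN 2.4-style config.
# Assumptions: OpenVPN 2.4 defaults (cipher BF-CBC, auth SHA1, ncp-ciphers
# AES-256-GCM:AES-128-GCM) and a simplified negotiation model in which an
# NCP-capable client is given the first entry of ncp-ciphers.
BLOCK64 = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC"}  # 64-bit blocks (SWEET32)

def parse(conf):
    """Map each directive to its argument list, skipping '#' and ';' comment lines."""
    opts = {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        key, *args = line.split()
        opts[key] = args
    return opts

def audit(conf):
    opts = parse(conf)
    cipher = opts.get("cipher", ["BF-CBC"])[0].upper()
    auth = opts.get("auth", ["SHA1"])[0].upper()
    if "ncp-disable" in opts:
        ncp = []  # no negotiation: the static cipher is used
    else:
        ncp = opts.get("ncp-ciphers", ["AES-256-GCM:AES-128-GCM"])[0].upper().split(":")
    effective = ncp[0] if ncp else cipher
    findings = []
    for name in dict.fromkeys([cipher] + ncp):  # de-duplicate, keep order
        if name in BLOCK64:
            findings.append("sweet32:" + name)
    gcm = [i for i, n in enumerate(ncp) if n.endswith("-GCM")]
    cbc = [i for i, n in enumerate(ncp) if n.endswith("-CBC")]
    if gcm and cbc and min(cbc) < min(gcm):
        findings.append("ncp-order:cbc-before-gcm")
    if effective.endswith("-GCM"):
        # AEAD cipher: the auth digest is not applied to data-channel packets
        findings.append("auth-unused:" + auth)
    elif auth == "SHA1":
        findings.append("hmac-sha1")  # informational: HMAC use of SHA1
    return {"effective": effective, "findings": findings}

# Constructed sample configs (not taken from any router in the thread).
LEGACY = "port 1194\nproto udp\nncp-disable\n"
THREAD = ("cipher AES-256-CBC\nauth SHA256\n"
          "ncp-ciphers AES-256-CBC:AES-128-CBC:AES-256-GCM:AES-128-GCM\n")
GCM = "; OpenVPN 2.4 peer\ncipher AES-128-GCM\nncp-ciphers AES-128-GCM\n"

if __name__ == "__main__":
    for name, conf in (("legacy", LEGACY), ("thread", THREAD), ("gcm", GCM)):
        print(name, audit(conf))
```
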
  7. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    32,984
    Location:
    Canada
    I set 128-bit by default because it's nearly twice as fast, and secure enough for home usage.
     
  8. TheUntouchable

    TheUntouchable Regular Contributor

    Joined:
    May 17, 2017
    Messages:
    181
    Location:
    Germany
    Of course, speed is the other side of the medal! As I am coming from the IT sector and running a gateway with a dedicated SSL card, I totally had forgotten that fact ;)

    Anyway, I am testing my configuration mentioned above, let's see if it has a big impact on speed :) Thanks for your information!
     
  9. Jeffitup

    Jeffitup New Around Here

    Joined:
    Jun 5, 2017
    Messages:
    3
    Hey mate, I am having the same problem. Can you explain in a bit more detail how you got around this problem? I can't wrap my head around what you changed. Thanks in advance
     
  10. yorgi

    yorgi Very Senior Member

    Joined:
    Jan 28, 2015
    Messages:
    847
    Location:
    Canada
    With the latest firmware 380.66.4 you need to enable Respond to DNS and enable Advertise DNS to clients, otherwise you will not be able to connect to your local network. This was not the case in the past.
     
  11. bayern1975

    bayern1975 Very Senior Member

    Joined:
    Sep 22, 2015
    Messages:
    551
    I need advice: is this configuration OK, or do I need to use a username and password? I would like to use it without a user and password and would like to know if that is secure or not.
     
  12. yorgi

    yorgi Very Senior Member

    Joined:
    Jan 28, 2015
    Messages:
    847
    Location:
    Canada
    It is very important to have a username and password. Otherwise anyone can log in.
     
  13. bayern1975

    bayern1975 Very Senior Member

    Joined:
    Sep 22, 2015
    Messages:
    551
    What did you mean by anyone can log in? What if only I have the client.ovpn file?

    Sent from my EVA-L09 using Tapatalk
     
  14. Jeffitup

    Jeffitup New Around Here

    Joined:
    Jun 5, 2017
    Messages:
    3
    Thanks yorgi, I appreciate all the help you have provided me so far with the guides.
    My setup as per attached works for accessing computers not behind the PIA VPN but not the ones on it.
    I also have ncp-disable in the custom area, not sure if this is still needed or not

     
  15. yorgi

    yorgi Very Senior Member

    Joined:
    Jan 28, 2015
    Messages:
    847
    Location:
    Canada
    Disable redirect clients to redirect internet traffic if you don't want your internet traffic to go via your VPN server at home and then back to you.
    If you disable this feature, whatever you do on your network will be via the VPN, and when you surf it will be from the local ISP.
    Unless you have a lot of bandwidth to spare, it's not advised to redirect your internet traffic back to your server.
    If you need to access a PC that is on a VPN, the only way you can do this is to remote desktop to a PC that is not on a VPN and then from that PC remote desktop to the VPN PC which is on the same network. You cannot reach a VPN PC from the PIA server. It's the way it is.
     
  16. Jeffitup

    Jeffitup New Around Here

    Joined:
    Jun 5, 2017
    Messages:
    3
    Ah ok, thanks a lot for explaining this. I wasn't sure if it was possible due to the router running everything. Previously I used to pptp in to a machine and could access everything from there, so was hoping this was the same. Thanks again
     
  17. aabs

    aabs New Around Here

    Joined:
    Jun 25, 2017
    Messages:
    2
    I am trying to get an OpenVPN server running on an Asus DSL-AC88U.

    I can connect to the VPN server and the client is given the IP 10.8.0.2.
    Local subnet is 192.168.2.0/24.
    However, I cannot access my local NAS or NVR when connected via VPN.

    A few screenshots of my config to help troubleshoot.
    I'm configured to TCP 443 at the moment as UDP1143 won't connect.
     


  18. yorgi

    yorgi Very Senior Member

    Joined:
    Jan 28, 2015
    Messages:
    847
    Location:
    Canada
    Try setting firewall to Auto and compression to LZO; also go back to TUN UDP 1194.
    I would also try it with AES-128-CBC.
    I had some issues as well with the latest version of the server. It took me a while to get it up and running, but it's working with no issues on my end. Don't forget that every time you make any changes in the advanced configurations you need to export a new .ovpn file to load on your devices. Also, if you have any Windows 10 devices you need to set up a firewall rule to allow shares from other computers that are from the VPN server. I explain that in the article. Let me know if that helped.
     
    aabs likes this.
  19. aabs

    aabs New Around Here

    Joined:
    Jun 25, 2017
    Messages:
    2
    Hi Yorgi,
    Thanks for helping. I got it up and running eventually with your help on UDP.
    Only difference was I had to set firewall to external only.
    Think this may be due to the Asus DSL-AC88U having an inbuilt modem.

    Screenshot to help others struggling to get OpenVPN running on this new model.
     


  20. yorgi

    yorgi Very Senior Member

    Joined:
    Jan 28, 2015
    Messages:
    847
    Location:
    Canada
    With the latest version 380.66.6 using my U87 I am not able to establish network shares from Win 10 PCs.
    Even if I disable Windows firewall I get the same issue. I went back to 380.66.4 and everything works fine.
    Could be a bug with my U87, but if anyone has problems with the VPN server and connecting to Win 10 shares I would advise rolling back until this issue is fixed. I will make some more tests now that I am back on .4 and saved my cfg file.
    Keep you all posted!