Tutorial How to setup a VPN Server with Asus routers 380.68 updated 08.24

Thanks @bnhf and @yorgi. I was on the T-Mobile version and over the weekend flashed it over to Merlin 360.68. However, I am still having the same issues. My file transfer speed between server and client is still about 2Mbps. I have tried both TUN and TAP and get about the same speed with both of them.

My serverside download/upload is 330Mbps/25Mbps
My clientside download/upload is 25Mbps/5Mbps

Here are my server settings:
[Image: eIZzCbu.png]

Any recommendations?

Thanks for your help guys

Just to be sure we don't have a tools issue here -- what are you using to measure the file transfer speeds over the VPN? For example, if you're looking at Windows built-in File Explorer speeds, those are measured in MB (capital B) per second. And, again for example, if you're using SpeedTest.net for up/down speeds that's measuring Mb (small b) per second. At 8 bits or more per byte, I'm sure you get the drift...
 
Oh wow. I feel like an idiot. Thanks for the clarification. So I am getting 2MBps from my Windows File Explorer transfer speeds, which is about 16Mbps, which I think is fairly reasonable based on my ISP's download/upload speed at my server/client. Wow. Thanks @bnhf
 
No worries - it's an easy mistake to make. The good news on this exercise for you is that you're much better off on AsusWRT-Merlin than on that behind-the-times stuff T-Mobile is STILL putting on their version of the AC1900. From a security standpoint alone you've upped your game.
 
Hope someone could help me out. Trying to setup VPN so I can access files on my network from my Note 4.

Merlin firmware. I'm able to connect and browse files on my network, but I can't copy, paste, view or transfer. I can only view the contents and structure. Any idea why?

*Update: I connected and did a Speedtest, download speed is okay on my Note 4, but I'm not getting any uploads to my VPN server.

I think it's a permissions or IP issue somewhere.
 

Why did you put external only on the firewall?
Leave it on auto.
Maybe this is why you are experiencing this issue.
 
Hi. I have this set up and working and connecting my iOS devices OK. The question I have is what is being used to connect to my OpenVPN server by the default config file. Is it only the WAN IP address that is likely to change?
I have a domain already up and running, so can/how do I add that to the config file?

Cheers
 
Is your Asus router updating a DDNS for you? If so, and you had that setup before you exported your .ovpn file then your DDNS domain should already be in the .ovpn file. Look at the file with a text editor to confirm the "remote" entry. If it's your DDNS domain name, then you're set. If it's an IP address, change it to the domain name.
 
No, my Asus router is not, but my Server 2012R2 is.

I found that I needed to open the config file and replace the text "remote 234.234.345.123" with "remote mydomian.com" (not my real IP :)).
Saved it then reloaded it. Job's a gooden!
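
The `remote` check discussed in the posts above, written as a script. This is an added example, not part of the original thread; the function names, the hostname `vpn.example.net` and the sample profile are constructed for illustration.

```python
import ipaddress

# Constructed sample of an exported client profile (documentation-range addresses).
SAMPLE_OVPN = """\
# exported client profile (constructed sample)
client
dev tun
proto udp
remote 203.0.113.45 1194
;remote 198.51.100.7 1194
resolv-retry infinite
<ca>
-----BEGIN CERTIFICATE-----
(placeholder)
-----END CERTIFICATE-----
</ca>
"""

def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def audit_remotes(profile_text):
    """Return (line_number, host, is_ip_literal) for each active 'remote' directive."""
    found = []
    for n, line in enumerate(profile_text.splitlines(), start=1):
        parts = line.split()
        # Lines starting with '#' or ';' are comments, so their first token is not 'remote'.
        if len(parts) >= 2 and parts[0] == "remote":
            found.append((n, parts[1], _is_ip_literal(parts[1])))
    return found

def pin_remotes_to_hostname(profile_text, hostname):
    """Replace IP-literal remote hosts with hostname, keeping port/proto arguments."""
    out = []
    for line in profile_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "remote" and _is_ip_literal(parts[1]):
            parts[1] = hostname
            line = " ".join(parts)
        out.append(line)
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(audit_remotes(SAMPLE_OVPN))
    print(pin_remotes_to_hostname(SAMPLE_OVPN, "vpn.example.net"))
```

A profile that still carries an IP literal stops working as soon as the WAN address changes, so run the audit again after every re-export from the router.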
 
@yorgi or @bnhf

Anything else I should be or not doing with the attached settings? Everything seems to be working OK, just not sure if these are optimal.
 

Finally, in order for file shares to work properly you need to have the router DHCP do the static addresses so this way the ARP entries are stored properly and the router can access shares.
In LAN tab, DHCP server, Basic Config:

IP Pool Starting Address 192.168.1.97
IP Pool Ending Address 192.168.1.254

and in LAN/DHCP tab enable "Enable Manual Assignment".
Look for a network PC MAC address that you want to manage as static IP and assign static IP addresses that are from the static range pool of 192.168.1.99, next PC .98 and .97.
For first PC assign .99 and so on.
If you need more PCs, set the IP pool to reserve all the PCs you want and do them one by one to make sure that the PC gets the address you want.

Hi,

I'm attempting to VPN with my android phone to my LAN in order to access my QNAP 251+ (running my subsonic server). The QNAP (and 2 PCs) are on an external VPN (as a client on the router). I have followed the guide up to the above quote (primarily because I've already set the IP addresses previously and would prefer not to change them again). So my IP Pool starts at 192.168.1.2 and ends at 192.168.1.254. The QNAP (and PCs) reside at addresses less than .25.

I'm guessing that the actual pool doesn't matter so much as long as the logic maintains. My current experience is that I can connect remotely and can reach the internet, but I can't connect to the QNAP. (I haven't tried the PCs as I hadn't made the firewall rule to allow it yet).

Any other thoughts?

Thanks!
 
We could use a bit more detail here. So you have an OpenVPN server setup on an Asus router, with a QNAP server on the LAN side, is this right? And you're attempting to connect over the Internet with an Android phone running OpenVPN client software? And you also have an OpenVPN client running on the router where you're connecting to a VPN provider of some sort?

So if you could answer/confirm the above, and also please post the OpenVPN server config from the Asus here, we could give you some better assistance.
 
Sure -
The Asus is setup as a client (connected to 3rd party VPN provider) and server (using OpenVPN).
The QNAP (along with a few other devices) are routed through the 3rd party VPN provider.
My goal is to somehow connect to the Subsonic (and/or Plex) server, which resides on the QNAP...I've looked into selective routing, but this method of connecting to my network via personal VPN seemed easier.

I've attached the OpenVPN server config. Let me know if there's anything else I can clarify.

Thanks for the help!
 

I use Plex frequently myself, and although you probably could use it through a VPN -- there's no advantage that I can think of. Normally all you do is forward port 32400 in your router (to your Plex server) and confirm remote access in the Plex server setup. Then from the Plex client on your Android, you should be able to connect either on your LAN or on the Internet using your Plex login credentials.

Plex itself determines whether you're on your LAN or remote and keeps track of your public IP much like DDNS. Are you able to access Plex from a client on your LAN? Does your Plex server confirm that remote access is enabled and able to be used remotely? Connecting through a VPN shouldn't make a difference with this. You can connect through the VPN and then launch the Plex client. Plex should consider you to be a local user in that case.

Just took a quick look at Subsonic and it's much the same. Remote access is done by forwarding a port on your router to the Subsonic server. Again, you could do it through a VPN, but why add extra complexity?

I'm not sure where your outbound VPN client factors in to this. It shouldn't make a difference if you have an OpenVPN client running at the same time. If the Plex and Subsonic servers are still accessible on the LAN when the OpenVPN client is running, you should be able to access the resources either on your LAN, or using the built-in remote access capabilities of these two media server packages, or through the VPN.

Your OpenVPN server setup looks fine and should support you being able to access any of your LAN resources by IP address. No special routing required beyond the settings you already have.
 
I get an "indirect connection" with Plex at best...and just connection errors with Subsonic (when remote) but when on LAN - all good. Which is why I think I "should" be able to connect just as well if I am VPN'd in via remote to the LAN. I may just move the server - keeping it on a different PC not behind VPN but on principle, I don't like that solution as much.

Thanks for the continued guidance!
 
Getting an indirect connection with Plex (which means relay servers are being used) and connection errors with Subsonic strongly suggests problems with your public IP. Assuming your ISP gives you a Public IP (most do, though people using cellular for Internet at home usually don't), the most common problem is double NAT. If you have one of those all-in-one modem/routers and you're using your Asus Router behind that, you need to be sure the ISP device is in bridge mode. Please verify that the WAN IP shown on your Asus matches the IP you get from typing "what's my ip" into a Google search box.

Also if you could clarify what you mean by moving the server from behind the VPN. You have a LAN with a single subnet and a single gateway don't you? I'm also assuming here that you don't have any special policy routing in place -- if you do please post the rules you're using. You're not trying to port forward from a VPN provider are you?
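
The WAN IP comparison described in the post above, as an added example that is not part of the original thread. The function names and sample addresses are constructed; the classification goes beyond the post by also separating carrier-grade NAT (RFC 6598) from ordinary double NAT.

```python
import ipaddress

# RFC 1918 private ranges: a WAN address here means another router is NATing upstream.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# RFC 6598 shared address space, used by ISPs for carrier-grade NAT.
CGNAT = ipaddress.ip_network("100.64.0.0/10")

ADVICE = {
    "direct": "WAN IP is the public IP; port forwards and the VPN server are reachable.",
    "double-nat": "An upstream device is routing; put the ISP modem/router in bridge mode.",
    "cgnat": "ISP shares one public IP among customers; inbound connections will not arrive.",
    "mismatch": "WAN IP is public but differs; the lookup may have left via a VPN or proxy.",
}

def classify_wan(router_wan_ip, observed_public_ip):
    """Compare the router's WAN IP with the address an external service reports."""
    wan = ipaddress.ip_address(router_wan_ip)
    pub = ipaddress.ip_address(observed_public_ip)
    if wan == pub:
        return "direct"
    if any(wan in net for net in RFC1918):
        return "double-nat"
    if wan in CGNAT:
        return "cgnat"
    return "mismatch"

def report(router_wan_ip, observed_public_ip):
    verdict = classify_wan(router_wan_ip, observed_public_ip)
    return f"{router_wan_ip} vs {observed_public_ip}: {verdict} - {ADVICE[verdict]}"

# Constructed sample pairs: (WAN IP shown on the router, IP reported by a lookup site).
SAMPLES = [
    ("203.0.113.10", "203.0.113.10"),
    ("192.168.0.2", "203.0.113.10"),
    ("100.72.3.4", "203.0.113.10"),
    ("198.51.100.20", "203.0.113.10"),
]

if __name__ == "__main__":
    for wan, pub in SAMPLES:
        print(report(wan, pub))
```

Do the public-IP lookup from a device that is not routed through the router's outbound VPN client, otherwise the result is the VPN provider's exit address and the check reports a mismatch.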
 
Hi Guys,

Your help will be greatly appreciated, if you can provide advice on how to improve very slow client VPN bandwidth.

I have a brand new Asus AC86U (recently released by Asus) router. When connected with my VPN client PC (wireless or wired), the internet speed (all traffic through the VPN server) I get is extremely slow (0.5 mbps download / 10 mbps upload) with an OpenVPN server built on Asus stock firmware 3.0.0.4.382_18219.
My ISP provides me a stable GPON (fiber) 200 mbps/120 mbps connection. With this ISP connection I was able to get around 15 mbps/15 mbps (all traffic through the OpenVPN server) with my previous Asus router RT-16N flashed with DD-WRT. As you know, the Asus RT-16 is an old router and its CPU speed is much slower compared to the Asus AC86U (1.8 GHz dual core), but the RT-16 has much faster client VPN speed compared to the AC86U, which for me is very odd. My settings on the DD-WRT are the same as the ones on the Asus router.

I have some doubts that the issue might be firewall rules, which I placed on the DD-WRT (below) and do not know how to set up in the Asus stock firmware.

iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT
iptables -I FORWARD 1 --source 10.8.0.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o br0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
iptables -t nat -I POSTROUTING -o tun0 -j MASQUERADE




You can see here my VPN server config in my Asus AC86U

[Image: upload_2017-10-25_12-14-22.png]

I am using OpenVPN client 2.3.11
Should I forward port 1194 in the WAN section of the router, because I noticed that even without port forwarding the VPN connection is established?
 
Hi fryrpc,

Thank you very much for sharing this thread.
It seems you have the same router as me and the same VPN server issue.

I have followed what you shared and now my speed is 60 mbps/60 mbps. Very satisfied now :)
It seems that the process cannot handle more bandwidth because it goes to 80% CPU during the speed test.

What speed do you get now, after the entries are added?

Did Asus support tell you to add these entries to the OpenVPN server config?
Do you know what it means?
Can we increase sndbuf 524288 and rcvbuf 524288 to 1000000 for example?

sndbuf 524288
rcvbuf 524288
push "sndbuf 524288"
push "rcvbuf 524288"
fast-io
 
Replied in the quoted thread :) as that one is probably more relevant to the router/firmware.
 
