What's new

Tutorial How to setup a VPN Server with Asus routers 380.68 updated 08.24

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Hi All,

I have successfully setup my old Asus RT-N66U as an Open VPN server. The reason behind this is so I can access my home security camera server remotely via VPN instead of forwarding ports. My primary router is a TP-Link Archer C3200 which does not support Open VPN but is however a fantastic Tri band router. My setup is currently as follows:

  • ISP Modem/WiFi Router in Bridge mode
  • TP-Link Router connected to ISP modem (Using Wan port)
  • Asus RT-N66U connected to ISP modem (Using Wan port)

Each router has it's own separate WAN IP and my security cameras and the PC running the software (Blue Iris) are only connected to the Asus router. This setup works perfectly and I can VPN in to my cameras and any shared drives on my PC.

The only downside with this setup is that if for any reason I need to reboot the ISP modem getting both the Asus router & TP-Link router online with their own WAN addresses can be quite challenging. Lots of reboots and unplugging cables lol (My wife doesn't have my patience !!)

I was wondering if is possible to keep my TP-Link router as my primary router and use my Asus router behind my primary with the VPN server running? I have read some guides on setting a 2nd router up behind a primary router as a dedicated VPN client but wasn't sure is it is possible as a dedicated VPN server.

Any advice would be greatly appreciated

Regards

Richard

get a DDNS, to enable DDNS go to WAN tab enable DDNS, configure your OPEN VPN client profile to the DDNS address instead of WAN IP
you might need to extend your connection retry time & retry count, as some DDNS will take a while to refresh and get your new WAN IP everytime you restart your router
 
As others have asked, but I didn't see a solution. How can I route clients from the vpn server out through a vpn client interface?

My Asus 68U is configured with VPN Server and VPN Client. VPN Client is connecting to a 3rd party provider via OpenVPN. I have enabled policy rules that only some LAN clients have their traffic go through that tunnel. This is working as expected for LAN clients as defined in the 'Redirect Internet Traffic' policy rules.

I want to also redirect my VPN Server clients to have their internet traffic go through the tunnel. I have tried to illustrate my setup.

Remotely connect (user) to the Asus VPN Server. Route that traffic out through the 3rd Party VPN Client connection.
 

Attachments

  • network1.PNG
    network1.PNG
    412.8 KB · Views: 572
Why you overcomplicate the state of affairs so much. Here's the simplest app for a phone vpn for android . And it works as great as hard VPN

That's not the same thing as configuring a VPN server on your router, as this thread explains. Those app will not allow you remote access to your LAN.
 
As others have asked, but I didn't see a solution. How can I route clients from the vpn server out through a vpn client interface?

My Asus 68U is configured with VPN Server and VPN Client. VPN Client is connecting to a 3rd party provider via OpenVPN. I have enabled policy rules that only some LAN clients have their traffic go through that tunnel. This is working as expected for LAN clients as defined in the 'Redirect Internet Traffic' policy rules.

I want to also redirect my VPN Server clients to have their internet traffic go through the tunnel. I have tried to illustrate my setup.

Remotely connect (user) to the Asus VPN Server. Route that traffic out through the 3rd Party VPN Client connection.

openvpn server and client question
 
I just tracked down the bug causing this in the code. If you don't have any CA defined (or if the router is unable to open the CA file in jffs), then the previous content of a buffer gets written instead. I'll fix that one on my end.

On your end however, your issue is the current lack of any CA. If you start by defaulting the OpenVPN server, it will then automatically generate one for you. You can check the content of the Keys & Certificate pages afterward.

There is still something a bit goofy here. I just moved from 380 to 384 firmware and so I reset my router to factory defaults for the upgrade. I spent a couple hours trying to get this to generate a proper .ovpn file. I had to reset the VPN Server page to defaults several times, and then it seemed like with no warning it finally generated. When I exported, it had everything populated. Something in advanced has to be toggled just right for it to generate properly, and unfortunately I am not sure what I did.

This is back to post #69 in this thread. https://www.snbforums.com/threads/h...380-68-updated-08-24.33638/page-4#post-323793
 
If I have OpenVPN configured on the router, - can I connect to it from the computer on the LAN of that router (the same subnet, 192.168.10.x), or do I have to be connecting from an outside network?
I am trying to test my OpenVPN connection from a laptop, but the connection is never established, and I am getting this in the server logs:

Apr 18 13:56:21 openvpn[3000]: 192.168.10.19 TLS: Initial packet from [AF_INET6]::ffff:192.168.10.19:65453, sid=247a2830 f80cb13d
Apr 18 13:57:21 openvpn[3000]: 192.168.10.19 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Apr 18 13:57:21 openvpn[3000]: 192.168.10.19 TLS Error: TLS handshake failed
Apr 18 13:57:21 openvpn[3000]: 192.168.10.19 SIGUSR1[soft,tls-error] received, client-instance restarting
Apr 18 13:57:25 openvpn[3000]: 192.168.10.19 TLS: Initial packet from [AF_INET6]::ffff:192.168.10.19:64174, sid=b6d591c0 91642e76

Client side log:
Wed Apr 18 13:56:21 2018 us=506962 LZO compression initializing
Wed Apr 18 13:56:21 2018 us=506962 Control Channel MTU parms [ L:1622 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Wed Apr 18 13:56:21 2018 us=506962 MANAGEMENT: >STATE:1524077781,RESOLVE,,,,,,
Wed Apr 18 13:56:21 2018 us=930986 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Wed Apr 18 13:56:21 2018 us=930986 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Wed Apr 18 13:56:21 2018 us=930986 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Wed Apr 18 13:56:21 2018 us=930986 TCP/UDP: Preserving recently used remote address: [AF_INET]My.IP.x.x:1194
Wed Apr 18 13:56:21 2018 us=930986 Socket Buffers: R=[8192->8192] S=[8192->8192]
Wed Apr 18 13:56:21 2018 us=930986 UDP link local: (not bound)
Wed Apr 18 13:56:21 2018 us=930986 UDP link remote: [AF_INET]My.IP.x.x:1194
Wed Apr 18 13:56:21 2018 us=931987 MANAGEMENT: >STATE:1524077781,WAIT,,,,,,
Wed Apr 18 13:57:21 2018 us=332384 [UNDEF] Inactivity timeout (--ping-restart), restarting
Wed Apr 18 13:57:21 2018 us=333384 TCP/UDP: Closing socket
Wed Apr 18 13:57:21 2018 us=333384 SIGUSR1[soft,ping-restart] received, process restarting
Wed Apr 18 13:57:21 2018 us=333384 MANAGEMENT: >STATE:1524077841,RECONNECTING,ping-restart,,,,,
Wed Apr 18 13:57:21 2018 us=333384 Restart pause, 5 second(s)


So, I am trying to figure out if the problem could be from the fact I am coming from the same network. The router (RT-N66R) is running 380.69_2 (not upgraded to the latest version). The client is running OpenVPN 2.4.5 on Win 7/32.
 
Sorry for bumping up this thread.
I hope someone would be able to answer this question posted above:
If I have OpenVPN configured on the router, - can I connect to it from the computer on the LAN of that router (the same subnet, 192.168.10.x), or do I have to be connecting from an outside network?
 
I was able to test my connection from an outside network, and it is working. So, the culprit for the problem was connecting from inside the LAN.
Does anybody know how to enable that? It would be handy for testing a few configuration options without necessity to connect from a few miles away.
 
I was able to test my connection from an outside network, and it is working. So, the culprit for the problem was connecting from inside the LAN.
Does anybody know how to enable that? It would be handy for testing a few configuration options without necessity to connect from a few miles away.
I was able to connect to my router using the VPN Server when connected to the LAN. Not sure why you would want to do this though.

upload_2018-4-23_17-26-5.png


Explanation of the settings is documented here:
https://x3mtek.com/openvpn-server-setup-instructions-for-asuswrt-merlin/
 
I was able to connect to my router using the VPN Server when connected to the LAN. Not sure why you would want to do this though.
Thanks for confirming that. I wonder what makes the difference.
And just in case: I did create explicit rules in the Windows Firewall to allow Inbound and Outbound connections for 1094 from and to any address.

As I wrote above, - the purpose is enable testing certain configuration options pertaining to OpenVPN and hosts connected through to it, while being on the local network.


Yep, that's what I have. (The only difference is that at the moment, I've got cipher negotiations disabled, just in case that was simplifying the handshake, but it was not working locally either way.)

One thing that caught my attention in the server logs when I was trying to connect from inside the LAN was that it was recording my IP as the LAN's (in 192.168.10.19), and not my external IP (see the logs I posted above). So, the OpenVPN server was aware that I was coming from inside. I wonder if that is creating confusion for where the packets from the server should be routed to, thus leading to the situation when the client was not receiving server's response.
 
I will update the guide soon. With the new update it's even easier to setup the VPN server.
 
I was able to test my connection from an outside network, and it is working. So, the culprit for the problem was connecting from inside the LAN.

Does anybody know how to enable that? It would be handy for testing a few configuration options without necessity to connect from a few miles away.

Hmmm, accessing your home network from the WAN side, while still at home.

One way might be to access the Internet through your mobile phone (using 3G, *not* WiFi). Then create a hotspot on your phone, and then connect your laptop to the hotspot.

Your laptop will then access the Internet through the phone company's airwaves, and then come back into your building from outside.

But you may like to bear in mind that depending on your mobile phone data plan, this could be either gratis (free as in beer) or horrifically expensive.
 
Hmmm, accessing your home network from the WAN side, while still at home.

One way might be to access the Internet through your mobile phone (using 3G, *not* WiFi). Then create a hotspot on your phone, and then connect your laptop to the hotspot.

Your laptop will then access the Internet through the phone company's airwaves, and then come back into your building from outside.

But you may like to bear in mind that depending on your mobile phone data plan, this could be either gratis (free as in beer) or horrifically expensive.
My problem is on the LAN side on my network. I can access all my shares from ES file manager but I cant from VLC LAN
I don't want to connect through my phone carrier.
Everything worked fine prior to the latest firmware update so maybe its a firewall issue.
I cannot access SAMBA media from the Router or any windows Shares.
This is being connected on my wi fi network
 
Hi Yorgi,

Thank you, based on the guide here, I have successfully setup my OpenVPN for the first time:
  • OpenVPN Server Version 2.3.2 on my ASUS RT-AC5300 with Stock Firmware 3.0.0.4.384_21045-gb451ba1
  • OpenVPN Connect Version 1.2.9 on my iPhone X with iOS 11.4
AlMost all things are working over both Wifi and Cellular connections:
  • Safari Browser via VPN is able to access local IP of various devices like: Asus Router, Synology NAS and etc.
  • All my iOS Apps from Synology like DS Finder, DS File, etc works as expected
The only thing that does not work is
  • ASUS Router iOS App (?) where I get "connection failed"
Is there anything obvious that I might have missed? Thanks for any guidance. The following is my OpenVPN settings:

Screen Shot 2018-06-22 at 12.04.52 PM.png
 
Last edited:
Hi Yorgi,

Thank you, based on the guide here, I have successfully setup my OpenVPN for the first time:
  • OpenVPN Server Version 2.3.2 on my ASUS RT-AC5300 with Stock Firmware 3.0.0.4.384_21045-gb451ba1
  • OpenVPN Connect Version 1.2.9 on my iPhone X with iOS 11.4
AlMost all things are working over both Wifi and Cellular connections:
  • Safari Browser via VPN is able to access local IP of various devices like: Asus Router, Synology NAS and etc.
  • All my iOS Apps from Synology like DS Finder, DS File, etc works as expected
The only thing that does not work is
  • ASUS Router iOS App (?) where I get "connection failed"
Is there anything obvious that I might have missed? Thanks for any guidance. The following is my OpenVPN settings:

View attachment 13523
Connection to LAN clients appears to check out okay.

I don’t use the apps. Maybe it does not work for remote access? I saw a similar issue here http://forums.whirlpool.net.au/archive/2625046

Do you have a dynamic WAN IP and if so, have you also configured DDNS?

Can you access the web GUI using a browser by entering the IP address of the router in the URL?
 
Last edited:
Connection to LAN clients appears to check out okay.

I don’t use the apps. Maybe it does not work for remote access? I saw a similar issue here http://forums.whirlpool.net.au/archive/2625046

Do you have a dynamic WAN IP and if so, have you also configured DDNS?

Can you access the web GUI using a browser by entering the IP address of the router in the URL?

Xentrk,

Thanks for your reply :)
  • Yes my DDNS is configured correctly, I am using "www.NO-IP.com" Dynamic DNS service provider and
  • Yes web GUI using Safari Browser on iPhone by entering local IP address of my router in URL is working
 
Xentrk,

Thanks for your reply :)
  • Yes my DDNS is configured correctly, I am using "www.NO-IP.com" Dynamic DNS service provider and
  • Yes web GUI using Safari Browser on iPhone by entering local IP address of my router in URL is working
Everything looks okay with the OpenVPN Server configuration. It appears to be an app issue.

Looks like you are not the first person to have this issue. https://www.snbforums.com/threads/asus-router-app-over-vpn.29875/

The app appears to only work when connected directly to the WiFi. According to the https://www.asus.com/asus-router-app/ website, the app should allow you to access from wherever you are.

Check Network Status Wherever You Are
With ASUS Router App, you’re able to keep an eye on both your network traffic and your connected devices anywhere and at any time — for instant reassurance, day or night!

But contact Asus Support or the developer to verify.

I believe the issues is the app only works for remote access if you enable access to the router GUI over the WAN? It apparently does it without asking you. If so, don't use the app unless you want to be hacked! This is discussed in some of the recent threads about people being hacked.
https://www.snbforums.com/threads/p...nt-from-senior-users.45597/page-8#post-395089

https://www.snbforums.com/threads/p...nt-from-senior-users.45597/page-8#post-403569
 
Last edited:
Everything looks okay with the OpenVPN Server configuration. It appears to be an app issue.

Looks like you are not the first person to have this issue. https://www.snbforums.com/threads/asus-router-app-over-vpn.29875/

The app appears to only work when connected directly to the WiFi. According to the https://www.asus.com/asus-router-app/ website, the app should allow you to access from wherever you are.

But contact Asus Support or the developer to verify.

I believe the issues is the app only works for remote access if you enable access to the router GUI over the WAN? It apparently does it without asking you. If so, don't use the app unless you want to be hacked! This is discussed in some of the recent threads about people being hacked.
https://www.snbforums.com/threads/p...nt-from-senior-users.45597/page-8#post-395089

https://www.snbforums.com/threads/p...nt-from-senior-users.45597/page-8#post-403569

Xentrk,

Thank you for your reply :)
  • I just saw the thread ... it was over 2 years ago ... so was hoping that the issue might have been resolved. I would expect that ASUS own iOS "ASUS Router App" should at least work over it's own "OpenVPN Server" ;)
  • By the way, the new iOS App Version 1.0.0.0.95 actually provides an option during setup to Decline the "Enable Remote Connection". I only use it in my Local Network ... hoping that OpenVPN Connection would provide a more secured option vs direct WAN access.
IMG_9024.PNG

  • I have contacted ASUS email support ... not very useful so far, they just told me
    • to turn on WAN Access ... :( that will expose my Home network as you mentioned and
    • give me some standard canned reply to setup DDNS, Firmware Upgrade, ... etc.
  • I am quite happy with my first OpenVPN Server experience connecting from iOS and macOS devices so far. Thanks to guidance I found on this thread :)
 
Glad to help. You reminded me why I don't use the apps. The issue with having to enable GUI access over the WAN is troubling. Ah, the IoT.

I always use VPN for the three routers I support remotely. I access the Web GUI using a browser on my Windows 10 laptop, Android Phone or iOS iPad. I wrote a post in March about setting up OpenVPN Server on AsusWRT-Merlin and how to configure the clients on iOS, Android, Windows and Mac OSx that may be of additional help.

https://x3mtek.com/openvpn-server-setup-instructions-for-asuswrt-merlin/
 

Similar threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top