Tutorial: How to set up a VPN Server with Asus routers 380.68 (updated 08.24)

Glad to help. You reminded me why I don't use the apps. The issue with having to enable GUI access over the WAN is troubling. Ah, the IoT.

I always use VPN for the three routers I support remotely. I access the Web GUI using a browser on my Windows 10 laptop, Android phone or iOS iPad. I wrote a post in March about setting up OpenVPN Server on AsusWRT-Merlin and how to configure the clients on iOS, Android, Windows and Mac OS X that may be of additional help.

https://x3mtek.com/openvpn-server-setup-instructions-for-asuswrt-merlin/
Thank you!
 
Hi Yorgi,

Having trouble accessing all my devices using an Android phone and a Windows 7 laptop from a new ASUS RT-AC88U with Merlin 384.5 and OpenVPN. This replaced an ASUS RT-AC66U running Merlin; OpenVPN worked great there, no problem at all accessing everything. Now I can no longer access the IP cameras.

I read through your awesome tutorial several times and the suggestions from the others, but still get errors. I manually assigned static IPs in the DHCP tab as recommended, but no change. Encryption is 2048, Advertise to Clients: Yes, Legacy/fallback cipher: AES-128-CBC, Compression: LZO adaptive; the other settings in the Advanced tab are default.

There has to be something simple I am overlooking because I am no expert in this and it worked fine on the other router when I set it up. That router is gone so I cannot look at those settings.

Thank you,

Paul
 

Paul,
A few things I would check, some of them my own mistakes, for your consideration (by the way, I use stock firmware, as I need the AiMesh function):
  • After setting up OpenVPN Server on your new router, I assume that you exported the client.ovpn and use it on your devices for the OpenVPN connection.
  • Is DDNS working correctly, especially if you are using the same [your domain].asuscomm.com from your old router?
Hope you get it to work soon :)
 


Thank you for the reply. Yes to both. I have no problem accessing the router, security, etc., just not the IP cameras for some reason.
 
Per this forum post, try changing the Interface setting from TUN to TAP. Export a new config to the client and try to access the camera.

Or, try the suggestion by @eibgrab here
 
@yorgi such a great guide! Thank you very much!
I have followed your instructions and set up an OpenVPN server on my new Asus AC58U router.
Everything works fine: I'm able to reach my LAN shares (on my Zyxel NAS) without any problem and I can also connect to my desktop with the NX protocol (NoMachine).

I do have some speed problems, though, which I will address later.

But for now, I want to ask if I should be worried about some red lines in my connection log:

OpenVPN 2.4.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 26 2018
Windows version 6.2 (Windows 8 or greater) 64bit
library versions: OpenSSL 1.1.0h 27 Mar 2018, LZO 2.10
Enter Management Password:

WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
TCP/UDP: Preserving recently used remote address: [AF_INET]xx.xx.xx.xx:51170
UDP link local: (not bound)
UDP link remote: [AF_INET]xx.xx.xx.xx:51170

WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
[RT-AC58U] Peer Connection Initiated with [AF_INET]xx.xx.xx.xx:51170
open_tun
TAP-WIN32 device [Ethernet] opened: \\.\Global\{xxxxxxxxxxxxxxxx}.tap
Notified TAP-Windows driver to set a DHCP IP/netmask of 10.10.50.6/255.255.255.252 on interface {xxxxxxxxxxxxxxx} [DHCP-serv: 10.10.50.5, lease-time: 31536000]
Successful ARP Flush on interface [14] {xxxxxxxxxxxxxxxx}
do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Initialization Sequence Completed
This is my config: (two screenshots attached to the original post)
 
Hi

With the help in this thread, I have set up my OpenVPN Server on my ASUS RT-AC5300 with firmware 3.0.0.4.384_21140-ge07a2dd.
  1. On my iPhone X (iOS 11.4.1) I am able to successfully "connect" and "disconnect" from the OpenVPN Server using the iOS app "OpenVPN Connect" set up with the exported "client.ovpn".
  2. On my Mac (macOS 10.13.6) with the current stable version of Tunnelblick and the same "client.ovpn", I am able to successfully connect to the OpenVPN Server. BUT, I am unable to successfully disconnect (?). I would greatly appreciate some guidance on what I might have missed.
  • The Tunnelblick log, showing the last part of the successful connection and the disconnect process:
Code:
2018-07-23 09:28:23 Initialization Sequence Completed
2018-07-23 09:28:23 MANAGEMENT: >STATE:1532309303,CONNECTED,SUCCESS,10.8.0.6,218.212.xxx.xxx,pppp,,
2018-07-23 09:28:27 *Tunnelblick process-network-changes: A system configuration change was ignored
2018-07-23 09:28:28 *Tunnelblick: This computer's apparent public IP address (183.90.36.235) was unchanged after the connection was made

2018-07-23 09:35:17 *Tunnelblick: Disconnecting; VPN Details… window disconnect button pressed
2018-07-23 09:35:17 *Tunnelblick: No 'pre-disconnect.sh' script to execute
2018-07-23 09:35:17 *Tunnelblick: Disconnecting using 'kill'
2018-07-23 09:35:18 event_wait : Interrupted system call (code=4)
2018-07-23 09:35:18 /sbin/route delete -net 192.168.xxx.0 10.8.0.5 255.255.255.0
                                        delete net 192.168.xxx.0: gateway 10.8.0.5
2018-07-23 09:35:18 /sbin/route delete -net 10.8.0.1 10.8.0.5 255.255.255.255
                                        delete net 10.8.0.1: gateway 10.8.0.5
2018-07-23 09:35:18 Closing TUN/TAP interface
2018-07-23 09:35:18 /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -9 -d -f -m -w -ptAAAAAaaaaaaa utun1 1500 1558 10.8.0.6 10.8.0.5 init
                                        **********************************************
                                        Start of output from client.down.tunnelblick.sh
                                        Cancelled monitoring of system configuration changes
                                        Restored the DNS and SMB configurations
                                        Re-enabled IPv6 (automatic) for 'Thunderbolt Ethernet'
                                        Re-enabled IPv6 (automatic) for 'iPhone USB'
                                        Re-enabled IPv6 (automatic) for 'Wi-Fi'
                                        Re-enabled IPv6 (automatic) for 'Bluetooth PAN'
                                        Re-enabled IPv6 (automatic) for 'Thunderbolt Bridge'
                                        Flushed the DNS cache via dscacheutil
                                        /usr/sbin/discoveryutil not present. Not flushing the DNS cache via discoveryutil
                                        Notified mDNSResponder that the DNS cache was flushed
                                        End of output from client.down.tunnelblick.sh
                                        **********************************************
2018-07-23 09:35:18 SIGTERM[hard,] received, process exiting
2018-07-23 09:35:18 MANAGEMENT: >STATE:1532309718,EXITING,SIGTERM,,,,,
2018-07-23 09:35:18 *Tunnelblick: No 'post-disconnect.sh' script to execute
2018-07-23 09:35:18 *Tunnelblick: Expected disconnection occurred.
  • In the ASUS RT-AC5300 logs it looks like there is no response, but a timeout a little later:
Code:
Jul 23 09:28:19 vpnserver1[31673]: client/183.90.36.235:31393 SENT CONTROL [client]: 'PUSH_REPLY,route 192.168.xxx.0 255.255.255.0 vpn_gateway 500,dhcp-option DNS 192.168.xxx.1,route 10.8.0.1,topology net30,ping 15,ping-restart 60,ifconfig 10.8.0.6 10.8.0.5' (status=1)

Jul 23 09:37:18 vpnserver1[31673]: client/183.90.36.235:31393 [client] Inactivity timeout (--ping-restart), restarting
Jul 23 09:37:18 vpnserver1[31673]: client/183.90.36.235:31393 SIGUSR1[soft,ping-restart] received, client-instance restarting
 
Just some additional information: when I use the iPhone X with the iOS OpenVPN app and disconnect the OpenVPN connection, I can see the disconnect request received by my OpenVPN Server on my Asus RT-AC5300 as follows:

Code:
Jul 25 11:33:37 vpnserver1[9465]: 192.168.xxx.xxx:nnnnn TLS: Initial packet from [AF_INET]192.168.xxx.xxx:nnnnn (via [AF_INET]218.212.xxx.xxx%br0), sid=aaaaaaaa aaaaaaaa
Jul 25 11:33:38 vpnserver1[9465]: 192.168.xxx.xxx:nnnnn VERIFY OK: depth=1, C=TW, ST=TW, L=Taipei, O=ASUS, CN=RT-AC5300, emailAddress=me@myhost.mydomain
Jul 25 11:33:38 vpnserver1[9465]: 192.168.xxx.xxx:nnnnn VERIFY OK: depth=0, C=TW, ST=TW, L=Taipei, O=ASUS, CN=client, emailAddress=me@myhost.mydomain
Jul 25 11:33:38 vpnserver1[9465]: 192.168.xxx.xxx:nnnnn PLUGIN_CALL: POST /usr/lib/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Jul 25 11:33:38 vpnserver1[9465]: 192.168.xxx.xxx:nnnnn TLS: Username/Password authentication succeeded for username ‘aaaaa’
Jul 25 11:33:38 vpnserver1[9465]: 192.168.xxx.xxx:nnnnn Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Jul 25 11:33:38 vpnserver1[9465]: 192.168.xxx.xxx:nnnnn Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jul 25 11:33:38 vpnserver1[9465]: 192.168.xxx.xxx:nnnnn Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Jul 25 11:33:38 vpnserver1[9465]: 192.168.xxx.xxx:nnnnn Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jul 25 11:33:38 vpnserver1[9465]: 192.168.xxx.xxx:nnnnn Control Channel: TLSv1, cipher TLSv1/SSLv3 EDH-RSA-DES-CBC3-SHA, 2048 bit RSA
Jul 25 11:33:38 vpnserver1[9465]: 192.168.xxx.xxx:nnnnn [client] Peer Connection Initiated with [AF_INET]192.168.xxx.xxx:65056 (via [AF_INET]218.212.xxx.xxx%br0)
Jul 25 11:33:38 vpnserver1[9465]: client/192.168.xxx.xxx:65056 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
Jul 25 11:33:38 vpnserver1[9465]: client/192.168.xxx.xxx:65056 MULTI: Learn: 10.8.0.6 -> client/192.168.xxx.xxx:nnnnn
Jul 25 11:33:38 vpnserver1[9465]: client/192.168.xxx.xxx:65056 MULTI: primary virtual IP for client/192.168.xxx.xxx:nnnnn: 10.8.0.6
Jul 25 11:33:38 vpnserver1[9465]: client/192.168.xxx.xxx:65056 PUSH: Received control message: 'PUSH_REQUEST'
Jul 25 11:33:38 vpnserver1[9465]: client/192.168.xxx.xxx:65056 send_push_reply(): safe_cap=940
Jul 25 11:33:38 vpnserver1[9465]: client/192.168.xxx.xxx:65056 SENT CONTROL [client]: 'PUSH_REPLY,route 192.168.xxx.0 255.255.255.0 vpn_gateway 500,redirect-gateway def1,dhcp-option DNS 192.168.xxx.1,route 10.8.0.1,topology net30,ping 15,ping-restart 60,ifconfig 10.8.0.6 10.8.0.5' (status=1)

Jul 25 11:34:16 vpnserver1[9465]: client/192.168.xxx.xxx:nnnnn SIGTERM[soft,remote-exit] received, client-instance exiting
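The two logs above point at concrete profile changes: the client warns that "ns-cert-type" is deprecated (OpenVPN 2.4 replaced it with "remote-cert-tls server"), it warns that the password stays cached unless "auth-nocache" is set, and the router only cleared the Tunnelblick session by ping-restart eight minutes later, while the iOS disconnect arrived immediately as remote-exit. That exit message is what the client-side "explicit-exit-notify" option sends over UDP when the client process exits; after adding it, check that the router log shows "SIGTERM[soft,remote-exit]" instead of "Inactivity timeout (--ping-restart)". The router log also shows the control channel negotiated at TLSv1 with a 3DES cipher, which "tls-version-min 1.2" refuses. The Python below is an added example by the editor, not code from any post in this thread or from AsusWRT-Merlin: it parses a client profile and a log and lists the changes. Both profiles and the log lines are constructed; the hostname and the exact set of directives the router exported in these firmware versions are assumptions.

```python
"""Lint an exported OpenVPN client profile and a client log for the issues
seen in the posts above: deprecated ns-cert-type, cached password, a session
the server only clears after ping-restart (no explicit-exit-notify), and a
TLSv1 / 3DES control channel. Added example by the editor, not code from
the page or from AsusWRT-Merlin; profiles and log lines are constructed."""
import re

# Constructed: resembles a client.ovpn exported by the router GUI (assumed)
WEAK_OVPN = """\
client
dev tun
proto udp
remote router.example.asuscomm.com 1194
ns-cert-type server
cipher AES-128-CBC
comp-lzo adaptive
auth-user-pass
<ca>
(certificate body omitted in this sample)
</ca>
"""

# Constructed: the same profile with every finding addressed (OpenVPN 2.4+)
FIXED_OVPN = """\
client
dev tun
proto udp
remote router.example.asuscomm.com 1194
remote-cert-tls server
tls-version-min 1.2
auth-user-pass
auth-nocache
explicit-exit-notify
<ca>
(certificate body omitted in this sample)
</ca>
<tls-crypt>
(static key omitted in this sample)
</tls-crypt>
"""

# Constructed log lines paraphrasing the warnings quoted in the thread
SAMPLE_LOG = """\
WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Control Channel: TLSv1, cipher TLSv1/SSLv3 EDH-RSA-DES-CBC3-SHA, 2048 bit RSA
Initialization Sequence Completed
"""

def parse_ovpn(text):
    """Return (directives, inline_blocks). directives maps an option name to
    its argument lists; inline_blocks is the set of <tag> sections present."""
    directives, blocks, current = {}, set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if current:                                  # inside <ca> ... </ca> etc.
            if line == f"</{current}>":
                current = None
            continue
        if line.startswith("<") and line.endswith(">"):
            current = line[1:-1]
            blocks.add(current)
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(args)
    return directives, blocks

def lint_ovpn(text):
    """Return the changes a client profile needs, as human-readable strings."""
    d, blocks = parse_ovpn(text)
    findings = []
    if "ns-cert-type" in d:
        findings.append("replace 'ns-cert-type server' with 'remote-cert-tls server' (deprecated since 2.4)")
    elif "remote-cert-tls" not in d:
        findings.append("add 'remote-cert-tls server' so another client certificate cannot pose as the server")
    if "auth-user-pass" in d and "auth-nocache" not in d:
        findings.append("add 'auth-nocache' so the password is dropped from memory after the handshake")
    proto = d.get("proto", [["udp"]])[0]
    if (not proto or proto[0].lower().startswith("udp")) and "explicit-exit-notify" not in d:
        findings.append("add 'explicit-exit-notify' so the server ends the session at disconnect, not at ping-restart")
    if "tls-version-min" not in d:
        findings.append("add 'tls-version-min 1.2' to refuse a TLSv1 control channel")
    if not {"tls-auth", "tls-crypt"} & (set(d) | blocks):
        findings.append("enable tls-crypt (or tls-auth) on the router, then re-export so the profile carries the key")
    return findings

LOG_RULES = (
    (re.compile(r"--ns-cert-type is DEPRECATED"), "ns-cert-type"),
    (re.compile(r"may cache passwords in memory"), "auth-nocache"),
    (re.compile(r"Control Channel: TLSv1,"), "tls-version-min"),
    (re.compile(r"DES-CBC3"), "3des-control-cipher"),
)

def lint_log(text):
    """Map log lines (client or router side) to the setting that silences them."""
    return [tag for line in text.splitlines() for pat, tag in LOG_RULES if pat.search(line)]
```

Calling lint_ovpn(WEAK_OVPN) lists five changes, lint_ovpn(FIXED_OVPN) returns an empty list, and lint_log(SAMPLE_LOG) maps each warning to the directive that silences it. The tls-crypt and tls-version-min items need the matching server-side settings on the router (the "TLS control channel security" option in the server's Advanced tab) before the re-exported profile will connect.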
 
I have a VPN server on my router (OpenVPN / RT-AC1900P) that works great, but now I want to be able to connect to it and, while having local access, use Remote Play with a PS4. However, this connection isn't the same from outside as connecting internally on Wi-Fi...

Are there special settings that have to be turned on in the advanced settings to make it as if I were connected internally via Wi-Fi, like DNS and such? I am using the official Asus firmware.
 
I have been trying to set up OpenVPN as a VPN server to connect to with iOS and Android devices. I got as far as being able to connect with iOS and Android devices to the router. However, neither one can see/access other devices on the LAN.

Router is a RT-AC68P with f/w 384.6.

I have tried to follow the server set up instructions in this thread as much as possible. However, the interface has since changed, so that some fields are now missing or have been added. Please see attached screenshot for what it looks now on my router.


When my iOS device connects, it shows my router's WAN IP as the server address. Its IP address is 10.8.0.2.

Any assistance would be greatly appreciated!

------------------------
Update... found the issue: I had different compression settings between the devices' ovpn profiles and the router. It's working now.
 

Attachment: 2018-08-12_14h56_47.png
Hello everyone!

I have been rattling my brain for hours now. I have AsusWRT-Merlin installed on my router and have the OpenVPN server enabled.
I can connect with no problem using my phone via cellular, but once I join my Wi-Fi network (where the VPN is being hosted), the VPN no longer works.
Is there a way I can have it connect to the VPN locally as well as externally?

Thanks!!!

General:

RSA Encryption: 2048 bit
Client will use VPN to access: Both

Advanced:
Interface Type: tun
Protocol: UDP
Server Port: (default 1194)
Authorization Mode: TLS
Keys and Certificates
Username/Password Authentication: Yes
Username / Password Auth. Only: No
TLS control channel security (tls-auth / tls-crypt): disable
HMAC Authentication: default
VPN Subnet / Netmask: 10.8.0.0 255.255.255.0
Advertise DNS to clients: Yes
Cipher Negotiation: Enabled with fallback (the exported client ovpn file will require OpenVPN 2.4.0 or newer)
Negotiable ciphers: (value exists)
Legacy/fallback cipher: aes-128-cbc
Compression: LZO adaptive
Log verbosity: (between 0 and 6, default 3)
Manage Client-Specific Options: No
Allow Client <-> Client: No
Allow only specified clients: No
 
Why would you want to connect to a local VPN? Network-wise it makes no sense.
 
Correct, if you're connected by wifi, you're already on the network you're trying to connect to.
 
Hello, yes, I know it's a strange question, and it comes from a somewhat lazy reason.

For some more background as to why:
I have a Pi-hole on my network which I use on my phone on the go.

Because I'm constantly connected to home on the go, it would be convenient to use the always-on VPN setting.

I cannot do this, however, because when I connect to my home Wi-Fi, the VPN can't connect. I then have to turn off the VPN and remember to turn it on when I leave again.

I was hoping there was an easy solution to this, network-configuration-wise, that would resolve it. I can look into automation on my phone, however, if it is not possible.

**Edit**
I created a Tasker plugin for this, and it works so I guess this isn't 100% necessary anymore but would still like to know if it's possible, if not from a purely academic standpoint.
 
Hey,

I have an issue with an OpenVPN connection. I have an Asus RT-N66 (client router, in a different country from the server) and an Asus RT-3200 (server router, at home). My setup uses TAP. That is because when my television decoder from the cable TV provider is connected to the home router I can access more channels in their Android app. This works fine, but my problem is a DNS leak, and that I don't get my home WAN IP when connected to the client router (I want my country's version of Netflix etc.).


Home router (server) IP: 192.162.1.1 (DHCP IP range: 192.168.1.x-x)
Abroad router (client) IP: 192.162.1.150 (DHCP IP range: 192.168.1.y-y)

I have tried to give my phone, when connected by WLAN to the client router, an IP address on the server router and set that router as default, but then nothing happens: no internet, nothing. My brother at home complains that he gets an IP from the DHCP pool of my client router and gets the WAN IP of the client router (not wanted; a workaround with static addresses will probably fix this, but this is not the problem). The problem is that I want my home server's WAN IP when connected to the client router. Why doesn't it work with a static address in the Wi-Fi connection on the client router?

I use the built-in software; here is my server setup (photo DSC_0003.JPG attached to the post):

Does the enabled "Allocate from DHCP" have anything to do with this?

Some suggest putting this in the config, but I haven't tried it myself since it was for TUN:
Code:
push "dhcp-option DNS 192.168.1.1"
push "redirect-gateway def1"

I hope someone can help.
 
Thanks a lot for this manual, I was searching but this works like a charm and now I can safely access my cameras without opening all kinds of http ports where they spill all the passwords.
 
Change the "Protocol" to TCP.
Then you will have to re-download the client.ovpn and reload it into your phone.
 
-------edit---------

Nothing works from one LAN to the other. Both LANs use the same DHCP span: 192.168.1.1-192.168.1.254.

Is there any solution for that kind of behaviour with OpenVPN TAP?


Hi everyone,

I'm using an OpenVPN TAP server on my Asus RT-AC86U.

Everything works perfectly except one thing.

I can't connect to the router GUI from LAN to LAN.

If I'm using 4G from my cellphone, then I'm able to log into the Asus router GUI.

But never from a Wi-Fi connection at any other location.

From both a LAN outside my OpenVPN server and 4G cellular I can connect to everything on the server's LAN.

Can anyone give me a hint?


Thanks
 
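This post and the earlier TAP post (two routers whose LANs are both 192.168.1.0/24, and a host at home leasing an address from the remote router's DHCP pool) come down to overlapping networks. The Python below is an added example by the editor, not code from either post or from the router firmware, and every address in it is constructed. It reports which of the planned networks overlap, emulates the client's longest-prefix route choice to show why a pushed route for a LAN identical to the client's own is at best ambiguous, and picks a replacement subnet that collides with nothing.

```python
"""Find overlapping networks in an OpenVPN layout and show why an identical
remote LAN cannot be routed through the tunnel. Added example by the editor,
not code from the page; all addresses are constructed."""
import ipaddress

def overlapping(named_nets):
    """named_nets: {"home LAN": "192.168.1.0/24", ...}; return pairs that overlap."""
    nets = {name: ipaddress.ip_network(cidr, strict=False) for name, cidr in named_nets.items()}
    names = list(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:] if nets[a].overlaps(nets[b])]

def next_hop(dst, client_lan, pushed_routes):
    """Emulate longest-prefix matching on a TUN client. The directly connected
    LAN and every pushed 'route' compete; an equal-length tie is reported as
    'ambiguous' because which one wins depends on the OS and route metrics."""
    dst = ipaddress.ip_address(dst)
    candidates = [("local", ipaddress.ip_network(client_lan, strict=False))]
    candidates += [("tunnel", ipaddress.ip_network(r, strict=False)) for r in pushed_routes]
    best_len, best = -1, "default"
    for label, net in candidates:
        if dst not in net:
            continue
        if net.prefixlen > best_len:
            best_len, best = net.prefixlen, label
        elif net.prefixlen == best_len and label != best:
            best = "ambiguous"
    return best

def pick_free_subnet(used, candidates=("192.168.50.0/24", "192.168.51.0/24", "172.16.50.0/24")):
    """Return the first candidate subnet that overlaps none of the networks in use."""
    taken = [ipaddress.ip_network(u, strict=False) for u in used]
    for cidr in candidates:
        net = ipaddress.ip_network(cidr)
        if not any(net.overlaps(t) for t in taken):
            return cidr
    return None

def plan(server_lan, vpn_subnet, client_lans):
    """Report overlaps for the whole layout and suggest a subnet to renumber to.
    With TAP the collision is worse than a routing tie: both routers' DHCP
    servers sit in one bridged broadcast domain, so either can answer a lease."""
    named = {"server LAN": server_lan, "VPN subnet": vpn_subnet}
    named.update({f"client LAN {i}": c for i, c in enumerate(client_lans, 1)})
    clashes = overlapping(named)
    suggestion = pick_free_subnet([server_lan, vpn_subnet, *client_lans]) if clashes else None
    return {"overlaps": clashes, "renumber_to": suggestion}
```

plan("192.168.1.0/24", "10.8.0.0/24", ["192.168.1.0/24"]) flags the server and client LANs and suggests 192.168.50.0/24; renumbering one side is the fix in both TUN and TAP mode, since no "route" or "redirect-gateway" push can make a client prefer a tunnel over a destination it believes is on its own segment.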
Is there any reason to use a server port other than the default 1194? Just wondering if there are certain networks or ISPs that may for some reason block port 1194. Part of my question stems from reading forums that mention that VPNs will not work on the cruise ship that I am going on soon. Wasn't sure how they blocked VPNs. Thanks.
 
