
Tutorial How to setup a VPN Server with Asus routers 380.68 updated 08.24


Or perhaps I see no way to get the client to use credentials included in the exported config.
Credentials can be stored on the client side. Create a file with username on the first line, and password on the second line. Then in the .ovpn config file, reference it this way:

Code:
auth-user-pass filename_with_credentials

And configuring that client may happen years after the userid and passwords were set in the server.
That's the administrator's responsibility to store and manage the credentials for the accounts he creates regardless of the target system, be it a Windows server or their router's VPN. Anything serious will only store a hashed (and ideally salted) copy of any password. Reducing a server's security on account of laziness is not a good argument. Keepass is free - system administrators should use such a tool.
 
Credentials can be stored on the client side. Create a file with username on the first line, and password on the second line. Then in the .ovpn config file, reference it this way:

Code:
auth-user-pass filename_with_credentials
In spite of the impression I may have given, I'd be leery of this since password would be in clear text. It looks like OpenVPN stores the credential information in the registry in Windows (and I'm interested only in the Windows client). I suspect the encrypted (or otherwise munged) password could be decrypted only on the one computer, but I think I'll try importing those credential records into another computer and see what happens.

That's the administrator's responsibility to store and manage the credentials for the accounts he creates regardless of the target system, be it a Windows server or their router's VPN. Anything serious will only store a hashed (and ideally salted) copy of any password. Reducing a server's security on account of laziness is not a good argument. Keepass is free - system administrators should use such a tool.
Again, in spite of previous impressions, I do save credentials in a protected location. But due to a serious blunder (involving a .csv file somehow being created using the UTF-7 codepage and a spreadsheet program misinterpreting and/or ignoring some of the characters in the passwords), my OpenVPN passwords were corrupted.

I've fixed that problem, but my system is clumsy. I'll look at Keepass.
 
Hello

Just set up OpenVPN and I can't connect via the phone or laptop client. I tested PPTP and all works, but not OpenVPN. When I try to connect I can see my phone IP on the OpenVPN server tab, but under username it is UNDEF and it is not connected.




Clients

Common Name | Username | Real Address        | Virtual Address | MBytes Received | MBytes Sent | Connected Since
UNDEF       |          | 192.168.0.105:54281 |                 | 0.00            | 0.00        | 2021-06-27 10:41:30
UNDEF       |          | 192.168.0.105:41683 |                 | 0.00            | 0.00        | 2021-06-27 10:42:00
UNDEF       |          | 192.168.0.105:43174 |                 | 0.00            | 0.00        | 2021-06-27 10:41:50


Any help please

logs

Code:
10:33:57.901 -- ----- OpenVPN Start -----
10:33:57.901 -- EVENT: CORE_THREAD_ACTIVE
10:33:57.902 -- OpenVPN core 3.git:released:662eae9a:Release android arm64 64-bit PT_PROXY
10:33:57.902 -- Frame=512/2048/512 mssfix-ctrl=1250
10:33:57.902 -- UNUSED OPTIONS
4 [resolv-retry] [infinite]
5 [nobind]
7 [ncp-ciphers] [CHACHA20-POLY1305:AES-128-GCM:AES-256-GCM:AES-128-CBC:AES-256-CB...]
10:33:57.903 -- EVENT: RESOLVE
10:33:57.979 -- Contacting 1.25.10.4:1195 via UDP
10:33:57.980 -- EVENT: WAIT
10:33:57.986 -- Connecting to [v.hopto.org]:1195 (1.25.10.4) via UDPv4
10:34:07.903 -- Server poll timeout, trying next remote entry...
10:34:07.904 -- EVENT: RECONNECTING
10:34:07.907 -- EVENT: RESOLVE
10:34:07.918 -- Contacting 1.25.10.4:1195 via UDP
10:34:07.918 -- EVENT: WAIT
10:34:07.921 -- Connecting to [v.hopto.org]:1195 (1.25.20.4) via UDPv4
10:34:17.906 -- Server poll timeout, trying next remote entry...
10:34:17.907 -- EVENT: RECONNECTING
10:34:17.910 -- EVENT: RESOLVE
10:34:17.917 -- Contacting 1.25.10.4:1195 via UDP
10:34:17.917 -- EVENT: WAIT
10:34:17.924 -- Connecting to [v.hopto.org]:1195 (1.25.10.4) via UDPv4
10:34:27.909 -- Server poll timeout, trying next remote entry...
10:34:27.910 -- EVENT: RECONNECTING
10:34:27.911 -- EVENT: RESOLVE
10:34:27.915 -- Contacting 1.25.10.4:1195 via UDP
10:34:27.915 -- EVENT: WAIT
10:34:27.917 -- Connecting to [v.hopto.org]:1195 (1.25.10.4) via UDPv4

Why is it showing port 1195, not 1194? In Merlin, is the default port changed to 1195?

Port 1195 fixed, and I tried to connect even without DDNS, but still no luck.


Code:
10:57:45.701 -- Server poll timeout, trying next remote entry...
10:57:45.702 -- EVENT: RECONNECTING
10:57:45.705 -- EVENT: RESOLVE
10:57:45.707 -- Contacting 1.25.10.4:1194 via UDP
10:57:45.708 -- EVENT: WAIT
10:57:45.727 -- Connecting to [1.25.10.4]:1194 (1.25.10.4) via UDPv4
10:57:55.703 -- Server poll timeout, trying next remote entry...
10:57:55.704 -- EVENT: RECONNECTING
10:57:55.707 -- EVENT: RESOLVE
10:57:55.719 -- Contacting 1.25.10.4:1194 via UDP
10:57:55.719 -- EVENT: WAIT
10:57:55.722 -- Connecting to [1.25.10.4]:1194 (1.25.10.4) via UDPv4
10:58:05.705 -- Server poll timeout, trying next remote entry...
10:58:05.706 -- EVENT: RECONNECTING
10:58:05.709 -- EVENT: RESOLVE
10:58:05.719 -- Contacting 1.25.10.4:1194 via UDP
10:58:05.720 -- EVENT: WAIT
10:58:05.723 -- Connecting to [1.25.10.4]:1194 (1.25.10.4) via UDPv4
10:58:15.714 -- Server poll timeout, trying next remote entry...
10:58:15.715 -- EVENT: RECONNECTING
10:58:15.747 -- EVENT: RESOLVE
10:58:15.766 -- Contacting 1.25.10.4:1194 via UDP
10:58:15.767 -- EVENT: WAIT
10:58:15.773 -- Connecting to 1.25.10.4:1194 (1.25.10.4) via UDPv4
10:58:25.708 -- Server poll timeout, trying next remote entry...
10:58:25.715 -- EVENT: RECONNECTING
10:58:25.718 -- EVENT: RESOLVE


Client config

# Config generated by Asuswrt-Merlin 386.2, requires OpenVPN 2.4.0 or newer.

client
dev tun
proto udp
remote 1.25.10.4 1194
resolv-retry infinite
nobind
float
ncp-ciphers AES-128-CBC
keepalive 15 60
auth-user-pass
remote-cert-tls server
<ca>

When I had the original Asus FW all was working, but I got max 13 Mbps download on OpenVPN. Then I uploaded Merlin in the hope I could get at least 25 Mbps, but instead the VPN is not working at all ;)

I also followed this link, but with no luck:

Tutorial - How to setup a VPN Server with Asus routers 380.68 updated 08.24 (www.snbforums.com)
 
I had a thought. If you can't talk to your clients, you can try to create the following iptables rule to bridge the server subnet to the lan.

VPN Server 1 to LAN:

Code:
#!/bin/sh
iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o br0 -j MASQUERADE 2>/dev/null
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o br0 -j MASQUERADE

If it solves the problem, you can use the openvpn-event script I have on my x3mRouting Repo, with a minor edit, to execute the iptables rule during a VPN server up/down event.

I use a similar rule to allow people to bridge the VPN server traffic through one of the VPN clients. I just change the interface name to tun11, tun12, etc.

This solved my problem (applying both lines manually), thank you! I restarted the router and then the issue came back.

To make it persistent, do I need to install your scripts using
1) sh -c "$(curl -sL https://raw.githubusercontent.com/Xentrk/x3mRouting/master/Install_x3mRouting.sh)"
2) Then, modify jffs > scripts > openvpn-event, to make it look like this?

Code:
#!/bin/sh
iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o br0 -j MASQUERADE 2>/dev/null
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o br0 -j MASQUERADE
[ -s /jffs/scripts/x3mRouting/openvpn-event ] && sh /jffs/scripts/x3mRouting/openvpn-event $@

Please guide me :)
 
I figured it out using nat-start script :cool:
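A persistent form of the MASQUERADE rule from the posts above, written as an added example for Merlin's openvpn-event hook (this is my code, not Xentrk's script or the x3mRouting project's). It assumes OpenVPN passes the event as script_type and the tunnel as dev to the hook and that server 1 is tun21; VPN_SERVER_SUBNET, LAN_IF, SERVER_DEV and DRY_RUN are names introduced here, and the script checks with iptables -C before adding so the rule is not stacked up on every event.

```shell
#!/bin/sh
# Assumed location: /jffs/scripts/openvpn-event (Asuswrt-Merlin's hook for
# OpenVPN up/down events). Assumptions: OpenVPN exports script_type (up|down)
# and dev (tunXX) into this hook's environment; Merlin's OpenVPN server 1 is
# tun21, while VPN clients are tun11, tun12, ...
VPN_SERVER_SUBNET="${VPN_SERVER_SUBNET:-10.8.0.0/24}"   # server 1 pool from the thread
LAN_IF="${LAN_IF:-br0}"
SERVER_DEV="${SERVER_DEV:-tun21}"
IPTABLES="${IPTABLES:-iptables}"
DRY_RUN="${DRY_RUN:-0}"   # 1 = print the command instead of running it

run() {
    if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

rule_present() {
    # -C exits 0 only when an identical rule is already in the chain
    "$IPTABLES" -t nat -C POSTROUTING -s "$VPN_SERVER_SUBNET" -o "$LAN_IF" -j MASQUERADE 2>/dev/null
}

vpn_lan_nat() {
    # $1 = up|down, $2 = tunnel interface the event fired for
    event="$1"; iface="$2"
    # Only react to the server tunnel; client tunnels keep their own rules
    [ "$iface" = "$SERVER_DEV" ] || return 0
    case "$event" in
        up)
            # Add once: re-adding on every event would stack duplicate rules
            if [ "$DRY_RUN" = "1" ] || ! rule_present; then
                run "$IPTABLES" -t nat -A POSTROUTING -s "$VPN_SERVER_SUBNET" -o "$LAN_IF" -j MASQUERADE
            fi
            ;;
        down)
            # Remove only if present, so a clean shutdown does not log an error
            if [ "$DRY_RUN" = "1" ] || rule_present; then
                run "$IPTABLES" -t nat -D POSTROUTING -s "$VPN_SERVER_SUBNET" -o "$LAN_IF" -j MASQUERADE
            fi
            ;;
    esac
    return 0
}

# Entry point when OpenVPN calls the hook; nothing runs when sourced for testing
if [ -n "$script_type" ]; then
    vpn_lan_nat "$script_type" "$dev"
fi
```

Run it once with DRY_RUN=1 script_type=up dev=tun21 to see the exact rule it would install before letting the hook execute it for real.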
 
With Merlin 386.3_2 starting an OpenVPN SERVER is only a few clicks... which is a good thing since I'm a noob at creating a VPN server.

General / VPN / OpenVPN Server; click OFF to automatically configure common defaults and start the server.


On the router, the only thing that must be done is to add user account(s) and password(s).

I want to use the home router as a VPN server to access local (LAN) devices as well as access WWW (WAN) as well while away from the house. This requires two changes to the default config. (if you need only LAN access no further changes are required)

General / VPN / OpenVPN / Basic Config / Client will use VPN to access
<X> Lan Only <> Internet only <> Both ========> becomes <> Lan Only <> Internet only <X> Both
To enable the client to have access to DNS, to resolve WWW addresses, you need to view details not seen in the GENERAL view.

General / VPN / OpenVPN / Basic Config / VPN Details <GENERAL> and select <Advanced Settings>

General / VPN / OpenVPN / Basic Config / Advanced Settings / Advertise DNS to clients
<> Yes <X> No =============> becomes <X> Yes <> No


The remainder of the setup is on the OpenVPN client, which for me was more difficult than setting up the OpenVPN server.

After exporting the .ovpn file, getting the file to the client securely (not email) is a little challenging and will vary based upon your client's OS. Also, while a .cert file can be exported from the General / VPN / OpenVPN page, it may not be the right format that your client requires. iOS needs a pkcs12 file with a file extension of .ovpn12 (you have to export your own using openssl to create it after putting together a text file of all the KEYS and CERTIFICATES).
 
Format JFFS partition at next boot = Yes
Enable JFFS custom scripts and configs = Yes
JFFS format magic! It's populating the Keys and Certs now, thanks!
ASUS RT-AC68U. Client keys and certificates were not generated.
take a look at the documentation on the Wiki

Following these instructions, I generated the client keys and inserted them into the GUI. There are no errors in the log, but there is no connection either - it constantly tries to reconnect.
 
