Is it possible to install WireGuard VPN?

gil80

Occasional Visitor
My router is the AX88U using Merlin 386.5_2 firmware.

I would like to incorporate WireGuard in the GUI VPN section. Is it possible? Would you recommend against it?
 

domic

Occasional Visitor
Personally I'd just wait for Asus/Merlin to implement a just as easy way to setup WG server and client, as they made the OpenVPN server. That takes careful planning, patience and time. (and money, on Asus side.)
Use the OpenVPN server and unencrypted FTP shares for the best speeds and security for the time being. Also close off any unnecessary ports open to WAN/Internet to minimize attack surface. And use a strong VPN password (I'd recommend generating a password online with many characters). Store said password somewhere safe and convenient for only you to access. I use a password manager, but you choose your way.
 

gil80

Occasional Visitor
So yes, it's possible. Recommended... well, what's YOUR intended use case?
Stop using paid VPN services for privacy.

OpenVPN server and unencrypted FTP shares for the best speeds and security for the time being. Also close off any unnecessary ports open to WAN/Internet
I tried, but my Xiaomi phone cannot access the internet once connected. Something is dodgy with the settings and I can't figure out what's wrong. Also, if I do get to use OpenVPN for my mobile devices, I'd like them to use my DNS server to block ads. In any case, OpenVPN didn't work as expected with my phone.

What are FTP shares?
What's the best way to figure out if I have unnecessary open ports?
 

domic

Occasional Visitor
Any other options?
Burner phones/computers, always moving around, never staying in the same place twice, all that stuff, be unpredictable etc.

I can't think of any software that can't be exploited. It's more in the habits you do online etc.
Tor isn't safer than paid VPNs either, since I heard the feds have taken over many Tor exit nodes over the years, which means it's harder to stay anonymous nowadays.

But randomly generated "everything" (OS (use Qubes OS for that), MAC and IP addresses, browser trails etc.) that are one-time use helps create extra work for whoever would want to find you etc. Doesn't stop them completely though.

"The only way to win is to not participate."
 

domic

Occasional Visitor
Stop using paid VPN services for privacy.


I tried, but my Xiaomi phone cannot access the internet once connected. Something is dodgy with the settings and I can't figure out what's wrong. Also, if I do get to use OpenVPN for my mobile devices, I'd like them to use my DNS server to block ads. In any case, OpenVPN didn't work as expected with my phone.

What are FTP shares?
What's the best way to figure out if I have unnecessary open ports?
1. That sounds like you haven't checked this setting correctly?
Screenshot_20220418-202406.jpg


Send screenshots of your VPN server settings, both General and Advanced. Blur any sensitive information before you upload of course.
I'll take a look at your settings and see what I can do to help.

2. FTP shares are a way to share your USB connected storage devices with other devices in your network (or internet, although preferably accessed only via the VPN server).
3. Do a port scan on your router's public IP address from an outside source, for example disconnect your phone from your home Wi-Fi network, download Nmap in Termux or an app on your phone and do a port scan on that IP address.

The following command is what I use for quicker port scans:

nmap -Pn public-ip

Or you could use an app like Fing or NetworkMapper to port scan with a GUI.
 

gil80

Occasional Visitor
1. That sounds like you haven't checked this setting correctly?
View attachment 40876

Send screenshots of your VPN server settings, both General and Advanced. Blur any sensitive information before you upload of course.
I'll take a look at your settings and see what I can do to help.

2. FTP shares are a way to share your USB connected storage devices with other devices in your network (or internet, although preferably accessed only via the VPN server).
3. Do a port scan on your router's public IP address from an outside source, for example disconnect your phone from your home Wi-Fi network, download Nmap in Termux or an app on your phone and do a port scan on that IP address.

The following command is what I use for quicker port scans:

nmap -Pn public-ip

Or you could use an app like Fing or NetworkMapper to port scan with a GUI.
Thanks for the reply.

Using Fing, I have these open ports:
21 FTP
1723 pptp
8443 https-alt

Do I need to do something about these ports?
It seems the FTP share is enabled, but I'm not sure how to access it via WAN.

Attached are screenshots of my OpenVPN settings.
 

Attachments: 2.png (167.4 KB), 1.png (117 KB)

eibgrad

Part of the Furniture
Thanks for the reply.

Using Fing, I have these open ports:
21 FTP
1723 pptp
8443 https-alt

Do I need to do something about these ports?
It seems the FTP share is enabled, but I'm not sure how to access it via WAN.

Attached are screenshots of my OpenVPN settings.

The *only* port that should be open on your WAN should be that of the OpenVPN server!

The goal here is to make the OpenVPN connection to the OpenVPN server the *only* one between your remote device (e.g., smartphone on cellular) and the public IP of your WAN. Within the context of that OpenVPN connection, you then access your FTP server from its LAN network interface (e.g., 192.168.1.1), NOT the public IP of the WAN. Same holds true for the router's GUI or any other services. You do NOT want the FTP server and GUI directly exposed to the WAN.
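As an added example (not code from the thread or from the router firmware), here is a small script that turns the advice above into a check: it parses nmap grepable output from a scan of the router's public IP and reports every open port that is not the VPN server's. The sample scan output is constructed to mirror the Fing result posted earlier in the thread (21 ftp, 1723 pptp, 8443 https-alt); the allow-list entry 1194/udp and the remediation hints are assumptions for illustration, not firmware specifics.

```python
"""Compare a WAN-side port scan against an 'only the VPN port' policy.

Added example, not from the thread. Input is nmap grepable (-oG) output;
the sample below is constructed to match the Fing result posted in the
thread. The allow-list and the remediation hints are assumptions.
"""
import re

# Assumed policy: the only service reachable from the WAN is the VPN
# server. 1194/udp is OpenVPN's conventional port (assumption here).
ALLOWED = {(1194, "udp")}

# Illustrative hints; the exact GUI switch names vary by firmware.
HINTS = {
    21: "FTP exposed on WAN: turn off WAN access for the USB share and "
        "reach it over the VPN via the router's LAN IP",
    1723: "PPTP exposed on WAN: PPTP is obsolete, disable the PPTP server",
    8443: "router GUI exposed on WAN: turn off web access from WAN and "
          "manage the router over the VPN instead",
}

# Constructed nmap -oG output (203.0.113.10 is a documentation address).
SAMPLE_GNMAP = """\
# Nmap scan initiated as: nmap -Pn -oG - public-ip
Host: 203.0.113.10 ()\tStatus: Up
Host: 203.0.113.10 ()\tPorts: 21/open/tcp//ftp///, 1194/open|filtered/udp//openvpn///, 1723/open/tcp//pptp///, 8443/open/tcp//https-alt///\tIgnored State: filtered (996)
# Nmap done
"""

# Fields in a grepable port entry: port/state/proto/owner/service/rpc/version/
PORT_RE = re.compile(r"(\d+)/([^/]+)/(tcp|udp)//([^/]*)/")


def parse_gnmap(text):
    """Return [(port, proto, state, service), ...] from nmap -oG output."""
    found = []
    for line in text.splitlines():
        if "Ports:" not in line:
            continue
        # The Ports: field ends at the next tab-separated field.
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for m in PORT_RE.finditer(ports_field):
            port, state, proto, service = m.groups()
            found.append((int(port), proto, state, service))
    return found


def unexpected_exposure(findings, allowed=ALLOWED):
    """Open ports that are not on the allow-list, each with a hint."""
    report = []
    for port, proto, state, service in findings:
        if not state.startswith("open"):
            continue  # closed/filtered ports are not exposure
        if (port, proto) in allowed:
            continue  # the VPN server itself is expected
        hint = HINTS.get(port, "not expected on WAN: close it or move it behind the VPN")
        report.append((port, proto, service, hint))
    return report


if __name__ == "__main__":
    for port, proto, service, hint in unexpected_exposure(parse_gnmap(SAMPLE_GNMAP)):
        print(f"{port}/{proto} ({service}): {hint}")
```

Run it against real output with `nmap -Pn -oG scan.gnmap <public-ip>` from outside the home network (cellular, as suggested above) and feed the file's contents to `parse_gnmap`; an empty report means only the VPN port answers from the WAN.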
 

gil80

Occasional Visitor
The *only* port that should be open on your WAN should be that of the OpenVPN server!

The goal here is to make the OpenVPN connection to the OpenVPN server the *only* one between your remote device (e.g., smartphone on cellular) and the public IP of your WAN. Within the context of that OpenVPN connection, you then access your FTP server from its LAN network interface (e.g., 192.168.1.1), NOT the public IP of the WAN. Same holds true for the router's GUI or any other services. You do NOT want the FTP server and GUI directly exposed to the WAN.
This port "8443 https-alt" is the WAN access port for my router?

If I enable restriction as I've just done (see screenshot), is it better? I'm using the Asus domain to access my router from WAN, and this is also how the WireGuard interface is set up to use the DDNS and not the public IP.
 

Attachments: 3.png (18.4 KB)

domic

Occasional Visitor
The *only* port that should be open on your WAN should be that of the OpenVPN server!

The goal here is to make the OpenVPN connection to the OpenVPN server the *only* one between your remote device (e.g., smartphone on cellular) and the public IP of your WAN. Within the context of that OpenVPN connection, you then access your FTP server from its LAN network interface (e.g., 192.168.1.1), NOT the public IP of the WAN. Same holds true for the router's GUI or any other services. You do NOT want the FTP server and GUI directly exposed to the WAN.
Weeell, if the firmware is up to date the Web GUI should be safe enough if you want that kind of access. Only as a backup plan if your VPN server isn't cooperating when you can't be home to fix it. I'd still move it to a non default port though.
 

domic

Occasional Visitor
This port "8443 https-alt" is the WAN access port for my router?
Yes. Type https://x.x.x.x:8443/ in your browser where x.x.x.x is your router's public IP address (connect from your phone's mobile connection instead of Wi-Fi to come from the internet direction again).
If you get an Asus login page on your screen, that means you can access your router settings from the internet.
 

eibgrad

Part of the Furniture
This port "8443 https-alt" is the WAN access port for my router?

If I enable restriction as I've just done (see screenshot), is it better? I'm using the Asus domain to access my router from WAN, and this is also how the WireGuard interface is set up to use the DDNS and not the public IP.

The problem w/ enabling access of the GUI via the WAN is that the httpd implementation used by the router is NOT hardened the way a full-blown http server would be. It was only designed to make the GUI accessible on small embedded systems, with minimal concern for security and possible vulnerabilities. IMO, it's too risky to be accessing it over the WAN, esp. if you have OpenVPN server available.

But ultimately it's your choice.
 

gil80

Occasional Visitor
The problem w/ enabling access of the GUI via the WAN is that the httpd implementation used by the router is NOT hardened the way a full-blown http server would be. It was only designed to make the GUI accessible on small embedded systems, with minimal concern for security and possible vulnerabilities. IMO, it's too risky to be accessing it over the WAN, esp. if you have OpenVPN server available.

But ultimately it's your choice.
But I'm unable to get my phone to connect to OpenVPN
 

gil80

Occasional Visitor
I don't have OpenVPN option on my phone. The IPsec PSK doesn't work either.
 

Attachments: Screenshot_2022-04-20-11-51-27-779_com.android.settings.jpg (26.4 KB)

eibgrad

Part of the Furniture
Can't. Sorry about the mistake. Edited the post.

Well the answer is to figure out why your OpenVPN connection doesn't work as desired, NOT to resort to risky alternatives.

Are you accessing the OpenVPN server from the WAN over the cellular network? Some users mistakenly try to connect to it over the wifi connection (i.e., locally), which normally doesn't work.
 

eibgrad

Part of the Furniture
I don't have OpenVPN option on my phone. The IPsec PSK doesn't work either.

Well that's a different matter entirely. I assumed you had OpenVPN as an option, but just couldn't get access to the internet through it.

There's no support for the OpenVPN Connect app on the smartphone??
 

domic

Occasional Visitor
Download an OpenVPN app. The two most popular on the Play Store work fine. OpenVPN Connect or OpenVPN for Android both can work fine. It's what you prefer.

Go to the router DDNS settings and set up a free domain for your router. Asus offers their own free subdomain.asuscomm.com for example. It's a shared space, like having to find an unused username for yourself. After that is set up, you go to the OpenVPN server page, click "Export client configuration" and download that "*.ovpn" file to every device you want to connect to your home VPN server by importing it into your phone's OpenVPN app. :) After that you can connect and log in with your account name and password for VPN if you set it up that way.
 
