Is it possible to install WireGuard VPN?


Download an OpenVPN app. The two most popular on the Play Store work fine: OpenVPN Connect or OpenVPN for Android can both work fine. It's what you prefer.

Go to the router's DDNS settings and set up a free domain for your router. Asus offers their own free subdomain.asuscomm.com, for example. It's a shared space, like having to find an unused username for yourself. After that is set up, you go to the OpenVPN server page, click "Export client configuration" and download that "*.ovpn" file to every device you want to connect to your home VPN server, importing it into your phone's OpenVPN app. :) After that you can connect and log in with your account name and password for VPN, if you set it up that way.
With an OpenVPN configuration and openvpn android app, connection is established, but I can't browse the internet. See my configuration details above.
I don't know if it's because I'm also using PiHole or not.
I have set my mobile phone in the local DNS settings of PiHole with the VPN IP it's getting, 10.0.8.2. But still can't browse.
 
I tried using an FTP client and I'm getting this error:
Non-Anonymous sessions must use encryption.
If I set it to FTPS then I get connection refused on port 990
If I set it to FTPS explicit then I get 522 SSL connection failed: Session reuse required.

I can't set the FTP server to use anonymous login because "Allow anonymous login is in conflict with TLS settings."

So in summary:
Since PiHole is part of my network configuration, I cannot use OpenVPN unless I find a way to tell PiHole to accept queries from a non-local network.
One of the reasons for VPN is to access FTP shares without enabling WAN access, but that doesn't work either, even when I test it using my local WiFi.
 

Sounds to me as if the problem is w/ DNS. IOW, I suspect you can ping a public IP (e.g., 8.8.8.8) when the OpenVPN client gets connected, but any reference to a domain name can NOT be resolved, which you are interpreting as no internet access.

As I've told others many times, it's NOT uncommon for services that would normally be reachable over the OpenVPN client connection to be denied access due to personal firewalls. We see this all the time w/ Windows PCs. And sometimes other devices as well. By default, they limit access to only those devices on the same local IP network. That's a security measure that was instituted a few years ago and has become increasingly more common.

The solution is to reconfigure those personal firewalls to allow the access by the OpenVPN's IP network (e.g., 10.8.0.0/24). But sometimes that's either NOT possible, or too inconvenient if you have to be reconfiguring many devices.

That's why I often recommend the following, to mask the OpenVPN client's assigned IP (e.g., 10.8.0.2) w/ that of the router on its LAN network interface (e.g., 192.168.1.1).


So now all access by those OpenVPN clients *appears* to be coming from a device on the target's own network. However, the price you pay is that you can no longer determine which specific OpenVPN client made the access. Any logs will always report the LAN IP of the router. The best you can do is draw an inference that it must have come from *some* OpenVPN client, which may be sufficient. But if that's a problem, then as I said, you *must* instead update the personal firewall of your target devices to allow the access.

One other thing. When you configured the OpenVPN server, I see you enabled "Advertise DNS to clients", which is normally correct. But you've also configured pihole to handle your DNS. And I have no clue how you incorporated that into the overall router configuration. Normally, "Advertise DNS to clients" is going to push the router's LAN IP as the DNS server (IOW, DNSMasq). But if you've configured the router to redirect DNS queries from DNSMasq to the pihole, there's no way the OpenVPN server would know that. So you'd probably have to push the pihole's LAN IP to the OpenVPN clients in custom config rather than rely on that option.

Code:
push "dhcp-option DNS 192.168.1.100"
 
Subject 1

You are correct! This is a mistake in my setting. The overall DNS setting in the router is as follows:

[two screenshots: router DNS settings]


So I changed the OpenVPN setting to accommodate my PiHole DNS IP address by setting Advertise DNS to clients: NO, but the "problem" with it is that now I'm getting ads on all the news sites I'm using.

Q: Is there a way to set OpenVPN to use PiHole as my DNS in an explicit form?



Subject 1.1


To get OpenVPN working with the internet on my mobile phone, I have to set my PiHole to Permit all origins. Previously, it was set to Allow only local requests.

[screenshot: Pi-hole DNS interface setting, Permit all origins]


However, I don't like to use this setting. I posted a question on PiHole forum and I got this response:

With its default setting to Allow only local requests, Pi-hole will handle DNS requests for subnets associated to all of its host's network interfaces.
Your VPN client wouldn't match any of those interfaces' subnets.
There are other ways to overcome this besides Pi-hole's Permit all origins, each with their own advantages and drawbacks, but they wouldn't involve Pi-hole, e.g. you could try to attach a VPN IP to one of your Pi-hole host's network interfaces, or you could NAT your VPN client's requests, so they would arrive from a source IP from a known subnet.
You would have to make an effort to research these options, along with their viability for your specific setup - or go with Pi-hole's Permit all origins.
If your Pi-hole is running in your home network, and your router running as OpenVPN server is properly firewalled (in particular, inbound port 53 and 80 are closed), the risk of involuntarily exposing Pi-hole via that option would be minimal.
source: https://discourse.pi-hole.net/t/usi...rom-non-local-network-warning-message/54983/3

Summary of issues:
  1. OpenVPN doesn't use Pihole's DNS and therefore I'm getting ads all over the place
  2. I have to Permit all origins
Proposed solution: mask the OpenVPN client's assigned IP as you kindly suggested above. It's an option I'm considering, but in the meantime would like to explore a bit more.

Subject 2 - FTP Shares
I got it working only when I disabled "Enable TLS support". This setting seems to cause issues when using Android apps with FTP support. FileZilla, on the other hand, has no issues connecting to my FTP with this setting enabled when I provide DDNS; albeit my FTP client is on the LAN, so I'm not sure if TLS is used.
I tested the FTP connection by disabling WAN access and connected my mobile phone using OpenVPN with Enable TLS support option set to NO.

Summary
I can now connect to FTP shares when WAN is disabled given:
  1. PiHole is set to Permit all origins
  2. Enable TLS support is disabled
  3. OpenVPN connection is established via DDNS on a mobile network.
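The masking rule discussed in this thread (rewrite the source of OpenVPN client traffic to the router's LAN address so Pi-hole keeps seeing only local origins and personal firewalls on LAN devices accept the connections) is never shown explicitly above, so here it is as an added example. This is not the thread's own snippet and not asuswrt-merlin code; the tunnel subnet 10.8.0.0/24, the LAN address 192.168.1.1 and the bridge name br0 are assumptions taken from the examples in the replies, and the script assumes an iptables that supports the -C check flag.

```shell
#!/bin/sh
# Added example, not from the thread or from asuswrt-merlin: a firewall
# start-up style snippet that source-NATs traffic from the OpenVPN server's
# tunnel network onto the router's LAN address. Subnet, interface and address
# below are assumptions taken from the thread's examples; adjust to your router.
VPN_SUBNET="${VPN_SUBNET:-10.8.0.0/24}"   # OpenVPN server tunnel network
LAN_IF="${LAN_IF:-br0}"                   # LAN bridge interface (assumed name)
LAN_IP="${LAN_IP:-192.168.1.1}"           # router's LAN address

# Print the iptables arguments for one of two equivalent rules:
#   snat  - rewrite the source address to LAN_IP explicitly
#   masq  - let the kernel use whatever address LAN_IF currently has
build_masq_rule() {
    case "$1" in
        snat) echo "-t nat -A POSTROUTING -s $VPN_SUBNET -o $LAN_IF -j SNAT --to-source $LAN_IP" ;;
        masq) echo "-t nat -A POSTROUTING -s $VPN_SUBNET -o $LAN_IF -j MASQUERADE" ;;
        *)    echo "build_masq_rule: unknown mode '$1'" >&2; return 1 ;;
    esac
}

# Add the rule only if it is not already present: a firewall hook may run
# several times and duplicate NAT rules only make troubleshooting harder.
# DRY_RUN=1 (the default here) prints the command instead of executing it.
ensure_masq_rule() {
    args=$(build_masq_rule "${1:-snat}") || return 1
    # Same rule with -A swapped for -C, which only tests for its presence.
    check=$(printf '%s' "$args" | sed 's/ -A / -C /')
    if [ "${DRY_RUN:-1}" = "1" ]; then
        echo "iptables $args"
        return 0
    fi
    # shellcheck disable=SC2086  # word splitting of $args is intended here
    iptables $check 2>/dev/null || iptables $args
}

ensure_masq_rule snat
```

Run it with DRY_RUN=0 from whatever script your router executes when the firewall is (re)started, so the rule survives a WAN reconnect. The trade-off the reply above spells out applies unchanged: once this rule is in place, Pi-hole's query log and every other LAN-side log shows 192.168.1.1 for all VPN clients, so you lose per-client attribution; if you need it, allow 10.8.0.0/24 on the target devices' firewalls instead and leave the NAT out.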
 
I don't know the first thing about pihole, but I assume it is the one doing the ad-blocking. And if you've push'd that DNS server to the OpenVPN clients, I don't understand why they wouldn't benefit from the ad-blocking like any other device on your home network. Not unless the OpenVPN client itself has chosen to NOT use that push'd DNS server exclusively. That's a common issue w/ the OpenVPN client on the router when configured w/ a commercial OpenVPN provider. How you chose to configure the "Accept DNS Configuration" option determines DNS behavior. So I imagine just about *any* OpenVPN client, regardless of platform, has to consider this issue. I know on Windows-based OpenVPN clients, you can add the block-outside-dns directive to force all DNS over the tunnel.

As far as the all-origins issue, that's the point of the NAT rule I suggested (and that link has suggested). You can continue to limit your origin to only the home network by masking your OpenVPN client access w/ the router's LAN ip.
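Whether the OpenVPN server really pushes the Pi-hole address, and nothing else, is something you can read straight off the client's log rather than infer from whether ads appear. The following is an added example, not code from the thread: it extracts the DNS servers from the standard OpenVPN client line "PUSH: Received control message: 'PUSH_REPLY,...'" (visible in the log view of the Android apps) and checks that only the expected resolver was pushed. The log lines are constructed for the example, using 192.168.1.2 as the Pi-hole address from this thread and the 10.8.0.x tunnel addresses from the replies.

```shell
#!/bin/sh
# Added example, not from the thread: pull the DNS servers an OpenVPN server
# pushed to a client out of the client's own log, to confirm the tunnel
# really advertises the ad-blocking resolver. The log lines are constructed.
SAMPLE_LOG=$(cat <<'EOF'
2022-04-21 10:00:01 TLS: Initial packet from [AF_INET]203.0.113.10:1194, sid=1a2b3c4d 5e6f7081
2022-04-21 10:00:02 [server] Peer Connection Initiated with [AF_INET]203.0.113.10:1194
2022-04-21 10:00:03 PUSH: Received control message: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0,dhcp-option DNS 192.168.1.2,redirect-gateway def1,topology subnet,ifconfig 10.8.0.2 255.255.255.0,peer-id 0'
2022-04-21 10:00:03 Initialization Sequence Completed
EOF
)

# Read a log on stdin and print each pushed DNS server, one per line.
# PUSH_REPLY options are comma separated, so split them onto lines first.
pushed_dns_servers() {
    grep 'PUSH_REPLY' | tr ',' '\n' | sed -n 's/^dhcp-option DNS \([0-9.][0-9.]*\).*$/\1/p'
}

# Return 0 when the expected resolver is the only DNS server pushed, 1 when
# nothing was pushed or another server was pushed alongside it (a second,
# public resolver would let the client send queries around the ad-blocker).
tunnel_dns_is_only() {
    expected="$1"
    servers=$(pushed_dns_servers)
    [ -n "$servers" ] || return 1
    printf '%s\n' "$servers" | grep -vqx "$expected" && return 1
    return 0
}

# Usage: pipe the client's log into the functions, as done here with the sample.
printf '%s\n' "$SAMPLE_LOG" | pushed_dns_servers
```

If the expected address is pushed and ads still get through, the problem is on the client side (it kept another resolver, which is the situation the reply above describes), not in the router's push configuration.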
 
Thanks for the help so far!

I learned that the OpenVPN setting of Advertise DNS to client = ON is actually blocking ads. My assumption is as follows:
  1. DHCP server is set to use PiHole IP as the DNS server 192.168.1.2
  2. WAN is set not to advertise DNS to clients
  3. OpenVPN is set to advertise DNS to clients - Therefore, it is advertising the DNS that the router is using, which is 192.168.1.2.
I might take up on your suggestion to mask OpenVPN and be done with it.
Thank you!
 
AFAIK, Merlin only updates over official asuswrt firmware. As of today, Asus' latest stable firmware doesn't support WireGuard, so Merlin doesn't either.

There is an RC3-2 firmware that does support WireGuard, but on my TUF AX5400 I haven't been able to make it work.
 
I have the AC86U and am waiting for Merlin to implement the wireguard vpn

The kernel module and user space tool are already there in the most recent firmware version. I got a WG server set up in the most recent firmware.
 
Convert to adguardhome
 