Open VPN & IOS

Neil Horowitz

When setting up an OpenVPN server on my router using Asuswrt-Merlin firmware, is there anything special I need to do before exporting a certificate file to the OpenVPN Connect app on an Apple iPad? The only requirement stated in the app is that the file name must end with .ovpn12.
 
Just ensure all the certificates are embedded inline inside the ovpn file, not separate files.
Mine works fine. Been a couple of years since I set it up but don’t remember it being complicated once I did the above.


Sent from my iPhone using Tapatalk
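
An added example, not part of the reply above: a small Python check that reports which directives in a client profile still point at separate files and rewrites them as inline `<tag>...</tag>` blocks. The profile, host name and file contents are constructed placeholders, not real key material.

```python
import re

# Directives that can name a separate file or be embedded as <tag>...</tag>.
INLINEABLE = ("ca", "cert", "key", "tls-auth", "tls-crypt")

def _directive(line):
    """Split a config line into words, ignoring '#' and ';' comments."""
    return re.split(r"[#;]", line, maxsplit=1)[0].split()

def external_refs(profile):
    """Return {directive: filename} for directives that point at separate files."""
    refs = {}
    for line in profile.splitlines():
        parts = _directive(line)
        if len(parts) >= 2 and parts[0] in INLINEABLE and parts[1] != "[inline]":
            refs[parts[0]] = parts[1]
    return refs

def inline_blocks(profile):
    """Return the set of directives present as inline <tag>...</tag> blocks."""
    return {t for t in INLINEABLE
            if re.search(rf"^<{t}>\s*$.*?^</{t}>\s*$", profile, re.M | re.S)}

def embed(profile, files):
    """Replace file-referencing directives with inline blocks built from `files`."""
    out = []
    for line in profile.splitlines():
        parts = _directive(line)
        if len(parts) >= 2 and parts[0] in INLINEABLE and parts[1] in files:
            if parts[0] == "tls-auth" and len(parts) > 2:
                out.append(f"key-direction {parts[2]}")  # direction moves to its own line
            out.append(f"<{parts[0]}>\n{files[parts[1]].strip()}\n</{parts[0]}>")
        else:
            out.append(line)
    return "\n".join(out) + "\n"

# Constructed sample profile and placeholder file contents (not real key material).
SAMPLE = "client\ndev tun\nremote vpn.example.net 1194\nca ca.crt\ncert client.crt\nkey client.key\n"
FILES = {
    "ca.crt": "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----",
    "client.crt": "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----",
    "client.key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----",
}

if __name__ == "__main__":
    print("separate files:", external_refs(SAMPLE))
    fixed = embed(SAMPLE, FILES)
    print("inline blocks:", sorted(inline_blocks(fixed)), "remaining refs:", external_refs(fixed))
```

Because the resulting single file carries the client's private key, it should be handled like a credential when it is transferred to the device.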
 
I have instructions on how to import the ovpn config file to the OpenVPN app on iOS in my blog post. Scroll down to the iOS section.

https://x3mtek.com/openvpn-server-setup-instructions-for-asuswrt-merlin/
 
Thanks for putting up this excellent tutorial @Xentrk. I'm fairly new to the whole VPN concept but with your guide I managed to set up the OpenVPN Server on my RT-AC68U in a few minutes and tried the OpenVPN app on my iPhone (with WiFi disabled) to connect to it and it all seems to work flawlessly and the connection is actually faster than I expected. Some of the screenshots do not match completely (some settings are missing) but that's probably caused by the fact that Asuswrt-Merlin has gone through several changes, I presume?

Another thing I'm curious about: how safe is running a VPN Server (with the settings you suggested in your excellent blogpost) compared to running SSH with WAN access with an RSA key (password disabled)? I've read on the SkyNet thread that @Adamm suggested running a VPN server over exposing SSH to WAN, but I'm curious why that's safer.

Thanks again for your effort, very educational!
 
Thank you for the encouragement. It helps motivate me to keep writing guides & other tutorials. Other than security reasons, another reason OpenVPN may be a better choice is that you can connect to other LAN resources, like a camera or NAS, that require an interface/port other than SSH.
 
Another question @Xentrk: I noticed on the OpenVPN server page as well as in the iOS OpenVPN app that I can select a certificate. Could the ca.crt generated by pixelserv-tls be used for that? Would that increase security (in other words, would access be limited to clients which have the same certificate installed)?
 
The OpenVPN server generates the certificate. The certificate is the one you export and download from the OpenVPN Server web GUI on the router. The cert needs to be imported into the client app. Required for connecting to the OpenVPN server.
 
I see the fields are populated now, after setting up the server (the fields when pressing the Edit button) and I noticed the .ovpn file contained a certificate. I was just wondering whether one could use another certificate, like the ca.crt generated by Pixelserv-tls. Or is it a different kind of certificate? Sorry if these are very noobish questions, I still got a lot to learn ;).
 
No problem. I'm learning something new everyday.

The export function on the server not only exports the cert info, but the other information required for the client to communicate with the server, such as protocol, ciphers, and other parameters.

If you compare the pixelserv-tls ca.crt file in /opt/var/cache/pixelserv with the certificate inside the .ovpn file, they will be different values.
 
Xentrk, thanks for another helpful hint. Not to go astray, but thought this might be relevant, as my search-fu has failed me today on this. I could've sworn I read (on the AC86U, AC3200 or another model) that it's best to use odd-numbered OpenVPN clients, for instance, 1, 3, 5, rather than 1, 2, 3, in order to lighten the loads on the CPU or memory. Any help or pointer is greatly appreciated, Cheers.
 
Maybe you came across this post by @Martineau?
 
M@rco, appreciated, helpful and that's one I hadn't seen. The particular post that I remember was in the last several months. I usually bookmark or save a screen-grab of a valuable tip, but this time I didn't. Haven't hit on the correct search combination in or outside of the forum but eventually it will turn up. Too bad the box doesn't have a 4 or 8 core CPU (like the pfSense box). Again, thank you. G'Day.
 
To be honest, I've read it too. In the past two weeks, to be exact, as I've only recently started with VPN. But I can't recall where. After reading your post, I started searching, read dozens of posts and several sources outside the forum which I've visited in the past two weeks (as far as I can recall - short term memory issues and no browser history), but the post by Martineau at least explains why server instances 1, 3 and 5 are preferred.
 
[Experimental] Wireguard for RT-AC86U
 
Many thanks gentlemen, you nailed it. When one's search-fu sometimes fails, the friends on the forum come through. After a couple of hours, my eyes can't handle the screen as they used to. After removing cataracts, I sometimes exceed my time limits when I'm caught up in researching, and have to call a halt to baby the eyes to keep what's left. As great as these HD screens are, fatigue sets in much more quickly than it used to. Again, my appreciation and gratitude for your help. Cheers:)
 
@Martineau, thanks for digging :) That wasn't the one I was looking for...

Yes...but it was close enough! :p However, just for the code nerds, the origins of this VPN Client performance tweak go way back... so from the 2014/2015 archives... ;)

OpenVPN performance post #31
OpenVPN performance post #41

although perhaps Clients 1, 2 & 4 should be assigned to CPU1 and Clients 3 & 5 to CPU0? Assuming users probably only configure/use the first two VPN clients at most.
 
Even more tweak goodness! Before Scotty beams me up, I'd like to be a code nerd:)
We've only had two concurrent OpenVPN configs running on the 3200, so I was looking for a way to divvy up the work, in the GUI (if possible) and to set up a couple of standby configs in case one of the provider's servers goes wonky. We've had days when the preferred server goes down, and it's faster to switch a client on/off when it's not convenient to upload/test a config. I gather using only one OpenVPN client as the router stands in stock configuration, it shares/uses core 0, but then adding a second client engages the second core. Will using clients 1, 2 and 4 split the chore up evenly and/or what am I missing? I assume I'm missing how to assign what to where, because it can't be that easy even on Sunday. Thank you again:) Cheers
 
