OpenVpn help

This certificate is irrelevant, it's for https GUI access service. In .ovpn file enter the xxx.asuscomm.com name.
 
That worked!!! - I can see my cameras now not on wifi.. thanks so much man!!
So, quick question on the DDNS.. - now that I am using Asus.com.. will it update OpenDns with my current dynamic ip address when it changes?
And also... how secure is this.... by doing this, does it make the network more vulnerable?

and lastly.. does that mean the DMZ setting on the modem still needs to be there or can I put it back how it was?
 
So, quick question on the DDNS.. - now that I am using Asus.com.. will it update OpenDns with my current dynamic ip address when it changes?

No. I see DNS-O-Matic in Asuswrt list, but I know nothing about how it works. Someone else may help you with that.

And also... how secure is this.... by doing this, does it make the network more vulnerable?

As secure as your OpenVPN connection. DDNS hostname is only a pointer to your external IP address, the service tracks the changes.

and lastly.. does that mean the DMZ setting on the modem still needs to be there or can I put it back how it was?

Leave it Enabled. Otherwise you have to port forward your OpenVPN port in modem settings. DMZ host tells your modem the router goes straight to Internet, all ports open for this specific IP only. Don't worry about it - the router has its own firewall.

By the way, Asuswrt-Merlin OpenVPN server exports the .ovpn files with correct DDNS name. What we did above works on stock Asuswrt as well though.
 
Personally, I would never use a DMZ, for anything. Forwarding only the ports you know you need is better (IMO) and the more firewalls, and different routers, etc between you and "them", the better. But, the choice is not mine to make on your network.

It may be worthwhile to note that the Asus DDNS service has apparently had a few issues lately (see what others have reported in the last couple of weeks) so figuring out how to use your other service provider (DNS-O-Matic) or another free or paid service may also be worth the effort. Maybe Asus has resolved their issues, I don't know, but worth noting.
 
Forwarding only the ports you know you need is better

The VPN connection works now, @macster2075 can check the modem User Manual after and forward the port only, if he wants to. The device in DMZ is a router with firewall, designed to be Internet facing. Most people bridge their modems, it's the same level of security.
 
Sorry.. one more question regarding vpn.. so this type of vpn is not like the ones people use to hide their IP and such, right? This is mainly to be able to connect to my router from outside my LAN and that's it?
I guess what I'm asking is... if I'm at a starbucks and I connect to their wifi, I can use the OpenVpn app to be more "secure" while using someone else's wifi?
 
I can use the OpenVpn app to be more "secure" while using someone else's wifi?

Yes, you can connect to your own ISP at home. Connect on Data and type in Google "what's my isp". Click the result links, you must see your home ISP. Type "dnsleaktest" and go to the link, you must see your OpenDNS servers. Better than Starbucks/public Wi-Fi.
 
It is and it isn't. You have a client that connects to a VPN server, and the VPN server then sends you what you want to access. If you are in a starbucks and connect to your home vpn server, then you can access the internet from your home internet connection; from your home to your seat in starbucks it is encrypted.

Or from the starbucks you could go to some third party vpn service, same diff.
 
Well.. that's awesome..no wonder people like to use them.. I've always had this kind of fear of using them (i guess lack of knowledge lol)
@Tech9 I tried that and yes it does tell me who my home ISP is while using phone data and connected to the vpn which is great!

Sorry I keep dragging this on...but I'm very curious... The options seem pretty obvious.. but why would I use LAN only if I'm in the house?
Or does this mean that if I select LAN only, when using the vpn I can only connect to the LAN devices, but not navigate the internet, right?

for example.. if at starbucks and if the setting is on LAN... it means the vpn will only connect me to the LAN devices, but if I surf the web, then I'll be using starbucks internet?
not sure if that made any sense!

 
An example what you can use "LAN only" for - access to your router's GUI, but your Internet traffic still goes through your mobile operator as normal.
 
You guys are gonna be upset at me lol - So now that I got it working..I was just using a test name and weak password..so I deleted the username and created another one with a stronger password... basically the same steps as I did before...but now it won't connect at all...not even on wifi :(
 
Every time you make changes to the OpenVPN Server you have to export the .ovpn file again and import it to your OpenVPN App.
 
Every time you make changes to the OpenVPN Server you have to export the .ovpn file again and import it to your OpenVPN App.
Oh so it’s not just downloading the file from the router and using that one to import to openvpn app?
 
... if Im at a starbucks and I connect to their wifi, I can use the OpenVpn app to be more "secure" while using someone else's wifi?
You also have Asus Instant Guard offering as an alternative.
 
Oh so it’s not just downloading the file from the router and using that one to import to openvpn app?

In OpenVPN Server - Export OpenVPN configuration file
In OpenVPN Connect - Import profile
 
In OpenVPN Server - Export OpenVPN configuration file
In OpenVPN Connect - Import profile
Yup that’s what I’ve been doing but it doesn’t work. I even opened the conf file to make sure the hostname is correct and it is.. I wonder what could have happened…the only thing I did was delete the name add a new one with a new password then clicked apply….downloaded the file and imported it to my iphone and opened it using openvpn just like other times
 
I put the router on the shelf and can't see the OpenVPN configuration. Try using your router's user/pass, I remember it was the default user automatically created at server setup. You must have a good user/pass for your router. You may have to wait for someone else to help you. I don't use Asus routers and have to fire one up to see what's going on.
 
Sorry I keep dragging this on...but I'm very curious... The options seem pretty obvious.. but why would I use LAN only if I'm in the house?
You wouldn't ever connect to your router's VPN Server when you are in your house. Except for testing, that would be useless.
for example.. if at starbucks and if the setting is on LAN... it means the vpn will only connect me to the LAN devices, but if I surf the web, then I'll be using starbucks internet?
not sure if that made any sense!
Yes, but that is exactly the wrong thing to do. The "LAN" setting pushes a route to your LAN to your remote device, so it can connect through the tunnel to your LAN devices. The "Internet" setting pushes a new default gateway to your remote device, so when it wants to go to the internet, it reaches the internet through the tunnel. "Both" does both of those things. But you don't want to be in a Starbucks and reaching the internet except through the tunnel. If you are reaching the internet outside the tunnel, you don't have any privacy. If you are in a trusted location, like your office, then you might reach the internet outside the tunnel, because over the tunnel your download speed from the internet is limited to how fast your home router's internet connection will upload pages to your remote device.
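The LAN / Internet / Both behaviour described in the post above can be confirmed from the client side by reading what the server pushed. This is an added example, not part of the original post or the router firmware; it assumes the stock OpenVPN `PUSH_REPLY` log line, that the "LAN" setting appears as a pushed `route` and the "Internet" setting as a pushed `redirect-gateway`, and all log lines and addresses are constructed.

```python
import re

# Constructed OpenVPN client log lines (not from the thread); addresses are placeholders.
SAMPLE_LOGS = {
    "lan": "PUSH: Received control message: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0,"
           "route-gateway 10.8.0.1,topology subnet,ifconfig 10.8.0.2 255.255.255.0'",
    "internet": "PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,"
                "route-gateway 10.8.0.1,topology subnet,ifconfig 10.8.0.2 255.255.255.0'",
    "both": "PUSH: Received control message: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0,"
            "redirect-gateway def1,dhcp-option DNS 192.168.1.1,route-gateway 10.8.0.1,"
            "ifconfig 10.8.0.2 255.255.255.0'",
}

PUSH_RE = re.compile(r"PUSH_REPLY,([^']*)")


def pushed_options(log_text):
    """Collect every option from every PUSH_REPLY message found in the log."""
    opts = []
    for match in PUSH_RE.finditer(log_text):
        opts.extend(o.strip() for o in match.group(1).split(",") if o.strip())
    return opts


def tunnel_mode(log_text):
    """Classify the session as 'lan-only', 'internet', 'both' or 'none'."""
    names = [o.split()[0] for o in pushed_options(log_text)]
    # 'route-gateway' is a separate directive, so compare the name exactly.
    has_lan_route = "route" in names
    has_default_gw = "redirect-gateway" in names
    if has_lan_route and has_default_gw:
        return "both"
    if has_default_gw:
        return "internet"
    return "lan-only" if has_lan_route else "none"


def safe_on_public_wifi(log_text):
    """True only when internet traffic is sent through the tunnel."""
    return tunnel_mode(log_text) in ("internet", "both")


if __name__ == "__main__":
    for label, line in SAMPLE_LOGS.items():
        print(label, tunnel_mode(line), safe_on_public_wifi(line))
```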
 
I put the router on the shelf and can't see the OpenVPN configuration. Try using your router's user/pass, I remember it was the default user automatically created at server setup. You must have a good user/pass for your router. You may have to wait for someone else to help you. I don't use Asus routers and have to fire one up to see what's going on.
Thanks tech9 I will give this a try after work
 
Yup that’s what I’ve been doing but it doesn’t work. I even opened the conf file to make sure the hostname is correct and it is.. I wonder what could have happened…the only thing I did was delete the name add a new one with a new password then clicked apply….downloaded the file and imported it to my iphone and opened it using openvpn just like other times

If the *only* thing you changed or added was a username/password, you do NOT have to re-export/import the .ovpn file to the client. The username/password is never provided in that config file anyway. All you will ever see is the following directive.

Code:
auth-user-pass

Because there's no file being passed as an argument w/ this directive (which if it was, would normally contain the username/password on separate lines), the OpenVPN client will prompt you for the username/password at runtime, when it's needed.

And if you think about it, how would the router even know which username/password it should provide during the export/import? If that could be communicated somehow, I suppose it's possible the export/import process could also configure and export a username/password file (e.g., userpass.txt) and pass it as an argument w/ the auth-user-pass directive.

Code:
auth-user-pass userpass.txt

But as far as I can see, at present it doesn't do that.

Just guessing, but what might have happened is that you also changed the "Username / Password Auth. Only" option from No to Yes, or vice versa. THAT would require a re-export/import of the client's config file since that determines if the client's cert and private key are also required to authenticate the connection.
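To see which of the cases in the post above an exported profile falls into, the profile can be read for its `auth-user-pass` form and for a client cert and key. This is an added example, not part of the original post or of Asuswrt; the profiles, the host name `router.example.invalid` and the `PLACEHOLDER` PEM bodies are constructed.

```python
import re

# Constructed profiles, not taken from the thread; host and PEM bodies are placeholders.
COMMON = "client\ndev tun\nremote router.example.invalid 1194\n<ca>\nPLACEHOLDER\n</ca>\n"
CERT_KEY = "<cert>\nPLACEHOLDER\n</cert>\n<key>\nPLACEHOLDER\n</key>\n"
USERPASS_ONLY = COMMON + "auth-user-pass\n"
CERT_AND_USERPASS = COMMON + "auth-user-pass userpass.txt\n" + CERT_KEY
CERT_ONLY = COMMON + CERT_KEY


def parse_profile(text):
    """Return ({directive: [args]}, {inline block names}) for an .ovpn profile."""
    directives, blocks, inside = {}, set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if inside:                      # skip the body of an inline <tag> block
            if line == f"</{inside}>":
                inside = None
            continue
        if not line or line[0] in "#;":  # blank line or comment
            continue
        opened = re.fullmatch(r"<([\w-]+)>", line)
        if opened:
            inside = opened.group(1)
            blocks.add(inside)
            continue
        name, *args = line.split()
        directives[name] = args
    return directives, blocks


def auth_summary(text):
    """Report how credentials are supplied and whether a client cert+key is present."""
    directives, blocks = parse_profile(text)
    present = lambda item: item in directives or item in blocks
    if "auth-user-pass" not in directives:
        creds = "not requested"
    elif directives["auth-user-pass"]:
        creds = "read from file " + directives["auth-user-pass"][0]
    else:
        creds = "prompted at runtime"
    return {"credentials": creds, "client_cert_and_key": present("cert") and present("key")}


if __name__ == "__main__":
    for profile in (USERPASS_ONLY, CERT_AND_USERPASS, CERT_ONLY):
        print(auth_summary(profile))
```

If two exports from before and after a server change differ in `client_cert_and_key`, the old profile has to be replaced on the client; a file named after `auth-user-pass` holds the username and password in clear text.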
 