OpenVPN Server using AsusWRT-Merlin - stability and your experiences

[Avery]

For those who have setup an OpenVPN Server using recent AsusWRT-Merlin firmware, has it been stable?

What else have your experiences been?

Can anyone compare this to using a direct Tomato implementation with OpenVPN server?

 

[mobileman88]

For those who have setup an OpenVPN Server using recent AsusWRT-Merlin firmware, has it been stable?

What else have your experiences been?

Can anyone compare this to using a direct Tomato implementation with OpenVPN server?

Been rock solid. Did not use tomato but used ddwrt to in the past

 

[RMerlin]

For those who have setup an OpenVPN Server using recent AsusWRT-Merlin firmware, has it been stable?

What else have your experiences been?

Can anyone compare this to using a direct Tomato implementation with OpenVPN server?

I actually based my code on Tomato's, except that I optimized its performance a fair bit, and when Asus moved the code into the stock firmware they also added the ability to do password-based authentication, and the ability to export a .ovpn config file.

I use it quite frequently to connect back home while at work.

 

[extensi0n]

I use site to site router OVPN with no perceivable issues. I'm sure I could tweak it a bit, but if it ain't broke...

 

[Avery]

Thanks so much for your replies.

Merlin -- first off, I've heard a lot of good things about your work, and just want to say thanks for all the energy it takes to maintain such a 'project' as you've done. Kudos to you. Your firmware (and philosophy behind it) is probably the reason I will go with an ASUS product, and likely gives me all I need. Of course, there's always the ability to go to Tomato or DD-WRT, if features are needed, but I'd prefer stable and simple

Based on your comment, I did some further digging... it sounds like ASUS has already incorporated OpenVPN Server capabilities into the RT-AC68U. I see there are some references to it in the firmware release notes, but no mention of this on the specs page or in the manual, that I've see.

 

[Ford Prefect]

Based on your comment, I did some further digging... it sounds like ASUS has already incorporated OpenVPN Server capabilities into the RT-AC68U. I see there are some references to it in the firmware release notes, but no mention of this on the specs page or in the manual, that I've see.

...it's right there, see section "VPN-Support": http://www.asus.com/Networking/RTAC68U/specifications/

...I am using it quite frequently to "dial home" while on the road...it has been rock solid for me.

 

[BWR]

Rock solid here as well, connected for 10-12h at a time with no problems.

 

[bbsc]

Excellent.
I use it for site-to-site connection for an year, 24x7 for to link two offices.
Generally, it demands no attention at all.
tap-udp, same subnet, need only to use ebtables trick to prevent DHCP queries from one site to another.

 

[RMerlin]

Based on your comment, I did some further digging... it sounds like ASUS has already incorporated OpenVPN Server capabilities into the RT-AC68U. I see there are some references to it in the firmware release notes, but no mention of this on the specs page or in the manual, that I've see.

That's because it was added with a firmware update. When the RT-AC68U launched, it didn't have OpenVPN support.

Asus tends to frequently do this - release a product, and keep adding new features afterward through firmware upgrades.

 

[Deleted member 27741]

My experience is that openvpn on rmerlin firmware runs rock solid.

 

[wctest]

I've been using OpenVPN on the stock firmware and it's been running pretty well. I want to use on-demand VPN on my iPhone with the RT-AC87R. I haven't updated to the Merlin build yet and had a question. Does the Merlin build allow you to use Certificate authentication?

https://docs.openvpn.net/docs/openvpn-connect/openvpn-connect-ios-faq.html

According to the link above, User Authentication has to be set to Certificate and the client certificate+key should be attached as a PKCS#12 file.

"User Authentication should be set to Certificate, and the client certificate+key should be attached as a PKCS#12 file.
VPN On Demand should be enabled and match entries should be defined to instruct iOS under which conditions the VPN profile should be automatically connected.
In addition, parameters normally given in the OpenVPN client configuration file may instead be defined using key/value pairs in the Custom Data section:

VoD requires an OpenVPN autologin profile, i.e. a profile that authenticates using only a client certificate and key, without requiring a connection password.
Define each OpenVPN directive as a key, with arguments specified as the value. As in the OpenVPN configuration file, arguments are space-delimited and may be quoted.
At a minimum, key/value pairs for ca and remote must be defined (Note that OpenVPN cannot get the CA list from the VoD profile, therefore it must be provided using a ca key/value pair).
Key value pairs for tls-auth, key-direction, comp-lzo, cipher, ns-cert-type, and remote-cert-tls must be defined if the server requires them."

Sorry if this is in the wrong thread!

 

[RMerlin]

You can use certificate-based authentication, yes. In fact it was how it was originally implemented, Asus added the ability to do username-based authentication afterward.

 

[wctest]

You can use certificate-based authentication, yes. In fact it was how it was originally implemented, Asus added the ability to do username-based authentication afterward.

Thanks for the quick response. I don't want to thread jack, but how do I download the pk12 file or change authentication to Certificate? Thanks again for the help.

 

[RMerlin]

Thanks for the quick response. I don't want to thread jack, but how do I download the pk12 file or change authentication to Certificate? Thanks again for the help.

When you configure the router, you will typically generate your own certificates in PEM format, and enter them on the webui.

See this howto for a starting point:

https://github.com/RMerl/asuswrt-merlin/wiki/Generating-OpenVPN-keys-using-Easy-RSA

 

[Avery]

...it's right there, see section "VPN-Support": http://www.asus.com/Networking/RTAC68U/specifications/

...I am using it quite frequently to "dial home" while on the road...it has been rock solid for me.

Very interesting... their specs don't line-up online. This US site doesn't show the OpenVPN Specs. Thanks for sharing that.

http://www.asus.com/us/Networking/RTAC68U/specifications/