RT-N66U as second OpenVPN Client Router

[Piv]

Hi,

I'm a newbie here, so please forgive me in advance.

I've read here and else where that it is possible to set up a second home router to act as an OpenVPN Client for attached streaming devices, in my case a Panasonic TV and a Samsung BluRay player (with Apps.) My aim is to overcome geolocation blocking!

I have been "playing" for well over a week now but have not achieved my aim. I have rented a VPS (Centos 64bit) where I successfully installed OpenVPN Access Sever and connected via my Win7 computer. I then installed the latest Merlin build on my RT-N66U but have so far drawn a blank.

My main router is a Fritz!Box 7390 (192.168.178.1) with my PC, Sonos Bridge and HP printer, plus my QNAP NAS attached. The 4th LAN cables goes up to my TV room where the RT-N66U will finally go. I will not use the N66U for WiFi!

The N66U (192.168.1.1) is attached via the WAN port and I picks up the address 192.168.178.101 from the Fritz. I added some routing on the Fritz for this. I can connect my PC and Samsung tablet wirelessly and access the WWW.

I finally got rid of the OpenVPN Access Server and replaced it a standard OpenVPN Server. I originally used easy-rsa on my windows box but then discovered that the SSL Config was missing a couple of lines. So I've now installed easy-rsa on my VPS and build the CA and keys successfully.

Now to my questions:

Can I achieve what I want to do with my 2nd router?

I have reset the N66U back to factory default settings (still the Merlin build). What settings for WAN/LAN/OpenVPN Client do I need to set?

Do I need to set (permanent) iptables rules? On the N66U? On my VPS?

How do I know when the OpenVPN Client is working? I've actually been at a state where Server and Client were running but didn't know if the VPN was working?

Should DHCP be disabled on the N66U? If so, how will my TV and Samsung BluRay pick up their new addresses? OK, I guess I can hard code them but can I card code the RT-N66U?

Thanks very much in advance for any help received.

@Merlin: my wife comes from the same fair city as you! I think that I've maybe another week's grace to get my ASUS running but thereafter her Quebecoise blood will start to boil!

Piv

 

[Piv]

So, I managed to get the VPN working by going back to scratch!

On the (Centos) Server side I discovered that I hadn't completely removed the OpenVPN Access Server. I fully deleted this. Installed the OpenVpn Server, installed easy-rsa and built my CA and all the keys.

On starting the server I discovered error messages in /var/opt/messages. My first home router (Fritz Box) or somewhere on my network was still sending traffic to the Server on the VPN port??

So, on my PC I completely de-installed OpenVPN, I rebooted the PC and both routers. I made sure that my ASUS was running OK with a connection from my Fritz Box to the WAN port on the N66U. I copied my CA and client keys from the server and started the client. Hey Presto, my VPN was up and running.

For interest, here are extracts from the logs (with a few items anonymised)

Client
=====
Aug 27 22:33:37 rc_service: httpd 308:notify_rc start_vpnclient1
Aug 27 22:33:37 kernel: tun: Universal TUN/TAP device driver, 1.6
Aug 27 22:33:37 kernel: tun: (C) 1999-2004 Max Krasnyansky <[email protected]>
Aug 27 22:33:37 openvpn[453]: OpenVPN 2.3.0 mipsel-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Jul 24 2013
Aug 27 22:33:37 openvpn[453]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Aug 27 22:33:37 openvpn[453]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Aug 27 22:33:37 openvpn[453]: Socket Buffers: R=[114688->131072] S=[114688->131072]
Aug 27 22:33:37 openvpn[455]: UDPv4 link local: [undef]
Aug 27 22:33:37 openvpn[455]: UDPv4 link remote: [AF_INET]123.123.123.123:1194
Aug 27 22:33:37 openvpn[455]: TLS: Initial packet from [AF_INET]123.123.123.123:1194, sid=61c647d6 406ce2f4
Aug 27 22:33:37 openvpn[455]: VERIFY OK: depth=1, C=CH, ST=FR, L=xxxxxxxxxx, O=xxxxxxxxxx, CN=xxxxxxxxxx, [email protected]
Aug 27 22:33:37 openvpn[455]: VERIFY OK: depth=0, C=CH, ST=FR, L=xxxxxxxxxx, O=xxxxxxxxxx, CN=xxxxxxxxxx, [email protected]
Aug 27 22:33:38 openvpn[455]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Aug 27 22:33:38 openvpn[455]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Aug 27 22:33:38 openvpn[455]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Aug 27 22:33:38 openvpn[455]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Aug 27 22:33:38 openvpn[455]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Aug 27 22:33:38 openvpn[455]: [xxxxxxxxxx] Peer Connection Initiated with [AF_INET]123.123.123.123:1194
Aug 27 22:33:40 openvpn[455]: SENT CONTROL [xxxxxxxxxx]: 'PUSH_REQUEST' (status=1)
Aug 27 22:33:40 openvpn[455]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
Aug 27 22:33:40 openvpn[455]: OPTIONS IMPORT: timers and/or timeouts modified
Aug 27 22:33:40 openvpn[455]: OPTIONS IMPORT: --ifconfig/up options modified
Aug 27 22:33:40 openvpn[455]: OPTIONS IMPORT: route options modified
Aug 27 22:33:40 openvpn[455]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Aug 27 22:33:40 openvpn[455]: TUN/TAP device tun11 opened
Aug 27 22:33:40 openvpn[455]: TUN/TAP TX queue length set to 100
Aug 27 22:33:40 openvpn[455]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Aug 27 22:33:40 openvpn[455]: /sbin/ifconfig tun11 10.8.0.6 pointopoint 10.8.0.5 mtu 1500
Aug 27 22:33:40 openvpn[455]: /sbin/route add -net 123.123.123.123 netmask 255.255.255.255 gw 192.168.178.1
Aug 27 22:33:40 openvpn[455]: /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.8.0.5
Aug 27 22:33:40 openvpn[455]: /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.8.0.5
Aug 27 22:33:40 openvpn[455]: /sbin/route add -net 10.8.0.1 netmask 255.255.255.255 gw 10.8.0.5
Aug 27 22:33:40 openvpn[455]: Initialization Sequence Completed


Server
=====
Aug 27 16:13:11 xxxxxxxxxx openvpn[10581]: /sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
Aug 27 16:13:11 xxxxxxxxxx openvpn[10581]: /sbin/ip route add 10.8.0.0/24 via 10.8.0.2
Aug 27 16:13:11 xxxxxxxxxx openvpn[10589]: GID set to nobody
Aug 27 16:13:11 xxxxxxxxxx openvpn[10589]: UID set to nobody
Aug 27 16:13:11 xxxxxxxxxx openvpn[10589]: UDPv4 link local (bound): [undef]
Aug 27 16:13:11 xxxxxxxxxx openvpn[10589]: UDPv4 link remote: [undef]
Aug 27 16:13:11 xxxxxxxxxx openvpn[10589]: MULTI: multi_init called, r=256 v=256
Aug 27 16:13:11 xxxxxxxxxx openvpn[10589]: IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Aug 27 16:13:11 xxxxxxxxxx openvpn[10589]: IFCONFIG POOL LIST
Aug 27 16:13:11 xxxxxxxxxx openvpn[10589]: Initialization Sequence Completed
Aug 27 16:35:55 xxxxxxxxxx openvpn[10589]: 222.222.222.222:34875 TLS: Initial packet from [AF_INET]222.222.222.222:34875, sid=7cb5437c 480f1937
Aug 27 16:35:56 xxxxxxxxxx openvpn[10589]: 222.222.222.222:34875 VERIFY OK: depth=1, C=CH, ST=FR, L=xxxxxxxxxx, O=xxxxxxxxxx, CN=xxxxxxxxxx, [email protected]
Aug 27 16:35:56 xxxxxxxxxx openvpn[10589]: 222.222.222.222:34875 VERIFY OK: depth=0, C=CH, ST=FR, L=xxxxxxxxxx, O=xxxxxxxxxx, CN=ASUS, [email protected]
Aug 27 16:35:56 xxxxxxxxxx openvpn[10589]: 222.222.222.222:34875 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Aug 27 16:35:56 xxxxxxxxxx openvpn[10589]: 222.222.222.222:34875 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Aug 27 16:35:56 xxxxxxxxxx openvpn[10589]: 222.222.222.222:34875 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Aug 27 16:35:56 xxxxxxxxxx openvpn[10589]: 222.222.222.222:34875 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Aug 27 16:35:56 xxxxxxxxxx openvpn[10589]: 222.222.222.222:34875 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Aug 27 16:35:56 xxxxxxxxxx openvpn[10589]: 222.222.222.222:34875 [ASUS] Peer Connection Initiated with [AF_INET]222.222.222.222:34875
Aug 27 16:35:56 xxxxxxxxxx openvpn[10589]: ASUS/222.222.222.222:34875 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
Aug 27 16:35:56 xxxxxxxxxx openvpn[10589]: ASUS/222.222.222.222:34875 MULTI: Learn: 10.8.0.6 -> ASUS/222.222.222.222:34875
Aug 27 16:35:56 xxxxxxxxxx openvpn[10589]: ASUS/222.222.222.222:34875 MULTI: primary virtual IP for ASUS/222.222.222.222:34875: 10.8.0.6
Aug 27 16:35:58 xxxxxxxxxx openvpn[10589]: ASUS/222.222.222.222:34875 PUSH: Received control message: 'PUSH_REQUEST'
Aug 27 16:35:58 xxxxxxxxxx openvpn[10589]: ASUS/222.222.222.222:34875 send_push_reply(): safe_cap=940
Aug 27 16:35:58 xxxxxxxxxx openvpn[10589]: ASUS/222.222.222.222:34875 SENT CONTROL [ASUS]: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5' (status=1)

The only changes that I performed to the "factory" Merlin configuration for the OpenVPN client was to add the server IP address and set Start on WAN.

Yesterday evening I connected the ASUS to my Samsung dvd player and reset the installed Apps for the new "geolocation" (of my Server). I can successfully watch catch up TV and can access Netflix and Lovefilm. Will subscribe later.

One small down-point though, while watching a film in SD via catch up TV, I started getting buffering issues after about 5 minutes. I have a 10Gb DSL line which I was expecting to be OK.

Question: How do I go about testing/monitoring the VPN throughput on my Server or ASUS client??

Thanks

Piv