Secure OpenVPN setup


criminala

Regular Contributor
Hello, upgraded my AX86U to the latest and greatest 386.1. Working very well.
I would also like to take the opportunity now to start using the asuscomm.com ddns service, along with a secure vpn connection to connect to the private network (to connect to router, NAS etc.), instead of opening ports towards internal servers like I used to do.

While I am finding some guides on how to set up openvpn, they contain lots of contradicting information.
Setting up and making it work is not hard but I want to be sure it is set up SECURE and PROPERLY.

For example I found this guide:
OpenVPN Server Setup Instructions for Asuswrt-Merlin – x3mtek Blog Site

1. He says to use LZ4 compression while I read mostly to set compression to NONE.
2. When connecting from android he says to press "continue" on the screen where it asks to select a certificate (I do not think the vpn works SECURE and PROPERLY when you do this?!!)
3. He does not want all traffic to go through the vpn and rather use the coffee shop internet connection: alarm bells go off in my head as I want an encrypted connection where all traffic over the vpn is secured.

So what I have now is a working VPN server running on Merlin firmware (following the above guide but his interface is somewhat different from mine). I am not using the compression.
I also have set up the ddns and activated the Let's Encrypt certificate for the dns name.
Weren't certificates supposed to be included in the ovpn file...? Certificates are somewhat of a black box for me.

So is there a proper guide that you can point me to, to put the last bits together and make the VPN work in a SECURE way?
Or if one would not exist, could someone briefly explain the certificate part maybe? (which certificate to take from the router and how/where to install it on android/ipad/pc)
 

elorimer

Very Senior Member
This is the way I do it: https://www.snbforums.com/threads/vpn-instructions-for-a-newbie.59478/#post-523302
 

criminala

Regular Contributor
@elorimer
Thanks for that link. Some good tips there. I added the option of "local" in the custom configuration now.

But like I said before, getting the openvpn to work, connect to it and access the LAN is fairly easy.
However, my concern still stands:

On the ipad for example, in the vpn profile it says certificate: none. Can't select a certificate either. Isn't this necessary to get a secure connection?

Same on android: message saying "this profile doesn't include a client certificate. Continue connecting without a certificate or select one from the Android keychain?", need to say continue without a certificate also because there is no certificate to select..

--> I think a certificate is needed in order to make a secure connection?
--> I thought the certificate should be included in the ovpn file?

I am probably missing something obvious.




My current settings:
1. asuscomm.com ddns name with Let's Encrypt certificate is set.
2. openvpn server active with advanced settings (386.1 firmware):

client will use the vpn to access = both

TUN
UDP
1198
TLS
keys and certificates left at default (static key, certificate authority, server certificate, server key, Diffie-Hellman parameters... these are all filled in. The 2 optional ones at the bottom, which are certificate revocation list and Extra Chain Certificates, are empty)
user/pass = yes
user/pass auth only = yes
TLS = bidirectional auth
hmac = default
VPN subnet 10.8.0.0/255.255.255.0
advertise dns to clients = yes
Data ciphers at default = AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC
compression = disable
log = 3
client specific options = no

What I am trying to do is to make a SECURE connection from PC/android/ipad, so ALL traffic goes over the tunnel, ENCRYPTED.
 

Martineau

Part of the Furniture
@elorimer

I am probably missing something obvious .


user/pass auth only = yes
You have specified that you only need a valid Username/password combo.

I suggest you set user/pass auth only = no; restart the OpenVPN server and export the resulting .ovpn config to your ipad/mobile devices.
 

elorimer

Very Senior Member
user/pass auth only = yes
TLS = bi directional auth
As @Martineau said, this is a problem. It means you don't need certificates, and I suspect they are therefore not exported in your config.

The config file is just a plain text file, and it will have certificates in it if you look.

Also, I have had problems with bidirectional TLS with my Chromebooks, so I don't use it.
 

criminala

Regular Contributor
You have specified that you only need a valid Username/password combo.

I suggest you set user/pass auth only = no; restart the OpenVPN server and export the resulting .ovpn config to your ipad/mobile devices.

That was indeed the "issue"!
Thankful you guys spotted that :)

I now set the option to NO. And now the exported ovpn config file includes the certificate as well.

@elorimer currently for me the bidirectional TLS option does not seem to affect my connection (ipad, android, pc all fine), so I guess that for now I am just leaving it enabled as I think it offers better security.


:cool: now I am fully SECURED :cool:
 

David2001

Occasional Visitor
Hey! I am actually having the same contemplation as you. That said, are you able to see the ‘certificate’ on the iOS Open VPN client? I had that user/pass auth only = no and I am not seeing that certificate page on iOS app as filled in. Still empty. Am I missing something? Otherwise just like you, I was able to make it work. Thanks.

Edit: I also do not have a static key filled in when you check the certificate/ key edit option. You have something there?
 

criminala

Regular Contributor
Certificate page on iOS app has nothing for me.
But I see the certificate in the ovpn file now.

ipad also does not say certificate: none anymore in the profile, and on android it now simply connects without giving me the popup screen "this profile doesn't include a client certificate. Continue connecting without a certificate or select one from the Android keychain?".

So my guess (I know, I know) is that my connection is safe with this setup.
 
Last edited:

David2001

Occasional Visitor
So when you open the ovpn file (I’m guessing you’re using chrome to read it) you mean that you’re seeing the certificate details (as is seen via the certificate / keys edit button on the VPN Server setup)? If so, that’s what I’m seeing as well so I guess it’s all good :).

Also, you mentioned that you’re seeing an entry for Static Key? I’m not seeing anything for that field (in addition to the two optional ones as you mentioned which are also empty for me and I assume is fine). Can you please double check?

Finally, just as a ‘test’ (to see if the connection is actually secure), do you know of an easy way to confirm that? I.e. is there something I would not be able to do for example if it is truly secure?

Thank you!
 

criminala

Regular Contributor
I open the ovpn file with Notepad++. Only ones that are the same from the vpn server setup are CA and static key. All the rest (certificate, private key..) are different.

Yes, static key is filled in with a long key in server setup, and this is also shown in the ovpn file. They are the same for me. I never did anything manually, it was already there.
Below the port in vpn server setup there is a choice between TLS and static key. I have TLS chosen there, so my guess is that the static key is not really doing anything.. Not sure why they do include the static key in the ovpn config file.

No idea how to properly test the connection, that's why I said I am guessing it is safe (which one should never do of course).
:)
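Two points in the thread can be checked mechanically rather than guessed at: Martineau's observation that "user/pass auth only = yes" leaves the client certificate and key out of the exported profile, and David2001's question of how to confirm the exported file actually has the secure pieces. The script below is an added example, not code from this thread or from Asuswrt-Merlin: it parses an .ovpn file and reports which of the items discussed here (CA, client cert and key, static TLS key, username/password prompt, compression) are missing. The two embedded profiles, the host name my-router.asuscomm.com and the PEM bodies are constructed placeholders, and exactly which directives a given firmware export contains is an assumption, so point it at your own exported file.

```python
"""Sanity-check an exported OpenVPN client profile (.ovpn).

Added example for the forum discussion above; not part of the thread or of
Asuswrt-Merlin. Reports which of the pieces discussed there are missing.
"""
import re
import sys
from typing import Dict, List

# Inline block names OpenVPN accepts inside a profile (OpenVPN's own names).
INLINE_BLOCKS = ("ca", "cert", "key", "tls-auth", "tls-crypt")


def parse_ovpn(text: str) -> Dict[str, object]:
    """Split a profile into directives {name: [argument strings]} and a map of
    which inline <block>...</block> sections are present with a non-empty body."""
    blocks: Dict[str, bool] = {}
    for name in INLINE_BLOCKS:
        m = re.search(rf"<{name}>(.*?)</{name}>", text, re.S)
        blocks[name] = bool(m and m.group(1).strip())
    # Remove inline bodies so PEM lines are not read as directives.
    body = re.sub(r"<([\w-]+)>.*?</\1>", "", text, flags=re.S)
    directives: Dict[str, List[str]] = {}
    for raw in body.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # OpenVPN comment lines
            continue
        word, _, args = line.partition(" ")
        directives.setdefault(word, []).append(args.strip())
    return {"directives": directives, "blocks": blocks}


def check_profile(text: str) -> List[str]:
    """Return findings for an exported client profile. An empty list means the
    pieces discussed in the thread are all present and compression is off."""
    parsed = parse_ovpn(text)
    d: Dict[str, List[str]] = parsed["directives"]  # type: ignore[assignment]
    b: Dict[str, bool] = parsed["blocks"]  # type: ignore[assignment]
    findings: List[str] = []
    if not b["ca"]:
        findings.append("no <ca>: client cannot verify it is talking to your router")
    if not (b["cert"] and b["key"]):
        findings.append("no <cert>/<key>: profile looks like it was exported with "
                        "'user/pass auth only' enabled, so only the password protects the login")
    if "auth-user-pass" not in d:
        findings.append("no auth-user-pass: no username/password will be asked for")
    if not (b["tls-auth"] or b["tls-crypt"]):
        findings.append("no <tls-auth>/<tls-crypt> static key: control channel is not HMAC-protected")
    for arg in d.get("compress", []):
        if arg in ("lzo", "lz4", "lz4-v2"):
            findings.append(f"compression on (compress {arg}); set it to none")
    for arg in d.get("comp-lzo", []):
        if arg in ("", "yes", "adaptive"):
            findings.append("compression on (comp-lzo); set it to none")
    return findings


# Constructed sample profiles with placeholder PEM bodies (not real keys).
PEM = "-----BEGIN PLACEHOLDER-----\nQUJDREVG\n-----END PLACEHOLDER-----"
COMMON = (
    "client\ndev tun\nproto udp\n"
    "remote my-router.asuscomm.com 1198\n"  # placeholder host name
    "auth-user-pass\n"
    "data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC\n"
)
# Assumed shape of an export made while 'user/pass auth only = yes': CA and
# static key only, no client certificate or key.
USERPASS_ONLY = COMMON + f"<ca>\n{PEM}\n</ca>\n<tls-auth>\n{PEM}\n</tls-auth>\nkey-direction 1\n"
# After setting that option to 'no', the client cert and key appear as well.
FULL = USERPASS_ONLY + f"<cert>\n{PEM}\n</cert>\n<key>\n{PEM}\n</key>\n"

if __name__ == "__main__":
    if len(sys.argv) > 1:  # check a real exported file: python check_ovpn.py client.ovpn
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            print(check_profile(fh.read()) or ["OK"])
    else:
        for label, prof in (("user/pass only", USERPASS_ONLY), ("with client cert", FULL)):
            print(f"{label}: {check_profile(prof) or ['OK']}")
```

Note that the "client will use the VPN to access = both" choice is enforced by the router pushing the redirect-gateway setting at connect time, so it does not appear in the client file; verify that one on the router's server page rather than in the profile.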
 

David2001

Occasional Visitor
Got it ok! I’ll try again tonight to set it up using your advanced settings (as they are just a little different than mine and see if it makes a difference). Thanks!

Oh, one last quick yes or no,- when you did not have the certificate, was the file’s contents super short?
 

elorimer

Very Senior Member

elorimer

Very Senior Member
Also, what do you recommend the values to be when choosing Advanced Settings for the Open VPN?
I don't know which of your posts to respond to so I won't. I've posted my setup before in this thread.
 

criminala

Regular Contributor
@David2001 I tend to stick to default values on the router as much as possible before starting to fiddle with it.
Whatever default means, as it does not tell for this field. Could as well be "none", who knows. But Merlin knows what's best ;)

As for Advanced settings, see the values I posted in this thread, or read the more extensive writeup of @elorimer (see the link he posted before).
 
