Setting up as stand-alone OpenVPN server (AP mode)

bengalih

Senior Member
I've got an older Merlin capable ASUS I would like to use at my father's house as a VPN server.

He currently has a router from Verizon as well as an AmpliFi HD device setup and I am not looking to modify his main boxes at this point if I can help it.

I would like to repurpose this extra Merlin device to just sit on the network and only serve as a router for incoming VPN traffic, but not be the main WAN router.
Ideally I would like to connect it just over WiFi (some AP mode? Wireless client? Can this only be done using AiMesh if both devices are Asus?)
If that isn't possible, I can probably hardwire it if required.
But basically I only need it to accept connections as an incoming VPN server to route to other devices on the network and also out the local internet (father's ISP).

Assuming I forward the appropriate OpenVPN ports through his current devices to reach the Merlin box, can Merlin be configured relatively easily to act in this manner?

I won't be able to actually configure it for a couple of months, but I was going to throw the device onto my own network and play around as I believe it should be capable of this.

However, before I spend too much time, I was hoping someone else had done something like this or could let me know if what I wanted to do just wouldn't work.

Thanks.
 
You will need to connect the Asus router's WAN interface to the main LAN, and forward the VPN port from the main router to that Asus router WAN interface's IP. That way any connection to it will have access to the main LAN (which will be WAN-side of the Asus router).
 
Thanks, so I would want to keep the WAN connection set to "Enable Wan" and set a Static IP that is an IP on the local network.
Then simply forward 1194 (or whatever I set the OVPN server to) from the main router to the Merlin and it should then be able to accept the incoming connections and route them to other devices on that local network (including the default gateway out for internet)?

That seems easy enough. Not ideal since I can't have it just sit on the WiFi network, but should do the trick for what I need to not have to buy another piece of hardware.
 
Ok - so just reporting that this seems to work. I haven't placed it in the target environment yet, but tested in my own.
This is on an old RT-N66W using the last supported 380.x fw:

- Configured WAN in Static IP and set it to an available LAN address in my internal network.
- Forwarded port 1198 from my main router to this 'VPN Box'
- Enabled the OpenVPN Server to run on 1198 and set my other preferred VPN parameters, including "redirect internet traffic"
- Exported OVPN file to phone and established VPN connection*

This was all that was necessary to get it working, but I did some additional settings for ease of access and ongoing maintenance.
- Enabled Custom DDNS and use a custom script which detects the external IP of the network (`curl ident.me`) and updates my CloudFlare DNS records appropriately. Without setting up DDNS you will need to modify the OVPN file (*) above and ensure that the IP listed therein is the public IP of your external WAN (ISP).
- Turned off all WiFi and firewall settings since this device does not need to perform any of these functions
WARNING - Do NOT disable NAT
- Enabled SSH and Web access on both LAN and WAN ports. Without this you can't access the device unless you plug the LAN port in and access it over the LAN address. Since the WAN interface in this scenario is actually on the local LAN, this allows you to only keep the device plugged in with its WAN port and then access all administration functions through that.
- Configured the Static WAN IP configuration to use my proper internal DNS servers (in my case the IP of the main router).

After connecting in with my phone I was able to ping devices on the local network using their DNS names and IPs.
Doing a "what is my ip" lookup showed that my IP address was that of the external IP of the local network I was VPN'd into.

Good to go!
 
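A worked version of the custom DDNS hook and the OVPN profile fix-up mentioned in the post above. This is an added example, not bengalih's script and not Asuswrt-Merlin's own code. It assumes Asuswrt-Merlin's "Custom" DDNS hook `/jffs/scripts/ddns-start` (the firmware runs it with the WAN address as `$1` and expects it to report back with `/sbin/ddns_custom_updated 1` or `0`), a Cloudflare zone ID, DNS record ID and API token kept in a hypothetical `/jffs/configs/cloudflare.env`, and the hypothetical record name `vpn.example.com`. Because the "WAN" interface of the VPN box sits on the private LAN in this set-up, `$1` is a private address and useless for DNS; the script therefore looks the public address up externally (as the post does with `curl ident.me`) and refuses to publish anything that is not a public IPv4, so a failed lookup (an HTML error page, say) cannot overwrite the record.

```shell
#!/bin/sh
# /jffs/scripts/ddns-start  (added example for Asuswrt-Merlin "Custom" DDNS; not the post's script)
#
# Assumptions (not from the original post):
#   - /jffs/configs/cloudflare.env defines ZONE_ID, RECORD_ID, RECORD_NAME and CF_TOKEN
#     (a token scoped to Zone:DNS:Edit on that one zone, not the global API key).
#   - curl is available, as it is on Asuswrt-Merlin firmware.
#
# Merlin calls this hook with the WAN IP as $1. Here the WAN port carries a private LAN
# address, so $1 is ignored and the public address is fetched from an external service.

ENV_FILE="${ENV_FILE:-/jffs/configs/cloudflare.env}"
CACHE_FILE="${CACHE_FILE:-/tmp/ddns-last-ip}"
IP_SERVICE="${IP_SERVICE:-https://ident.me}"

# Return 0 if $1 is a well-formed public IPv4 address, 1 otherwise.
# RFC 1918, loopback and link-local ranges are rejected so a broken lookup can never
# publish the VPN box's own LAN address into public DNS.
valid_public_ipv4() {
    ip="$1"
    case "$ip" in
        *[!0-9.]*|"") return 1 ;;
    esac
    oldifs="$IFS"; IFS=.
    set -- $ip
    IFS="$oldifs"
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ -n "$o" ] && [ "$o" -le 255 ] || return 1
    done
    case "$ip" in
        10.*|127.*|192.168.*|169.254.*) return 1 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 1 ;;
    esac
    return 0
}

# Return 0 if $1 differs from the address we last published (or nothing was published yet),
# so the Cloudflare API is only touched when the record actually needs to change.
ip_changed() {
    [ -f "$CACHE_FILE" ] || return 0
    [ "$(cat "$CACHE_FILE")" != "$1" ]
}

# JSON body for Cloudflare's update-record call: $1 = record name, $2 = address.
# A short TTL limits how long clients keep the stale address after the ISP changes it.
cf_payload() {
    printf '{"type":"A","name":"%s","content":"%s","ttl":120,"proxied":false}' "$1" "$2"
}

# PUT the record to Cloudflare and print the API response body ($1 = address).
cf_update() {
    curl -sS --max-time 15 -X PUT \
        "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dns_records/$RECORD_ID" \
        -H "Authorization: Bearer $CF_TOKEN" \
        -H "Content-Type: application/json" \
        --data "$(cf_payload "$RECORD_NAME" "$1")"
}

# Rewrite the "remote <host> [port]" line of an exported client profile read on stdin so the
# client connects to the DDNS name ($1) and server port ($2) instead of the exported address.
ovpn_set_remote() {
    sed -E "s/^remote[[:space:]]+[^[:space:]]+([[:space:]]+[0-9]+)?/remote $1 $2/"
}

main() {
    [ -r "$ENV_FILE" ] && . "$ENV_FILE"
    pub_ip="$(curl -sS --max-time 10 "$IP_SERVICE")"
    if ! valid_public_ipv4 "$pub_ip"; then
        logger -t ddns-start "lookup returned '$pub_ip', not updating DNS"
        /sbin/ddns_custom_updated 0
        return 1
    fi
    if ! ip_changed "$pub_ip"; then
        /sbin/ddns_custom_updated 1   # nothing to do; still report success to the firmware
        return 0
    fi
    resp="$(cf_update "$pub_ip")"
    case "$resp" in
        *'"success":true'*)
            printf '%s\n' "$pub_ip" > "$CACHE_FILE"
            /sbin/ddns_custom_updated 1 ;;
        *)
            logger -t ddns-start "Cloudflare update failed: $resp"
            /sbin/ddns_custom_updated 0 ;;
    esac
}

# Only run the hook when the firmware executes this file by name; sourcing it just loads the functions.
case "$0" in */ddns-start) main "$@" ;; esac
```

Keep the env file at mode 600: the firmware runs the hook as root, and a token scoped to DNS edits on one zone limits the damage if the router is ever compromised. To point the exported profile at the DDNS name rather than the address the router wrote into it, pipe it through the helper: `ovpn_set_remote vpn.example.com 1198 < client.ovpn > client-ddns.ovpn`.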
