Test builds with OpenVPN available

RMerlin

Asuswrt-Merlin dev
Beta builds of Asuswrt-Merlin with OpenVPN are now available for download on Github: https://github.com/RMerl/asuswrt-merlin/downloads

The OpenVPN implementation on Asuswrt-Merlin is based on the code written by Keith Moyer for Tomato, and was reused with his permission. The webui had to be written from scratch however, since Asuswrt doesn't use the web templating engine that Tomato uses. I have however kept the same option names and a fairly similar layout, so people following tutorials written for Tomato will have no problem applying them to Asuswrt-Merlin.

One such tutorial I strongly recommend for people that aren't familiar with OpenVPN can be found here. This tutorial can be used almost as-is with Asuswrt-Merlin.

I have tested the client side of OpenVPN by having it successfully connect to an OpenVPN server running on my old WRT320N (running DD-WRT).

Please post your feedback here. I might be able to help folks who have questions specific to OpenVPN, however note that I am not an expert (yet) in OpenVPN, so no promises. :)

The OpenVPN client can be downloaded here, on the official OpenVPN website. The Win32 installer includes easy-rsa, which can be used to generate the certificates (as explained in the howtogeek tutorial I linked above).

One additional note for RT-AC66U users: these builds have GRO disabled. So if you are having random crashes with either the official firmware or 178.15, you can safely flash this test build for now to fix your issues.

RT-N16U users: sorry, but I can't implement OpenVPN on that router due to its limited nvram space. OpenVPN needs a lot of nvram space to store its certificates. Your only alternative is to install OpenVPN through Optware, and configure it manually. I've had reports of people successfully doing so on the RT-N66U in the past, so it's doable, although not simple I agree.
 
That was PITY

Okay, that was a pity. I'm looking forward to testing it on my RT-N16.
In Tomato there are TWO servers and TWO clients and there is enough space to run server/client at the same time.
You can use a static key and that would fit in NVRAM, with other configuration stored on a USB drive.
Put certificates on your USB drive and that works just fine.

octopus :eek:
 
Sweet! OpenVPN FTW!

I assume it is OpenVPN 2.2.2? If it is I may have to try your firmware! Thanks!

To Octopus:
Not sure what the benefit would be to running client & server from the same router though...what does this accomplish for you exactly?
 
That would be if you use VPN-service and want to connect from outside.

I'm satisfied if that got implemented on the RT-N16 and only supported static keys,
then people can store their certs on a USB drive as there isn't enough space in nvram.

octopus
 
Hi,

I updated to your last beta, and with my PPTP VPN it shows me no information under "PPTP VPN Server - Running" with my iPhone connected over PPTP VPN.

Is this normal?
 
Hello Merlin, thx for this OpenVPN release. You know I have waited for this for a long time :).

Today I tested the OpenVPN version beta1.
I have configured one client and it works.

Can you enlarge the address field so that internet addresses are possible?
Right now it's only possible to write IP addresses in this field.

best regards

Sven
 
Not able to activate OpenVPN

Tx for your efforts, Merlin - I'm very pleased to see Asus FW getting better and better through your refinements...

Sorry to say I wasn't able to activate OpenVPN although I proceeded exactly as described in the OpenVPN tutorial you linked to.

If I try to enable openVPN in the section "OpenVPN Server Settings" the router tries to implement this but the green button returns immediately into the off-status, although I've filled all options according to the suggestions found in the tutorial including copy and paste of the certificates and keys for server and client in the key section.

The syslog shows some error messages concerning OpenVPN:

Jan 1 01:00:57 openvpn[1882]: OpenVPN 2.2.2 mipsel-linux [SSL] [LZO2] [EPOLL] built on Sep 1 2012
Jan 1 01:00:57 openvpn[1882]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Jan 1 01:00:57 openvpn[1882]: Cannot load DH parameters from dh.pem: error:0906D06C:PEM routines:PEM_read_bio:no start line
Jan 1 01:00:57 openvpn[1882]: Exiting
Jan 1 01:00:57 notify_rc : stop_ntpc
Jan 1 01:00:57 rc_service: stop_ntpc is waitting start_vpnclient1...
Jan 1 01:00:58 openvpn[1900]: OpenVPN 2.2.2 mipsel-linux [SSL] [LZO2] [EPOLL] built on Sep 1 2012
Jan 1 01:00:58 openvpn[1900]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Jan 1 01:00:58 openvpn[1900]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Jan 1 01:00:58 openvpn[1900]: Cannot load certificate file client.crt: error:0906D06C:PEM routines:PEM_read_bio:no start line: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib
Jan 1 01:00:58 openvpn[1900]: Exiting

Any hint what is running wrong?
 
Yep, what I see there is a problem with your certificates.

Jan 1 01:00:57 openvpn[1882]: Cannot load DH parameters from dh.pem: PEM_read_bio:no start line

No server certificate verification method has been enabled.
Cannot load certificate file client.crt: no start line

I suggest concentrating on getting the server to run first.
 
I suggest concentrating on getting the server to run first.

Tx for replying... but this IS my problem that it is not possible to get the server running - regardless of whatever I try to enter...
 
Hi,

I updated to your last beta, and with my PPTP VPN it shows me no information under "PPTP VPN Server - Running" with my iPhone connected over PPTP VPN.

Is this normal?

It should display connected clients:

Please post the content from /tmp/pptp_connected when your pptp client is connected.
 
Hello Merlin, thx for this OpenVPN release. You know I have waited for this for a long time :).

Today I tested the OpenVPN version beta1.
I have configured one client and it works.

Can you enlarge the address field so that internet addresses are possible?
Right now it's only possible to write IP addresses in this field.

I need to make sure that the server can actually do the required name resolution first. If it does I'll definitely change it. That would also allow people to connect with a server identified by a dyndns service.
 
Tx for replying... but this IS my problem that it is not possible to get the server running - regardless of whatever I try to enter...

I see errors complaining about having no start line. Make sure you copy your certs and DH including both the ---START--- and ---END--- lines. It's possible the tutorial was wrong in saying it wasn't necessary.
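
The "no start line" errors in the syslog above mean the pasted text has no `-----BEGIN ...-----` line for OpenSSL to find. The following is an added example, not part of the original posts or of the firmware: a shell check to run on each file before pasting it into the key fields. The function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# pem_check FILE
#   returns 0 if FILE holds a complete PEM block,
#           1 if no BEGIN line is present (OpenSSL's "no start line"),
#           2 if a BEGIN line has no matching END line (truncated paste).
pem_check() {
    awk '
        { sub(/\r$/, "") }                      # tolerate CRLF from Windows editors
        /^-----BEGIN [A-Z0-9 ]+-----$/ {
            label = $0                          # e.g. CERTIFICATE, DH PARAMETERS
            sub(/^-----BEGIN /, "", label)
            sub(/-----$/, "", label)
            begun = 1
            next
        }
        begun && $0 == ("-----END " label "-----") { complete = 1 }
        END {
            if (!begun)    { print "no start line (BEGIN line missing)"; exit 1 }
            if (!complete) { print "no matching END line for " label; exit 2 }
            print "ok: " label
        }
    ' "$1"
}

# Constructed sample input: the base64 body is a placeholder, not a real key.
pem_demo() {
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN DH PARAMETERS-----' 'Q09OU1RSVUNURUQ=' \
        '-----END DH PARAMETERS-----' > "$d/dh.pem"        # pasted with armor
    printf '%s\n' 'Q09OU1RSVUNURUQ=' > "$d/client.crt"     # body only, as in the failing case
    for f in dh.pem client.crt; do
        printf '%s: ' "$f"
        pem_check "$d/$f" || true
    done
    rm -rf "$d"
}

pem_demo
```

Text before the BEGIN line, such as the human-readable dump easy-rsa writes at the top of a .crt file, does not cause a failure here.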
 
I see errors complaining about having no start line. Make sure you copy your certs and DH including both the ---START--- and ---END--- lines. It's possible the tutorial was wrong in saying it wasn't necessary.

You are right - the tutorial was wrong :) Now I'm able to activate OpenVPN...

But now another problem exists: I don't know what server address I have to enter in the section "Server Address and Port". I only have a dynamic IP and have to use DynDNS, but I can't enter my host name as "Server Address and Port" allows only numeric entries... (see screenshot)

Another hint for me? That would make my day!
 

creating the certs

Is there a way to create the certs with OS X, or directly on the router using ssh?

I don't have a Windows (or Linux) machine to create the certs.

Many thanks!
Will
 
You are right - the tutorial was wrong :) Now I'm able to activate OpenVPN...

But now another problem exists: I don't know what server address I have to enter in the section "Server Address and Port". I only have a dynamic IP and have to use DynDNS, but I can't enter my host name as "Server Address and Port" allows only numeric entries... (see screenshot)

Another hint for me? That would make my day!

For now the client can only connect to an IP. I need to take a look to see if it's possible to use a hostname instead.
 
Is there a way to create the certs with OS X, or directly on the router using ssh?

I don't have a Windows (or Linux) machine to create the certs.

Many thanks!
Will

See if Tunnelblick includes the easy-rsa scripts. If it does, just follow the procedure described for Windows, by navigating to the easy-rsa folder, and running the various scripts there.

Otherwise, I see little info on how to generate SSL certs under OS X. You will have to find a tutorial that explains how to do it manually using the openssl command.
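
For the manual openssl route mentioned above, here is an added example (not from the thread, and not the easy-rsa scripts) that produces the CA, server, client and DH files from any shell with openssl installed, OS X included. The subject names, 2048-bit size, 3650-day lifetime and output file names are assumptions; the extendedKeyUsage value marks each certificate as server or client, which is what server certificate verification relies on.

```shell
#!/bin/sh
# Build the files an OpenVPN server and one client need, using only openssl.

DAYS=3650   # assumed certificate lifetime
BITS=2048   # assumed RSA and DH size

# make_ca DIR: self-signed CA -> DIR/ca.key (keep it off the router), DIR/ca.crt
make_ca() (
    umask 077   # private keys readable by their owner only
    openssl req -x509 -newkey "rsa:$BITS" -nodes -sha256 -days "$DAYS" \
        -subj "/CN=Example-OpenVPN-CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
)

# make_cert DIR NAME USAGE: key plus CA-signed certificate for NAME.
# USAGE is serverAuth for the server, clientAuth for a client.
make_cert() (
    umask 077
    openssl req -newkey "rsa:$BITS" -nodes -sha256 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null || exit 1
    printf 'extendedKeyUsage=%s\n' "$3" > "$1/$2.ext"
    openssl x509 -req -sha256 -days "$DAYS" -in "$1/$2.csr" \
        -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -extfile "$1/$2.ext" -out "$1/$2.crt" 2>/dev/null
)

# make_dh DIR: Diffie-Hellman parameters for the server (can take minutes)
make_dh() { openssl dhparam -out "$1/dh.pem" "$BITS"; }

# Run with an output directory as the only argument, e.g.: sh thisscript.sh ./keys
if [ "${1:-}" != "" ]; then
    mkdir -p "$1" && make_ca "$1" \
        && make_cert "$1" server serverAuth \
        && make_cert "$1" client clientAuth \
        && make_dh "$1"
fi
```

The server needs ca.crt, server.crt, server.key and dh.pem; the client needs ca.crt, client.crt and client.key. Paste each file whole, including its BEGIN and END lines.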
 
