Unable to connect to ASUS Router VPN Server from outside home network

jhv

Occasional Visitor
I’m not sure if this is the right place to post this thread. Sorry for the long post, I am trying to provide as much information as possible. Networking is still quite difficult to wrap my head around.

I live in Australia and have a fibre connection to my house. The fibre goes into a network connection box which converts the fibre signal to Ethernet and my router WAN port connects to the output of this box just like in the image below (image is from NBNco website who provide the infrastructure around the country).

My router is an ASUS RT-AX82U and I have a second ASUS router (DSL-AC68U) set up as an AiMesh node to improve wifi coverage throughout the house.

I have set up both OpenVPN and WireGuard VPN servers in the 82U router so that I can access my home network when away from home. I originally only used the OpenVPN server and it worked well except there were frequent dropouts. By dropout I mean I could not establish a connection. I then set up the WireGuard server and it seemed to establish a connection much faster than OpenVPN but it also suffers from failed connections. The router is scheduled to reboot itself every day at 2:30am. The scheduled reboot is something carried over from an old router I had years ago that needed a daily reboot because it kept locking up. I don’t know if the daily reboot is still required with the current setup.

My ISP doesn’t give me a static IP so I am using the asuscomm DDNS service for external access to my home network. The hostname registered with ASUS DDNS is configured in both the VPN servers.

I think the OpenVPN and WireGuard servers are both correctly set up in the router and the problem is with the ASUS DDNS service not being reliable. I have seen several reports of the asuscomm DDNS service often going down but most of the reports I’ve seen were several years old so I don’t know if this is still an issue.

Is there a better way to access my home VPN without having a STATIC IP from my internet provider? I have tried Tailscale set up on a RPi and have it running as an exit node and also a subnet router. That seems to work better than the VPN servers on the router but it has also given some trouble accessing my home network. I am still trying to understand how Tailscale works and I honestly don’t know if I have created a security risk by publicly exposing my home network more than strictly necessary to establish a remote connection from my personal trusted devices.

I am willing to upgrade my home network to make it more reliable. I have one of these boxes with OPNSense running on a Proxmox VM. It’s not currently doing anything other than just sitting on the network so I can become familiar with OPNSense.

I also have a TP-Link VX420-G2h router supplied by my ISP still sitting in its box. I’m thinking the ISP router is probably best left in its box. Is it worth using the OPNSense box as the main router and have it connected directly to the NBN Connection box, with any VPN servers and firewalls set up in OPNSense, then use the ASUS routers as the wireless APs? The reason OPNSense is running as a VM on Proxmox is that I am also thinking about setting up Pi-hole or something similar to block ads in another VM. I could also have a clone of the OPNSense VM as a backup in case I mess things up if I make any changes.

I appreciate any guidance to point me in the right direction.
 
Rather than chase endless remote server variations I would start by trying to identify what is actually the cause of your problem. Is it an ISP issue, is it a router issue, is it a DDNS issue, etc? The first place to look when the problem occurs is in the router's System Log. Then check whether the IP address associated with your DDNS name matches your router's WAN address.
 
I checked the System Log and think I found the reason for not being able to remote connect. The log had lots of entries like this one:
“Let's Encrypt: Err, DDNS update failed”

On the router WAN->DDNS settings page there was a message saying the hostname was already in use next to DDNS Status, now it shows Active. After a quick google search, I deregistered the hostname and then registered it again and now I can once again remote connect to the network. I must have messed things up by unbinding and rebinding my account through the ASUS phone app. However, I’m not confident the DDNS Status will be stable and remain Active. I have seen it inactive many times before which is what prompted me to try unbinding the account in the first place.

There were also a whole bunch of error messages quoting the MAC and IP addresses of a Windows laptop. The time stamps covered periods when the laptop was in sleep mode, or so I thought, and also while it was on and being used. Internet access from the laptop seemed to work fine.

The router is scheduled to reboot in a few hours. I will let it do its thing without a manual reboot to see if the VPN still works in the morning without any errors in the logs, then I will try to figure out what the messages relating to the laptop all mean.
 
You are only making it worse with this scheduled reboot.
 
Ok I disabled the scheduled reboot. Could you elaborate a bit more why the scheduled reboot makes it worse? I also noticed the DDNS hostname is showing inactive again and I can’t remote access the network.

On my phone, I can select Wireguard or Tailscale switches to ON under Settings->VPN and the phone says it’s connected but I still cannot access the home network (It’s an iPhone 13 Pro, iOS 18.4.1). If I select OpenVPN switch to on it says connecting then pops up a timeout error notification.

I just did a manual reboot of the router and now DDNS Hostname is showing as Active again and I can remote connect to the network with any of the VPNs.

I assume if DDNS hostname is showing Inactive then the VPN client on my phone has no way of resolving the ip assigned to the router by my ISP? Is the Inactive status a problem at my end (perhaps caused by the daily scheduled reboot?) or with the asuscomm DDNS service? It just seems to be very unreliable lately where sometimes everything works nicely and other times it doesn’t.

I don’t know if it makes a difference, the router firmware is version:
3.0.0.4.388_25029-g8883e44
and it says it’s up to date when I check for updates.
 
Do you mean when DDNS Hostname is showing as Inactive? There was nothing obvious to me in the log but I also don’t really know what to look for. There are hundreds of entries since the last scheduled reboot about 8 hours ago.

The log entry that was there yesterday
“Let's Encrypt: Err, DDNS update failed”
is no longer present since re-registering the DDNS hostname.

There are lots of wlceventd entries in the log. These all seem to be related to devices either connecting or disconnecting to wifi due to marginal signal strength. I haven’t gone through to identify all the devices by the MAC address in the log but they seem to be legit. One of them is the swimming pool heater which has poor wifi signal due to its location, another was the robot vacuum which was cleaning and has since finished and gone to sleep and some other devices which were on and later turned off.

Here is part of the log at the end of the boot up process this morning at 2:30. There are hundreds of entries from when the reboot initiated until the section posted below. I don’t know if it’s wise to post the whole log on the Internet for all to see in case there is some information in there that shouldn’t be made public. Btw, is it normal for the timestamp to go back to “Jan 1 11:00:00” when it reboots?

The two entries shown with the MAC address redacted are my phone.
Code:
Jan  1 11:00:48 WAN Connection: WAN was restored.
Jan  1 11:00:49 wan_up: Restart DDNS
Jan  1 11:00:49 ddns: update WWW.ASUS.COM updatev2@asus.com, wan_unit 0
Jan  1 11:00:49 ddns: Clear ddns cache.
Jan  1 11:00:49 ntp: start NTP update
May 14 02:31:46 rc_service: ntp 2696:notify_rc restart_diskmon
May 14 02:31:46 disk_monitor: Finish
May 14 02:31:46 disk monitor: be idle
May 14 02:31:47 wlceventd: wlceventd_proc_event(685): eth5: Auth xx:xx:xx:xx:xx:xx, status: Successful (0), rssi:0
May 14 02:31:47 wlceventd: wlceventd_proc_event(722): eth5: Assoc xx:xx:xx:xx:xx:xx, status: Successful (0), rssi:-75
May 14 02:31:47 ddns: update ddns token failed(-3)

The remainder of the log is flooded with wlceventd entries. Is there something specific I should be looking for in the log?
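
A triage pass for the kind of System Log excerpt posted above, as an added example that is not part of the original posts: it drops the wlceventd chatter, flags DDNS failures and kernel `[ERROR` lines for a human to read, and reports where the timestamps jump from the boot-default clock to NTP time. The rule set and the `triage` function are assumptions; the sample lines are taken from the thread, with the timestamp on the Let's Encrypt line constructed.

```python
import re
from collections import Counter

# Sample input: lines copied from the excerpts posted in the thread (MACs as
# redacted there); the timestamp on the last line is constructed.
SAMPLE_LOG = """\
Jan  1 11:00:48 WAN Connection: WAN was restored.
Jan  1 11:00:49 wan_up: Restart DDNS
Jan  1 11:00:49 ddns: update WWW.ASUS.COM updatev2@asus.com, wan_unit 0
Jan  1 11:00:49 ntp: start NTP update
May 14 02:31:46 rc_service: ntp 2696:notify_rc restart_diskmon
May 14 02:31:47 wlceventd: wlceventd_proc_event(685): eth5: Auth xx:xx:xx:xx:xx:xx, status: Successful (0), rssi:0
May 14 02:31:47 wlceventd: wlceventd_proc_event(722): eth5: Assoc xx:xx:xx:xx:xx:xx, status: Successful (0), rssi:-75
May 14 02:31:47 ddns: update ddns token failed(-3)
May 15 08:46:25 kernel: ^[[0;33;41m[ERROR archer] rdp_drv_dhd_cpu_tx_send_message,621: CPU Message Timeout: message_type=2, radio_idx=1, flow_ring_idx=213
May 15 09:00:00 Let's Encrypt: Err, DDNS update failed
"""

LINE = re.compile(r"^(\w{3}\s+\d{1,2}) (\d\d:\d\d:\d\d) ([^:]+): (.*)$")
ANSI = re.compile(r"(?:\x1b|\^\[)\[[0-9;]*m")   # real ESC or its "^[" rendering
NOISE_TAGS = {"wlceventd"}                        # Wi-Fi join/leave chatter
RULES = [                                         # (label, pattern): assumed rule set
    ("ddns_failure", re.compile(r"ddns.*fail", re.I)),
    ("kernel_error", re.compile(r"\[ERROR\b")),
]

def triage(log_text):
    """Return (findings, noise_counts, clock_set_at) for a router syslog dump."""
    findings, noise, clock_set_at = [], Counter(), None
    ntp_date = None                 # date stamped on the 'start NTP update' line
    for raw in log_text.splitlines():
        m = LINE.match(ANSI.sub("", raw))
        if not m:
            continue                # colour-reset remnants, blank lines
        date, time, tag, msg = m.groups()
        date = " ".join(date.split())          # "Jan  1" -> "Jan 1"
        if tag == "ntp" and "start NTP update" in msg:
            ntp_date = date
        elif ntp_date and clock_set_at is None and date != ntp_date:
            clock_set_at = f"{date} {time}"    # first line stamped after the sync
        if tag in NOISE_TAGS:
            noise[tag] += 1
            continue
        for label, pat in RULES:
            if pat.search(f"{tag}: {msg}"):
                findings.append((f"{date} {time}", label, msg))
                break
    return findings, noise, clock_set_at
```

On the sample, the only lines left to read are the two DDNS failures and the kernel error; everything stamped before `clock_set_at` was logged before the router had synced its clock.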
 
The DDNS hostname is still showing active and seems stable since I disabled the scheduled daily reboot. VPN also seems stable for now. The System Log has a bunch of “kernel” entries which I don’t remember seeing before. The full log since disabling the scheduled reboot yesterday is attached. Is the entry at time May 15 08:46:25 an error message that needs to be addressed?

Code:
May 15 08:46:25 kernel: ^[[0;33;41m[ERROR archer] rdp_drv_dhd_cpu_tx_send_message,621: CPU Message Timeout: message_type=2, radio_idx=1, flow_ring_idx=213
May 15 08:46:25 kernel: ^[[0m
 