VPN noob: AC1900P (internet) with N66U (OpenVPN client) woes

amd7674

Hi,

I've been trying to set up OpenVPN on an unused N66U router. The idea was to have one or two wired devices connected to the N66U (OpenVPN client), which was connected to the AC1900P (internet router) in a WAN-to-LAN configuration. Without the OpenVPN client enabled, I get internet traffic from the N66U just fine. However, once I turn on the OpenVPN client, even though it says it is connected, no internet traffic works. I will take another stab at it tonight or tomorrow. I will post my settings and log, so maybe somebody can help me with it :)

After reading some great VPN tutorials by yorgi, he said N66U might be too slow. Should I be using my new AC1900P router for it and take advantage of:

"Use "POLICY RULES" in "Redirect Internet traffic" for selective routing
By enabling Policy rules feature, it gives you the freedom to route specific devices to VPN and other devices to Local ISP. You can even have a device use VPN but have specific addresses use Local ISP or vice versa."

Does this mean I can specify device X to only work with the OpenVPN client using my single router?

I'm sorry but I'm a total noob with VPN, and I'm trying to do this at night when my family is asleep. (in many cases my brain is just too fried to think late at night LOL)

Thanks in advance.
 
still no go... after I tried to follow yorgi's excellent tutorial and this https://vpntips.com/vpn-router-install/

I think my N66U connected to AC1900P seems to be working fine without the OpenVPN client turned on. With the laptop connected to one of the N66U ports I can browse the internet. As soon as I turn the OpenVPN client on, my laptop loses internet access via VPN. The VPN status shows connected, but I don't get internet access :-( I get a similar message, I'm not at home so I cannot post the exact log:

Feb 25 17:33:16 openvpn[2110]: /usr/sbin/ip addr add dev tun11 10.8.0.2/24 broadcast 10.8.0.255
Feb 25 17:33:18 openvpn[2110]: /usr/sbin/ip route add 192.168.1.0/24 via 10.8.0.1
Feb 25 17:33:18 openvpn[2110]: /usr/sbin/ip route add 192.168.6.0/24 via 10.8.0.1
Feb 25 17:33:19 openvpn-routing: Skipping, client 1 not in routing policy mode
Feb 25 17:33:19 openvpn[2110]: Initialization Sequence Completed

Could this be a DNS issue? What should I post so somebody can look at it.

This morning before leaving for work, I verified my OpenVPN is working perfectly fine with OpenVPN GUI app on windows10. So I know my user/account, ca.crt, *.ovpn files are fine.

I also tried playing with policy rules for the "redirect internet traffic" option without any luck. I set it using a CIDR range so all addresses go through VPN.

Any help would be much appreciated.
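
As an added example that is not part of the original posts: the log lines above, parsed to show what a connected client actually installed (tunnel address, routes through the tunnel, whether any is a default route, and whether a route overlaps a network the router is directly attached to). The `LOCAL_SUBNETS` values are an assumption taken from the IP address plan posted later in the thread, and the function and field names are made up for this example.

```python
import ipaddress
import re

# Client log lines exactly as posted in the thread.
LOG = """\
Feb 25 17:33:16 openvpn[2110]: /usr/sbin/ip addr add dev tun11 10.8.0.2/24 broadcast 10.8.0.255
Feb 25 17:33:18 openvpn[2110]: /usr/sbin/ip route add 192.168.1.0/24 via 10.8.0.1
Feb 25 17:33:18 openvpn[2110]: /usr/sbin/ip route add 192.168.6.0/24 via 10.8.0.1
Feb 25 17:33:19 openvpn-routing: Skipping, client 1 not in routing policy mode
Feb 25 17:33:19 openvpn[2110]: Initialization Sequence Completed
"""

# Assumption: networks directly attached to the VPN router, taken from the
# IP address plan posted later in the thread.
LOCAL_SUBNETS = {"wan": "192.168.1.0/24", "lan": "10.0.0.0/24"}

ADDR_RE = re.compile(r"ip addr add dev (\S+) (\S+)")
ROUTE_RE = re.compile(r"ip route add (\S+) via (\S+)")


def summarize(log_text, local_subnets=LOCAL_SUBNETS):
    """Summarize what an OpenVPN client log says about routing."""
    report = {"tun_dev": None, "tun_addr": None, "routes": [], "overlaps": [],
              "default_via_tunnel": False, "policy_mode_skipped": False,
              "initialized": False}
    for line in log_text.splitlines():
        if m := ADDR_RE.search(line):
            report["tun_dev"], report["tun_addr"] = m.groups()
        elif m := ROUTE_RE.search(line):
            dest = "0.0.0.0/0" if m.group(1) == "default" else m.group(1)
            net = ipaddress.ip_network(dest, strict=False)
            report["routes"].append((str(net), m.group(2)))
            if net.prefixlen <= 1:
                # 0.0.0.0/0, or the 0.0.0.0/1 + 128.0.0.0/1 pair that
                # redirect-gateway def1 installs
                report["default_via_tunnel"] = True
                continue
            for name, cidr in local_subnets.items():
                if net.overlaps(ipaddress.ip_network(cidr)):
                    report["overlaps"].append((str(net), name))
        elif "not in routing policy mode" in line:
            report["policy_mode_skipped"] = True
        elif "Initialization Sequence Completed" in line:
            # Only says the tunnel came up, not that traffic is routed into it.
            report["initialized"] = True
    return report


if __name__ == "__main__":
    for key, value in summarize(LOG).items():
        print(f"{key}: {value}")
```

On the posted lines it reports no default route through the tunnel and one route, 192.168.1.0/24, that overlaps the WAN-side network.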
 
On the VPN status page, does it show the VPN client as up?

Let’s first try to solve the internet connection working on your client(s). Set Redirect Internet Traffic to “All Traffic” on the VPN Client page. This will cause all clients to use the VPN tunnel. If you get an internet connection, go to whatismyipaddress.com and confirm it is the IP address of the VPN server you are connecting to.

If you get that working, then getting the Policy Rules working is next. Go to DHCP Server tab and assign static IP addresses for at least two clients by MAC address. Then, in the VPN client tab, change Redirect Internet Traffic to “Policy Rules”. Below this, you enter the policy rules for each client. For client 1, enter a client name in the description field, the IP address you assigned in the DHCP server tab, 0.0.0.0 for Destination IP, then WAN for Iface. Then select the plus sign to add it to the list. For client 2, enter the same information, but enter VPN for Iface. Select the plus sign. Then hit Apply.

Now, test with the clients. Client A should get a WAN IP address that you see on the Network Map page. Client B should get an IP address of the VPN server.
 
Xentrk thank you very much for your feedback ;) If it wasn't for your post I was going to give up, because I don't think I know what I'm doing.

I spent another 3 hours last night without any luck :( Networking in general is not my thing and VPN is very new.

I do apologize everyone if my questions are not constructive (or even stupid), but this is because of my lack of knowledge.

I will give it a shot again tonight, including posting screenshot/logs so you can see better what I'm trying to do.

Is it possible that my VPN provider is not Asus OpenVPN friendly? Maybe I should use one of the bigger/popular VPN providers that are known for working with Asus/Merlin firmware?

Basically what I'm trying to do is to connect one device to the secondary N66U router (OpenVPN) so I can watch some european tv channels (Geo-blocked).

I hooked up my second router N66U to the main one AC1900P and everything seems to be working. I created a second subnet for it as per the instructions in this guide:

https://vpntips.com/how-to-unblock-any-digital-media-player/

Connect-Two-Routers-VPN.png


IP Address Plan

| Device | Internet Router | VPN Router |
| --- | --- | --- |
| Private (LAN) IP Range | 192.168.1.1 – 192.168.1.254 | 10.0.0.1 – 10.0.0.254 |
| LAN Settings | | |
| LAN IP | 192.168.1.1 | 10.0.0.1 |
| LAN Subnet Mask | 255.255.255.0 | 255.255.255.0 |
| WAN Settings | | |
| WAN Connection Type | PPPoE | Static IP |
| WAN IP | Automatic | 192.168.1.11 |
| WAN Subnet Mask | Automatic | 255.255.255.0 |
| WAN Gateway | Automatic | 192.168.1.1 |
| WAN DNS Server | Automatic | 192.168.1.1 |

Everything seems to be working at that point, and I get internet access on my laptop connected to one of the ports of N66U.

Problem is I cannot setup OpenVPN client to work properly. I will try suggested and post more info tonight.

Thank you again :)
 
Don't give up! We can make this work for you! We all had to start as noobs and I learn something new everyday.

I have configured this in the past as your picture shows because I lacked physical control of the modem at the time. I had a combo modem/router that ran the internet connection. I then connected another router to it using what is called a LAN to WAN connection. See these sites: http://m.wikihow.com/Cascade-Routers#Connect_Ethernet_to_Internet_.28LAN_to_WAN.29.
http://www.linksys.com/ca/support-article?articleNum=132275

In LAN to WAN, the main router has an IP of 192.168.1.1 and the second router 192.168.2.1, for example. The ISP connection is defined in the first router on your picture and provides the internet to the second router. The first router should assign a static IP to the second router. However, this setup is not preferred in my opinion. The VPN now has to pass through two routers and may double NAT. If the first router has a low end CPU, it will cause your VPN performance to be slow. I started out with this setup until I did more research about VPN performance.

What I prefer to do is connect both routers to the modem. If you don't have enough Ethernet ports, buy a 4 port switch and connect it to the modem, then attach the two routers. Assign different IP addresses to the routers. You will need to enter your ISP credentials in both routers. Then, configure the router with the VPN client info that you want as your VPN, using yorgi's setup guide in this forum. This is how I have my network set up. If I need native LAN, which I need at times, I just change to that wifi network. Otherwise, I am on my VPN router 95 percent of the time.

Did you see the step where the first router has to assign a static ip to the second router? You will also need to assign the second router this ip in the LAN tab. Make sure you get WWW connections through the second router before attempting to make the vpn connection successful.
 
Thank you so much...

I got it to work last night, but I chickened out at the end (you will see why) LOL....

So I started fresh and I tried to upload the .ovpn config file.

client
dev tun
proto udp
remote uk.vpn.mydevil.net 1195
nobind
persist-key
persist-tun
ca ca.crt <-- I had to remove this
auth-user-pass

The file would not upload, because of the "ca ca.crt" line... not sure why. So I removed it and it uploaded fine. All I had to do was copy/paste the certificate file and VOILA it worked.

So everything seems to be working however I'm getting speeds only about 5mb/sec via N66U router... However I didn't see CPU being 100% taxed, but according to Yorgi N66U might be too slow for OpenVPN client. In windows 10 OpenVPN app I was getting about 15-20mb/sec.

The scary thing was when I noticed some other clients connected to my router (wifi disabled / only wired enabled). They showed names, MACs and IPs (my router subnet 10.0.0.x). I contacted VPN provider and he assured me it is normal to see other clients using the same VPN server and protocol?!??! Is this true?

As for router setup, everything seems to be working fine. I have the faster one AC1900P (as main) and N66U (as OpenVPN client). I can browse to www and after enabling the OpenVPN client I can www as well. However N66U might be just too slow.

If I only want one device on my network using VPN, maybe I should enable OpenVPN client on AC1900P and use Redirect Internet Traffic Policy Rules only for that one particular client?
AC1900P (dual 1.4Ghz core) should be faster for it?

Thanks again for all your help and advice....
 
That is good news!

Are the devices you see on the VPN router connected to the first router? Check to see if you have spanning tree protocol turned on. It is in LAN, Switch Control. STP will allow you to see upstream devices. Do these devices have IP addresses assigned by the first router? My provider recommends turning off STP.

I would recommend what you propose. Setting up VPN client on the AC1900 and use policy rules to route what devices use WAN and VPN. You want the most CPU power you can get. If your primary requirement is streaming, do not use encryption if you are having buffering issues. I do not use it on my setup. I do not get good speed test results. But I can stream 4K with no buffering and watch live TV with no blurriness. I think the CPU on the Roku player helps too. That is how I have one router configured primarily for a family member who lives next door. All of their devices use native WAN but the Roku uses VPN for USA content.

Also, turn LZO compression off. Another forums member reported improved speeds with the device you have. I have it turned off on my routers.
 
Thanks again for your help :)

The devices I saw were on the second router n66u (OpenVPN router), they used the same subnet 10.0.0.x. Is this ok? I did turn off STP as per your recommendation.

I did play with n66u more and I cannot go past the 5mb/sec limit, which causes KODI to buffer a lot when trying to play a 720p TV stream :-(.
To make sure, I did install OpenVPN for Windows on this old laptop (running win10) and I was able to get about 15mb/sec using the same VPN server/protocol. So it looks like n66u is at its knees.

I was trying to turn LZO compression off by adding "comp-lzo off" to the custom configuration, however even though the OpenVPN client has connected (browsing did not work).

How do I not use encryption? Should I set it to none? I will play with it more tonight.
My final settings were, please let me know if I should change something:
2z65pbc.jpg


2duzc09.jpg


If I was setting this up on ac1900P (my main / dual core router). How do I make the rules so all the devices except one would go through WAN and only one through VPN?
i.e. 192.168.1.115 is the only device I want to go through VPN?

source IP: 192.168.1.0/24 destination IP: 0.0.0.0 Iface: WAN
source IP: 192.168.1.115 destination IP: x.x.x.x Iface: VPN

Thanks in advance
 
Just an update... I tried pptp vpn on n66u last night and what a big difference... I was getting 25mb/sec performance increase and all the streaming works perfectly. However I believe PPTP is very bad and unsecure.

If I used it with my setup AC1900P (WAN - main router) and n66u (PPTP - wifi disabled, one wired client) to stream online TV from kodi, would I put my whole network in danger?

I also got 3 days trial from Nord VPN, which I wanted to try its OpenVPN servers to see if there will be any performance increase vs current VPN provider with which I only get 5mb/sec. I wish I was getting at least 10mb/sec on n66u.
 
The devices I saw were on the second router n66u (OpenVPN router), they used the same subnet 10.0.0.x. Is this ok?

Yes. If you assigned the router IP address of 10.0.0.1 for example, and you use dynamic DHCP server, the range will default to 10.0.0.2 to 10.0.0.254 for clients that connect to the router.

I did play with n66u more and I cannot go past the 5mb/sec limit, which causes KODI to buffer a lot when trying to play a 720p TV stream :-(.
To make sure, I did install OpenVPN for Windows on this old laptop (running win10) and I was able to get about 15mb/sec using the same VPN server/protocol. So it looks like n66u is at its knees.

I also get faster VPN speeds on a Win 10 laptop when compared to what the router can do. Intel processor i7-6500U CPU @ 2.50GHz 2.59GHz. That is why some build their own pfSense appliance...the CPUs are more powerful than consumer routers.

I was trying to turn LZO compression off by adding "comp-lzo off" to the custom configuration, however even though the OpenVPN client has connected (browsing did not work).

Change Compression to "None"

How do I not use encryption? Should I set it to none? I will play with it more tonight.
My final settings were, please let me know if I should change something:
2z65pbc.jpg


2duzc09.jpg

To turn off encryption, set the value to "None". My VPN provider requires a different port based on the level of encryption used. For example, no encryption 1194, aes-128-cbc port 80...

If I was setting this up on ac1900P (my main / dual core router). How do I make the rules so all the devices except one would go through WAN and only one through VPN?
i.e. 192.168.1.115 is the only device I want to go through VPN?

source IP: 192.168.1.0/24 destination IP: 0.0.0.0 Iface: WAN
source IP: 192.168.1.115 destination IP: x.x.x.x Iface: VPN

That is correct, except use 0.0.0.0 as destination IP for all devices. The only difference is the WAN or VPN.
 
Just an update... I tried pptp vpn on n66u last night and what a big difference... I was getting 25mb/sec performance increase and all the streaming works perfectly. However I believe PPTP is very bad and unsecure.

If you are only using your VPN to overcome geo blocks for streaming and can't get good enough speeds with OpenVPN, then okay use as a fallback. But PPTP is now considered obsolete.

If I used it with my setup AC1900P (WAN - main router) and n66u (PPTP - wifi disabled, one wired client) to stream online TV from kodi, would I put my whole network in danger?

Many known security issues with PPTP. So yes, perhaps.

I also got 3 days trial from Nord VPN, which I wanted to try its OpenVPN servers to see if there will be any performance increase vs current VPN provider with which I only get 5mb/sec. I wish I was getting at least 10mb/sec on n66u.

Using the AC1900P will give you better performance with the CPU compared to the N66U. Remember, level of encryption and geo distance to VPN server will also play a big factor in performance.

Have fun experimenting! I have been there :) done that and continue to do so.
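
As an added example that is not part of the thread or of any project's code: an audit of an OpenVPN client profile for the settings discussed in the posts above (the removed `ca` line, encryption set to none, and the `comp-lzo off` custom option). The finding codes and function names are invented for this example, and the last two lines of the sample profile are constructed.

```python
import re

# Profile as posted in the thread ("ca ca.crt" already removed by the poster).
# The last two lines are constructed here to stand for the settings discussed
# later: encryption set to none and the "comp-lzo off" custom option.
SAMPLE = """\
client
dev tun
proto udp
remote uk.vpn.mydevil.net 1195
nobind
persist-key
persist-tun
auth-user-pass
cipher none
comp-lzo off
"""


def parse(text):
    """Return ({directive: [args, ...]}, {inline block names})."""
    directives, inline, block = {}, set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if block:                          # inside <ca>...</ca>: skip PEM body
            if line == f"</{block}>":
                block = None
            continue
        if not line or line[0] in "#;":    # blank line or comment
            continue
        m = re.fullmatch(r"<([a-z0-9-]+)>", line)
        if m:
            block = m.group(1)
            inline.add(block)
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(args)
    return directives, inline


def audit(text):
    """Return a sorted list of finding codes for a client profile."""
    d, inline = parse(text)
    first = lambda name: (d.get(name) or [[]])[0]
    findings = set()
    # Server identity: the CA must come from a file, an inline block or pkcs12.
    if not ({"ca", "pkcs12"} & (set(d) | inline)):
        findings.add("no-ca-in-profile")
    # Without this, any certificate signed by the same CA passes as the server.
    if "remote-cert-tls" not in d and "ns-cert-type" not in d:
        findings.add("no-server-cert-check")
    if [a.lower() for a in first("cipher")] == ["none"]:
        findings.add("cipher-none")        # tunnel payload is sent unencrypted
    if [a.lower() for a in first("auth")] == ["none"]:
        findings.add("auth-none")          # packet HMAC disabled
    if "comp-lzo" in d:
        mode = (first("comp-lzo") or ["adaptive"])[0]
        if mode not in ("yes", "no", "adaptive"):
            findings.add("comp-lzo-invalid-value")   # "off" is not accepted
        elif mode != "no":
            findings.add("compression-enabled")
    return sorted(findings)
```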
 
Xentrk thank you very much :)

I got OpenVPN to work with my VPN provider (lesser encryption) to work on AC1900P !!! :) . I get about +20mb/sec speed, which is perfect for my needs. The NordVPN (with 256bit encryption) was nowhere near 20mb/sec. I will try it for a few days, watching some shows to see if it is not a fluke. LOL.

As Yorgi or someone pointed out, the nice thing about using a multi core CPU router is that you can specify which core you assign. So OpenVPN client1 will use the 2nd CPU core.

I've set a policy rule only for the client I want to access VPN:

source IP: 192.168.1.115 destination IP: 0.0.0.0 Iface: VPN

From my understanding VPN will only service the static client 192.168.1.115, the rest will go through WAN.

At the moment I have "Accept DNS Configuration" set to disabled and it seems to work. Is this correct?
 
You're welcome! I have Accept DNS Configuration set to "Exclusive" on the router that has all VPN traffic going through it. This is the recommendation of Merlin and the way it is written in Yorgi's guide. There was a discussion about this setting last year.

I also had Exclusive on the router that has policy rules until last week. But had to change it to Strict. I set up two OpenVPN clients on my Android last week for two sites I support. I wanted to use the router with policy rules to make the WAN connection before attempting to connect to the remote sites. Because, vpn tunnel over a vpn tunnel is kind of slow ;). I could tunnel to the VPN servers on my iPad and Laptop, but not the Android. I found when I changed Accept DNS Configuration to "Strict", DNS1 to my router IP and DNS2 to 8.8.8.8 in the LAN DHCP Server tab, I could make a connection. A recent posting from the last two weeks has another forum member who had a similar problem with an Android. His use case was slightly different. He upgraded to the latest release. But his wife's Android could not connect to the internet over the VPN tunnel. He had to make the same changes as I for his wife's phone to get through the net. It worked without this fix in prior releases. Very strange. Maybe Android needs to phone home when communicating over a VPN tunnel? I can make a VPN connection using my Android using the hotspot wifi's of my cell phone provider without issue.

You can always go to whatismyipaddress.com with your clients to see if they are getting the WAN IP or VPN ip address to make sure the policy rules are working. I always list the WAN and VPN devices so it is clear what is going on. I probably create more work for myself this way. But I am detailed OCD in this regard :confused:
 
Thank you I set it to exclusive and everything seems to be working fine.

Thank you again for all your help.
 