Wednesday, November 9, 2016

OpenVPN on an Asus router

Sept 2021: Turned off comments because of ads.

July 2021
Bought a new Asus router, an RT-AX86U.  Loaded it right away with Merlin firmware, so this is now based on Merlin on my AX86U.

March 2019
Please STOP posting links in the comments/reply section.  I consider such posts to be spam, and delete them.
But I'm tired of deleting the link posts, and if this doesn't stop, I'll just delete this blog.


Revised June 2018 with newer screenshots, and added information at end with more settings and changes to secure an ASUS router.  Screenshots based on 3.0.0.4.384_21045 firmware version that I loaded right before this revision.

This is how to set up OpenVPN so you can securely access your home network from outside, using a phone in this case.

I am using an Asus RT-AC68 router.  Bought this router as a refurb from Newegg on Ebay for only $100 (Nov 2016 timeframe).  Really cheap for what this router can do.  Of course you can pay more and get a faster router, but I normally use routers that are a few years old, so you don’t pay a premium for the latest and greatest.

Using stock firmware.  There is a Merlin firmware alternative, but they made it harder to switch to Merlin, so I just had the router install the latest Asus firmware, and am using that.

I won’t talk about basic setup; this guide assumes the router is already set up, and that you can log into the router from a PC or Mac inside your home network.  I used a MacBook, but it doesn’t matter.

DDNS

First thing you need to do is set up DDNS.  Asus has a free DDNS service.  DDNS allows OpenVPN to find your home network even if your Internet Service Provider (ISP) changes your external internet address, which happens frequently.

EDIT: When I did the June 2018 update, it set DDNS back to No, so I had to change it back to Yes.

Used method 2 (Let's Encrypt) from the link below:

Go to Administration (left) > System (top).
Change Authentication Method to HTTPS and set Enable Web Access from WAN to Yes.

I applied it, then had to log in to the router again from https://router.asus.com:8443
Click on Advanced and let it proceed, ignoring the unsafe-connection message (the router's certificate is not trusted by the browser yet).

Go to WAN (left) > DDNS (top) tab
Select Yes by Enable the DDNS Client
Choose ASUS DDNS

Pick a DDNS name; it will let you know if that name is available.
Your DDNS will have the format YOURNAME.asuscomm.com

HTTPS Certificate
There is a Free Certificate option from Let's Encrypt; select that option.

Asus FAQ for Certificate
This generates a certificate that lets you enable HTTPS access.
I saved the cert, but I don't think you need to.

Click Apply at the bottom of the screen.

Now access your router page from
https://___________.asuscomm.com:8443
Fill in the DDNS name you picked above, and it should take you to your router login page.
This worked for a while, but then I had to change back to using the LAN address to get to the router pages, or use
https://router.asus.com:8443/index.asp

Note: it may take a few hours for the DDNS to work; it needs to propagate through the Asus system.
2nd Note: You don’t need to do anything else with DDNS; the router will automatically use your DDNS address when it configures OpenVPN.

OpenVPN

OpenVPN is a free, secure way to access your home network.  It’s secure because you need a key file for it to work.  The key file is generated by the router, and you have to copy it to your client (phone) for OpenVPN to connect.  Without this file, it’s practically impossible to forge the credentials required to make the connection.

Go to VPN (left) > VPN Server (top)

Select OpenVPN tab

Enable OpenVPN Server for Server 1

Client will use VPN to access:  set to Both


To start, I would just make one user with a simple password, to test it out.  Once it’s working to your satisfaction, set up a user name/password for everyone that will be accessing it.  If a user name gets compromised (phone lost), you can delete that user name from here.  If that really happened, I would probably generate a new key file too, and send out new client.ovpn files just to be safe (this will be explained later).

Enter User Name and Password, then click + to add.  Click Apply to save changes.

Export OpenVPN configuration file
It will download "client1.ovpn".

Now select Advanced Settings in VPN Details.

My settings are in the screen caps below.
Click Apply at bottom, and wait a few minutes for the router to update.

Now set up your client, and you will have OpenVPN.
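Before sending the exported client1.ovpn to a phone, it is worth checking what the profile actually relies on: the inline CA/cert/key blocks (the "key file" mentioned above), the user/password gate, and a remote pointing at your asuscomm.com DDNS name. This is an added example, not code from the original post or from Asus; the sample profile is constructed and its shape (inline blocks plus auth-user-pass) is an assumption about what the router exports.

```python
import re

# Constructed sample shaped like an exported client1.ovpn (an assumption);
# the inline blocks hold placeholders, not a real certificate or key.
SAMPLE_OVPN = """\
client
remote YOURNAME.asuscomm.com 1194
auth-user-pass
<ca>
PLACEHOLDER-CA-CERT
</ca>
<cert>
PLACEHOLDER-CLIENT-CERT
</cert>
<key>
PLACEHOLDER-CLIENT-KEY
</key>
<tls-auth>
PLACEHOLDER-TA-KEY
</tls-auth>
"""

BLOCK_RE = re.compile(r"<(ca|cert|key|tls-auth|tls-crypt)>\n(.*?)\n</\1>", re.S)


def parse_ovpn(text):
    """Split a profile into plain directives and inline <x>...</x> blocks."""
    blocks = {m.group(1): m.group(2) for m in BLOCK_RE.finditer(text)}
    directives = {}
    for line in BLOCK_RE.sub("", text).splitlines():
        line = line.strip()
        if line and not line.startswith(("#", ";")):
            key, _, rest = line.partition(" ")
            directives[key] = rest.split()
    return directives, blocks


def check_profile(text):
    """Return findings: what the profile relies on, and what is missing."""
    d, blocks = parse_ovpn(text)
    findings = []
    host = (d.get("remote") or [""])[0]
    if not host.endswith(".asuscomm.com"):
        findings.append("remote is not an Asus DDNS name: %r" % host)
    if "auth-user-pass" not in d:
        findings.append("no auth-user-pass: user/password check missing")
    for need in ("ca", "cert", "key"):
        if need not in blocks:
            findings.append("missing inline <%s> block" % need)
    if not ("tls-auth" in blocks or "tls-crypt" in blocks):
        findings.append("no tls-auth/tls-crypt on the control channel")
    return findings
```

Run `check_profile(open("client1.ovpn").read())` on the real export; an empty list means every item above is present.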

Android setup

Email this file to your phone.  In my case, I just emailed to myself.  You could also copy to a cloud directory if you have one, any method to get the file to your phone.

For either Android or iPhone, I used OpenVPN Connect.
Search for this app, and install it.

Go to your mail and send the .ovpn file to your phone, or do whatever else gets the file to your phone.
Email is not the most secure method; I can save files in LastPass, so that's what I did.

Install OpenVPN connect on your phone, and then start it.

Select More (top right), then Import Profile from SD card.  From here, I went to the correct directory, selected client.ovpn, then pushed Select (it doesn't highlight the file when you select it).
Note I downloaded from LastPass, and it gives you a long path to go find it.  But it works.

Enter your user name and password, then push connect. 

If all goes well, it will connect to your router.
I think I'm using the default settings.  I was having some trouble connecting after changing some things, and played with the settings, but it turned out to be a user name/password error lol.  So I think I changed all the settings back to default (from memory), and it all still worked, so it seems the settings didn't matter.
I have:
VPN Protocol:  Adaptive
IPv6:  No Preference
Connection Timeout: 1 min
Compression:  Full
AES-CBC:  No check
Use Insecure Algorithms:  No check
Min TLS Ver:  Profile Default
DNS Fallback:  check


On my Android phone, I connected, but could not access my home network until I changed the power saving settings.
Power settings tweaks

From the Edit Profile screen, you can select "SET CONNECT SHORTCUT", and it will make an icon you can push to connect, saves a push or two and some thought.

iPhone

I used OpenVPN Connect.  Search for this app, and install it.

Mail the .ovpn file to your phone.  On your phone, open the email, find the file and select it.

Select “Copy to OpenVPN”.  It will bring up OpenVPN Connect.

Input User Name and Password, and connect.

On my phone, it just connected and worked.
No changes or tweaks required.


Using VPN

Once you have a connection, you should be able to open your browser, enter an IP address from your home network, and access it, just like if you were at home.
For instance, if you have Domoticz running on 192.168.1.2 at home, you can now enter this address into your browser, and have Domoticz come up.  Same for an IP camera, or any other device at home that has web server software running.

Troubleshooting

If it doesn’t work, look at the log files for hints about what's going wrong.
Then search for help for that problem.

From OpenVPN Connect on Android, select More, then “Show log file”.

From OpenVPN Connect on iPhone, select the row that says “Connected” or “Disconnected” (depending on state), and the log file will show up.

On the router, open System Log (left) and see what it says.


Other changes to make on router

Here are some other things you can/should do to make your router more secure.

Change your user name and password.  Make it harder to break in: definitely change the default password, but you should also change the Router Login Name to something other than admin.

Go to Administration (left) then System (top)

Disable Telnet and SSH.  If you need either, then enable it, use it, then disable it again.  SSH is especially dangerous; it could give someone console access to your router, where they can basically do anything they want.



I used HTTPS, but you need to create a certificate per the DDNS section above.


On your browser, you will need to go to https://router.asus.com:xxxx
I changed the LAN port from the default to a random one, so fill in the port you chose.

I saw the “connection not private” message on Chrome.  Select Advanced on the bottom left, then proceed to router.asus.com.

It should connect if you do this, but will say it is unsafe.


Enable Web Access from WAN = No means you have to be on your network at home, or using the VPN, to access the admin page for your router.  You won't be able to use the router app from cell (maybe the app will work if you have the VPN on), but it depends how safe you want to be.
If you really want to be safe, allow only specified IP addresses.  Then you need to set up a couple of PCs (main and backup) with static IPs, and use these PCs to access the router.  To be really safe, select Telnet (LAN only); note I have not tried this, so not sure how it works.



Update firmware

Also make sure to check for firmware updates periodically, and update when available.

WPS
Wireless (left) > WPS (top)

UPnP
WAN (left), which defaults to the Internet Connection (top) tab.
Set Enable UPnP to No.