Sept 2021 Turned off comments because of ads
July 2021
Bought a new Asus router, an RT-AX86U. Loaded it right away with Merlin firmware, so this is based on merlin on my ax86u now.
March 2019
Please STOP posting links in the comments/reply section. I consider such posts to be spam, and delete them.
But I'm tired of deleting the link posts, and if this doesn't stop, I'll just delete this blog.
Revised June 2018 with newer screenshots, and added information at end with more settings and changes to secure an ASUS router. Screenshots based on 3.0.0.4.384_21045 firmware version that I loaded right before this revision.
This is how to set up OpenVPN so you can securely access your home network from outside, using a phone in this case.
I won’t talk about basic setup; this guide assumes the router is already set up, and you can log into the router from a PC or Mac inside your home network. I used a MacBook, but it doesn’t matter.
DDNS
First thing you need to do is set up DDNS. Asus has a free DDNS service. DDNS allows OpenVPN to find your home network, even if your Internet provider changes your external internet address, which happens frequently.
EDIT: When I did the June 2018 update, it set DDNS back to No, so I had to change it back to Yes.
Used method 2 (let's encrypt) from the link below:
go to Administration (left) > System (top)
Changed Authentication Method to HTTPS and Enable Web Access from WAN to yes
I applied it, then had to relogin to router from https://router.asus.com:8443
Click on advanced and let it proceed, ignoring the unsafe message
Go to WAN (left) > DDNS (top) tab
Select Yes by Enable the DDNS Client
Choose ASUS DDNS
Pick a DDNS name; it will let you know if that name is available.
Your DDNS will have the format of YOURNAME.asuscomm.com
HTTPS Certificate
There is a Free Certificate from Let's Encrypt, select that option
I saved the cert, but I don't think you need to.
Click Apply at the bottom of the screen.
Now access your router page from
https://___________.asuscomm.com:8443
Fill in the DDNS address you picked in the above, and it should take you to your router login page
This worked for a while, but then I had to change back to using the network address to get to the router pages, or use
https://router.asus.com:8443/index.asp
Note: it may take a few hours for the DDNS to work, it needs to work its way through the Asus system.
2nd Note: You don’t need to do anything else with DDNS, the router will automatically use your DDNS address when it configures OpenVPN.
OpenVPN
OpenVPN is a free, secure way to access your home network. It’s secure because you need a key file for it to work. The key file is generated by the router, and you have to copy it to your client (phone) for OpenVPN to connect. Without this file, it’s almost impossible to guess the cipher required to make the connection.
Go to VPN (left) > VPN Server (top)
Select OpenVPN tab
Enable Open VPN Server for Server 1
Client will use VPN to access: set to Both
To start, I would just make one user with a simple password, to test it out. Once it’s working to your satisfaction, set up a user name/password for everyone that will be accessing it. If a user name gets compromised (phone lost), you can delete that user name from here. If that really happened, I would probably generate a new key file too, and send new client.ovpn files just to be safe (this will be explained later).
Enter User Name and Password, then click + to add, Click apply to save changes
Export OpenVPN configuration file
it will download "client1.ovpn"
My settings in the screen caps below
Click Apply at bottom, and wait a few minutes for the router to update.
Now set up your client, and you will have OpenVPN.
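Before the exported client1.ovpn leaves the PC, it is worth checking what is actually in it. The Python sketch below is an added example, not part of the original post and not Asus or OpenVPN tooling; the sample profile is constructed, and the names parse_profile and audit_profile are made up for illustration.

```python
import re
# Constructed sample profile, not a real router export; key material is a placeholder.
SAMPLE = """client
dev tun
remote 203.0.113.7 1194
cipher BF-CBC
comp-lzo adaptive
<ca>
PLACEHOLDER
</ca>
<key>
PLACEHOLDER
</key>
"""

def parse_profile(text):
    """Return (directives, inline_block_names) from .ovpn profile text."""
    directives, blocks, inside = {}, [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if inside:                      # skip inline block bodies until the closing tag
            if line == "</%s>" % inside:
                inside = None
        elif (m := re.fullmatch(r"<([\w-]+)>", line)):
            inside = m.group(1)
            blocks.append(inside)
        elif line and line[0] not in "#;":   # ignore blanks and comments
            name, _, args = line.partition(" ")
            directives.setdefault(name, []).append(args.split())
    return directives, blocks

def audit_profile(text):
    """Return a list of findings to review before the file is copied anywhere."""
    d, blocks = parse_profile(text)
    out = []
    if set(blocks) & {"key", "secret", "tls-auth", "tls-crypt"}:
        out.append("embedded secret key: store and transfer the file like a password")
    if "auth-user-pass" not in d:
        out.append("no auth-user-pass: profile does not ask for a user name/password")
    if any(a and re.fullmatch(r"[\d.]+", a[0]) for a in d.get("remote", [])):
        out.append("remote is a raw IP: it breaks when the ISP changes it, use the DDNS name")
    if any(a[:1] != ["no"] for a in d.get("comp-lzo", [])) or \
       any(a and not a[0].startswith("stub") for a in d.get("compress", [])):
        out.append("compression enabled: turn it off on both router and client")
    if any(a and a[0].upper() in ("BF-CBC", "DES-EDE3-CBC", "DES-CBC") for a in d.get("cipher", [])):
        out.append("64-bit block cipher (SWEET32): choose an AES cipher on the router")
    return out

for finding in audit_profile(SAMPLE):   # demo run on the constructed sample
    print("-", finding)
```

To check a real export, read the file and pass its text to audit_profile; an empty list means none of these five checks fired.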
Android setup
Email this file to your phone. In my case, I just emailed to myself. You could also copy to a cloud directory if you have one, any method to get the file to your phone.
For either android or iphone, I used OpenVPN Connect.
Search for this app, and install it.
Go to your mail, and send the .ovpn file to your phone, or do whatever to get the file to your phone.
Email is not the most secure method; I can save files in LastPass, so that's what I did.
Install OpenVPN connect on your phone, and then start it.
Select More (top right), Import Profile from SD card. From here, I went to the correct directory, selected client.ovpn, then pushed Select. (It doesn't highlight the file when you select it.)
Note: I downloaded from LastPass, and it gives you this long path to go find it. But it works.
Enter your user name and password, then push connect.
If all goes well, it will connect to your router.
I think I'm using the default settings. I was having some trouble connecting after changing some stuff, and played with the settings, but turned out it was a user name password error lol. So I think I changed all the settings back to default (it was from memory), and it all still worked, so it seems like the settings didn't matter.
I have:
VPN Protocol: Adaptive
IPv6: No Preference
Connection Timeout: 1 min
Compression: Full
AES-CBC: No check
Use Insecure Algorithms: No check
Min TLS Ver: Profile Default
DNS Fallback: check
On my android phone, I connected, but could not access my home network until I made changes to the power savings settings.
Power settings tweaks
From the Edit Profile screen, you can select "SET CONNECT SHORTCUT", and it will make an icon you can push to connect, saves a push or two and some thought.
iPhone
I used OpenVPN Connect. Search for this app, and install it.
Mail the ovpn file to your phone. On your phone, open the email, find the file and select it.
Select “Copy to OpenVPN”. It will bring up OpenVPN Connect
Input User Name and Password, and connect.
On my phone, it just connected and worked. No changes or tweaks required.
Using VPN
Once you have a connection, you should be able to open your browser, enter an IP address from your home network, and be able to access it, just like if you were at home.
For instance, if you have domoticz running on 192.168.1.2 at home, you can now enter this address into your browser, and have domoticz come up. Same for an IP camera, or any other device at home that has web server software running.
Troubleshooting
If it doesn’t work, look at the log files for tips on what's going wrong. Then search for help for that problem.
From OpenVPN Connect on Android, select More, then “Show log file”.
From OpenVPN connect on iphone, select row that says “Connected” or “Disconnected” (depending on state), and log file will show up.
On Router, System Log (left) and see what it says.
Other changes to make on router
Here are some other things you can/should do to make your router more secure.
Go to Administration (left) then System (top)
Disable Telnet and SSH. If you need either, then enable it, use it, then disable again. SSH is especially dangerous: it could let someone have access to your router through a console port where they can basically do anything they want.
I used HTTPS, but you need to create a certificate per the DDNS section above.
I changed the LAN port from the default to a random one.
I saw the connection not private message on chrome. Select Advanced on bottom left, then proceed to router.asus.com.
It should connect if you do this, but will say it is unsafe.
Enable Web Access from WAN = No means you have to be on your network at home, or using VPN, to access the admin page for your router. You won't be able to use the router app from cell (maybe the app will work if you have VPN on), but it depends how safe you want to be.
If you really want to be safe, allow only specified IP addresses. Then you need to set up a couple of PCs (main and backup) with a static IP, and use these PCs to access the router. To be really safe, select Telnet (LAN only). Note I have not tried this, so not sure how it works.
Update firmware
Also make sure to check for firmware updates periodically, and update when available.
WPS
Wireless (left) WPS (top)
UPnP
WAN (left) and will default to Internet Connection (top)
Set Enable UPnP to No.