Asus router Open VPN at router level not taking hold

[newconroer]

I've been getting great advisement from OneMoar in the past year on various networking queries, however might have hit a wall with this recent issue.

I own an Asus NT56U and I want to use Open VPN on it at the router level (to avoid using client software on each device in the home).

The default /stock style firmware does not support VPN client (only VPN server relay). However Padavan has a custom firmware at https://code.google.com/p/rt-n56u/ which supports VPN client.

I managed to flash and setup the firmware fine(like my previous stock firmware). Everything is running great, however cannot get it to work with the VPN.

For the testing I was using IBPVN, and the attached settings. The picture does not show the content of the Open VPN certificates & keys tab, however it has an entry. I took the ca.crt (Root CA Certificate) data from their support page.

Based on these settings it should be working and this straight forward approach is discussed in a blog here http://www.codyhiar.com/blog/vpn-all-your-traffic-with-asus-rt-n56u-padavan-private-internet-access/

Unfortunately when I save/apply and then check the WAN IP on the router (and or whatsmyip.com) it's not showing the VPN address. I've also tried rebooting the router.

Does any one run similar firmware or have VPN experience that could comment what I am missing? I don't know if this is IBVPN specific, but it should work with any.


Thanks

 

[Aquinus]

For the sake of clarification: You're trying to use OpenVPN on your router as a client to connect to another OpenVPN server so all of the devices on your network can gain access to the other network via the VPN tunnel. Did I understand the problem attempting to be tackled, correctly?

With the config in your picture, you're saying that you want all internet traffic to go through the VPN tunnel, as opposed to just gaining access to the other network. A little more information on what you're trying to do (not how you're doing it,) might be helpful.

 

[newconroer]

Hey,

You are correct. Instead of using the Open VPN software on each device, I'd rather do it on the router, so any device that comes onto my network (or already exists), is going over the VPN and not my regular IP.

I did set for all traffic to go through the VPN, as I want a full tunnel and not a split one.

 

[Aquinus]

You are correct. Instead of using the Open VPN software on each device, I'd rather do it on the router, so any device that comes onto my network (or already exists), is going over the VPN and not my regular IP.

Is it even connecting with the creds you provided? Are there any logs you could provide? I know people who've done as you suggest with OpenVPN, the issue is that they were using Linux on both ends and had full control of OpenVPN settings. My memory is hazy on the matter but, I recall being told about a flag needing to be set in the OpenVPN server config to allow OpenVPN to act as a network bridge.

I'm not sure how limited the firmware is but, I would direct you to this: https://openvpn.net/index.php/open-source/documentation/miscellaneous/76-ethernet-bridging.html

Side note: Things like this is why my gateway is a tower running Linux.

 

[newconroer]

The only thing I see in the logs (after I 'apply' the VPN settings) is this :

Jun 27 13:45:46 RT-N56U: starting OpenVPN client...
Jun 27 13:45:46 openvpn-cli[26191]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jun 27 13:46:48 openvpn-cli[26191]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts


The notification about security script repeats itself once every minute.


This is IBVPN's support and settings for DD-WRT, but it should work on this firmware in a similar fashion. http://www.ibvpn.com/billing/knowledgebase/36/DD-WRT-routers-OpenVPN-setup.html
Attached the script file (don't feel this entire thing is necessary - it's where I got the cert from though).

I haven't come across any thing discussing the requirement for bridging.

 

[newconroer]

As a follow-up : Most of the VPN issues are/were related to cert/credentials authentication issues.
Because VPN providers use different scripts/methods for the same platform (ex: DD-WRT), it creates problems.

I've since ditched consumer routing and built a router /firewall box using pfSense and setup a VPN client properly.

Simple guide from our old friend Logan (not VPN related)
I love it when he walks into the garage with the low ceiling and at about 1:14 his eyes dart left and right. He looks like Bubbles from Trailer Park Boys.

"..very slow..very basic computers.."

 

[INSTG8R]

I JUST bought an ASUS RT-N66U, It has OpenVPN built in you just need to provide your credentials it seems. The only "VPN" I use or know anything about is I pay $5 a month for a US DNS I put on my PS3 so I can get US netflix.
I can take some screen shots if you'd like to see the setup options?

 

[newconroer]

Hi.

Different VPN services have different layers of connection and authentication. What may be a basic user/pass entry for your purposes, won't work for others.

Thanks for the offer though.

 

[Kursah]

Do you have a static WAN IP or are you utilizing a DDNS service? I ended up having to utilize a DDNS service (I went with Afraid.org) and some scripting to update it my WAN IP using WGET.

I am using the OpenVPN server on my Asus AC66R, which has been solid, but it is somewhat limited...though there is enough to adjust in the advanced settings. I am using Merlin's modified AsusWRT firmware.

Right now I am working on setting up an old laptop that I slapped Xubuntu 14.04 on as a buddies' OpenVPN server and DDNS updater. I wish he had a budget so I could do a PFSense box for them, but I'm passing traffic through a router and to the laptop as a stop-gap until funds are there for something better. I will say that an OpenVPN server on Xubuntu is pretty good, a lot of terminal work, but so far it has been solid!

 

[INSTG8R]

Well I will show you anyway just so you can see it.

Edit: Looking at the pictures myself I didn't even notice it has config for both client and server.

 

[newconroer]

Do you have a static WAN IP or are you utilizing a DDNS service? I ended up having to utilize a DDNS service (I went with Afraid.org) and some scripting to update it my WAN IP using WGET.

I am using the OpenVPN server on my Asus AC66R, which has been solid, but it is somewhat limited...though there is enough to adjust in the advanced settings. I am using Merlin's modified AsusWRT firmware.

Right now I am working on setting up an old laptop that I slapped Xubuntu 14.04 on as a buddies' OpenVPN server and DDNS updater. I wish he had a budget so I could do a PFSense box for them, but I'm passing traffic through a router and to the laptop as a stop-gap until funds are there for something better. I will say that an OpenVPN server on Xubuntu is pretty good, a lot of terminal work, but so far it has been solid!

It's PPPOE WAN.

Merlin's is good as far as alternatives to DD-WRT/Tomato go. OneMoar put me onto that (and some others), however whatever hardware/software you go with consumer wise, it just cannot handle the BDS cryptodev. Especially if using ciphers of AES 256 CBC or greater.
And for a good read on ciphers - http://crypto.stackexchange.com/questions/1098/is-blowfish-strong-enough-for-vpn-encryption

Too many VPN are still using Blowfish, which might be why some consumer routers get 'acceptable' speeds over a VPN. To me, anything less than 90-95% of your clearnet speed is not acceptable, unless you're connection is over 100mbps. Then I would say the acceptable range is 85-95% of clearnet speeds.


pfSense is cheap enough to do. I have it running on :

Setup:

pfSense 2.1.5 on :
Core 2 Duo E6600 at 3.0ghz
Gigabyte GA-EP43-DS3
4GB Gskill TT 800 DDR2
Silverstone Strider 650
Some old 40gb ATA hard disk running in UDMA 2

 

[Rhyseh]

To me, anything less than 90-95% of your clearnet speed is not acceptable, unless you're connection is over 100mbps. Then I would say the acceptable range is 85-95% of clearnet speeds.

Most VPN's will reduce wire performance by ~8% to 15% regardless how well the device can decrypt the data. The 15% end of the spectrum normally comes down to MTU sizes and other transmission/session protocol's overheads that may be in play.

 

[newconroer]

Most VPN's will reduce wire performance by ~8% to 15% regardless how well the device can decrypt the data. The 15% end of the spectrum normally comes down to MTU sizes and other transmission/session protocol's overheads that may be in play.

What do you base the reduction in performance on?

 

[Rhyseh]

What do you base the reduction in performance on?

Here's an analysis of IPsec overhead using AES:

http://packetpushers.net/ipsec-bandwidth-overhead-using-aes/

I don't have any solid data on SSL VPN's, only anecdotal. My perception is less than a 10% variance with SSL. Technically it should be more efficient than IPsec, unless you have a shoddy connection.

 

[newconroer]

My understanding with Open VPN is that 128 Blowfish encryption is quite common - at least for all these popular provider/services.
But even then, you lose way more than 10% on a commercial router.

Meanwhile, moving up to pfSense, half decent hardware makes a huge difference -even with 256 encryption.

Maybe I don't fully understand the numbers and the science, however am a firm believer in building your own firewall/router box now - especially out of old computer parts.

 

[brandonwh64]

I used PFsense for a while and now I have moved to untangle firewall. It is pretty nice setup and much easier to look at.

https://www.untangle.com/shop/firewall

 

[newconroer]

I thought about untangle, but between having VPN setup knowledge for pfSense and using it at work, it was the better option for me.

Either way, they're both great.

 

[Solaris17]

I thought about untangle, but between having VPN setup knowledge for pfSense and using it at work, it was the better option for me.

Either way, they're both great.

Agreed I personally use OPNsense and I love it. building a custom box is probably the best decision iv ever made.