Asus RT-AC68 router OpenVPN setup

te2k

You're welcome. Can you share your server.conf and client.ovpn files here? Do remove any 210.x address from it, leave private 192.168/10.8 addresses. Then we know which routes/DNS the server is trying to push towards the client.
Thanks & goodnight!
CC
I am unsure where I could export a server.conf file but the following is my settings on the router:

WAN IP with 210.x.x.x
LAN IP = 192.168.1.1
LAN Devices IP in the 192.168.1.xxx range
VPN Server Settings as follows:
Interface Type: TUN
Protocol: UDP
Server Port: 443
Respond to DNS: Yes
Advertise DNS to Clients: Yes
Encryption Cipher: AES-256-CBC
HMAC Authentication: SHA 1
Compression: Disabled
Authorization Mode: TLS
Username / Password Auth. Only: No
RSA Encryption: 1024 bit
Extra HMAC Authorization: Disable
VPN Subnet/Netmask: 10.8.0.0 / 255.255.255.0
Push LAN to Clients: Yes
Direct Clients to Redirect Internet Traffic: Yes
TLS Renegotiation Time: -1
Manage Client-Specific Options: No

Also unable to upload the client.ovpn files but below is the log from the client when connected to the server:

Open VPN Start
OpenVPN core 3.2 ios arm64 64-bit PT_PROXY
Frame = 512/2048/512 mssfix-ctrl=1250
UNUSED OPTIONS
2 [nobind]
5 [sndbuf] [0]
6 [rcvbuf] [0]
EVENT : RESOLVE
Contacting [210.x.x.x]:443/UDP via UDP
EVENT : WAIT
Connecting to [vpn.asuscomm.com]:443 (210.x.x.x) via UDPv4
EVENT: CONNECTING
Tunnel Options:V4,dev-type tun,link-mtu 1558,tun-mtu 1500,protoUDPv4,comp-lz0,cipher AES-256-CBC,authSHA1,keysize 256,key-method 2,tls-client
Creds: Username/Password
Peer Info: IV_GUI_VER=net.openvpn.connect.ios 3.0.1-770
IV_VER=3.2
IV_PLAT=ios
IV_NVP=2
IV_TCPNL=1
IV_PRONTO=2

VERIFY OK: depth=0
Cert.version: 3
Serial number: 01
Issuer name: C=TW, ST=TW, L= Taipei,O=ASUS,CN=RT-AC68U
emailAddress=me@myhost.mydomain
subject name: C=TW,ST=TW,L=Taipei,O=ASUS,CN=RT-AC68U,
emailAddress=me@myhost.mydomain
issued on: 2018-09-15
expires on: 2028-09-12
signed using: RSA with SHA1
RSA kev size: 1024 bits
Basic constraints: CA=false
Cert.type: SSL Server
Key usage: Digital Signature, Key Encipherment
Ext key usage: TLS Web Server Authentication
SSL Handshake: TLSv1.0/TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA
Session is ACTIVE
EVENT: GET_CONFIG
Sending PUSH_REQUEST to server…..
OPTIONS:
0 [route] [192.168.1.0] [255.255.255.0][vpn_gateway][500]
1[redirect-gateway][def1]
2[dhcp-option][DNS][192.168.1.1]
3[route][10.8.0.1]
4[topology][net30]
5[ping][15]
6[ping-restart][60]
7[ifconfig][10.8.0.6][10.8.0.5]
PROTOCOL OPTIONS:
Cipher: AES-256-CBC
Digest: SHA1
Compress: LZO
Peer ID: -1
EVENT: ASSIGN_IP
NIP: preparing TUN network settings
NIP: init TUN network settings with endpoint: 210.x.x.x
NIP: adding IPv4 address to network settings 10.8.0.6/255.255.255.252
NIP: adding(included)IPv4 route 10.8.0.4/30
NIP: adding(included) IPv4 route 192.168.1.0/24
NIP: adding(included) IPv4 route 10.8.0.1/32
NIP: redirecting all IPv4 traffic to TUN interface
NIP: adding DNS 192.168.1.1
Connected via NetworkExtentionTUN
EVENT:CONNECTED username@vpn.asuscomm.com:443 (210.x.x.x) via /UDPv4 on NetworkExtensionTUN/10.8.0.6/ gw=[/]
 
Joined
Apr 26, 2016
Messages
1,090
Reaction score
852
Location
Colorado
For what it's worth, when I was troubleshooting my OpenVPN connection, using the tools built into the endpoint routers themselves to PING or Tracert was useful.

Not sure if it's a typo but this doesn't look right to me: 0 [route] [192.168.1.0] [255.2555.255.0][vpn_gateway][500] I wonder if it indicates a config typo?
 

te2k

Apologies. That was a typo. I did some pings from the router yesterday.
 

catcamstar

Goodmorning te2k :)

Your log files were interesting, and reveal an extensive routing situation. In comparison, my vpn client log file:
Code:
2018-09-25 07:11:11 SSL Handshake: TLSv1.0/TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA
2018-09-25 07:11:11 Session is ACTIVE
2018-09-25 07:11:11 EVENT: GET_CONFIG
2018-09-25 07:11:11 Sending PUSH_REQUEST to server...
2018-09-25 07:11:11 OPTIONS:
0 [redirect-gateway] [def1]
1 [dhcp-option] [DNS] [192.168.x.1]
2 [dhcp-option] [DNS] [8.8.8.8]
3 [redirect-gateway] [def1]
4 [route-gateway] [10.10.10.1]
5 [topology] [subnet]
6 [ping] [10]
7 [ping-restart] [60]
8 [ifconfig] [10.10.10.240] [255.255.255.0]
2018-09-25 07:11:11 PROTOCOL OPTIONS:
  cipher: AES-256-CBC
  digest: SHA256
  compress: LZO
  peer ID: -1
2018-09-25 07:11:11 EVENT: ASSIGN_IP
2018-09-25 07:11:11 NIP: preparing TUN network settings
2018-09-25 07:11:11 NIP: init TUN network settings with endpoint: 94.x.x.x
2018-09-25 07:11:11 NIP: adding IPv4 address to network settings 10.10.10.240/255.255.255.0
2018-09-25 07:11:11 NIP: adding (included) IPv4 route 10.10.10.0/24
2018-09-25 07:11:11 NIP: redirecting all IPv4 traffic to TUN interface
2018-09-25 07:11:11 NIP: adding DNS 192.168.x.1
2018-09-25 07:11:11 NIP: adding DNS 8.8.8.8
2018-09-25 07:11:11 Connected via NetworkExtensionTUN
2018-09-25 07:11:11 EVENT: CONNECTED 94.x.x.x:yyyy (94.x.x.x) via /UDPv4 on NetworkExtensionTUN/10.10.10.240/ gw=[/]

I only got one routing add ("2018-09-25 07:11:11 NIP: adding (included) IPv4 route 10.10.10.0/24"), you got three... That seems to me a bit too extensive ;-)

On your ASUS: ssh as admin, and "cd /tmp/etc/openvpn/server1" and paste the output of "config.ovpn". Especially the lines with "push route" and "route" are of interest.

The only issue I do foresee, if we twinkle around in that config file, it might fix your issue, but next time you change something in the UI, it gets "unfixed"...

Let me know if removing the redundant push route lines fixes your problem!
Good luck,
CC
 

te2k

Good morning CC. It's evening here down under :)
When I SSH the above command, it returns cd /tmp/etc/openvpn/server1:not found
 

catcamstar

I like to be down under ;-) But I'm on top now :p

If you do "cd /tmp/etc/openvpn", followed by "ls -al", can you show the output? Maybe your server isn't called server1 on your asus ;-)
 

te2k

tek@RT-AC68U:/tmp/home/root# cd/tmp/etc/openvpn ls-al
-sh: cd/tmp/etc/openvpn: not found
 

catcamstar

You were missing a blank space after the ChangeDirectory command, so it's "cd /tmp/etc/openvpn" enter, then "ls -al" to LiSt the full output in that directory.
 

te2k

I managed to get to this:

tek@RT-AC68U:/tmp/etc/openvpn/server1# ls -al
drwx------ 2 tek root 240 Sep 24 12:48 .
drwx------ 3 tek root 80 May 5 05:05 ..
-rw------- 1 tek root 1172 May 5 05:05 ca.crt
-rw------- 1 tek root 916 May 5 05:05 ca.key
-rw-rw-rw- 1 tek root 3618 Sep 24 12:46 client.ovpn
-rw-rw-rw- 1 tek root 36 Sep 25 09:10 client_status
-rw-rw-rw- 1 tek root 577 May 5 05:05 config.ovpn
-rw------- 1 tek root 830 May 5 05:05 dh.pem
-rwx------ 1 tek root 193 May 5 05:05 fw.sh
-rw------- 1 tek root 1306 May 5 05:05 server.crt
-rw------- 1 tek root 916 May 5 05:05 server.key
-rw------- 1 tek root 627 Sep 25 11:09 status

Tried the following but did not work:
tek@RT-AC68U:/tmp/etc/openvpn/server1# cd /tmp/etc/openvpn/server1/config.ovpn
-sh: cd: can't cd to /tmp/etc/openvpn/server1/config.ovpn

Sorry for being an absolute noob and thanks for your patience cc.
 

catcamstar

To view the content of a file in Linux, you have to issue the "cat" command, e.g. "cat config.ovpn".

Please paste the output of that file here. The only worry I got is looking at the dates: your client.ovpn config file is changed on Sep 24th, but your server file did not change since May fifth... Let's investigate further with the contents of that file.
 

te2k

Yea I noticed the dates as well which seemed weird.

tek@RT-AC68U:/tmp/etc/openvpn/server1# cat config.ovpn
# Automatically generated configuration

# Tunnel options
proto udp
multihome
port 443
dev tun21
sndbuf 0
rcvbuf 0
keepalive 15 60
daemon vpnserver1
verb 3
status-version 2
status status 10
plugin /usr/lib/openvpn-plugin-auth-pam.so openvpn

# Server Mode
server 10.8.0.0 255.255.255.0
duplicate-cn
push "route 192.168.1.0 255.255.255.0 vpn_gateway 500"
push "redirect-gateway def1"
push "dhcp-option DNS 192.168.1.1"

# Data Channel Encryption Options
auth SHA1
cipher AES-256-CBC

# TLS Mode Options
ca ca.crt
dh dh.pem
cert server.crt
key server.key

# Custom Configuration
tek@RT-AC68U:/tmp/etc/openvpn/server1#


Edit 1: Just to test, I changed the port in the router GUI and redid the above, and all the dates changed.

# Custom Configuration
tek@RT-AC68U:/tmp/etc/openvpn/server1# ls -al
drwx------ 2 tek root 240 Sep 25 12:09 .
drwx------ 3 tek root 80 Sep 25 12:09 ..
-rw------- 1 tek root 1172 Sep 25 12:09 ca.crt
-rw------- 1 tek root 916 Sep 25 12:09 ca.key
-rw-rw-rw- 1 tek root 3565 Sep 25 12:09 client.ovpn
-rw-rw-rw- 1 tek root 0 Sep 25 12:10 client_status
-rw-rw-rw- 1 tek root 577 Sep 25 12:09 config.ovpn
-rw------- 1 tek root 830 Sep 25 12:09 dh.pem
-rwx------ 1 tek root 193 Sep 25 12:09 fw.sh
-rw------- 1 tek root 1306 Sep 25 12:09 server.crt
-rw------- 1 tek root 916 Sep 25 12:09 server.key
-rw------- 1 tek root 430 Sep 25 12:10 status

# Tunnel options
proto udp
multihome
port 444
dev tun21
sndbuf 0
rcvbuf 0
keepalive 15 60
daemon vpnserver1
verb 3
status-version 2
status status 10
plugin /usr/lib/openvpn-plugin-auth-pam.so openvpn

# Server Mode
server 10.8.0.0 255.255.255.0
duplicate-cn
push "route 192.168.1.0 255.255.255.0 vpn_gateway 500"
push "redirect-gateway def1"
push "dhcp-option DNS 192.168.1.1"

# Data Channel Encryption Options
auth SHA1
cipher AES-256-CBC

# TLS Mode Options
ca ca.crt
dh dh.pem
cert server.crt
key server.key
 

catcamstar

Here you only have 1 push route message. Can you paste the client.ovpn contents too? "cat client.ovpn" - do remove your WAN ip!
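
An added example, not part of any poster's message: Python that works out which routes an OpenVPN client installs from the options a server pushes, using the routing-relevant OPTIONS values from the two client logs in this thread. The function name `client_routes` and the fallback to net30 when no topology is pushed are assumptions of this example.

```python
import ipaddress

# Routing-relevant pushed options, copied from the two client logs in this thread.
NET30_PUSH = [
    ["route", "192.168.1.0", "255.255.255.0", "vpn_gateway", "500"],
    ["redirect-gateway", "def1"],
    ["route", "10.8.0.1"],          # added by `server` under net30 topology
    ["topology", "net30"],
    ["ifconfig", "10.8.0.6", "10.8.0.5"],
]
SUBNET_PUSH = [
    ["redirect-gateway", "def1"],
    ["route-gateway", "10.10.10.1"],
    ["topology", "subnet"],
    ["ifconfig", "10.10.10.240", "255.255.255.0"],
]

def client_routes(options):
    """Return (routes, redirect_all) derived from a list of pushed options."""
    # Assumption: net30 when the server pushes no topology (OpenVPN 2.x default).
    topology = next((o[1] for o in options if o[0] == "topology"), "net30")
    routes, redirect_all = [], False
    for opt in options:
        if opt[0] == "ifconfig":
            if topology == "subnet":
                # ifconfig <local> <netmask>: one route for the whole VPN subnet
                prefix = opt[2]
            elif topology == "net30":
                # ifconfig <local> <peer>: each client gets its own /30
                prefix = "30"
            else:
                raise ValueError(f"unhandled topology: {topology}")
            net = ipaddress.ip_network(f"{opt[1]}/{prefix}", strict=False)
            routes.append((str(net), "tunnel address"))
        elif opt[0] == "route":
            # route <network> [netmask] [gateway] [metric]; netmask defaults to /32
            mask = opt[2] if len(opt) > 2 else "255.255.255.255"
            net = ipaddress.ip_network(f"{opt[1]}/{mask}", strict=False)
            routes.append((str(net), "pushed route"))
        elif opt[0] == "redirect-gateway":
            redirect_all = True
    return routes, redirect_all

if __name__ == "__main__":
    for name, opts in (("net30", NET30_PUSH), ("subnet", SUBNET_PUSH)):
        print(name, client_routes(opts))
```

With the net30 options the result is the same three networks as the "adding (included) IPv4 route" lines in the first log; with the subnet options it is the single 10.10.10.0/24 route from the second.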
 

catcamstar

Do delete the hostname and certificates!

And we are going private, if we find a solution in the meantime, we will report back here.
 
Joined
Apr 26, 2016
Messages
1,090
Reaction score
852
Location
Colorado
Thanks @catcamstar, I was going to post my OpenVPN logs, then realized I OVPN into pfSense from my mobile (so the logs look a little different), pfSense OVPN to ASUS (also looks different) so I don't have a good sample that simulates what the OP is dealing with, and I don't want to disconnect all my remote cameras to test with my phone. :facepalm:
 

scull20

Subscribed...I'll be setting my cameras up soon and also have an Asus router with an OpenVPN setup...and plan on accessing the cameras in a similar fashion. Fingers crossed I don't run into any issues, but will report back either way...either looking for help or offering it lol!
 