Confused - Sort Of - VPN/Port Forwarding

[SouthernYankee]

can you ping your DDNS name xxxxxx.asuscomm.com . remember never display or show your DDNS name.

As a side note camera.asuscomm.com was in use and is address 31.10.99.203 which is in
City: Schwabisch Gmund
Country: Germany
Continent: Europe

I have used ASUS DDNS with no problems.

Are you still getting the yellow exclamation mark

 

[TL1096r]

I believe so , listed on their website is "ASUS DSL-AC55U Firmware version v1.1.2.3_743" and my router shows

​

Firmware Version:1.1.2.3_743

Click on the firmware version and it should take you to firmware upgrade section and you just click "check" to see if you have the latest firmware.

 

[gokiwi]

Hi,

Still getting the exclamation mark . However when I try to ping my new address thats been in place for over 48 hours it does not ping (not surprised) but it does resolve to an ip address that is owned by Vodafone - so a bit closer maybe ?

 

[Hammerhead786]

Hi,

Still getting the exclamation mark . However when I try to ping my new address thats been in place for over 48 hours it does not ping (not surprised) but it does resolve to an ip address that is owned by Vodafone - so a bit closer maybe ?

I've pinged my domain name and it resolves to my external ip address. Is the ip address that is being resolved the same as your external ip? If not, then your DNS is broken. Also when you do ping, make sure you are not connected to your local network (wifi) and that your router is configured to respond to pings.

 

[gokiwi]

So made another step forward well probably more of a leap at this stage. My router has two places to set DNS.
1. In the LAN Settings
2. In the WAN Settings

I had 8.8.8.8/8.8.4.4 in the LAN settings and automatic for the WAN, as soon as I changed that to manual and put 8.8.8.8/8.8.4.4 in, the exclamation mark went away and I could ping smellybum.asuscomm.com.

Now I need someway to test it.

 

[SouthernYankee]

1) Do you have the VPN client loaded on your phone ?
2) have you copied the client.ovpn file to your phone and installed it in the openvpn client ?

To test from home on the cell phone, just disable the wifi on your phone. This will force the openVPN app to use the cell network.

 

[Hammerhead786]

So made another step forward well probably more of a leap at this stage. My router has two places to set DNS.
1. In the LAN Settings
2. In the WAN Settings

I had 8.8.8.8/8.8.4.4 in the LAN settings and automatic for the WAN, as soon as I changed that to manual and put 8.8.8.8/8.8.4.4 in, the exclamation mark went away and I could ping smellybum.asuscomm.com.

Now I need someway to test it.

The LAN settings should use your internal DNS server i.e. point it to the ip address of your router. The WAN DNS settings are for when you don't want to use your ISP's provided DNS servers. Glad you fixed that issue. As SouthernYankee said, disable your wifi on your mobile and then test again.

 

[The_E]

For a group that preaches such tight security, I'm surprised at the Asus Router recommendations! Asus has been near the top of the list for backdoors and other security related issues. I think the only router manufacturer hit worse is DLink.

 

[SouthernYankee]

@The_E

Please provide the testing source and links to this information.

 

[The_E]

@The_E

Please provide the testing source and links to this information.

Hi SouthernYankee, nice to meet you too.
I suppose you could use Google to find relevant info, but sure - I'll do the legwork for you.

 

[The_E]

Some light reading:

Asus' Epic Fail Shows How Not to Handle Security Issues

Asus' security woes are partly of its own making. The company's lame response is a lesson in how to fail in dealing with security fails.

www.tomsguide.com

Asus software updates were used to spread malware, security group says

The malware was disguised as a “critical” software update.

www.theverge.com

From 2017:

Asus router warnings on privacy and security

Before buying an Asus router, it would be wise to read Daniel Aleksandersen's review of the stock Asus firmware, especially the privacy issues regarding the included Trend Micro software.

www.computerworld.com

From 2016 and from your own Government:

ASUS Settles FTC Charges That Insecure Home Routers and “Cloud” Services Put Consumers’ Privacy At Risk

Taiwan-based computer hardware maker ASUSTeK Computer, Inc. has agreed to settle Federal Trade Commission charges that critical secur

www.ftc.gov

From 2014.... do I need to keep going?

Packet Storm

Information Security Services, News, Files, Tools, Exploits, Advisories, and Whitepapers

packetstormsecurity.com

 

[Holbs]

keep at it with the OpenVPN. Sounds like you are nearly there. I took a whole 10 minutes to setup my Netgear Nighthawk router with OpenVPN (I assume nearly same setup procedure as ASUS routers).

 

[SouthernYankee]

I have never used auto update on anything except windows 10 home. It is not a security risk unless you used auto update. Not much of a risk.

 

[TonyR]

From 2014.... do I need to keep going?

Since you asked.....no, not for my benefit.
Can you name a router that YOU would use or recommend?

 

[gokiwi]

Would be interesting to know given that most of us probably look at various reviews to make our decisions on what we buy , for example ASUS (but then what xdsl router is NOT fully or in part made in China ? )make the top 10 on most UK based review sites.

 

[catcamstar]

Since you asked.....no, not for my benefit.
Can you name a router that YOU would use or recommend?

I'm guessing The_E(TM)-not-hackable-routerd-on-earth
We have to face the ugly truth here: Lots of hacks/hit-and-misses are facing the most favorable platform - Windows was, by far, the breeding bench of virii across the world. Why? Because lots of people use(d) it, and it lacked some serious security stuff. Did that mean that you were safe on linux OS? Not at all, but why would anyone focus on such a niche platform, as it was already (too) difficult to ssh into such a rudiculous (no pun intended) text only terminal But today the landscape did change (sometimes for the good): linuxOS is, sometimes really hidden for the human eye, almost everywhere! In your IOT devices (fridge, microwave, .. ), your printer, your car, your domotica system and ... IPcams. And as these things (often) never get a decent firmware upgrade, they lack any spine strength against common vulnerabilities. What can you do about it? Buying a new fridge every 2 years is not that economically intelligent, however you might drop your fridge in a separate network (vlan), so it cannot speak with others, nor others can speak with it, except with your wanted functionalities.

That ASUS is being blamed so much, is just like "Windows-being-blamed" back in the days. The good news with Asus: you could stick to the regular ASUS firmwares, or you might opt for the RMerlin branch (free!) which gets the CVE updates on the kernel much faster than ASUS itself. Except if you would work on your dlink/netgear/personal flavor/... with an openDD or others, you still have to do the upgrades/patching yourself.

If you would drive around with a tank with the windows open, you're still vulnerable, right?

On-topic:
- download the VPN client profile from the ASUS router to your pc
- edit the file with notepad/wordpad
- look for "server a.b.c.d 1194"
- change that to "server smellybummy.asuscomm.net 1194"

Upload file to your cellphone and off you go!

My (advanced) recommendations:
- change to an unknown port helps "hiding" your VPN service (eg 443 might be a good option, especially if your work network blocks outbound 1194)
- enable the VPN service in seamless mode (so it blocks all internet access if the VPN tunnel goes down). This ensures all your traffic (including mail/skype/...) are passed through the tunnel
- you can tweak around with the encryption settings (higher/lower) and protocol (UDP/TCP) if your 4G connection is not sufficiant to draw the video footages

Good luck!
CC

 

[The_E]

I have never used auto update on anything except windows 10 home. It is not a security risk unless you used auto update. Not much of a risk.

What? With all due respect Sir, I think you've missed the mark here. But You already strike me as someone that's set on their opinions, so best of luck to you.

 

[The_E]

I'm guessing The_E(TM)-not-hackable-routerd-on-earth
We have to face the ugly truth here: Lots of hacks/hit-and-misses are facing the most favorable platform - Windows was, by far, the breeding bench of virii across the world. Why? Because lots of people use(d) it, and it lacked some serious security stuff. Did that mean that you were safe on linux OS? Not at all, but why would anyone focus on such a niche platform, as it was already (too) difficult to ssh into such a rudiculous (no pun intended) text only terminal But today the landscape did change (sometimes for the good): linuxOS is, sometimes really hidden for the human eye, almost everywhere! In your IOT devices (fridge, microwave, .. ), your printer, your car, your domotica system and ... IPcams. And as these things (often) never get a decent firmware upgrade, they lack any spine strength against common vulnerabilities. What can you do about it? Buying a new fridge every 2 years is not that economically intelligent, however you might drop your fridge in a separate network (vlan), so it cannot speak with others, nor others can speak with it, except with your wanted functionalities.

That ASUS is being blamed so much, is just like "Windows-being-blamed" back in the days. The good news with Asus: you could stick to the regular ASUS firmwares, or you might opt for the RMerlin branch (free!) which gets the CVE updates on the kernel much faster than ASUS itself. Except if you would work on your dlink/netgear/personal flavor/... with an openDD or others, you still have to do the upgrades/patching yourself.

If you would drive around with a tank with the windows open, you're still vulnerable, right?

On-topic:
- download the VPN client profile from the ASUS router to your pc
- edit the file with notepad/wordpad
- look for "server a.b.c.d 1194"
- change that to "server smellybummy.asuscomm.net 1194"

Upload file to your cellphone and off you go!

My (advanced) recommendations:
- change to an unknown port helps "hiding" your VPN service (eg 443 might be a good option, especially if your work network blocks outbound 1194)
- enable the VPN service in seamless mode (so it blocks all internet access if the VPN tunnel goes down). This ensures all your traffic (including mail/skype/...) are passed through the tunnel
- you can tweak around with the encryption settings (higher/lower) and protocol (UDP/TCP) if your 4G connection is not sufficiant to draw the video footages

Good luck!
CC

Sorry, this explanation is misleading and dangerous. I feel you're likely a respected member here and some folks follow your lead. You're doing them a disservice.

ASUS has been incredibly horrible about privacy and security.... this is well known amongst IT professionals and those reporting on IT. Besides the major leaks and exploits, there have been numerous smaller exploits and holes. Your Router is your gatekeeper to the world and is the main device standing between you and a lot of nastiness out there. Why accept that because you're a fanboy of ASUS?

Why do people here use dahua, Hikvision, and other decent quality cameras? Because they want to use a quality product that does a good job of performing the tasks expected of them. If quality wasn't a concern we'd all be using some $60.00 knock-off cams. So why would you be okay with sub-par performance from your router? What good is setting up a VPN when you have multiple exploits potentially allowing bad actors to penetrate your network?

I apologize for derailing this thread, it wasn't my intent.

 

[The_E]

Since you asked.....no, not for my benefit.
Can you name a router that YOU would use or recommend?

As catcamstar alluded to, most, if not all routers brands have been or can be exploited. Where he and I seem to differ is on how a company learns about and deals with found code bugs and exploits. I have no interest in and don't sell them, but Netgear has been exemplary in setting up a bug bounty program and in squashing bugs and exploits in record time once discovered.

Router Brands to stay away from in my opinion:
DLink, Asus & TPlink (nothing wrong with these companies' switches, etc)

Decent router brands to date:
Netgear, Ubiquiti, Cisco

 

[catcamstar]

Sorry, this explanation is misleading and dangerous. I feel you're likely a respected member here and some folks follow your lead. You're doing them a disservice.

ASUS has been incredibly horrible about privacy and security.... this is well known amongst IT professionals and those reporting on IT. Besides the major leaks and exploits, there have been numerous smaller exploits and holes. Your Router is your gatekeeper to the world and is the main device standing between you and a lot of nastiness out there. Why accept that because you're a fanboy of ASUS?

Why do people here use dahua, Hikvision, and other decent quality cameras? Because they want to use a quality product that does a good job of performing the tasks expected of them. If quality wasn't a concern we'd all be using some $60.00 knock-off cams. So why would you be okay with sub-par performance from your router? What good is setting up a VPN when you have multiple exploits potentially allowing bad actors to penetrate your network?

I apologize for derailing this thread, it wasn't my intent.

I'm not offended by your post, I do like to learn from others, and most of all: I do respect everyone's opinion. It is true, that enabling "free" services (like the microtrend stuff) on ASUS may even deem a privacy issue on your network. I do hate ASUS for that. So labeling me as an ASUS fanboy, that is not true.

Let's look at the facts: how many end-user friendly home-routers exist with VPN onboard, decent wifi facilities and good firmware updates? At work, I'm used with CLI enterprise grade systems. Back in the day, the costs to implement a vlan was the price of half a car. But today, these capabilities come down to the home and the real end-user. At an affordable price.

So yes, I also started with an ASUS as edgerouter, but even myself experienced the limits & boundaries of these devices. I still employ an ASUS (but only for wifi & guest wifi), but my core network is now composed out of Ubiquity material.

I still advice ASUS for "newcomers" who aren't experienced networking gurus, for the latter I would advice other brands.

But we're stealing the show here

Take care!
CC