VPN Primer for Noobs

My Linksys router has settings that imply it will bypass the firewall (default) for VPN "passthrough". There are checkboxes for IPSec, PPTP and L2TP, and they are checked by default. They are under the Firewall tab, under the heading "VPN Passthrough".
Perhaps the ASUS has similar settings?
 

Yeah, all enabled, but still no LAN access unless I disable the firewall.
Asus DSL-AC88U is relatively new, so maybe a future firmware fix?
 

Thanks for the write-up!! I can't believe it was so easy to set up on the Asus AC66 using the OpenVPN server on Merlin software. I also set up the OpenVPN client on my iPhone and now I can remotely see my BI cams.

I do have a related question that I wonder if someone can clarify. When I connect my iPhone using OpenVPN, I presume my other internet or app accesses are not going through the tunnel? As in, they can be viewed by others if I am on unprotected Wi-Fi? Is there a way to make that happen from my iPhone? Thanks


 

Depends how it's set up. I don't have the exact same Asus router or Merlin but if you look under advanced options on the OpenVPN page, then you should see a selection that says "Direct clients to redirect Internet traffic." That toggles whether the client routes traffic to outside networks directly (no) or through your router/VPN (yes).
 

Thank you. I'll take a look. If I do that, am I effectively uploading pages from my home to my iPhone, i.e. depending on the upload speed of my home internet, which is sadly dismal?


 

Yes, there are advantages/disadvantages depending on specifics which is why it defaults to off. If your home Internet service is pitiful then may not be the best way to go. You could use a public VPN service in that case if it's worth it to you. I have gigabit service so the speed of my mobile connection is the more limiting factor and that lets me run everything back through my same firewall/spam/ad filters so works out well in that case. Easy enough to toggle it on/off to try it.
 
Thank you. I probably have to read up somewhere to better understand how, with the current setting, the VPN protects my communication with my home network but not when I surf.


 
Yeah, all enabled, but still no LAN access unless I disable the firewall.
Asus DSL-AC88U is relatively new, so maybe a future firmware fix?

Finally got the iDMSS app working on OpenVPN, but live view is very, very choppy, sometimes stalling for over 5 seconds.

Any way I can improve live view through VPN?
 
Make sure you're viewing the substream, not the full stream.

Yeah I am @256 bit rate 25fps

Think it may be a router setting to improve, as I haven't had a chance to enable and play around with QoS on the Asus yet
 
@Mike A.
Hi Mike or anyone else,
Can you confirm with the current method I have of not checking the "Direct clients to redirect Internet traffic" on my Asus OpenVPN server, am I still protected when I check my cams using the BI app on my mobile device (iPhone/iPad)? I am trying to understand, with the basic setup, how exactly my communications are encrypted or protected while my surfing is still visible (and presumably can be read by someone) when I am on public Wi-Fi. I am trying to better understand how this VPN actually works selectively for my home network but not for others. Thanks for your time.
Land
 
@Mike A.
Hi Mike or anyone else,
Can you confirm with the current method I have of not checking the "Direct clients to redirect Internet traffic" on my Asus OpenVPN server, am I still protected when I check my cams using the BI app on my mobile device (iPhone/iPad)?

Yes, assuming that you're going through your VPN to hit your BI server. The toggle only works to affect other traffic outside of that destined for your home network (see below). Traffic to your VPN/local network is secured either way that toggle is set.

I am trying to understand, with the basic setup, how exactly my communications are encrypted or protected while my surfing is still visible (and presumably can be read by someone) when I am on public Wi-Fi. I am trying to better understand how this VPN actually works selectively for my home network but not for others. Thanks for your time.
Land

When you run the VPN client and connect to your router running the VPN server, it sets up a secured, encrypted connection between the two devices. Part of what is done during that is to assign your client device another IP address and to set up the routing for that IP so that it effectively becomes another device on your home network as if you were connected locally. So any traffic that is destined to your local network is routed from your client through the VPN server and then onto wherever intended on your local net.

With the toggle turned off, traffic NOT destined for your local net is NOT routed through the VPN connection. That traffic goes out unsecured through whatever Internet service you're using via that IP and onto wherever.

With the toggle turned on, ALL traffic is routed through the VPN connection both that intended for your local net and that to other outside IP addresses.

That's how it's supposed to work in the default setup at least. I doubt that yours changes that basic flow but Merlin does give some more direct control over IP tables so that you could do more complex routing if you wanted.

As I mentioned above if you want to have your browsing secured in some place using public WiFi without running through your own VPN for whatever reasons, then there are third-party VPN services that you can pay for which do basically the same thing using their servers typically better hiding your originating IP, etc.
 
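Added example (not part of the original posts or of any router firmware): a small model of the client routing table described in the reply above, showing why camera traffic uses the tunnel with the toggle either way while web traffic only does so when it is on. It assumes the toggle corresponds to OpenVPN's `redirect-gateway def1` option; all addresses and names are constructed for illustration.

```python
import ipaddress

# Constructed addresses (assumptions, not taken from the thread)
HOME_LAN = "192.168.1.0/24"   # home network behind the router
TUNNEL_NET = "10.8.0.0/24"    # addresses handed out to VPN clients
VPN_SERVER = "203.0.113.10"   # router's public IP
CAMERA_PC = "192.168.1.50"    # Blue Iris server at home
WEB_SITE = "198.51.100.7"     # any site on the Internet


def client_routes(redirect_internet):
    """Routes on the phone after the VPN connects, as (network, interface)."""
    routes = [
        ("0.0.0.0/0", "wifi"),   # default route from the public Wi-Fi
        (TUNNEL_NET, "tun"),
        (HOME_LAN, "tun"),       # pushed by the server: home LAN via tunnel
    ]
    if redirect_internet:
        # redirect-gateway def1: two /1 routes that together cover every
        # address and beat the /0 default, plus a host route that keeps the
        # encrypted packets to the server itself on the physical link.
        routes += [
            ("0.0.0.0/1", "tun"),
            ("128.0.0.0/1", "tun"),
            (VPN_SERVER + "/32", "wifi"),
        ]
    return [(ipaddress.ip_network(p), iface) for p, iface in routes]


def egress(dest, routes):
    """Longest-prefix match: the most specific route containing dest wins."""
    addr = ipaddress.ip_address(dest)
    matches = [(net.prefixlen, iface) for net, iface in routes if addr in net]
    return max(matches)[1]


def summary(redirect_internet):
    """Interface used for each sample destination under the given toggle."""
    routes = client_routes(redirect_internet)
    targets = [("camera", CAMERA_PC), ("web", WEB_SITE),
               ("vpn_server", VPN_SERVER)]
    return {name: egress(ip, routes) for name, ip in targets}


if __name__ == "__main__":
    for toggle in (False, True):
        print("redirect Internet traffic =", toggle, summary(toggle))
```

Traffic shown leaving via `wifi` is visible to the local network unless the application encrypts it itself; the `vpn_server` entry stays on `wifi` because those packets are the already-encrypted tunnel.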
Does the 'Asus RT-AC68U VPN' router also come with the client-side app for Android? If not, where would I get it?
 
Thank you for taking the time clarifying my questions.

Yes, assuming that you're going through your VPN to hit your BI server. The toggle only works to affect other traffic outside of that destined for your home network (see below). Traffic to your VPN/local network is secured either way that toggle is set.
Yes, my BI app has my home BI server computer's IP listed as both LAN and WAN. The only time I can connect when I am outside my home network is when I toggle on my VPN client on my iPhone, which is secured with a user ID and password. I do not have any forwarded ports and UPnP is disabled. So from what you said above, I should be good then.

That's how it's supposed to work in the default setup at least. I doubt that yours changes that basic flow but Merlin does give some more direct control over IP tables so that you could do more complex routing if you wanted.

As I mentioned above if you want to have your browsing secured in some place using public WiFi without running through your own VPN for whatever reasons, then there are third-party VPN services that you can pay for which do basically the same thing using their servers typically better hiding your originating IP, etc.

The only settings I changed from the basic/default on Merlin's were toggling on the Username/Password Authentication and Username / Password Auth. Only options. In Merlin, these are toggled off to allow autologin, which is fine, but I wanted to ensure that when I emailed myself I didn't create a potential for this OpenVPN certificate to be usable on another device (I think in Asus OEM they are toggled on anyway).

I do have a paid VPN but it does not do very well with iOS. I'll look into it again.


Lastly, I noticed that @nayr recommends separate certificates for each device. Does that mean adding new user IDs and passwords and re-exporting a certificate, or should I also change other parameters like the server port for each certificate?

Thank you very much again
 
Got build 385 on beta test now from Asus for the 88U bugs I've been fighting throughout this thread. So if you've got here on a DSL-AC88U OpenVPN push to LAN search, update to build 385 when it becomes public.
All good ATM with the new firmware..
 
Great thread!! I just bought a Linksys WRT3200ACM router and it had OpenVPN built into it and it was easy as 123 to set up. That's saying a lot coming from me.... a very nice forum member here helped me set up my Asus router originally, but it recently bit the dust.. Thanks again Mr. Nayr for putting this together!
 
I created a VPN into my home network. What are the next steps required to go from public-IP-port-forwarding to the use of VPN? When I used my iPhone to connect to the home VPN, I went to my local LAN address and port as listed in the BI server, and got the login web page. But the login wouldn't work, I retried, and then my app was locked out (IP was auto-banned) for a time. With VPN, would I then erase the web server's remote/external access settings?
 
Note for Netgear firmware: I'm totally new to this game and just starting to set up the parts for a new system, so I went and got a Netgear R6900P from our Costco and set up the OpenVPN server. All good! But their implementation is as basic as it can get. It can't generate separate configs for independent clients. I can't even revoke the current one. Disable the service, re-enable it, it always generates the same config.

To top it off, although the router is pretty much a R7000, it seems that I can't easily, if at all, flash the R6900P with an alternate open firmware, due to minor internal differences. So off I go shopping again. Does Asus firmware allow multiple client configs? Otherwise I'll probably grab a R6400 or R7000 and try flashing it.
 

Asus - Wireless-AC Dual-Band Wi-Fi Router - Black