VPN Primer for Noobs

[catcamstar]

Reconfiguring my BI server since the SSD took a dump, I just need a quick confirmation:
for the VPN on my Netgear R7000, I just port forward the router to BI Server correct?
Keep it at port 81 by default? when would you change the port number?
UPnP is also disabled and BI app works on my android phone.
I was reading through the BI4 help file and wizard and it says to enable UPnP... is it just because it is easier and more so for LAN use?
It's been a while since I touched the networking stuff since I first set this up originally.

Interesting post. Not sure if the concept of VPN is crisp and clear, but in two words:
- VPN client runs on your phone/tablet
- VPN server runs on your Netgear router
- VPN client connects to your VPN server and is "transparantly" connected to your home LAN
- Absolutely no port forwarding or UPnP is required with such a setup

My advice: disable port forwarding on your router and any UPnP configurations.
Good luck!
CC

 

[Cupofschmoe]

Interesting post. Not sure if the concept of VPN is crisp and clear, but in two words:
- VPN client runs on your phone/tablet
- VPN server runs on your Netgear router
- VPN client connects to your VPN server and is "transparantly" connected to your home LAN
- Absolutely no port forwarding or UPnP is required with such a setup

My advice: disable port forwarding on your router and any UPnP configurations.
Good luck!
CC

This should be added to nayr's original post and stickied up top. Lol. The help file and wizard leads you to think this is good practice enabling UPnP and Port Forwarding.

Thanks

Sent from my SAMSUNG-SM-N920A using Tapatalk

 

[Barboots]

... disable port forwarding on your router

Some routers, such as my ASUS RT-AC88U, require an internal "port forward" of traffic to the inbuilt VPN Server. I seem to recall the same use of terminology in the Gargoyle firmware I ran on an older Netgear.

On the Asus at least, if port forwarding is totally disabled then the inbuilt VPN can not work.

I appreciate that this may be a poor choice of wording from the firmware authors, however, it's a thing.

Cheers, Steve

 

[llarsx]

I discover er possible problem with my asus 68u vpn server.

As I have wireless broadband I follow up large data use. On sep. 1st on 1 pm I replaced the power connection to the asus. The same hour the traffic analyzer show me an unnormal data upload of 3.3 GB. I never have such number on upload and have searched for explanation, but with very poor result.

I use asuswrt merlin and in "Classification " under Adaptive Qos I can see a ip number belonging to the vpn-server sending to Lets Encrypt. And in the traffic analyzer it is 3.3 GB to Lets Encrypt from the laptop. As the attached picture is taken some days later and from remote it is possible that it hasn't anything to do with the case.



I can understand that a vpn server wish to secure and send data, but in this case I don't use the vpn remote because I am local beside the router. Doing the power replacement I have my laptop on air wireless once and once shut down. This is because I first tried to change power on the wireless router (bridge) before the asus and next only changed the Power connection on the asus. Which or both of them triggered the upload I can't find.

Can the large amount of data upload via/to Lets Encrypt be a sign of hacking or can this be quite normal?

 

[Mike A.]

I use asuswrt merlin and in "Classification " under Adaptive Qos I can see a ip number belonging to the vpn-server sending to Lets Encrypt...

Can the large amount of data upload via/to Lets Encrypt be a sign of hacking or can this be quite normal?

Don't use Merlin myself but looks to be normal updating of SSL certificates (done every 90 days).

 

[catcamstar]

Some routers, such as my ASUS RT-AC88U, require an internal "port forward" of traffic to the inbuilt VPN Server. I seem to recall the same use of terminology in the Gargoyle firmware I ran on an older Netgear.

On the Asus at least, if port forwarding is totally disabled then the inbuilt VPN can not work.

I appreciate that this may be a poor choice of wording from the firmware authors, however, it's a thing.

I fully agree with you, thanks for bringing this up. My "disable all port forwarding" was more aimed at the general "dahua/hik/.." advice to forward WAN ports to your cams/NVR. Your VPN server (especially when not running on your edge router, you DO need a port forward to access it in your LAN/DMZ).

Can the large amount of data upload via/to Lets Encrypt be a sign of hacking or can this be quite normal?

This is very strange behaviour, maybe not linked to your IPC. I suggest you head over to the Rmerlin forum and post your information here.
My 2 cents:
- it's 443 (https) traffic
- let's-encrypt might just be a reference to the SSL certificate being used
- do you have something in use with expressvpn? the first IP belongs to that domain. The second IP is in "bitbit.net", with sounds like something crazy like "Redpill Linpro AS" organisation. Sounds like the Matrix

If I was you, I'd look on the pc, turn on tcpdump/wireshark and inspect what is going on. 3GB for an SSL recertification is craaaaaaaaaazy!

Good luck!
CC

 

[llarsx]

Thanks, catcamstar.

I'll try the Rmerlin forum.
Yes, I had expressvpn, but only until tomorrow as I don't need it any more and don't have used it for months. May be it still alive hidden. I have also found Redpill and simular which may be used in some routing.

I am not sure we should talk about recertification. Another suggest is that some of my laptops programs send backup or simular to some sky backup. (Norton, Google, Asus or my mail One.com). But may be not as the upload happen very seldon - only seen one time earlier in March month.

I travel back to the summer bungalow next week where the asus is locally placed and shall try to do the same operation with restart of the router together with fresh web-log (Clear it before doing anything) and hope to find exact where the GB's is send. May be I should install wireshark again (have used it before).

 

[catcamstar]

May be I should install wireshark again (have used it before).

Important to note that https (encrypted 443) will render gibberish when wiresharking/tcpdumping, but, if you find, on your pc, which program is using that connection, you can quickly identify the root cause.

Good luck!
CC

 

[llarsx]

Important to note that https (encrypted 443) will render gibberish when wiresharking/tcpdumping, but, if you find, on your pc, which program is using that connection, you can quickly identify the root cause.

Good luck!
CC

Thank you!

 

[llarsx]

VPN-trubbel. I have used No-IP as DDNS for some time without any problem, but after I changed to asuscomm.com (which has no charge), it happens that I can't establish the client1 and got a Message like "Can't Reach asuscomm.com - try later". And later it work - after some time (minutes or hours).

Last day it happen at least 2 times. The extern ip is unchanged all the time.

I use asus 68u with asuswrt-merlin and openvpn.

In the "Forced update interval (in days)" the dummy config was 21, but I have changed it to 1. In No-IP it was every minute I suppose. I think the interval should not be the problem here, but why asuscomm.com not give response. Is that normal? If so I have to return back to NO-IP.

Can the Duc program (No-IP updater) which I installed/run a year ago disturb asuscomm? I never used it thereafter, but don't know if it run somewhere in the background.

 

[catcamstar]

Hi @llarsx, I haven't had any issues with the asuscomm.com ddns setting.

But here's what I would suggest you to do:

Step 1: create a batch file (eg "networkping.bat") and paste the following stuff in it:

@echo off

set /p host=host Address:
set logfile=Log_%host%.log

echo Target Host = %host% >%logfile%
for /f "tokens=*" %%A in ('ping %host% -n 1 ') do (echo %%A>>%logfile% && GOTO Ping)
:Ping
for /f "tokens=* skip=2" %%A in ('ping %host% -n 1 ') do (
    echo %date% %time:~0,2%:%time:~3,2%:%time:~6,2% %%A>>%logfile%
    echo %date% %time:~0,2%:%time:~3,2%:%time:~6,2% %%A
    timeout 1 >NUL
    GOTO Ping)

Step 2: run that script as follows: open a command prompt and run "networkping myddns.asuscomm.com".

You'll receive an output file (myddns.asuscomm.com.log) with sample output:

Target Host = 192.168.22.1
Pinging 192.168.22.1 with 32 bytes of data:
25/09/2018 19:39:24 Reply from 192.168.22.1: bytes=32 time=1ms TTL=63
25/09/2018 19:39:25 Reply from 192.168.22.1: bytes=32 time=3ms TTL=63
25/09/2018 19:39:26 Reply from 192.168.22.1: bytes=32 time=1ms TTL=63

At least you can then know (for sure) when that connection did drop. ASUS does not give any SLA's on their ddns service, but you are only sure that it works by testing it.

Good luck!
CC

 

[Mike A.]

Can the Duc program (No-IP updater) which I installed/run a year ago disturb asuscomm? I never used it thereafter, but don't know if it run somewhere in the background.

No. It just beacons out your external IP to their servers so they have a running update of your current address. Shouldn't affect anything else or come into play at all unless and until you query their DNS service (or downstream) to resolve [whatever address].no-ip.org.

 

[llarsx]

Thanks again catcamstar.
One question. Should this be done locally where the router is or can I do it remote via VPN?

By the way, as I have the asus router behind a wireless router set as bridge the trouble can have something to do with this setup. But I have another "Insight" in the local net through my alarm system (mobil) where the broadband and internet seems alive.

 

[llarsx]

No. It just beacons out your external IP to their servers so they have a running update of your current address. Shouldn't affect anything else or come into play at all unless and until you query their DNS service (or downstream) to resolve [whatever address].no-ip.org.

Thanks Mike.
My account at NO-IP finish on the 27th this month. Should I delete something regarding the "Duc"?

 

[Mike A.]

Delete it if you're not using it. No need to have it running and won't do anything for you without an account.

 

[llarsx]

Delete it if you're not using it. No need to have it running and won't do anything for you without an account.

Sure. I should wrote; can it be running somewhere in the registry. But now I have searched there with no result.

The asuscomm.com still fails very often. The extern ip is still the same. If this continue the next days I go back to No-IP.

 

[catcamstar]

Thanks again catcamstar.
One question. Should this be done locally where the router is or can I do it remote via VPN?

By the way, as I have the asus router behind a wireless router set as bridge the trouble can have something to do with this setup. But I have another "Insight" in the local net through my alarm system (mobil) where the broadband and internet seems alive.

My scripts is to be run "locally", as you want to test the upstream connectivity to check whether (or not) it fails. If it fails, either your ISP is down (not good) or the dns update failed (not good either).

If you ASUS router is behind another router, you can debug the asuscomm dns by simply logging in on your ASUS router, and check at the start page right on top what the status is:

Have a look on top at "WAN IP" and "DDNS" settings. If WAN IP is something 192.x/10.x/172.x range, you're doomed anyhow That means your ISP router (which you state is in bridge mode) is not in bridge mode but in NAT mode. ASUS "expect" your ASUS router to be the "edge"router.

Good luck!
CC

 

[llarsx]

Thank you, catcamstar.

"ASUS "expect" your ASUS router to be the "edge"router".
This can be a problem, but as my WAN IP always is unchanged (91.149.xx.xx) and correct, the reason should be something else. Not my broadband both home and remote about 50 mb/s, but living in Norway the internet route could be poorer than GB and USA. Testing more tells me that the failure (as in my picture) happens several time per hour. You may ask why I login so often, and the answer is to minimize the datause in the wireless broadband. The vpn connection also fails after som time so it seems to be the same problem.

I had no such problem before with No-IP and paying about USD 20 for one year seems cheap to avoid this problem. Therefore I return to No-IP next time I travel to the asus router.

 

[catcamstar]

Thank you, catcamstar.

I had no such problem before with No-IP and paying about USD 20 for one year seems cheap to avoid this problem. Therefore I return to No-IP next time I travel to the asus router.

That's why such a pingtest script like I posted above may be of interest: if you run it from behind the ASUS, you can then validate your OUTBOUND ISP connectivity (if that won't work, because of an outage/new dhcp request, it will detect it) AND secondly, you'll detect whether (or not) the dns resolve still works.
If you run it from your friend's/family's house, you can test from their site whether (or not) DNS work or your INBOUND ISP connectivity works.

To my understanding, if your wireless ISP fails, no-ip client won't get updated either. So if you would run the pingtest script, it would indicate as much as failures than the asuscomm ddns service. But that's my 2c.

Can you please show us your ASUSCOMM status (start page of your ASUS) here? You can blurr out your "hostname/WANIP" for privacy reasons.

 

[llarsx]