VPN Primer for Noobs

What VPN Solution are you using?


  • Total voters
    857
Did you color something on that orange lamp/led in the first screenshot?
 
OK, can you try to set "Method to retrieve WAN IP" to External, this might improve your situation.

Interesting, but I am very afraid to change anything when I am not at the place where the router is. If I am lost I have to travel 300 km to that place. I intend to do so some weeks ahead and think I should waite until then doing the change. I find nothing about internal/external in the asus manual - pity.

A question; when you recommend me to change to External, do you expect the orange lamp to be bigger or change color? (to green?)
 
Interesting, but I am very afraid to change anything when I am not at the place where the router is. If I am lost I have to travel 300 km to that place. I intend to do so some weeks ahead and think I should waite until then doing the change. I find nothing about internal/external in the asus manual - pity.

A question; when you recommend me to change to External, do you expect the orange lamp to be bigger or change color? (to green?)

It is a long time that I used that ASUSCOMM ddns, I remember the color to be greenish (?) when being OK, but your status indicates it IS ok right now.

However, if I look in my ASUS (which is not on my ISP router/modem but also behind NAT), I got this feedback from the ddns config screen on the ASUS:
Code:
The wireless router currently uses a private WAN IP address.

This router may be in the multiple-NAT environment. While using an External check might allow DDNS to reflect the correct IP address, this might still interfere with remote access services.

Hence my suggestion to use "external check" (which does, to my understanding, nothing more than an outbound connection to an ASUS service, which reverse engineers your WAN IP which will be put in the DNS record of your asuscomm stuff).
 
  • Like
Reactions: llarsx
Looks different vs standard Asus since he looks to be running Merlin. In that case I believe that you can have it work double-NAT'ed (the internal vs external setting) but that doesn't seem to be his issue. The stock Asus DDNS will balk if behind on a private address as you show.

To my understanding, if your wireless ISP fails, no-ip client won't get updated either. So if you would run the pingtest script, it would indicate as much as failures than the asuscomm ddns service. But that's my 2c.

^ This. If your local service was failing neither would work. But they may have different time outs so that may vary some between them as far as timing and how long they hang onto an address. Depending on what you're using you may be able to tell by behavior as far as whether it shows host unknown or it attempts to reach the host and it's not found.

I suspect that it may just be some flaky connectivity to the Asus DDNS service. I had kind of inconsistent results with that too and went back to using no-ip. Long ago though and haven't tried it recently to know if it's better.
 
From RMerlin super moderator Oct, 7 2018 [Release] Asuswrt-Merlin 384.7 is now available

1-Oct-2018:: 384.7_2 is now available, resolving a few issues present in 384.7.

The highlights of this release:
  • Merged with Asus GPL 384_21152. The RT-AC87U binary blobs from GPL 382_50702 were merged in, allowing 384.7 to support this model (it wasn't available for 384.6).
  • Replaced ez-ipupdate with In-a-Dyn. This DDNS client is more modern, and still actively developed It also makes it easier to support multiple services. A custom plugin was developed to fully support Asus's own DDNS service.
  • All DDNS services now use HTTPS. Your DDNS login credentials are finally secure. Welcome to 2018 folks. Now might be a good time to change your DDNS password, just to be on the safe side.
  • Added freedns.afraid.org DDNS service to the webui.
  • DDNS can now retrieve your public IP either Internally (the original method of using the IP on your router's WAN interface) or Externally (by querying a remote server). This allows the use of DDNS in a Dual NAT or CGNAT situation. Note that it's still up to you to handle the fact that you have two firewalls in front of one another, so things like port forwarding or VPN server support will still require you to handle that at the first firewall level.
  • DFS Channel information are now shown on the Wireless Log page (based on upstream code from Asus's stock firmware)
  • Updated various components: curl (7.61.1), wget (1.19.5), openssl (1.0.2p), dnsmasq (2.80test8), nano (3.1).
  • DNSFilter settings were moved to the LAN section, to make it clearer that this feature is completely unrelated to Trend Micro.
  • Removed the various Norton Connect services from the DNSFIlter page. Symantec is going to discontinue the service in November. On first boot, any DNSFilter client set to use a Norton Connect DNS will be switched to OpenDNS Family to prevent service interruption while still providing security. Go to the DNSFilter page to adjust your settings as desired.
  • Added Quad9 to the list of supported DNSFIlter services (to compensate for the loss of Norton)
  • A couple of IPv6-related fixes surrounding dnsmasq (like dnsmasq crashes on the RT-AC86U in stateful mode).
The highlighted in red is colored by me.

Dual NAT or CGNAT is quite unfamiliar to me. I don't think my wireless router (before asus) use NAT - only bridge.

I still looking for explanation of the yellow (or green) light which comes only when using asuswrt-merlin.
 
Carrier Grade NATting is done by ISPs who cannot hand out "traditional" IPv4 addresses. Double NAT is yourself putting a router behind a router. This can be done for security reasons, or for bandwidth reasons, or ...

Back in the days, there was an "icon" thread on SNB forum, but I can't however find it back. But I stumbled on another gem for Rmerlin:
RMerl/asuswrt-merlin
For you to pick whatever dns is good for you, but keep in mind what @Mike A. wrote: as long as you have flawky internet connectivity, your "uplink" goes down, your WAN IP might change, and your ddns is wrong/gone.
 
  • Like
Reactions: llarsx
I got answer from my isp and they say that my wireless router don't use NAT when it is in bridge. They confirm that NAT is disabled. So, Dual NAT is out of question and "Internal" seems OK.

I have now bought me one new year on No-IP, but because I am far away from the router, I am bound to asuscomm until late October when I take the trip.

Thanks again to catcamstar and Mike. I think my problem has been discussed enough and I now am sure what to do. Tumbs up for all good help.
 
  • Like
Reactions: catcamstar
Last report. It could be a problem that I have the ice router, the asus router and the alarm central unit only 40-50 cm from each another as all of them use radio signals and possibly give some interference spite they use quite different frequenses. Now I got the advice to move them at least 100 cm depart. I also will receive a replacement new router from the wireless isp (ice) and can then exclude possible problems with the old one.
 
Hi Guys
apologies for the aside.
OpenVPN is the top vpn pick on BI

Can someone kindly point me in the right direction of best (and poss simplest) way to setup remote access to my bi pc securely
Are there any vids or tutorials on OpenVPN setup?
Thanks

Adam
 
Hi Adam,
can you explain first where you will be deploying the OpenVPN server? If you have, for example, an ASUS, you can do it on that device. Installing it on Windows is possible too, but then you need portforwarding to your BI pc.
 
  • Like
Reactions: adamdylan
Hi Adam,
can you explain first where you will be deploying the OpenVPN server? If you have, for example, an ASUS, you can do it on that device. Installing it on Windows is possible too, but then you need portforwarding to your BI pc.

If you do this you have to port forward?

Normally just load the openvpn file to openvpn software on windows and then you can connect to your home bi server like you are at home?
 
Hi Cat & TL

Hi Adam,
can you explain first where you will be deploying the OpenVPN server? If you have, for example, an ASUS, you can do it on that device. Installing it on Windows is possible too, but then you need portforwarding to your BI pc.


Thanks for your replies
Cat I don't have Asus will be OpenVPN via pc
Its a cafe and will be installing BI /card payment machine and access point for customer wifi
have pc and netgear switch for the pc/cams. ISP will be changed every year or so

Want to access BI remotely and was looking at using windows access

So,,, I would be vv grateful if you could point me in the direction of the easiest and most straightforward? way to set up a secure remote access that I don't need to config every time isp is changed.

Thanks

Adam
 
Last edited:
Hi Cat & TL




Thanks for your replies
Cat I don't have Asus will be OpenVPN via pc
Its a cafe and will be installing BI /card payment machine and access point for customer wifi
have pc and netgear switch for the pc/cams. ISP will be changed every year or so

Want to access BI remotely and was looking at using windows access

So,,, I would be vv grateful if you could point me in the direction of the easiest and most straightforward? way to set up a secure remote access that I don't need to config every time isp is changed.

Thanks

Adam

Great questions. It is my next write-up to explain how to connect out of network in new ways. @catcamstar will help you with this better than I can until I learn more on how to do so.
 
  • Like
Reactions: adamdylan
Hi Cat & TL

Thanks for your replies
Cat I don't have Asus will be OpenVPN via pc
Its a cafe and will be installing BI /card payment machine and access point for customer wifi
have pc and netgear switch for the pc/cams. ISP will be changed every year or so

Want to access BI remotely and was looking at using windows access

So,,, I would be vv grateful if you could point me in the direction of the easiest and most straightforward? way to set up a secure remote access that I don't need to config every time isp is changed.

Thanks

Adam

Hi @adamdylan,

it "would" have been easier to only have to "configure" openVPN on an ASUS router, however it's not the end of the wold if you have to install it yourself.

Highlevel, what you are looking for:
1) download and install OpenVPN SERVER on your BI/card pc:
2) what's missing in that tutorial: having that VPN Server is good, you must configure a port forwarding rule to that VPN server (eg default 1194). However, during installation in step 1, you can change that port to (for example 443 TCP) or hide it in upper 32k ports in UDP, so no chinese scanner will ever find you :)
3) setup any DDNS system so that when your WAN ISP changes, your "my-tiny-private-vpn-access.mydomain.com" keeps working in your openvpn client configuration file. Some here work with no-ip, some work with the IPCT one! (IPCT - Introducing IPCT DDNS! Free DDNS service!)

From then on, you can keep your openVPN open all the time for remote access!

Good luck!
CC
 
Thank you very much for that CC :)

How long would that take a mere mortal to install openvpn to windows pc and how straightforward /reliable is that method? (I've read some don't find it easy)

It appears my windows options are Openvpn on
1) My pc (61% of members using)
2) Asus (ac68u) router. (15% using)
3) Raspberry Pi (4.8%)

So which is the simplest? most straightforward? most reliable/stable? How long does each take?

I am thinking the Asus router may be best because
1) easiest to setup
2) has spare ports if want to add to other devices can use the asus vpn
3) problem or change pc the vpn on the asus is still there

Your thoughts are most appreciated

Thanks, Adam
 
Last edited:
Personally, I don't like windows desktop pc running 24/7 (but hey that's me), nor having VPN server on a raspberry Pi (dual NIC rpi is underpowered). VPN is a core network feature, hence rectifies to run it on a networking device. So my first choice would be an ASUS router, but I eventually dropped that one to for a Ubiquity EdgerouterX.

ASUS VPN server setup is 5 minutes setup. VPN on windows: some people never got it running. I never considered it (nor tried it out of curiosity). ER-X: 15 minutes setup (but you shouldn't be afraid of some command line hocus pocus as the GUI doesn't expose all features).

BUT. If you are looking for SOHO based networking capabilities, increased security (firewall, vlans etc), then you're leaving the ASUS league and entering the managed switches/vlan era. Bit more expensive, but tons more options and capabilities.

The choice is yours!

Good luck,
CC
 
Thank you very much for that CC :)

How long would that take a mere mortal to install openvpn to windows pc and how straightforward /reliable is that method? (I've read some don't find it easy)

It appears my windows options are Openvpn on
1) My pc (61% of members using)
2) Asus (ac68u) router. (15% using)
3) Raspberry Pi (4.8%)

So which is the simplest? most straightforward? most reliable/stable? How long does each take?

I am thinking the Asus router may be best because
1) easiest to setup
2) has spare ports if want to add to other devices can use the asus vpn
3) problem or change pc the vpn on the asus is still there

Your thoughts are most appreciated

Thanks, Adam

Where did you find this %? I think the majority is using the asus router to setup their vpn. It is the easiest and doesn't require port forwarding like using a PC or raspberry PI.

I agree with catcamstar advice if you have the time/money and patience to set up something more advanced go with that.
 
  • Like
Reactions: adamdylan