Asus RT-AC88U as VPN Client

Need help configuring your VPN? Just post here and you'll get that help.

Moderators: TinCanTech

Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
STEPHANK
OpenVpn Newbie
Posts: 8
Joined: Thu Aug 20, 2020 1:37 am

Asus RT-AC88U as VPN Client

Post by STEPHANK » Thu Aug 20, 2020 1:54 am

Hi! Don't know much about OpenVPN, so any help would be very appreciated!

For a long time I have been running an OpenVPN server on my own desktop. I connect to it when I am in a different country.
OpenVPN 2.4.4 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Sep 26 2017

I can connect to it from my Notebook Client and everything works fine.

I have an Asus RT-AC88U router set up as a VPN client. It used to run fine, but a firmware upgrade about a year ago stopped it. I tried to find what I have to change in my config, but I failed. I did a firmware downgrade and all was fine again. This router is behind another router and a firewall, so no direct danger. It is used for devices that cannot install OpenVPN.

However, Asus has brought out many firmware versions since, has now forced new firmware on my router, and does not let me downgrade anymore, so my VPN config does not work anymore. I urgently need it. The router allows me to activate the config and it looks like it routes through the VPN, but everything gets lost.

Can you see anything from that log?

Aug 19 21:47:42 vpnclient5[2804]: OpenVPN 2.4.7 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Aug 11 2020
Aug 19 21:47:42 vpnclient5[2804]: library versions: OpenSSL 1.0.2u  20 Dec 2019, LZO 2.03
Aug 19 21:47:42 vpnclient5[2805]: WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
Aug 19 21:47:42 vpnclient5[2805]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Aug 19 21:47:42 vpnclient5[2805]: TCP/UDP: Preserving recently used remote address: [AF_INET]xx.xxx.xxx.xxx:1194
Aug 19 21:47:42 vpnclient5[2805]: Socket Buffers: R=[122880->122880] S=[122880->122880]
Aug 19 21:47:42 vpnclient5[2805]: UDP link local: (not bound)
Aug 19 21:47:42 vpnclient5[2805]: UDP link remote: [AF_INET]xx.xxx.xxx.xxx:1194
Aug 19 21:47:42 vpnclient5[2805]: TLS: Initial packet from [AF_INET]xx.xxx.xxx.xxx:1194, sid=64f3fd16 05b0e844
Aug 19 21:47:42 vpnclient5[2805]: VERIFY OK: depth=1, C=US, ST=CA, L=SanFrancisco, O=OpenVPN, OU=changeme, CN=changeme, name=changeme, emailAddress=mail@host.domain
Aug 19 21:47:42 vpnclient5[2805]: VERIFY OK: nsCertType=SERVER
Aug 19 21:47:42 vpnclient5[2805]: VERIFY OK: depth=0, C=US, ST=CA, L=SanFrancisco, O=OpenVPN, OU=changeme, CN=changeme, name=changeme, emailAddress=mail@host.domain
Aug 19 21:47:43 vpnclient5[2805]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Aug 19 21:47:43 vpnclient5[2805]: [changeme] Peer Connection Initiated with [AF_INET]xx.xxx.xxx.xxx:1194
Aug 19 21:47:44 vpnclient5[2805]: SENT CONTROL [changeme]: 'PUSH_REQUEST' (status=1)
Aug 19 21:47:44 vpnclient5[2805]: PUSH: Received control message: 'PUSH_REPLY,route 192.168.3.0 255.255.255.0,route 112.125.202.100 255.255.255.255 net_gateway,route 198.61.209.236 255.255.255.255 net_gateway,route 166.78.4.254 255.255.255.255 net_gateway,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM'
Aug 19 21:47:44 vpnclient5[2805]: OPTIONS IMPORT: timers and/or timeouts modified
Aug 19 21:47:44 vpnclient5[2805]: OPTIONS IMPORT: --ifconfig/up options modified
Aug 19 21:47:44 vpnclient5[2805]: OPTIONS IMPORT: route options modified
Aug 19 21:47:44 vpnclient5[2805]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Aug 19 21:47:44 vpnclient5[2805]: OPTIONS IMPORT: peer-id set
Aug 19 21:47:44 vpnclient5[2805]: OPTIONS IMPORT: adjusting link_mtu to 1625
Aug 19 21:47:44 vpnclient5[2805]: OPTIONS IMPORT: data channel crypto options modified
Aug 19 21:47:44 vpnclient5[2805]: Data Channel: using negotiated cipher 'AES-256-GCM'
Aug 19 21:47:44 vpnclient5[2805]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Aug 19 21:47:44 vpnclient5[2805]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Aug 19 21:47:44 vpnclient5[2805]: TUN/TAP device tun15 opened
Aug 19 21:47:44 vpnclient5[2805]: TUN/TAP TX queue length set to 100
Aug 19 21:47:44 vpnclient5[2805]: /sbin/ifconfig tun15 10.8.0.6 pointopoint 10.8.0.5 mtu 1500
Aug 19 21:47:44 vpnclient5[2805]: /etc/openvpn/ovpn-up tun15 1500 1553 10.8.0.6 10.8.0.5 init
Aug 19 21:47:46 vpnclient5[2805]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Aug 19 21:47:46 vpnclient5[2805]: Initialization Sequence Completed
Last edited by Pippin on Thu Aug 20, 2020 9:00 am, edited 1 time in total.
Reason: Formatting

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Asus RT-AC88U as VPN Client

Post by TinCanTech » Thu Aug 20, 2020 6:35 am

STEPHANK wrote:
Thu Aug 20, 2020 1:54 am
Can you see anything from that log?
There is nothing wrong in your log.

However .. you may be in luck nonetheless ;)

You are pushing DNS servers but a Linux client needs scripts to pick up these servers and set them in your client resolver. Find out if your client is using systemd or not and then you can install the right script (probably).

For systemd, see systemd-resolved and the update script https://github.com/jonathanio/update-systemd-resolved

Otherwise, see openresolv and the update script https://github.com/alfredopalhares/open ... esolv-conf

That is probably all you need.

Also, WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead

Please address this, you need to use EasyRSA3 to create a new PKI which does not use --ns-cert-type.
It is easy and you should sort it out.

Also, --topology net30 is deprecated, so you should switch to --topology subnet.
That is also easy and you should sort it out.

And a tip, you can use --push "route 12.34.56.78" where the IP is a host route because the default netmask in OpenVPN is 255.255.255.255

Finally, set --verb 4 in your configs for extra debugging info. Switch back to a lower --verb once everything is sorted out.

These things ought to fix your issue.
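
What the client-side scripts mentioned in the post above do, as an added example that is not part of the original thread and is not code from either linked project: OpenVPN hands each pushed `dhcp-option` to an `up` script in the environment variables `foreign_option_1`, `foreign_option_2`, and so on, and the script has to validate them before writing resolver lines, because the values come from the server and the script runs as root. It assumes a Linux client that permits `script-security 2` and an `up` script; the `RESOLV_OUT` variable and its default path are hypothetical.

```shell
#!/bin/sh
# Added example: OpenVPN "up" hook turning pushed DNS servers into
# resolv.conf lines. Client config needs: script-security 2, up <this file>.
# OpenVPN sets script_type=up and foreign_option_N for each pushed option.
# RESOLV_OUT is a hypothetical variable naming the file to write.

# Succeed only for a dotted-quad IPv4 address with octets 0-255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    rest=$1
    count=0
    while [ -n "$rest" ]; do
        octet=${rest%%.*}
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
        count=$((count + 1))
        case "$rest" in
            *.*) rest=${rest#*.} ;;
            *)   rest= ;;
        esac
    done
    [ "$count" -eq 4 ]
}

# Print one "nameserver" line per valid pushed DNS option.
pushed_dns_to_resolv() {
    n=1
    while :; do
        eval "opt=\${foreign_option_$n:-}"
        [ -n "$opt" ] || break
        set -f          # no globbing while splitting server-supplied text
        set -- $opt
        set +f
        if [ "${1:-}" = "dhcp-option" ] && [ "${2:-}" = "DNS" ]; then
            if is_ipv4 "${3:-}"; then
                printf 'nameserver %s\n' "$3"
            else
                echo "ignoring invalid pushed DNS value" >&2
            fi
        fi
        n=$((n + 1))
    done
}

# Only act when OpenVPN itself invokes the script as the up hook.
if [ "${script_type:-}" = "up" ]; then
    pushed_dns_to_resolv > "${RESOLV_OUT:-/tmp/resolv.conf.openvpn}"
fi
```

With the `PUSH_REPLY` from the log in this thread, the two pushed servers 8.8.8.8 and 8.8.4.4 would arrive as `foreign_option_1` and `foreign_option_2`.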

STEPHANK
OpenVpn Newbie
Posts: 8
Joined: Thu Aug 20, 2020 1:37 am

Re: Asus RT-AC88U as VPN Client

Post by STEPHANK » Thu Aug 20, 2020 11:19 am

Thank you for your help!
TinCanTech wrote:
Thu Aug 20, 2020 6:35 am
You are pushing DNS servers but a Linux client needs scripts to pick up these servers and set them in your client resolver. Find out if your client is using systemd or not and then you can install the right script (probably).
The client is a router. So the OpenVPN software is part of the firmware. I might be wrong, but I was under the impression that I can not change anything in the firmware.

asus config

client
dev tun
#dev-node MyTap #Name of your TAP network interface
proto udp #switch to tcp if you wish to use a tcp connection, needs to match server. udp gives better performance
remote xxxxx.dyndns.org 1194 #change port as you see fit, needs to match server

resolv-retry infinite
nobind
persist-key
persist-tun

#ca ca.crt
#cert client1.crt
#key client1.key
ns-cert-type server

comp-lzo #compression for better performance. Disable if your server isn't powerful enough. Needs to be included in both server and client configs if you use it.
verb 3
explicit-exit-notify 2
ping 10
ping-restart 60

;register-dns #uncomment this if you run into dns issues
route-method exe
route-delay 2


<ca>
-----BEGIN CERTIFICATE-----
(deleted)
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
(deleted)
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
(deleted)
-----END PRIVATE KEY-----
</key>

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Asus RT-AC88U as VPN Client

Post by TinCanTech » Thu Aug 20, 2020 12:22 pm

STEPHANK wrote:
Thu Aug 20, 2020 11:19 am
The client is a router. So the OpenVPN software is part of the firmware. I might be wrong, but I was under the impression that I can not change anything in the firmware.
You will have to check that with ASUS ..

I can see that your router is using Linux because it runs this version of OpenVPN:
STEPHANK wrote:
Thu Aug 20, 2020 1:54 am
OpenVPN 2.4.7 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Aug 11 2020
So, unless ASUS pick up the DNS in the firmware (Unlikely) then you must use a client side script to do it.

Or not rely on pushing DNS ..

STEPHANK
OpenVpn Newbie
Posts: 8
Joined: Thu Aug 20, 2020 1:37 am

Re: Asus RT-AC88U as VPN Client

Post by STEPHANK » Thu Aug 20, 2020 3:16 pm

So, unless ASUS pick up the DNS in the firmware (Unlikely) then you must use a client side script to do it.
I am just trying to understand ...

The Asus router IS the client. And if I cannot change the firmware, how would I use a client side script?

I have full access to the server, but that is not the Asus.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Asus RT-AC88U as VPN Client

Post by TinCanTech » Thu Aug 20, 2020 5:24 pm

STEPHANK wrote:
Thu Aug 20, 2020 3:16 pm
if I can not change the firmware, how would I use a client side script?
I do not use ASUS so I have no idea..

Try reading the ASUS manual.

STEPHANK
OpenVpn Newbie
Posts: 8
Joined: Thu Aug 20, 2020 1:37 am

Re: Asus RT-AC88U as VPN Client

Post by STEPHANK » Fri Aug 21, 2020 12:21 pm

In case anybody else runs into problems: Switching to the Asus-Merlin firmware solved the problem. It has a completely new implementation of OpenVPN.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Asus RT-AC88U as VPN Client

Post by TinCanTech » Fri Aug 21, 2020 2:53 pm

Thanks for letting us know 8-)
