Asus w OpenVPN Server Recommendations?
Posted: Tue Mar 05, 2024 6:13 pm
by Philoctetes
I thought setting up my aging Asus RT-AC56U router as an OpenVPN server would be straightforward. No. AFAIK, even when choosing the highest levels of encryption, the .ovpn file isn't up to spec w requirements of the latest OpenVPN client. So, I'm shopping for a new router which will work as an OpenVPN server. No firmware updates likely for the RT-AC56U. Suggestions, please? Many thanks.
Re: Asus w OpenVPN Server Recommendations?
Posted: Tue Jan 21, 2025 12:33 am
by onesnark
Greetings from a forum newbie
RELATED BACKGROUND
Seems I don't have "new topic" privileges; but I can respond to a "related" (if unanswered?) topic. So apologies for the necro-post.
I am a private consumer (not a business) with a few routers in different locations about 50-150 miles apart (long story).
In each location, I have an ASUS router of varying age. In general, they are "older and cheap" (since I am not a business). . .and they don't have huge amounts of traffic. I have never needed "latest and greatest" in routers.
I have a few NAS units, and I explored VPN connections to access these NAS units a few years back. Configured OpenVPN on the routers (it comes preinstalled) and . . . .it worked fine. Then - - being security conscious I hid all the NAS units behind a secure router. By secure. . .I mean no WAN connection. Local connection to the secure router ONLY. I then didn't think about open VPN for a few years.
Fast forward to 2025: I decided to create a file server for friends. Remote access needed. I added a new "sacrificial" NAS to my "open" network for the task, and have set up WebDav and SFTP access. Works fine.
To administrate: I have decided to dust off OpenVPN. After all. . I am often away from the location with the NAS. While I am doing network fiddling, I have decided to add a small HDD to each router to serve as a "local" file server - - and build in access via OpenVPN.
WORKING UP TO THE CURRENT QUESTION
I have several older ASUS routers in remote locations. (One is a RT-51U, another is RT-AC66U B1, plus two other similar units).
Looks like OpenVPN Server is preloaded into the firmware. . .and one cannot load a newer version of OpenVPN Server to make it "current".
Looks like OpenVPN Connect . . .the newest versions. . . doesn't like the options related to older OpenVPN servers.
I just loaded 3.6.0 a few weeks ago onto a laptop. . .works on one router; but complains about "insecure hash" on another (and won't connect).
Just loaded 3.6.0.4074 on another machine. . .and it doesn't like that router also uses "compression". Gah.
Dumped 3.6.0.4074 and loaded 3.3.6.2752 (from who knows where). THAT seems to work.
THE CURRENT QUESTION
I need advice.
Not sure how to proceed.
I would like to have current software. . .. but
* I think the only practical path for that is to replace all the routers with something that allows side-loading of other software.
* Next best solution is to just compromise and run the newest version of OpenVPN client that works with hardware I have
* I really don't want to run OpenVPN on the NAS, or install Raspberry Pis everywhere to run the VPN. (or maybe I should do the Pis?)
Thanks for listening.
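Added example, not part of the post above: a small Python check that reads a router-exported .ovpn profile and reports the two kinds of setting the post says newer clients complained about, compression and a weak hash, plus legacy ciphers. The profile text is constructed, and the `WEAK_DIGESTS` / `WEAK_CIPHERS` lists are an assumed policy for illustration, not taken from any OpenVPN client.

```python
import re

# Assumed policy for this example, not a list taken from any OpenVPN client.
WEAK_DIGESTS = {"MD5", "SHA1"}
WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC", "RC2-CBC"}
INLINE_TAG = re.compile(r"^<(/?)([a-z0-9-]+)>$")

def audit_ovpn(text):
    """Return a list of (line_no, directive, reason) for risky settings."""
    findings, inside = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        tag = INLINE_TAG.match(line)
        if tag:
            # <ca>, <cert>, <key>, <tls-auth> blocks carry PEM data, not directives.
            inside = None if tag.group(1) else tag.group(2)
            continue
        if inside or not line or line[0] in "#;":
            continue
        parts = line.split()
        name = parts[0].lower()
        arg = parts[1] if len(parts) > 1 else ""
        if name in ("comp-lzo", "compress"):
            # Conservative: any compression directive is reported, whatever its argument.
            findings.append((no, name, "compression directive: " + (arg or "(no argument)")))
        elif name == "auth" and arg.upper() in WEAK_DIGESTS:
            findings.append((no, name, "weak HMAC digest: " + arg))
        elif name in ("cipher", "data-ciphers", "ncp-ciphers"):
            weak = [c for c in arg.upper().split(":") if c in WEAK_CIPHERS]
            if weak:
                findings.append((no, name, "weak cipher: " + ",".join(weak)))
    return findings

# Constructed sample profile (hostname and certificate body are placeholders).
SAMPLE = """\
client
dev tun
proto udp
remote vpn.example.net 1194
cipher AES-128-CBC
auth SHA1
comp-lzo adaptive
<ca>
-----BEGIN CERTIFICATE-----
compress (constructed placeholder, not a real certificate)
-----END CERTIFICATE-----
</ca>
"""

if __name__ == "__main__":
    for no, name, reason in audit_ovpn(SAMPLE):
        print(f"line {no}: {name}: {reason}")
```

A client's "insecure hash" message may also refer to the signature algorithm of the certificates inside the `<ca>` and `<cert>` blocks, which this check skips rather than decodes.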
Re: Asus w OpenVPN Server Recommendations?
Posted: Tue Jan 21, 2025 12:55 am
by Philoctetes
Thanks for the reply. My solution was to get a Raspberry Pi, install a headless OS and then run Wireguard on the RPi. It was inexpensive, and a joy to configure and deploy. My hesitation was in not wanting to add another "appliance" to my network, but as I did have one unused ethernet port on my router, I decided to go w the additional hardware. You can send WG certs to your friends, and revoke them as easily should you need to. I've got multiple devices which can connect to my single NAS via my single RPi. But, if you have multiple NAS devices in separate locations, you might have to deploy multiple RPis. But, trust me, it's a lot simpler to configure several of those jewels than trying to get an old router to play w current OpenVPN clients.
Re: Asus w OpenVPN Server Recommendations?
Posted: Tue Jan 21, 2025 5:09 am
by onesnark
I hear you on the RPi. I guess a rpi 3 would be sufficient to run as a router/vpn server?
I have gone down a nutty rabbit hole the last few hours.
Fundamentally, I think there is an issue if I have *client* software that gets updates . . .but *server* software that does not.
I have a *stupid* number of routers (in different locations).
After some tweaking, I seem to have the "most current" OpenVPN settings on the most important router (the one that has a sacrificial NAS attached, and where I am right now).
The other routers. . . meh. . not too worried. Will spend some time tweaking settings and pumping out new certs when I physically get to them. Not going to redo the OpenVPN configuration and download certs *remotely*.
Re: Asus w OpenVPN Server Recommendations?
Posted: Tue Jan 21, 2025 4:59 pm
by Philoctetes
I use an RPi 4, but imagine/guess a version 3 would work. FWIW, consider that the security for remote (i.e., internet) access to older routers' GUI management is simply PW-based. Not terribly secure. Newer routers may have better security, but I don't know. The nice thing about an RPi-WG setup is that you can access the router through the WG VPN as if it were local, so the router's login interface need not be exposed to the internet. So, remote management of multiple routers is more secure if still inconvenient.
Re: Asus w OpenVPN Server Recommendations?
Posted: Wed Jan 22, 2025 4:41 am
by onesnark
Yes. . . .I also block router config from the internet.
. . .and this is why I don't want to adjust VPN settings remotely - - If I mess up the VPN, or do something that requires new certs. . . I lose access.
I suppose I can expose the router when playing with the VPN. . . .but honestly. . .I didn't even think about that until now. It's not like I adjust settings all that often. After playing with VPNs a few years ago, I actually had VPN turned off for a few years and am only getting back on the wagon because of a new server addition.