Guide: setting up OpenVPN on Asus routers
The OpenVPN server on these routers is a feature that began with the excellent RMerlin firmware mod (itself based on the OpenVPN implementation in the relatively popular Tomato router firmware). Fortunately, since version 374.2050 of the official firmware this option is included by default, and it is extremely simple to configure.
This does not mean that we cannot configure every detail as before, but several tedious tasks are now automated, such as the generation of public and private keys, which previously had to be done manually. This allows certificate authentication without demanding much time or knowledge from the user.
Why use OpenVPN instead of the usual PPTP server?
The answer is simple: it is a much more secure method (see) than the PPTP server commonly used in home environments and routers because of its simplicity. It is relatively standard, it is not significantly more expensive in resources, it is much more flexible, and, although somewhat tedious to set up, it is very comfortable once you are familiar with the environment.
In fact, it is easy to configure a PPTP server on a Windows computer without installing any additional software, following guides such as the one available at. But it is much better to configure it on the router, which, besides saving us from having to redirect ports and create firewall rules, is always on to accept connections. And if it can be more secure than PPTP, as with the OpenVPN method we are about to explain, so much the better.
Note: You can also configure an OpenVPN server on a regular PC, in case you do not have a router with this firmware or compatible with DD-WRT / OpenWRT. For users interested in this point, we recommend following the corresponding article on the Debian wiki, which perfectly details the steps to follow in
Step by step configuration manual
This is not intended to be an exhaustive configuration guide, but a first contact to have a basic server running that can later be configured to suit each user.
The steps to follow are these:
- We connect to the router from any browser by entering its IP in the address bar (by default 192.168.1.1, although in this guide it will be 10.20.30.1) and log in with our username and password (by default admin / admin on Asus routers, although anyone following this guide should change them without delay). We go to the VPN menu within the advanced options and, in the OpenVPN tab, select the first instance (Server 1) and move the switch to the ON position. It is not necessary, but it is recommended to add users for our VPN. In this case we have chosen tests / tests as user / password; for a real environment we of course recommend a more robust password. We click the "+" button to add the user, and we can then apply the changes with the Apply button at the bottom of the page.
For users who want a completely manual configuration, it is possible to generate our own certificates / keys for the users we want using easy-rsa, as described in. In this case, the simplest approach is to generate the keys on the PC and configure the three necessary values by clicking on the following link (its label in the firmware is a bad translation of "keys"):
This type of configuration is quite advanced, so users who want to venture into it are advised to configure and test a server with automatically generated keys first. It is not good practice for a neophyte to configure the server in this way without previous experience.
- We already have the server working. Now we need to transfer the certificates to the clients for a secure connection. You can see detailed examples of the server.conf and client.conf files (respectively, server.ovpn and client.ovpn in Windows) with comments and documentation, but in our case it is much easier to use the Export button.
The file that we will obtain will look like this (keys deleted for security):
The parameter I have marked is the address of our server, which will probably not have been filled in correctly in cases where the DDNS does not "know" the address it points to (as in my case: I use Dnsomatic to have an address that always points to my dynamic IP).
Although the correct configuration is like this, with a fixed address, there is no problem if you do not have a DDNS configured. For testing you can fill in this field with the WAN IP of our router (the external IP, that is, the one that can be seen at http://cualesmiip.com or http://echoip.com), with the downside that every time our IP changes we must edit the file to reflect it.
As the connection is made to the router itself, we obviously do not have to redirect ports; we only have to configure the client. We download the latest version of the OpenVPN client from its website, https://openvpn.net/index.php/download/community-downloads.html; in our case it will be the Windows 64-bit version. Installation is simple and we will not detail it. For general use it is not necessary to change any of the default options.
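A check that can be run on the exported file before copying it to the client, added here as an example (it is not part of the original guide or of the Asus firmware): it reads the profile, skips the embedded key blocks, and reports a remote line that points at a LAN address instead of a DDNS name or the WAN IP. The sample profile and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of an exported profile; key material replaced by a placeholder.
SAMPLE_PROFILE = """client
dev tun
proto udp
remote 10.20.30.1 1194
auth-user-pass
<ca>
(certificate removed)
</ca>
"""

def parse_profile(text):
    """Return (directives, inline_blocks) from an OpenVPN client profile."""
    directives, blocks, current = [], set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if current:                      # inside <ca>...</ca> etc.: skip key material
            if line == f"</{current}>":
                current = None
            continue
        m = re.fullmatch(r"<([\w-]+)>", line)
        if m:
            current = m.group(1)
            blocks.add(current)
        elif line and line[0] not in "#;":   # '#' and ';' start comments
            directives.append(line.split())
    return directives, blocks

def check_profile(text):
    """List problems that would stop the profile working or weaken it."""
    directives, blocks = parse_profile(text)
    names = {d[0] for d in directives}
    remotes = [d[1] for d in directives if d[0] == "remote" and len(d) > 1]
    findings = [] if remotes else ["no remote directive"]
    for host in remotes:
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            continue                     # a hostname (e.g. a DDNS name) is fine
        if not ip.is_global:
            findings.append(f"remote {host} is not reachable from the Internet")
    if "ca" not in blocks and "ca" not in names:
        findings.append("no CA certificate: server cannot be verified")
    if "auth-user-pass" not in names:
        findings.append("no auth-user-pass: client will not send a username/password")
    return findings
```

Calling check_profile(open("client1.ovpn").read()) returns an empty list when the remote address, the CA certificate and the username/password prompt are all in place.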
Now, depending on the installed version, we must copy the file that we previously exported (we have called it client1.ovpn) to the client's configuration directory. On Windows, this directory will be Program Files/OpenVPN/config/ (Program Files (x86)/OpenVPN/config/ in the case of the 32-bit version). It only remains to run the client as an administrator. If we have configured it to do so, it will ask us for a username and password in addition to the certificates that are already in the configuration file; otherwise we connect directly. If everything went well, we will see a record similar to this in the log (capture taken in a scenario without password validation). The green screen icon in the taskbar confirms that we are connected, and will inform us of the virtual IP assigned in the VPN to the computer from which we launched the client.
From this moment the computer will behave as if it were physically connected to the local network managed by the router on which we have configured the OpenVPN server.
We can monitor all connections of this type from our router. For example, configuring it as we have described and connecting from the laptop, we will see something like this in the section VPN -> VPN Status
Note: Connecting to a VPN from within our own network is sometimes problematic (logically, since trying to connect a local network to itself through a VPN is a rather artificial use). If someone has problems with the connection after having followed all the steps, it is highly recommended to try from a mobile phone's data connection (via tethering, for example), with a USB 3G/4G dongle, or directly from another location.
We hope this guide is useful for increasing the security of your connections to the home network from outside. We encourage you to leave any questions or remarks in the comments.