
OpenVPN with Asus RT-N66U router

SteveM
SteveM Member
edited June 2020 in New Ideas

Chris Tate has provided other thread(s) covering setup of a VPN using the PPTP protocol. I tried that method but it turns out that some of the protocol packets (specifically, GRE) are blocked by the firewall at my workplace. The N66 router also supports OpenVPN, so I gave it a whirl and it turned out to be a simple 10 minute setup. I took a couple of screenshots if you would like to recreate this tunnel into your shack (note that I am running the latest router firmware as of this posting).


image

Step 1 - Advanced Settings

  1. Select VPN tab (left side)
  2. Select OpenVPN
  3. Select VPN Server tab
  4. Enable the server
  5. Select VPN Details - Advanced Settings
  6. Fill out the form settings as shown (or modified to your preference)


image

Step 2 - General Settings

  1. Select VPN Details - General
  2. Add your user-name/password
  3. Click Apply
  4. You will be prompted to save the .ovpn file (e.g., DesktopMyShack.ovpn). Use the Export button to force an upload of the .ovpn file in case you apply subsequent changes and desire an updated .ovpn file. The Export button can also be used to obtain the file on different remote machines.


Step 3 - Installing OpenVPN on remote machine

  1. Install OpenVPN
  2. Move the .ovpn file to the OpenVPN config directory (e.g., C:\Program Files\OpenVPN\config; this requires Admin privy)
  3. Start OpenVPN (you will be prompted for user-name/password)
  4. Fire-up SSDR v1.4.3
  5. Time to play - hopefully ;-)


Note: You can perform all of these instructions from the remote machine if you have remote access enabled on the router (Administration -> System -> Enable Web Access from WAN: Yes).


Comments

  • spopiela
    spopiela Member ✭✭
    edited July 2019
    Steve, Just getting into remote operation with my 6300. I have it working within the LAN on all my computers and iPad (using Splashtop streamer). It has been great. Going outside the LAN to the big WAN and more security risks has me asking the question about the necessity of VPN. Why? What does it do for me regarding a Ham radio? It seems like it might slow things down between the radio and the controlling application on the WAN. If it does, why do it? HAM radio has no implied confidentiality. Thanks for your great tutorial on the VPN setup. I have a Netgear router with OpenVPN support and could try it.
  • Jim Jerzycke
    Jim Jerzycke Member ✭✭
    edited November 2017
    It's more to prevent an unauthorized person grabbing control of the radio, -OR- getting into whatever network you're connecting to the radio from.

    There's a LOT more to remote control operation than just "no implied confidentiality".

    73, Jim
  • KY6LA_Howard
    KY6LA_Howard Member ✭✭✭
    edited July 2019
    Jim and Steve

    The issue is NOT confidentiality but rather the fact that SSDR 1.4.x requires both the Remote and the Local computers to be on the same LAN Subnet. When operating WAN, the only way to achieve that is via VPN acting as a Bridge.
  • spopiela
    spopiela Member ✭✭
    edited December 2016
    Howard, I wish I didn't have to keep the LAN computer on when I'm on the WAN.. Aargh! Can't just run the SSDR software remote... too slow.. Just shows how little I know about networks. I guess I still need to use a desktop app like Splashtop. This blog is awesome for a new Flexie user. Thanks guys. 73's Stan N1THL
  • KY6LA_Howard
    KY6LA_Howard Member ✭✭✭
    edited January 2017
  • Ken - NM9P
    Ken - NM9P Member ✭✭✭
    edited June 2020
    I have followed these instructions on getting OpenVPN running on my new ASUS AC1750 router.
    It will connect from my iPad when I am on my own WiFi network, but when I am at the office, it won't connect. Is there some IP Pass-through, NAT filter, or port that I need to open in the ASUS firewall to make this work?

    I am using my Motorola ATT NVG510 DSL Modem/Router in passthrough mode (as much as it can be configured for this) and feeding it into the new ASUS router.

    I am baffled.

    Ken - NM9P
  • SteveM
    SteveM Member
    edited June 2020

    Ken,

    No, nothing special on the Asus router needs to be configured except the OpenVPN server as explained above. I'm not sure how you have your network setup.

    Are you able to ping the Asus router from your workplace? If so, then there is a firewall between the Asus and your workplace that is blocking port 1194.

    If the firewall is at the cable modem, then you'll need to port-forward 1194 to the Asus.

    If the firewall is at your workplace, well, you'll need to speak to someone else.


    Edit:

    Have you looked at the Asus system log for info related to your connection attempts?

  • David Decoons, wo2x
    David Decoons, wo2x Member, Super Elmer Moderator
    edited May 2016

    Ken,


    I had issues as well but got it going. I am using PPTP mode since the iPad does not support OpenVPN TAP mode. One thing to check if you are behind NAT routers at each end, you cannot have both private subnets set to 192.168.1.x. Change the third octet to anything but 1 (example: 192.168.200.x)

    You just need to enable PPTP and then create a user name and password. Make sure Samba support is enabled. On the iPad create a PPTP VPN connection.

    Once I did that it started working.

    Dave wo2x

  • SteveM
    SteveM Member
    edited December 2015

    Honest question here, guys. What do iPads and Flex-6xxx's have to do with each other? Are you using that IOS app? Or is there some way to operate SSDR on an iPad? Forgive me for the **** question, I have never owned a Mac.


    Thanks.

  • KY6LA_Howard
    KY6LA_Howard Member ✭✭✭
    edited November 2015
    Running remote via several methods on iPad. K6TU app or parallelsAccess. Small portable easy to use package. So far from 27 countries
  • David Decoons, wo2x
    David Decoons, wo2x Member, Super Elmer Moderator
    edited May 2016
    As Howard stated operating the Flex remotely from the iPad here also. Either the K6TU app or CommCat. Dave wo2x
  • SteveM
    SteveM Member
    edited December 2015

    Do you plan to use an iPad even after v2.0? Just my personal opinion, but I think I would go with an MS tablet and run SSDR natively.


    Edit:

    Eh, forget the iPads/Phones. I suppose you guys with all of the extra money are going to be using the Maestro soon ;-)


  • Ken - NM9P
    Ken - NM9P Member ✭✭✭
    edited December 2016
    I have been trying all manner of connection - ipad, iphone in cellular data, Windows Vista laptop at work, and nothing gets through.  Nothing showing on the ASUS log, either.  (It DOES show in the log when I connect VPN through the WIFI on my own LAN.)

    I have tried setting the NVG510 router to do passthrough in two different ways and nothing seems to work.  I have heard that sometimes ATTUverse is blocking certain ports at the central office.  This may be my problem.  I will have to call them and see.
  • KY6LA_Howard
    KY6LA_Howard Member ✭✭✭
    edited November 2015
    Maestro will be too big/heavy to schlep on my International Travels...

    where sometimes you are limited to 20Kg =43lb and Carry-On is no more than 5Kg = 12lb...

    I got away with carrying my iPad in my hand on Air France and Aer Lingus so it did not get weighed along with the carry-on....

    The weight issue can be super frustrating when you arrive from to USA with a 51 lb suitcase and a 25 lb carry-on.. only to find that the extra weight surcharges @€10 per KG quickly surpass the value of the stuff you are carrying...

    BTW... ridiculously small weight allowances are coming to the USA over the next year or so.... as US Carriers are always looking for new ways to stick it to their customers..

    The reason I went to the iPad is that I got tired of schlepping an IC-706 and all the attendant junk.....


    MS Tablet?

    I have far too much on the iPad that works very well to retrograde back to an MS Tablet for a single application SSDR... YMMV

    XYL usually carries her Macbook Air which runs W7.. so if and when V2.0 is released I could use the MacBook... for SSDR


    HOWEVER.. I have a VPN back to the house.. so I can already run the Macbook under W7 and SSDR...

    FRANKLY... I really prefer the iPad for convenience and ease of use when remoting...



  • SteveM
    SteveM Member
    edited December 2015

    Ken,

    Have you tried setting the server to use TCP connections? Have you tried to use a port other than 1194 (temporarily try a well known port that is surely unblocked, like TCP 22)? If you make changes to the server, make sure to export a new config-file to the remote machine. Good luck.

  • KY6LA_Howard
    KY6LA_Howard Member ✭✭✭
    edited November 2015

    Funny Thing.. a couple of minutes after I finished posting this, I was inspired to check the stock of my local Apple Store to see if they had the new iPad Pro after a long drought of the cellular ones...

    Magic...they had none this morning BUT now they had stock (I suspect they got stock for Black Friday)... so I popped over to the Apple Store and picked up a new iPad Pro 128GB+ Cellular and of course, had to get a new iPad Air 2 for XYL.. lest she think I only buy new toys for myself.....[ the secret of buying yourself toys is to make sure XYL always gets a new one too]

    Actually the reason I was in the market for new ones - I had upgraded our 4th Generation iPads to iOS 9.1 and both had become unbearably slow, crashing all the time and unreliable... (Microsoft does not have the monopoly on releasing new O/S with **** bugs) ...

    We head back to Paris next week and I really did not feel comfortable to go overseas with unreliable iPads.... 

  • Ken - NM9P
    Ken - NM9P Member ✭✭✭
    edited December 2016
    Howard, can you post or email me your VPN settings? I know yours work with iPad....I think you also have an ASUS router?
  • David Decoons, wo2x
    David Decoons, wo2x Member, Super Elmer Moderator
    edited May 2016
    Ken, in order for OpenVPN to pass the broadcast packets you need to use TAP mode and not TUN. The problem is the iPad does not support TAP mode. So what I did was disable OpenVPN on my Asus RT-AC3200 and enable PPTP VPN. I made sure Samba support was enabled, then created a username and password. Under the WAN tab/DDNS I entered a name for the asuscomm.com dynamic DNS. On the iPad under General/Settings/VPN I created a PPTP connection. I entered the server name I chose in the asuscomm DDNS setup (example: myflex.asuscomm.com). I entered the username and password I created and saved the settings. From the remote network I connected to the VPN. Once it shows connected I switch to the K6TU app. Important note - the Asus router defaults to a 192.168.1.x subnet. The remote private subnet cannot be 192.168.1.x or it will not work. You can verify remote subnet by checking the wifi status on the iPad. Dave wo2x
  • KY6LA_Howard
    KY6LA_Howard Member ✭✭✭
    edited November 2015
    Sorry Ken, I am using SoftEther. Hardly any overhead on the Flex dedicated PC.
  • SteveM
    SteveM Member
    edited December 2015

    Ken,

    I would be willing to take a look at your router and try to get it working. Of course, you would need to temporarily open it up to me and you might not be willing to do that. But if so, enable WAN access on the router (as explained in the OP) and send me an email at stevem AT innovsys DOT com with the following info:

    1. router address

    2. Remote access port

    3. Login-Name/Password

  • Ken - NM9P
    Ken - NM9P Member ✭✭✭
    edited December 2016
    The trouble seems to be that the att uverse Motorola modem/router I seem to be forced to use doesn't have a true bridge setting, so my new ASUS router is receiving a "private" IP address and/or is in a multiple NAT situation, and the AsusWRT program won't work with this.... Frustrating. I will have to call ATT and see if they can help me with a firmware change or a different modem/router that has true bridging. The problem is that their modem also does my phone line.... Yech.....technology....big companies protecting the consumer from himself....
  • KY6LA_Howard
    KY6LA_Howard Member ✭✭✭
    edited November 2015
    @Ken I am a cable internet user. We were allowed to purchase our own cable modems as long as they were DOCSIS 3 compliant instead of renting them from the cable company. The benefit was that it was not only much less expensive than renting (payback 10 months) but I could choose a modem that had characteristics I needed. I did a quick search of Amazon for DSL Modems and found a lot of them. Suggest you check AT&T to see if you can bring your own. Likely save you money too.
  • Walt - KZ1F
    Walt - KZ1F Member ✭✭
    edited November 2016
    Comcast allowed that as well.
  • John-K3MA
    John-K3MA Member
    edited January 2017
    With this setup on my Asus RT-N66U I am getting packet loss. If less than 1% it does not affect operation but sometimes it is 1-2% which causes multiple audio drop outs per second. Is anyone else having the same issue/have a correction? Internet connection on both ends is 30+ Down and 3+ Up. Have tried disabling encryption but not much improvement. Monitoring system performance (CPU, Network, Disks and Memory) on both ends does not seem to show any issues.
  • Ken - NM9P
    Ken - NM9P Member ✭✭✭
    edited December 2016
    I finally found some instructions buried on an ATT forum about setting the IP Passthrough on the UVerse modem that worked.  I am now able to VPN to the 6500 using my iPad and listen with K6TU's excellent program.  I have also been able to VPN from my laptop in the office and fire up SSDR and listen.  I haven't tried to transmit yet.

    However I am only connected using PPTP.  I would like to use something more secure.  My ASUS Router will do PPTP, and it has another mode that uses OpenVPN in either TAP or TUN.  As David mentioned above, the iPad will not do OpenVPN using TAP mode.  

    Are there any other settings I can use to increase security?  Will the router do L2TP or other security?

    Ken - NM9P
  • SteveM
    SteveM Member
    edited December 2015

    The following illustration shows the most secure configuration for the PPTP protocol. Unfortunately, the PPTP protocol as a whole is now generally considered insecure (both the MS-CHAPv2 handshake and the underlying RC4 bulk-cipher have well-known attack modes):


    image
  • Ken - NM9P
    Ken - NM9P Member ✭✭✭
    edited December 2016
    Thanks. But now I have run into another snag.... Once I have logged into my VPN using either my iPhone or iPad, if I close the VPN connection and try to begin a VPN session from a different location (different WiFi router) then it rejects my connection and asks for my username and password again. If I enter the exact same username and password it still will not let me connect. If I reboot my VPN router, then it lets me connect again. But if I change locations, it locks me out again......
  • KY6LA_Howard
    KY6LA_Howard Member ✭✭✭
    edited December 2015
    Suggest you use SoftEther. It runs L2TP, needs no special router and has minimal overhead.
  • SteveM
    SteveM Member
    edited December 2015

    Ken,

    I'm sorry you are having so many issues with this, but hey, I guess you will gain expertise from the experience.

    Regarding your latest issue, check out the entry in the AsusWrt-FAQ regarding VPN connection problems: http://www.asus.com/us/support/FAQ/1008714.

    It states that the server can support a grand total of one VPN connection (PPTP or OpenVPN) at any given time. So it sounds like you are not actually shutting down the connection from the client when you think you are. I don't think this is a router issue. I think if you were to reboot the client, a reconnect would also succeed. I suggest checking the iOS boards on properly/completely shutting down VPN connections.

    Apple... /facepalm/    ;-D

  • SteveM
    SteveM Member
    edited December 2015

    Hmm, now I'm not sure I read the Chinglish properly on the Asus-FAQ. The PPTP->Advanced Settings pic I posted above suggests the default configuration for my router will support 10 simultaneous PPTP connections. I think the FAQ meant to say that you cannot operate simultaneous PPTP and OpenVPN connections.

    With that said, I suggest you look at the PPTP config page right after your connection attempt is denied. What does the status field for that user indicate?


    image


    This seems to suggest you can only have one active connection per user at any given time. So, if you find the status is not idle, then the problem is on the client side (i.e., the client is not shutting-down the connection properly or at-all).
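
Added example (not code from any poster in this thread or from Asus/OpenVPN): a small Python check of an exported .ovpn profile against the points raised above, namely TAP rather than TUN for broadcast discovery, encryption left enabled, the port/protocol a firewall must pass, and the 192.168.1.x subnet clash. The profile text, the host name `myshack.example.net` and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample profile (not taken from the thread); inline <ca> body is a placeholder.
SAMPLE_OVPN = """\
client
dev tun
proto udp
remote myshack.example.net 1194
cipher none
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
(constructed placeholder)
-----END CERTIFICATE-----
</ca>
"""

def parse_ovpn(text):
    """Return {directive: [args]} for an .ovpn profile, skipping inline <tag> blocks."""
    opts, inline = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if inline:                              # inside <ca>...</ca> and similar
            if line == f"</{inline}>":
                inline = None
            continue
        if not line or line[0] in "#;":         # blank line or comment
            continue
        if line.startswith("<") and line.endswith(">"):
            inline = line[1:-1]
            continue
        name, *args = line.split()
        opts[name] = args
    return opts

def audit(text, client_net, shack_net="192.168.1.0/24"):
    """List findings; shack_net defaults to the Asus 192.168.1.x LAN named in the thread."""
    opts, findings = parse_ovpn(text), []
    if not opts.get("dev", [""])[0].startswith("tap"):
        # Per the thread: broadcast packets need TAP (bridged), not TUN (routed).
        findings.append("dev is not tap: broadcast discovery will not cross the tunnel")
    if opts.get("cipher", [""])[0].lower() == "none":
        findings.append("cipher none: tunnel traffic is unencrypted")
    if "auth-user-pass" not in opts:
        findings.append("no auth-user-pass: client will not prompt for credentials")
    remote = opts.get("remote", [])
    if len(remote) >= 2 and opts.get("proto", ["udp"])[0].startswith("udp"):
        findings.append(f"note: UDP {remote[1]} must be reachable; try TCP if it is filtered")
    client = ipaddress.ip_network(client_net, strict=False)
    if client.overlaps(ipaddress.ip_network(shack_net)):
        findings.append(f"client LAN {client} overlaps shack LAN {shack_net}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_OVPN, "192.168.1.57/24"):
        print(finding)
```

Run it against the file the router exports and the address the remote machine currently holds; an empty list means none of these checks fired.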
