Guide: Configuring OpenVPN on Asus routers

The OpenVPN server in these routers started out as a feature of the excellent RMerlin firmware mod (based in turn on the OpenVPN implementation in the relatively popular Tomato router firmware). Luckily, since version 374.2050 of the official firmware, it is included by default and is extremely easy to configure.

This does not mean that we cannot configure all the details as before, but several tedious tasks are now automated, such as the generation of public and private keys, which previously had to be done manually. This allows certificate-based authentication without demanding too much time or knowledge from the user.

Why use OpenVPN instead of the usual PPTP server?

The answer is simple: it is a much more secure method (see [3]) than the PPTP server that is commonly used in home environments and routers because of its simplicity. It is relatively standard, it is not significantly more expensive in resources, and it is much more flexible. Although somewhat tedious to configure, it is very comfortable once you are familiar with the environment.

In fact, it is easy to configure a PPTP server on a Windows computer without installing any additional software, following guides like the one in [5]. But it is much better to configure the server on the router, which saves us from having to redirect ports and create firewall rules and is always on to accept connections. And if it can be more secure than PPTP, as with the OpenVPN method we will explain, so much the better.

Note: You can also configure an OpenVPN server on a regular PC if you do not have a router with this firmware or one that is compatible with DD-WRT/OpenWRT. For users interested in this option, we recommend following the corresponding article in the Debian wiki, which details the steps in [6].

Step-by-step configuration manual

This is not intended to be an exhaustive configuration guide, but a first contact to have a basic server running that can later be configured to suit each user.

The steps are as follows:

  1. We connect to the router from any browser by entering its IP in the address bar (by default 192.168.1.1, although in this guide it will be 10.20.30.1) and logging in with our username and password (by default admin/admin on Asus routers, but if we are following this guide they should already have been changed for a long time).
  2. We go to the VPN menu within the advanced options, select the first instance (Server 1) in the OpenVPN tab, and move the switch to the ON position. It is not necessary, but it is recommended to add users to our VPN. In this case we have chosen tests/tests as user/password; we of course recommend a more robust password in a real environment. We click the “+” button to add the user and can then apply the changes with the Apply button at the bottom of the page.
  3. OPTIONAL: When the server is activated, a dropdown appears in which we can select Advanced configuration and change the parameters we need. In our case, we will use the default settings. If we want to force the use of a username and password, this is the place to do it.

    For users who want a completely manual configuration, it is possible to generate our own certificates/keys for the users we want using easy-rsa, as described in. In this case, the easiest thing to do is to generate the keys from the PC and configure the three necessary values by clicking on the following link (keys is a bad translation of “keys” in the firmware):
    This type of configuration is quite advanced, so it is recommended that users who want to venture into it configure and test a server with auto-generated keys first. It is not a good practice for a neophyte to set up the server in this way with no prior experience.
  4. We already have the server running. Now we need to transfer the certificates to the clients for a secure connection. See for detailed examples of the server.conf and client.conf files (respectively, server.ovpn and client.ovpn on Windows) with comments and documentation, but in our case it is much easier to use the Export button.
     
    The file we will get will look something like this (keys removed for security):

    The parameter that I have marked is the address of our server, which has probably not been configured correctly in some cases where the DDNS does not “know” the address it points to (as in my case, since I use Dnsomatic to have an address that always points to my dynamic IP).
    Although the correct configuration is like this, with a fixed address, there is no problem if you do not have a DDNS configured. To test, you can fill in this field with the WAN IP of the router (the external IP, that is, the one that can be seen at http://cualesmiip.com or http://echoip.com), with the drawback that every time our IP changes we must edit the file to reflect it. As the connection is to the router itself, we obviously do not have to redirect ports.
  5. All that remains is to configure the client. In our case, it will be Windows, 64-bit. The installation is simple and we will not detail it. For general use, it is not necessary to change any of the default options.
  6. Now, depending on the installed version, we must copy the file that we exported previously (we have named it client1.ovpn) to the client configuration directory. On Windows, this directory will be Program Files/OpenVPN/config/ (Program Files (x86)/OpenVPN/config/ for the 32-bit version). Then we run the client as administrator. If we have configured it to do so, it will ask us for a username and password in addition to the certificates that are already in the configuration file; otherwise, it connects directly. If everything went well, we will see a record similar to this one in the log (screenshot taken in a scenario without password validation). The green screen icon on the taskbar confirms that we are connected and shows the virtual IP assigned to the computer from which we launched the VPN client.

From this moment on, the computer will behave as if it were physically connected to the local network managed by the router on which we have configured the OpenVPN server.
We can monitor all connections of this type from our router. For example, with the server configured as described and the laptop connected, we will see something like this in the VPN->VPN Status section.

Note: Connecting to a VPN from within our own network is sometimes problematic (naturally, since connecting a local network to itself through a VPN is a rather artificial use). If someone has problems getting the VPN connection to work after following all the steps, it is highly recommended to try again over the data connection of a mobile phone (via tethering, for example), with a 3G/4G USB stick, or directly from another location.
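
The server-address problem described in the step that exports the client file can be checked before the file is copied to a client. The following is an added example, not part of the original guide or of the Asus firmware: a small linter for an exported client file that flags a `remote` address that is missing, not reachable from the Internet, or a literal IP, and reports whether username/password authentication is requested. The sample file is constructed; `remote`, `auth-user-pass` and the inline `<ca>` block are standard OpenVPN client directives.

```python
import ipaddress
import re

# Constructed sample of an exported client file (not the guide's own file);
# the certificate body is a placeholder.
SAMPLE_OVPN = """client
dev tun
proto udp
remote 192.168.1.1 1194
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
</ca>
"""

def lint_client_ovpn(text):
    """Return a list of findings for an OpenVPN client configuration."""
    findings = []
    # Note which inline blocks exist, then drop them so key material is not parsed.
    inline = set(re.findall(r"^<([\w-]+)>\s*$", text, re.M))
    body = re.sub(r"^<([\w-]+)>.*?^</\1>\s*$", "", text, flags=re.M | re.S)
    directives = [line.split() for line in body.splitlines()
                  if line.strip() and not line.lstrip().startswith(("#", ";"))]
    remotes = [d for d in directives if d[0] == "remote"]
    if not remotes:
        findings.append("no 'remote' line: the client has no server address")
    for d in remotes:
        host = d[1] if len(d) > 1 else ""
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            if "." not in host:
                findings.append(f"remote '{host}' is empty or a single-label name")
            continue  # a DNS name (e.g. a DDNS host) survives WAN IP changes
        if not ip.is_global:  # LAN, loopback or carrier-grade NAT address
            findings.append(f"remote {host} is not reachable from the Internet")
        else:
            findings.append(f"remote {host} is a literal IP: update it when the WAN IP changes")
    if not any(d[0] == "auth-user-pass" for d in directives):
        findings.append("no 'auth-user-pass': the certificate is the only credential")
    if "ca" not in inline and not any(d[0] == "ca" for d in directives):
        findings.append("no CA certificate: the server identity cannot be verified")
    return findings

if __name__ == "__main__":
    for finding in lint_client_ovpn(SAMPLE_OVPN):
        print("WARNING:", finding)
```

An empty result means the file points at a DNS name, asks for a username and password, and carries a CA certificate.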

We hope that this guide will be useful for you to increase the security of your connections to the home network from abroad. We encourage you to leave any questions or observations in the comments.
