Configuring OpenVPN server on an Asus DSL-AC68U so I can VPN to my home network. A lot of the settings are default for the moment. I'll be experimenting with generating my own certificates and various other settings in due course.

Modem Configuration

  • In the Asus GUI, browse to VPN - VPN Server - OpenVPN - Enable OpenVPN Server
  • Set Enable OpenVPN Server to: On
  • Add a Username & Password
  • Advanced Settings:
  Option                                        Configuration
  Interface Type                                TUN
  Protocol                                      UDP
  Server Port                                   1194
  Respond to DNS                                No
  Encryption Cipher                             AES-256-CBC
  HMAC Authentication                           SHA 256
  Username / Password Auth. Only                No
  Authorization Mode                            TLS
  RSA Encryption                                2048
  Extra HMAC authorization                      Incoming (0)
  VPN Subnet / Netmask                          10.8.0.0/24
  Push LAN to clients                           Yes
  Direct clients to redirect Internet traffic   No
  TLS Renegotiation Time                        -1
  Manage Client-Specific Options                No
  • Apply configuration and Export the .ovpn configuration file.

Ubuntu Client Configuration

  • Install OpenVPN if it isn't already.
$ sudo apt install openvpn
  • Update the .ovpn file to separate the keys from the config.
  • Move each certificate / key, contained in the markup blocks as below, to a separate file.
  • Save the files in /etc/openvpn/certs
  • Update the configuration file as below:
<ca>
-----BEGIN CERTIFICATE-----
.
.
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
.
.
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
.
.
-----END PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
.
.
-----END OpenVPN Static key V1-----
</tls-auth>

Becomes:

ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/client.crt
key /etc/openvpn/certs/client.key
tls-auth /etc/openvpn/certs/tls-auth.key
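The manual split described in the steps above, as an added shell example (not part of the original notes and not an OpenVPN or Asus tool): split_ovpn pulls each inline <ca>, <cert>, <key> and <tls-auth> block out of the exported .ovpn into the four file names used above, locks each file to mode 600, and writes a copy of the config with the path directives in place of the inline material. The function name, its arguments and the sample .ovpn used to exercise it are assumptions; any other line in the export (client, dev, key-direction, ...) is carried over unchanged.

```shell
#!/bin/sh
# split_ovpn: move the inline <ca>/<cert>/<key>/<tls-auth> blocks of an
# exported .ovpn into separate files and rewrite the config to reference
# them by path. Added example; not OpenVPN's or the router's own tooling.
#
# usage: split_ovpn exported.ovpn /etc/openvpn/certs client.conf
#   $1  exported .ovpn containing inline blocks
#   $2  directory that receives ca.crt, client.crt, client.key, tls-auth.key
#   $3  rewritten config to write (no inline key material left in it)

# tag:file pairs, matching the file names used in the notes (assumed layout)
OVPN_INLINE='ca:ca.crt cert:client.crt key:client.key tls-auth:tls-auth.key'

split_ovpn() {
    src=$1; dir=$2; out=$3
    mkdir -p "$dir"
    for pair in $OVPN_INLINE; do
        tag=${pair%%:*}; file=${pair#*:}
        # Copy only the lines strictly between <tag> and </tag>.
        awk -v t="$tag" '
            $0 == ("<" t ">")  { inside = 1; next }
            $0 == ("</" t ">") { inside = 0; next }
            inside             { print }
        ' "$src" > "$dir/$file"
        # Key material is readable by root only (the chmod 600 step above).
        chmod 600 "$dir/$file"
    done
    # Drop every inline block from the config, keep everything else.
    awk '
        /^<(ca|cert|key|tls-auth)>$/   { skip = 1; next }
        /^<\/(ca|cert|key|tls-auth)>$/ { skip = 0; next }
        !skip                          { print }
    ' "$src" > "$out"
    # Append the path directives that replace the inline blocks.
    for pair in $OVPN_INLINE; do
        printf '%s %s/%s\n' "${pair%%:*}" "$dir" "${pair#*:}" >> "$out"
    done
    chmod 600 "$out"
}

# Run as a script: sh split_ovpn.sh mitol.ovpn /etc/openvpn/certs mitol.conf
if [ "$#" -eq 3 ]; then
    split_ovpn "$@"
fi
```

Run it as root, since /etc/openvpn/certs is root-owned; the resulting files match the `ls -al` listing shown further down (mode 600, owner root). Paths with spaces are not handled, which is fine for the layout used here.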
  • Configuration file
remote x.x.x.x 1194
float
nobind
proto udp
dev tun
sndbuf 0
rcvbuf 0
keepalive 15 60
comp-lzo adaptive
auth-user-pass
client
auth SHA256
cipher AES-256-CBC
ns-cert-type server
ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/client.crt
key /etc/openvpn/certs/client.key
tls-auth /etc/openvpn/certs/tls-auth.key
key-direction 1
  • Change permissions on the certs to lock them down to root.
$ sudo chmod 600 /etc/openvpn/certs/*
$ ls -al /etc/openvpn/certs/
total 24
drwxr-xr-x 2 root root 4096 Jan 20 15:14 .
drwxr-xr-x 5 root root 4096 Jan 20 15:08 ..
-rw------- 1 root root 1528 Jan 20 15:14 ca.crt
-rw------- 1 root root 1622 Jan 20 15:14 client.crt
-rw------- 1 root root 1707 Jan 20 15:14 client.key
-rw------- 1 root root  601 Jan 20 15:14 tls-auth.key
  • Connect the VPN
$ sudo openvpn mitol.ovpn
Sun Jan 20 15:20:26 2019 OpenVPN 2.4.6 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Sep  3 2018
Sun Jan 20 15:20:26 2019 library versions: OpenSSL 1.1.1  11 Sep 2018, LZO 2.10
Enter Auth Username: username
Enter Auth Password: password
Sun Jan 20 15:20:29 2019 WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
Sun Jan 20 15:20:29 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]x.x.x.x:1194
Sun Jan 20 15:20:29 2019 UDP link local: (not bound)
Sun Jan 20 15:20:29 2019 UDP link remote: [AF_INET]x.x.x.x:1194
Sun Jan 20 15:20:29 2019 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sun Jan 20 15:20:30 2019 [DSL-AC68U] Peer Connection Initiated with [AF_INET]x.x.x.x:1194
Sun Jan 20 15:20:31 2019 TUN/TAP device tun0 opened
Sun Jan 20 15:20:31 2019 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sun Jan 20 15:20:31 2019 /sbin/ip link set dev tun0 up mtu 1500
Sun Jan 20 15:20:31 2019 /sbin/ip addr add dev tun0 local 10.8.0.10 peer 10.8.0.9
Sun Jan 20 15:20:31 2019 Initialization Sequence Completed

To Do

  • Update ns-cert-type in config
  • Generate own certs from internal CA.
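A small check for the two WARNING lines in the connection output above (deprecated ns-cert-type, password caching without auth-nocache) together with the permission step, as an added shell example that is not part of the original notes and not an OpenVPN tool: check_ovpn_client prints one line per finding and returns the number found, and harden_ovpn_client applies the two config changes the warnings point at. Function names, arguments and the sample config in the test are assumptions. One caveat before swapping in remote-cert-tls server: it only succeeds if the server's certificate carries the serverAuth extended key usage (with matching keyUsage bits), so inspect the router's certificate with `openssl x509 -in <cert> -noout -text` first; issuing the certificates from an internal CA, as the To Do list plans, is the point at which to make sure of that.

```shell
#!/bin/sh
# check_ovpn_client: lint an OpenVPN client config for the issues the
# connection log above reports, plus file permissions on referenced keys.
# Added example; not OpenVPN's own tooling.
#
# usage: check_ovpn_client client.conf   (returns the number of findings)

check_ovpn_client() {
    conf=$1; n=0
    # ns-cert-type checks the old Netscape cert-type extension and is
    # deprecated; remote-cert-tls server checks the X.509 EKU instead.
    if grep -q '^ns-cert-type' "$conf"; then
        echo "deprecated: ns-cert-type; use 'remote-cert-tls server'"; n=$((n+1))
    fi
    if ! grep -q '^remote-cert-tls server' "$conf"; then
        echo "missing: remote-cert-tls server (server role of peer cert not checked)"; n=$((n+1))
    fi
    # auth-user-pass without auth-nocache keeps the password in memory for
    # renegotiation: the second WARNING in the log.
    if grep -q '^auth-user-pass' "$conf" && ! grep -q '^auth-nocache' "$conf"; then
        echo "missing: auth-nocache (password may be cached in memory)"; n=$((n+1))
    fi
    # tls-auth on the client needs a key-direction (1 in these notes).
    if grep -q '^tls-auth' "$conf" && ! grep -q '^key-direction' "$conf"; then
        echo "missing: key-direction for tls-auth"; n=$((n+1))
    fi
    # Every referenced ca/cert/key/tls-auth file must exist and be mode 600.
    # (paths without spaces assumed, as in the notes)
    for f in $(awk '$1=="ca"||$1=="cert"||$1=="key"||$1=="tls-auth"{print $2}' "$conf"); do
        if [ ! -f "$f" ]; then
            echo "missing file: $f"; n=$((n+1))
        elif [ "$(ls -l "$f" | cut -c1-10)" != "-rw-------" ]; then
            echo "permissions: $f is not mode 600"; n=$((n+1))
        fi
    done
    return $n
}

# harden_ovpn_client: apply the two config fixes the log suggests, in place.
# The file is rewritten through cat so its owner and mode are preserved.
harden_ovpn_client() {
    conf=$1
    sed 's/^ns-cert-type server$/remote-cert-tls server/' "$conf" > "$conf.tmp"
    cat "$conf.tmp" > "$conf"
    rm -f "$conf.tmp"
    grep -q '^auth-nocache' "$conf" || echo 'auth-nocache' >> "$conf"
}

# Run as a script: sh check_ovpn_client.sh mitol.conf
if [ "$#" -eq 1 ]; then
    check_ovpn_client "$1"
fi
```

With auth-nocache set, OpenVPN prompts again on each renegotiation unless the credentials are supplied from a file, which is the trade-off the warning is hinting at. Permission findings are deliberately reported rather than fixed, so that a stray world-readable key is noticed, not silently papered over.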