Asus - OpenVPN Site to Site or Point to Point
Most of the documents online are missing steps or the folks writing the document are assuming that the folks setting this up are network traffic wizards.
GOAL:
With one of the Asus routers being the server and the other being a client, we want to be able from either side hit IPs or hostnames of any of any device.
Both Routers:
VPN Type: TUN as TAP maybe overkill for this case
Protocol: UDP
Static Routes: Both servers
When you export the OpenVPN certificates from the router (as opposed to supplying your own), they have the CN set as ‘client’. This is relevant/confusing for the server config, as our other router is a client named client.
Server:
ASUS RT-AC5300 with 192.168.53.1/24
| Interface Type | TUN TAP |
|---|---|
| Protocol | TCP UDP |
| Server Port | (Default : 1194) |
| Authentication Mode | TLS Static Key |
| Keys and Certificates | |
| Username/Password Authentication | Yes No |
| TLS control channel security (tls-auth / tls-crypt) |
|
| HMAC Authentication | |
| VPN Subnet / Netmask | |
| Advertise DNS to clients | Yes No |
| Data ciphers | |
| Compression | |
| Log verbosity | (Between 0 and 6. Default: 3) |
| Manage Client-Specific Options | Yes No |
| Allow Client <-> Client | Yes No |
| Allow only specified clients | Yes No |
| Allowed Clients | ||||
| Common Name(CN) | Subnet | Mask | Push | Add / Delete |
|---|---|---|---|---|
| client | 192.168.51.0 | 255.255.255.0 | Yes |
| Custom Configuration |
| reneg-sec 432000 push "route 192.168.53.0 255.255.255.0" route 192.168.51.0 255.255.255.0 |
Custom Explained:
reneg-sec 432000 #optional
push "route 192.168.53.0 255.255.255.0" #server LAN IP
route 192.168.51.0 255.255.255.0 #client LAN IPExport the .ovpn files from the new server config
Client:
ASUS RT-AC5300 with 192.168.51.1/24
Import .ovpn config file exported from server, to set the certificates and some of the basic settings.
| Select client instance | |
|---|---|
| Service state |
 |
| Automatic start at boot time | Yes No |
| Description | |
| Import .ovpn file |
| Network Settings | ||
| Interface Type | TUN TAP | |
|---|---|---|
| Protocol | TCP UDP | |
| Server Address and Port | XXXXXXX.asuscomm.com |
|
| Create NAT on tunnel | Yes No Routes must be configured manually. | |
| Inbound Firewall | Block Allow | |
| Accept DNS Configuration | ||
| Redirect Internet traffic through tunnel | ||
| Authentication Settings | |
| Authentication Mode | TLS Static Key |
|---|---|
| Username/Password Authentication | Yes No |
| Crypto Settings | |
| Keys and Certificates | |
|---|---|
| Data ciphers | |
| TLS control channel security (tls-auth / tls-crypt) |
|
| Auth digest | |
| Advanced Settings | |
| Log verbosity | (Between 0 and 6. Default: 3) |
|---|---|
| Compression | |
| TLS Renegotiation Time | (in seconds, -1 for default) |
| Connection Retry attempts | (0 for infinite) |
| Verify Server Certificate Name | |
| Custom Configuration |
| resolv-retry infinite float keepalive 15 60 remote-cert-tls server |
Applied the "automatic start at boot time"
Turn on the client VPN
Server Connection:
| OpenVPN Server 2 - Running | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||