Skip to main content

Asus - OpenVPN Site to Site or Point to Point

Most of the documents online are missing steps or the folks writing the document are assuming that the folks setting this up are network traffic wizards.

GOAL:

With one of the Asus routers being the server and the other being a client, we want to be able from either side hit IPs or hostnames of any of any device.

Both Routers:

VPN Type: TUN as TAP maybe overkill for this case

Protocol: UDP

Static Routes: Both servers

When you export the OpenVPN certificates from the router (as opposed to supplying your own), they have the CN set as ‘client’. This is relevant/confusing for the server config, as our other router is a client named client.

Server:

ASUS RT-AC5300 with 192.168.53.1/24

Interface Type TUN TAP
Protocol TCP UDP
Server Port  (Default : 1194)
Authentication Mode TLS Static Key
Keys and Certificates
Username/Password Authentication Yes No
TLS control channel security
(tls-auth / tls-crypt)
HMAC Authentication
VPN Subnet / Netmask  
Advertise DNS to clients Yes No
Data ciphers
Compression
Log verbosity  (Between 0 and 6. Default: 3)
Manage Client-Specific Options Yes No
Allow Client <-> Client Yes No
Allow only specified clients Yes No
Allowed Clients
Common Name(CN) Subnet Mask Push Add / Delete
client 192.168.51.0 255.255.255.0 Yes
Custom Configuration
reneg-sec 432000
push "route 192.168.53.0 255.255.255.0"
route 192.168.51.0 255.255.255.0

Custom Explained:

reneg-sec 432000 #optional
push "route 192.168.53.0 255.255.255.0" #server LAN IP
route 192.168.51.0 255.255.255.0 #client LAN IP

Export the .ovpn files from the new server config

 

Client:

ASUS RT-AC5300 with 192.168.51.1/24

Import .ovpn config file exported from server, to set the certificates and some of the basic settings.

Select client instance
Service state
Automatic start at boot time Yes No
Description
Import .ovpn file  
Network Settings
Interface Type TUN TAP
Protocol TCP UDP
Server Address and Port  XXXXXXX.asuscomm.com
Create NAT on tunnel Yes No Routes must be configured manually.
Inbound Firewall Block Allow
Accept DNS Configuration
Redirect Internet traffic through tunnel
Authentication Settings
Authentication Mode TLS Static Key
Username/Password Authentication Yes No
Crypto Settings
Keys and Certificates
Data ciphers
TLS control channel security
(tls-auth / tls-crypt)
Auth digest
Advanced Settings
Log verbosity  (Between 0 and 6. Default: 3)
Compression
TLS Renegotiation Time  (in seconds, -1 for default)
Connection Retry attempts  (0 for infinite)
Verify Server Certificate Name
Custom Configuration
resolv-retry infinite
float
keepalive 15 60
remote-cert-tls server

Applied the "automatic start at boot time"

Turn on the client VPN

Server Connection:

OpenVPN Server 2 - Running
Clients
Common Name
Username
Real Address
Virtual Address
MBytes ReceivedMBytes SentConnected Since
client
XXX.XXX.XXX.XXX:47361
10.100.100.2
7305.282561.142024-12-22 09:49:57

Routes
Virtual AddressCommon NameReal AddressLast Ref
192.168.51.217CclientXXX.XXX.XXX.XXX:473612024-12-22 11:03:29
192.168.51.1CclientXXX.XXX.XXX.XXX:473612024-12-22 11:03:31
192.168.51.15CclientXXX.XXX.XXX.XXX:473612024-12-22 11:03:36
10.100.100.2clientXXX.XXX.XXX.XXX:473612024-12-22 11:03:50
192.168.51.109CclientXXX.XXX.XXX.XXX:473612024-12-22 11:03:28
192.168.51.145CclientXXX.XXX.XXX.XXX:473612024-12-22 11:03:50
192.168.51.10CclientXXX.XXX.XXX.XXX:473612024-12-22 11:03:31
192.168.51.101CclientXXX.XXX.XXX.XXX:473612024-12-22 11:03:25
192.168.51.140CclientXXX.XXX.XXX.XXX:473612024-12-22 11:03:40
192.168.51.9CclientXXX.XXX.XXX.XXX:473612024-12-22 11:03:50
192.168.51.23CclientXXX.XXX.XXX.XXX:473612024-12-22 11:03:44