Best way to remotely connect to my server


DrKK

FreeNAS Generalissimo
Joined
Oct 15, 2013
Messages
3,630

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,977
That's easy!


zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
Also, if one is using Windows and PuTTY, the proxy command can be input into Connection -> SSH -> Tunnels in the format of local port number, remote IP : port number (e.g. L5000 192.168.1.1:443), then save the profile.

Whenever you SSH in, you can simply navigate to localhost:5000 [127.0.0.1:5000], which will send you to the WebGUI of whatever you wish to access.
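The PuTTY tunnel entry above is the same thing OpenSSH expresses with `-L`. As an added example (not from the post, and not a PuTTY or OpenSSH tool), the helper below parses PuTTY-style entries such as `L5000 192.168.1.1:443` and builds the equivalent `ssh` argument list; the function names and the `nas.example.invalid` target are this example's own. It binds the listening side to 127.0.0.1 explicitly, which is what makes the forwarded port reachable only from the machine running the client, as the post's `localhost:5000` relies on.

```python
import shlex

# Hypothetical helper: translate a PuTTY "Tunnels" entry into OpenSSH arguments.
# PuTTY entries start with L (local), R (remote) or D (dynamic SOCKS), then the
# source port and, for L/R, a "host:port" destination.

def _port(text: str) -> int:
    port = int(text)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {text}")
    return port

def putty_tunnel_to_ssh(spec: str, bind: str = "127.0.0.1") -> list[str]:
    """Return the OpenSSH argv fragment for one PuTTY tunnel entry.

    bind is the address the listening side binds to; 127.0.0.1 keeps the
    forwarded port private to the machine running ssh.
    """
    spec = spec.strip()
    if not spec or spec[0].upper() not in "LRD":
        raise ValueError(f"tunnel entry must start with L, R or D: {spec!r}")
    kind, rest = spec[0].upper(), spec[1:].split()
    if kind == "D":
        if len(rest) != 1:
            raise ValueError(f"dynamic forward takes only a source port: {spec!r}")
        return ["-D", f"{bind}:{_port(rest[0])}"]
    if len(rest) != 2 or ":" not in rest[1]:
        raise ValueError(f"expected '<port> <host>:<port>': {spec!r}")
    src_port = _port(rest[0])
    host, _, dst_port = rest[1].rpartition(":")
    flag = "-L" if kind == "L" else "-R"
    return [flag, f"{bind}:{src_port}:{host}:{_port(dst_port)}"]

def ssh_tunnel_command(target: str, entries: list[str]) -> list[str]:
    """Full argv; -N opens the tunnels without requesting a remote shell."""
    argv = ["ssh", "-N"]
    for entry in entries:
        argv += putty_tunnel_to_ssh(entry)
    argv.append(target)
    return argv

if __name__ == "__main__":
    # Constructed example target; prints the command a user would type.
    cmd = ssh_tunnel_command("admin@nas.example.invalid", ["L5000 192.168.1.1:443"])
    print(shlex.join(cmd))
```

For `-R` entries the bind address on the remote side is only honoured when the server's `GatewayPorts` setting allows it; by default sshd binds the remote listener to loopback regardless.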

hervon

Patron
Joined
Apr 23, 2012
Messages
353
I got openvpn on my router to work, but I had to use an older version of the client that didn't require a high level of encryption (because Asus is filled with a bunch of jackasses who decided to put a years old version of openvpn on their routers). I was honestly fine with it until recently when it suddenly stopped working for some reason and I've been unable to get it working again.
You might consider http://www.snbforums.com/threads/asuswrt-merlin-custom-firmware-for-asus-routers.7846/
Merlin firmware for your Asus router if supported. He usually takes precious care of OpenVPN. Give it a go.

djdwosk97

Patron
Joined
Jun 12, 2015
Messages
382
Sorry for the late reply everybody, I've been fairly busy and since I stopped getting email notifications about half-way through the thread (since I wasn't replying I assume), I didn't realize how many more replies there were. Anyway.... Tonight I'm going to try to set up openVPN on another system I have lying around and if I can get it working on that then I'll try to repeat the process on my actual server. Are there any good openVPN client recommendations -- when my VPN was working I was using openVPN on Windows and Tunnelblick on OSX.

Here's the guide I was going to follow, is there a better one?: https://forums.freenas.org/index.ph...-6-with-access-to-remote-hosts-via-nat.22873/

I hear this frequently. A (usually new) user of FreeNAS wants to access the GUI of FreeNAS remotely.

May I ask, why? What is it that you would like to do on the GUI remotely? Once your FreeNAS is set up, there is nothing you need on the GUI that can't wait until the next time you are on the LAN. At least as far as I know. Hell, @cyberjock himself once went something like 5 months without accessing the GUI....AT ALL....much less from the WAN.

So I am intellectually curious what people are after, on a day-to-day basis, that they would go through some hassle to expose it to the internet. If it's properly configured, nothing should require your tweaking in the GUI, nothing should need to be "fixed" in the GUI. At least nothing that can't wait until you get back to the local network.
I don't frequently need to access the GUI, although my Plex plugin needs to be rebooted every so often. And normally I could wait until I'm home and just deal with it then, however when I'm at school I'll be away from the server for months at a time -- and should a problem arise I would like some way to access it.

I really would like to setup a VPN, so I probably will give it another shot as I much prefer a VPN to SSH.
If OpenWrt is available for the router, it should be flashed in lieu of DD-Wrt due to the lack of functionality of DD-Wrt and its limited customization options. Due to internal politics at OpenWrt, similar to what's occurred at ownCloud, you may also want to check out LEDE... but I would avoid DD-Wrt unless it's the absolute last alternative.

If you do decide to flash and configure OpenVPN, this is a wiki I wrote for configuring OpenVPN servers and clients on OpenWrt. I also strongly encourage utilizing OpenSSL directly via the openssl.cnf in my signature in lieu of creating certs with Easy-RSA (all commands required are at the bottom of the cnf, starting at line 321)
I have an Asus AC68u. Are there any advantages/disadvantages to Tomato/DDWRT/openwrt/Merlin/other? Also, would there be any advantage to running the VPN on my FreeNAS server vs. the router? I had a lot of trouble the last time I tried setting up openVPN, but the more I think about it, the more I think that I may have just been doing something very stupid as that was when I first started with FreeNAS -- I'll probably try to set up openVPN on another system I have lying around and hopefully I'll be able to get it working this time.

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
I don't frequently need to access the GUI, although my Plex plugin needs to be rebooted every so often. And normally I could wait until I'm home and just deal with it then, however when I'm at school I'll be away from the server for months at a time -- and should a problem arise I would like some way to access it.
You can do all that through SSH

I really would like to setup a VPN, so I probably will give it another shot as I much prefer a VPN to SSH.
You can utilize either, however for the above two uses, there's little point to doing that through a VPN, as SSH is just as secure and requires less system resources. There is no right or wrong option to choose, both are tools to get the same thing done.

I have an Asus AC68u. Are there any advantages/disadvantages to Tomato/DDWRT/openwrt/Merlin/other? Also, would there be any advantage to running the VPN on my FreeNAS server vs. the router? I had a lot of trouble the last time I tried setting up openVPN, but the more I think about it, the more I think that I may have just been doing something very stupid as that was when I first started with FreeNAS -- I'll probably try to set up openVPN on another system I have lying around and hopefully I'll be able to get it working this time.
OpenWrt offers more to the end user than Tomato or DD-WRT (not familiar with Merlin), offering a package repository similar to one on a desktop distro. DD-WRT is quite lacking in many areas, as is Tomato.
  • OpenWrt
    • Asus AC68U TOH [Table of Hardware] page
      • Prior to flashing any open source firmware, buy a USB-TTL cable
        • This is the only way to de-brick a failed [corrupted] flash
      • Never flash over WiFi, always via ethernet
What I'm not sure of is if it's fully supported, if there are precompiled images, or if you'll need to set up the Build environment yourself and use menuconfig to select your router and packages
  1. Build Prerequisites
  2. Build HowTo
    • It's fairly easy to get set up, however certain distros require differently named packages to the ones listed (i.e. if you go to install a package and are told it doesn't exist, google to find your distro's equivalent). If you have any issues getting the build environment set up, let me know.
The lack of thread replies makes me wonder if it's fully supported on OpenWrt, along with the fact the ToH page is really lacking in details. For example, here's the ToH page for the Linksys WRT1X00AC/S series (granted, it's aesthetically pleasing due to a massive revamping I've done on it with the input of others in the community for content).
  • If your model is supported, I would refer to certain generalized information in the WRT1X00AC/S Series wiki, as we've done a great job of ensuring new OpenWrt users have a foundation of good information to build upon. Mainly:
    • Flashing Firmware section
      • Specifically, information contained prior to the OpenWrt -> OpenWrt section and information in the OEM -> OpenWrt section, starting at #3)
    • Certain information within the Serial Port [JTAG] section

djdwosk97

Patron
Joined
Jun 12, 2015
Messages
382
You can do all that through SSH


You can utilize either, however for the above two uses, there's little point to doing that through a VPN, as SSH is just as secure and requires less system resources. There is no right or wrong option to choose, both are tools to get the same thing done.


OpenWrt offers more to the end user than Tomato or DD-WRT (not familiar with Merlin), offering a package repository similar to one on a desktop distro. DD-WRT is quite lacking in many areas, as is Tomato.
  • -snip-
I know I can do it through SSH, but I would really prefer to have a VPN set up anyway, the only reason I was going to do SSH this time was because I couldn't get openVPN working the last time I tried it (I also have ownCloud and I've heard that I'm better off using a VPN than trying to secure and expose that). I don't really care about system resources, I have a 1230v2 and 32 GB of RAM that just has to handle plex for 1-2 users and ownCloud, so I have a ridiculous amount of headroom.

Is there any advantage to running the VPN on the router rather than the server? (other than one being easier to set up and/or being less troublesome with regards to updates to the server). Also, same for DDNS -- is there any advantage to running DDNS on the server (it's currently running on the router) and/or is there an advantage to running both on the same device?
zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
More likely than not, the server hardware will be able to vastly outperform the router with encryption/decryption (I wouldn't recommend anything less than 2048bit/SHA256). You can test cipher speeds with the command openssl speed

DDNS needs to be run on the WAN facing router, as the DDNS address resolves to your public IP, which the server should not be receiving.

OpenVPN is extremely easy to configure and if you haven't already, I really would recommend reading the OpenVPN HowTo [~15min] and OpenVPN man page [~45min]. Both help to fully understand not only what possibilities you have, but options you may benefit from setting, and what each option you set means.
  • If you're going to run OpenVPN within a jail, there may be certain security measures that may need to be implemented (other senior members should be able to provide feedback on that). I'd also recommend searching the forum for threads related to running OpenVPN in a jail and exposing that jail directly to WAN.

Here is the OpenVPN config I used on OpenWrt prior to moving to Sophos UTM
  • BSD configs are slightly different, as option isn't utilized, nor are underscores [hyphens are utilized instead]
  • I wrote this OpenVPN Server HowTo for OpenWrt you may want to check out, and while some of the information will not apply, a substantial amount will. I plan on updating it this week to remove the Easy-RSA section, as Easy-RSA does not create proper VPN server and client certs, on top of its inability to customize the certificate and its common name.
    • I would recommend utilizing OpenSSL directly to generate a CA and certs, in lieu of using Easy-RSA. I have a custom, prebuilt openssl.cnf in my signature, with all commands you'll need at the bottom of the config (starting at line 330).
OpenVPN Server Config
Code:
        ##::[[---  OpenVPN Server Config  ---]]::##

# For OpenWRT users:
    # Use as is
    # You can utilize the same file for multiple servers.
        # Copy & paste first config below itself with a blank line separating each.

# For *nix/BSD users:
    # Certain words and characters will need to be altered:
        # Lines 28 - 31 need to be removed.
        # "Option" is not utilized.
        # Change underscores to hyphens.

# Diffie-Hellman PEM (dh4096.pem)
    # DH parameters must be generated with a value ABOVE that with which you will be utilizing.
        # If you generate 2048bit certs, your dh.pem must exceed that value.

# PFS [Perfect Forward Secrecy] is maintained by two methods: 
    # SSL:
        # Via the TLS Auth key [ta.key]
            # Generate via: openvpn --genkey --secret ta.key
    # TLS:
        # Via specifying a TLS Cipher, such as TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
            # Generate supported ciphers via: openvpn --show-tls


config openvpn 'VPNserver'

        option  enabled             1

    # --- Protocol ---#
        option  dev                 tun
        option  dev                 tun1
        option  topology            subnet
        option  proto               udp
        option  port                1194

    #--- Routes ---#
        option  server              '10.0.0.0 255.255.255.240'
        option  ifconfig            '10.0.0.1 255.255.255.240'        

    #--- Client Config ---#
    #   option  ccd_exclusive           1
    #   option  ifconfig_pool_persist   /etc/openvpn/clients/ipp.txt
    #   option  client_config_dir       /etc/openvpn/clients/

    #--- Pushed Routes ---#
        list    push                'route 192.168.0.0 255.255.255.0'
        list    push                'dhcp-option DNS 192.168.0.1'
        list    push                'dhcp-option WINS 192.168.0.1'
        list    push                'dhcp-option DNS 8.8.8.8'
        list    push                'dhcp-option DNS 8.8.4.4'
        list    push                'dhcp-option NTP 129.6.15.30'

    #--- Encryption ---#
      # Diffie-Hellman:
        option  dh                  /etc/ssl/certs/openvpn/dh4096.pem

      # PKCS12:
        option  pkcs12              /etc/ssl/certs/openvpn/vpn-server.p12

      # SSL:
        option  cipher              AES-256-CBC
        option  auth                SHA512
        option  tls_auth            '/etc/ssl/certs/openvpn/ta.key 0'

      # TLS:
        option  tls_version_min     1.2
        option  tls_cipher          'TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384:TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384:TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384:TLS-ECDH-ECDSA-WITH-AES-256-GCM-SHA384:TLS-ECDH-RSA-WITH-AES-256-CBC-SHA384:TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA384:TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256:TLS-DHE-DSS-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256:TLS-DHE-DSS-WITH-AES-128-CBC-SHA256:TLS-ECDH-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDH-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDH-RSA-WITH-AES-128-CBC-SHA256:TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA256'

    #--- Logging ---#
        option  log_append          /tmp/openvpn.log
        option  status              /tmp/openvpn-status.log
        option  verb                7

    #--- Connection Options ---#
        option  keepalive           '10 120'
        option  comp_lzo            yes

    #--- Connection Reliability ---#
        option  client_to_client    1
        option  persist_key         1
        option  persist_tun         1

    #--- Connection Speed ---#  
        option  sndbuf              393216
        option  rcvbuf              393216
        option  fragment            0
        option  mssfix              0
        option  tun_mtu             24000

    #--- Pushed Buffers ---#
        list    push                'sndbuf 393216'
        list    push                'rcvbuf 393216'

    #--- Permissions ---#
        option  user                nobody
        option  group               nogroup
    #   option  chroot              /var/chroot-openvpn/


#####################################################
        ##----- If chroot is utilized -----##
#####################################################
   
# chroot SHOULD be utilized in case VPN is ever exploited

# chroot requires customization of the chroot directory; please google how to setup a chroot 


    #--- Client Config ---#
    #   option  ccd_exclusive           1
    #   option  ifconfig_pool_persist   /var/chroot-openvpn/etc/openvpn/clients/ipp.txt
    #   option  client_config_dir       /var/chroot-openvpn/etc/openvpn/clients
   
    #--- Encryption ---#
    #   option  cipher              AES-256-CBC
    #   option  dh                  /var/chroot-openvpn/etc/ssl/certs/openvpn/dh4096.pem
    #   option  pkcs12              /var/chroot-openvpn/etc/ssl/certs/openvpn/vpn-server.p12
    #   option  tls_auth            '/var/chroot-openvpn/etc/ssl/certs/openvpn/ta.key 0'


OpenVPN Client Config
Code:
        ##::[[---  OpenVPN Client Config  ---]]::##

# For Windows users:
    # Use as is
    # If PKCS12 isn't within the same directory as the ovpn, path must be referenced.

# For Android:
    # PKCS12 [line 32] is unnecessary, as cert will be imported into the Android Keychain.

# Certificates:
    # "remote-cert-tls server" should only be utilized if generating certs using Easy-RSA.
    # "remote-cert-ku XX" should be utilized if generating certs using an openssl.cnf.
        # For an explanation: https://www.v13.gr/blog/?p=386


# --- Config Type --- #
    client

# --- Protocol ---#
    dev tun
    proto udp

# --- DDNS --- #
    remote your.ddns.com 1194

# --- Encryption --- #

  # SSL:
    cipher AES-256-CBC
    auth SHA512
    key-direction 1

<tls-auth>
-----BEGIN OpenVPN Static key V1-----
#---PASTE KEY HERE---#
-----END OpenVPN Static key V1-----
</tls-auth>
   
  # TLS:
    tls-version-min 1.2
   
    # Flat OpenVPN configs use hyphens, not underscores, in directive names.
    tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384:TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384:TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384:TLS-ECDH-ECDSA-WITH-AES-256-GCM-SHA384:TLS-ECDH-RSA-WITH-AES-256-CBC-SHA384:TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA384:TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256:TLS-DHE-DSS-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256:TLS-DHE-DSS-WITH-AES-128-CBC-SHA256:TLS-ECDH-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDH-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDH-RSA-WITH-AES-128-CBC-SHA256:TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA256

#--- Server Security ---#
    pkcs12 vpn-client1.p12
    remote-cert-ku f8
    auth-nocache

# --- Logging --- #
    verb 5

# --- Connection --- #
    comp-lzo
    float
    nobind
    resolv-retry infinite

# --- Connection Reliability --- #
    persist-key
    persist-tun

# --- Connection Speed ---#
    fragment 0
    mssfix 0
    tun-mtu 24000
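The post notes that the OpenWrt UCI form above differs from a flat OpenVPN config only mechanically: no `option`/`list` keywords, no section header, and hyphens instead of underscores in directive names. As an added example (not the poster's tool and not part of OpenWrt or OpenVPN), the converter below applies exactly those rules to a constructed UCI excerpt modelled on the server config above. The `UCI_ONLY` and `FLAG_DIRECTIVES` sets are this example's assumptions, limited to names that appear in the thread's configs.

```python
import re

# UCI keys that are OpenWrt-only and have no OpenVPN directive (assumption).
UCI_ONLY = {"enabled"}

# OpenVPN directives that take no argument; the OpenWrt init script emits them
# from "option name 1".  Only those used in the thread's configs are listed.
FLAG_DIRECTIVES = {"client-to-client", "persist-key", "persist-tun", "float",
                   "nobind", "auth-nocache", "client"}

_UCI_LINE = re.compile(r"^(option|list)\s+(\S+)\s+(.+?)$")

def _unquote(value: str) -> str:
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
        return value[1:-1]
    return value

def uci_to_openvpn(uci_text: str) -> list[str]:
    """Return flat OpenVPN directive lines for one UCI 'config openvpn' section."""
    out = []
    for raw in uci_text.splitlines():
        line = raw.split("#", 1)[0].strip()     # '#' starts a comment (values here contain none)
        if not line or line.startswith("config "):   # skip blanks and the section header
            continue
        m = _UCI_LINE.match(line)
        if not m:
            raise ValueError(f"not a UCI option/list line: {raw!r}")
        kind, key, value = m.groups()
        name = key.replace("_", "-")              # OpenVPN directive names use hyphens only
        if name in UCI_ONLY:
            continue
        value = _unquote(value)
        if kind == "list" and name == "push":
            out.append(f'push "{value}"')         # push takes its whole argument as one quoted string
        elif name in FLAG_DIRECTIVES:
            if value in ("1", "true", "yes"):
                out.append(name)                  # flag enabled: bare directive, no argument
        else:
            out.append(f"{name} {value}".rstrip())
    return out

# Constructed UCI excerpt, modelled on the server config in the post above.
UCI_SAMPLE = """\
config openvpn 'VPNserver'
        option  enabled             1
    # --- Protocol ---#
        option  dev                 tun
        option  topology            subnet
        option  proto               udp
        option  port                1194
        option  server              '10.0.0.0 255.255.255.240'
        list    push                'route 192.168.0.0 255.255.255.0'
        list    push                'dhcp-option DNS 192.168.0.1'
        option  tls_auth            '/etc/ssl/certs/openvpn/ta.key 0'
        option  tls_version_min     1.2
        option  client_to_client    1
        option  persist_key         1
        option  comp_lzo            yes
        option  user                nobody
"""

if __name__ == "__main__":
    print("\n".join(uci_to_openvpn(UCI_SAMPLE)))
```

Paths in the values are copied through untouched, so on FreeBSD the `/etc/ssl/certs/openvpn/...` locations still need to be changed to wherever the certificates actually live in the jail.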

djdwosk97

Patron
Joined
Jun 12, 2015
Messages
382
More likely than not, the server hardware will be able to vastly outperform the router with encryption/decryption (I wouldn't recommend anything less than 2048bit/SHA256). You can test cipher speeds with the command openssl speed

DDNS needs to be run on the WAN facing router, as the DDNS address resolves to your public IP, which the server should not be receiving.

OpenVPN is extremely easy to configure and if you haven't already, I really would recommend reading the OpenVPN HowTo [~15min] and OpenVPN man page [~45min]. Both help to fully understand not only what possibilities you have, but options you may benefit from setting, and what each option you set means.
  • If you're going to run OpenVPN within a jail, there may be certain security measures that may need to be implemented (other senior members should be able to provide feedback on that). I'd also recommend searching the forum for threads related to running OpenVPN in a jail and exposing that jail directly to WAN.

I'll check out those two pages when I get on the bus later, but consider me to be networking-inept, I was going to follow this guide: https://forums.freenas.org/index.ph...-6-with-access-to-remote-hosts-via-nat.22873/ to try and get openVPN running on the server. Is there anything I should/shouldn't do and/or anything I should be aware of?
zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
Simply utilize the configs above in place of those in the guide; however, it's extremely important you understand what the options in the configs, both server and client, mean. I cannot stress that enough, as too many people simply copy and paste without bothering to learn what they're copying and pasting, and in turn, majority of new users to OpenVPN end up with an insecure VPN.
  • I would caution against utilizing Easy-RSA, as Easy-RSA is just that, easy... but it does not generate proper VPN certs. Please utilize the openssl.cnf linked to above and in my signature (it contains all the commands you will need to issue at the bottom of the config)
    • You'll probably have questions on how to utilize the alt_name section, so PM me when you go to create your CA and certs and I can walk you through any issues you may have
  • I strongly encourage configuring TLS ECDHE instead of SSL in the client and server configs (I labeled SSL & TLS options under specific headings). I'm 99% sure both can be specified in the configs at the same time, however if it does cause an issue, it will be immediately apparent in the log as soon as you start OpenVPN
    • You must factor in the version of openvpn and openssl running on each client you want to connect from, as clients will vary in which OpenSSL ciphers they accept and are compatible with (this especially applies to Android due to the massive fragmentation issues).
      • I would recommend running the openssl cipher command on all clients to determine the best encryption algorithm to go with. You can then adjust the TLS-Ciphers to include a range that's convenient, but still secure.
    • I only included ECDHE & DHE ciphers with AES256 & AES128, and SHA384 & SHA256, as these are the most secure options, with ECDHE being faster than DHE for ECC [Elliptic Curve Cryptography], i.e. PFS [Perfect Forward Secrecy]
  • I would caution against utilizing 443, as unless the individual is behind a restrictive corporate firewall, the VPN port should not be on the https port.
    • If you want to use 443 for convenience, then utilize it locally by configuring a DNAT rule on the router for say port 9147 [WAN] to 443 [jail]. This means your connection port on your client config would be 9147 and the connection port for the server config would be 443.
Some of the information involved may seem overwhelming when looked at as a whole picture, and you may benefit from what I did a few years ago when I went to setup my first OpenVPN server config... instead of looking at the whole, take each step and look at it individually.
  • For example, I began with the server config.
    • With a copy and pasted config on one half of the screen, I pulled up OpenVPN's HowTo [on OpenVPNs website] on the other half and read through it to match config options to their explanations.
    • Once I did that, I navigated to the most recent man page and read through each configurable option and added features I wanted as I found them.
  • The above also gets your client config ~90% finished, since most client config options must mirror the server config.
  • I then moved on to creating certificates with Easy-RSA, as it wasn't until about a year ago I learned how to fully utilize the openssl.cnf for certificate generation. After creating an organized, easy to read, and secure openssl.cnf, I posted it on GitHub so others could utilize it instead of Easy-RSA to properly secure their VPN(s).
  • Lastly, I configured the router by creating a VPN interface, implementing firewall rules, etc.
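The post's core warning is that a copied config is only as secure as the options the copier understands. As an added example (not from the thread and not an OpenVPN tool), the checker below reads a flat client or server config and reports the settings the post singles out: a TLS 1.2 floor, an HMAC key on the control channel (`tls-auth` or the later `tls-crypt`), an AES data-channel cipher with a non-weak `auth` HMAC, forward-secret TLS suites, and on the client side a check that the peer is really a server certificate. The finding codes and the two constructed configs are this example's own; the first is modelled on the client config posted above, the second is deliberately weak.

```python
import re

WEAK_AUTH = {"none", "md5", "sha1"}
STRONG_CIPHER = re.compile(r"^AES-(128|192|256)-(GCM|CBC)$", re.IGNORECASE)
SERVER_CHECKS = {"remote-cert-tls", "remote-cert-ku", "remote-cert-eku", "verify-x509-name"}

def parse_openvpn(text: str) -> list[tuple[str, list[str]]]:
    """Flat config -> [(directive, args)]; inline <tag>...</tag> blocks become (tag, [])."""
    entries, block = [], None
    for raw in text.splitlines():
        if block is not None:                          # inside <tls-auth> etc.: skip to closing tag
            if raw.strip() == f"</{block}>":
                entries.append((block, []))
                block = None
            continue
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()   # '#' and ';' both start comments
        if not line:
            continue
        if line.startswith("<") and line.endswith(">"):
            block = line[1:-1]
            continue
        parts = line.split()
        entries.append((parts[0], parts[1:]))
    return entries

def lint_openvpn(text: str) -> list[tuple[str, str]]:
    """Return (code, message) findings; an empty list means every check passed."""
    conf: dict[str, list[list[str]]] = {}
    for name, args in parse_openvpn(text):
        conf.setdefault(name, []).append(args)
    findings = []
    tls_min = conf.get("tls-version-min", [[None]])[0][0]
    if tls_min is None or float(tls_min) < 1.2:
        findings.append(("TLS_MIN", "tls-version-min 1.2 (or higher) is not enforced"))
    if not (set(conf) & {"tls-auth", "tls-crypt", "tls-crypt-v2"}):
        findings.append(("NO_TLS_AUTH", "control channel has no tls-auth/tls-crypt HMAC key"))
    auth = conf.get("auth", [["SHA1"]])[0][0].lower()          # OpenVPN's default auth is SHA1
    if auth in WEAK_AUTH:
        findings.append(("WEAK_AUTH", f"data-channel HMAC '{auth}' is weak"))
    cipher = conf.get("cipher", [["BF-CBC"]])[0][0]             # legacy default cipher is Blowfish
    if not STRONG_CIPHER.match(cipher):
        findings.append(("WEAK_CIPHER", f"data-channel cipher '{cipher}' is not AES"))
    if "tls-cipher" in conf:
        suites = conf["tls-cipher"][0][0].split(":")
        # ECDHE/DHE are ephemeral; TLS-ECDH-* and TLS-RSA-* suites give no forward secrecy
        if not all("DHE" in s for s in suites):
            findings.append(("NO_PFS", "tls-cipher allows suites without (EC)DHE forward secrecy"))
    if "client" in conf and not (set(conf) & SERVER_CHECKS):
        findings.append(("NO_SERVER_CHECK", "client does not verify that the peer cert is a server cert"))
    if "comp-lzo" in conf or "compress" in conf:
        findings.append(("COMPRESSION", "compression is on; current OpenVPN guidance is to leave it off"))
    return findings

# Constructed client config modelled on the one posted above (fake key material).
GOOD_CLIENT = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194
cipher AES-256-CBC
auth SHA512
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
00112233445566778899aabbccddeeff
-----END OpenVPN Static key V1-----
</tls-auth>
tls-version-min 1.2
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
pkcs12 vpn-client1.p12
remote-cert-ku f8
auth-nocache
comp-lzo
verb 5
"""

# Constructed weak config: defaults left in place, static-RSA suites, no peer check.
WEAK_CLIENT = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194
auth SHA1
tls-cipher TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384:TLS-RSA-WITH-AES-128-CBC-SHA
pkcs12 vpn-client1.p12
verb 3
"""

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CLIENT), ("weak", WEAK_CLIENT)):
        print(label, [code for code, _ in lint_openvpn(cfg)])
```

The forward-secrecy check is deliberately literal: a suite name containing `DHE` (which includes `ECDHE`) is ephemeral, while `TLS-ECDH-*` without the trailing E is static ECDH, so a list like the one in the posted configs would be reported under `NO_PFS` because of its `TLS-ECDH-RSA` and `TLS-ECDH-ECDSA` entries.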

djdwosk97

Patron
Joined
Jun 12, 2015
Messages
382
Simply utilize the configs above in place of those in the guide; however, it's extremely important you understand what the options in the configs, both server and client, mean. I cannot stress that enough, as too many people simply copy and paste without bothering to learn what they're copying and pasting, and in turn, majority of new users to OpenVPN end up with an insecure VPN.

-snip-
Since your post made everything seem quite a bit more complicated than I originally thought I decided to give the openVPN server on my router another shot...and by some magic it worked. I don't know how or why because I literally changed nothing, but it seems to work and it even works with a modern version of Tunnelblick (previously I had to use an antiquated version of Tunnelblick). So for the time being I won't set up openVPN on my server and hopefully I won't regret this decision after I'm back at school (for a few months).
zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
You're still missing the glaring fact I've been repeatedly trying to get one setting up a VPN server to understand... unless you understand some core things, your VPN will be no more secure than communicating over the internet directly.

It doesn't matter on which device OpenVPN is set up on, all OpenVPN servers require the same things, but most likely, your router's VPN config is not secure... I've yet to come across a store bought router's OEM firmware that enforces a secure SSL VPN configuration, nor one that properly generates VPN certs.

Bottom line is this: If one is not willing to take an hour or two to secure, and properly configure, their VPN, then one shouldn't be setting up their own VPN

This is what's really frustrating... I've already done 90% of your work for you in getting OpenVPN up and running, yet you don't want to take an hour or two to get everything set up. Why exactly did you ask for help?
  • It only takes ~30 min to set up OpenVPN from scratch with what I've provided in this thread, with the remaining 30 - 90 minutes required to educate oneself with what the configuration values utilized mean

djdwosk97

Patron
Joined
Jun 12, 2015
Messages
382
You're still missing the glaring fact I've been repeatedly trying to get one setting up a VPN server to understand... unless you understand some core things, your VPN will be no more secure than communicating over the internet directly.

It doesn't matter on which device OpenVPN is set up on, all OpenVPN servers require the same things, but most likely, your router's VPN config is not secure... I've yet to come across a store bought router's OEM firmware that enforces a secure SSL VPN configuration, nor one that properly generates VPN certs.

Bottom line is this: If one is not willing to take an hour or two to secure, and properly configure, their VPN, then one shouldn't be setting up their own VPN

This is what's really frustrating... I've already done 90% of your work for you in getting OpenVPN up and running, yet you don't want to take an hour or two to get everything set up. Why exactly did you ask for help?
  • It only takes ~30 min to set up OpenVPN from scratch with what I've provided in this thread, with the remaining 30 - 90 minutes required to educate oneself with what the configuration values utilized mean
I've read through the openVPN pages and the configs, but they really don't mean much to me. I don't know what custom config settings are necessary to add, which aren't, and potentially which are going to cause problems with the VPN server since I've already had issues with it in the past.

Here's the server config from the router (encryption cipher is set to AES-256-CBC):
[screenshot: the router's OpenVPN server settings page]
zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
I could be misinterpreting your settings page, however it appears you can paste in your own config under Custom Configuration. If this is the case, I would recommend using the config I posted earlier, as it's not only secure, it's been tweaked for the fastest upload/download speeds possible. If that isn't what the box is for, then it's probably to add additional values that aren't specified in the drop down menus, and if this is the case, please provide the information requested below and I can reply back with what extra values should be input.

I'm only mentioning values below that should be different than shown or for which additional information is required.

  • Please expand Interface Type
    • TUN should be what's selected, but I'm curious what other options it's offering
Protocol: UDP
  • Please expand firewall drop down
  • Please expand Authorization Mode, both for TLS as well as Content modification
Username/Password: OFF
  • VPN should be secured by SSL certs only, with a password on the SSL key if you wish to have one
  • Please expand Extra HMAC authorization
Does it offer any help information or hint as to what the Respond to DNS option is for (as it could mean a few different things in the context of the VPN server)
  • Please expand Encryption Cipher
  • Please expand Compression
Manage Client-Specific Options: Yes
  • Please reply back with what options it provides once you select Yes

From the Advanced Settings, it appears to be a Net30 implementation of OpenVPN (I could very well be wrong, but the lack of a topology specification indicates it's likely a Net30).
  • Net30 is obsolete and quite dated, referring to the subnet mask of /30. This means it's a literal point to point VPN:
    • 1st client connection
      • Server is given an IP of 10.8.0.1 and the 1st Client an IP of 10.8.0.2
    • 2nd client connection
      • Server is given an IP of 10.8.0.3 and the 2nd Client an IP of 10.8.0.4
    • 3rd client connection
      • Server is given an IP of 10.8.0.5 and the 3rd Client an IP of 10.8.0.6 (and so forth)
  • In other words, Net30 is enormously inefficient to say the least. Each Server and Client pair must have chronological, sequential IPs (i.e. Server can't be 10.8.0.1 and client be 10.8.0.10)
In my config above, I specify the topology as subnet, which is what everyone is used to dealing with, since it's the topology used by PCs and routers. Subnet topology also makes it far easier on you to create firewall rules for the VPN (this is far more important when more than one user is utilizing the VPN). Net30 prevents the user from designating static IPs to the devices they'll be connecting from, which in turn affects security of the VPN.
  • For example, I connect to my VPN through two devices only. I have created firewall rules to only allow VPN traffic when the proper device is utilized by specifying MAC addresses in the firewall rules. This means even if someone gained access to my PKCS12 cert, and discovered my password, unless they were connecting from one of the two devices, the traffic would be immediately dropped by the router prior to performing NAT and handing the connection off to OpenVPN.
Without overwhelming you with more information than is necessary, once we get the config ironed out, you will have to use openssl to generate a CA, then server and client certs. If you provide me with some information via PM, I will edit the openssl.conf, with the information you provide and list in chronological order what commands you will need to give (simply copy and paste).
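The net30 versus subnet comparison above can be counted rather than argued. As an added example (not from the post, and not OpenVPN's own code), the function below expands a `server <network> <netmask>` line the way the OpenVPN man page documents it for each topology: in net30 the server takes the first aligned /30 (.1 with .2 as its point-to-point peer) and every client consumes one further aligned /30 (.5/.6, .9/.10, ...), with the pool ending four addresses before the broadcast; in subnet topology the server is .1 and clients get single addresses from .2 up to two below the broadcast. The function names are this example's own. It also shows the static-address restriction the post mentions: in net30 only the client side of an aligned /30 can be handed out with `ifconfig-push`.

```python
import ipaddress

def expand_server(network: str, topology: str) -> dict:
    """Expand a 'server' line into the server address and the client pool."""
    net = ipaddress.ip_network(network, strict=True)
    base, bcast = int(net.network_address), int(net.broadcast_address)
    if topology == "subnet":
        # server .1; clients .2 .. broadcast-2, one address each
        pool = [str(ipaddress.ip_address(a)) for a in range(base + 2, bcast - 1)]
        return {"server": str(ipaddress.ip_address(base + 1)), "server_ptp": None,
                "clients": pool}
    if topology == "net30":
        # server owns the first /30; each client gets an aligned /30 whose
        # .1 is the server-side endpoint and .2 the client address
        pool = []
        for block in range(base + 4, bcast - 4 + 1, 4):
            pool.append((str(ipaddress.ip_address(block + 1)),   # server-side endpoint
                         str(ipaddress.ip_address(block + 2))))  # client address
        return {"server": str(ipaddress.ip_address(base + 1)),
                "server_ptp": str(ipaddress.ip_address(base + 2)), "clients": pool}
    raise ValueError(f"unknown topology: {topology}")

def client_capacity(network: str, topology: str) -> int:
    """How many clients the pool can hold."""
    return len(expand_server(network, topology)["clients"])

def static_ip_allowed(network: str, topology: str, ip: str) -> bool:
    """Can ifconfig-push assign this fixed address to a client?

    Subnet topology accepts any pool address; net30 accepts only the client
    side of an aligned /30, which is the restriction described in the post.
    """
    net = ipaddress.ip_network(network, strict=True)
    addr = ipaddress.ip_address(ip)
    if addr not in net:
        return False
    exp = expand_server(network, topology)
    if topology == "subnet":
        return str(addr) in exp["clients"]
    return any(client == str(addr) for _, client in exp["clients"])

if __name__ == "__main__":
    # The /28 is the pool from the server config posted earlier in the thread.
    for network in ("10.8.0.0/24", "10.0.0.0/28"):
        for topo in ("net30", "subnet"):
            print(f"{network} {topo:6}: {client_capacity(network, topo)} clients")
```

The same /28 that serves twelve clients in subnet topology holds only two in net30, and the addresses a net30 client can be pinned to are a quarter of the pool.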

djdwosk97

Patron
Joined
Jun 12, 2015
Messages
382
I could be misinterpreting your settings page, however it appears you can paste in your own config under Custom Configuration. If this is the case, I would recommend using the config I posted earlier, as it's not only secure, it's been tweaked for the fastest upload/download speeds possible. If that isn't what the box is for, then it's probably to add additional values that aren't specified in the drop down menus, and if this is the case, please provide the information requested below and I can reply back with what extra values should be input.

I'm only mentioning values below that should be different than shown or for which additional information is required.

  • Please expand Interface Type
    • TUN should be what's selected, but I'm curious what other options it's offering
Protocol: UDP
  • Please expand firewall drop down
  • Please expand Authorization Mode, both for TLS as well as Content modification
Username/Password: OFF
  • VPN should be secured by SSL certs only, with a password on the SSL key if you wish to have one
  • Please expand Extra HMAC authorization
Does it offer any help information or hint as to what the Respond to DNS option is for (as it could mean a few different things in the context of the VPN server)
  • Please expand Encryption Cipher
  • Please expand Compression
Manage Client-Specific Options: Yes
  • Please reply back with what options it provides once you select Yes

From the Advanced Settings, it appears to be a Net30 implementation of OpenVPN (I could very well be wrong, but the lack of a topology specification indicates it's likely a Net30).
  • Net30 is obsolete and quite dated, referring to the subnet mask of /30. This means it's a literal point to point VPN:
    • 1st client connection
      • Server is given an IP of 10.8.0.1 and the 1st Client an IP of 10.8.0.2
    • 2nd client connection
      • Server is given an IP of 10.8.0.3 and the 2nd Client an IP of 10.8.0.4
    • 3rd client connection
      • Server is given an IP of 10.8.0.5 and the 3rd Client an IP of 10.8.0.6 (and so forth)
  • In other words, Net30 is enormously inefficient to say the least. Each Server and Client pair must have chronological, sequential IPs (i.e. Server can't be 10.8.0.1 and client be 10.8.0.10)
In my config above, I specify the topology as subnet, which is what everyone is used to dealing with, since it's the topology used by PCs and routers. Subnet topology also makes it far easier on you to create firewall rules for the VPN (this is far more important when more than one user is utilizing the VPN). Net30 prevents the user from designating static IPs to the devices they'll be connecting from, which in turn affects security of the VPN.
  • For example, I connect to my VPN through two devices only. I have created firewall rules to only allow VPN traffic when the proper device is utilized by specifying MAC addresses in the firewall rules. This means even if someone gained access to my PKCS12 cert, and discovered my password, unless they were connecting from one of the two devices, the traffic would be immediately dropped by the router prior to performing NAT and handing the connection off to OpenVPN.
Without overwhelming you with more information than is necessary, once we get the config ironed out, you will have to use openssl to generate a CA, then server and client certs. If you provide me with some information via PM, I will edit the openssl.conf, with the information you provide and list in chronological order what commands you will need to give (simply copy and paste).
I think it's just for adding fields which aren't specified.

Interface type: Tun or Tap

Protocol: Is there a security reason to not use TCP, or is it just for speed reasons? I did a bit of basic networking in one of my computer science courses, so I understand the back and forth/speed issues with TCP, but I don't foresee that being a big issue if I'm transferring/accessing small files (think word document sizes and/or pictures, not videos).

Firewall: Auto, External Only, custom (there is a firewall section on the router, so I assume custom means it will depend on that -- I'll post a screenshot of that below).

Authorization Mode: TLS, static key, custom (selecting those also changes a few other fields, so I'll post screenshots of the settings with each of those selected below as well).

Content modification: fields for 'certificate authority', 'server certificate', 'server key', 'diffie hellman parameters', and 'certificate revocation list'. All the fields (keys?) are filled out except the revocation list.

HMAC authorization: 'disable', 'Bi-directional', 'incoming(0)', 'incoming(1)'.

Respond to DNS: It doesn't say anything.

Encryption cipher: (image below)

Compression: Adaptive, disable, none, enable

Client specific options: Allow client to client, allow specified clients, and then an allowed client list (asking for username, IP, subnet mask, and push (yes/no)).


P.s. I'll likely be the only one using the VPN.

Pictures: http://imgur.com/a/0JSAo
 

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
Interface: TUN
Protocol: UDP
  • TCP should only be used for troubleshooting purposes (unless packet loss is high). The reason why is TCP cannot efficiently encapsulate TCP packets. OpenVPN encapsulates TCP over UDP, however when the same is done over TCP, a substantial hit on speed occurs due to the inefficient way in which TCP must encapsulate itself, so unless one sees high packet loss on UDP, they should not utilize TCP.
    • There was a really great write up explaining this that I thought I bookmarked, however I must not have. If you do some searching on google, you should be able to find at least one write up that explains exactly what occurs when TCP tries to encapsulate a TCP packet.
  • However, if you experience a problem, TCP should be utilized for troubleshooting purposes. This is why OpenVPN firewall rules should be both TCP & UDP rules, as it prevents one from having to do more work than is necessary when one needs to troubleshoot the connection.
Firewall: Choose Custom (if custom means you create your own rules)
  • Use the rules from the OpenWrt Wiki I wrote
Authorization Mode: TLS
  • I need to research exactly what Asus will be using, as it should offer the option of what TLS ciphers to use. You can see what TLS ciphers should look like in my configs above.
Content Modification: This is where you will need to paste in the certificates you generate with OpenSSL using the openssl.cnf above.
  • When you go to create them, PM me and I can walk you through what you'll need to customize in the openssl.cnf

Extra HMAC Authorization: Bi-directional
  • This should refer to TLS-Auth and the use of a ta.key in both the server and client configs. I need to research this on google however to see what Asus is referring to exactly (as Asus does not appear to be using the correct OpenVPN terminology)
Respond to DNS: I need to research this as well. Most likely, Yes (my hunch is it applies to LAN and not to WAN)

Encryption Cipher: Choose one of the AES ciphers under Custom (Do not use any of the others)
  • AES-128-CBC, AES-192-CBC, AES-256-CBC SSL ciphers
    • I utilize AES-256-CBC for my SSL cipher, however this is personal preference as to which one of the three you choose. I would recommend using google to search the three ciphers and choose which one you find best for your uses. Technically, AES-128 hasn't been broken in the public forum (IIRC it was broken in a research setting, though I could be mis-remembering).
    • Obviously, the higher you go up in encryption, the speed with which encryption/decryption occurs increases. I would run the openssl speed test I mentioned above on your PC to determine how fast the PC is able to encrypt/decrypt
    • Speed test may be able to be done on the router, however you will need to use google to see if Asus offers a way to access its telnet server (the cli of the router). Some routers offer this hidden ability in their OEM firmware, some do not. Tech Support may know, however they also may very well not know.
  • I have no clue what it's referring to for TLS, as TLS should refer to TLS ciphers, of which it does not list. You can see what the TLS ciphers look like in my configs above.
    • Please select TLS, then see if that changes any of the options under Extra HMAC Authorization

Compression: Adaptive or Enable
  • I need to do some research as to what Asus is utilizing for compression
Client Specific Options:
  • Allow Client to Client: This allows clients to see other clients (i.e. enabling you to communicate with other devices, such as the FreeNAS server, while connected to the VPN)
  • Allow Specified Clients: Yes (Refers to CCD Exclusive)
    • Allowed Client List
      • UserName: not sure what Asus is referring to (unless it's the username/pass option further up in the config, which should not be utilized)
      • IP: Static IP of device you will be connecting from
        • Repeat for each device, you will need to assign your devices static IPs for the VPN subnet
      • Subnet Mask: VPN subnet mask
      • Push: Yes (this should refer to pushing information to the client)
I'll reply back today or tomorrow with what additional options should be included in the Custom Configuration section
 
Last edited:

djdwosk97

Patron
Joined
Jun 12, 2015
Messages
382
Setting 'Respond to DNS' to yes displays another field -- 'advertise dns to clients'.

For 'manage client specific options' what if the client/s don't have static IPs? Or is that referring to the local IP of the device (so 10.8.0.x)? Would the subnet mask be 255.255.255.0?

I still have to do the openssl.cnf file for the content modification.

Selecting TLS doesn't change anything under 'Extra HMAC authorization'.

For custom firewall, I don't see anything in the firewall section (which is outside of the VPN section). So maybe there is a firewall specifically for the VPN that has its rules set in the custom configuration box?
 
Last edited:

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
CCD doesn't require clients to have a static IP set, however I'd recommend it, as it's an additional layer of security as you can then configure specific firewall rules only for those IPs you assign. The static IPs are not set via the way in which you're probably thinking (via the router's WebGUI) however.

Normally OpenVPN is configured via cli, so I'll explain it in that context so you'll have the correct understanding of how it works. I'll then list what it would look like in the Asus WebGUI:
  • When you enable CCD in the OpenVPN config file, you must then create a file within the CCD directory you specified in the config (say /etc/openvpn/clients/). The file name must match the name of the certificate for that client.
    • Not the common name, but the actual certificate filename, which cannot contain spaces
      • For example: WRT1900ac-VPNclient-Client1.crt.pem
    • So our filename would be: WRT1900ac-VPNclient-Client1
  • Each client file is read like an openvpn config file, so you would place options you want pushed to the client in this file. It must contain at least one ifconfig-push command, as this is what sets the static IP:
    • ifconfig-push 10.0.0.2 255.255.255.240
  • If you have a second device you'll be connecting from, same thing:
    • Certificate Filename: WRT1900ac-VPNclient-Nexus6.crt.pem
    • CCD filename: /etc/openvpn/clients/WRT1900ac-VPNclient-Nexus6
      • ifconfig-push 10.0.0.3 255.255.255.240
  • Once you start OpenVPN, one of two things happens (I can't remember which): either it reads from the CCD client directory and auto assigns those IPs, writing them to ipp.txt (Ifconfig Pool Persist), or it waits for the client to connect, then once it does and its corresponding client file is read, it assigns the IP and writes it to ipp.txt
    • ipp.txt would list the following:
      • WRT1900ac-VPNclient-Client1,10.0.0.2
      • WRT1900ac-VPNclient-Nexus6,10.0.0.3
  • If you were able to view the OpenVPN log (/tmp/openvpn.log), it would look something similar to this if everything was configured correctly (lines 22 - 28 are specific to CCD configs, non-CCD configs will not have these):
  • Code:
    root@WRT1900:/# cat /tmp/openvpn.log
    
    Tue Jul  7 19:57:02 2015 us=55343 OpenVPN 2.3.6 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Jun  2 2015
    Tue Jul  7 19:57:02 2015 us=55674 library versions: OpenSSL 1.0.2a 19 Mar 2015, LZO 2.08
    Tue Jul  7 19:57:02 2015 us=454270 Diffie-Hellman initialized with 2048 bit key
    Tue Jul  7 19:57:02 2015 us=546774 Control Channel Authentication: using '/etc/openvpn/keys/ta.key' as a OpenVPN static key file
    Tue Jul  7 19:57:02 2015 us=547010 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    Tue Jul  7 19:57:02 2015 us=547197 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    Tue Jul  7 19:57:02 2015 us=547412 TLS-Auth MTU parms [ L:48058 D:166 EF:66 EB:0 ET:0 EL:0 ]
    Tue Jul  7 19:57:02 2015 us=547644 Socket Buffers: R=[163840->327680] S=[163840->327680]
    Tue Jul  7 19:57:02 2015 us=567559 TUN/TAP device tun0 opened
    Tue Jul  7 19:57:02 2015 us=567788 TUN/TAP TX queue length set to 100
    Tue Jul  7 19:57:02 2015 us=567990 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    Tue Jul  7 19:57:02 2015 us=568318 /sbin/ifconfig tun0 10.0.0.1 netmask 255.255.255.240 mtu 24000 broadcast 10.0.0.15
    Tue Jul  7 19:57:02 2015 us=608940 Data Channel MTU parms [ L:48058 D:48058 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
    Tue Jul  7 19:57:02 2015 us=609448 GID set to nogroup
    Tue Jul  7 19:57:02 2015 us=609690 UID set to nobody
    Tue Jul  7 19:57:02 2015 us=609897 UDPv4 link local (bound): [undef]
    Tue Jul  7 19:57:02 2015 us=610077 UDPv4 link remote: [undef]
    Tue Jul  7 19:57:02 2015 us=610251 MULTI: multi_init called, r=256 v=256
    Tue Jul  7 19:57:02 2015 us=610560 IFCONFIG POOL: base=10.0.0.2 size=13, ipv6=0
    Tue Jul  7 19:57:02 2015 us=610897 ifconfig_pool_read(), in='WRT1900ac-VPNclient-Client1,10.0.0.2', TODO: IPv6
    Tue Jul  7 19:57:02 2015 us=612378 succeeded -> ifconfig_pool_set()
    Tue Jul  7 19:57:02 2015 us=612581 ifconfig_pool_read(), in='WRT1900ac-VPNclient-Nexus6,10.0.0.3', TODO: IPv6
    Tue Jul  7 19:57:02 2015 us=612747 succeeded -> ifconfig_pool_set()
    Tue Jul  7 19:57:02 2015 us=612912 IFCONFIG POOL LIST
    Tue Jul  7 19:57:02 2015 us=613077 WRT1900ac-VPNclient-Client1,10.0.0.2
    Tue Jul  7 19:57:02 2015 us=613349 WRT1900ac-VPNclient-Nexus6,10.0.0.3
    Tue Jul  7 19:57:02 2015 us=614653 Initialization Sequence Completed
In regards to Asus, I would try the certificate filename as the username field, followed by the IP you want the device to have, and the netmask you configured further up, setting Push to yes.

In regards to VPN firewall rules, you can try using what Asus does, but I would highly encourage you verify exactly what each rule it configured does. They should almost match the rules in the OpenWrt OpenVPN Streamlined wiki I linked to several posts up.
 
Last edited:
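As an added example (not code from the thread, from OpenVPN or from Asus), the following Python script does the CCD work described in the post above in a checkable way: it builds one client-config-dir file per client from a name-to-address table, flags the mistakes that would silently break static addressing (a name containing whitespace, an address outside the tunnel subnet or equal to the network, broadcast or server address, a duplicate), and then reads the ifconfig_pool_read lines from a server log to confirm the addresses the server actually handed out match the files. The client names, the 10.0.0.0/28 tunnel subnet (netmask 255.255.255.240) and the sample log lines come from the post; the mapping table, the function names and the temporary directory are this example's own assumptions.

```python
"""Generate OpenVPN client-config-dir (CCD) files with static tunnel
addresses and cross-check the server log against them.

Added example for this thread; not taken from OpenVPN, Asus or the poster.
"""
import ipaddress
import os
import re
import tempfile

# Tunnel subnet from the post: server is 10.0.0.1 netmask 255.255.255.240.
VPN_NET = ipaddress.ip_network("10.0.0.0/28")
SERVER_IP = ipaddress.ip_address("10.0.0.1")

# Client name (used as the CCD filename) -> static tunnel address.
# The names are the ones used in the post; the table itself is constructed here.
CLIENTS = {
    "WRT1900ac-VPNclient-Client1": "10.0.0.2",
    "WRT1900ac-VPNclient-Nexus6": "10.0.0.3",
}

# Constructed sample input: the pool lines from the post's /tmp/openvpn.log.
SAMPLE_LOG = """\
Tue Jul  7 19:57:02 2015 us=610560 IFCONFIG POOL: base=10.0.0.2 size=13, ipv6=0
Tue Jul  7 19:57:02 2015 us=610897 ifconfig_pool_read(), in='WRT1900ac-VPNclient-Client1,10.0.0.2', TODO: IPv6
Tue Jul  7 19:57:02 2015 us=612378 succeeded -> ifconfig_pool_set()
Tue Jul  7 19:57:02 2015 us=612581 ifconfig_pool_read(), in='WRT1900ac-VPNclient-Nexus6,10.0.0.3', TODO: IPv6
Tue Jul  7 19:57:02 2015 us=612747 succeeded -> ifconfig_pool_set()
Tue Jul  7 19:57:02 2015 us=614653 Initialization Sequence Completed
"""


def validate_clients(clients, net=VPN_NET, server=SERVER_IP):
    """Return a list of problems with the name -> address table (empty = OK)."""
    problems = []
    assigned = {}
    for name, ip_str in clients.items():
        if re.search(r"\s", name):
            problems.append(f"{name!r}: CCD filename must not contain whitespace")
        ip = ipaddress.ip_address(ip_str)
        if ip not in net or ip in (net.network_address, net.broadcast_address):
            problems.append(f"{name}: {ip} is not a usable host address in {net}")
        elif ip == server:
            problems.append(f"{name}: {ip} is the server's own address")
        if ip in assigned:
            problems.append(f"{name}: {ip} is already assigned to {assigned[ip]}")
        assigned[ip] = name
    return problems


def write_ccd(clients, ccd_dir=None, net=VPN_NET):
    """Write one CCD file per client holding its ifconfig-push line.

    Returns a dict name -> path.  With ccd_dir=None a temporary directory is
    used so the example runs without touching /etc/openvpn.
    """
    if ccd_dir is None:
        ccd_dir = tempfile.mkdtemp(prefix="ccd-")
    os.makedirs(ccd_dir, exist_ok=True)
    paths = {}
    for name, ip_str in clients.items():
        path = os.path.join(ccd_dir, name)
        with open(path, "w") as fh:
            fh.write(f"ifconfig-push {ip_str} {net.netmask}\n")
        paths[name] = path
    return paths


# Matches: ifconfig_pool_read(), in='<name>,<ipv4>'
POOL_RE = re.compile(r"ifconfig_pool_read\(\), in='([^,']+),(\d+\.\d+\.\d+\.\d+)'")


def pool_from_log(log_text):
    """Return the name -> address assignments the server read from ipp.txt."""
    return {m.group(1): m.group(2) for m in POOL_RE.finditer(log_text)}


def check_log(clients, log_text):
    """Return names whose logged address is missing or differs from the table."""
    logged = pool_from_log(log_text)
    return sorted(name for name, ip in clients.items() if logged.get(name) != ip)


if __name__ == "__main__":
    for problem in validate_clients(CLIENTS):
        print("table problem:", problem)
    for name, path in write_ccd(CLIENTS).items():
        with open(path) as fh:
            print(f"{path}: {fh.read().strip()}")
    mismatched = check_log(CLIENTS, SAMPLE_LOG)
    print("log matches CCD table" if not mismatched else f"mismatch: {mismatched}")
```

On a real server, pass the directory named by the server's client-config-dir option as ccd_dir and feed the live log to check_log; the comparison it makes is the same one the post suggests doing by eye on the IFCONFIG POOL lines, so a renamed certificate or a hand-edited ipp.txt shows up as a mismatch instead of going unnoticed.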

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
Additionally, if you have a Windows PC, when you install the OpenVPN client software, it also installs OpenSSL. I recommend adding the OpenVPN bin path (C:\Program Files\OpenVPN\bin) to your Environment Path in Windows, which will allow you to access openssl from any command/powershell terminal
  • Control Panel\System and Security\System -> Advanced System Settings -> Environment Variables -> System Variables -> Path
 