Like every other website on the planet, SmallNetBuilder uses cookies. Our cookies track login status, but we only allow admins to log in anyway, so those don't apply to you. Any other cookies you pick up during your visit come from advertisers, which we don't control.
If you continue to use the site, you agree to tolerate our use of cookies. Thank you!

Security How To

{mospagebreak toctitle= Introduction, Setup, Steps 1-4}

Introduction

Many routers now come with an integrated OpenVPN server to provide secure remote access to both router storage and LAN devices. We haven't been testing VPN performance in our reviews because, frankly, I dread messing with VPN. I usually get it working eventually, but typically burn a day in the trial-and-error process that is inevitably required.

So in the interest of saving you a day, I am doing a few articles that present both VPN performance test results and step-by-step setup instructions for getting a working OpenVPN tunnel between a Windows client and the router. This tunnel will support connection both to the router's shared storage and to client devices on the router LAN.

Since ASUS was the first to integrate OpenVPN, I'll start with them.

Setup

My test setup used Win 7 and Win 8.1 computers.

  • Windows 7: Lenovo X220i (Intel Core i3-2310M @ 2.1 GHz, 2 GB RAM) running Win 7 Home Premium SP1 64 bit
  • Windows 8.1: Acer AspireS7 (Intel Core i5-4200U @ 2.3 GHz, 8 GB RAM) running Win 8.1 64 bit

To eliminate internet connection variation, I used the test setup shown below. Note that the two computers are on different private subnets.

OpenVPN test setup

OpenVPN test setup

Steps

1) Check your shares
Before you start messing with VPN, you first need to check that your OS sharing permissions are properly set so that shares can be reached among LAN machines on both networks. This sometimes is tricky when mixing Win 7 and 8 devices.

I don't use Windows Homegroups, don't use password protected sharing and don't use Guest accounts. So in Win 8, disabling password protected sharing (Network and Sharing Center > Advanced Sharing Settings > All Networks) and adding access for Everyone in the share's security properties usually does the trick.

2) Configure your firewall
OS and anti-virus suite application firewalls are another thing that can mess you up. If you run one, you've probably already figured out the settings to not block file sharing traffic. Buf if you have any problems pinging a share across the VPN tunnel, temporarily disable the firewall to see if that's the problem.

3) Install the OpenVPN client
ASUS provides links for downloading Windows, MacOS, iOS and Android OpenVPN clients on the VPN Server tab as shown below. Each link takes you to an ASUS FAQ page that includes a downlink link for the proper app and instructions for installing and configuring it.

ASUS VPN Server tab

ASUS VPN Server tab

This OpenVPN FAQ provides a pretty accurate description of the Windows installation process. Don't bother to launch the app after you install it. It won't do much until you install an OpenVPN config file.

4) Create User(s)
Create users on the VPN Server General settings page in the Username and Password section as shown below. Please use a stronger password than the one I used. Your connection security depends on it! Be sure to Apply the settings.

ASUS VPN Create user

ASUS VPN Create user

5) Generate the OpenVPN config file
OpenVPN clients won't do anything without a config file. You can find sample files in the "[program files path]\OpenVPN\sample-config folder on the system you installed the client on, where [program files path] is the path to the Program Files or Program Files (x86) folders for 64 bit and 32 bit apps, respectively.

The sample client.opvn and sample.ovpn files are well commented and useful for advanced users. But it's much easier to click the Export button on the VPN Server page to generate and save a config that should get you up and running quickly.

Changing the selector on this page to Advanced Settings exposes the detailed settings used to configure the server and generate the client .opvn config file.

VPN Server Advanced Settings - Basic config

VPN Server Advanced Settings - Basic config

All the defaults work and will enable you to reach the router's shared storage and shares on devices connected to the router LAN. They will not, however, allow network browsing from the remote client. So you'll have to use \\ipaddress_of _device to reach shares and set up mapped drives for easy access.

VPN Server Advanced Settings - Basic config

VPN Server Advanced Settings - Basic config

If you simply must have network browsing, switching to TAP interface type will do it. But note this is a bridged connection and could cause problems.

Pay attention to the warning shown below that may appear on the VPN Server page. Most people will need to use a dynamic DNS service to reach their router due to the changing IP addresses issued by most ISPs. If you are going to use DDNS, set it up before you export the OpenVPN config file. Otherwise, the router's WAN IP address will be used. In my case, the WAN IP was fine because I was testing on a private LAN.

VPN Server Advanced Settings - Basic config

VPN Server Advanced Settings - Basic config

If you make any changes to these settings, you need to Apply them first, then Export a new config file.

6) Install the config file
Find the client.opvn file generated by clicking the Export button in Step 5 and copy / move it to the "[program files path]\OpenVPN\config folder, where [program file path] is the path to the Program Files or Program Files (x86) folders for 64 bit and 32 bit apps, respectively. If your client needs to connect to more than one VPN server, you'll need to generate a config file for each one and give them different names.

7) Start the OpenVPN client
Find the OpenVPN client shortcut created by the installer. Right click on it and select Run as administrator. At this point, this How to connect to a VPN Server with the Desktop Client FAQ screwed me up for awhile. I kept expecting to see the window below shown in the FAQ.

OpenVPN client window you won't see

OpenVPN client window you won't see

The ASUS FAQ provides a more accurate description of what to expect. The only thing you should see is the OpenVPN client icon in the System Notification Area (tray).

OpenVPN client running

OpenVPN client running

8) Connect
Right-clicking on the OpenVPN icon pops up the config(s), each of which expands into a submenu shown below. Select Connect.

OpenVPN client config selected

OpenVPN client config selected

You'll be prompted for the username and password you set up in the router.

OpenVPN client - user authentication

OpenVPN client - user authentication

After you enter the credentials, the connection will complete...

OpenVPN client - connecting

OpenVPN client - connecting

...and when it's done you'll see a confirmation.

OpenVPN client - connected

OpenVPN client - connected

9) Test the tunnel
We'll use ping to check that everything is running ok. First, try pinging the OpenVPN router LAN IP address (the default is 192.168.1.1). It should respond. Next try to ping the IP address of a LAN machine. In my test case, the Win 8.1 LAN computer was at 192.168.1.149. The screenshot below shows that the OpenVPN configuration provided connection to LAN clients.

OpenVPN tunnel test passed

OpenVPN tunnel test passed

10) Use the tunnel
At this point, you are up and running! Remember that network browsing isn't supported. So you must reach LAN devices by IP address, not hostnames. If you're just accessing shared files, mapped drives are your friend.

Performance

I had three ASUS routers handy for testing. My go-to IxChariot performance test tool would not work through the OpenVPN tunnel. So I had to resort to drag-and-dropping a >1 GB Windows backup .bkf file for testing. Drag-and-drops were initiated from the remote (WAN side) machine to ensure that traffic flowed through the tunnel.

Router CPU Firmware Remote > Server Server > Remote
ASUS RT-N66U Broadcom BCM4706
single core, 600 MHz
3.0.0.4.376_1071 1.6 1.6
ASUS RT-AC68U Broadcom BCM4708
dual core, 800 MHz
3.0.0.4.376_1663 4.1 3.8
ASUS RT-AC87U Broadcom BCM4709
dual core, 1 GHz
3.0.0.4.376_2769 5.5 5.0
Table 1: File copy throughput - OpenVPN tunnel (MBytes/sec)

There's a big difference in stepping up from the single-core BCM4706 to the dual-core BCM4708. But not as large a jump between the 4708 and 4709.

Closing Thoughts

I hope the step-by-step saves you the hassles that I ran into in getting OpenVPN working on ASUS. If you find an error, please let me know so that I can correct it.

Next time, OpenVPN on NETGEAR.

Discuss this in the Forums