Help with setup of StrongVPN on Asus Merlin

[Gusar24]

Hello,

I have been trying to get StrongVPN working on my ASUS RT-AC32oo with Merlin software for days but I have had no success. I have looked at a few threads online but they have not helped.

At first it had the "Connecting" status but would not get past that. Now I can get it Connected but it does not open anything and there is no internet.

If anyone has been able to get this working, can you please help?

Thanks in advance.

 

[Xentrk]

Hello,

I have been trying to get StrongVPN working on my ASUS RT-AC32oo with Merlin software for days but I have had no success. I have looked at a few threads online but they have not helped.

At first it had the "Connecting" status but would not get past that. Now I can get it Connected but it does not open anything and there is no internet.

If anyone has been able to get this working, can you please help?

Thanks in advance.

Here is a recent thread for StrongVPN:
https://www.snbforums.com/threads/strongvpn-how-to-setup-in-openvpn.38284/

Please post a screen shot of your web gui configuration for OpenVPN Client so we can look it over. You can use the snipping tool in Windows if that is the OS you use. Also, list the firmware version you are on. OpenVPN version was updated starting with release 380.65 of Merlin FW which resulted in some configuration changes. Thanks.

PS. It sucks that StrongVPN does not show a screen pic of the OpenVPN Client screen on their web site. They can and should do better. Plus, the FW example they use is out of date.

 

[Gusar24]

Thank you for replying. I am currently away from home but will post the screenshots and the info you suggested later today.

 

[CaptainSTX]

I run StrongVPN and there is a trick which once you see it makes it simple.

1. Go into VPN accounts section select your VPN type and server location. I run open VPN.

2. Then go all the way to the bottom of the page and select LINUX/MAC configuration file. In lighter print it also says (Including router manual setup.)

3. Download this configuration file to your PC.

4. In your VPN setup on a router running Merlin select this file and upload it onto the router. Turn service state on, click the apply button and your VPN client should be running.

To give me maximum controll I use policy based routing and for each client that connect select if I want WAN or VPN connection.

 

[Gusar24]

Here is a recent thread for StrongVPN:
https://www.snbforums.com/threads/strongvpn-how-to-setup-in-openvpn.38284/

Please post a screen shot of your web gui configuration for OpenVPN Client so we can look it over. You can use the snipping tool in Windows if that is the OS you use. Also, list the firmware version you are on. OpenVPN version was updated starting with release 380.65 of Merlin FW which resulted in some configuration changes. Thanks.

PS. It sucks that StrongVPN does not show a screen pic of the OpenVPN Client screen on their web site. They can and should do better. Plus, the FW example they use is out of date.

Hi Xentrk,

My FW version is 380.65.4

I have attached the screenshots of the configuration. I appreciate any way you can help.


CaptainSTX,

I have tried that with many different servers and I hit the On button and it is stuck in "Connecting" mode.

Let me know if you guys need any more info.

Thanks.

 

[CaptainSTX]

Did you include BOTH the user name and password that matches the configuration that StrongVPN give you. From the screenshot the username looks like it could be blank.

The username and password are not your billing username and password.

 

[Gusar24]

Did you include BOTH the user name and password that matches the configuration that StrongVPN give you. From the screenshot the username looks like it could be blank.

The username and password are not your billing username and password.

Yes of course I did, I deleted the username for the screenshot for privacy reasons.

 

[CaptainSTX]

Yes of course I did, I deleted the username for the screenshot for privacy reasons.

Here is a text copu of my OVPN file downloaded from StrongVPN.

Some digits in server have been deleted and the certificates have been abbreviated.

You can check to see how your downloaf file compares.

auth md5
auth-user-pass
cipher AES-256-CBC
client
comp-lzo adaptive
dev tun
explicit-exit-notify 2
fragment 1390
hand-window 30
key-direction 1
mssfix
mute 3
mute-replay-warnings
nobind
ns-cert-type server
persist-key
redirect-gateway def1
remote 216.169.***.** 1194 udp
reneg-sec 0
resolv-retry infinite
route-delay 2
route-method exe
route-metric 1
topology subnet
tun-mtu 1500
verb 3
<ca>
-----BEGIN CERTIFICATE-----
MIIExzCCA6+gAwIBAgIJAKl5ZQ8Me/ZNMA0GCSqGSIb3DQEBBQUAMIGdMQswCQYD
VQQGEwJVUzELMAkGA1UECBMCQ0ExFjAUBgNVBAcTDVNhbi1GcmFuY2lzY28xHDAa
BgNVBAoTE3JlbGlhYmxlaG9zdGluZy5jb20xHzAdBgNVBAMTFnJlbGlhYmxlaG9z
dGluZy5jb20gQ0ExKjAoBgkqhkiG9w0BCQEWG3RlY2hpZXNAcmVsaWFibGVob3N0
aW5nLmNvbTAeFw0xNTEwMjMxNTQ5MzZaFw0yNTEwMjAxNTQ5MzZaMIGdMQswCQYD
VQQGEwJVUzELMAkGA1UECBMCQ0ExFjAUBgNVBAcTDVNhbi1GcmFuY2lzY28xHDAa
BgNVBAoTE3JlbGlhYmxlaG9zdGluZy5jb20xHzAdBgNVBAMTFnJlbGlhYmxlaG9z
dGluZy5jb20gQ0ExKjAoBgkqhkiG9w0BCQEWG3RlY2hpZXNAcmVsaWFibGVob3N0
aW5nLmNvb.....BH4HhIqZz3HMHXSrTGF0j
-----END CERTIFICATE-----
</ca>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
0581c4b7bdd32608258ac97b4b1f6f00
*******b9d36e7c9cc
-----END OpenVPN Static key V1-----
</tls-auth>

 

[Gusar24]

Here is a text copu of my OVPN file downloaded from StrongVPN.

Some digits in server have been deleted and the certificates have been abbreviated.

You can check to see how your downloaf file compares.

auth md5
auth-user-pass
cipher AES-256-CBC
client
comp-lzo adaptive
dev tun
explicit-exit-notify 2
fragment 1390
hand-window 30
key-direction 1
mssfix
mute 3
mute-replay-warnings
nobind
ns-cert-type server
persist-key
redirect-gateway def1
remote 216.169.***.** 1194 udp
reneg-sec 0
resolv-retry infinite
route-delay 2
route-method exe
route-metric 1
topology subnet
tun-mtu 1500
verb 3
<ca>
-----BEGIN CERTIFICATE-----
MIIExzCCA6+gAwIBAgIJAKl5ZQ8Me/ZNMA0GCSqGSIb3DQEBBQUAMIGdMQswCQYD
VQQGEwJVUzELMAkGA1UECBMCQ0ExFjAUBgNVBAcTDVNhbi1GcmFuY2lzY28xHDAa
BgNVBAoTE3JlbGlhYmxlaG9zdGluZy5jb20xHzAdBgNVBAMTFnJlbGlhYmxlaG9z
dGluZy5jb20gQ0ExKjAoBgkqhkiG9w0BCQEWG3RlY2hpZXNAcmVsaWFibGVob3N0
aW5nLmNvbTAeFw0xNTEwMjMxNTQ5MzZaFw0yNTEwMjAxNTQ5MzZaMIGdMQswCQYD
VQQGEwJVUzELMAkGA1UECBMCQ0ExFjAUBgNVBAcTDVNhbi1GcmFuY2lzY28xHDAa
BgNVBAoTE3JlbGlhYmxlaG9zdGluZy5jb20xHzAdBgNVBAMTFnJlbGlhYmxlaG9z
dGluZy5jb20gQ0ExKjAoBgkqhkiG9w0BCQEWG3RlY2hpZXNAcmVsaWFibGVob3N0
aW5nLmNvb.....BH4HhIqZz3HMHXSrTGF0j
-----END CERTIFICATE-----
</ca>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
0581c4b7bdd32608258ac97b4b1f6f00
*******b9d36e7c9cc
-----END OpenVPN Static key V1-----
</tls-auth>

Everything is the same, all I have additional is "proto udp". Any idea if that means anything?

 

[Gusar24]

Here is a text copu of my OVPN file downloaded from StrongVPN.

Some digits in server have been deleted and the certificates have been abbreviated.

You can check to see how your downloaf file compares.

auth md5
auth-user-pass
cipher AES-256-CBC
client
comp-lzo adaptive
dev tun
explicit-exit-notify 2
fragment 1390
hand-window 30
key-direction 1
mssfix
mute 3
mute-replay-warnings
nobind
ns-cert-type server
persist-key
redirect-gateway def1
remote 216.169.***.** 1194 udp
reneg-sec 0
resolv-retry infinite
route-delay 2
route-method exe
route-metric 1
topology subnet
tun-mtu 1500
verb 3
<ca>
-----BEGIN CERTIFICATE-----
MIIExzCCA6+gAwIBAgIJAKl5ZQ8Me/ZNMA0GCSqGSIb3DQEBBQUAMIGdMQswCQYD
VQQGEwJVUzELMAkGA1UECBMCQ0ExFjAUBgNVBAcTDVNhbi1GcmFuY2lzY28xHDAa
BgNVBAoTE3JlbGlhYmxlaG9zdGluZy5jb20xHzAdBgNVBAMTFnJlbGlhYmxlaG9z
dGluZy5jb20gQ0ExKjAoBgkqhkiG9w0BCQEWG3RlY2hpZXNAcmVsaWFibGVob3N0
aW5nLmNvbTAeFw0xNTEwMjMxNTQ5MzZaFw0yNTEwMjAxNTQ5MzZaMIGdMQswCQYD
VQQGEwJVUzELMAkGA1UECBMCQ0ExFjAUBgNVBAcTDVNhbi1GcmFuY2lzY28xHDAa
BgNVBAoTE3JlbGlhYmxlaG9zdGluZy5jb20xHzAdBgNVBAMTFnJlbGlhYmxlaG9z
dGluZy5jb20gQ0ExKjAoBgkqhkiG9w0BCQEWG3RlY2hpZXNAcmVsaWFibGVob3N0
aW5nLmNvb.....BH4HhIqZz3HMHXSrTGF0j
-----END CERTIFICATE-----
</ca>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
0581c4b7bdd32608258ac97b4b1f6f00
*******b9d36e7c9cc
-----END OpenVPN Static key V1-----
</tls-auth>

Just tried to upload the file and it connects but nothing is opening...no internet. I have attached a screenshot of the Status and you can see some of the values there are 0.

 

[CaptainSTX]

Everything is the same, all I have additional is "proto udp". Any idea if that means anything?

I know that StrongVPN used to suggest that you modify your VPN file to include this statement, but that was in earlier versions of ASUS/Merlin. I don't have it and I have no problems.

 

[CaptainSTX]

I will take another look latter at my settings, but I can't risk screwing up the network while the wife is binge watching "House of Cards" .

 

[Gusar24]

I will take another look latter at my settings, but I can't risk screwing up the network while the wife is binge watching "House of Cards" .

Ok no worries, whenever you have the time. I took out the proto udp, doesn't seem to make much difference. One thing I noticed was that when it is connected, I am able to browse a handful of website but cannot open google.com or anything major. The Facebook app works on my phone though and some other sites. Might this be some kind of a DNS thing? Did you change anything in your DNS server settings in WAN?

 

[Xentrk]

Hi Xentrk,

My FW version is 380.65.4

I have attached the screenshots of the configuration. I appreciate any way you can help.


CaptainSTX,

I have tried that with many different servers and I hit the On button and it is stuck in "Connecting" mode.

Let me know if you guys need any more info.

Thanks.

I suggest you set Cipher Negotiation to Disabled. Since the vpn tunnel appears to work from the status screen, I wonder if you have wrong settings in Policy Rules? Try changing Redirect Internet Traffic to All Traffic to see if your traffic starts going through the VPN. If so, that points the issue to Policy Rules.

For policy rules, make sure you have the router's ip address set to go thru the WAN as follows:
Description...........Source IP......Destination IP.....Iface
Router....................192.168.1.1.........0.0.0.0.....................WAN
Device 1.................192.168.1.100......0.0.0.0......................VPN
Device 2.......

 

[Gusar24]

I suggest you set Cipher Negotiation to Disabled. Since the vpn tunnel appears to work from the status screen, I wonder if you have wrong settings in Policy Rules? Try changing Redirect Internet Traffic to All Traffic to see if your traffic starts going through the VPN. If so, that points the issue to Policy Rules.

For policy rules, make sure you have the router's ip address set to go thru the WAN as follows:
Description...........Source IP......Destination IP.....Iface
Router....................192.168.1.1.........0.0.0.0.....................WAN
Device 1.................192.168.1.100......0.0.0.0......................VPN
Device 2.......

I will try the cipher negotiation setting but as far as the policy rules go, I had no problems with it set this way with NordVPN so I'm not really sure if that could be the problem.

 

[Gusar24]

I suggest you set Cipher Negotiation to Disabled. Since the vpn tunnel appears to work from the status screen, I wonder if you have wrong settings in Policy Rules? Try changing Redirect Internet Traffic to All Traffic to see if your traffic starts going through the VPN. If so, that points the issue to Policy Rules.

For policy rules, make sure you have the router's ip address set to go thru the WAN as follows:
Description...........Source IP......Destination IP.....Iface
Router....................192.168.1.1.........0.0.0.0.....................WAN
Device 1.................192.168.1.100......0.0.0.0......................VPN
Device 2.......

So strangely, I finally got it to work... It seems all I had to do was set it to Redirect All Traffic. It was the Policy Rules that was messing me up the whole time. The problem is I have a Set Top Box with IPTV which I want to go directly through the internet while everything else through the VPN.

How can I set the policy rules so that it works? Also what does the Accept DNS Configuration setting do?

 

[Xentrk]

So strangely, I finally got it to work... It seems all I had to do was set it to Redirect All Traffic. It was the Policy Rules that was messing me up the whole time. The problem is I have a Set Top Box with IPTV which I want to go directly through the internet while everything else through the VPN.

How can I set the policy rules so that it works? Also what does the Accept DNS Configuration setting do?

Alright! I suspected it was Policy Rules. For a more detailed discussion on policy rules and examples, see the guide in this post https://www.snbforums.com/threads/h...r-pia-and-other-vpn-providers-380-65_4.30851/.

I keep things simple on the one router I have policy rules set up, there are 16 clients. I assign each device a static IP address. I have a small range for dynamic ip addresses which is outside the range of the static IP addresses. Using my prior example, I then list each device, their assigned static IP address (source IP), destination IP (0.0.0.0) and Iface (WAN or VPN)

Description...........Source IP......Destination IP.....Iface
Router....................192.168.1.1.........0.0.0.0.....................WAN
SetTopBox.................192.168.1.100......0.0.0.0..................WAN
Device 1..................192.168.1.110..........0.0.0.0................VPN

From what I understand, one only has to enter the clients that need to use the VPN tunnel in the table. So entering WAN clients it in the table is not required. But having the router entry on the first line is required if I recall. But it has been awhile since I reviewed the setup rules.

The definition of the Accept DNS Configuration field values are as follows (Source: https://www.snbforums.com/threads/openvpn-dns-selective-routing-questions.28191/#post-217362)

a. Disabled: DNS servers pushed by VPN provided DNS server are ignored.
b. Relaxed: DNS servers pushed by VPN provided DNS server are prepended to the current list of DNS servers, of which any can be used.
c. Strict: DNS servers pushed by the VPN provided DNS server are prepended to the current list of DNS servers, which are used in order (existing DNS servers are only used if VPN provided ones don't respond).
d. Exclusive: Only the pushed VPN provided DNS servers are used.

I highly recommend you do a quick review of the guide I wrote as there are some issues with the Accept DNS Configuration setting depending if the setting for Redirect Internet Traffic is All Traffic or Policy Rules. Here are the links:

https://www.snbforums.com/threads/torguard-openvpn-2-4-client-setup-for-asus-merlin-380-65-380-65_2-part-i.38281/

https://www.snbforums.com/threads/torguard-openvpn-2-4-client-setup-for-asus-merlin-380-65-380-65_2-part-ii.38282/

https://www.snbforums.com/threads/torguard-openvpn-2-4-client-setup-for-asus-merlin-380-65-380-65_2-part-iii.38283/

 

[CaptainSTX]

So strangely, I finally got it to work... It seems all I had to do was set it to Redirect All Traffic. It was the Policy Rules that was messing me up the whole time. The problem is I have a Set Top Box with IPTV which I want to go directly through the internet while everything else through the VPN.

How can I set the policy rules so that it works? Also what does the Accept DNS Configuration setting do?

I personally prefer to give all devices that connect to my LAN fixed/static IP addresses. Certain ranges are for certain types of devices. I limit the DHCP pool for assignment to 20 addresses. When I check my list of connected devices I can easily spot the devices that have connected and have been assigned a DHCP address and investigate if I am suspicious of them.

Once you have your devices assigned static IPs it is trivial under VPN policy rules to assign them either WAN or VPN interface to every device. I prefer to positively know what interface a device is using when I look at this page instead of trying to recall what the default is.

One other setting you need to consider is the " block routed clients if the tunnel goes down". I have it set to no because it is more important to me to be able to communicate with some of my IoT devices when I am traveling than losing the little bit of security that the VPN provides for them. Even though all my network gear is connected to a UPS a long power outage can have strange effects on the way a network recovers and while the VPN should restart when the router reboots you can't be sure.

Glad you got StrongVPN working for you.

 

[Gusar24]

Thank you Xentrk and CaptainSTX for helping me out to get this working. So it works fine when I have it set to Redirect All Traffic and the Accept DNS Configuration set to Exclusive. If I set it to Policy Rules and Accept DNS Configuration to Strict/Relaxed/Disabled, I cannot get it working.

Xentrk, I read all of those threads and even yorgi's guide but I cannot get it working...there is lots of different info.

Do you guys know what settings I need to change to get that working? I can select all of my connected devices from the drop down and they each have a 192.168.x.x address. and then I select VPN/WAN but nothing works.

 

[CaptainSTX]

Thank you Xentrk and CaptainSTX for helping me out to get this working. So it works fine when I have it set to Redirect All Traffic and the Accept DNS Configuration set to Exclusive. If I set it to Policy Rules and Accept DNS Configuration to Strict/Relaxed/Disabled, I cannot get it working.

Xentrk, I read all of those threads and even yorgi's guide but I cannot get it working...there is lots of different info.

Do you guys know what settings I need to change to get that working? I can select all of my connected devices from the drop down and they each have a 192.168.x.x address. and then I select VPN/WAN but nothing works.

Just asking to eliminate the obvious but after selecting WAN - VPN you did click apply?

MY settings are:

Policy Rules

Accept DNS - Disable

Other than that I don't have any other suggestions at this time.