1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.
Dismiss Notice

Welcome To SNBForums

SNBForums is a community for anyone who wants to learn about or discuss the latest in wireless routers, network storage and the ins and outs of building and maintaining a small network.

If you'd like to post a question, simply register and have at it!

While you're at it, please check out SmallNetBuilder for product reviews and our famous Router Charts, Ranker and plenty more!

How to set up VPN Client for ProtonVPN?

Discussion in 'Asuswrt-Merlin' started by XIII, Mar 10, 2018.

  1. XIII

    XIII Very Senior Member

    Joined:
    Feb 27, 2014
    Messages:
    513
    After having successfully set up a VPN server (for quite some time) I would now like to try configuring a VPN client on the router. Since my paid provider does not support OpenVPN (I use it only on iOS, using IKEv2) I would like to experiment with the free variant of ProtonVPN.

    I read the instructions for NordVPN which seem a good start: https://nordvpn.com/tutorials/asustwrt-merlin/openvpn/

    From ProtonVPN I downloaded this OPVN configuration file:
    Code:
    client
    dev tun
    proto udp
    remote nl-free-01.protonvpn.com 1194
    remote-random
    resolv-retry infinite
    nobind
    cipher AES-256-CBC
    auth SHA512
    comp-lzo
    verb 3
    tun-mtu 1500
    tun-mtu-extra 32
    mssfix 1450
    persist-key
    persist-tun
    ping 15
    ping-restart 0
    ping-timer-rem
    reneg-sec 0
    remote-cert-tls server
    auth-user-pass
    pull
    fast-io
    block-outside-dns
    <ca>REMOVED</ca>
    key-direction 1
    <tls-auth>REMOVED</tls-auth>
    After importing that and entering my ProtonVPN credentials the OpenVPN client would not start due to an invalid configuration. Removing the block-outside-dns directive seemed to solve that.

    The OpenVPN client does start now, but I can't access any site. I first thought that DNS did not work. However, accessing a site via its IP does not work either.

    Any tips on how to investigate/solve this?

    Note: I use unbound (via Entware) with DNSSEC for DNS over TLS and also run AB-Solution and SkyNet.
     
  2. Please support SNBForums! Just click on this link before you buy something from Amazon and we'll get a small commission on anything you buy. Thanks!
  3. Billy Chaney

    Billy Chaney Occasional Visitor

    Joined:
    Mar 16, 2018
    Messages:
    49
    Location:
    Florida
    I was just wondering what DNS you were using. I tried using 10.8.8.1 from ProtonVPN, but it kept locking up my AC68U.
     
  4. Xentrk

    Xentrk Very Senior Member

    Joined:
    Jul 21, 2016
    Messages:
    1,369
    Location:
    Thailand
    Try adding this line to custom configuration section to seeing helps

    dhcp-option dns some.dns.ip.address

    E.g. dhcp-option dns 9.9.9.9
     
  5. Billy Chaney

    Billy Chaney Occasional Visitor

    Joined:
    Mar 16, 2018
    Messages:
    49
    Location:
    Florida
    That worked. Thank you very much. I was really bummed out about having to use googles dns.
     
  6. Xentrk

    Xentrk Very Senior Member

    Joined:
    Jul 21, 2016
    Messages:
    1,369
    Location:
    Thailand
    If you route all traffic over the tunnel, set Accept DNS Configuration to Exclusive. That should force all vpn clients to use DNS of VPN provider.

    If you use Policy Rules, DNS acts differently. I have to set Accept DNS Configuration to Strict and add the dhcp-option line in the Custom Config section. Otherwise I have routing issues. wget will not work for example and AB-Solution will not work over the VPN tunnel. Unfortunately, the downside is DNS will leak.
     
  7. Xentrk

    Xentrk Very Senior Member

    Joined:
    Jul 21, 2016
    Messages:
    1,369
    Location:
    Thailand
    It is still on my to do list to test unbound on AsusWRT Merlin.
     
  8. Billy Chaney

    Billy Chaney Occasional Visitor

    Joined:
    Mar 16, 2018
    Messages:
    49
    Location:
    Florida
    I used 10.8.8.1 and checked with dnsleak.com and no leaks. Try that DNS.
     
  9. XIII

    XIII Very Senior Member

    Joined:
    Feb 27, 2014
    Messages:
    513
    Quad9.

    But I'm going to try the suggestions I got here this weekend. Thanks!
     
  10. LostFreq

    LostFreq Regular Contributor

    Joined:
    Nov 27, 2017
    Messages:
    59
    Location:
    Belgium
    See also my post here: https://www.snbforums.com/threads/382-2-beta3-vpn-client-working.44171/#post-375106
    Although I use ProtonVPN my config never had that block-outside-dns line.
    I use 'Policy Rules (strict)' and have 'Accept DNS Configuration' set to Exclusive. Without a dhcp-option line.
    My external DNS servers are configured only on the 'WAN - Internet Connection' page (i.e. not on the 'LAN - DHCP Server' page).
     
    Last edited: Mar 17, 2018
  11. Billy Chaney

    Billy Chaney Occasional Visitor

    Joined:
    Mar 16, 2018
    Messages:
    49
    Location:
    Florida
    You know, when I did it this way it worked good until I rebooted my router. And then no joy. The router started acting up again. Asuswrt Merlin just doesn't like ProtonVPN DNS 10.8.8.1.
     
  12. XIII

    XIII Very Senior Member

    Joined:
    Feb 27, 2014
    Messages:
    513
    I would like to give this another try. Any tips?
     
  13. Billy Chaney

    Billy Chaney Occasional Visitor

    Joined:
    Mar 16, 2018
    Messages:
    49
    Location:
    Florida
    I've been using ProtonVPN Plus servers with much success. I use Cloudflare dns under my Wan dns. The problem I was having was that I didn't point my windows ethernet dns settings to my routers ip address. Once I did that all my problems went away. With ProtonVPN's plus servers I just load the default settings and it works fine. Also, I use policy rules. ProtonVPN Plus is a little pricey but I like it. Hope this helps.
     
    Last edited: May 24, 2018
  14. XIII

    XIII Very Senior Member

    Joined:
    Feb 27, 2014
    Messages:
    513
    This week a PIA VPN OpenVPN file worked out of the box, so I wanted to give ProtonVPN another chance.

    Still fails... (hopefully I can learn something from the PIA setup?)
     
  15. Skeptical.me

    Skeptical.me Occasional Visitor

    Joined:
    Sep 22, 2016
    Messages:
    47
    Location:
    Australia
    Hey, thanks for all the good advice in this thread, I got everything working in an OpenVPN client. I checked with ipleak.net and everything is good.

    However, I have a line speed on 32Mbps and with ExpressVPN and AirVPN I get around 25(ish)Mbps using an OpenVPN client on mt RT-AC87U but with ProtonVPN I'm only getting 10Mbps.

    Code:
    remote-random
    resolv-retry infinite
    tun-mtu 1500
    tun-mtu-extra 32
    mssfix 1450
    ping 15
    ping-restart 0
    ping-timer-rem
    remote-cert-tls server
    pull
    fast-io
    dhcp-option dns 10.8.8.1
    I've got "Accept DNS Configuration" set to "Exclusive"
    LAN>DHCP>DHCP SERVER>DNS 1 10.8.8.1>DNS 2 10.7.7.1
    I use Policy Routing - I have to as some devices need WAN access

    Do you guys know how I can tweak the settings to get faster speeds?

    Edit: I set up a second client with a California server rather than the US .ovpn config file and didn't add the "dhcp-option dns 10.8.8.1" line and I', getting about 15Mbps (I have really crappy broadband speeds in general :-( )

    Edit 2: I'm getting 27Mbps on the American .ovpn config now - thats much better.
     
    Last edited: Jul 13, 2018 at 11:58 PM
  16. XIII

    XIII Very Senior Member

    Joined:
    Feb 27, 2014
    Messages:
    513
    Finally got OpenVPN to work on my router via this Reddit post and adding this to the Custom Configuration field:

    Code:
    script-security 2
    dhcp-option DNS 9.9.9.9
    dhcp-option DOMAIN example.lan
    ("example.lan" is not the real name I use; just an "obfuscated" example)

    With these settings OpenVPN uses Quad9 directly.

    Using 192.168.1.1 instead of 9.9.9.9 to also use AB-Solution and pixelserv-tls does not seem to work...
     
    Skeptical.me likes this.
Please support SNBForums! Just click on this link before you buy something from Amazon and we'll get a small commission on anything you buy. Thanks!