openvpn tutorial on asus rt-ac88u using merlin f/w 384.9

[eltell69]

Hi Guys I posted a request earlier about my asus rt-ac88u as main wifi router and rt-ac86u as the access point and I've installed the merlin f/w on both routers. Well I'm now trying to install the nordvpn on the main router but unable to see protected on the nordvpn web site.
It was a lot easier when using the asus default f/w to set up. Is there a step by step set up guide for doing this vpn when using merlin f/w as I've looked on this site and elsewhere and am unable to source at the mo.
Would appreciate your help with this. Thanks.

 

[ColinTaylor]

I just used these instructions. It was pretty straight forward.

P.S. I don't know what you mean by "unable to see protected on the nordvpn web site".

 

[eltell69]

I just used these instructions. It was pretty straight forward.

P.S. I don't know what you mean by "unable to see protected on the nordvpn web site".

Hi Colin yes the instructions for the vpn install using the default asuswrt firmware is pretty straight forward but what I'm looking for is a download version say .pdf of a step by step guide for installing a nordvpn with the merlin firmware.

When opening the nordvpn web page it tells you at the top of the page your ip address and if your not using a vpn then it says your 'unprotected', if you have a running vpn then your ip address will be different and your be 'protected'

I have seen the setup guide via google but unable to download it.

Many thanks for your reply much appreciated

 

[eltell69]

Well I've put everything back to default as the 384.9 f/w doesn't seem to like my rt-ac88u. I can't use the asus default f/w as I'm unable to find any settings for allowing my fetch tv streaming which would be wired to the rt-ac86u which is in access point mode. Maybe there's someone who can assist me with this as I can't spend loads of time trying to figure out how to use the merlin f/w. Another strange thing was the rt-ac88u slowed right down when the merlin was installed, maybe it was the way I installed it I don't know. No probs at all when it's all aimesh which is very good but I would like the vpn which the asus has and is easy to set up but as I said no streaming. Anyone.

 

[Marin]

Well I've put everything back to default as the 384.9 f/w doesn't seem to like my rt-ac88u. I can't use the asus default f/w as I'm unable to find any settings for allowing my fetch tv streaming which would be wired to the rt-ac86u which is in access point mode. Maybe there's someone who can assist me with this as I can't spend loads of time trying to figure out how to use the merlin f/w. Another strange thing was the rt-ac88u slowed right down when the merlin was installed, maybe it was the way I installed it I don't know. No probs at all when it's all aimesh which is very good but I would like the vpn which the asus has and is easy to set up but as I said no streaming. Anyone.

Did you follow their tutorial on how yo do this?

https://nordvpn.com/tutorials/asustwrt-merlin/openvpn/

There is also a link in between these instructions to download all of their servers. This will be a zip file. Save this file in a folder so you can use it later when looking for different server files to download. The list of servers is updated from time to time so it may be a good idea to frequently check this site and re-download the zip file if needed.

Would start with a server that is close to your location and go from there. There is a link on the site (which I can’t find now for some reason) that shows the location of each server. Otherwise, you can contact NordVPN and they can email this list to you.




Sent from my iPhone using Tapatalk

 

[Marin]

[QUOTE P.S. I don't know what you mean by "unable to see protected on the nordvpn web site".[/QUOTE]

Some VPN providers (ExpressVPN, NordVPN) include on their main homepage a link (at the very top usually) that states: Protected or Unprotected depending on whether you are using a VPN or not. However, this is only if you use their servers and not others. For example, if you use ExpressVPN then the NordVPN site will show you as “Unprotected”. The same goes if you have NordVPN installed and are checking out ExpressVPN’s homepage.



Sent from my iPhone using Tapatalk

 

[eltell69]

Did you follow their tutorial on how yo do this?

https://nordvpn.com/tutorials/asustwrt-merlin/openvpn/

There is also a link in between these instructions to download all of their servers. This will be a zip file. Save this file in a folder so you can use it later when looking for different server files to download. The list of servers is updated from time to time so it may be a good idea to frequently check this site and re-download the zip file if needed.

Would start with a server that is close to your location and go from there. There is a link on the site (which I can’t find now for some reason) that shows the location of each server. Otherwise, you can contact NordVPN and they can email this list to you.




Sent from my iPhone using Tapatalk

Hi Marin I did try to use the tutorial but wasn't successful. I also downloaded their recommended server config files in the .ovpn format, the one with the single file not the zip file.
Was wondering if I could download a version of the tutorial in maybe .pdf format as I don't know how to copy the web based version including the router pictures maybe you can advise me on this.
Just out of curiosity would the rt-ac86u be the better router for the main one as I use the rt-ac88u for the main one because of the 8 Ethernet ports.
Also do I require the merlin f/w on both routers or just the main one as the rt-ac86u is in access point mode.

 

[ColinTaylor]

Did you follow their tutorial on how yo do this?

https://nordvpn.com/tutorials/asustwrt-merlin/openvpn/

I found those instructions to be years out of date and contain some questionable customisation options that might conflict/replace those already supplied by NordVPN. They were written for firmware version 380.59.

The generic Asus intructions I linked to are much more up to date and worked for me. The only change I would suggest is that you don't do step 10 (change WAN DNS settings) as it not necessary and can cause problems in certain circumstances.

You don't need to download a PDF (I don't think there are any anyway), just work off the web page. If you really must have an offline copy then either print or save the web page. In Chrome (and probably other browsers) you can even select the "Print" option and change the destination to "Save as PDF".

 

[Marin]

I found those instructions to be years out of date and contain some questionable customisation options that might conflict/replace those already supplied by NordVPN. They were written for firmware version 380.59.

The generic Asus intructions I linked to are much more up to date and worked for me. The only change I would suggest is that you don't do step 10 (change WAN DNS settings) as it not necessary and can cause problems in certain circumstances.

You don't need to download a PDF (I don't think there are any anyway), just work off the web page. If you really must have an offline copy then either print or save the web page. In Chrome (and probably other browsers) you can even select the "Print" option and change the destination to "Save as PDF".

From what I see the link you provided is for Asus routers using stock firmware. I thought OP had Merlin installed but maybe I missed that detail.

Yes the info on the NordVPN’s site is quite dated but it is a start. A lot of us have ended up changing some of the settings overtime as new knowledge comes out.




Sent from my iPhone using Tapatalk

 

[Marin]

@eltell69, once you are able to download and set your VPN client please post snips of your configuration here (remove personal info) so everyone can view its settings and offer suggestions on how to tweak them to make it work.


Sent from my iPhone using Tapatalk

 

[ColinTaylor]

From what I see the link you provided is for Asus routers using stock firmware. I thought OP had Merlin installed but maybe I missed that detail.

Yes, but that was my point. The "Merlin instructions" are so out of date that the "stock" instructions are more appropriate for Merlin's current firmware now.

 

[eltell69]

Well Marin, Colin what I've done now is re-installed the stock asus f/w to get aimesh back again as it was perfect for what I wanted regarding the other static ip's and streaming from the fetchbox. I then reinstalled the merlin f/w and got a work around to enable the aimesh to work with it and it does so all's good.
Now the next thing I tried was to install the nordvpn .ovpn file but the main rt-ac88u router won't install it as after browsing and uploading it it completes then just drops it, tried reloading it but it drops it every time after it loads it. Wonder if this has anything to do with the aimesh workaround that was installed. What do you reckon guys.
Trying to avoid putting everything back to 'merlin normal' as I'll loose aimesh and not sure the best mode to put the rt-ac86u into whether access point or something else.
What do you guys think as I'm going round in circles.

 

[Marin]

Well Marin, Colin what I've done now is re-installed the stock asus f/w to get aimesh back again as it was perfect for what I wanted regarding the other static ip's and streaming from the fetchbox. I then reinstalled the merlin f/w and got a work around to enable the aimesh to work with it and it does so all's good.
Now the next thing I tried was to install the nordvpn .ovpn file but the main rt-ac88u router won't install it as after browsing and uploading it it completes then just drops it, tried reloading it but it drops it every time after it loads it. Wonder if this has anything to do with the aimesh workaround that was installed. What do you reckon guys.
Trying to avoid putting everything back to 'merlin normal' as I'll loose aimesh and not sure the best mode to put the rt-ac86u into whether access point or something else.
What do you guys think as I'm going round in circles.

I don’t use aimesh so I can’t make any recommendations - although I don’t know how you were able to get that working since Merlin’s firmware does not support it.

Would recommend that you include some pics of your VPN configuration screens so others can review and advise. Please remove any personal info from these before posting.


Sent from my iPhone using Tapatalk

 

[eltell69]

Hi Marin I included the home shot just to verify the aimesh with Merlin's f/w. The other screen shot is of the vpn settings, as explained earlier when I browse and load the .ovpn file it loads momentarily then seems to revert to the prior state just before loading and reloading doesn't make any difference, hope this is what your asking for.

 

[ColinTaylor]

Your VPN screenshot doesn't show any entries in the username or password fields. Have you just removed them for privacy reason, or have you forgotten to type them in?

You have blacked out some of the other options regarding IP address and crypto so I can't check those. That is publicly available information so there's no need to hide it.

You should also have some "Custom Configuration" entries in the box at the bottom of the page. If you cut and paste that into your post I can check it against what I've got.

 

[Marin]

Under the VPN Client tab (VPN tab--> VPN Client tab):

Service state: Slide to ON

Automatic Start at boot time = Yes

Accept DNS Configuration = Strict

Username = Don't forget to enter this (usually the email address from NORDVPN account)

Password: Don't forget to enter this (from NORDVPN account)

Cipher negotiation - DISABLE

Log verbosity = 3

Compression = DISABLE

TLS Renegotiation time = -1

Connection Retry Attempts = -1

Policy Rules = Strict

Block Routed Clients.... = No

Rules:

Router 192.168.1.1 0.0.0.0 WAN
All Devices 192.168.1.0/24 0.0.0.0 VPN

Copy and Paste the following under the Custom configuration window:

dhcp-option DNS 103.86.96.100
dhcp-option DNS 103.86.99.100
resolv-retry infinite
remote-random
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ping 15
ping-restart 0
ping-timer-rem
explicit-exit-notify 3
remote-cert-tls server
pull
fast-io

Make sure to "Apply" after you make the above changes

Then go to WAN tab of the GUI....

Under WAN DNS Settings, enter the following:

Connect to DNS server automatically = No

then enter the following under each DNS server space (these are NordVPN servers but you can use other ones if you would like - if you do make sure that this info matches with the first 2 lines on Custom Configuration window - see info in green):

DSN Server 1 = 103.86.96.100

DNS Server 2 = 103.86.99.100

Make sure to "Apply" when you are done entering this info


Hopefully this helps.

 

[eltell69]

Under the VPN Client tab (VPN tab--> VPN Client tab):

Service state: Slide to ON

Automatic Start at boot time = Yes

Accept DNS Configuration = Strict

Username = Don't forget to enter this (usually the email address from NORDVPN account)

Password: Don't forget to enter this (from NORDVPN account)

Cipher negotiation - DISABLE

Log verbosity = 3

Compression = DISABLE

TLS Renegotiation time = -1

Connection Retry Attempts = -1

Policy Rules = Strict

Block Routed Clients.... = No

Rules:

Router 192.168.1.1 0.0.0.0 WAN
All Devices 192.168.1.0/24 0.0.0.0 VPN

Copy and Paste the following under the Custom configuration window:

dhcp-option DNS 103.86.96.100
dhcp-option DNS 103.86.99.100
resolv-retry infinite
remote-random
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ping 15
ping-restart 0
ping-timer-rem
explicit-exit-notify 3
remote-cert-tls server
pull
fast-io

Make sure to "Apply" after you make the above changes

Then go to WAN tab of the GUI....

Under WAN DNS Settings, enter the following:

Connect to DNS server automatically = No

then enter the following under each DNS server space (these are NordVPN servers but you can use other ones if you would like - if you do make sure that this info matches with the first 2 lines on Custom Configuration window - see info in green):

DSN Server 1 = 103.86.96.100

DNS Server 2 = 103.86.99.100

Make sure to "Apply" when you are done entering this info


Hopefully this helps.

Hi Colin as explained earlier the .ovpn file doesn't fully load and therefore auto config some of the settings, here is a shot of the page with the custom cofig setts but no nord login details
as whats the point if nothing loads.

Marin I did some of what you suggest but not sure if all. I notice I didn't include the 'explicit-exit-notify 3' in the custom setts but will go through it all again and retry.
Thanks Colin and Marin will let you know the outcome.

 

[Marin]

Hi Colin as explained earlier the .ovpn file doesn't fully load and therefore auto config some of the settings, here is a shot of the page with the custom cofig setts but no nord login details
as whats the point if nothing loads.

Marin I did some of what you suggest but not sure if all. I notice I didn't include the 'explicit-exit-notify 3' in the custom setts but will go through it all again and retry.
Thanks Colin and Marin will let you know the outcome.

After you Browse for your NordVPN .ovpn file make sure to click on Upload then enter all the rest of the info I mentioned on the previous post.

You must enter the username and password as without it you will not be able to access NordVPN servers.

After you enter all the info I mentioned (including on the WAN tab of the GUI) then go back to the VPN client tab and move the slider to ON. Then Apply.

Try rebooting the router after all of this.


Sent from my iPhone using Tapatalk

 

[eltell69]

Well Marin did what you suggested regarding the custom config plus the server state slider to on and all is working good now and when on nordvpn site I'm in 'protected' mode.
Strange thing though when changing the server state slider to 'on' initially and then the router auto applied the slider came back as 'off' but when changing slider to on after entering login details it stayed on then I was able to load the .ovpn file and the rest of the settings.
Thank you for your assistance Marin great stuff.
Just one more thing if you don't mind, I'm unable to stream using the fetchtv box which as the rest of my lan has it's own static ip. I realize because the router setting is at 'strict' as regards
policy rules so how do I go about allowing a particular ip access to the web for streaming as in downloading movies.

 

[Marin]

Well Marin did what you suggested regarding the custom config plus the server state slider to on and all is working good now and when on nordvpn site I'm in 'protected' mode.
Strange thing though when changing the server state slider to 'on' initially and then the router auto applied the slider came back as 'off' but when changing slider to on after entering login details it stayed on then I was able to load the .ovpn file and the rest of the settings.
Thank you for your assistance Marin great stuff.
Just one more thing if you don't mind, I'm unable to stream using the fetchtv box which as the rest of my lan has it's own static ip. I realize because the router setting is at 'strict' as regards
policy rules so how do I go about allowing a particular ip access to the web for streaming as in downloading movies.

It maybe that some of your streaming providers (Netflix, etc) are blocking content due to VPN. To circumvent these issue you have two options:

Option 1:


Go to the LAN tab of the GUI and under the DHCP server tab. There under the Manual Assignment, change Enable Manual assignment to Yes.

Then on the section below it (Manually Assigned IP....) beginning from left box to the right, find your device and give it a static IP (make sure to use the + sign when you add)

After you are done, Apply. This will ensure that your streaming device will always have the same IP address at all times.

Then go to your VPN Client tab and under the “Rules for routing clients....” section (very bottom of the page), add you streaming device there and choose WAN as the iFace. This will ensure that your device will bypass VPN.

Make sure to apply.

Now turn off the streaming device and leave off. Reboot the router and after few minutes that it has been on, turn on your streaming device.


Option 2:

If Netflix is what you use the most then see the post regarding @Xentrk’s Netflix Selective Routing. After I used that one, I no longer needed to use Option 1. For that you must have your jffs custom scripts and configure enabled (under Administration—>System—> Persistent JFFS2 partition). Enable them there and leave “Format jffs....” to No.






Sent from my iPhone using Tapatalk