What's new

Problem setting up Nordvpn on asus RT-ac86u merlin [Noob]

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Robson

New Around Here

Attachments

  • 1.png
    1.png
    125.5 KB · Views: 314
  • 2.png
    2.png
    96.9 KB · Views: 305
  • 3.png
    3.png
    102.8 KB · Views: 271
  • 4.png
    4.png
    110.7 KB · Views: 306
Tried setting up Nordvpn on my roter using this guide https://support.nordvpn.com/Connectivity/Router/1047410642/AsusWRT-Merlin-setup-with-NordVPN.htm
It works for a while and then suddenly I lose internet.
If I set "connect to dns server automatically" to yes usually internet comes back but I lose my VPN.
Could someone take a look on my setting and let me know if anything is wrong from there?

Thanks
You may want to change your "Connection Retry Attempts" from 15 to 0 (infinite). Perhaps it's giving up after 15 chances. Also, what do you have under your "custom configuration" settings? I've provided some screenshots of my setup under this thread:

 
You may want to change your "Connection Retry Attempts" from 15 to 0 (infinite). Perhaps it's giving up after 15 chances. Also, what do you have under your "custom configuration" settings? I've provided some screenshots of my setup under this thread:

Thanks I will try it! I´ll take a look at your thread first thing tomorrow. getting late here

this is my c.c :

remote-cert-tls server
remote-random
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ping-timer-rem
reneg-sec 3600

#log /tmp/vpn.log
 
Last edited:
Don't use the NordVPN DNS servers on your WAN settings. Use your "normal" DNS server selection, e.g. your ISP's servers or something like 9.9.9.9.
Thanks for your reply
I changed dns to cloudfare 1.1.1.1 and 1.0.0.1
going to give it a try
 
Thanks I will try it! I´ll take a look at your thread first thing tomorrow. getting late here

this is my c.c :

remote-cert-tls server
remote-random
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ping-timer-rem
reneg-sec 3600

#log /tmp/vpn.log

Give this one a shot... it does seem to help with speed and stability:

Code:
remote-random
resolv-retry infinite
remote-cert-tls server
ping 15
ping-restart 0
ping-timer-rem
persist-key
persist-tun
reneg-sec 0
fast-io
disable-occ
mute-replay-warnings
auth-nocache
sndbuf 524288
rcvbuf 524288
push "sndbuf 524288"
push "rcvbuf 524288"
pull-filter ignore "auth-token"
pull-filter ignore "ifconfig-ipv6"
pull-filter ignore "route-ipv6"
explicit-exit-notify 3
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
 
Give this one a shot... it does seem to help with speed and stability:

Code:
remote-random
resolv-retry infinite
remote-cert-tls server
ping 15
ping-restart 0
ping-timer-rem
persist-key
persist-tun
reneg-sec 0
fast-io
disable-occ
mute-replay-warnings
auth-nocache
sndbuf 524288
rcvbuf 524288
push "sndbuf 524288"
push "rcvbuf 524288"
pull-filter ignore "auth-token"
pull-filter ignore "ifconfig-ipv6"
pull-filter ignore "route-ipv6"
explicit-exit-notify 3
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
I´ve been using your custom code for a couple of hours now. So far so good !
I´ll report back in a couple days and let you know how it went/goes.
Thanks for taking the time helping me out!
 
I´ve been using your custom code for a couple of hours now. So far so good !
I´ll report back in a couple days and let you know how it went/goes.
Thanks for taking the time helping me out!

Absolutely... I think @ColinTaylor's suggestion was probably the fix, but every little tweak helps in the overall scheme of things. ;)
 
Would you mind sharing your reasoning regarding this?
Many times, VPN providers' DNS servers are meant to be accessed only while connected through their VPN, and may not even be usable or visible to the general public. So if you reference them in your WAN connection, you're basically making a public connection to them without accessing them through an encrypted tunnel, and may not be usable... thus breaking your ability to resolve anything, and hobbling your ability to function across the WAN.
 
Last edited:
Would you mind sharing your reasoning regarding this?
In addition to @Viktor Jaep's post, the OP was using policy rules to redirect only one device through the VPN. The VPN provider instructions assume all devices are going through the VPN and the customer wants all these devices to use their DNS servers.
 
Do not use 386.7_2 or 386.7, it will not work stable with nordvpn. Esspecially the dns is buggy when using VPN (stops working). Use 386.5_2 on the ac86u and the also the dns servers of nordvpn will just work fine.
 
Do not use 386.7_2 or 386.7, it will not work stable with nordvpn. Esspecially the dns is buggy when using VPN (stops working). Use 386.5_2 on the ac86u and the also the dns servers of nordvpn will just work fine.
I use NordVPN for my tests. I had a NordVPN tunnel running non-stop for multiple weeks on my RT-AC68U without any connectivity issue.
 
Do not use 386.7_2 or 386.7, it will not work stable with nordvpn. Esspecially the dns is buggy when using VPN (stops working). Use 386.5_2 on the ac86u and the also the dns servers of nordvpn will just work fine.
Agreeing completely with @RMerlin ... I've been running NordVPN non-stop on both 386.7 and 386.7_2 (and waaaayyyy before these versions)... zero issues with the firmware, or with dns. I'm not sure what @Dimmie is referring to, but feel free to ignore this advice completely. He is most likely experiencing issues due to vpn client configuration problems or custom vpn config options. <sigh>
 
Not
...but feel free to ignore this advice completely...

Too bad that I was not taken seriously. That you don't experience problems doesn't say the problem is not present.

Anyway another update: With 386.9_beta1 all problems are gone. Tested on 1x ac68u, 1x ac86u, and 2x ac2900. Different locations. So on 4 different devices/4 different locations this problem is present with 386.7 and 386.7_2. Since 389.0 is just released I will test that one also but I don't expect any issues anymore since 386.9_beta1 runs very stable.

For the record: I also run NordVPN for long time and also way before the 386.7 versions. Config exactly as recommended by NordVPN itself.

PS: According to the config you gave to Robson, NordVPN recommends to force 'cipher AES-256-CBC' but I do not see it in your config....
 
Last edited:
Too bad that I was not taken seriously. That you don't experience problems doesn't say the problem is not present.
I think the fact that you made a blanket recommendation that nobody use 386.7_2 when it clearly has been working for everyone else here with Nordvpn. No dns issues either. Instead of downplaying a firmware that works for everyone else, the correct approach would have been diving a little more into your settings and config to figure out your issue.
PS: According to the config you gave to Robson, NordVPN recommends to force 'cipher AES-256-CBC' but I do not see it in your config....
I believe all that info is already included in the .config file you download from Nordvpn, because that how it's configured by default. You don't need to specify this in the custom config section.
 
According to technical guys from NordVPN you should put 'cipher AES-256-CBC' in the custom field when using Merlin. If they give wrong info please tell them.
 
389 Beta 1???
 
According to technical guys from NordVPN you should put 'cipher AES-256-CBC' in the custom field when using Merlin. If they give wrong info please tell them.
Out of the box by default, mine seems to settle on AES-256-GCM... Based on what I'm reading below, it's better to use GCM than CBC.

Code:
Jan  6 15:52:37 ovpn-client5[7114]: VERIFY OK: depth=0, CN=us2951.nordvpn.com
Jan  6 15:52:37 ovpn-client5[7114]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jan  6 15:52:37 ovpn-client5[7114]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jan  6 15:52:37 ovpn-client5[7114]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 4096 bit RSA, signature: RSA-SHA512

AES-CBC vs AES-GCM​

Until fairly recently, AES was usually used in cipher block chaining (CBC) mode, where each block of plaintext is XORed with the previous ciphertext block before being encrypted. When used in CBC mode, a HMAC hashing algorithm such as HMAC-SHA256 is required to verify the data.

It is increasingly common, however, to see AES used in Galois/counter (GCM) mode, which uses the counter mode of encryption. The main advantage of this is that it uses the Galois field to verify data without the need for an outside algorithm. It is therefore more efficient than using a separate authentication algorithm that can have a high computational overhead.

Although AES-CBC with HMAC authentication is generally considered secure, CBC is potentially vulnerable to padding attacks, such as POODLE. GCM is not. Proton VPN uses AES-GCM in our OpenVPN encryption suite.


Even NordVPN Support recommends AES-256-GCM:

1. OpenVPN

OpenVPN is a mature and robust piece of open-source software that enables us to provide a reliable and secure VPN service. It is a versatile VPN protocol that can be used on both TCP and UDP ports. OpenVPN supports a great number of strong encryption algorithms and ciphers: to ensure the protection of your data, we use AES-256-GCM with a 4096-bit DH key. If you are conscious about your security and are wondering what the most stable NordVPN protocol is, we recommend OpenVPN.

 

Similar threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top