
TorGuard OpenVPN 2.4 Client Setup for ASUS Merlin 380.65 & 380.65_2 Part III


Xentrk

Continued from Part II
https://www.snbforums.com/threads/torguard-openvpn-2-4-client-setup-for-asus-merlin-380-65-380-65_2-part-ii.38282/

Troubleshooting Section
1. There are two well-known media streaming services that block VPN users. If you need access to these services, you will need to subscribe to TorGuard’s Dedicated IP service.

2. I use TorGuard’s DNS servers as the WAN DNS on all of my routers. However, doing so is optional. If you have problems connecting to hostnames or you have no connectivity when connected to the VPN server, try changing your DNS to use TorGuard’s DNS Servers. The TorGuard DNS Servers are located at the bottom of the TorGuard Specs page. To configure on the Web GUI, select the WAN menu on the left. On the Internet Connection tab, go to the WAN DNS Setting section. Select the No button for Connect to DNS Servers Automatically. Then, enter the TorGuard DNS Servers in the DNS Server 1 and DNS Server 2 fields. Select the Apply button on the bottom of the screen to save the settings.

3. If you want to change the Server Address, it is not required to generate a new ovpn file from the TorGuard generator. This can be done by entering one of the TorGuard hostnames or IP addresses located at https://torguard.net/serverstatus.php in the Web GUI.

4. If you want to change the Legacy/fallback cipher, it is not required to generate a new ovpn file from the TorGuard generator. It can be done by selecting the cipher from the drop-down menu. If you change the cipher, the Port number must also be changed. Ports associated with the cipher levels are listed under the TorGuard specs page located at https://torguard.net/tgspec.php.

5. TorGuard servers may not be reachable due to their DNS provider suffering a DDoS attack. To avoid this, use the IP address of the server instead of the name. Using the server IP address rather than the domain name may also help with OpenVPN performance.

6. Sometimes, the VPN status reported on the VPN Status Web GUI may be incorrect. Refer to the System log if you suspect errors. Toggling the Service state to OFF and back to ON to create a new OpenVPN connection will often solve connection problems.

7. NTP Server Tips: There are times when the OpenVPN client won't connect to the TorGuard servers due to the clock not being set correctly on the router. This can typically occur after the router has been rebooted and the clock is not updated right away. Currently, none of the Asus routers has an RTC hardware clock. There are a couple of ways of dealing with this issue.

One solution is to install Entware on the router and install the fake-hwclock package (opkg install fake-hwclock). Fake-hwclock will save the kernel's current clock periodically (including at shutdown) to a file and restore it at boot so that the system clock keeps at least close to real time. This only works if the clock is updated correctly by the NTP client.

At other times, the NTP client cannot reach the NTP server because the DNS servers fail to resolve, which results in the router clock not being able to update. There are a few options to deal with this:

a. Enter the IP address of the NTP server directly on the Administration Menu, System Tab, Time Zone field. Note: You can browse to a specific server by selecting a region and finding a server closest to you http://support.ntp.org/bin/view/Servers/NTPPoolServers and then ping the name of the pool. This IP address will likely change due to it being a pool of servers.

b. You can leave the NTP server name as is and add a list of IP addresses for the corresponding name to the hosts.add file in /jffs/configs. For example, the Canadian server pools below were determined by pinging the server pool:

208.73.56.29 0.ca.pool.ntp.org
70.79.92.55 1.ca.pool.ntp.org
144.217.242.53 2.ca.pool.ntp.org
199.182.221.110 3.ca.pool.ntp.org

8. Encryption - depending on your router’s CPU, you may want to change the data encryption level to achieve the best performance. If speed is the primary concern rather than encryption, then select “None” for the fastest performance, which may be the best setting if your primary reason for using the VPN is to get around geo blocking for streaming media. The next level is BF-CBC, followed by AES-128-CBC and so on. The more horsepower the router has, the higher the encryption could be set with less impact on throughput.

9. If you are also using OpenVPN server on your router, make sure you select a TorGuard protocol that does not overlap with the OpenVPN Server subnet.

10. The definitions of the Accept DNS Configuration field values are as follows (Source: https://www.snbforums.com/threads/openvpn-dns-selective-routing-questions.28191/#post-217362):

a. Disabled: DNS servers pushed by VPN provided DNS server are ignored.
b. Relaxed: DNS servers pushed by VPN provided DNS server are prepended to the current list of DNS servers, of which any can be used.
c. Strict: DNS servers pushed by the VPN provided DNS server are prepended to the current list of DNS servers, which are used in order (existing DNS servers are only used if VPN provided ones don't respond).
d. Exclusive: Only the pushed VPN provided DNS servers are used.

11. MTU warning messages in System Log file – If you see messages similar to the following in the Systems Log file:

WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1558', remote='link-mtu 1526'
WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1532', remote='tun-mtu 1500'

Try removing the tun-mtu-extra 32 option from the Custom Configuration section. This removed the warning messages for @Zirescu and me. TorGuard support told me the warning messages do not cause any harm.

12. @skeal reports a setting that helped him and another participant improve overall OpenVPN speed. Select the Adaptive QoS menu option on the left. Select the QoS tab. Then, select Enable QoS to turn it on. Select the manual bandwidth setting and enter your ISP internet package speed in both the Upload Bandwidth and Download Bandwidth boxes. Select Media Streaming and Apply.

Optional Custom Configuration Options
You may want to experiment with the following OpenVPN options:

fast-io
(Experimental) Optimize TUN/TAP/UDP I/O writes by avoiding a call to poll/epoll/select prior to the write operation. The purpose of such a call would normally be to block until the device or socket is ready to accept the write. Such blocking is unnecessary on some platforms which don't support write blocking on UDP sockets or TUN/TAP devices. In such cases, one can optimize the event loop by avoiding the poll/epoll/select call, improving CPU efficiency by 5% to 10%.

This option can only be used on non-Windows systems, when --proto udp is specified, and when --shaper is NOT specified.

sndbuf 524288
rcvbuf 524288
push "sndbuf 524288"
push "rcvbuf 524288"

https://lowendtalk.com/discussion/40099/why-openvpn-is-so-slow-cool-story
https://community.openvpn.net/openvpn/ticket/461
http://winaero.com/blog/speed-up-openvpn-and-get-faster-speed-over-its-channel/

OpenVPN 2.4 Man Page
For more information on OpenVPN 2.4 configuration options, visit the OpenVPN Man page located at
https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage

Acknowledgments
Thank you to @skeal and @Zirescu for your collaboration and feedback on this guide. Your contributions are very much appreciated!
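
The two warnings quoted in item 11 differ by the same amount on both options, and that amount equals the tun-mtu-extra value the post suggests removing. The following shell sketch is an added example, not part of the original post or of Asuswrt-Merlin; the syslog prefix on the sample lines and the function names are constructed for illustration. It checks whether a tun-mtu-extra setting accounts for each reported gap.

```shell
#!/bin/sh
# Constructed sample log: the WARNING text is from the post, the timestamp/process prefix is made up.
SAMPLE_LOG="Mar 30 22:41:07 openvpn[1234]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1558', remote='link-mtu 1526'
Mar 30 22:41:07 openvpn[1234]: WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1532', remote='tun-mtu 1500'
Mar 30 22:41:08 openvpn[1234]: Initialization Sequence Completed"

# Constructed Custom Configuration text, using only options mentioned in the post.
SAMPLE_CONFIG="fast-io
sndbuf 524288
rcvbuf 524288
tun-mtu-extra 32"

# mtu_mismatches: read log text on stdin, print "option local remote gap" for each warning.
mtu_mismatches() {
    sed -n "s/.*WARNING: '\([a-z-]*\)' is used inconsistently, local='[a-z-]* \([0-9]*\)', remote='[a-z-]* \([0-9]*\)'.*/\1 \2 \3/p" |
    while read -r opt loc rem; do
        echo "$opt $loc $rem $((loc - rem))"
    done
}

# configured_extra: read config text on stdin, print the tun-mtu-extra value (nothing if absent).
configured_extra() {
    sed -n 's/^[[:space:]]*tun-mtu-extra[[:space:]]\{1,\}\([0-9]\{1,\}\).*/\1/p' | head -n 1
}

# diagnose LOG CONFIG: one line per warning, stating whether tun-mtu-extra explains the gap.
diagnose() {
    extra=$(printf '%s\n' "$2" | configured_extra)
    printf '%s\n' "$1" | mtu_mismatches | while read -r opt loc rem gap; do
        if [ -n "$extra" ] && [ "$gap" -eq "$extra" ]; then
            echo "$opt: local $loc vs remote $rem, gap $gap = tun-mtu-extra $extra"
        else
            echo "$opt: local $loc vs remote $rem, gap $gap not explained by tun-mtu-extra"
        fi
    done
}

diagnose "$SAMPLE_LOG" "$SAMPLE_CONFIG"
```

On a router, the same functions can be fed the real system log and the client's Custom Configuration text instead of the sample strings.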
 
Hello, with respect to Item No. 8, is the encryption specified and limited / fixed to what's listed in the ovpn file? I.e., "cipher AES-256-CBC" (this is taken from a VPN service ovpn file), and thus cannot be changed by router setting?
Thanks,
 

TorGuard supports the ciphers listed here https://torguard.net/tgspec.php. They do not support as many as are listed in the OpenVPN client tab Legacy/fallback Cipher field.

You need to click on the "v" symbol on the right of the Legacy/fallback Cipher field to display the list of available ciphers

There are more ciphers listed here than what TorGuard supports. Then, update the Port field to a port number that corresponds to the cipher. Then, you do not have to create and import a new ovpn config file.
 
If I select "none" in the cipher field, what Port should I use?
 
Port setting is 1194 for None.
 
Can I use Google DNS for WAN and TorGuard DNS for VPN?

Tonight I will register for TorGuard. I hope to reach 50 mbit at least. Now with PureVPN I have 10.
I have an RT-AC88U with 4 ports.
 

I am inclined to say yes per the support page at https://torguard.net/knowledgebase.php?action=displayarticle&id=180. Unfortunately, I tried to test the settings and could not get it to work. It appears that if I use Google's DNS servers on the WAN GUI tab, my ISP is overriding my setting and using their own DNS servers instead. This does not happen if I use TorGuard's DNS servers though. I had not noticed this before. Go to ipleak.net to see the DNS servers the web says you are using in your testing.
 
OK, I have more questions.

1) What do you have enabled?
AiProtection?
HW NAT?
QoS?

2) Do you use DNS Filtering or WAN DNS Setting to set TorGuard DNS?
 
1) I have AiProtection and HW NAT enabled. I have experimented with QoS. But with just the wife and me using the router for streaming and web surfing, it is not needed.

2) I set the DNS server on the WAN DNS Setting page. I have not tried to use DNS Filtering. Regarding DNS Filtering, you might find this recent thread of interest https://www.snbforums.com/threads/important-tip-for-vpn-services-on-openvpn.38494/
 
I am heading out for a few hours. I will read more when I return. But at first glance, I suspect you will need to have entware installed so you can install python and jffs enabled on the router so you can have a location for scripts such as firewall-start. See https://github.com/RMerl/asuswrt-merlin/wiki/User-scripts.

Check out this thread to see if something here helps before you go down this path:
https://www.snbforums.com/threads/selective-routing-with-asuswrt-merlin.9311/page-25
https://github.com/RMerl/asuswrt-merlin/wiki/Policy-based-routing
 
OK, so that is difficult because I don't have Entware and I don't know how to use scripts, maybe I will find a guide.
 
Contact TorGuard support to see if they can help you with what you are trying to accomplish. You will need some basic Linux knowledge and be able to SSH into the router to download the code and edit the config file for python per the instructions on GitHub: https://github.com/cdhowie/netflix-no-ipv6-dns-proxy. You can also post a new thread here in the forums asking for help to see what other solutions and ideas others may have.
 
By using Amazon Fire TV, is there a way to use VPN for Kodi and Popcorn Time, and WAN for Amazon Video and Netflix only?

Tomorrow I will start my membership with TorGuard so I can finally test all your settings.
 
Selective routing should be able to do what you want. There are techniques for this in that forum. I have not required it though because I subscribe to the private IP option with TorGuard.

If you get the Private IP option with TorGuard with an address in USA, you can bypass the Netflix and Hulu blocks and get access to USA library. Amazon video does not block VPN, but does detect geo location and limits library based on that. So, same applies here, Private IP option is the fix. It is worth the extra $ for me.
 
Yes, when I test the speed I will try. Now with PureVPN from London to NY server I got 10 mbit,
from London to London between 40 and 50 mbit. Both at 128. I need at least 30-35 mbit for 4K. I will write all my settings to compare.
In TorGuard, if I use bfcfc instead of 128 it should be even faster?
I just need encryption to protect torrents in Popcorn Time on Fire TV.
 
Yes, distance is not our friend when it comes to VPN performance. However, don't let the speed test sites be the decision maker. Watch the video stream to see what happens. Most sites other than dslreports.com give me below 30-35 mbit speeds. However, I am able to watch videos and sporting events in 4K without buffering and in high quality. Use no encryption to get the best speed. Then, work your way up from there. AES-128-CBC should be good enough for most use cases. I have been using no encryption for the past year. But my fiber line is now 225 Mbps. I recently changed to AES-128-CBC and all is good with my streaming.
 
I am testing.
I bought 1 month and no dedicated IP.

For now I can say:
By using the Windows client you can choose the OpenVPN or OpenConnect protocol.
Test servers: UK London - USA NY - Italy. I am in London. AES 128
- TorGuard servers are 30% slower than PureVPN by using OpenVPN :(
- Better when I use OpenConnect, maybe a bit better TorGuard in Europe. :)
I didn't change anything in the Windows app.

Well, good news on Amazon Fire TV. I can install the Android app and it works really well with AES128 :D
I connected to NY and even Netflix US was working without dedicated IP. :eek::eek::eek:
I tested the speed on Fire TV and it is around 70 mbit. It is definitely better than by using the router.

Now I am testing the router with your settings. When you create the ovpn file in the config generator, do you tick "Require TLS 1.2"?
 
Do not tick the "Require TLS 1.2".

Yes, the CPU on the laptop is more powerful than the router, which is why you will often see better speed. Speed will vary depending if it is a work day, weekend, etc..
 
Hello, I notice there is NO option for GCM cipher under Legacy/fallback cipher setting in the Asus OpenVPN Client settings page?? I am using Merlin FW (382.1_2)

Any thoughts in that?
Regards,
Buk
 
