Xentrk
Continued from Part II
https://www.snbforums.com/threads/torguard-openvpn-2-4-client-setup-for-asus-merlin-380-65-380-65_2-part-ii.38282/
Troubleshooting Section
1. There are two well-known media streaming services that block VPN users. If you need access to these services, you will need to subscribe to TorGuard’s Dedicated IP service.
2. I use TorGuard’s DNS servers as the WAN DNS on all of my routers. However, doing so is optional. If you have problems connecting to hostnames or you have no connectivity when connected to the VPN server, try changing your DNS to use TorGuard’s DNS Servers. The TorGuard DNS Servers are located at the bottom of the TorGuard Specs page. To configure on the Web GUI, select the WAN menu on the left. On the Internet Connection tab, go to the WAN DNS Setting section. Select the No button for Connect to DNS Servers Automatically. Then, enter the TorGuard DNS Servers in the DNS Server 1 and DNS Server 2 fields. Select the Apply button on the bottom of the screen to save the settings.
3. If you want to change the Server Address, it is not required to generate a new ovpn file from the TorGuard generator. This can be done by entering one of the TorGuard hostnames or IP addresses located at https://torguard.net/serverstatus.php in the Web GUI.
4. If you want to change the Legacy/fallback cipher, it is not required to generate a new ovpn file from the TorGuard generator. It can be done by selecting the cipher from the drop-down menu. If you change the cipher, the Port number must also be changed. Ports associated with the cipher levels are listed on the TorGuard specs page located at https://torguard.net/tgspec.php.
5. TorGuard servers may not be reachable due to their DNS provider suffering a DDoS attack. To avoid this, use the IP address of the server instead of the name. Using the server IP address rather than the domain name may also help with OpenVPN performance.
6. Sometimes, the VPN status reported on the VPN Status Web GUI may be incorrect. Refer to the System log if you suspect errors. Toggling the Service state to OFF and back to ON to create a new OpenVPN connection will often solve connection problems.
7. NTP Server Tips: There are times when the OpenVPN client won't connect to the TorGuard servers due to the clock not being set correctly on the router. This can typically occur after the router has been rebooted and the clock is not updated right away. Currently, none of the Asus routers has an RTC hardware clock. There are a couple of ways of dealing with this issue.
One solution is to install Entware on the router and install the fake-hwclock package (opkg install fake-hwclock). Fake-hwclock will save the kernel's current clock periodically (including at shutdown) to a file and restore it at boot so that the system clock keeps at least close to real time. This only works if the clock is updated correctly by the NTP client.
At other times, the NTP client cannot reach the NTP server because the DNS servers fail to resolve, which results in the router clock not being able to update. There are a few options to deal with this:
a. Enter the IP address of the NTP server directly on the Administration Menu, System Tab, Time Zone field. Note: You can browse to a specific server by selecting a region and finding a server closest to you at http://support.ntp.org/bin/view/Servers/NTPPoolServers and then ping the name of the pool. This IP address will likely change due to it being a pool of servers.
b. You can leave the NTP server name as is and add a list of IP addresses for the corresponding name to the hosts.add file in /jffs/configs. For example, the Canadian server pools below were determined by pinging the server pool:
208.73.56.29 0.ca.pool.ntp.org
70.79.92.55 1.ca.pool.ntp.org
144.217.242.53 2.ca.pool.ntp.org
199.182.221.110 3.ca.pool.ntp.org
8. Encryption - depending on your router’s CPU, you may want to change the data encryption level to achieve the best performance. If speed is the primary concern rather than encryption, then select “None”, which turns data encryption off, for the fastest performance. This may be the best setting if your primary reason for using the VPN is to get around geo blocking for streaming media. The next level is BF-CBC, followed by AES-128-CBC and so on. The more horsepower the router has, the higher the encryption can be set with less impact on throughput.
9. If you are also using OpenVPN server on your router, make sure you select a TorGuard protocol that does not overlap with the OpenVPN Server subnet.
10. The definitions of the Accept DNS Configuration field values are as follows (Source: https://www.snbforums.com/threads/openvpn-dns-selective-routing-questions.28191/#post-217362):
a. Disabled: DNS servers pushed by VPN provided DNS server are ignored.
b. Relaxed: DNS servers pushed by VPN provided DNS server are prepended to the current list of DNS servers, of which any can be used.
c. Strict: DNS servers pushed by the VPN provided DNS server are prepended to the current list of DNS servers, which are used in order (existing DNS servers are only used if VPN provided ones don't respond).
d. Exclusive: Only the pushed VPN provided DNS servers are used.
11. MTU warning messages in System Log file – If you see messages similar to the following in the System Log file:
WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1558', remote='link-mtu 1526'
WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1532', remote='tun-mtu 1500'
WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1532', remote='tun-mtu 1500'
Try removing the tun-mtu-extra 32 option from the Custom Configuration section. This removed the warning messages for @Zirescu and me. TorGuard support told me the warning messages do not cause any harm.
12. @skeal reports a setting that helped him and another participant improve overall OpenVPN speed. Select the Adaptive QoS menu option on the left. Select the QoS tab. Then, select Enable QoS to turn it on. Select the manual bandwidth setting and enter your ISP internet package speed in both the Upload Bandwidth and Download Bandwidth boxes. Select Media Streaming and Apply.
Optional Custom Configuration Options
You may want to experiment with the following OpenVPN options:
fast-io
(Experimental) Optimize TUN/TAP/UDP I/O writes by avoiding a call to poll/epoll/select prior to the write operation. The purpose of such a call would normally be to block until the device or socket is ready to accept the write. Such blocking is unnecessary on some platforms which don't support write blocking on UDP sockets or TUN/TAP devices. In such cases, one can optimize the event loop by avoiding the poll/epoll/select call, improving CPU efficiency by 5% to 10%.
This option can only be used on non-Windows systems, when --proto udp is specified, and when --shaper is NOT specified.
sndbuf 524288
rcvbuf 524288
push "sndbuf 524288"
push "rcvbuf 524288"
https://lowendtalk.com/discussion/40099/why-openvpn-is-so-slow-cool-story
https://community.openvpn.net/openvpn/ticket/461
http://winaero.com/blog/speed-up-openvpn-and-get-faster-speed-over-its-channel/
OpenVPN 2.4 Man Page
For more information on OpenVPN 2.4 configuration options, visit the OpenVPN Man page located at
https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
Acknowledgments
Thank you to @skeal and @Zirescu for your collaboration and feedback on this guide. Your contributions are very much appreciated!
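The check behind troubleshooting item 11, as an added example that is not part of the original guide: it reads OpenVPN log text on stdin, lists each distinct MTU mismatch with the local-minus-remote difference, and tests whether every difference equals the tun-mtu-extra value (32). The function names are made up for this example, and the last sample line is constructed to show that non-MTU warnings are skipped.

```shell
#!/bin/sh
# Added example, not from the original guide. Function names are hypothetical.

# Print "option local remote delta" once per distinct MTU mismatch warning.
mtu_mismatches() {
    awk '
    /is used inconsistently/ {
        # Split on single quotes: q[2]=option, q[4]="opt LOCAL", q[6]="opt REMOTE"
        n = split($0, q, "\047")
        if (n < 6) next
        split(q[4], a, " "); split(q[6], b, " ")
        # Skip mismatches whose values are not numbers (e.g. cipher names)
        if (a[2] !~ /^[0-9]+$/ || b[2] !~ /^[0-9]+$/) next
        key = q[2] " " a[2] " " b[2]
        if (!(key in seen)) { seen[key] = 1; print key, a[2] - b[2] }
    }'
}

# Succeed only if there is at least one MTU mismatch and every one of them
# has the local side larger by exactly $1 bytes (32 for tun-mtu-extra 32).
explained_by_extra() {
    mtu_mismatches | awk -v want="$1" '
        { n++; if ($4 != want) bad++ }
        END { exit (n > 0 && bad == 0) ? 0 : 1 }'
}

# First three lines are the warnings quoted in item 11; the cipher line is
# constructed for this example.
sample_log() {
    cat <<'EOF'
WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1558', remote='link-mtu 1526'
WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1532', remote='tun-mtu 1500'
WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1532', remote='tun-mtu 1500'
WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher BF-CBC'
EOF
}

sample_log | mtu_mismatches
if sample_log | explained_by_extra 32; then
    echo "All MTU mismatches are 32 bytes: consistent with tun-mtu-extra 32"
fi
```

Both link-mtu (1558 vs 1526) and tun-mtu (1532 vs 1500) differ by 32 bytes, which is why removing tun-mtu-extra 32 from the Custom Configuration clears the warnings.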