VPN Grouping

Cream

New Around Here
Hi Folks, well just got my Asus RT-AX86U and loaded the Merlin firmware on it. VPN Director is great but I was wondering if it is possible to have VPN groups? I am using ExpressVPN and with their firmware on my old (crappy) Netgear Nighthawk router I was able to put LAN devices into a group and then pass them through whatever VPN tunnel I wanted. Also would you recommend turning off QoS as I am on a 100mbps connection, but only get 85 down before using the VPN, and any other settings to get the best d/l speed? The overhead from my ISP drops me from 92mbps connection to 85 download and then the VPN knocks another 5-10 mbps off that. Would love some advice on the best settings for this router. Thanks!
 

eibgrad

Part of the Furniture
The closest thing to grouping that I know of is YazFi. It allows you to associate a given wireless guest network w/ its own IP network, which you can then specify as a group for routing through the WAN (the default) or the VPN. But there's no grouping for the private network itself. Best you can do is define the DHCP server range such that those devices use the VPN (based on policy rules), and all others don't (or vice versa). But you can't place arbitrary devices into a named group and reference that for routing.
 

Cream

New Around Here
Hi eibgrad, thanks for the reply. It's a real pity this is not a feature of Merlin as ExpressVPN have it built into their stock firmware for supported routers. From what I know ExpressVPN is the only one that supports split tunnelling on routers, would I be right with that statement? NordVPN seems to be a lot faster with OpenVPN but only support split tunnelling on their Windows App. They are much cheaper than ExpressVPN and seem to have the edge on speed unless ExpressVPN open their Lightway protocol to open source.
 

eibgrad

Part of the Furniture
You can do split tunneling w/ Merlin using any OpenVPN provider of your choice. It's called the VPN Director. But the only OpenVPN provider I know of that provides their own firmware for ASUS is ExpressVPN. I've never used it, so I know nothing more about it.
 

Cream

New Around Here
So I could use multiple VPN connections with any vpn provider on merlin and have up to 5 of them active at the same time using Director? I was under the impression that on routers only the likes of ExpressVPN allowed multiple connections to different locations at the same time using your account..
 

Cream

New Around Here
I am just wondering as my 30 day trial period is just up with ExpressVPN and as I now have an Asus RT-AX86U I will be using OpenVPN on the router for all my devices
 

RMerlin

Asuswrt-Merlin dev
> So I could use multiple VPN connections with any vpn provider on merlin and have up to 5 of them active at the same time using Director? I was under the impression that on routers only the likes of ExpressVPN allowed multiple connections to different locations at the same time using your account..
A lot of providers allow multiple simultaneous connections (up to a certain number that varies between providers). NordVPN allows it, as I occasionally connect two or three tunnels with them when testing things.
 

eibgrad

Part of the Furniture
As @RMerlin suggests, most OpenVPN providers allow multiple, concurrent connections, but they also assume those will be from different devices. Should you decide to use the *same* device (i.e., the router), you have to be careful that you don't create a situation of overlapping IP tunnels! Most OpenVPN providers will use the same IP network on the tunnels for all their servers, because they're not anticipating the same device making multiple, concurrent connections. We've seen our share of users in the forum get into trouble by not taking notice of this possibility.


What's not so obvious from that post is that the problem was exclusively an issue of servers that used a subnet topology, and NOT when it was net30. When using the latter, no two users of the same server would ever overlap due to how net30 is implemented. But a subnet topology is where things would go haywire.

But that was 386.3_2 and prior. With 386.4, @RMerlin has made a correction to mitigate this problem. But *only* if you use the VPN Director for all your concurrent OpenVPN clients.

Eventually I hope it won't be necessary to even mention this issue, but w/ the possibility there are still active 386.3_2 and prior users, it's still worth mentioning.
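A check for the overlap condition described in this post, as an added example that is not part of the original thread. It reads `ip -4 -o addr show` output and reports every pair of tunnel interfaces whose networks overlap; the sample lines are constructed, and the `tun11`-style interface names are an assumption about how the OpenVPN clients are named on the router.

```shell
#!/bin/sh
# Constructed sample in the format printed by `ip -4 -o addr show`.
# tun11/tun12: two subnet-topology clients handed the same /24 (overlap).
# tun13: net30-style point-to-point pair, shown without a prefix (treated as /32).
SAMPLE='12: tun11    inet 10.8.0.5/24 brd 10.8.0.255 scope global tun11
13: tun12    inet 10.8.0.9/24 brd 10.8.0.255 scope global tun12
14: tun13    inet 10.9.1.6 peer 10.9.1.5/32 scope global tun13'

# Reads `ip -4 -o addr show` output on stdin and prints "ifA ifB"
# for every pair of tun interfaces whose IPv4 networks overlap.
tunnel_overlaps() {
    awk '
    function ip2int(a,   o) {
        split(a, o, ".")
        return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    $3 == "inet" && $2 ~ /^tun/ {
        n = split($4, cidr, "/")
        ifn[++c] = $2
        ip[c]    = ip2int(cidr[1])
        len[c]   = (n == 2) ? cidr[2] + 0 : 32
    }
    END {
        for (i = 1; i <= c; i++)
            for (j = i + 1; j <= c; j++) {
                # Two networks overlap when they agree under the shorter prefix.
                m    = (len[i] < len[j]) ? len[i] : len[j]
                size = 2 ^ (32 - m)
                if (int(ip[i] / size) == int(ip[j] / size))
                    print ifn[i], ifn[j]
            }
    }'
}

# Demo on the constructed sample; on the router use:
#   ip -4 -o addr show | tunnel_overlaps
printf '%s\n' "$SAMPLE" | tunnel_overlaps
```

No output means no two tunnels share address space; a reported pair is the situation the post describes for subnet-topology servers.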
 

Cream

New Around Here
Many thanks for the replies! I think I made the mistake of going with ExpressVPN over NordVPN because of some biased reviews. I have had a lot of issues with ExpressVPN, their UK servers keep dropping Netflix access and I have an Amazon Echo device that cannot access Prime Video when using their VPN and they keep saying they are working on it. Would you recommend switching to NordVPN, or another VPN provider? I have a small network but do need to split it up into several VPN tunnels.
 

eibgrad

Part of the Furniture
I used to be an ExpressVPN user, but decided to NOT renew my subscription when it ended last October due to their acquisition by Kape Technologies. At the time, I found ExpressVPN to be one of the best VPN providers I ever had. Servers were always up and available, (re)connections happened quickly and were reliable, throughput was acceptable (80-100Mbps), etc. But it was a bit pricey compared to others. And I didn't use it for the purposes of out-of-country access to Amazon or Netflix. So sometimes what's "good" can be subjective. Just depends on your expectations. And so I'm NOT the guy to make recommendations based on access to Amazon or Netflix.

FWIW, I do know there are quite a few NordVPN users on this forum, so much so that some are using the vpnmgr addon (I believe it works in conjunction w/ the VPN Director, NOT as a replacement of its functionality).

My primary concern in these forums is making sure users avoid known issues such as those described in this thread (i.e., net30 vs. subnet). Often the kind of stuff few ppl bother to consider. For example, sometimes it can be handy to have remote access available via the OpenVPN provider's tunnel, esp. for those behind CGNAT. While some do support it, most don't. Sucks to find these sorts of things out *after* you've committed to a purchase.
 

CaptainSTX

Part of the Furniture
I run three clients on StrongVPN simultaneously. Works well for me, never seems to drop. On servers within 1,000 miles speeds on latest version of Merlin average almost 200 Mbps on my AC86.

Running StrongVPN using WireGuard on my VPN appliance with an I7 processor usually get 650 Mbps downloads so they appear to have the backbone to support higher speed connections.
 

Cream

New Around Here
Well, just cancelled my subscription with ExpressVPN today and they are going to refund me. I think NordVPN is where I will go now, they seem to have support for Wireguard which (maybe I am wrong) Merlin looks like they are going to have support for. My main use for the VPN is Geo unlocking and downloading (need the best speed for that) and of course security. If anyone has any suggestions for a different VPN provider please feel free to advise me, it has been a hard learning curve since I started down the VPN road!
 

RMerlin

Asuswrt-Merlin dev
> they seem to have support for Wireguard which (maybe I am wrong) Merlin looks like they are going to have support for
It only works with their own client, they do not provide config files for the wireguard client itself.
 

Martineau

Part of the Furniture
> It only works with their own client, they do not provide config files for the wireguard client itself.
Ahem, ASUS doesn't support importing a WireGuard configuration file but MUST (and does) physically create a WireGuard configuration file from the NVRAM variables created from the appropriate configuration data entered manually into the GUI ....

e.g. If the Peer is running, you can issue the Userspace tool command to view 'it'
Code:
wg showconf wgc5

[Interface]
ListenPort = 48350
PrivateKey = deaDj/czAgWTzLEkWoPF/2eMFlRBkPv62W2XX3wieiVA=

[Peer]
PublicKey = 7YNog586gTRA3gb+78tpfG/w1Ua/JprciQTSO/tKjyE=
AllowedIPs = ::/0
Endpoint = [2001:ac8:20:308::a15f]:51820
PersistentKeepalive = 25
and save it to a file if you really need to.....
Code:
echo "# ASUS Client 5" > wgc5.conf; wg showconf wgc5 >> wgc5.conf
but the useful (wg-quick compatible) Pre*/Post* directives are missing (trivial enough to add them) if the resulting .conf file is to be exported to another platform.
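Since `wg showconf` prints the interface's PrivateKey, here is a variant of the export above that keeps the saved file owner-only and produces a key-free copy for sharing. This is an added example, not part of Martineau's post; the function names and the sample config (documentation address, dummy keys) are constructed.

```shell
#!/bin/sh
# Save the full config (keys included) readable by the owner only.
# $1 = WireGuard interface (e.g. wgc5), $2 = output file.
export_wg_conf() {
    (
        umask 077
        { echo "# ASUS Client ${1#wgc}"; wg showconf "$1"; } > "$2"
    )
}

# Filter: replace secret values with a marker, keep everything else.
# PublicKey, Endpoint and AllowedIPs are left intact for troubleshooting.
redact_wg_conf() {
    sed -e 's/^\([[:space:]]*PrivateKey[[:space:]]*=[[:space:]]*\).*/\1(redacted)/' \
        -e 's/^\([[:space:]]*PresharedKey[[:space:]]*=[[:space:]]*\).*/\1(redacted)/'
}

# Constructed sample in `wg showconf` format (dummy keys, RFC 5737 address).
SAMPLE_CONF='[Interface]
ListenPort = 48350
PrivateKey = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

[Peer]
PublicKey = BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=
PresharedKey = CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC=
AllowedIPs = 0.0.0.0/0
Endpoint = 192.0.2.10:51820
PersistentKeepalive = 25'

# Demo on the sample; on the router:
#   export_wg_conf wgc5 wgc5.conf && redact_wg_conf < wgc5.conf > wgc5.share.conf
printf '%s\n' "$SAMPLE_CONF" | redact_wg_conf
```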
 

RMerlin

Asuswrt-Merlin dev
> Ahem, ASUS doesn't support importing a WireGuard configuration file but MUST (and does) physically create a WireGuard configuration file from the NVRAM variables created from the appropriate configuration data entered manually into the GUI ....
I'm talking about NordVPN.
 

Cream

New Around Here
RMerlin what VPN provider would you recommend then? ExpressVPN have their own Lightway protocol which I don't see them allowing it to be open source in the near future. From what I have read Wireguard is even faster than Lightway but I thought NordVPN supported the Wireguard protocol on routers, I am stumped at what provider to go with :(
 

RMerlin

Asuswrt-Merlin dev
> RMerlin what VPN provider would you recommend then? ExpressVPN have their own Lightway protocol which I don't see them allowing it to be open source in the near future. From what I have read Wireguard is even faster than Lightway but I thought NordVPN supported the Wireguard protocol on routers, I am stumped at what provider to go with :(
I can't recommend any, I don't use them. I only have a NordVPN account for test and development purposes.
 

eibgrad

Part of the Furniture
> RMerlin what VPN provider would you recommend then? ExpressVPN have their own Lightway protocol which I don't see them allowing it to be open source in the near future. From what I have read Wireguard is even faster than Lightway but I thought NordVPN supported the Wireguard protocol on routers, I am stumped at what provider to go with :(

The problem for VPN providers when it comes to WireGuard is that the protocol is NOT quite as private as they want it to be, or at least not to the extent their marketing materials promise for their various VPN offerings. OpenVPN works without needing to log an IP address, but WireGuard requires IP addresses to be stored on the server until the server reboots. That has made many VPN providers reluctant to offer it as-is. So instead, they've introduced mitigations to increase user privacy. But in the process, that means you *must* use their modified, proprietary versions (Lightway, NordLynx, etc.), which obviously locks out the router as a platform.

In short, WireGuard is NOT a panacea. It has advantages and disadvantages (e.g., no support for bridged tunnels, strictly routed). So it's NOT going to replace OpenVPN and other well-established VPNs anytime soon.

FWIW, I have a cheap lifetime subscription w/ KeepSolid (aka VPNUnlimited, think I paid ~$11 for 5 devices, only use it for testing), and they don't offer nor require similar mitigations. Then again, you have to accept the possibility that your public IP is being stored on the server. Whether that matters to any particular individual will obviously vary.
 

Cream

New Around Here
Hi eibgrad, thanks so much for your reply and info. I was confused about NordVPN supporting Wireguard on routers due to their explanation video here: https://support.nordvpn.com/Connectivity/Router/1047409322/Setting-up-a-router-with-NordVPN.htm They say to email support to get Wireguard profiles for routers - see at 5:30. I thought I had seen a screenshot of Asus firmware with a Wireguard tab on the GUI somewhere on these forums but maybe I am mistaken. My head is frazzled after looking at so many threads! I looked at KeepSolid and they are actually more expensive than Nord ATM.. I think you were lucky to get a lifetime sub when you did. SurfShark seems to be the cheapest but there is no talk of WireGuard on their site, I keep heading towards WireGuard because it's a newer tech and very fast, but it does seem it has its faults also. Still scratching my head as where to go to have some future proofing..
 
