
Will this help with NordVPN, and can I use this config on my Merlin router?

Jack-Sparr0w

Regular Contributor
remote-random
resolv-retry infinite
remote-cert-tls server
ping 15
ping-restart 0
ping-timer-rem
persist-key
persist-tun
reneg-sec 0
fast-io
disable-occ
mute-replay-warnings
auth-nocache
sndbuf 524288
rcvbuf 524288
push "sndbuf 524288"
push "rcvbuf 524288"
pull-filter ignore "auth-token"
pull-filter ignore "ifconfig-ipv6"
pull-filter ignore "route-ipv6"
explicit-exit-notify 3
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
 
I want to use TLS Crypt v2 with NordVPN. This is what I have found:

Setting up TLS Crypt v2 for NordVPN on an Asus router with AsusWRT-Merlin firmware involves several steps. First, download the OpenVPN configuration files from your NordVPN account. Then, log into your router's control panel and navigate to the OpenVPN Clients tab under the VPN section. In the Custom Configuration field, you should enter specific text to configure the connection, including remote-cert-tls server and remote-random nobind among other settings.
 
Does this look better for what I'm trying to do?

remote-random
nobind
resolv-retry infinite
remote-cert-tls server
ping 15
ping-restart 0
ping-timer-rem
persist-key
persist-tun
reneg-sec 0
fast-io
disable-occ
mute-replay-warnings
auth-nocache
sndbuf 524288
rcvbuf 524288
push "sndbuf 524288"
push "rcvbuf 524288"
pull-filter ignore "auth-token"
pull-filter ignore "ifconfig-ipv6"
pull-filter ignore "route-ipv6"
explicit-exit-notify 3
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
 
###No guarantees. Use at your own risk. For novelty purposes only. Any resemblance to a real config, is purely coincidental and unintentional. Not responsible for any injuries, damages, or spontaneous combustion that may occur on your router from the use of this config.###
 
That is more readable. But it still looks like you copied this from @Viktor Jaep and have now added a nobind line. :confused:

Can you provide a link to the source of the information you posted in #3? AFAIK NordVPN doesn't support tls-crypt-v2.
 
This is what I settled on:

remote-random
nobind
resolv-retry infinite
remote-cert-tls server
ping 15
ping-restart 0
ping-timer-rem
persist-key
persist-tun
reneg-sec 0
fast-io
disable-occ
mute-replay-warnings
auth-nocache
sndbuf 524288
rcvbuf 524288
push "sndbuf 524288"
push "rcvbuf 524288"
pull-filter ignore "auth-token"
pull-filter ignore "ifconfig-ipv6"
pull-filter ignore "route-ipv6"
explicit-exit-notify 3
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450

#log /tmp/vpn.log
 
I added reneg-sec 3600 and removed reneg-sec 0. From what I gather this will be best for NordVPN. Again, thank you Viktor for the info.

remote-random
nobind
resolv-retry infinite
remote-cert-tls server
ping 15
ping-restart 0
ping-timer-rem
persist-key
persist-tun
reneg-sec 3600
fast-io
disable-occ
mute-replay-warnings
auth-nocache
sndbuf 524288
rcvbuf 524288
push "sndbuf 524288"
push "rcvbuf 524288"
pull-filter ignore "auth-token"
pull-filter ignore "ifconfig-ipv6"
pull-filter ignore "route-ipv6"
explicit-exit-notify 3
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450

#log /tmp/vpn.log
 
After looking at ways to harden the VPN, this is what I've come up with. This is best for NordVPN.
disable-occ was taken out and I added tls-version-min 1.2; this stops MITM attacks. Also added max-clients 100.

remote-random
nobind
tls-version-min 1.2
resolv-retry infinite
remote-cert-tls server
ping 15
ping-restart 0
ping-timer-rem
persist-key
persist-tun
max-clients 100
reneg-sec 3600
fast-io
mute-replay-warnings
auth-nocache
sndbuf 524288
rcvbuf 524288
push "sndbuf 524288"
push "rcvbuf 524288"
pull-filter ignore "auth-token"
pull-filter ignore "ifconfig-ipv6"
pull-filter ignore "route-ipv6"
explicit-exit-notify 3
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450

#log /tmp/vpn.log
 
Does not hurt to add it though.
It's a false sense of security. You think you're "hardening" something when in reality nothing has changed.

I'd suggest a more meaningful change would be to download an updated config file from NordVPN that includes the verify-x509-name option.
 
Seen on most VPN hardening guides that are compatible with Nord.
Example: https://blog.securityevaluators.com/hardening-openvpn-in-2020-1672c3c4135a

tls-version-min 1.2
tls-version-max 1.3 is on most VPN hardening guides.

From what I've read, tls-version-max 1.3 is preferred when you use this.

Setting max-clients 100 is a conservative choice that ensures the server can handle up to 100 simultaneous connections without overloading the hardware.

OpenVPN renegotiates keys every 3600 seconds (1 hour) to mitigate certain attacks, such as the Sweet32 attack, which targets 64-bit block ciphers like Blowfish.
 
Nord VPN custom config file Hardened Version:

remote-random
nobind
tls-version-min 1.2
tls-version-max 1.3
resolv-retry infinite
remote-cert-tls server
ping 15
ping-restart 0
ping-timer-rem
persist-key
persist-tun
max-clients 100
reneg-sec 3600
mute-replay-warnings
auth-nocache
sndbuf 524288
rcvbuf 524288
push "sndbuf 524288"
push "rcvbuf 524288"
pull-filter ignore "auth-token"
pull-filter ignore "ifconfig-ipv6"
pull-filter ignore "route-ipv6"
explicit-exit-notify 3
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450

#log /tmp/vpn.log
 
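As an added illustration (my own code, not from any poster in this thread or from NordVPN), here is a small Python checker that parses custom-config text of the form posted above and reports which of the directives argued about in this thread are present, which directive appears twice with different values (as reneg-sec did across the earlier drafts), and whether verify-x509-name, the option suggested a few posts up, is there at all. The checklist in WANTED is my own selection for illustration, not an OpenVPN or NordVPN rule.

```python
import shlex

# Directives this thread argues about, and the value each should carry (None = any).
# Assumed checklist for illustration, not an OpenVPN or NordVPN requirement.
WANTED = {
    "remote-cert-tls": "server",   # peer certificate must be a server certificate
    "tls-version-min": None,       # floor on the TLS control-channel version
    "verify-x509-name": None,      # expected server certificate name (absent in the thread)
    "auth-nocache": None,          # do not keep credentials cached in memory
}
# Directives that legitimately appear several times with different arguments.
REPEATABLE = {"pull-filter", "push", "remote"}

def parse_custom_config(text):
    """Turn custom-config text into (directive, [args]) pairs; quoted args stay whole."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # skip blanks and '#'/';' comments
            continue
        parts = shlex.split(line)            # push "sndbuf 524288" -> ['push', 'sndbuf 524288']
        entries.append((parts[0], parts[1:]))
    return entries

def audit(text):
    """Report missing checklist directives, conflicting repeats, and the reneg-sec value."""
    seen = {}
    for name, args in parse_custom_config(text):
        seen.setdefault(name, []).append(args)
    missing = [n for n, want in WANTED.items()
               if n not in seen or (want is not None and seen[n][-1][:1] != [want])]
    conflicting = [n for n, vals in seen.items()
                   if n not in REPEATABLE and len({tuple(v) for v in vals}) > 1]
    reneg = int(seen["reneg-sec"][-1][0]) if "reneg-sec" in seen else None
    return {"missing": missing, "conflicting": conflicting, "reneg_sec": reneg}

# Sample input: a shortened copy of the "hardened" config posted above in this thread.
HARDENED = """\
remote-random
nobind
tls-version-min 1.2
remote-cert-tls server
reneg-sec 3600
auth-nocache
push "sndbuf 524288"
push "rcvbuf 524288"
pull-filter ignore "auth-token"
#log /tmp/vpn.log
"""
```

Running audit(HARDENED) reports only verify-x509-name as missing, while appending a second reneg-sec 0 line makes reneg-sec show up under conflicting.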
Did testing with a lot of games; works fine due to the fact that NordVPN uses reneg-sec 3600 as its default. The server and client should be the same number or this will not work well, from what I gather. Because Nord uses reneg-sec 3600 as its default, it won't cut out after an hour if you use this option.
 
Nord VPN custom config file Hardened Version:
Again, this is not a "hardened" config. These are the default values forced by NordVPN. You have changed nothing related to security.

The recommendations you are citing are relevant when you are controlling both ends of the tunnel (as explained in the links you provided). You don't, NordVPN is controlling the server end and they are dictating how you connect to it.
 
Again, this is not a "hardened" config. These are the default values forced by NordVPN. You have changed nothing.

The recommendations you are citing are relevant when you are controlling both ends of the tunnel (as explained in the links you provided). You don't, NordVPN is controlling the server end and they are dictating how you connect to it.
Why is there a custom config file for Merlin on NordVPN's website then? You can change the values in that, can you not? And if not, explain.
 
Why is there a custom config file for Merlin on NordVPN's website then? You can change the values in that, can you not? And if not, explain.
I clarified my previous post by saying "You have changed nothing related to security" which is what hardening is. You can change some other parameters like buffer sizes if you want to.

The Merlin information on NordVPN's website is years out of date and in places plain wrong (it was originally submitted by a user). The custom config they show is already present in the file you must download from their website. So it's a pointless exercise.
 
NordVPN TLS 1.0 Support
NordVPN has been gradually upgrading its servers to use TLS 1.2 for OpenVPN. However, some of NordVPN's servers still use TLS 1.0 for OpenVPN as of the last update.
This indicates that while NordVPN is moving towards more secure protocols, some servers may still support TLS 1.0 for backward compatibility.
 
I clarified my previous post by saying "You have changed nothing related to security" which is what hardening is. You can change some other parameters like buffer sizes if you want to.

The Merlin information on NordVPN's website is years out of date and in places plain wrong (it was originally submitted by a user). The custom config they show is already present in the file you must download from their website. So it's a pointless exercise.
The custom config file has to be entered manually. reneg-sec is 0 by default in the file; I added reneg-sec 3600. The values can be changed with this. I don't see what you're getting at.
 