
ASUS RT-86U Merlin and NordVPN pre-configured/custom configuration and DNS settings?


zillah

Hi All

I have got an ASUS RT-AX86U router with Merlin firmware and I am using NordVPN.

Two questions:

1- Is it advisable to upload a pre-configured UDP file to the router and/or type in a custom configuration?

2- The quote below:

((Now you need to configure NordVPN’s DNS settings. In the left sidebar, click WAN. In the Connect to DNS Server automatically field, select No and fill in NordVPN’s DNS servers as follows: 103.86.96.100, 103.86.99.100))

From "how to" on NordVPN website

https://support.nordvpn.com/Connectivity/Router/1047410642/AsusWRT-Merlin-setup-with-NordVPN.htm

Would using NordVPN’s DNS prevent a DNS leak?

Thx
 
1. You must upload the .ovpn profile supplied by NordVPN as it contains the key and certificate. Then enter your username and password. You don't need to make any changes to the custom configuration settings as they're already contained in the .ovpn file.

2. Don't make those changes to the WAN DNS. If you want clients to use a different DNS server use the option in the VPN client settings.

Those instructions on NordVPN's website are for an ancient version of the firmware.

People waste too much time worrying about DNS leaks for no good reason IMHO.
 
1. You must upload the .ovpn profile supplied by NordVPN as it contains the key and certificate. Then enter your username and password. You don't need to make any changes to the custom configuration settings as they're already contained in the .ovpn file.
Noted

Don't make those changes to the WAN DNS. If you want clients to use a different DNS server use the option in the VPN client settings.
Noted

Those instructions on NordVPN's website are for an ancient version of the firmware.
I felt it but I wasn't sure

People waste too much time worrying about DNS leaks for no good reason IMHO.
Noted

Thx Colin
 
@colin what is your comment about post #7 in the link below (custom configuration and speed)?
 
I rarely use the VPN so I'm not really interested in optimising anything, so I just use the settings that come with the .ovpn file. Some of those recommended settings are already present. The options it adds are as follows:
Code:
disable-occ
mute-replay-warnings
auth-nocache
sndbuf 524288
rcvbuf 524288
push "sndbuf 524288"
push "rcvbuf 524288"
pull-filter ignore "auth-token"
pull-filter ignore "ifconfig-ipv6"
pull-filter ignore "route-ipv6"
explicit-exit-notify 3

If you're using IPv6 then those ignore options are required. When I tested performance the difference was negligible in a synthetic benchmark.
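
Added example, not part of the thread or of any poster's setup: a small Python check for the comparison described in the post above, sorting each line of a custom configuration into already present in the .ovpn profile, conflicting with it, or new. SAMPLE_PROFILE is constructed for illustration (it is not NordVPN's file; 192.0.2.10 is a documentation address), and the MULTI_VALUED list is an assumption.

```python
import shlex

# Directives that may appear several times, so they are compared as whole
# lines rather than by name (assumption: this list is not exhaustive).
MULTI_VALUED = {"remote", "route", "push", "pull-filter", "setenv"}

# Constructed sample profile for illustration; not NordVPN's actual file.
SAMPLE_PROFILE = "\n".join([
    "client", "dev tun", "proto udp", "remote 192.0.2.10 1194",
    "resolv-retry infinite", "remote-random", "remote-cert-tls server",
    "ping 15", "ping-restart 0", "ping-timer-rem", "persist-key",
    "persist-tun", "reneg-sec 0", "fast-io", "tun-mtu 1500",
    "tun-mtu-extra 32", "mssfix 1450",
    "<ca>", "(constructed placeholder, certificate omitted)", "</ca>",
])

# The custom configuration lines quoted in the thread.
THREAD_CUSTOM = "\n".join([
    "remote-random", "resolv-retry infinite", "remote-cert-tls server",
    "ping 15", "ping-restart 0", "ping-timer-rem", "persist-key",
    "persist-tun", "reneg-sec 0", "fast-io", "disable-occ",
    "mute-replay-warnings", "auth-nocache", "sndbuf 524288", "rcvbuf 524288",
    'push "sndbuf 524288"', 'push "rcvbuf 524288"',
    'pull-filter ignore "auth-token"', 'pull-filter ignore "ifconfig-ipv6"',
    'pull-filter ignore "route-ipv6"', "explicit-exit-notify 3",
    "tun-mtu 1500", "tun-mtu-extra 32", "mssfix 1450",
])


def parse_directives(text):
    """Return [(name, args, line)] for each directive in OpenVPN config text.

    Blank lines, comment lines (# or ;) and inline blocks such as
    <ca>...</ca> are skipped.
    """
    found, block = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if block:                                   # inside <ca>, <cert>, ...
            if line == "</%s>" % block:
                block = None
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("<") and line.endswith(">") and line[1] != "/":
            block = line[1:-1]
            continue
        tokens = shlex.split(line, comments=True)   # honours "quoted args"
        if tokens:
            found.append((tokens[0], tuple(tokens[1:]), line))
    return found


def classify(profile_text, custom_text):
    """Sort custom lines into redundant / conflict / new against a profile."""
    profile = parse_directives(profile_text)
    exact = {(name, args) for name, args, _ in profile}
    names = {name for name, _, _ in profile}
    result = {"redundant": [], "conflict": [], "new": []}
    for name, args, line in parse_directives(custom_text):
        if (name, args) in exact:
            result["redundant"].append(line)        # same directive and value
        elif name in names and name not in MULTI_VALUED:
            result["conflict"].append(line)         # same directive, new value
        else:
            result["new"].append(line)
    return result


if __name__ == "__main__":
    for kind, lines in classify(SAMPLE_PROFILE, THREAD_CUSTOM).items():
        print(kind, len(lines), lines)
```

A "conflict" line is the one worth reading before saving, since it changes a value the profile already sets.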
 
1. You must upload the .ovpn profile supplied by NordVPN as it contains the key and certificate. Then enter your username and password. You don't need to make any changes to the custom configuration settings as they're already contained in the .ovpn file.

2. Don't make those changes to the WAN DNS. If you want clients to use a different DNS server use the option in the VPN client settings.

Those instructions on NordVPN's website are for an ancient version of the firmware.

People waste too much time worrying about DNS leaks for no good reason IMHO.
Thank you! So the customized settings suggested in this post are not really needed?

Code:
remote-random
resolv-retry infinite
remote-cert-tls server
ping 15
ping-restart 0
ping-timer-rem
persist-key
persist-tun
reneg-sec 0
fast-io
disable-occ
mute-replay-warnings
auth-nocache
sndbuf 524288
rcvbuf 524288
push "sndbuf 524288"
push "rcvbuf 524288"
pull-filter ignore "auth-token"
pull-filter ignore "ifconfig-ipv6"
pull-filter ignore "route-ipv6"
explicit-exit-notify 3
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
 
The only ones (in addition to those already supplied by the .ovpn file) that might be needed are the two ipv6 lines. They would be necessary if you're using IPv6.
 
@ColinTaylor - Hi - I wouldn't want to impose, but I wonder if you could give me some guidance on my router settings?

I have the Asus ZenWifi XT8 router (Hardware ver 1), running GNUton 3004_388.4_0-gnuton1 FW.

I have VERY limited understanding of routers, VPNs, etc.

After a painful experience with terrible instructions from https://support.nordvpn.com/Connectivity/Router/1047410642/AsusWRT-Merlin-setup-with-NordVPN.htm, coupled with terrible support from Nord Support, I have finally managed to get connected to Nord's VPN servers.

But I am still not sure if my settings are really right, and I have zero confidence in Nord's support team. I have seen things in this thread, and other threads on this forum, that suggest my settings might NOT be okay... but I really can't understand what I'm reading. (For example, I followed the instructions given by Nord at the above link, so I did change the WAN DNS.)

I was wondering if I might ask you to take a look at some screenshots of my settings, and advise me?

Thank you very much.
 
Not wanting to take away any of @ColinTaylor's thunder... but I built a short how-to guide on how to get your router configured with NordVPN here (below). You are correct - the guide they have on their site is horrible, and extremely out-of-date... and don't believe their custom config parameters even work. :) Take a look here:


Please know, that VPNMON-R2 is discontinued, but VPNMON-R3 is available should you need it.
 
Thank you, @Viktor Jaep, I appreciate your interest. I took a look at the guide you linked to. I'm afraid it may be over my head. (I was already stuck at Step 2; I have a Mac...) And in several places, you say that these are your settings, but they might not be appropriate for all, and can be adjusted according to the user's preferences. But I am not knowledgeable enough to judge what my settings ought to be. For example, looking at your screenshot of the OpenVPN Client settings, I can see that many of my current settings differ from yours, but I would be reluctant to make all of my settings match yours, without an understanding of whether that would be appropriate for my situation. (Pls see my screenshot below.)

Also, I think your approach, which seems very comprehensive, might be overkill for me. For one thing, as far as I know, I don't think I need to have different VPN settings for my different devices. And I am not sure I need the constant monitoring of the VPN connections. Since I am not a political dissident, I am not terribly concerned about a VPN connection failing.

So, while I greatly appreciate your input, I am a little concerned that I would be in over my head, if I attempted to follow your guide.

1706425519112.png
 
I took a look at the guide you linked to. I'm afraid it may be over my head. (I was already stuck at Step 2; I have a Mac...)
I'm sure there's a Mac equivalent for PuTTY... sounds like Terminal is the one to use. Check your router under Administration->System, and make sure SSH is enabled on your LAN. Then use terminal to point to your local router IP, probably port 22, and use your regular admin/pwd you use on your router to log in. That's where you can run AMTM, which is literally the swiss army knife of apps for your router.
And in several places, you say that these are your settings, but they might not be appropriate for all, and can be adjusted according to the user's preferences. But I am not knowledgeable enough to judge what my settings ought to be. For example, looking at your screenshot of the OpenVPN Client settings, I can see that many of my current settings differ from yours, but I would be reluctant to make all of my settings match yours, without an understanding of whether that would be appropriate for my situation. (Pls see my screenshot below.)
Depending on your situation, how you want your configuration to work, your settings may differ. Some people have different needs, goals and objectives. This is where you tool around, learn, play with settings, see how things work. When you run into a wall, or are expecting things to work, but for some reason you're not getting the right results, come back here and explain your situation. This community can help.
Also, I think your approach, which seems very comprehensive, might be overkill for me. For one thing, as far as I know, I don't think I need to have different VPN settings for my different devices. And I am not sure I need the constant monitoring of the VPN connections. Since I am not a political dissident, I am not terribly concerned about a VPN connection failing.
Even if you just configure one VPN client slot, you probably still want to make your way through steps 1-10. You can forget about loading custom scripts like VPNMON until you're more comfortable. The main exercise here is to get your router to a "default" state where your VPN clients are configured and running. Adding custom scripts like VPNMON simply helps keep your connections running when they (inevitably) stop. You determine how far you really want to go! :)
 
Ok, thank you!
Even if you just configure one VPN client slot, you probably still want to make your way through steps 1-10.

Well... for steps 1-10:

Steps 1-3: I can probably struggle thru these - but I'm not sure why I need to, if I'm not planning to do anything fancy with the router. Can you please explain what I would be trying to accomplish?

Step 4 & 5: I have already done this - I am subscribed to NordVPN.

Step 6: Well, I think I skipped this. But it seems to be working - I am connected to the Nord VPN server.

Step 7: I've uploaded the file, and filled in my credentials. You said "will need to go through, name some things, and make some configuration tweaks". Beyond filling in my credentials, I am at a loss.

Step 8: "Apply these custom configuration entries... entries that come with the .ovpn file may work, but aren't the greatest."

I had previously entered the custom config text provided in Nord's instructions (https://support.nordvpn.com/Connectivity/Router/1047410642/AsusWRT-Merlin-setup-with-NordVPN.htm) - these are:

remote-cert-tls server
remote-random
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ping-timer-rem
reneg-sec 0

#log /tmp/vpn.log


I can certainly overwrite that with the custom config text you have supplied -- can I go ahead and do that now, even if I have not completed Steps 1-3? Do I need all of the lines, just as you've laid out? (I don't know about the ipv6 stuff...)

Your code:

remote-random
resolv-retry infinite
remote-cert-tls server
ping 15
ping-restart 0
ping-timer-rem
persist-key
persist-tun
reneg-sec 0
fast-io
disable-occ
mute-replay-warnings
auth-nocache
sndbuf 524288
rcvbuf 524288
push "sndbuf 524288"
push "rcvbuf 524288"
pull-filter ignore "auth-token"
pull-filter ignore "ifconfig-ipv6"
pull-filter ignore "route-ipv6"
explicit-exit-notify 3
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450

Step 9: Even without having yet changed the custom config text from Nord's to yours, I am connected to Nord's VPN server (as shown by the DNSleaktest page and by going to Nord's website), and Netflix is still working on our TV (which I think is on our router's guest network). Are there other things I should check? (I will recheck things after changing the custom config text to your text.)

Also - side question - if we use our iphones on wifi calling when at home (because the cell signal is very weak) that does not mean our phones are protected by VPN, does it? We would still have to run a VPN client on the phones? (Although I probably won't bother, as the only thing I regularly use my phone for is calling, texting, and using the Libby app. Very occasionally, I will open a browser (usually Firefox) to check email or weather.)

Step 10: So at this point, I don't have to worry about the other 4 client slots, or VPNMON-R3, right?

One other thing I am very confused about - the DNS settings, and where I should adjust those settings. I followed Nord's instructions, and set the DNS settings on the WAN tab to Nord's DNS Servers. But above, in this thread, @ColinTaylor told Zillah (the OP), "Don't make those changes to the WAN DNS. If you want clients to use a different DNS server use the option in the VPN client settings."

But I don't see a place for changing DNS settings on the VPN client settings page. And are Nord's DNS servers a bad choice? What would be better?

Thank you for all your time.
 
The DNS servers specified in the WAN settings must be reliable as the router depends on these always working to function properly. The router does not access these servers via the VPN client. In my experience NordVPN's DNS servers are unreliable when not accessed through their VPN tunnel. For LAN clients you can specify what DNS server behaviour you want by setting the "Accept DNS Configuration" option.

At the moment you have all your devices going through the VPN. This will limit your maximum speed to about 250Mbps. I don't know what speed your internet connection is rated at.
 
Steps 1-3: I can probably struggle thru these - but I'm not sure why I need to, if I'm not planning to do anything fancy with the router. Can you please explain what I would be trying to accomplish?
These are prerequisites should you want to run any custom scripts. If you have no plans on going beyond turning the VPN on/off through your router UI, then I wouldn't worry about these.
Step 7: I've uploaded the file, and filled in my credentials. You said "will need to go through, name some things, and make some configuration tweaks". Beyond filling in my credentials, I am at a loss.
In my instructions, I included screenshots of my settings. They are by no means what everyone should use, depending on your setup or how you want things to behave. If you find something not working, this is where you can tweak things until you find things are working to your liking.

Step 8: "Apply these custom configuration entries... entries that come with the .ovpn file may work, but aren't the greatest."

I had previously entered the custom config text provided in Nord's instructions (https://support.nordvpn.com/Connectivity/Router/1047410642/AsusWRT-Merlin-setup-with-NordVPN.htm) - these are:

remote-cert-tls server
remote-random
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ping-timer-rem
reneg-sec 0

#log /tmp/vpn.log


I can certainly overwrite that with the custom config text you have supplied -- can I go ahead and do that now, even if I have not completed Steps 1-3? Do I need all of the lines, just as you've laid out? (I don't know about the ipv6 stuff...)

Your code:

remote-random
resolv-retry infinite
remote-cert-tls server
ping 15
ping-restart 0
ping-timer-rem
persist-key
persist-tun
reneg-sec 0
fast-io
disable-occ
mute-replay-warnings
auth-nocache
sndbuf 524288
rcvbuf 524288
push "sndbuf 524288"
push "rcvbuf 524288"
pull-filter ignore "auth-token"
pull-filter ignore "ifconfig-ipv6"
pull-filter ignore "route-ipv6"
explicit-exit-notify 3
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450

Step 9: Even without having yet changed the custom config text from Nord's to yours, I am connected to Nord's VPN server (as shown by the DNSleaktest page and by going to Nord's website), and Netflix is still working on our TV (which I think is on our router's guest network). Are there other things I should check? (I will recheck things after changing the custom config text to your text.)
If you are happy with the default config, I'd just leave it be. If things are working OK for you, then I wouldn't touch them. This again is where some tweaking can happen to help with speed/performance/reliability... but not necessary unless you're wanting to experiment.

Also - side question - if we use our iphones on wifi calling when at home (because the cell signal is very weak) that does not mean our phones are protected by VPN, does it? We would still have to run a VPN client on the phones? (Although I probably won't bother, as the only thing I regularly use my phone for is calling, texting, and using the Libby app. Very occasionally, I will open a browser (usually Firefox) to check email or weather.)
You will need to specify which devices go out through your VPN using the VPN Director. If you have a DHCP range of different wifi clients on your network that these iPhones belong to, then you'd need to specify that range there, and ensure that it's marked to go out through OVPN1. But yes, if they're configured for wifi calling, they would go out over the VPN. You would want to do some testing from your clients (laptops/phones), and try some IP location tools, and see what they report as their public IP, and geolocation.

Step 10: So at this point, I don't have to worry about the other 4 client slots, or VPNMON-R3, right?
If you only need one, don't worry about the other 4.

You are well on your way! ENJOY! :)
 
The DNS servers specified in the WAN settings must be reliable as the router depends on these always working to function properly. The router does not access these servers via the VPN client. In my experience NordVPN's DNS servers are unreliable when not accessed through their VPN tunnel. For LAN clients you can specify what DNS server behaviour you want by setting the "Accept DNS Configuration" option.

At the moment you have all your devices going through the VPN. This will limit your maximum speed to about 250Mbps. I don't know what speed your internet connection is rated at.

I have Spectrum wifi - it says I get speeds "up to 300 Mbps". Is the VPN limitation of about 250 Mbps reasonable for streaming Netflix, doing Zoom and other videocalling, browsing, etc (no gaming)? My wifi devices are 2 iphones, 1 Mac mini, 2 Como Audio radios, 1 Logitech Squeezebox Radio, 1 Visio TV (older smart model), 1 Kindle, 1 ipad. Oh, and I may add a Raspberry Pi device soon. I think that's it.

So it sounds like the WAN DNS settings should be set to use something other than Nord's DNS servers - any suggestions?

On the LAN tab, this is what I see:
1706475098637.png

Would I need to turn "Enable DNS Director" to ON in order to access the "Accept DNS Configuration" option? Would accepting the DNS configuration mean that the LAN would use the same DNS servers specified on the WAN tab? (I would (obviously) like malicious sites to be blocked.)

Thanks!

Also, disconcertingly, I just got this error message (below) when trying to connect to the Logitech Squeezebox forum. Until today, I was able to access the forum - I think I got a splash page from Cloudflare where I had to check a box, in order to proceed to the page.

I really do hope that I am not going to routinely start encountering such problems. (I chose a Nord VPN server in the US, in order to help avoid problems with Netflix, etc.)

Is there some setting I need to adjust to fix this? (Changing the Username / Password Auth. Only setting from YES to NO wouldn't have caused this, would it?)

1706475729651.png
 
I have Spectrum wifi - it says I get speeds "up to 300 Mbps". Is the VPN limitation of about 250 Mbps reasonable for streaming Netflix, doing Zoom and other videocalling, browsing, etc (no gaming)? My wifi devices are 2 iphones, 1 Mac mini, 2 Como Audio radios, 1 Logitech Squeezebox Radio, 1 Visio TV (older smart model), 1 Kindle, 1 ipad. Oh, and I may add a Raspberry Pi device soon. I think that's it.
250Mbps is more than enough for streaming Netflix, etc. However, using a VPN tunnel will add latency which can cause problems for things like video calling or VoIP. Those services may not even work at all over a VPN, depending on how they're implemented.

So it sounds like the WAN DNS settings should be set to use something other than Nord's DNS servers - any suggestions?
Use whatever you had before you changed them. Normally the default settings (your ISP's servers) are the fastest. However, some people prefer to use Google, Quad9, etc. Your choice.


On the LAN tab, this is what I see:

Would I need to turn "Enable DNS Director" to ON in order to access the "Accept DNS Configuration" option? Would accepting the DNS configuration mean that the LAN would use the same DNS servers specified on the WAN tab? (I would (obviously) like malicious sites to be blocked.)
This function is not directly related to the VPN.

I really do hope that I am not going to routinely start encountering such problems. (I chose a Nord VPN server in the US, in order to help avoid problems with Netflix, etc.)
This is probably the question that should have been asked first, but why are you using a VPN at all? Please don't say security.


Is there some setting I need to adjust to fix this? (Changing the Username / Password Auth. Only setting from YES to NO wouldn't have caused this, would it?)
No.
 
