ASUS RT-AC86U (Merlin) does not connect to OpenVPN (NordVPN)

Hi,

Apologies for the delay in responding.

My RT-AC86U only drops about 1 Mbps in speed when using the VPN on Merlin.

Here are my configuration screens (three screenshot attachments, not reproduced here).
Full custom configuration is:
remote-cert-tls server
remote-random
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ping-timer-rem
reneg-sec 0

#log /tmp/vpn.log

What do you have under WAN DNS settings page? “Connect to DNS servers automatically” yes or no? And if it is “No”, did you include NordVPN servers in there?

Thank you


Sent from my iPhone using Tapatalk
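As an added example (not part of the post above, and not NordVPN's or Merlin's own tooling), here is a small lint for a pasted OpenVPN client "custom configuration" block such as the one in this post. It parses option lines the way OpenVPN does (one option per line, `#` and `;` comments) and flags the settings a reviewer would want to confirm: that `remote-cert-tls server` is present so the client only accepts a certificate with the serverAuth EKU as the server (otherwise any certificate signed by the provider's CA, including another customer's client certificate, could impersonate the server), that `auth-nocache` is set (OpenVPN 2.4 itself logs a warning about cached passwords when username/password auth is used without it), and that `reneg-sec 0` is understood as "this side never initiates rekeying". The severity labels and the mssfix-versus-tun-mtu sanity rule are this example's own.

```python
"""Lint a pasted OpenVPN client "custom configuration" block.

Added example, not code from the forum post or the firmware.  It parses the
option lines the way OpenVPN does (one option per line, '#' and ';' comments)
and flags settings a reviewer would want to confirm.  Severity labels are
this example's own convention.
"""
from dataclasses import dataclass
from typing import Dict, List

# The custom configuration exactly as posted in the thread.
POSTED_CONFIG = """\
remote-cert-tls server
remote-random
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ping-timer-rem
reneg-sec 0

#log /tmp/vpn.log
"""


@dataclass(frozen=True)
class Finding:
    severity: str   # "high", "medium" or "info" (this example's labels)
    option: str
    message: str


def parse_options(text: str) -> Dict[str, List[str]]:
    """Return {option_name: [args...]}; blank and comment lines are dropped."""
    opts: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        name, *args = line.split()
        opts[name] = args
    return opts


def lint(text: str) -> List[Finding]:
    opts = parse_options(text)
    findings: List[Finding] = []

    # Without 'remote-cert-tls server' any certificate signed by the provider's
    # CA is accepted as the server; 'server' requires the serverAuth EKU.
    if opts.get("remote-cert-tls") != ["server"]:
        findings.append(Finding("high", "remote-cert-tls",
                                "missing or not 'server'; server identity is not "
                                "restricted to certificates with the serverAuth EKU"))

    # OpenVPN 2.4 logs a warning when auth-user-pass credentials are used
    # without this option: the password stays in process memory.
    if "auth-nocache" not in opts:
        findings.append(Finding("medium", "auth-nocache",
                                "absent; username/password stay cached in memory"))

    # reneg-sec 0 means this side never initiates renegotiation; the key
    # lifetime then depends entirely on the server's own reneg-sec.
    if opts.get("reneg-sec") == ["0"]:
        findings.append(Finding("info", "reneg-sec",
                                "0: client never initiates rekeying; relies on the server"))

    # Sanity rule of thumb (this example's): the MSS clamp must not exceed
    # the tunnel MTU, otherwise it cannot prevent fragmentation.
    mtu_args = opts.get("tun-mtu")
    mss_args = opts.get("mssfix")
    mtu = int(mtu_args[0]) if mtu_args else 1500          # OpenVPN default
    mss = int(mss_args[0]) if mss_args else 0
    if mss > mtu:
        findings.append(Finding("medium", "mssfix",
                                f"{mss} exceeds tun-mtu {mtu}"))
    return findings


def has_finding(findings: List[Finding], option: str) -> bool:
    """True if the lint produced a finding for the given option name."""
    return any(f.option == option for f in findings)


if __name__ == "__main__":
    for f in lint(POSTED_CONFIG):
        print(f"[{f.severity:6}] {f.option}: {f.message}")
```

Run against the posted block it reports only `auth-nocache` (absent) and `reneg-sec` (zero); `remote-cert-tls server` is present and `mssfix 1450` sits below `tun-mtu 1500`, so neither is flagged.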
 

It doesn't matter what is in your lan DNS settings if you have your VPN accept DNS set to exclusive.
 
Thanks. Yes, I kept these settings as you describe, but my NordVPN speeds are still 1/3 of the ISP ones. I have pretty much matched my settings with yours and those of @Nosha. The way I can tell is: I turn off the VPN in my RT-AC5300, then I pick the same server in the NordVPN app on my phone and connect to it. The speeds I get as a result are 80-90% of the ISP speed. It is very possible that the low speeds come from the CPU difference between the RT-AC5300 and the AC86U. Previous speed tests discussed by Merlin in the 86U main thread do mention that the AC86U is 3x faster than the RT-AC5300/AC88U/AC3100. It does appear that no matter how much I tweak the VPN settings I still get the same speeds. Not sure what else will need tweaking at this point.
 

You saw my post earlier about my speeds. I'm not losing a third but am 10Mbps down on the same connection using my desktop client. I too tend to think it is probably the CPU and perhaps memory. Memory was almost fully utilised at the height of the speedtest, and one CPU core was 90%. There was a bit of capacity left on the second CPU core, but I don't know that it would make that much difference. Perhaps there is something in the Nord configuration which is very resource intensive. I might see what loss I get with another VPN.
 
Hello guys,

Thank you so much for this thread.
I spent hours trying to connect my Asus 68U with Merlin 384.6 to a NordVPN server.
But after reading this thread and setting the rule at the bottom for ALL DEVICES (192.168.1.0/24) to go through the VPN, everything works like a charm :)
Additionally I set a rule so that my router updates my DDNS provider outside the VPN tunnel, so my URL always gets the original WAN IP.

Okay... Everything great... All devices via VPN... DDNS updates the right WAN IP...
Works like a charm :)

But for some reason I can not remotely connect to my network when the VPN is activated.

As soon as I turn the VPN off, I can connect via my URL or WAN IP and port forwarding works too...
And when switching the VPN on, I can handle all devices inside my LAN and can surf the Internet with no problem, but can not ping or reach my WAN IP or URL from outside my network...

Any ideas what to do?
What info do you need from my settings to help?

Thank you very much
Kami :)


___________
Sent from my mobile via Tapatalk.
(screenshot attachment not reproduced)
 

Make sure the OpenVPN client and server do not use the same port number.

I put this guide together for the OpenVPN server.
https://x3mtek.com/openvpn-server-setup-instructions-for-asuswrt-merlin/

Look at the VPN Status tab and look at the subnets for the OpenVPN server and router to see if there is conflict.
 

Thank you very much for your answer, xentrk.

Your guide is for setting up a VPN server, and this guide is great :) I linked it for future interest.

But now I just want to set up a VPN client so that I can remotely reach my system.
I think the UDP VPN uses port 1194, but how do I configure the server and client ports to avoid conflicts? I am a bit confused...


Attached you find my VPN status (when connected), my settings (when not connected) and a log after connecting to the VPN.

PLEASE help me
to use the VPN client for ALL devices at home (check, OK)
to bypass the VPN for the DDNS update (check, OK) and
to reach my home network remotely from outside via my DNS name or WAN IP (no way right now...)

:(

Kind regards



VPN status when connected:
(screenshot not reproduced)



VPN settings - now disconnected, otherwise I can not reach my network at home :(
(screenshot not reproduced)


remote-cert-tls server
remote-random
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ping-timer-rem
reneg-sec 0
# log /tmp/vpn.log


My Log
Code:
Aug  9 05:52:32 rc_service: httpd 270:notify_rc start_vpnclient1
Aug  9 05:52:34 ovpn-client1[27292]: OpenVPN 2.4.6 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jul 25 2018
Aug  9 05:52:34 ovpn-client1[27292]: library versions: OpenSSL 1.0.2o  27 Mar 2018, LZO 2.08
Aug  9 05:52:34 ovpn-client1[27293]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Aug  9 05:52:34 ovpn-client1[27293]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Aug  9 05:52:34 ovpn-client1[27293]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Aug  9 05:52:34 ovpn-client1[27293]: TCP/UDP: Preserving recently used remote address: [AF_INET]5.254.80.165:1194
Aug  9 05:52:34 ovpn-client1[27293]: Socket Buffers: R=[122880->122880] S=[122880->122880]
Aug  9 05:52:34 ovpn-client1[27293]: UDP link local: (not bound)
Aug  9 05:52:34 ovpn-client1[27293]: UDP link remote: [AF_INET]5.254.80.165:1194
Aug  9 05:52:34 ovpn-client1[27293]: TLS: Initial packet from [AF_INET]5.254.80.165:1194, sid=c9741247 fa00bf00
Aug  9 05:52:34 ovpn-client1[27293]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Aug  9 05:52:35 ovpn-client1[27293]: VERIFY OK: depth=2, C=PA, O=NordVPN, CN=NordVPN Root CA
Aug  9 05:52:35 ovpn-client1[27293]: VERIFY OK: depth=1, C=PA, O=NordVPN, CN=NordVPN CA2
Aug  9 05:52:35 ovpn-client1[27293]: VERIFY KU OK
Aug  9 05:52:35 ovpn-client1[27293]: Validating certificate extended key usage
Aug  9 05:52:35 ovpn-client1[27293]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Aug  9 05:52:35 ovpn-client1[27293]: VERIFY EKU OK
Aug  9 05:52:35 ovpn-client1[27293]: VERIFY OK: depth=0, CN=at9.nordvpn.com
Aug  9 05:52:35 ovpn-client1[27293]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Aug  9 05:52:35 ovpn-client1[27293]: [at9.nordvpn.com] Peer Connection Initiated with [AF_INET]5.254.80.165:1194
Aug  9 05:52:36 ovpn-client1[27293]: SENT CONTROL [at9.nordvpn.com]: 'PUSH_REQUEST' (status=1)
Aug  9 05:52:36 ovpn-client1[27293]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,sndbuf 524288,rcvbuf 524288,dhcp-option DNS 103.86.96.100,dhcp-option DNS 103.86.99.100,route-gateway 10.8.8.1,topology subnet,ping 60,ping-restart 180,ifconfig 10.8.8.87 255.255.255.0,peer-id 3,cipher AES-256-GCM'
Aug  9 05:52:36 ovpn-client1[27293]: OPTIONS IMPORT: timers and/or timeouts modified
Aug  9 05:52:36 ovpn-client1[27293]: OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Aug  9 05:52:36 ovpn-client1[27293]: Socket Buffers: R=[122880->245760] S=[122880->245760]
Aug  9 05:52:36 ovpn-client1[27293]: OPTIONS IMPORT: --ifconfig/up options modified
Aug  9 05:52:36 ovpn-client1[27293]: OPTIONS IMPORT: route options modified
Aug  9 05:52:36 ovpn-client1[27293]: OPTIONS IMPORT: route-related options modified
Aug  9 05:52:36 ovpn-client1[27293]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Aug  9 05:52:36 ovpn-client1[27293]: OPTIONS IMPORT: peer-id set
Aug  9 05:52:36 ovpn-client1[27293]: OPTIONS IMPORT: adjusting link_mtu to 1657
Aug  9 05:52:36 ovpn-client1[27293]: OPTIONS IMPORT: data channel crypto options modified
Aug  9 05:52:36 ovpn-client1[27293]: Data Channel: using negotiated cipher 'AES-256-GCM'
Aug  9 05:52:36 ovpn-client1[27293]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Aug  9 05:52:36 ovpn-client1[27293]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Aug  9 05:52:36 ovpn-client1[27293]: TUN/TAP device tun11 opened
Aug  9 05:52:36 ovpn-client1[27293]: TUN/TAP TX queue length set to 100
Aug  9 05:52:36 ovpn-client1[27293]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Aug  9 05:52:36 ovpn-client1[27293]: /usr/sbin/ip link set dev tun11 up mtu 1500
Aug  9 05:52:36 ovpn-client1[27293]: /usr/sbin/ip addr add dev tun11 10.8.8.87/24 broadcast 10.8.8.255
Aug  9 05:52:36 ovpn-client1[27293]: updown.sh tun11 1500 1585 10.8.8.87 255.255.255.0 init
Aug  9 05:52:36 rc_service: service 27360:notify_rc updateresolv
Aug  9 05:52:36 dnsmasq[24467]: exiting on receipt of SIGTERM
Aug  9 05:52:37 dnsmasq[27368]: started, version 2.80test2-17-g51e4eee cachesize 1500
Aug  9 05:52:37 dnsmasq[27368]: warning: no upstream servers configured
Aug  9 05:52:37 dnsmasq[27368]: asynchronous logging enabled, queue limit is 5 messages
Aug  9 05:52:37 dnsmasq-dhcp[27368]: DHCP, IP range 192.168.1.2 -- 192.168.1.254, lease time 1d
Aug  9 05:52:37 dnsmasq[27368]: read /etc/ hosts - 5 addresses
Aug  9 05:52:37 dnsmasq[27368]: read /etc/ hosts.dnsmasq - 7 addresses
Aug  9 05:52:37 dnsmasq[27368]: using nameserver 212.186.211.21#53 for domain upc.at
Aug  9 05:52:37 dnsmasq[27368]: using nameserver 195.34.133.21#53 for domain upc.at
Aug  9 05:52:37 dnsmasq[27368]: using nameserver 212.186.211.21#53
Aug  9 05:52:37 dnsmasq[27368]: using nameserver 195.34.133.21#53
Aug  9 05:52:37 dnsmasq[27368]: using nameserver 103.86.99.100#53
Aug  9 05:52:37 dnsmasq[27368]: using nameserver 103.86.96.100#53
Aug  9 05:52:39 ovpn-client1[27293]: /usr/sbin/ip route add 5.254.80.165/32 via 80.108.14.1
Aug  9 05:52:39 ovpn-client1[27293]: /usr/sbin/ip route add 0.0.0.0/1 via 10.8.8.1
Aug  9 05:52:39 ovpn-client1[27293]: /usr/sbin/ip route add 128.0.0.0/1 via 10.8.8.1
Aug  9 05:52:40 openvpn-routing: Configuring policy rules for client 1
Aug  9 05:52:40 ovpn-client1[27293]: Initialization Sequence Completed
Aug  9 05:55:51 rc_service: httpd 270:notify_rc stop_vpnclient1
Aug  9 05:55:52 ovpn-client1[27293]: event_wait : Interrupted system call (code=4)
Aug  9 05:55:52 ovpn-client1[27293]: vpnrouting.sh tun11 1500 1585 10.8.8.87 255.255.255.0 init
Aug  9 05:55:52 openvpn-routing: Configuring policy rules for client 1
Aug  9 05:55:52 ovpn-client1[27293]: /usr/sbin/ip route del 5.254.80.165/32
Aug  9 05:55:52 ovpn-client1[27293]: /usr/sbin/ip route del 0.0.0.0/1
Aug  9 05:55:52 ovpn-client1[27293]: ERROR: Linux route delete command failed: external program exited with error status: 2
Aug  9 05:55:52 ovpn-client1[27293]: /usr/sbin/ip route del 128.0.0.0/1
Aug  9 05:55:52 ovpn-client1[27293]: ERROR: Linux route delete command failed: external program exited with error status: 2
Aug  9 05:55:52 ovpn-client1[27293]: Closing TUN/TAP interface
Aug  9 05:55:52 ovpn-client1[27293]: /usr/sbin/ip addr del dev tun11 10.8.8.87/24
Aug  9 05:55:52 lldpd[323]: removal request for address of 10.8.8.87%17, but no knowledge of it
Aug  9 05:55:52 ovpn-client1[27293]: updown.sh tun11 1500 1585 10.8.8.87 255.255.255.0 init
Aug  9 05:55:53 rc_service: service 27858:notify_rc updateresolv
Aug  9 05:55:53 rc_service: waitting "stop_vpnclient1" via httpd ...
Aug  9 05:56:04 dnsmasq[27368]: read /etc/ hosts - 5 addresses
Aug  9 05:56:04 dnsmasq[27368]: read /etc/ hosts.dnsmasq - 7 addresses
Aug  9 05:56:04 dnsmasq[27368]: using nameserver 212.186.211.21#53 for domain upc.at
Aug  9 05:56:04 dnsmasq[27368]: using nameserver 195.34.133.21#53 for domain upc.at
Aug  9 05:56:04 dnsmasq[27368]: using nameserver 212.186.211.21#53
Aug  9 05:56:04 dnsmasq[27368]: using nameserver 195.34.133.21#53
Aug  9 05:56:04 dnsmasq[27368]: read /etc/ hosts - 5 addresses
Aug  9 05:56:04 dnsmasq[27368]: read /etc/ hosts.dnsmasq - 7 addresses
Aug  9 05:56:04 dnsmasq[27368]: using nameserver 212.186.211.21#53 for domain upc.at
Aug  9 05:56:04 dnsmasq[27368]: using nameserver 195.34.133.21#53 for domain upc.at
Aug  9 05:56:04 dnsmasq[27368]: using nameserver 212.186.211.21#53
Aug  9 05:56:04 dnsmasq[27368]: using nameserver 195.34.133.21#53
 
Hello,
I have a problem with the DNS server in my VPN settings (NordVPN). I have "Accept DNS Configuration = Exclusive" and I use "Redirect Internet Traffic: Policy Rules" so that my iPad uses the NordVPN connection. But my problem is, when I check browserleaks.com/ip then I see the DNS servers are the servers from Cloudflare, and that's wrong.

My setup on the router is LAN - DNS Setup - DNS Server 1: IP-of-my-Pi-hole. And on my Pi-hole I set the DNS from Cloudflare, so that all devices in my network use the Cloudflare DNS. But when a device uses the VPN connection then it will use the DNS from the VPN provider (NordVPN), and I think with "Exclusive" that is right, or not?

I use an RT-AC86U with Merlin 384.12.

Thank you very much.
 
Some VPN providers are now using Cloudflare DNS servers near the geolocation of the endpoint you are connected to. Mine is. You can use ipleak.net or dnsleak.com to validate the DNS location.

With "Accept DNS Configuration = Exclusive" and "Redirect Internet Traffic: Policy Rules", pi-hole and any ad blocking using dnsmasq will be bypassed since the VPN tunnel will exclusively use the DNS of the VPN Provider.

If you want to use pi-hole and dnsmasq with the VPN client when using Policy Rules, set Accept DNS Configuration = Disabled.
 
I don't understand that. When I use the .ovpn file directly on my iPad and connect to the server then it works; the DNS servers are from NordVPN. And when I use the same .ovpn file on the router then it doesn't work.

When I set "Accept DNS Configuration = Disabled" then it doesn't work. What is the problem, is it the Pi-hole or Cloudflare? Why does the VPN connection directly on the router use the wrong DNS?

And with the NordVPN app on the iPad it works as well; only the router doesn't.
 
Your experience may be different from what I explain below since you are configuring DNS using the LAN -> DHCP Server tab. There are some discussions on the forum about pi-hole and DNS when using a VPN.


DNS Behavior
The Accept DNS Configuration setting determines DNS behavior for clients connected to the OpenVPN Client on Asuswrt-Merlin.

“Accept DNS Configuration” set to “Exclusive”
When combined with Policy Rules based routing, all clients configured to use the VPN will use the DNS servers provided by the VPN tunnel. LAN Clients configured to go through the WAN will use the DNS configured in the WAN Settings Screen.

The disadvantage of setting “Accept DNS configuration” to “Exclusive” is that DNSMASQ will be bypassed since the VPN tunnel will exclusively use the DNS of the VPN Provider. The popular Diversion ad blocker program, written for the Asuswrt-Merlin firmware, will not work since Diversion requires the features of DNSMASQ. I am not 100% positive as I've never tested it, but I believe the same issue exists if using pi-hole. Diversion will work over the VPN tunnel when “Accept DNS configuration” is set to “Exclusive” and Policy Rules are disabled by setting “Redirect Internet Traffic” to All”.

Accept DNS Configuration Definitions
For reference, the definition of the Accept DNS Configuration field values are as follows:
  • Disabled: DNS servers pushed by the VPN provider are ignored.
  • Relaxed: DNS servers pushed by the VPN provider are prepended to the current list of DNS servers, any of which can be used.
  • Strict: DNS servers pushed by the VPN provider are prepended to the current list of DNS servers, which are used in order. Existing DNS servers are only used if the VPN-provided ones don't respond.
  • Exclusive: Only the DNS servers pushed by the VPN provider are used.
 
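As an added example (not firmware code and not from any post in this thread), the script below ties the four Accept DNS Configuration definitions just above to the OpenVPN client log Kami posted earlier. It parses the log excerpt for what the server pushed (`dhcp-option DNS`, the data-channel cipher), what routes the client installed (the two /1 halves of `redirect-gateway def1` plus the /32 host route to the VPN endpoint via the pre-existing gateway), whether the server certificate passed the EKU check, and which upstreams dnsmasq then reported. It then computes the upstream set each mode would produce per the definitions above and reports which modes are consistent with what dnsmasq actually logged. The log excerpt is copied verbatim from the post; the WAN resolver list is taken from the same log's "for domain upc.at" lines.

```python
"""Relate the posted OpenVPN client log to the Accept DNS Configuration modes.

Added example, not code from the firmware or from the thread.  The log lines
below are copied from the post; the mode semantics follow the four bullet
definitions given in the thread (Disabled / Relaxed / Strict / Exclusive).
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Relevant lines from the posted log, verbatim (a constructed excerpt).
LOG = """\
Aug  9 05:52:34 ovpn-client1[27293]: UDP link remote: [AF_INET]5.254.80.165:1194
Aug  9 05:52:35 ovpn-client1[27293]: VERIFY EKU OK
Aug  9 05:52:35 ovpn-client1[27293]: VERIFY OK: depth=0, CN=at9.nordvpn.com
Aug  9 05:52:36 ovpn-client1[27293]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,sndbuf 524288,rcvbuf 524288,dhcp-option DNS 103.86.96.100,dhcp-option DNS 103.86.99.100,route-gateway 10.8.8.1,topology subnet,ping 60,ping-restart 180,ifconfig 10.8.8.87 255.255.255.0,peer-id 3,cipher AES-256-GCM'
Aug  9 05:52:36 ovpn-client1[27293]: Data Channel: using negotiated cipher 'AES-256-GCM'
Aug  9 05:52:37 dnsmasq[27368]: using nameserver 212.186.211.21#53
Aug  9 05:52:37 dnsmasq[27368]: using nameserver 195.34.133.21#53
Aug  9 05:52:37 dnsmasq[27368]: using nameserver 103.86.99.100#53
Aug  9 05:52:37 dnsmasq[27368]: using nameserver 103.86.96.100#53
Aug  9 05:52:39 ovpn-client1[27293]: /usr/sbin/ip route add 5.254.80.165/32 via 80.108.14.1
Aug  9 05:52:39 ovpn-client1[27293]: /usr/sbin/ip route add 0.0.0.0/1 via 10.8.8.1
Aug  9 05:52:39 ovpn-client1[27293]: /usr/sbin/ip route add 128.0.0.0/1 via 10.8.8.1
Aug  9 05:52:40 ovpn-client1[27293]: Initialization Sequence Completed
"""

# WAN (ISP) resolvers, as shown by the "for domain upc.at" lines of the same log.
WAN_DNS = ["212.186.211.21", "195.34.133.21"]

PUSH_RE = re.compile(r"PUSH: Received control message: '(.*)'")
ROUTE_RE = re.compile(r"ip route add (\S+) via (\S+)")
NS_RE = re.compile(r"dnsmasq\[\d+\]: using nameserver (\S+)#53$")
MODES = ("Disabled", "Relaxed", "Strict", "Exclusive")


@dataclass
class Session:
    pushed_dns: List[str] = field(default_factory=list)
    cipher: Optional[str] = None
    full_redirect: bool = False            # both 0.0.0.0/1 and 128.0.0.0/1 via the tunnel
    endpoint_host_route: bool = False      # /32 to the VPN server via the pre-existing gateway
    eku_ok: bool = False                   # server cert passed the serverAuth EKU check
    dnsmasq_upstreams: List[str] = field(default_factory=list)


def parse_log(text: str) -> Session:
    """Extract pushed options, installed routes and dnsmasq upstreams from the log."""
    s = Session()
    halves: Set[str] = set()
    for line in text.splitlines():
        m = PUSH_RE.search(line)
        if m:
            for opt in m.group(1).split(","):
                words = opt.split()
                if words[:2] == ["dhcp-option", "DNS"]:
                    s.pushed_dns.append(words[2])
                elif words[0] == "cipher":
                    s.cipher = words[1]
            continue
        m = ROUTE_RE.search(line)
        if m:
            prefix = m.group(1)
            if prefix in ("0.0.0.0/1", "128.0.0.0/1"):
                halves.add(prefix)
            elif prefix.endswith("/32"):
                s.endpoint_host_route = True
            continue
        m = NS_RE.search(line)
        if m:
            s.dnsmasq_upstreams.append(m.group(1))
        elif "VERIFY EKU OK" in line:
            s.eku_ok = True
    s.full_redirect = halves == {"0.0.0.0/1", "128.0.0.0/1"}
    return s


def expected_upstreams(mode: str, pushed: List[str], existing: List[str]) -> List[str]:
    """Upstream list a given Accept DNS Configuration mode yields, per the thread's definitions."""
    if mode == "Disabled":
        return list(existing)            # pushed servers ignored
    if mode in ("Relaxed", "Strict"):
        return pushed + existing         # pushed servers prepended (order policy differs)
    if mode == "Exclusive":
        return list(pushed)              # only the pushed servers
    raise ValueError(mode)


def consistent_modes(observed: List[str], pushed: List[str], existing: List[str]) -> List[str]:
    """Modes whose resulting server *set* matches what dnsmasq logged.

    Order is deliberately ignored: Relaxed and Strict differ only in how the
    same list is used, so they cannot be told apart from this evidence.
    """
    got = set(observed)
    return [m for m in MODES if set(expected_upstreams(m, pushed, existing)) == got]


if __name__ == "__main__":
    s = parse_log(LOG)
    print("pushed DNS:", s.pushed_dns, "cipher:", s.cipher, "EKU ok:", s.eku_ok)
    print("full redirect:", s.full_redirect, "host route to endpoint:", s.endpoint_host_route)
    print("modes consistent with dnsmasq upstreams:",
          consistent_modes(s.dnsmasq_upstreams, s.pushed_dns, WAN_DNS))
```

For the posted log, dnsmasq ended up with both the ISP resolvers and the two pushed NordVPN resolvers, which under the definitions above matches Relaxed or Strict but not Exclusive (only pushed) or Disabled (only ISP). That is the quick check to run when a browser-side leak test shows a resolver you did not expect: compare the `dhcp-option DNS` values the tunnel pushed with the `using nameserver` lines dnsmasq logs after `updateresolv`.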
OK, when I want the device connected over the VPN to use the DNS server from NordVPN, then I must use Disabled for Accept DNS Configuration, right? Is this all, or do I need other changes? And are the policy rules okay, and is my DNS entry with the Pi-hole also okay?
Thank you very much
 
Now I see that on the router I can set the DNS server in the WAN section and also in the LAN section. At the moment I have:

WAN section:
Connect to DNS Server automatically = YES

LAN section (DNS and WINS):
DNS Server 1 = IP-Address-PiHole
DNS Server 2 = blank

I don't know if this is right, but is this perhaps the problem?
 
to reach my homenetwork remotely from outside via my dns or WAN-IP (no way right now...)

:(
Set up an OpenVPN server and you can connect to your network from outside.
Do you want your OpenVPN server to go through your VPN client, i.e. through NordVPN?
 
On my router I am running an OpenVPN server so that I can connect from outside to my home network. My problem is that I have a VPN client connection to NordVPN on the router and I want some devices from my home network to use this connection. And when a device uses this connection then it must use the DNS server from NordVPN and not the DNS server from my WAN (Internet provider).
 
To connect to your router from the outside using VPN while your Nord or ExpressVPN client is running, you need to take your router out of the internal VPN. In your VPN Client section at the bottom, simply add a rule passing it to the WAN. See below. Then you will easily be able to connect remotely, even while your internal VPN is running.

(screenshot not reproduced)
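As an added example (not firmware code and not from any reply in this thread), the script below models the source-address policy rules behind "Redirect Internet Traffic: Policy Rules" and checks the two situations this thread runs into: the router itself (Kami's DDNS update and the remote-access problem, which the reply above solves with a WAN rule for the router) and, as this example's own generalisation, a port-forward target on the LAN, whose replies to inbound WAN connections leave through the tunnel if a VPN rule matches its address. Rules are evaluated in list order, first match wins, which is how Linux `ip rule` behaves; how the GUI maps its rows to `ip rule` priorities is not covered by the thread and is not modelled. The router's LAN address `192.168.1.1` is an assumption, derived from the 192.168.1.0/24 subnet in Kami's post.

```python
"""Source-address policy routing model for the "all devices via VPN" setup.

Added example, not Asuswrt-Merlin code.  Rules are matched in list order,
first match wins (Linux `ip rule` semantics); the GUI's priority assignment
is not modelled.  ROUTER_LAN_IP is an assumption based on the posted subnet.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, List


@dataclass(frozen=True)
class Rule:
    source: str   # single IP or CIDR, as entered in the policy rule table
    iface: str    # "WAN" or "VPN"


ROUTER_LAN_IP = "192.168.1.1"   # assumed router address on Kami's 192.168.1.0/24 LAN


def egress(src: str, rules: List[Rule], default: str = "WAN") -> str:
    """Interface a packet with source address `src` leaves on.

    First matching rule wins; a source that matches no rule takes the default
    (the WAN, as for any host not listed in the policy table).
    """
    addr = ip_address(src)
    for r in rules:
        if addr in ip_network(r.source, strict=False):
            return r.iface
    return default


def check_remote_access(rules: List[Rule], router_ip: str = ROUTER_LAN_IP,
                        forwarded_hosts: Iterable[str] = ()) -> List[str]:
    """Problems that break inbound access from the WAN while the VPN client is up."""
    problems: List[str] = []
    if egress(router_ip, rules) != "WAN":
        problems.append(f"router {router_ip} matches a VPN rule; add a WAN rule for it "
                        "so its own traffic (DDNS update, remote admin) stays off the tunnel")
    for host in forwarded_hosts:
        if egress(host, rules) != "WAN":
            # Reply packets carry the LAN host's address as source, so the VPN
            # rule sends them out through the tunnel: asymmetric routing.
            problems.append(f"port-forward target {host} replies via the tunnel; "
                            "the forward will not work")
    return problems


# Kami's setup as posted: every device in 192.168.1.0/24 through the tunnel.
AS_POSTED = [Rule("192.168.1.0/24", "VPN")]

# The fix from the reply above: a WAN rule for the router ahead of the subnet rule.
FIXED = [Rule(ROUTER_LAN_IP, "WAN"), Rule("192.168.1.0/24", "VPN")]

# Same rows in the opposite order: in this first-match model the /24 swallows
# the router before its WAN rule is reached.
OPPOSITE_ORDER = [Rule("192.168.1.0/24", "VPN"), Rule(ROUTER_LAN_IP, "WAN")]


if __name__ == "__main__":
    for name, rules in (("as posted", AS_POSTED), ("fixed", FIXED), ("opposite order", OPPOSITE_ORDER)):
        print(name, "->", check_remote_access(rules, forwarded_hosts=["192.168.1.20"]) or "ok")
```

The same evaluator answers the DNS question from the earlier posts in routing terms only: a device the rules send to the VPN gets the tunnel's routing, but which resolver it ends up using is decided by the Accept DNS Configuration setting, not by the rule table.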
 
