Asuswrt-Merlin and Nordvpn

How can you state that when it's a fact?
Because benchmarks run with Asus engineers gave around 300-ish Mbps with Wireguard.
Now, if Asus can't handle WG which is lighter weight and more performant then it's time to get a different "router".
You can't compare a 1.8 GHz Cortex A53 CPU with a 4-5 GHz x86 CPU... It's designed to be a power-efficient router, not a 500W computer. Totally different needs, and different devices.
 
Beware of the following directive.

Code:
reneg-sec 0

This does improve performance ever so slightly (barely). And that's because it disables rotation (renegotiation) of the session key! By default, this directive is set to 3600 (secs), which means every hour the session key is changed for the purposes of perfect forward secrecy. And so by setting it to 0, you're compromising your security!

OpenVPN providers love to instruct their customers to use this directive because it definitely improves *their* performance much more than yours. If they don't have to rotate session keys every hour (or even sooner, you could set it lower) for tens of thousands of users, that saves them substantially in terms of overhead. But as I said, at the price of your security.
Thanks @eibgrad ... so it turns out that the TLS reneg is being forced by NordVPN every 3600secs by default anyways... no matter if I have it specified as 0 on my end.
 
My posts were more in the direction of @Viktor Jaep

If you're paying for Gig service you should get Gig bandwidth over VPN.
As @RMerlin said... that's just never going to happen with the CPUs currently in these routers to be able to handle the arduous task of encryption/decryption at these speeds. I'm actually pretty happy with the jump in processing power going from a RT-AC3100 to the AC86U with the BCM4906, which has hardware-accelerated AES support in the CPU. Before I was getting maybe 30-50Mbps on the 3100. Besides, even my best wifi devices couldn't handle Gig speed... most are getting around the 400Mbps mark max. The only thing that comes close to the 1Gbps mark, is my laptop hardwired directly into the router, going outside the bounds of the VPN tunnel.
 
Should really try to find a way to use the NordLynx (WireGuard) option if possible if you want to use your full bandwidth.


890/42 is not the max I can hit but, just a random speed test.
The tutorial to set up WireGuard for Mullvad VPN seems a bit harder compared to using the stock Asus RC3-3 Beta firmware. Before installing Merlin 386.4, I had already tried WireGuard in the Beta firmware and it was easy to fill in the info needed. After changing to Merlin, I cannot find a proper and easier step-by-step guide to set up WireGuard in the current firmware.
 
After changing to Merlin, I cannot find a proper and easier step-by-step guide to set up WireGuard in the current firmware.
If using RMerlin firmware v386.4, in lieu of a GUI WireGuard interface, you could try WireGuard Manager for Mullvad/TorGuard 'clients'

Apologies if you are not actually requesting Mullvad WireGuard configuration help (in this NordVPN thread)

Install wg from the amtm menu

Code:
amtm

amtm 3.2.3 FW             by thelonelycoder
RT-AX86U (aarch64) FW-386.4 @ 192.168.50.1
    The Asuswrt-Merlin Terminal Menu      

1  install  Diversion - the Router Adblocker
2  install  Skynet - the Router Firewall
3  install  FlexQoS - Flexible QoS Enhancement
3d install  FreshJR QOS - Adaptive QOS (deprecated)

4  install  YazFi - enhanced guest WiFi
5  open     scribe                    v2.4.3
6  install  x3mRouting - Selective Routing

7  install  unbound Manager - unbound utility
8  install  nsrum - NVRAM Save/Restore Utility

j1 install  connmon - Internet uptime monitor
j2 install  ntpMerlin - NTP Daemon
j3 install  scMerlin - Quick access control

j4 install  spdMerlin - Automatic speedtest
j5 install  uiDivStats - Diversion WebUI stats
j6 install  uiScribe - WebUI for scribe logs

j7 install  YazDHCP - Expansion of DHCP assignments
vn install  vnStat - Data use monitoring

di install  dnscrypt installer
wg install  WireGuard Mgr                                            <==========          
ag install  Asuswrt-Merlin-AdGuardHome-Installer

ep manage   Entware packages

em install  email settings
dc install  Disk check script
fd run      Format disk
lc install  LED control - Scheduled LED control
rs enable   Reboot scheduler
sw create   Swap file

i  hide     inactive scripts or tools

    amtm options
e  exit      t  theme   r  reset   a  about
_____________________________________________

Enter option
 
I know this option in amtm, but I do not understand how to fill in the configuration settings based on the info given by Mullvad. It is not as easy as in the Asus Beta firmware.
 
I know this option in amtm, but I do not understand how to fill in the configuration settings based on the info given by Mullvad. It is not as easy as in the Asus Beta firmware.
@ZebMcKayhan has an excellent tutorial:
WireguardManager/README.md at main · ZebMcKayhan/WireguardManager (github.com)

i.e. rather than transcribe the Mullvad .conf by hand, simply download/copy the file generated by the Mullvad config generator e.g. 'mlvd-gb22.conf' to the router directory 'opt/etc/wireguard.d/' then issue wireguard_manager command import mlvd-gb22

see detailed description:
WireguardManager/README.md at main · ZebMcKayhan/WireguardManager (github.com)
 
Because benchmarks run with Asus engineers gave around 300-ish Mbps with Wireguard.

Was this with the RT-AX86u? If so, I'd have expected that number to be a bit higher given WireGuard performance on devices with weaker processors on OpenWrt giving around 300 Mbit/s.

Is there something like irqbalance to improve performance? On OpenWrt this gives a huge performance boost for various different hardware configurations.

Or perhaps there is something slightly different for broadcom. I came across this:

 
Was this with the RT-AX86u?
Probably, or another router with the same CPU. I don't remember.

Is there something like irqbalance to improve performance?
I experimented with irqbalance a few years ago, and saw zero performance difference. Might be because Asus is manually finetuning IRQ assignment at boot time. I also assign CPU cores to OpenVPN processes to ensure that running multiple clients will spread the load across all cores (and also avoid if possible using the first core that's already used by a lot of things).
 
If speeds using NordVPN are CPU limited do the newer Broadcom BCM4912 (2Ghz quad core w/16nm) and DDR4 in the XT12 offer a significant speed boost? Has anyone tested this?

As far as I can tell the XT12 is the only Broadcom BCM4912 based Merlin compatible router since the other two (ET12 & GT-AXE16000) have only been recently released and are not yet supported. You could probably still test the speed difference with the more basic AsusWRT firmware on the ET12 & GT-AXE16000 though...
 
Beware, if the .ovpn file does NOT contain the following directive ...

Code:
redirect-gateway def1

... then it will leave the "Redirect internet traffic through tunnel" setting in the GUI as No (the default), rather than "Yes (all)". Since most providers push that directive from the server to the client, it wouldn't surprise me if many (most?) don't bother to include it in the client's config file. Prior to 386.3, having "Redirect internet traffic through tunnel" set to No would still allow the client to be redirected over the VPN provided the server pushed that directive. But with the introduction of 386.3 and beyond, that's no longer the case. When "Redirect internet traffic through tunnel" is set to No, it means NO!
Thanks for mentioning this! I recently had the "Error - check configuration" issue with NordVPN but adding that line fixed it
redirect-gateway def1
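
Added example, not written by any poster in this thread: a small shell check for the two directives warned about above (`reneg-sec 0` and a missing `redirect-gateway`), to run over an .ovpn file before importing it. The function names and the sample config are constructed for illustration, and reading only the last occurrence of a directive is an assumption.

```shell
#!/bin/sh
# Added example: audit an OpenVPN client config for the two directives
# discussed in this thread. Function names are hypothetical.

# Print the first argument of the last uncommented occurrence of a
# directive, or "absent" if the directive never appears.
# Assumption: the last occurrence in the file is the one that matters.
last_arg() {  # $1 = config file, $2 = directive name
    awk -v d="$2" '
        NF == 0 || $1 ~ /^[#;]/ { next }   # skip blank and comment lines
        $1 == d { v = $2; seen = 1 }
        END { print (seen ? v : "absent") }' "$1"
}

# Print one OK/WARN finding per directive for the given config file.
audit_ovpn() {  # $1 = path to .ovpn file
    reneg=$(last_arg "$1" reneg-sec)
    case "$reneg" in
        absent) echo "OK reneg-sec: not set, default of 3600 s applies" ;;
        0)      echo "WARN reneg-sec 0: client-side session key renegotiation disabled" ;;
        *)      echo "OK reneg-sec $reneg" ;;
    esac
    if [ "$(last_arg "$1" redirect-gateway)" = absent ]; then
        echo "WARN redirect-gateway: missing, GUI 'Redirect internet traffic through tunnel' stays at No after import"
    else
        echo "OK redirect-gateway: present"
    fi
}

# Constructed sample: a trimmed provider-style client config.
sample=$(mktemp)
cat > "$sample" <<'EOF'
client
remote-cert-tls server
# tuning suggested by the provider
reneg-sec 0
persist-key
persist-tun
EOF
audit_ovpn "$sample"
rm -f "$sample"
```

A WARN on `redirect-gateway` only means the "Redirect internet traffic through tunnel" option has to be set by hand in the GUI on 386.3 and later.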
 
Thanks for mentioning this! I recently had the "Error - check configuration" issue with NordVPN but adding that line fixed it
Not having the redirect-gateway def1 line in the file should not generate an error. There was no suggestion of it fixing a bad config, only that without it you have to manually set the "Redirect..." option in the GUI. I don't have that line in any of my NordVPN files.
 
Not having the redirect-gateway def1 line in the file should not generate an error. There was no suggestion of it fixing a bad config, only that without it you have to manually set the "Redirect..." option in the GUI. I don't have that line in any of my NordVPN files.
Without that line, I couldn't connect to the internet at all. Any idea why?
I followed the setup on NordVPN's page (except step 9 and 10) and here are the current settings.
FWIW, this VPN router is behind a main router (main router LAN port to VPN router WAN, so double NATs I think).

[Screenshots: VPN Client (2 images); VPN Director (1 image)]
 
NordVPN user here... and I don't need to have that statement in my config in order to get a working connection... Though these VPN providers are trying to do the right thing by providing instructions out there on how to configure your routers, many times they are incorrect, or just way out of date. This is what I'm using...

Code:
remote-random
resolv-retry infinite
remote-cert-tls server
ping 15
ping-restart 0
ping-timer-rem
persist-key
persist-tun
reneg-sec 0
fast-io
disable-occ
mute-replay-warnings
auth-nocache
sndbuf 524288
rcvbuf 524288
push "sndbuf 524288"
push "rcvbuf 524288"
pull-filter ignore "auth-token"
pull-filter ignore "ifconfig-ipv6"
pull-filter ignore "route-ipv6"
explicit-exit-notify 3
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450

I provided some rudimentary setup instructions here:

 
