Help with setup of StrongVPN on Asus Merlin

[Gusar24]

Just asking to eliminate the obvious but after selecting WAN - VPN you did click apply?

MY settings are:

Policy Rules

Accept DNS - Disable

Other than that I don't have any other suggestions at this time.

Yes I do hit apply but to no avail. Any other settings need to be changed?

 

[Xentrk]

Those posts are a lot of information to digest for sure

Please validate that you have the routers IP address in the Policy rules table set to go to WAN and that you have static ip addresses configured for your clients. And, these addresses are outside the DHCP ip range. Once that is done, it could be a DNS issue.

From https://strongvpn.com/vpnreasons.html
If you can see Youtube.com via the link below, it's a DNS issue:
http://64.233.171.93/

I looked and see that StrongVPN has their own DNS servers. For policy rules, I suggest you add these two lines in the OpenVPN custom config section:

dhcp-option DNS 216.131.95.20
dhcp-option DNS 216.131.94.5

And, set Accept DNS Configuration = Strict.

Likewise, go to the WAN tab, in WAN DNS Setting, Connect to DNS Server automatically to No. Then enter the following:
DNS Server 1: 216.131.95.20
DNS Server 2: 216.131.94.5

Now, try to connect thru the tunnel..

For troubleshooting, if you use a windows client, open a command prompt (cmd command in Cortona). Type ipconfig. Does the ip address reported the static ip address you defined in the router? If not, something is not right with the static ip assignments. Type getmac at the command line. You you will get one mac for the eth interface and one mac for the wifi interface. Make sure you are using the right mac address for the connection you are using when you defined the static ip address.

Hang in there, we will get this working.

 

[Gusar24]

Thank you for the patience and help. Sorry I have not been able to work on this earlier today.

I did everything you said and it will not work. As soon as I turned policy rules on, I tried with every setting on Accept DNS Configuration, it did not work.

I set my Dynamic IP range from 192.168.1.2 to 192.168.1.199 and I set all of my devices to .200, .202 and going up.. but I do not think that is a problem.

I had policy rules working before without setting my devices to static IPs with NordVPN. The router always set the same IP for my devices without me having to set them to static IPs. But for some reason, it will not work with StrongVPN. I tried that link you had posted and it opens up Google, not Youtube.

As soon as I set those settings, in VPN Status, Tun/Tap read and write stay at 0, which I guess means there is no device connecting. In the devices under the policy, I had the router as the first device set to WAN and my iPhone set to VPN. Strangely when I had the VPN on and the DNS settings setup as you told me to, the iPhone worked through the local internet and not the VPN, while my streaming TV box froze, which is directly connected, meaning it was not getting a connection. Any ideas on this?

 

[Xentrk]

Thank you for the patience and help. Sorry I have not been able to work on this earlier today.

I did everything you said and it will not work. As soon as I turned policy rules on, I tried with every setting on Accept DNS Configuration, it did not work.

I set my Dynamic IP range from 192.168.1.2 to 192.168.1.199 and I set all of my devices to .200, .202 and going up.. but I do not think that is a problem.

I had policy rules working before without setting my devices to static IPs with NordVPN. The router always set the same IP for my devices without me having to set them to static IPs. But for some reason, it will not work with StrongVPN. I tried that link you had posted and it opens up Google, not Youtube.

As soon as I set those settings, in VPN Status, Tun/Tap read and write stay at 0, which I guess means there is no device connecting. In the devices under the policy, I had the router as the first device set to WAN and my iPhone set to VPN. Strangely when I had the VPN on and the DNS settings setup as you told me to, the iPhone worked through the local internet and not the VPN, while my streaming TV box froze, which is directly connected, meaning it was not getting a connection. Any ideas on this?

I am running out of ideas. I think I have to leave it up to @CaptainSTX to help since he is a StrongVPN customer and I use TorGuard.

One last idea I have is to enter your router's IP Address in the
DNS and WINS Server Setting section, DNS Server 1 field on the LAN-DHCP Server page.

What we know so far is All Traffic is working. But Policy Rules are the issue. At least the narrows the focus down.

I suspect the reason you did not need to assign static ip addresses before is that your lease time value is set to a high enough value that the lease never expires. But it is best practice to assign static IP if you use policy rules as there is always a possibility you can get a new IP assignment. If you go on holiday for two weeks and come back home for example.

Use the Network Map menu, View Clients button to make sure the IP addresses are assigned to the clients per your assignments. A power cycle of the router may be required to purge the dynamic DHCP leases and get the static IP assignments to take precedence. Hopefully this resolves the issue.

After you power cycle the router, go to the system log. In the browser, search for "policy rules". What do you see? Likewise, search for "openvpn" and look for any other helpful messages.

Also, I suggest you use a smaller DHCP range for security purposes. If you are going to use static IP addresses for all of the clients in your household, there is no need to have a large pool.

 

[CaptainSTX]

I am at a loss at why you are having so many problems.

Just to satisfy myself that I was not leading you down the wrong path I got my old N66 out of the closet, updated to the latest Merlin 66.4 ( I am still running 66.2 on my 1900P ), uploaded the StrongOVPN file for manual router configuration, typed in the user name and password that goes with the file, clicked the ON button and the open VPN client started.

Touched no other settings. Left the setting to route at default to route ALL traffic. On my production router I have all devices assigned static IPs and use policy routing. I specify which devices use the WAN and which devices use the VPN.

I then ran whatismyip.com and confirmed that I was connected through the tunnel. Ran a speedtest and saw the server I expected and the 13/9 Mbps speeds that are what I get using an N66.

If you can't get policy routing to work all I can suggest is you do a factory reset and start over in the configuration. Manually enter all settings. The setup just isn't as hard as it has been for you.

 

[Gusar24]

I am running out of ideas. I think I have to leave it up to @CaptainSTX to help since he is a StrongVPN customer and I use TorGuard.

One last idea I have is to enter your router's IP Address in the
DNS and WINS Server Setting section, DNS Server 1 field on the LAN-DHCP Server page.

What we know so far is All Traffic is working. But Policy Rules are the issue. At least the narrows the focus down.

I suspect the reason you did not need to assign static ip addresses before is that your lease time value is set to a high enough value that the lease never expires. But it is best practice to assign static IP if you use policy rules as there is always a possibility you can get a new IP assignment. If you go on holiday for two weeks and come back home for example.

Use the Network Map menu, View Clients button to make sure the IP addresses are assigned to the clients per your assignments. A power cycle of the router may be required to purge the dynamic DHCP leases and get the static IP assignments to take precedence. Hopefully this resolves the issue.

After you power cycle the router, go to the system log. In the browser, search for "policy rules". What do you see? Likewise, search for "openvpn" and look for any other helpful messages.

Also, I suggest you use a smaller DHCP range for security purposes. If you are going to use static IP addresses for all of the clients in your household, there is no need to have a large pool.

Xentrk,

Yesterday I assigned all the static IPs and I rebooted the router. Then I confirmed that they were the ones I assigned in the list of clients. I will try that with the DNS Server 1 setting you suggested... also do you need a screenshot of the privacy rules in the system log?

I am at a loss at why you are having so many problems.

Just to satisfy myself that I was not leading you down the wrong path I got my old N66 out of the closet, updated to the latest Merlin 66.4 ( I am still running 66.2 on my 1900P ), uploaded the StrongOVPN file for manual router configuration, typed in the user name and password that goes with the file, clicked the ON button and the open VPN client started.

Touched no other settings. Left the setting to route at default to route ALL traffic. On my production router I have all devices assigned static IPs and use policy routing. I specify which devices use the WAN and which devices use the VPN.

I then ran whatismyip.com and confirmed that I was connected through the tunnel. Ran a speedtest and saw the server I expected and the 13/9 Mbps speeds that are what I get using an N66.

If you can't get policy routing to work all I can suggest is you do a factory reset and start over in the configuration. Manually enter all settings. The setup just isn't as hard as it has been for you.

CaptainSTX,

Thank you for doing that, I really appreciate you going to all of the trouble of doing that. It was that way when I did my setup with NordVPN, all I did was upload the file and everything worked fine, had no need to change anything else, policy rules worked fine but with StrongVPN it's not that way. For some reason when I upload the openVPN file, the authentication does not change to MD5 so if you don't notice that, you won't be able to connect.

Would it be possible for you to send me screenshots of the way your is setup and maybe I can mirror that to try to get it working?

 

[CaptainSTX]

OK. PM with an e-mail address where I can send the shots. No need to post them here.

 

[Gusar24]

OK. PM with an e-mail address where I can send the shots. No need to post them here.

PM sent. Also, I just tested the NordVPN with policy rules and the accept dns configuration set to exclusive. It works fine with the policy rules. From what I can see, everything is the same in the settings but in the additional settings text box at the bottom here it is for comparison:

NordVPN



remote-random

tun-mtu 1500

tun-mtu-extra 32

mssfix 1450

ping 15

ping-restart 0

ping-timer-rem

reneg-sec 0

explicit-exit-notify 3

remote-cert-tls server

pull

fast-io



StrongVPN



explicit-exit-notify 2

fragment 1390

hand-window 30

mssfix

mute 3

mute-replay-warnings

ns-cert-type server

reneg-sec 0

route-delay 2

route-method exe

route-metric 1

topology subnet

tun-mtu 1500

I don't know if some of these settings are making it go wrong.

 

[Xentrk]

PM sent. Also, I just tested the NordVPN with policy rules and the accept dns configuration set to exclusive. It works fine with the policy rules. From what I can see, everything is the same in the settings but in the additional settings text box at the bottom here it is for comparison:

NordVPN



remote-random

tun-mtu 1500

tun-mtu-extra 32

mssfix 1450

ping 15

ping-restart 0

ping-timer-rem

reneg-sec 0

explicit-exit-notify 3

remote-cert-tls server

pull

fast-io



StrongVPN

explicit-exit-notify 2

fragment 1390

hand-window 30

mssfix

mute 3

mute-replay-warnings

ns-cert-type server

reneg-sec 0

route-delay 2

route-method exe

route-metric 1

topology subnet

tun-mtu 1500

I don't know if some of these settings are making it go wrong.

I looked at the settings in the openvpn 2.4 manual https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage. These may be issues:

--ns-cert-type client|server (DEPRECATED)
This option is deprecated. Use the more modern equivalent --remote-cert-tls instead. This option will be removed in OpenVPN 2.5.

This option is a Windows setting. Best to remove it from the router config:
--route-method m
Which method m to use for adding routes on Windows?

adaptive (default) -- Try IP helper API first. If that fails, fall back to the route.exe shell command.
ipapi -- Use IP helper API.
exe -- Call the route.exe shell command.

 

[Gusar24]

I looked at the settings in the openvpn 2.4 manual https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage. These may be issues:

--ns-cert-type client|server (DEPRECATED)
This option is deprecated. Use the more modern equivalent --remote-cert-tls instead. This option will be removed in OpenVPN 2.5.

This option is a Windows setting. Best to remove it from the router config:
--route-method m
Which method m to use for adding routes on Windows?

adaptive (default) -- Try IP helper API first. If that fails, fall back to the route.exe shell command.
ipapi -- Use IP helper API.
exe -- Call the route.exe shell command.

Xentrk,

I tried all of this you mentioned and no change... :-(

The strange thing is when I set it to policy rules and set my iPhone to have access through the VPN, it goes through the local internet... if I change it from Policy Rules to Redirect All Traffic, then it goes through the VPN as well as everything else. I just don't get it...

 

[Xentrk]

Xentrk,

I tried all of this you mentioned and no change... :-(

The strange thing is when I set it to policy rules and set my iPhone to have access through the VPN, it goes through the local internet... if I change it from Policy Rules to Redirect All Traffic, then it goes through the VPN as well as everything else. I just don't get it...

I suggest the following. Sorry if this is redundant to some prior posts. Something appears to not be right with policy rules. Or perhaps the iPhone?

1. Pick two clients in your household, say a iPad and a Laptop. Obtain the MAC address of both. If the laptop is a windows client, you can get the MAC using the getmac command in a DOS prompt. Make sure it is the MAC for the adapter or method (wifi or eth) you will use to connect to the router.

2. In the LAN, DHCP Server screen, enter the two entries from above in the Manually Assigned IP around the DHCP list (Max Limit : 128) section and press apply when done.

3. In the Policy Rules section, have the router ip address as the first entry. Pick one of the clients to go thru the WAN and another to use the VPN tunnel:
Description Source IP Destination IP Iface
Router.........192.168.1.1.....0.0.0.0......WAN
Client1.........192.168.1.100....0.0.0.0...WAN
Clilent2.......192.168.1.101.....0.0.0.0...VPN

4. Set Accept DNS Configuration to Strict

5. In the custom config section, add these two lines (xxx’s is the IP address of StrongVPN DNS Servers);
dhcp-option DNS xxx.xxx.xxx.xxx
dhcp-option DNS xxx.xxx.xxx.xxx

6. Press Apply Button

7. Power off the router and the two clients. After a few minutes, power the router backup. Once it is up and running, power up the two clients. This is being done to make sure the clients and router release the prior mac addresses used.

8. Go to the Network Map page and validate the ip addresses listed for the two clients match what you used in the manual DHCP assignments.

9. Go to whatismyipaddress.com or ipleak.net for both devices to confirm you are or are not connect to the vpn or wan per the policy rules.

Troubleshooting:
Go to System Log. In the browser, search for openvpn. Does it look like the tunnel started correctly? Do you see messages about policy rules?

 

[CaptainSTX]

After testing and having no issues setting up StrongVPN the only thing I can suggest is to do a factory reset, download a fresh ovpn file for another server and start from scratch.