yorgi
Very Senior Member
*** There is a WebRTC bug that, when you are using a VPN, can reveal your real IP address.
Most VPN providers have not fixed this bug, so you may be vulnerable.
Please visit this site while you are connected to your VPN to make sure your VPN provider has fixed this issue:
https://ip.voidsec.com
*** I suggest that every time you update to new firmware you reset the OpenVPN client to Default, reboot the router, and enter the data again. Otherwise you may run into issues where the connection drops or other strange things happen.
I disabled Cipher Negotiation for PIA because it doesn't work.
Only the legacy cipher works, so it's not needed at the moment.
*** The only difference from the images below is a new field for certificates:
Keys and Certificates. Click Edit and copy/paste your certificates as indicated in the article.
Encryption Cipher has been renamed to Legacy/fallback cipher.
It is confirmed that PIA has not updated their servers for the new cipher.
I will update the article as soon as they make the changes to use the new cipher.
***** An OpenVPN 2.4 bug causes reconnection failures for PIA subscribers.
Add this directive to custom configurations as a temporary fix. If you are having similar problems and are not with PIA, you can try this fix as well.
pull-filter ignore "auth-token"
PART I
Here is a how-to guide, using the PIA VPN provider as an example, which will help you get your VPN client up and running with Merlin firmware.
I have updated this article to use PIA's new 1197 and 1198 ports with new certificates.
If you do not use PIA, read the section where I explain how to connect using other VPN providers.
Please read both sections of this article carefully.
In the images below I have set it to use Policy Rules (Strict). If you do not want to use Policy Rules and want all your traffic to go through the VPN, simply select "All" in the Redirect Internet traffic option. When you select "All", you are protected if the VPN goes down: the firewall automatically stops traffic until the VPN is re-established. The Redirect Internet traffic option is covered in the second part of the guide.
AES-128-CBC port 1198
AES-256-CBC port 1197
Custom configurations to use with PIA (AES-128 and AES-256).
In "custom configurations" I have added the following:
auth-nocache: this directive stops OpenVPN from caching the password; without it you may have a security issue.
mute-replay-warnings: this directive stops the same warning from appearing over and over in the system log.
*** Please take note that this directive was not mentioned in the previous article. You need to put
disable-occ in custom configurations for 1198 and 1197.
It is important to add this line; otherwise the following two warnings will occur:
WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1558', remote='link-mtu 1542'
WARNING: 'cipher' is used inconsistently, local='cipher AES-128-CBC', remote='cipher BF-CBC'
By putting disable-occ in custom configurations for ports 1197 and 1198 these warnings disappear.
pull-filter ignore "auth-token": this fixes the problem where the connection is not re-established after one day. This fix is only for PIA, but if you experience similar issues try using this directive.
pull-filter ignore "ifconfig-ipv6"
pull-filter ignore "route-ipv6"
Adding these two lines to custom configurations ensures that the VPN doesn't use IPv6 traffic.
***Certificates for PIA and other providers are discussed in the next section of this article.
UDP ports for PIA:
port 1194: This port uses Blowfish-CBC encryption with Auth digest SHA1.
No longer supported by PIA, but you are free to try it.
Speed: 30-35 mb/s
port 1195: For no encryption, set the encryption cipher to None and the Auth digest to None, and in custom configurations add auth none. This method is the fastest, giving full speed, but without encryption. Not very safe.
Speed: full bandwidth of your ISP
port 1197: For stronger encryption, use AES-256-CBC encryption with Auth digest SHA256. Speeds 20-30 mb/s
port 1198: Use the preferred encryption method, which is AES-128-CBC encryption with Auth digest SHA1.
This encryption method delivers the fastest speeds compared to the other methods.
Speeds 50-60 mb/s
**certificates are discussed in Part II of the guide
TCP Ports:
PIA also offers the TCP protocol on ports 501 (AES-256-CBC) and 502 (AES-128-CBC).
Configure the same as for UDP, except change UDP to TCP and use the new port numbers. The TCP protocol uses different certificates, which are found in Part II of this article.
Configuring a VPN client which is not from PIA:
*** Please refer to your VPN provider for encryption settings and ports.
If you don't use PIA as your VPN provider, the image above may not help you connect.
The easiest way to get your VPN client working quickly and painlessly is the following.
Every provider will supply a .ovpn file. Simply click the Browse button next to "Import .ovpn file", go to the location where you stored the .ovpn file, select it and then click Upload. The router will read all the information from the .ovpn file and configure the VPN client. Some VPN providers include the certificates in the .ovpn file, while others supply a separate .crt file. If the .ovpn file includes the certificates, you will see them copied into the "Content modification of Keys & Certificates" area; if not, you will have to copy and paste them there manually.
Almost all providers put different data in the custom configurations area, so do not be alarmed if the data is not the same as or similar to PIA's. The .ovpn file contains all the important information needed to auto-configure the VPN client.
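As an added example (not code from the original post or from the router firmware), here is a small Python script that reads an .ovpn file the way the import step does: it separates the plain directives from any inline certificate blocks, reports the endpoint, cipher and auth digest it found, and lists which of the custom-configuration directives recommended above for PIA (auth-nocache, mute-replay-warnings, disable-occ, the two IPv6 pull-filter lines) are missing. The sample .ovpn is constructed; its host name and certificate body are placeholders, not a real server or certificate.

```python
import re

# Custom-configuration directives the guide recommends for PIA (auth-nocache,
# mute-replay-warnings, disable-occ, and the two IPv6 pull-filters, which only
# ignore IPv6 settings pushed by the server, not IPv6 traffic outside the tunnel).
RECOMMENDED = ("auth-nocache", "mute-replay-warnings", "disable-occ",
               'pull-filter ignore "ifconfig-ipv6"', 'pull-filter ignore "route-ipv6"')
# Inline PEM blocks an .ovpn may carry instead of separate .crt/.key files.
INLINE_TAGS = ("ca", "cert", "key", "tls-auth", "tls-crypt", "crl-verify")


def parse_ovpn(text: str) -> tuple[dict, dict]:
    """Split an .ovpn into {directive: [args, ...]} and {tag: PEM body}."""
    inline = {}
    for tag in INLINE_TAGS:
        m = re.search(rf"<{tag}>\n(.*?)</{tag}>", text, re.S)
        if m:
            inline[tag] = m.group(1).strip()
    # Drop every inline block, then read the remaining lines as directives.
    body = re.sub(r"<(\w[\w-]*)>.*?</\1>", "", text, flags=re.S)
    directives = {}
    for raw in body.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):  # OpenVPN comment lines
            continue
        name, _, args = line.partition(" ")
        directives.setdefault(name, []).append(args.strip())
    return directives, inline


def summarize(text: str) -> dict:
    """Report endpoint, cipher/auth, inline CA presence and missing directives."""
    d, inline = parse_ovpn(text)
    remote = d.get("remote", [""])[0].split()
    present = {" ".join(filter(None, (k, v))) for k, vs in d.items() for v in vs}
    return {
        "host": remote[0] if remote else None,
        "port": remote[1] if len(remote) > 1 else d.get("port", ["1194"])[0],
        "cipher": d.get("cipher", [None])[0],
        "auth": d.get("auth", [None])[0],
        "inline_ca": "ca" in inline,
        "missing": [name for name in RECOMMENDED if name not in present],
    }


# Constructed sample .ovpn; the host name is a placeholder, not a real server.
SAMPLE = """remote vpn.example.net 1198
cipher aes-128-cbc
auth sha1
mute-replay-warnings
<ca>
-----BEGIN CERTIFICATE-----
CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-CERTIFICATE
-----END CERTIFICATE-----
</ca>
"""
```

Run summarize() on a provider's real .ovpn to see at a glance what the import will set and which of the directives above still need to be added by hand in custom configurations.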
The same example above will work with stock ASUS firmware:
import the client.ovpn into another ASUS router. It will automatically configure everything you need to connect to the VPN server, including certificates.
Simply go to the VPN client on your ASUS router, look for "Import .ovpn file", use the Browse button to find the client1.ovpn file, then click Upload.
That's it, you should be ready to connect. Turn the service state button to ON.
You can enable the "Start with WAN" option if you want the client to automatically connect to the VPN server when the router reboots.
My opinion on using stock ASUS firmware: once you have established a connection to the VPN server, if for some reason there is a glitch and the server drops the connection, you will leak DNS and your local ISP IP will show. There is no "drop connection" protection if the tunnel goes down. I strongly suggest using Merlin firmware if you want to use the router as a VPN client.
Auth digest: refer to your VPN provider, or leave it at the default if you are not sure.
For PIA use SHA1 for AES-128-CBC and SHA256 if you are using AES-256-CBC.
Accept DNS Configuration should be set to Exclusive.
Cipher Negotiation: refer to your VPN provider, or leave it at the default if you are not sure.
For PIA I have disabled it because it doesn't work.
Legacy/fallback cipher: For PIA use AES-128-CBC or AES-256-CBC, depending on the encryption you use with PIA.
Redirect Internet traffic:
Use "Policy Rules (Strict)" in "Redirect Internet traffic" for selective routing.
Enabling the Policy Rules feature gives you the freedom to route specific devices through the VPN and other devices through your local ISP. You can even have a device use the VPN but send specific addresses through the local ISP, or vice versa.
Please note:
When you are in a VPN tunnel the DNS is determined by the VPN, so if you redirect specific IP addresses to WAN (the local ISP), the DNS will still be that of the VPN and not the local ISP. This is also known as a DNS leak.
However, you can route FTP or SMTP, which do not use DNS, separately: you can set up all traffic to go to the VPN except FTP and SMTP, so you can get your email or access your FTP without it being routed via the VPN.
When you enable Policy Rules you get an extra option, "block traffic if VPN goes down".
This is one of the best features of Merlin firmware: when it's enabled, if for some reason the VPN server drops the connection, the router will suspend all traffic until the VPN client reconnects to the server. This way you won't leak your local IP address to the public.
I strongly recommend that you enable "block internet traffic if VPN goes down".
Please refer to the second part of this article for examples using Policy Rules.
If you do not want to use Policy Rules but want all your traffic to go via the VPN client, use the "All" option in the Redirect Internet traffic area; this exclusively uses the DNS of the VPN. You are still safe if the connection drops, as the firewall is programmed to automatically drop connections if the VPN client loses its connection.
Set compression to "LZO Adaptive". I used to disable compression, but I found that it is needed for best results.
Here is a good chart you can bookmark for ports, certificates and encryption methods from PIA. They recommend using ports 1198, 1197, 502 and 501 with AES encryption. You are free to explore other methods found in the link below. I will show examples using these methods in Part II of this guide.
https://helpdesk.privateinternetacc...ings-should-I-use-for-ports-on-your-gateways-
Part II follows: