For bypassing country/university censorship blocks, there are some options that I've been able to implement on my Asus router, but not directly within the Merlin firmware. I don't know of any "VPN" solutions that work, so you will want to use an encrypted proxy with obfuscation.
V2Ray (
https://www.v2ray.com/en/) solutions are probably the most robust, with many different sub-flavors. The learning curve can be a little high, and would require finding pre-built binaries, or compiling them yourself. Some of the most popular options to use V2Ray are via VMess and VLESS. there is also Xray/XTLS (
https://github.com/XTLS/Xray-core), but I haven't tried this myself yet.
Shadowsocks was the golden child for a hot minute, but is only applicable today if also using the V2Ray plugin with a websocket, and setting up an nginx reverse proxy on port 443. This method ensures that active probes will not flag the endpoint as there would be some sort of legitimate web site there, along with making the SSL handshake respond exactly as an https endpoint would, tricking DPI (Deep Packet Inspection). You can go a step further and bounce this endpoint thru Cloudflare, so if the IP gets blocked, you can just change it. This has worked for me, tested in China, but that was just over 4 years ago.
Some downsides to V2Ray-based solutions is that you have TCP-only. UDP connections are separate, and the V2Ray obfuscation is easily detected on UDP. (Solutions to this are to setup OpenVPN or Wireguard on TCP, then tunnel the VPN connection over the Shadowsocks/Vless/VMESS TCP port. This however is difficult if some clients are phones/tablets.)
The only real somewhat built-in solution is to use "trojan", which is easiy installed via Entware (opkg install trojan). This version does not have websocket capabilities, so it
may be detected more easily. However, the "trojan-go" version has binaries at
https://github.com/p4gefau1t/trojan-go/releases that include websocket configurations. (I use the armv7 binary on my RT-AX86u with success.) If truly trying to bypass censorship and need plausible deniability, I'd suggest this route. Annnnd, trojan/trojan-go supports UDP over TCP, allowing gaming/VOIP/etc over the TCP tunnel. Most documentation for these solutions are in Chinese, so Google Translate is your friend.
Now as far as clients, trojan-go has binaries for Windows/Mac, and will work on the client side even if the server side is Entware's trojan. (Just don't configure a websocket.) I know some apps exist on Android, but not sure which are good. On iOS, the Shadowrocket app (
https://apps.apple.com/us/app/shadowrocket/id932747118) is fantastic, and worth every penny of that $2.99 USD. It essentially installs itself as a VPN profile, and will redirect all TCP/UDP exactly as a VPN would, but all on layer 7. Shadorocket works with all that I've mentioned here (Shadowsocks, VLess, VMESS, XTLS, etc).
If interested, I could post a step-by-step of installing and configuring trojan on the Asus, but don't have time just at the moment. LMK and I can make some time this weekend to do so.
