Problem setting up Nordvpn on asus RT-ac86u merlin [Noob]

[Robson]

Tried setting up Nordvpn on my roter using this guide https://support.nordvpn.com/Connectivity/Router/1047410642/AsusWRT-Merlin-setup-with-NordVPN.htm
It works for a while and then suddenly I lose internet.
If I set "connect to dns server automatically" to yes usually internet comes back but I lose my VPN.
Could someone take a look on my setting and let me know if anything is wrong from there?

Thanks

 

[Viktor Jaep]

Tried setting up Nordvpn on my roter using this guide https://support.nordvpn.com/Connectivity/Router/1047410642/AsusWRT-Merlin-setup-with-NordVPN.htm
It works for a while and then suddenly I lose internet.
If I set "connect to dns server automatically" to yes usually internet comes back but I lose my VPN.
Could someone take a look on my setting and let me know if anything is wrong from there?

Thanks

You may want to change your "Connection Retry Attempts" from 15 to 0 (infinite). Perhaps it's giving up after 15 chances. Also, what do you have under your "custom configuration" settings? I've provided some screenshots of my setup under this thread:

VPNMON - VPNMON-R2 v2.0 -Jul 10, 2022- Monitor your VPN connection's Health (Thread locked/closed)

v2.0 - Now with even more SuperRandom(tm) goodness!! Updated July 10 2022 Executive Summary: VPNMON-R2 v2.0 (VPNMON-R2.SH) is an all-in-one script that works for any VPN service of your choice, but is optimized for NordVPN, SurfShark VPN and Perfect Privacy VPN services. It can also compliment...

www.snbforums.com

 

[ColinTaylor]

Don't use the NordVPN DNS servers on your WAN settings. Use your "normal" DNS server selection, e.g. your ISP's servers or something like 9.9.9.9.

 

[Robson]

You may want to change your "Connection Retry Attempts" from 15 to 0 (infinite). Perhaps it's giving up after 15 chances. Also, what do you have under your "custom configuration" settings? I've provided some screenshots of my setup under this thread:

VPNMON - VPNMON-R2 v2.0 -Jul 10, 2022- Monitor your VPN connection's Health (Thread locked/closed)

v2.0 - Now with even more SuperRandom(tm) goodness!! Updated July 10 2022 Executive Summary: VPNMON-R2 v2.0 (VPNMON-R2.SH) is an all-in-one script that works for any VPN service of your choice, but is optimized for NordVPN, SurfShark VPN and Perfect Privacy VPN services. It can also compliment...

www.snbforums.com

Thanks I will try it! I´ll take a look at your thread first thing tomorrow. getting late here

this is my c.c :

remote-cert-tls server
remote-random
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ping-timer-rem
reneg-sec 3600

#log /tmp/vpn.log

 

[Robson]

Don't use the NordVPN DNS servers on your WAN settings. Use your "normal" DNS server selection, e.g. your ISP's servers or something like 9.9.9.9.

Thanks for your reply
I changed dns to cloudfare 1.1.1.1 and 1.0.0.1
going to give it a try

 

[Viktor Jaep]

Thanks I will try it! I´ll take a look at your thread first thing tomorrow. getting late here

this is my c.c :

remote-cert-tls server
remote-random
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ping-timer-rem
reneg-sec 3600

#log /tmp/vpn.log

Give this one a shot... it does seem to help with speed and stability:

remote-random
resolv-retry infinite
remote-cert-tls server
ping 15
ping-restart 0
ping-timer-rem
persist-key
persist-tun
reneg-sec 0
fast-io
disable-occ
mute-replay-warnings
auth-nocache
sndbuf 524288
rcvbuf 524288
push "sndbuf 524288"
push "rcvbuf 524288"
pull-filter ignore "auth-token"
pull-filter ignore "ifconfig-ipv6"
pull-filter ignore "route-ipv6"
explicit-exit-notify 3
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450

 

[Robson]

Give this one a shot... it does seem to help with speed and stability:

remote-random
resolv-retry infinite
remote-cert-tls server
ping 15
ping-restart 0
ping-timer-rem
persist-key
persist-tun
reneg-sec 0
fast-io
disable-occ
mute-replay-warnings
auth-nocache
sndbuf 524288
rcvbuf 524288
push "sndbuf 524288"
push "rcvbuf 524288"
pull-filter ignore "auth-token"
pull-filter ignore "ifconfig-ipv6"
pull-filter ignore "route-ipv6"
explicit-exit-notify 3
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450

I´ve been using your custom code for a couple of hours now. So far so good !
I´ll report back in a couple days and let you know how it went/goes.
Thanks for taking the time helping me out!

 

[Viktor Jaep]

I´ve been using your custom code for a couple of hours now. So far so good !
I´ll report back in a couple days and let you know how it went/goes.
Thanks for taking the time helping me out!

Absolutely... I think @ColinTaylor's suggestion was probably the fix, but every little tweak helps in the overall scheme of things.

 

[NB_8]

Don't use the NordVPN DNS servers on your WAN settings. Use your "normal" DNS server selection, e.g. your ISP's servers or something like 9.9.9.9.

Would you mind sharing your reasoning regarding this?

 

[Viktor Jaep]

Would you mind sharing your reasoning regarding this?

Many times, VPN providers' DNS servers are meant to be accessed only while connected through their VPN, and may not even be usable or visible to the general public. So if you reference them in your WAN connection, you're basically making a public connection to them without accessing them through an encrypted tunnel, and may not be usable... thus breaking your ability to resolve anything, and hobbling your ability to function across the WAN.

 

[ColinTaylor]

Would you mind sharing your reasoning regarding this?

In addition to @Viktor Jaep's post, the OP was using policy rules to redirect only one device through the VPN. The VPN provider instructions assume all devices are going through the VPN and the customer wants all these devices to use their DNS servers.

 

[Dimmie]

Do not use 386.7_2 or 386.7, it will not work stable with nordvpn. Esspecially the dns is buggy when using VPN (stops working). Use 386.5_2 on the ac86u and the also the dns servers of nordvpn will just work fine.

 

[RMerlin]

Do not use 386.7_2 or 386.7, it will not work stable with nordvpn. Esspecially the dns is buggy when using VPN (stops working). Use 386.5_2 on the ac86u and the also the dns servers of nordvpn will just work fine.

I use NordVPN for my tests. I had a NordVPN tunnel running non-stop for multiple weeks on my RT-AC68U without any connectivity issue.

 

[Viktor Jaep]

Do not use 386.7_2 or 386.7, it will not work stable with nordvpn. Esspecially the dns is buggy when using VPN (stops working). Use 386.5_2 on the ac86u and the also the dns servers of nordvpn will just work fine.

Agreeing completely with @RMerlin ... I've been running NordVPN non-stop on both 386.7 and 386.7_2 (and waaaayyyy before these versions)... zero issues with the firmware, or with dns. I'm not sure what @Dimmie is referring to, but feel free to ignore this advice completely. He is most likely experiencing issues due to vpn client configuration problems or custom vpn config options. <sigh>

 

[Dimmie]

Not

...but feel free to ignore this advice completely...

Too bad that I was not taken seriously. That you don't experience problems doesn't say the problem is not present.

Anyway another update: With 386.9_beta1 all problems are gone. Tested on 1x ac68u, 1x ac86u, and 2x ac2900. Different locations. So on 4 different devices/4 different locations this problem is present with 386.7 and 386.7_2. Since 389.0 is just released I will test that one also but I don't expect any issues anymore since 386.9_beta1 runs very stable.

For the record: I also run NordVPN for long time and also way before the 386.7 versions. Config exactly as recommended by NordVPN itself.

PS: According to the config you gave to Robson, NordVPN recommends to force 'cipher AES-256-CBC' but I do not see it in your config....

 

[Viktor Jaep]

Too bad that I was not taken seriously. That you don't experience problems doesn't say the problem is not present.

I think the fact that you made a blanket recommendation that nobody use 386.7_2 when it clearly has been working for everyone else here with Nordvpn. No dns issues either. Instead of downplaying a firmware that works for everyone else, the correct approach would have been diving a little more into your settings and config to figure out your issue.

PS: According to the config you gave to Robson, NordVPN recommends to force 'cipher AES-256-CBC' but I do not see it in your config....

I believe all that info is already included in the .config file you download from Nordvpn, because that how it's configured by default. You don't need to specify this in the custom config section.

 

[Dimmie]

According to technical guys from NordVPN you should put 'cipher AES-256-CBC' in the custom field when using Merlin. If they give wrong info please tell them.

 

[L&LD]

389 Beta 1???

 

[Viktor Jaep]

According to technical guys from NordVPN you should put 'cipher AES-256-CBC' in the custom field when using Merlin. If they give wrong info please tell them.

Out of the box by default, mine seems to settle on AES-256-GCM... Based on what I'm reading below, it's better to use GCM than CBC.

Jan  6 15:52:37 ovpn-client5[7114]: VERIFY OK: depth=0, CN=us2951.nordvpn.com
Jan  6 15:52:37 ovpn-client5[7114]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jan  6 15:52:37 ovpn-client5[7114]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jan  6 15:52:37 ovpn-client5[7114]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 4096 bit RSA, signature: RSA-SHA512

AES-CBC vs AES-GCM​

Until fairly recently, AES was usually used in cipher block chaining (CBC) mode, where each block of plaintext is XORed with the previous ciphertext block before being encrypted. When used in CBC mode, a HMAC hashing algorithm such as HMAC-SHA256 is required to verify the data.

It is increasingly common, however, to see AES used in Galois/counter (GCM) mode, which uses the counter mode of encryption. The main advantage of this is that it uses the Galois field to verify data without the need for an outside algorithm. It is therefore more efficient than using a separate authentication algorithm that can have a high computational overhead.

Although AES-CBC with HMAC authentication is generally considered secure, CBC is potentially vulnerable to padding attacks, such as POODLE. GCM is not. Proton VPN uses AES-GCM in our OpenVPN encryption suite.


Even NordVPN Support recommends AES-256-GCM:

1. OpenVPN

OpenVPN is a mature and robust piece of open-source software that enables us to provide a reliable and secure VPN service. It is a versatile VPN protocol that can be used on both TCP and UDP ports. OpenVPN supports a great number of strong encryption algorithms and ciphers: to ensure the protection of your data, we use AES-256-GCM with a 4096-bit DH key. If you are conscious about your security and are wondering what the most stable NordVPN protocol is, we recommend OpenVPN.

Which NordVPN protocol should I choose

NordVPN supports a number of security encryption protocols to provide a VPN service. The security levels and purposes of these VPN protocols are different, but so are our customers’ needs. We encou...

support.nordvpn.com