ASUSWRT-Merlin is a custom (free) firmware built exclusively for ASUS/ASUSWRT routers. It adds a TON of functionality, especially in terms of running a VPN client or server on your router. This step-by-step tutorial will teach you how to setup an OpenVPN tunnel with ASUSWRT-Merlin.
We’ll even discuss advanced topics like customizing encryption strength, DNS leaks, and using policy rules to create a kill-switch.
If you prefer video, check out our YouTube tutorial.
VPN used in this tutorial:
This tutorial was done with IPVanish VPN. We chose them for two reasons:
- It’s awesome (and super fast). And currently you can save 25% on IPVanish!
- Their config files (like those of many VPN providers) don’t include the CA certificate file, so there’s an extra step involved. We wanted to make sure to show how this is done. Providers like NordVPN actually combine the .ovpn and CA file into one, making setup a bit easier. Don’t worry if you don’t understand these terms yet; we’ll cover it all in this guide.
Things you need for this tutorial:
There are a couple of prerequisites before starting this tutorial. You’ll need:
- An ASUS Router that comes with ASUSWRT firmware. We recommend the RT-AC68U, or one of these excellent alternatives.
- Merlin firmware installed on your router. If you haven’t done this yet, it’s really easy.
- VPN Subscription. We recommend IPVanish, Private Internet Access, ExpressVPN, NordVPN, or Torguard.
- The .ovpn/config files for your VPN provider. Check the support/help docs for your VPN, or just google ‘yourvpnname + openvpn config’ and you should find what you’re looking for.
#1 – Sign into your router control panel
To create a VPN connection you need to sign into your ASUSWRT-Merlin control panel. To access it, type the IP address of your router into the URL bar of your browser. By default, it will be 192.168.1.1 (unless you previously changed it to a different IP/subnet).
Ours happens to be set to 192.168.138.1
Enter your username/password. You may have set this previously when you first set up the router. Otherwise it will be the default combo of admin/admin.
Upon logging in, you should see the ‘Powered by Merlin’ logo, confirming that you’re using the ASUSWRT-Merlin build firmware.
#2 – Open the VPN Client settings
On the bottom left of the main screen, locate the ‘VPN’ section under ‘Advanced Settings’. Click that to bring up the VPN control panel.
Then click the tab at the top of the main screen that says OpenVPN Clients.
You’ll see the full OpenVPN settings screen. Merlin lets you configure up to 5 VPN client setups at once, and then you can switch between them simply by toggling them on/off. You’ll probably start with ‘Client 1’ if you haven’t set up one yet. We already have 2 configured, so we’re using ‘Client 3’ for this tutorial.
Now you’re ready to start setting up the VPN connection.
#3 – Configure the VPN connection
This is the main part of the guide, and it’s broken down into four parts:
- Import the .ovpn file
- Add the CA certificate (if necessary)
- Test the connection
- Advanced settings
Let’s get started!
Part 1: Import an .ovpn config file
The .ovpn config file is the basis of an OpenVPN connection. It’s really just a simple text file that specifies important parameters for your VPN connection, and includes things like:
- The address of the server you’re connecting to
- Port/Protocol used
- Encryption Algorithm/Mode (AES, Blowfish, etc…)
- Encryption strength (Usually 128-bit or 256-bit)
- Special parameters
The .ovpn config files are unique to each VPN provider, but should be the same for every subscriber. They don’t include any personal details like passwords or secret keys. Each server has its own config file, so make sure to choose the .ovpn file that corresponds to the VPN server location you want to connect to.
We chose to use a VPN server in Toronto, Canada. Specifically it was:
Upload the .ovpn file to the router
Under the ‘client control‘ section, look for the ‘Import .ovpn file’ line. Then click the ‘Choose File’ button.
Then navigate to the folder where you’ve saved the .ovpn config files. Choose the one you want and click ‘Open.’
Then, make sure to click the Upload button to actually transfer the file to your router.
Now if your .ovpn file doesn’t have a CA certificate file (and IPVanish’s doesn’t) you’ll likely get an error message like this…
And you’ll get a ‘Failed’ message in yellow next to the ‘Upload’ button. But if you look in the section below, you’ll notice that a bunch of settings have actually been imported from the .ovpn file. Now we just need to manually add the CA certificate file. If your provider embeds the CA in the .ovpn file and you didn’t get an error, just skip the next step and go to Part 3.
Part 2: Manually import the CA certificate
If your VPN provider has a separate certificate file (file extension .crt) we need to import that manually. It will usually be in the same zip file you downloaded with all the .ovpn configs.
Locate the .crt (Certificate Authority) file and open it with a text editor like notepad. You’ll see something like this…
You want to copy the entire text contents of the file, starting with ‘-----BEGIN CERTIFICATE-----’ all the way through ‘-----END CERTIFICATE-----’.
Then go back into your router control panel.
Still under the OpenVPN client settings, look for the Authorization Mode line. On the right side, click the yellow text that says: ‘Content Modification of Keys and Certificates’
In the section labelled ‘Certificate Authority’ paste the text that you copied from the .crt file.
Then just click Save and you should be done with this step.
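As an added example (not part of the original guide), here is a small Python script that does what Parts 1 and 2 describe: it reads the settings Merlin imports from an .ovpn file, tells whether the CA is embedded in the file or referenced as a separate .crt (the IPVanish case that triggers the ‘Failed’ message), and pulls exactly the BEGIN/END CERTIFICATE block out of a .crt so nothing else gets pasted into ‘Certificate Authority’. The sample config and certificate are constructed placeholders, not real provider files.

```python
import re
# Constructed sample .ovpn (IPVanish-style: the CA is a separate .crt file, not
# embedded). Hostname and CA file name are placeholders, not real values.
SAMPLE_OVPN = """\
client
dev tun
proto udp
remote tor-a01.example-vpn.net 443
ca ca.example-vpn.crt
auth-user-pass
auth SHA256
cipher AES-256-CBC
"""

# Constructed sample .crt as seen in Notepad; the body is a dummy, not a real cert.
SAMPLE_CRT = """\
Provider banner text that must NOT be pasted into the router
-----BEGIN CERTIFICATE-----
MIIDummyCertificateBodyLineNotARealCert
-----END CERTIFICATE-----
"""

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)
def parse_ovpn(text):
    """Settings Merlin imports from an .ovpn, and whether the CA is inline (<ca>) or a file."""
    cfg = {"dev": "tun", "proto": "udp", "remote": None, "port": None,
           "cipher": None, "auth": None, "ca_file": None,
           "ca_inline": "<ca>" in text and "</ca>" in text}
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0][0] in "#;<-":  # comments, <ca> tags, PEM lines
            continue
        key, args = parts[0], parts[1:]
        if key == "remote" and args:
            cfg["remote"] = args[0]
            cfg["port"] = int(args[1]) if len(args) > 1 else 1194  # OpenVPN default
        elif key == "proto" and args:
            cfg["proto"] = args[0].rstrip("46")  # udp4 / udp6 -> udp
        elif key in ("dev", "cipher", "auth") and args:
            cfg[key] = args[0]
        elif key == "ca" and args:
            cfg["ca_file"] = args[0]
    # Part 2 of the guide applies only when the CA is referenced by file, not embedded.
    cfg["needs_manual_ca"] = not cfg["ca_inline"] and cfg["ca_file"] is not None
    return cfg

def extract_pem(crt_text):
    """Exactly the BEGIN..END block to paste into 'Certificate Authority', or None."""
    return m.group(0) if (m := PEM_RE.search(crt_text)) else None
```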
Part 3: Test the connection
Here we’ll add your username/password for the VPN. You can also tweak certain settings (such as encryption algorithm) as long as your VPN supports multiple configurations on the same server.
The first thing we want to do is enter your Username/Password in the appropriate fields and test the connection.
Now test the connection by toggling the Service State to On.
Basically, as long as you have internet connectivity and your IP address is different than it was before, your VPN is set up and working. If either of these things isn’t true, skip ahead to our troubleshooting step.
Assuming things are working right, let’s dive deeper into the settings…
Part 4: Basic/Advanced Settings
ASUSWRT Merlin gives you really fine-grained control over your VPN connection. You can choose a specific encryption strength or algorithm (assuming your VPN supports multiple). You can also choose whether your VPN will authenticate incoming data (to prevent man-in-the-middle attacks), whether to use handshake encryption, etc. So here’s a closer look at what each of these settings means.
Feel free to tweak and try different things. If your VPN connection breaks, it means your provider (or that server) doesn’t support the configuration you’re trying.
Start On Wan: If you select ‘Yes’ your VPN connection will start every time the router boots up. If you prefer to manually turn on the VPN, set it to ‘No.’
Interface (Tun or Tap). For simplicity, you should always leave this as Tun unless your VPN config file specifies tap.
Protocol (UDP or TCP): This will be set by the imported .ovpn config file. UDP usually results in faster speeds and is recommended for most VPN uses.
Server Address and Port: This will be specified in the .ovpn config file. If you’re behind a vpn-blocking firewall, choose a config with TCP (protocol) and port 443.
Firewall: Leave this on Automatic.
Authorization Mode: This should be imported from the .ovpn file. It defines how the handshake (start of the VPN connection) is handled. It will almost always be TLS.
Username/Password Authentication: Make sure this is set to ‘Yes’ (assuming your VPN provider has a username/password).
Username/Password Auth Only: This setting should almost always be ‘No.’ Most VPNs will use a CA certificate for authentication of the client and server. Choosing ‘No’ allows you to import the .crt CA file as we did earlier in this guide.
Auth Digest: This is the hash algorithm used to authenticate that your incoming data packets were actually sent from the VPN server and not an attacker. This will usually be specified and imported from the .ovpn file. It will almost always be SHA1 or SHA256, with the latter being much more secure.
Global Log Verbosity: A number from 0-11 that specifies how much detail will be provided in the router logs related to the VPN connection. Higher = more detail. If trying to troubleshoot a connection that isn’t working properly, make this number higher.
Accept DNS Configuration: Choose whether to let the VPN server specify the DNS servers you use or whether to ignore them and pick your own. Most VPN providers have their own private DNS servers, so ‘Strict’ is a good setting. This is especially important if you’re using a VPN whose DNS servers are required to unblock sites like Netflix. NordVPN is a good example. If you still prefer to use your own, choose ‘Disable.’ For troubleshooting see Merlin DNS Leaks.
Cipher Negotiation: This setting is unique to ASUSWRT-Merlin (not in the stock ASUSWRT). It allows the server and client (router) to work together to choose the best possible encryption cipher from a number of available options. The recommended setting is Enabled (with fallback).
Negotiable Ciphers: This is the list of ciphers that the client and server support. If none of these ciphers work for both, then the fallback will be used.
Compression: Compression is a lossless technique to reduce the size of data before transmission. It makes your VPN connection faster and more efficient. The algorithm used will usually be specified in the .ovpn config file.
Redirect Internet Traffic (All, None, Policy rules): This setting lets you specify which connected devices will use the VPN tunnel. If you choose policy rules, you can specify certain devices (by IP or MAC address) that will (or won’t) use the VPN connection. You can also specify that certain websites (based on their IP address) will bypass the VPN.
Block routed clients if tunnel goes down: This is a built-in kill-switch option. If you choose yes, any client that is normally routed through the VPN will be denied internet access if the VPN tunnel goes down. It’s a useful fail-safe for security-critical VPN uses.
Test & Fix DNS Leaks
If you’re concerned about your internet provider snooping on your browsing history, or you want to access VPN-blocking services like Netflix and Hulu, you need to make sure VPN tunnel is using the correct DNS servers.
So we need to test for DNS leaks:
- Go to dnsleaktest.com
- Run the extended test
- You should see DNS servers (usually just 1) that belong to your VPN provider, and no other DNS servers such as Google’s or your ISP’s.
Results: If you see the wrong DNS, you are leaking DNS queries. The most common fix is the glitch mentioned below:
Important DNS Tip!
While recording our Youtube tutorial, I discovered a glitch in the way Merlin enforces DNS settings for VPN connections.
The issue: It appears that any DNS servers specified under LAN > DHCP > DNS can override your VPN’s DNS configuration, even when set to ‘Strict’ or ‘Exclusive’.
The fix: Delete the DNS servers from LAN > DHCP and set your VPN’s DNS configuration to ‘Exclusive’.
Recommended settings for top VPNs
I realize that this stuff can be intimidating and tricky for beginners. It’s kind of like a foreign language at first. So we tested Merlin with several of the world’s most popular VPN providers, and posted configurations that we found effective and secure.
If you find these useful, please take a second and share this site with your friends. We’d really appreciate it.
NordVPN ASUSWRT-Merlin Settings
Important: Manual configurations like ASUSWRT-Merlin use a different login/password than the NordVPN software. You have to get this from your account panel.
- Get the ‘manual configuration’ credentials from your NordVPN portal
- Download a server config from the Config list
- Import the config to the router (and upload)
- Enter login/password from step 1
- Set DNS to ‘Exclusive’ for Netflix & Streaming
Private Internet Access Settings
- To get the config files: go to PIA’s Config Generator (login required).
- Servers: Nextgen
- OpenVPN Version: 2.4 and newer (supported by Merlin)
- Platform: Linux (confirmed working)
- Port: UDP/1198 will be the best for most users (fast & secure)
ASUSWRT-Merlin setup for Torguard VPN
Torguard now has an awesome new .ovpn config generator that will spit out custom config files for any device, including ASUS routers. Simply specify your preferred encryption/authentication settings and it will generate configs for whatever server location you want. Then just upload the .ovpn file to ASUSWRT-Merlin, enter your username/password, and you’re all set.
Setting up the VPN client is just a fraction of what the Merlin firmware is capable of. Here are some more advanced options you might be interested in:
- Set up a kill-switch and policy-based routing
- Enable the Download Master torrent client
- Get started with custom scripts
If you have any questions, tips or suggestions please let us know in the comments!