How to set up OpenVPN client on Asus routers with ASUSWRT

Asus’s higher-end router models are some of the only consumer routers in the marketplace with built-in OpenVPN support. ASUSWRT (Asus’s custom router firmware) has native support for OpenVPN in both client and server mode.

This tutorial will show you how to configure your ASUS router to run as an OpenVPN client, which will set up a permanent VPN tunnel from the router.

This setup allows you to connect an unlimited number of devices to the same VPN connection.

This is perfect for devices that don’t have built-in VPN support such as:

  • AppleTV
  • FireTV
  • Xbox (Xbox 360 & Xbox One)
  • Playstation (PS3/PS4)
  • Chromecast
  • Roku

When you use our recommended Dual-Router VPN setup, it makes initiating a VPN connection as easy as switching wireless networks, allowing all of your computers and devices quick, secure access to VPN encryption.

ASUSWRT also supports the PPTP and L2TP VPN protocols, but OpenVPN is much more secure/flexible, and is definitely the recommended protocol.

RELATED: OpenVPN vs. L2TP/IPsec vs. PPTP

Supported Routers

This tutorial will work for any ASUS router that comes with ASUSWRT firmware. Here is the current list of supported routers:

  • RT-N66U
  • RT-AC56U
  • RT-AC66U
  • RT-AC68U
  • RT-AC68P
  • RT-AC87U
  • RT-AC3200
  • RT-AC88U
  • RT-AC3100
  • RT-AC5300

What you need for this tutorial:

  1. A router running ASUSWRT (list in the previous section)
  2. An active VPN subscription to a provider with ASUSWRT-compatible OpenVPN configs
  3. The OpenVPN configuration (.ovpn) and files from your VPN service
  4. The Certificate Authority .crt file from your provider (some providers embed the certificate in the .ovpn file. We’ll go into more detail in the step-by-step instructions).

Almost all VPN providers will make their .ovpn files for all servers easily downloadable from either their knowledgebase/tech support pages, or from inside your account panel. If you aren’t sure where to find them, just ask live chat or submit a support ticket.

Which VPNs are compatible with ASUSWRT?

Most (but not all) VPN providers are currently capable with ASUSWRT. The reason being, that ASUSWRT firmware doesn’t support any advanced VPN configuration options beyond importing an OpenVPN config (.ovpn) file. Some VPN providers config files require the ability to add custom instructions to the routers’ openVPN client.

Don’t worry, if your VPN provider doesn’t natively support ASUSWRT, you have 4 options:

  1. Ask them to create a custom .ovpn file for you (most VPNs will probably do it if they are able)
  2. Install ASUSWRT-MERLIN firmware on your router (which allows advanced OpenVPN configurations).
  3. Flash the Tomato-shibby or DD-WRT firmware on your router (advanced users).
  4. Edit the .ovpn file yourself to include the advanced configuration options

A non-exhaustive list of compatible VPNs

This list includes only VPNs that I have personally tested an confirmed to be working with ASUSWRT. If your VPN is not on the list, it may well still work with an ASUSWRT router. My best advice is to contact your provider for support if you’re having difficulties.

VPNs confirmed to work with ASUSWRT routers:

  • Private Internet Access
  • Proxy.sh (using iOS/Android configs. Not windows configs)
  • Torguard (they provide custom ASUSWRT configs)
  • IPVanish (requires manually importing CA file after uploading .ovpn)
  • Hidemyass
  • VPN.ac

If you’ve gotten other providers to work, please let me know in the comments and I’ll add them to the list. Thanks!

Video Tutorial

Here’s the video setup guide. You can also use the text walk-thru in the remainder of the article.

How to access ASUSWRT OpenVPN client settings:

  1. Log in to your asus router control panel by typing the router IP address into your URL bar of your web browser. Since I’m using a dual-router setup, I changed my router to 192.168.2.1 but yours may be different. The default IP for Asus routers is 192.168.1.1
Asus router login screen
Login to your ASUS router admin panel

2. Under the advanced settings tab on the left side, go to ‘VPN’ (shown below)

3. Then click on the ‘VPN Client’ tab (shown below)

Go to ASUSWRT VPN Settings
Go to ‘VPN’ settings then ‘VPN Client’

You should now be at the VPN Client screen, which should look something like the image below. You can click the ‘Add Profile’ button to create a new VPN connection.

Asus VPN Client settings
Click ‘Add Profile’ to create a new VPN profile

Set up the OpenVPN connection

Now we’re ready to create a new OpenVPN profile for your router. You’ll need 3 pieces of information from your VPN provider:

  1. Your VPN Login/Password
  2. The .ovpn config file of the server location you want to use
  3. Your CA certificate file (some VPNs include the CA in your .ovpn file, others provide a separate .crt file)

Some info about .ovpn and CA certificates

Fortunately, ASUSWRT allows you to manually import the certificate file if your VPN provider doesn’t include it in your .ovpn files. When we setup the connection, ASUSWRT will actually warn you if the .ovpn file does not contain a CA, but we can also check in advance by opening your .ovpn file with a simple text editor like notepad.

If your .ovpn file does have a CA embedded, it will include something that looks like this:

<ca>
—–BEGIN CERTIFICATE—–
MIIDljCCAv+gAwIBAgIJANMiwLWxktowMA0GCSqGSIb3DQEBBQUAMIGPMQswCQYD
VQQGEwJSTzEMMAoGA1UECBMDQlVDMRIwEAYDVQQHEwlCdWNoYXJlc3QxDzANBgNV
BAoTBlZQTi5BQzEPMA0GA1UECxMGVlBOLkFDMQ8wDQYDVQQDEwZWUE4uQUMxDzAN
BgNVBCkTBlZQTi5BQzEaMBgGCSqGSIb3DQEJARYLaW5mb0B2cG4uYWMwHhcNMTIx
MTI2MTI0NDMzWhcNMjIxMTI0MTI0NDMzWjCBjzELMAkGA1UEBhMCUk8xDDAKBgNV
BAgTA0JVQzESMBAGA1UEBxMJQnVjaGFyZXN0MQ8wDQYDVQQKEwZWUE4uQUMxDzAN
BgNVBAsTBlZQTi5BQzEPMA0GA1UEAxMGVlBOLkFDMQ8wDQYDVQQpEwZWUE4uQUMx
GjAYBgkqhkiG9w0BCQEWC2luZm9AdnBuLmFjMIGfMA0GCSqGSIb3DQEBAQUAA4GN
qRI4JvSeZc4/ww==
—–END CERTIFICATE—–
</ca>

If not, it will be a much shorter config file (and won’t contain the ‘—-BEGIN CERTIFICATE—-‘ or ‘—-END CERTIFICATE—-‘ lines. Below is a full .ovpn file from IPVanish:

IPVanish ovpn config file
IPVanish .ovpn file (Chicago server)

Step #1 – Create your OpenVPN profile

Click the ‘Add profile’ button to create a new VPN profile.

add profile button
Click ‘Add Profile’

Select the ‘OpenVPN’ tab from the window that pops up.

OpenVPN profile
OpenVPN profile dialog

Add a description of the profile. This will be the name that shows up in your list of available VPN connections. I like to use the following formula:

VPN name + server location

For this tutorial I’m using IPVanish’s Texas server so I’ll call it ‘IPVanish Texas’. Simple.

Also add your VPN username/password.

OpenVPN setup
Add a profile name and your Username/Password

Step #2 – Import the .ovpn file

Click the ‘Browse…’ button to locate your .ovpn file.

Click 'Browse...' to locate .ovpn file
Click ‘Browse…’ to locate .ovpn file

Then find the directory where you saved it double click to open it in ASUSWRT.

.ovpn file
Open the .ovpn file

Click ‘Upload’ to send the .ovpn file to your router.

Upload .ovpn file to router
Upload the .ovpn to router

You should now get a message saying ‘Upload Complete’. If it also says ‘Lack of certificate authority’ (meaning your .ovpn file doesn’t contain a certificate) then proceed to the next step to add one manually.

Message will indicate a successful upload (and tell you if you need to manually import a CA file)
Message will indicate a successful upload (and tell you if you need to manually import a CA file)

Step #3 – Add a CA client certificate (Optional)

This step is only required if your .ovpn file doesn’t contain a certificate already. You can either upload the .crt file to the router(provided by your VPN provider) or just copy and paste the certificate text (usually found in a how-to guide on your VPN’s website).

To import your CA file, follow these steps:

  1. Check the box ‘Import the CA file or edit the .ovpn file manually’
  2. Click ‘Browse…’ to locate your .crt file you downloaded from your provider
  3. Click ‘Upload’ to send it to the router.
Import CA certificate
Manually import your CA (.crt) file if necessary
CA certificate uploaded to router
.crt file successfully uploaded

So now our .crt file is successfully uploaded to the router. All that’s left to do is click ‘OK’ to save your profile. Now we can test the setup to make sure it’s working.

Step #4 – Test the VPN setup

Click the ‘Activate’ button to test your new VPN connection.

Click 'activate' to test vpn
Click ‘Activate’ to connect to the VPN

If the connection is successful, you’ll get a blue checkmark in the ‘Connection Status’ column like this:

Successful VPN connection
Successful connection. Your router traffic is now encrypted.

Step #5 – Troubleshooting

If you get an ‘X’ instead of a checkmark, it means your settings are incorrect. Redo the setup and double-check that your username, password, and .crt file are all correct.

If all else fails, check your router’s log. Most .ovpn files will tell the router to log the VPN connection process to the primary router log for troubleshooting purposes. You can then share the log file with your VPN’s tech support team and they can help you troubleshoot the issue.

To access your router’s logs, go to: Advanced settings > System Log > general log

Router VPN logs
Sample router logs for the VPN connection

Wrapup and resources

Thanks for checking out this tutorial. Hopefully if you’ve made it this far, you’ve got yourself a fully functional VPN router.

Make sure to leave any questions or tips in the comment section, we go through and respond as often as possible.

Be well, and stay encrypted!

 

147 thoughts on “How to set up OpenVPN client on Asus routers with ASUSWRT”

  1. Please note that private Internet access does not supply .ovpn files. That was the reason I did not use them.

    However, to be sure I checked again and mailed them again:

    “Jul 26, 07:40 PDT

    Do you supply .ovpn files for setting up an Asus router as a VPN client?”

    I got this answer:

    “Almost any router with VPN capability could work with our service. However, we only offer ready VPN setup guides for routers using specific router firmware. Here is a list of routers compatible with each of the currently supported firmware types:

    DD-WRT

    Tomato

    Pfsense –

    ( actual links removed because they gave spam indication when submitting)

    The directions for router based VPN setups for these firmware can be found on this page ( removed Link)

    In all likelihood, you will need to install (“flash”) such custom router firmware onto your router. Please note that router flashing falls outside our support scope, and doing so would be at your own discretion and liability.

    It may be possible to configure VPN use on stock or other firmware, provided it has VPN configuration options, but we would not have a ready guide for its use. You could try to find help with such a setup on the PIA forum:

    ( removed Link)

    Regards

    Trevor F.
    Technical Support Specialist
    Private Internet Access™”

    Reply
    • Stefan,

      PIA definitely has .ovpn files available. I think what the tech rep was saying is they don’t have specific setup tutorials for ASUSWRT or dedicated .ovpn files specifically for ASUSWRT.

      However, the ‘default’ .ovpn files provided by private internet access on their support page work flawlessly with the setup described in our tutorial. I have used PIA on my router successfully for over a year, and I’ve verified both the VPN connection as well as proper encryption.

      Here’s the link to their support page to download the files: https://www.privateinternetaccess.com/pages/client-support/

      And the direct .ovpn download link: https://www.privateinternetaccess.com/openvpn/openvpn.zip

      Reply
  2. Nice guide, thank you!

    I have 2 ASUS RT-AC88U routers; one for VPN and the other non-VPN. Ideally, I would like to just have one router, but use the guest WiFi network for VPN purposes, so I could just switch between WiFi networks when I want to connect to the internet via VPN or non-VPN.

    Is this possible? Can I route internet traffic this way?

    Thanks!

    Reply
    • That’s a good question. On the stock ASUS firmware I don’t think it’s possible, however if you were to upgrade to ASUSWRT-Merlin (which is basically an ASUS-specific version of Tomato’s router firmware) I think you might be able to achieve this with some advanced routing/ip-tables tweaking.

      Unfortunately, that level of networking sophistication is beyond my ability. Perhaps an IT pro will weigh in on the topic eventually. A good place to get a real answer would be stackexchange. If you do get a better answer, I’d be thrilled if you stop back and let me know how it works, and we’ll do our best to turn it into a tutorial. That would be a really useful trick.

      For the record, I currently use a 2-router setup (though my ISP requires me to use their router as my primary, so I couldn’t drop it to one even if I wanted to).

      Reply
        • First off, I want to point out that these scrips (and the entire wiki) are devoted to ASUSWRT-merlin which is an unofficial (but excellent) third-party firmware designed to work natively with all ASUSWRT routers. These scrips won’t work with the stock firmware, you must upgrade to merlin. ASUSWRT-merlin is basically TomatoUSB firmware ported specifically for ASUS routers, and the functionality is virtually identical.

          The wiki you found seems like a phenomenal resource, and it appears they have tons of plug and play scripts. However, the specific article you reference actually has a note at the start stating: “This WIKI is not complete. If you understand the script and would like to use it, feel free…” The script is also over my head as well, however it’s worth a shot trying to get it to work if having separate VPN routing on the same router is very important to you.

          I also think you much be able to achieve the same effect easier by using policy-based routing: https://github.com/RMerl/asuswrt-merlin/wiki/Policy-based-routing, and simply route all traffic from your Guest SSID to the WAN and all traffic from your Primary SSID to the VPN. The wiki article doesn’t have a specific example for this use-case, but I bet with some trial and error and googling you can figure it out.

          Reply
          • Hello,
            If you already have 2 routers, isn’t the obvious solution to run your WAN into “Router A” (non-VPN), use it normally, then connect your “Router B” as a client of Router A, and install the VPN client on Router B? Connecting to Router A’s SSID should then put you ‘in front of’ the router running the VPN and be an open connection, whereas connecting to Router B’s SSID would always be a VPN connection.

  3. I was successfully able to reach to the last step and I do get the green check mark, however none of my devices are able to access internet if I leave the openVPN activated. Not sure what is going on, I have to deactivate and then only my android phone and fire stick will be connected to internet. Any thoughts on that?

    Reply
    • Found out what the issue was, basically whenever the openVPN was active, it would change the route settings and hence there were 3 routes with the interface (iface) tunX. So I had to remove those routes and once I did that, everything is working smoothly.

      Reply
  4. Hello,

    This information is extremely helpful. I have found documentation on VPN providers websites that support ASUSWRT for both ExpressVPN and NordVPN, specifically for the ASUS models. However I have received zero helpful information from IPVanish, and limited helpful information from Private Internet Access. How would I know which files I need to download and install if they absolutely offer no support regarding my needs? Any ideas?

    The response from IPVanish is as follows.

    Hello

    For routers we only support DD-WRT and Tomato configuration. We cannot answer any of your questions if they do not pertain to any of this firmware.

    We have .ovpn files and .crt files available but we only use them for manual OpenVPN configuration for Windows and Mac. We do not support router configuration using our OpenVPN and certificate files.

    We do not offer killswitch.
    Regards,

    IPVanish Support

    Reply
    • IPVanish only has one set of OpenVPN config files available for download, but they should work just fine for any device that is openVPN compatible. The configs can be found here: https://www.ipvanish.com/software/configs/.

      Don’t worry if IPVanish support told you they only support DDWRT or Tomato. ASUSWRT works perfectly with almost any OpenVPN compatible VPN. I haven’t yet come across a provider that isn’t compatible. One quirk about IPVanish is if you disconnect and reconnect to the connection using your router control panel, it will often generate a routing error. This is a known issue on IPVanish’s side. It’s more of an annoyance than an actually security risk and your connection will still work correctly even if you get that message (but it’s good to verify your IP and location has changed by using a tool like ipleak.net iplocation.com.

      Routers don’t have native support for advanced features like a VPN kill-switch, however you can ‘roll-your-own’ kill switch if you have some technical know-how and are willing to upgrade to a third-party firmware like TomatoUSB or ASUSWRT-Merlin. In the future this site will have some Merlin DIY tutorials, but honestly that’s a ways off.

      Reply
      • Hi, I have set up IPVanish on my DSL-AC68U according to your instructions above however I am unable to get to any websites once I activate the vpn. I get the blue tick to say the connection is up but no websites will come up. Any ideas?

        Reply
        • Which set of .ovpn files are you using for IPVanish? I think they recently upgrade their configs, making all previous files useless.

          Reply
          • I have the same issues and I have the latest version from the ipvanish website.
            VPN is connected and activated however all internet access is lost.

            I was reading the HMA and i see that they say to enter their dns settings under your WAN settings. I have not tried this yet but will do soon.

        • I found a fix for this.

          Under you WAN settings, select NO for Connect to DNS Server automatically?

          Use googles DNS servers as listed below;

          DNS Server 1 = 8.8.8.8
          DNS Server 2 = 8.8.4.4

          You should now be able to browse the internet.
          There are other public DNS servers but I chose googles as the ping to them is some of the lowest found.

          Regards,

          Dean

          Reply
          • Fantastic! Thank you Dean this has fixed it!

            Many thanks for your time in responding.

            Regards,

            Brian

          • Hi, I did the fix you posted above and am still not able to get anything to load. I keep getting a notification that the WAN IP is not the external IP so no external IP services will work. Any ideas?

          • This sounds like a router setup issue, not a VPN issue. Try the following…
            1. Set your WAN ip to ‘automatic ip’
            2. Make sure DHCP is enabled
            3. Make sure WAN status shows ‘connected’ in the Network map tab

            If there is a firmware update available, make sure to update. And it’s a good idea to restart your router after changing these settings regardless.

          • Thanks for the reply, everything is up to date including the most recent config files. I have everything above enabled and when I go to a page I get the following message:

            site can’t be reached
            DNS_PROBE_FINISHED_BAD_CONFIG

          • Thank you Dean. been 2 days figuring it out. I have a ASUS RT-AC68U and just ipvanish and activated the openvpn client ok (blue check mark) but would receive ‘… DNS address could not be found. … DNS_PROBE_FINISHED_BAD_CONFIG’. Changing the DNS servers under the WAN settings to the google servers fixed the problem. Curious as to how you figured that out. Thanks again so much!

          • Hi Jarjar,

            I had the same issues as you all did here. I could see that there wan an active internet connection however nothing was being resolved.

            If you typed an IP address of a website into your browser, you could browse to the site however when using the domain name, the domain name was not resolving to an IP.

            I initially tried entering my ISP’s DNS servers to force them to resolve however that failed so I then tried Googles and they worked. I tried some other from OpenDNS too and they worked as well however doing a speed test between the few that I tried, Googles proved to have the lowest ping.

            From what I understand, after doing some testing on the IPVanish Windows client, it uses Googles DNS server anyway.

            I am glad that this has helped so many. It is quite frustrating when working on it for a few days with no result.

            Happy VPNing!

          • dear god, isn’t using google about the opposite of why you would ever want to run an VPN in the first place? if your VPN provider has DNS servers, why wouldn’t you use them?! I have the same model ASUS and when I tried putting my VPNs DNS servers in the WAN settings nothing would connect (PIA vpn); however, editing the config (.ovpn) file and adding “dhcp-option DNS a.b.c.d” (it allowed me to give it 2 such lines so I have a primare and secondary DNS lookup) worked flawlessly.. hope this helps?

  5. I signed up to IPVanish because they claim to have multiple servers in the Atlanta area. I downloaded the OpenVPN and certificate file. It did not work on my new ASUSWRT router. I had to cancel the service.

    Reply
  6. If my asus rtac66u works like an vpnclient, how do i acces my Synology NAS DS216+ when i am away from home

    Aka
    Router is vpnclient
    Nas behind the router , this should be a vpn server to be able to get acces from anywhere from the world.

    Any ideas , info how to set this up ( besides setting up de vpnclient on the router as this is explained here)

    Thx
    Regards Niels

    Reply
  7. Same as Nick. merlin 380.61 on RT-AC68U doesnot give me the option to upload a .ca file. I can get to manually input the CA (between the BEGIN and END tags) but that doesn’t work:
    Nov 29 16:15:40 rc_service: httpd 450:notify_rc start_vpnclient1
    Nov 29 16:15:40 kernel: tun: Universal TUN/TAP device driver, 1.6
    Nov 29 16:15:40 kernel: tun: (C) 1999-2004 Max Krasnyansky
    Nov 29 16:15:41 openvpn[10513]: Options error: You must define CA file (–ca) or CA path (–capath)
    Nov 29 16:15:41 openvpn[10513]: Use –help for more information.
    Nov 29 16:15:41 syslog: VPN_LOG_ERROR: 452: Starting OpenVPN failed…

    Reply
    • So far I don’t have any experience with Merlin, however I do know that it is basically a skin of the Tomato router firmware, so you may be able to follow VPN setup instructions for tomato and adapt them to Merlin.

      There are also a couple Merlin guides for specific VPN providers floating around, which can probably help you troubleshoot what you’re doing wrong…

      It is a priority for us to get an ASUSWRT-Merlin guide up early in 2017, but I’m sure you’d rather just get this done ASAP. I hope this helps!

      Reply
    • This is my log:
      TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
      TLS Error: TLS handshake failed

      Reply
      • The handshake is the initial part of the VPN connection, where you and the VPN server securely exchange the 256-bit or 128-bit session encryption key. If the TLS handshake failed, most likely you either uploaded the wrong CA (certificate) file, or forgot to upload one altogether. Sometimes I forget to remember to save the changes after uploading the CA file also.

        Reply
    • That happens to me occasionally. Typically I will just hit activate again, or refresh the page if the ‘activation’ refuses to time out.

      Reply
  8. I came across this site/thread after much frustration trying to reach a goal. I recently upgraded to the Asus RT-AC5300 router. My current 3rd party VPN service is Private Internet Access (PIA). Support through email with them has been a challenge.
    My goal:
    1. Have the ethernet ports on my network to have my local ISP IP address. (Most of these items are smart plugs or low traffic type items).
    2. First 5 GHz connected to VPN using PIA within the US on a server on the east coast.
    3. Second 5GHz connected to VPN using PIA outside of the US (example UK)

    Could this all be running at the same time on this router?
    Any advice, feedback or instruction would be much appreciated.

    Reply
    • What you’re describing is not possible with ASUSWRT stock firmware, however it is (probably) possible with the 3rd-party ASUSWRT-Merlin firmware. Or at least you can likely achieve the same effect a different way (routing internal IP-ranges to the preferred encrypted/non-encrypted tunnel). Unfortunately, the actual implementation is beyond my technical knowledge. You can probably find help with the merlin firmware on snbforums.com, as several members are hardcore users. http://www.snbforums.com/threads/vpn-guest-network-rt-ac86u.25391/ is a thread discussing a similar goal.

      Just FYI, on the stock firmware it isn’t possible to have 2 active VPN connections simultaneously on 1 router (1 active connection for each wifi network) which seems to be what you’re looking for. It’s conceivable that Merlin could do it, but I’d say odds are against it.

      Reply
  9. Why is a 3rd party VPN provider necessary? I thought VPNs consisted of VPN software on my remote PC talking to VPN software on the router which allowed me access to a PC behind the router.

    Reply
    • There are two different VPN modes on ASUSWRT routers: Client Mode, and Server mode.

      What you’re talking about is running your router in VPN server mode, which allows remote access to your home network while you’re away.

      This guide is about ‘Client’ mode, which allows you to route all of your home network’s devices through a remote VPN server. The purpose of this mode is usually to:

      1. Encrypt your traffic to prevent ISP spying or throttling
      2. Change your geo-location to access certain websites/services
      3. Keep your real IP address private so websites only see the VPN server’s IP
      4. Give VPN access to devices without built-in VPN support, like the Chromecast/Fire Stick
      Reply
      • Once I sign up for and begin using a VPN, will I have to learn how to use Server mode to access my ethercorded local network machines from remote locations using remote access software like Teamviewer, or will a VPN break their connectability functions?

        Reply
  10. Hi,

    I have been playing around recently with my AC88U and the VPN. No real issues so far with the exception of the VPN dropping out and all devices being exposed and the surprise of how much performance I lost with the connection. I have just applied the Merlin firmware and followed this tutorial (https://www.youtube.com/watch?v=oBLS7Wkn0C4). Working well so far and thought I would and I have seen an improvement as the Merlin firmware also allows you to reduce the MTU setting in the custom scripts so another win. Finally I have used PIA, ToRVPN but have had the best performance with NordVPN (all of which were set up easily using the steps above)

    Reply
    • Yep, if you choose to run a VPN on your router instead of your PC/smartphone there will be a speed hit because the router’s CPU is very weak compared to a traditional device. Dual-core router CPU’s max out around 25-35mbps depending on the VPN configuration. You can use PPTP instead for faster speeds, but the encryption on PPTP is basically broken at this point.

      Reply
  11. Could you please tell me what firmware version you use?

    Reason for asking: yesterday I purchased the same router just to setup a VPN client for PIA.
    When I switched on the device it reported there was a firmware update, which I told it to install.
    I configured everything to my best knowledge, as far as I can tell everything works, the connected devices have internet access, speed is about what it was before.

    When I follow your steps to set-up the VPN client everything goes OK, it tells me the VPN is connected, so far so good.
    However….. my connected devices have no internet now.

    When I go to the router network tools and ping my ISP nothing happens, the result panel stays blank.
    When I want to switch-off the VPN client the window “hangs” for a couple of minutes when I click the Client tab.

    I use firmware version 3.0.0.4.380_7378 (which is not listed on the Asus site…..??)

    Any advise welcome, I don’t expect you to troubleshoot this remotely but knowing which firmware version you use would be welcome.

    Reply
    • Herman,

      380_7378 is the latest firmware listed on the ASUS support website (for the AC68U) and I just updated to test out the VPN connection. It works flawlessly, so I’m guessing you have a configuration issue rather than a firmware issue. I recommend checking the router log for clues as to what’s going wrong, it will show the OpenVPN connection logs.

      Also, just doublecheck to make sure you copied the CA certificate file manually as PIA doesn’t include one in their .ovpn config files.

      If you still have concerns that the latest firmware is causing the problem you can simply flash a previous version from the ASUS support website. Let us know if you figure out the issue!

      Reply
  12. Never mind, got it!

    It is as Dean said on the 20th of February.
    I had the “Connect to DNS server automatically” set to “Yes”.
    It makes sense, when the tunnel does not offer an automatic DNS server I have to provide one…..

    Things are working now “as advertised”, all singing and dancing :-)

    FWIW we know now that the VPN client works under firmware version 3.0.0.4.380_7378 :-)

    Reply
    • Ah just saw this after posting my earlier reply. Thanks for the update and glad to hear you got it working.

      Reply
  13. It seems that these instructions may be a little outdated? the new interface for ASUS RT-AC88U using WRT 380.65_4 is totally redesigned. I was trying to use this guide but it doesn’t really fit the new GUI. Any chance we can get an updated one?

    Reply
    • The 380.65 firmware is the unofficial ‘Merlin’ build. My tutorial shows the ‘stock’ firmware which is provided directly by ASUS. We will have ASUSWRT-MERLIN tutorials coming out in the near future.

      Reply
  14. Does anything need to be set on the LAN DHCP SERVER tab? Do you need IP Pool address or domain name when setting up the PIA Client?

    Also, my opvn from PIA came with a .crt file I was told to use as the certification. Do I still need to add a CA file manually? How do you do that and where can I find the CA info to add?

    Reply
    • You will usually want DHCP to be turned ‘ON’ with your VPN router. This will allow the router to assign local IP addresses to all your connected devices. The only reason to turn it off would be if another router was handling the IP assignments. Even with a 2-router setup, we keep DHCP ‘On’ with each router on a different subnet (192.168.1.xxx vs 192.168.2.xxx)

      The CA.crt file is what you need to upload manually as the CA file. When you’re configuring the VPN on ASUSWRT, after you load the .ovpn file, it will tell you whether the ovpn file is missing a CA, and that you need to upload it manually.

      Reply
  15. Here is a sys log after trying to activate my client. What do I need to do to get this to activate because Im just getting a blue X instead of a check mark? However my wan is showing connected. Sooo confused.

    Apr 11 09:57:28 rc_service: httpd 472:notify_rc restart_vpncall
    Apr 11 09:57:32 rc_service: httpd 472:notify_rc restart_vpncall
    Apr 11 09:57:33 openvpn[2534]: OpenVPN 2.3.2 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [eurephia] [MH] [IPv6] built on Mar 15 2017
    Apr 11 09:57:33 openvpn[2536]: UDPv4 link local: [undef]
    Apr 11 09:57:33 openvpn[2536]: UDPv4 link remote: [AF_INET]104.200.151.43:1198
    Apr 11 09:57:33 openvpn[2536]: WARNING: this configuration may cache passwords in memory — use the auth-nocache option to prevent this
    Apr 11 09:57:34 openvpn[2536]: [b5c7b32177572dd127bfb91a19b1db53] Peer Connection Initiated with [AF_INET]104.200.151.43:1198
    Apr 11 09:57:37 openvpn[2536]: AUTH: Received control message: AUTH_FAILED
    Apr 11 09:57:37 openvpn[2536]: SIGTERM[soft,auth-failure] received, process exiting

    Reply
    • You got this error either because you didn’t manually add the latest CA.crt file, or your username/password is incorrect. We will have a ASUSWRT video tutorial coming out shortly, specifically for PIA. This should help w/ your setup if you’re still having troubles.

      Reply
  16. This is a great guide! Thank you!

    One question about using IPVanish: How do I know which .ovpn file I should download from this page: https://www.ipvanish.com/software/configs/

    For example, if I select one of the London .ovpn files will I need to connect the IPVanish application on my computer to the exact same server? Or will it simply mean that my router connects to that server?

    Thanks!

    Reply
    • Choose whichever ovpn file matches the location that you want your IP to originate from (and your traffic to be routed through). The router connects directly so you won’t need to use the IPVanish application on your devices at all.

      Thanks for the positive feedback! We’re always encouraged to hear people are finding the guide helpful.

      Reply
  17. Is there a tutorial for setting up the Dual-Router thing? I’d like to add an AC-68U as a second router for VPN access but I don’t know how to make it a “sub-router” on the same network.
    Thanks!

    Reply
    • Hey,

      Great question. We have a full video tutorial coming on that exact setup option soon, but here’s the quick summary of how to do it:
      You’ve got two routers. We’ll call the non-vpn router the ‘main router’ and the 2nd, vpn-enabled router the ‘vpn router.’

      There are really only 3 or 4 steps:

      1) Connect to main router and access the management portal of the main router by typing it’s local IP address into your URL bar. Usually it’s 192.168.1.1 by default. You want to check in the router settings to make sure ‘VPN-passthru’ is enabled. This will make sure the main router’s firewall doesn’t block the encrypted VPN connection as it passes through to the modem.
      2) Now connect to the wireless network of the VPN router. We want to put the VPN router on a different subnet than the main router. In the ASUSWRT control panel, click on the ‘LAN’ tab under ‘advanced settings’. Then change the IP address of the router to 192.168.x.1 where ‘x’ is a different number than the main router. If your main router is …1.1, then use …2.1.
      3) Still under the ‘LAN’ tab, choose ‘DHCP server’ from the tabs at the top. Make sure DHCP is enabled, we want the VPN router to hand out unique IP addresses on the routers own subnet. This way, all devices connected to the main router will have local IP 192.168.1.xyz and all devices on the VPN network will have IP 192.168.2.xyz
      4) Now to connect the routers together, run an ethernet cable from any LAN port of the main router to the WAN (internet IN) port of the VPN router.

      That’s pretty much it. They you can follow the OpenVPN setup steps in this tutorial to configure the VPN connection on your VPN router. One tip, is sometimes people find this setup doesn’t work correctly unless you set the DNS to ‘Automatic’ under the WAN tab of the ASUS control panel. Personally, I just use GoogleDNS or the DNS of my VPN provider and it works great.

      Reply
      • Hello,

        I have two routers I plan to set up with one being the VPN router. One router is the ASUS RT-Ac68P, and the second router is the ASUS RT AC3100 which is supposedly a more powerful router. Which one would you recommend using as the main router, and which one to use as the VPN router?

        Thanks

        Reply
        • Definitely use the AC3100 as the VPN router as you’ll get a bit more speed from thanks to the faster CPU. If the 68P is brand new (and returnable) you could downgrade to a mid-range router if you wanted. Assuming most devices will be connected to the ‘VPN router’ you don’t really need much power in the primary router. And for more control, you could install ASUSWRT-Merlin on the ac3100, allowing you to selectively route certain devices inside/outside the VPN.

          Reply
  18. Hello,
    I have PIA and was able to set it up on an Asus RT N66U with stock firmware as you explain. However, when VPN is connected I am losing 90% or more of my speed (from about 75 mbps to only 5-7 mbps).
    If I connect an individual laptop (not the router), speed goes down from 75 to around 60, which is acceptable for me.
    What is the reason for the speed being hit so hard when I connect the VPN on the router? Is there anything I can do to fix the speed issue (as I will not be able to use the VPN from the router at these speeds)?
    Many thanks!

    Reply
    • The reason your speed is so slow on the N66U is it’s only a single-core CPU (much slower than your PC/phone). We also have an n66u for testing and can get 11-12mbps by choosing an ovpn file with 128-bit encryption. 256-bit encryption is the same speeds you’re getting (6-7mbps). That’s we recommend the ac68U as our top VPN router, it’s the cheapest dual-core CPU router ASUS makes and can handle 25-40 mbps speeds.

      However all consumer-grade routers will eventually hit a speed limit because of their CPU. Even $300-400 routers will still max out around 50-75mbps when using openVPN. If you need faster speeds than that, you’ll have to run the VPN app on your pc instead.

      Reply
  19. I manually added the cert to the ovpn config file. The VPN panel of the Asus admin portal now shows the VPN as enabled. However, wireless devices still have no connectivity to the Internet. They remain connected to the SSID, but there’s no upstream connectivity for any wireless connection.

    Reply
    • Did you end up figuring out the connectivity issue? Usually the ASUS router log can pinpoint the reasons for any VPN connection failure. For example, if you get an authorization error, then the username/password combo is wrong. With some VPNs you could also be using the wrong .ovpn files, but if memory serves PIA only has one set of .ovpn configs that get used for all devices.

      Reply
  20. A friend had a router-based openvpn setup on a linksys router. (ExpressVPN) It provided a very nice interface where you could easily switch between server choices and easily exclude or include specific devices. Yet when I installed the same software on an Asus router, no such exclusion/inclusion options are on the interface. Is there a way to do this?

    Reply
  21. I apologize if this has already been covered, but I recently purchased the RT-AC88u and am using for my home router. With all previous routers I have had, I could connect to home from my office using remote desktop. However, this router apparently does not allow this RD connection. I called up Asus and they said that I need third-party software to accomplish what I want to do. I hope I can find good advice on how to succeed with this here. Thank you for any comments! Joe

    Reply
    • I’m 99.9% certain this can be accomplished, but I don’t quite have the technical expertise to guide you. I’d recommend posting a help request on the smallnetbuilder forums. Out of curiosity, is the AC88U your primary router or are you running it as a VPN router behind another router?

      Also, if you’re running a VPN on this router, that could be the reason you can’t access the RD connection. You may need to install ASUSWRT Merlin that allows for selective routing inside/outside the VPN tunnel.

      If you’re not running a VPN and this is the primary router, I expect it’s a pretty simple fix. Likely something you can fix with ‘static routes’ or adjusting the router’s NAT/Firewall settings.

      Reply
  22. Hi please can someone help.

    First of all, apologies if this has been covered before, but I have no experience of router settings and am new to VPN. I am trying to install PIA on my ASUS RT-N66U router. I followed the tutorial video at the top of this page and got as far as successfully adding an Open VPN client profile, and could see the blue check mark in the circle when activated. Only now I cannot access anything online. Opening a new Chrome tab gives me the Google hompage, but webpages fail to load, and I get the following message:

    “*webpage’s* server DNS address could not be found.

    Try: Checking the proxy, firewall and DNS configuration
    Running Windows Network Diagnostics

    DNS_PROBE_FINISHED_BAD_CONFIG”

    I had to factory reset my router before starting the whole process as I’d forgotten the security credentials, and there was a firmware update which I accepted (version 3.0.0.4.380_7743)

    I noticed a post earlier by ‘Dean’, who suggests changing:

    Use googles DNS servers as listed below;

    DNS Server 1 = 8.8.8.8
    DNS Server 2 = 8.8.4.4

    On doing this, I can now access webpages with the VPN activated, but when I check iplocation.net, my IP address and server info is still the same?

    And on a slightly different note, I read earlier that my router has only a single core processor and the AC68U is dual core. If successfully get the VPN up and running on my router, will it become too slow for streaming? Should I upgrade to AC68U?

    Apologies once again for all of the questions – this is driving me mad as it looks so simple in the video!

    Thanks in advance.

    Reply
    • So apparently some VPNs don’t push a DNS configuration to their clients. PIA may be one of them. You can specify your own DNS like 8.8.8.8 (as you did) in the ASUS router control panel under: LAN > DHCP Server (tab) > DNS Server.

      Alternatively, you can try editing your .ovpn config file before uploading to add the line:
      “dhcp-option DNS 8.8.8.8” (Without the quotes). Just substitute whatever DNS server you want instead of 8.8.8.8. Preferably you would use your VPNs own DNS if they have one.

      Enough people have asked this question (mostly on youtube) that we’ll be adding an article shortly.

      Reply
  23. I am trying to use my Android phone as my modem. I have an ASUS AC68U router and NordVPN currently. However, I still get DNS leaks with the WAN DNS settings set to not automatically connect and NordVPN DNS servers manually inputted (Netflix and Hulu still block me even with a working OpenVPN NordVPN client). It seems that connecting my phone as a 3G/4G USB application uses the same WAN menu interface and doesn’t allow me to both use my phone as a USB modem AND have the ASUS set up as a VPN router. Can I do this (USB phone modem + VPN router simultaneously) with ASUSWRT?

    Also, kind of unrelated. PIA doesn’t work directly with Netflix, but if you set up a PIA OpenVPN on the router directly, would Netflix work under that scenario?

    Reply
    • I’ll answer the easy question first. PIA won’t work with Netflix no matter how you set it up.

      Can you explain your phone/router setup a bit more clearly? You’re currently using your phone tethered to the router as a 4G connection, and running NordVPN using ASUS’s built-in openvpn client?

      We do have an android 4G tethering-to-router guide if you haven’t seen it already: https://www.vpnuniversity.com/tutorial/how-to-share-unlimited-4g-data-with-your-router

      Reply
      • Yes, I followed Method 1 in that link to the letter, but as it states you must default WAN to USB mode which does not allow you to manually specify DNS servers. To manually specify DNS servers within the ASUSWRT menus, you must change the WAN Type from “USB” to “WAN”.

        Basically, it seems to me that it is one or the other in ASUSWRT: either you specify DNS servers manually or you switch over to USB mode and tether your phone as a 4G WAN. I need both to occur simultaneously: I need my phone to provide 4G internet while also funneling DNS traffic manually through the NordVPN servers.

        The way my ASUS router is setup now, it uses my phone’s 4G internet, but still has DNS leaks which indicates to me that it isn’t or can’t do both. I am wondering if I am missing something, need more than one router to get this done, or this setup just can’t be accomplished in general.

        Reply
  24. Hi, is it possible to connect to multiple openvpn on ASUS AC88U at the same time?

    I was able to do that on my laptop, but when I tried that on AC88U, when I activated one, the other got deactivated.

    Thanks.

    Reply
    • Actually, it IS possible with ASUS-WRT Merlin. By combining multiple VPN clients with selective routing, I was able to have different devices use different VPN tunnels simultaneously (at least I’m pretty sure this worked, it was over a year ago). You will have diminished speeds by running multiple VPNs at once though. If it’s economically practical, 2 separate routers might be a better solution.

      Reply
  25. I have a question about whether the Asus router can be set to automatically connect to the VPN when switched on – I’m having to connect the router to a laptop via Ethernet cable in order to force the connection.

    By way of background I have a UK V:rgin Hub connected to the Asus AC-RT66U running the stock firmware with a PIA OpenVPN account which, in turn, is connected to a Samsung smart TV.

    It’s just a bit of a pain to have to connect a laptop to the Asus for it to connect to the PIA – I can’t see any kind of ‘auto connect’ option in the Asus Firmware. Any clues if it’s possible?

    Reply
  26. I’m having significant issues with connecting my brand-new Asus AC-2600 CM-32 (Cable/Modem Router) to Nord. I have followed all of the tutorials to the letter and everytime I press the Activate button, it cycles for a couple of seconds before the Activate button reappears. I’ve tried it numerous times and have talked to the Nord folks extensively without any success. Not sure if there is an additional setting change that needs to be made on the router side that isn’t covered in the videos. I’m about to return the dang thing out of frustration but figured I’d check here before throwing in the towel. Any help/guidance would be greatly appreciated.

    Reply
    • The first step is to diagnose the issue. Go into the ‘logs’ panel of your asus router immediately after a failed VPN connection. It should show you the point at which the VPN connection failed. The most common reasons however are outdated config files or incorrect username/password.

      In rare cases, you may need to upgrade to ASUSWRT-Merlin firmware for more finegrained control of the VPN handshake, but I personally haven’t encountered a OpenVPN provider that didn’t work with the stock firmware.

      Reply
      • I have been having the same problem with the ASUS CM-32. Both IPVanish and Private Internet Access have confirmed that this device is not supported. Has anyone found a VPN provider that works with ASUS CM-32? This is the recommended “buy your own” device for many ISPs so surprised there is not a VPN that supports it. Thanks.

        Reply
        • As long as the router runs the ASUSWRT firmware, then ANY openvpn-capable VPN provider should work. Have you followed the tutorial and not had success? Check the router logs and see what step in the handshake/connection process is causing the issue.

          Reply
          • Hopefully, someone has figured this out. I have tried OpenVPN Private Tunnel, IPVanish, and one other I can’t remember. Gave up a few months ago after wanting to cause harm to the ASUS tech support team for aimlessly stringing me along for a solid month. I would love to help work through this if necessary. Asuswrt has support for client and server built in, but there is no support for Merlin (I’m assuming due to the fact that it is a modem/router combo. I tried many different combinations of opvn and ca files before cancelling the vpn memberships. If anyone hasn’t found a solution, please let me know and I’ll start the process over again. I’m relieved to not be the only one with this issue.

  27. I set up open client with IPvanish, i get blue check mark but no internet traffic, shows im connected to router but no internet . Router is Asus AC5300

    Reply
    • Try manually setting DNS servers to either 8.8.8.8 or your VPN provider’s DNS if they have one. This step fixed the issue for nearly all users.

      Reply
  28. Thank you for this guide. I subscribe to Trust.Zone, and they don’t officially support or provide a help file to enable VPN on a Asus router. Following your guide got it working for me, so thanks a lot :-)

    Reply
  29. I have an ASUS RT-AC68U router running in PPPoE Bridged mode behind a TP Link Modem.
    Is it possible to run the OpenVPN Client on the Asus router in this mode?

    Reply
  30. Help
    I am a nooby and have run into a serious problem. At least serious to me. when attempting to put ipvanish on my ac-66u routerI have gotten as far as uploading the opvn file for the server I want and I get the message that there is a lack of certificate of authority. On download of the ip vanish server list the first item is
    ca.ipvanish.com then the description is that it is the security certificate. When I try to open this file I get a certificate information screen which says it is a root certificate that I am unable to access. Where is the certifiticate of authority file that I need?

    Reply
    • ca.ipvanish.com.crt is the correct file. Don’t try to run it on your machine as that’s what’s causing the error. Simply download the file and then upload it to your router under the ‘manually add certificate authority’ dialog.

      Reply
  31. Many thanks for this guide, got it working on a Asus RT-AC87U running Merlin, using Newshosting VPN, which actuallly seems to use IPVanish according to speedtest.net. I also used policy rules so that only my download server uses the VPN. It was very easy.

    Reply
    • Interesting, I haven’t heard of Newshosting but it is probably a white-label service that uses IPVanish’s network.

      Reply
  32. To be ready for this tutorial I read your related article to help decide which router to buy:

    https://www.vpnuniversity.com/routers/best-asus-asuswrt-routers-for-vpn-torrents-nas

    I followed that guide and ordered the RT-AC68U from Amazon & was very happily surprised that the one I received has an upgraded dual-core 1.4 GHz CPU for the same price ~$140. I did some research and evidently I received the B2 Hardware version as referenced in this forum:

    https://www.snbforums.com/threads/rt-ac68u-rt-ac68p-rt-ac1900-rt-ac1900p.35759/

    The RT-AC68Us are all sold out on Amazon right now and prices are high until more stock comes in but this could be a great boon going forward if 1.4 GHz is consistent going forward. At a minimum though your article should now say at least 1 GHz instead of 800 MHz.

    On a related note you may also want to add the RT-AC86U as it seems to be in between the 68U & 88U price-wise at ~$197 but may be the best performance for dedicated VPN with a 1.8 GHz dual-core plus it has some features that gamers may want.

    Reply
  33. Thanks again for all the information. I did some more digging including SSHing into my new 1.4 GHz RT-AC68U from Amazon and found out that it looks like the OpenVPN is typically a single core activity and thus the higher 1.4 GHz RT-AC68U should hit about 55 Mbps on OpenVPN which is pretty nice.

    That being said the 1.8 GHz RT-AC86U should hit about 200+ Mbps which is essentially 400% (4X) more even though it is only 400 MHz faster (or 200 MHz in the single core behind OpenVPN). If I understand correctly this is because the RT-AC86U has AES-NI implemented in the chip at the hardware level…

    With this in mind I respectfully recommend you update your article ‘Best VPN-Enabled ASUS Routers for VPN, Torrenting, or Cloud Drive’ to add the RT-AC86U as it is likely also potentially 400% faster than even the RT-AC5300 at 50% of the cost (~$200 for ~200 Mbps compared to ~$400 for ~$50 Mbps).

    For more details you can reference this thread as it coupled with your two posts have really spurred my thinking:

    https://www.snbforums.com/threads/openvpn-performance-of-the-rt-ac86u.41217/page-8#post-409529

    Reply
    • I’ve had the most consistently good experiences with IPVanish, PIA, and ExpressVPN. NordVPN can be great, but seems to have problems on certain devices with no clear explanation. IPVanish and PIA are definitely the best value of the 3 (Express is over $10/month).

      You can save an extra 25% off IPVanish with this coupon if you’re interested ($4.87/month).

      Reply
  34. Hi,

    I’m trying to program my VPN into the ASUS RT-AC5300 router through OpenVPN, but after initial hardware setup, going into my control panel, there are no VPN or WAN tabs under the Advanced Settings header. I was instructed by ASUS to upload older firmware, which I did. I tried (3.0.0.4.384.32738, 3.0.0.4.384.21140, 3.0.0.4.384.21045, 3.0.0.4.384.20942), but no luck (3.0.0.4.380.1355 on back gave me invalid pop ups). Anyone have any ideas on how this can be fixed? Thank you!

    Reply
    • There should definitely be VPN settings in the AC5300 firmware unless you’re using a modified router provided by your ISP. Your router is also officially supported by ASUSWRT Merlin so you should consider flashing that firmware if you can’t find the VPN settings in your stock firmware.

      Reply
  35. i have a Asus RT-AC68U wireless router. i use expressvpn and downloaded the the files and crt files under vpn openvpn and made prfiles for servers and it works fine. but i have to turn the vpn on and off from my laptop. is there a way i can turn on and off the VPN client from an android app on my cell phone??

    Reply
  36. expressvpn works with asus RT-AC68u wireless router, they have the ovpn and crt files you can download and install. works fine i checked it

    Reply
    • It’s almost certainly because the AC51U has slow, single-core CPU which can’t really handle the complex math required by VPN encryption. Also, NordVPN forces you to use 256-bit encryption on OpenVPN which is much more resource-intensive than 128-bit encryption which is optional on other VPNs like PIA. If you’re looking for a more VPN-worthy router, check out our guide.

      Reply
  37. Hello,

    I’m completely new to this but have been doing as much reading as I can. At this stage my eyes are bulging and I’m going in circles!

    My Premiss is to have the ASUS RC-53 router that I have daisy chained to my modem pair through NordVPN. That way all of my devices will be under the NordVPN Umbrella ;)

    At the recommendation of a friend they advised I purchase the ASUS RT-AC53 (NOT the AC5300 that I see posted on here). Reading through several articles/videos they all seem to advise that I go into the router config
    Select VPN on the left> VPN Client> Add Profile> THEN SELECT “OPEN VPN”
    HOWEVER my options at this pop-up window are only to select “PPTP” or “L2TP”.

    Am I missing a vital step or is it quite simply that the router does not support this feature?

    Kind regards

    Reply
    • I haven’t used the AC53 personally, but I do know that it is a single-core CPU running at only 300mhz. That’s half the cores and half the frequency of our recommended ‘value’ router the AC68U. Unfortunately, OpenVPN is quite CPU-intensive and the AC53 simply doesn’t have the muscle to use it efficiently even if it was built into the software. As such, it’s quite possible that ASUS decided to leave OpenVPN client functionality out of the firmware for that model. The N66U is the only (600mhz single-core) is the lowest-powered ASUS router we’ve tested and confirmed works with OpenVPN.

      If you (understandably) don’t feel like shelling out another $150 for a more powerful router, you may be able to get acceptable results running NordVPN with the PPTP protocol on the router.

      Reply
  38. Hi,

    Thank you for the great review.
    Is it possible to set a Static Route to OpenVPN?

    For example, there are a wired ether PC 192.168.1.100 and a guest wifi PC 192.168.1.200.
    And the WAN IP is 88.44.22.11 and WPN tunnel IP is 77.55.33.11.

    Can I add a static route like 77.55.33.11 from 192.168.1.200
    to make the Guest WIFI for a dedicated VPN network?

    Reply
    • I have spent some time trying to figure out how to route the guest network to the VPN, but it doesn’t seem to be possible from the stock firmware. It can be done with some more advanced scripting on ASUSWRT-Merlin but that’s beyond my technical ability.

      Reply
  39. Hello, I’m on stock Asus rc-3100, Private Internet VPN using their Openvpn files. I’m trying to block all traffic if the VPN fails or disconnects in the router. I’ve tried a common Win 7 firewall block but it doesn’t work because those tutorials are using the Openvpn client to connect which give them 2 adapters to alter.

    Would you happen to know of a way to stop, block, cut off my internet, when or if the routers VPN mucks up? Thanks! – Shawn

    Reply
  40. Thanks, it works perfectly with the VPN-provider “ProtonVPN” and the RT-AC68U.
    You can add that to the list.
    With friendly greetings,
    Martin

    Reply
  41. Hello – I am running Merlin on an Asus 86U with 2 VPN clients (PIA and ExpressVPN). How do I configure Selective Routing for each client so that I would use PIA for most of my accesses, but uses EVPN for routing from 1 device (or a limited subset of devices)?

    Reply
  42. Hi,
    Just found this website as I was looking for answers to questions about what happens after a VPN connection is made.

    1: If the VPN connection is broken, will the router automatically re-establish the VPN connection?
    2: Will the router suspend or allow internet access whilst it tries to establish a VPN connection?
    3: What happens if the router is unable to re-establish a VPN connection?

    Reply
    • The basic behavior for the stock ASUSWRT firmware is that the VPN will stay down if it disconnects. While the VPN is ‘connecting’ your connection will go through your normal WAN connection until the connection is established.

      To add security features like a kill-switch (no traffic routed insecurely) or auto-reconnect to the VPN, you need to upgrade to the 3rd-party Merlin firmware. Then set the connection retry attempts to ‘-1’ (infinite) in the VPN settings.

      We have tutorials showing you how to set everything up:

      1. Install Merlin and create a VPN connection
      2. Set up the Kill-switch and policy routing
      Reply
  43. I was easily able to get the VPN to work on my Supported router with ASUSWRT firmware, however several of the services on my Roku, Fire Stick, and Chromecast such as PRIME and HULU would not allow access to a hidden network. I finally able to get Netflix to work after rebooting the router, the interface device (Roku, Fire, or Chrome), but Prime and Hulu continued to give me messages. Any suggestions?

    Reply
    • Several of those services (notably Netflix and Hulu) actively block VPN services. There are a few VPNs that have created workarounds, though some only work when using the VPN app, not a manual configuration. I believe ExpressVPN and NordVPN can work with Hulu even when using a router. I tested this in the past and it works but unfortunately the situation is fluid and it’s a bit of a cat-and-mouse game between the streaming services and VPN providers.

      Reply
  44. Hi there. I have an Asus RT-AC53 which is on the list of supported routers and I tried to follow your steps described here but when I click on add vpn profile I do not get an “open vpn” option. I only get the other 2 ones: PPTP and L2TP but none of them has any choice of importing .ovpn file. Please help!

    Reply
    • Unfortunately, the RT-AC53U is not an OpenVPN-capable router and does not have nearly enough processing power to encrypt data on-the-fly. Our guide does list the AC5300 which is a completely different device (and expensive, around $250).

      Reply
  45. I have followed this setup with my Asus RT-AC66U and it gives the blue tick to show the VPN is connected. It connects and I am able to access the internet but it when I check my IP address it is not using the VPN IP address but my normal BT IP address.

    Any ideas?
    Thanks

    Reply
    • First thing to do would be to check the router logs for clues. You can change the OpenVPN verbosity level in your config file to output more information about the VPN to the router log. Try adding verb 5 on a new line in your config file, then check the logs. Also make sure DHCP is turned on for your router (if using in tandem with a 2nd router).

      Reply
  46. Hi there. I’m trying to setup OpenVPN client with an ovpn profile that works just fine with my software client, but not with my asus router. I keep getting: “Options error: Unrecognized option or missing or extra parameter(s) in config.ovpn:27: connection (2.4.3)”. The problem is that I am not really able to debug it, because i dont know how and where to open the config.ovpn to check that exact line. As far as i understand the config.ovpn gets generated in nvaram. But how can i actually see what is on that line, to start somewhere?

    Reply
    • Well you must have the .ovpn file because you uploaded it to the router, can’t you check there? Sometimes VPNs provide multiple versions of the config files, each for a different OS (Android, iOS, Windows etc). Which VPN are you using? Many of the largest companies offer their own setup tutorials for Asus routers.

      Reply
  47. Hi, thanks for the excellent help on your site. I have been using an ASUS RT-AC3200 router to access Cyberghost via the native OpenVPN firmware for the past 6 months and it works well. The initial setup was a bit fiddly, and cyberGhost don’t officially support it, but they do allow you to download the certificate and key setup files.

    Reply
    • Yeah, some VPN companies aren’t helpful in setting up router configurations because they tend to use more bandwidth. But any OpenVPN provider should work with AsusWRT.

      Reply
  48. ref: RT-AC5300
    3.0.0.4.384_82072
    nordvpn

    Problem: alexa echo-2 able to connect but after I enter the wireless password fails with Error 7:1:17:6:1

    Question: is there anything that I can change in the router?

    Comment: I was going to post this message but I found the solution:
    Disable Smart Check and use band 2.4.
    JIC I change the SSID for both 5 band.
    Connection with echo-2 went ok. Then I redo all the router as it was.
    I decided to post this message so may help other users.

    Reply
  49. My Router is ASUS RT-AC685. I setup the Nord Vpn successfully, following your youtube video. However, my router is telling me that that my Primary WAN is disconnected. Don’t understand this. I am still geting the internet though. Can you explain this?

    Reply
    • It’s hard to know without seeing your router logs. However if your IP address is changed as expected and you have internet access then I wouldn’t worry too much.

      Reply
  50. I just purchased the ROG Rapture GT-AC5300. Looking forward to seeing how OpenVPN will work with a 1.8GHz Quad-core CPU. I’m waiting to set it up once I move at the end of this month. I might have a question or two when I get going with everything. I’m glad I found this page.

    Reply
    • Please let us know what kind of speeds you get. I haven’t been able to test a router with that much power yet. If it can hit +100Mbps on a VPN that would be excellent.

      Reply
  51. Does this work if the router is using USB Tethering to an android phone for internet access?

    Thank you,
    Lisa

    Reply
    • Yes it does (on asus routers anyway). In my testing, the USB-tethered connection was a bit unstable so you have issues with the VPN disconnecting.

      Reply

Leave a Comment