137

How to Install VPN (Client) on Your Router

router with green lights

There are many reasons to install VPN on your home router. First, running VPN on your home router provides a layer of protection to all devices on your network so you don’t need to set up VPN on each device. Second, Apple TV, Fire TV and other media players generally don’t allow you to install VPN on them, so running VPN on your router is often the best option to access restricted content. Finally, most VPN providers allow only three concurrent connections. By installing VPN on your router instead of each device you bypass this limitation. In this article I’ll show you how to set up an OpenVPN client on an Asus router running Asuswrt-Merlin firmware. (If you want to read my upcoming article about setting up VPN on dd-wrt routers be sure to sign up for my newsletter.)

I use an Asus RT-AC68R, which is hands down one of the best (VPN) routers on the market. Before we set up the OpenVPN client let’s first replace the router’s firmware with the awesome “Asuswrt-Merlin” version. This custom-built firmware offers advanced VPN features that let you configure up to five OpenVPN clients and also offers a “Routing Policy” feature to specify which devices can use VPN and which can’t, a true pro level function. To download the latest Asuswrt-Merlin firmware and instructions click here. Backup your existing settings before installing the new firmware.

Below you’ll find instructions to configure OpenVPN clients for IPVanish, PIA, Torguard, HideMyAss , AirVPN, and proXPN.

Instructions

  1. First, download and save the OpenVPN configuration files (.ovpn) from the VPN provider’s website. Some providers (HideMyAss) offer separate configuration files for  connections using TCP or UDP protocols. I almost always use UDP. The difference between UDP and TCP is minor. Here are the links to each provider’s OpenVPN configuration files.

    Download IPVanish OpenVPN client settings.
    You need to download two files:
    Download Private Internet Access OpenVPN client settings.
    Download the Certificate Authority file.
    Download TorGuard OpenVPN client settings.
    Download HideMyAss OpenVPN client settings.
    Log in to your CyberGhost account. Next, follow the instructions here to generate your login credentials. Finally, download the OpenVPN configuration files.
    First, log in to the AirVPN Client Area. Click Config Generator to load the OpenVPN Configuration Generator. Follow the instructions to generate and download your configuration file. Next, on the router, simply import the OpenVPN file you downloaded and click Apply.That's it. You can skip the rest of the instructions.
    First, download the proXPN OpenVPN configuration file: proxpn.ovpn. This file includes all the default settings you need. Second, go to the proXPN server location page, choose an OpenVPN server, and then copy its IP address. Next, edit proxpn.ovpn in a text editor; replace the IP address on the first line with the IP address you copied from the location page. Then, on the router, import the edited proxpn.ovpn file. Finally, next to Redirect Internet traffic, choose "All traffic" and click Apply. That's it. You can skip the rest of the instructions.

  2. Open a web browser and enter the IP address of the router.  Once logged in successfully you’ll see the Administrative page, as shown in Figure 1-1. Navigate to Advanced Settings and select VPN > OpenVPN Clients.
    OpenVPN Client Settings

    Figure 1-1

  3. Client Control
    • Underneath the Client control section, right next to the Select client instance option, choose a VPN client instance from the drop down list.
    • Next, click Choose File, select a configuration file you downloaded earlier, and click Upload. This applies the default settings for you.
    • Next, we’ll go through and fine-tune each setting. Let’s start with changes to the Basic Settings.
  4. Basic Settings
    • Start with WAN: Select Yes if you want the VPN to start automatically when the router boots; select No if you want to manually start the VPN.
    • Interface Type: TUN
    • Protocol: This setting is pre-selected by the file you imported.
    • Firewall: Automatic
    • Server Address and Port: The “Address” and “Port” fields are pre-selected by the file you imported.
    • Authorization Mode: TLS
    • Username/Password Authentication: Yes
    • Username: Fill in the username of your VPN account
    • Password: Fill in the password of your VPN account
    • Extra HMAC authorization: Disabled
    • Create NAT on tunnel: Yes
  5. Advanced Settings
    • Poll Interval: 0
    • Accept DNS Configuration: Choose Strict to use the provider’s DNS settings; choose Disabled to not use the provider’s DNS settings.
    • Encryption cipher: Default
    • Compression: Adaptive
    • TLS Renegotiation Time: -1
    • Connection Retry: -1
    • Verify Server Certificate: No
    • Redirect Internet traffic: No.  Using the “Policy rules” option allows you to specify which devices connect to the Internet through VPN, and which devices connect directly.
  6. Custom Configuration
    persist-remote-ip
    keysize 256
    tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-DSS-WITH-AES-256-CBC-SHA:TLS-RSA-WITH-AES-256-CBC-SHA
    
    
    tls-client
    remote-cert-tls server
    reneg-sec 0
    disable-occ
    
    remote-cert-tls server
    tun-mtu 1500
    tun-mtu-extra 32
    mssfix 1450
    fast-io
    ping-restart 0
    route-delay 2
    route-method exe
    script-security 3 system
    mute-replay-warnings
    ping 5
    ns-cert-type server
    route-metric 1
    ping-exit 30
    auth MD5
    ping 5
    ping-exit 60
    ping-timer-rem
    explicit-exit-notify 2
    script-security 2
    remote-cert-tls server
    route-delay 5
    tun-mtu 1500
    fragment 1300
    mssfix 1300
    cipher AES-256-CBC

  7. Now, scroll back up to the Basic Settings section, click on the link Content modification of Keys & Certificates, and a pop-up window will appear, as shown in Figure 1-2.
    IPVanish CA Certificate

    Figure 1-2

  8. Next, go to the folder containing the OpenVPN configuration files you downloaded earlier. Open the key and certificate files using a text editor. Copy and paste the entire contents of each file into its corresponding text box in Figure 1-2.
    Open ca.ipvanish.com.crt. Copy and paste its contents into the Certificate Authority text box.
    Open ca.rsa.2048.crt. Copy and paste its contents into the Certificate Authority text box.
    Open ca.crt. Copy and paste its contents into the Certificate Authority text box.
    No action is required.

    Open ca.crt. Copy and paste its contents into the Certificate Authority text box.

    Open client.crt. Copy and paste its contents into the Client Certificate text box.

    Open client.key. Copy and paste its contents into the Client Key text box.


  9. Click the Apply button.
  10. Return to the Client control section and make sure the Service state is switched to ON.
    Asus RT-AC68U Service state
  11. Now verify your VPN client status by navigating to VPN > VPN Status, as shown in Figure 1-3.
    Asus RT-AC68U VPN status

    Figure 1-3

By setting up VPN on your router you’ve added an extra layer of protection for devices connected to your home network. I appreciate all the wonderful feedback. Keep commenting, your support makes this site better!

Q & A

Fix for the “routing conflict” error


A couple of readers said they got a “routing conflict” after they made changes to the VPN settings. After testing this issue with IPVanish, PIA and Torguard it seems this problem is exclusive to IPVanish.

When disconnecting from the IPVanish server the remote IP address assigned to the router’s WAN interface should be removed automatically, but it isn’t. This causes the “routing conflict” error when you re-connect by toggling the “service state” button, or by clicking the “apply” button. This error shouldn’t interfere with your VPN connection, but it does mess up routing tables, and it’s annoying. I have submitted this issue to Erich – Asuswrt-Merlin FW developer, and IPVanish. I’m hoping to see an official solution soon.

Until there is a solution to this problem you can temporarily fix the “routing conflict” by manually removing the route that should’ve been automatically removed by the VPN server when it disconnected. This manual fix is required each time you disconnect from the VPN server, or after you make changes to the router settings. Here are my brief instructions:

  1. Log into the router using SSH
    ssh 192.168.1.1
  2. Delete the route associated with the VPN server as shown below (s.s.s.s is the IP address of the VPN server).
    ip route delete s.s.s.s

Got a question? Post it in our forums. We’ll work it out.

Notable Replies

  1. Hello, I have successfully gotten to the end of the router config but when I entered the new static IP address in my browser to log in and install the Open VPN I cannot get to the router. I am not able to get to it on any device or browser. Any help is appreciated.

  2. Going back through the thread on the Access Geo Restricted Content article, there was a similar issue encountered by user Guy, on July 25th 2016, that does not look like it was answered.

    My internet router is a Vz Gateway 1100, which has about as unfriendly an interface as you can imagine, but as I have the VPN router giving me access I think I have followed all of the steps. Again any suggestions are appreciated.

  3. To log into the VPN router, you need to connect to it wirelessly or by an ethernet cable. Do you know the IP address of your VPN router?

  4. Thanks for the guide on installing a VPN client on a router. I was trying to setup for PIA (private internet access) on an Asus RT-N66U that I loaded Merlin on. When I loaded the config file, I got an error 17 message although many of the router VPN fields got filled in with PIA specific info. I was getting very close (the VPN status of the router showed "connected"), but I was not able to get any internet traffic. Putting "service state" to off let me connect to the internet. I found this tutorial for Merlin based routers on the PIA website https://helpdesk.privateinternetaccess.com/hc/en-us/articles/227852327-Setting-up-an-Asus-Router-running-Merlin-Firmware The setup was very similar to this page with the "custom configuration" area being quite a bit different. Bamn! It worked. The guide was written recently (January 2017).
    One other bit of information. At first I was unable to get to my VPN router from a computer plugged into my internet router. I was typing in the IP address of the VPN router. I then tried adding port numbers after the IP address (don't know much IT stuff, but have played a lot with IP cameras). That did the trick. So instead of 192.168.1.200 (my VPN router static IP address), I put in 192.168.1.200:8080 and connected.
    Thanks again.

  5. Ricks says:

    Great, thnaks for the quick reply.

    I can't see any builds of that for my device, do you know if the build on there is compatible across devices?

Continue the discussion Here

10 more replies

Participants

Comments 137

  1. I’m trying to configure my home RT-AC66U (running Merlin firmware) so that only Asus’s router embedded DownloadMaster uses PIA, and all other wired/wirless devices using the router do not use the VPN. I’ve got PIA up and running, but all traffic uses the VPN which is problematic for our work computers that must connect with corporate VPN’s (we work from home).

    Thanks for your superb information, and in advance for your suggestion(s) on how to make this work.

  2. Hello. I am a networking noob and can’t seem to get this to work. The green switch is on at the end but it will not connect to IPVanish, it just keeps clocking. Any suggestions?

  3. i get to the certificatepart and ca.ipvanish.com.crt. says certificate is already installed. What can I do now?

  4. Thank you very much for the instructions! Running an Asus router with AsusWRT-Merlin (latest version as of writing this) and your instructions for connecting it to Ipvansih are spot on! Setting all the traffic leaving my router to use the vpn rather then having to set up each and every machine in my house, (voip box, internet connected printer, appletv box, laptop, ipad, iphone, Kodi box, etc.) is a royal pain, not to mention that most of them don’t even support setting up a VPN! Those that do are difficult at best to configure and get to work! I also offer free wifi connections to people visiting, on a separated ssid of course, and by having the router itself connected to my vpn provider, I can protect them as well!
    This is one of the reasons I support large companies that allow for third party firmware on their devices. Asus has been a big supporter of open source firmware on their routers and the community hasn’t disappointed. Both is supplying working firmware, thanks AsusWRT-Merlin, and thank you for the documentation on how to connect everything!

  5. I am having difficulties for tigervpn to work with Asus merlin software! says error in tls and I am coping the exact text for the client certificate! Does anybody have the solution?

  6. I have read this, but somehow cannot get it to work on my ASUS RT-AC68U with standard ASUS firmware. I want to be able to connect to my router/LAN via OpenVPN from a hotel room 1,000 miles away so I can use Microsoft Remote Desktop via VPN to connect to one of the computers on the LAN.

    I enabled OpenVPN and created a Username/Password and downloaded the config file. Then, I went to the VPN Client tab and created and activated a VPN Client (not sure why … is this for my laptop in the remote hotel room?). It asked for the VPN Server config file during the process.

    Now that both the VPN Server is created and a VPN client is activated, what do I do with my laptop to access the router/LAN via VPN?

    Thanks.

  7. Hi,

    I’m wondering how many VPN IP SEC supported on ASUS RTAC68? Could you let me know.
    Thank you so much,

    -Tien

  8. Hello! I’m using PIA and have followed the directions to a “T” , but my VPN status always says “connecting……”. I’;m using an Asus AC68U flashed with Asuswrt-Merlin. Any ideas? Thank you!

      1. same here, PIA with an ASUS RT-AC68U and my VPN status always says “connecting” but never accomplishes that feat…

  9. Dude! I can’t thank you enough! I needed to set up an AC87U with IPVanish, and their support wasn’t willing to give me any love at all and I couldn’t find these instructions anywhere else in the “Internets” LOL.

    You’ve saved the day (actually several days…).

    1. William C. Post
      Author
  10. I just went through both your tutorials for setting up a 2nd router with VPN and this one. I am using PIA and an Asus RT-N12D1 with Asuswrt-Merlin firmware loaded. I am able to follow all the steps in you guides successfully, but after I set up all the settings on the OpenVPN client page (the .ovpn file, username & pw, and paste the certificate authority) and click apply. I then switch the service state to On and it wont connect. The VPNrouter has internet access and is plugged into another router that is plugged into a cable modem.
    When I look at the router logs I am seeing this error “openvpn[436]: ERROR: username from Auth authfile ‘up’ is empty”. Any ideas what the problem is and how to fix it? It sounds like it is not reading my username or something, but I have made sure I am putting in the correct username and PW for my PIA account.
    Thanks for the guides.

  11. Hi,
    First, I would like to say thank you very much sharing the knowledge of setting up VPN. You did a superb job educating me the importance of VPN and with your instructions are easy to follow and to understand. I have question….. currently, I have proXPN as my VPN service. I would to know if I can use your setup with proXPN. If you do know how, would you mind help me to setup? I’m having a hard of getting the openVPN list.
    Thank you, and I will do my best to pass down your site to other people that I know who would like to setup a VPN on their routers.

    Thanks,
    Jarod

    1. William C. Post
      Author
      1. i have a premium paid account with proXPN, how do I follow guide to input username and password? I only ask as the part for proXPN say’s “you can skip rest of the instructions”!

    2. Jarod, do you have the premium/paid version of proXPN? If so how did you finish this setup? I mean it states after importing the file to the router you can skip the rest of the instructions! I’m new to this and just a tad confused on how i enter my username and password for proXPN. Thanks for the help and sorry for being such a newbie!!

      1. William C. Post
        Author
  12. hello
    i have tp link acher c9 with dd wrt. i have a vpn ipvanisch vpn. can you tell me how to set a open vpn and i want only the vpn for my wan port 4, if i go to follow vpn setting bij ipvaish i have a problem with tl cipher
    TLS Cipher
    TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
    TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
    TLS-DHE-RSA-WITH-AES-128-CBC-SHA
    TLS-RSA-WITH-AES-256-GCM-SHA384
    TLS-RSA-WITH-AES-256-CBC-SHA256
    TLS-RSA-WITH-AES-128-CBC-SHA
    TLS-RSA-WITH-RC4-128-MD5
    None
    with one i need to take

  13. Excellent guide, thanks for posting! Would you be able to add settings for NordVPN, as their own tutorial section is shall we say lacking?

  14. Hi,

    Great article, do you have instructions/settings for AirVPN by anychance, I have a Asus RT-AC68U router with latest AsusWRT Merlin Firmware and would like to setup for AirVPN.

    Thank you

    1. William C. Post
      Author
  15. I’m having issues with the Routing conflict and am unable to SSH to my router. I am using Putty on my laptop and trying to SSH to my VPN router IP address. The laptop can connect as I have the router Admin page open on it. Any help connecting so that I can delete the route .
    Also in my VPN router when the VPN is turned off I have a TX rate to my fire stick of 30Mbps however when I turn on the IPVanish VPN it goes down to 6 which in turn is causing me all kinds of buffering issues….any advice.
    Thanks in advance

    1. I have managed to SSH to my router now but unsure of which route to delete, there are several in there

  16. Thank you for the great step by step guide and screenshots. My basic question is now that I have my VPN router configured using one of the IPVanish ovpn files that effectively “hard configured” my router to point to that server. I am guessing that I do not need to run the IPVanish software on my desktop/internet router any more.

    1. William C. Post
      Author
  17. I have PIA installed on mt ASUS router using the Open VPN. Now that Netflix is blocking my service I want to disable the VPN on my router so the kids can view Netflix on their tablets. I switch the service state to off and all is fine but if I re-boot my router the service state in Open VPN Clients goes back on. Is there a way that I can permanently disable the PIA VPN on my router?

    1. William C. Post
      Author
      • Next to Select client instance, choose a client that isn’t configured.
      • Make sure Service state is set to OFF
      • Start with WAN should be set to No
      • Save your changes by clicking Apply
    2. Download Private Internet Access OpenVPN client settings. This files has 18 different .ovpn, which do I choose.

      1. William C. Post
        Author

        Each .ovpn file corresponds to a specific location. You get better speeds by choosing one that is closer to your actual location. However, if you plan to use VPN to bypass geo-blocking, choose the location where you want to appear to be.

  18. Hi. I am across this site on a google search for tweaking vpn settings. I have a ASUS N66U running the latest version of merlin 380.57. I messed around with the VPN custom config file for tor-guard. Tor-guard’s default are (below) I changed the MTU to 1500 and the mssfix to 1492 as shown in this article. Is this something that is recommended to do?

    Tor-guard default
    remote-cert-tls server
    tun-mtu 48000
    mssfix 0
    fragment 0
    sndbuf 393216
    rcvbuf 393216
    push sndbuf 393216
    push rcvbuf 393216
    fast-io
    ping-restart 0
    route-delay 2
    route-method exe
    script-security 3 system
    mute-replay-warnings

    1. William C. Post
      Author
  19. Thanks for the information. This save me a bunch of time troubleshooting. For some reason the torguard OPVN files won’t work but your customer configuration does. I tried to nail down the differences and found:

    client
    dev tun
    proto udp
    resolv-retry infinite
    nobind
    ca ca.crt
    auth-user-pass
    comp-lzo

    These were the only things different however I could never connect when these lines were added to the configuration. Strange.

    In anycase Thanks for you work its appreciated!

  20. I’ve got my VPN client running on my RT-N66, but now how do I see my server behind it?

    I can get the VPN’s IP address via whatsmyip services or DDNS. I am able to access the FTP server for the flash drive on my router, so it doesn’t look like my VPN provider is all the ports, but except for the FTP server on the router itself, I cannot see anything else. And yes, I have port forwarding set up properly- I am able to see that server without the VPN client running.

    On the off chance that my VPN provider is blocking some ports, I’ll set the FTP to a different port and set the server to the old FTP port (21), but assuming that’s not the problem then what should I do?

    Would changing my policy rules allow incoming connections from my ISP to get routed correctly? I guess that’s something else I could try. Nonetheless, I’d prefer to have my server accessible via the VPN and not through my ISP.

    1. Thanks for the great tutorial. I am not well skilled in these things but the tutorial was great! One question I had was once I have IPVanish installed on the router, is there a way to have it search for the fastest connection or just use US IP addresses since I am in the US? I ask because I have been on an IP address in Albania for 2 days and it sometimes slows to a crawl?

      Thanks!

      Also for some reason I can’t access the router with Putty on port 22. I did receive a connection conflict yesterday but all is well today so far.

  21. I followed your instructions to enable VPN killswitch on Asus RT-N66R router but the VPN is no longer working. My real IP was showing. I had to disable Redirect Internet Traffic to get the VPN working again. Any thoughts? Thanks,

    “In the Advanced Settings section and next to Redirect Internet traffic, select Policy rules from the dropdown list. Then choose Yes for the Block routed clients if tunnel goes down field.”

  22. Hello,

    I have a RT-AC68U. I follow your instructions. Everything seems to goes well. I see “Running” in the VPN Status tab but no statistics board are shown. The account is with PIA. I setup on New York server. I used this page (http://www.cogipas.com/whats-my-ip/) to see if the VPN is working but it doesn’t look to: I see my city, ISP, country, etc…

    What I am doing wrong ?

    Thank you so much.

    1. William C. Post
      Author
      1. It is not working yet.

        I contacted their help support. They said it was better to try with the IP address directly instead of hostname and to try few differents port, those below:

        I’ve tried 209.95.50.87 (New York server)

        with each one of those:

        UDP 9201, 1194, 8080, 53
        TCP 80, 110, 443

        still getting same error, as:
        for UDP: openvpn[8046]: write UDPv4: Network is unreachable (code=101)
        for TCP: openvpn[8108]: TCP: connect to [AF_INET]209.95.50.87:80 failed, will try again in 5 seconds: Network is unreachable

        Now they said I need to try each IP address linked to the hostname with port too… there are 13 of them… + combination with the port number. will take some time to do it.

        I am wondering, maybe it’s a network problem on my side that I have. My router connected to my computer is connected to another one, I don’t know if it can make trouble ? So right now: modem => router 1 in WAN port => LAN port of router 1 => LAN port of router 2. I am no expert in network maybe this way to do it is not good. You may wonder why I have two router… I got a router in one building (the one that have the modem) and another one in another building.

        I tried their Windows little software to connect to the VPN, it works correctly. I wanted to make the router works because it would be less painfull with other connected devices and even those not supported by app or something.

        Thanks for support.

        1. William C. Post
          Author
  23. Hello,

    I noticed this was updated 01/08/16 but I did not see a change in any of the steps. Also, after applying these to my
    router, (RT-AC68U) it would work initially, but the speeds are dramatically slower, and after a day or so, it drops my connection. I would then have to go back in to service state and turn it back off to gain connection. Does anyone know what I am doing wrong? One last thing, does anyone know how to use IP Vanish on a TAILS OS?

    1. William C. Post
      Author

      In the Advanced Settings section and next to Redirect Internet traffic, select Policy rules from the dropdown list. Then choose Yes for the Block routed clients if tunnel goes down field.

  24. Is there also an updated tutorial for cyberghost VPN?
    Using it on my AC68U and it doesn’t work anymore since a couple of weeks.
    The tread in the cyberghost forum is quiet old and support couldn’t help me so far.
    Thanks for your efforts!

    1. William C. Post
      Author
  25. I’m using Asus RT-N66R (Asuswrt-Merlin Firmware).
    How do I change the server?
    Do I have to create a new client instance for different server location (ie: Florida, Germany, Canada, etc)?

    1. William C. Post
      Author
  26. Great tutorial, worked a treat for ipvanish, even so much I get the routing conflict error on my AC-68U, be very interested in hearing if there is a fix soon.

  27. I’m not able to reply to the last comment, for some reason.
    I followed all of the steps on the PIA link and step 23 says “To Verify the VPN is Working, Navigate to Status > OpenVPN
    Under State, you should see the message “Client: CONNECTED SUCCESS””
    Mine doesn’t, of course. mine says “Client: RESOLVE ” and a lot of other information below it that doesn’t make any sense to me. I’m not sure what is safe to screenshot and post.

    1. I thought I had it all set up but somewhere in changing all of the router settings, something happened to just make me not able to connect to the internet through it at all. I had to reset the router to factory specs to get a connection through it again.

      I’m in over my head trying to make this work. Might have been a bad idea.

  28. Hi. I’m trying to set up two routers to VPN one of them using your guide at https://vpntips.com/how-to-unblock-any-digital-media-player/
    I think I got through most of it (aside from #6 Under the “Administration” menu, enable the “Allow web access from WAN” – I don’t see this option anywhere), but setting up the VPN on the TP-LINK TL-WDR3600 Wireless N600 Dual Band Router you recommended has me baffled. I have no technical knowledge of these things and I can’t find anything online. I’ll be using a Linksys E2500 as the internet router and the TPLink as the VPN router. I’m stuck at step 2 on this guide. I don’t see anything labelled VPN in this TP Link routers settings.

    1. William C. Post
      Author

      Hi Shawn,

      You can find the settings for OpenVPN under Services > VPN provided that you've replaced the router’s firmware with the dd-wrt firmware for TP-LINK TL-WDR3600. On a dd-wrt router, the settings for the OpenVPN client look similar to this.

      1. Hi William, thanks for the response. I realize that I forgot to mention, I have an account with Private Internet Access. Hopefully it works in this situation.

        I haven’t updates the router firmware. So that’s something I’ll need to do?

        Thanks again.

      2. Strange issue. When I unboxed the router, I had to go to 192.168.0.1 to get into the settings. After using your other guide, and changing the settings, I then had to go to 10.0.0.1 to get into the settings. Now, after updating the firmware one of the ones you linked here (one didn’t do anything, the other updated successfully, but I can tell which is which now), I can’t log into the router settings at either of those addresses anymore. I just get blank “webpage is not available” pages.

        1. William C. Post
          Author

          Yes, it works with PIA. When you’re installing the dd-wrt firmware on your router, make sure you’re connecting to it using an Ethernet cable. Here are instructions of how to install dd-wrt on a TP-LINK TL-WDR3600 router.

          1. I finally figured out what was up with the firmware issue and not being able to get into the router settings. I’m still stuck in a couple places. Step 6 from the other guide I referenced earlier regarding going to Administration and “allowing web access from WAN” – I still don’t see this option in the new firmware either.

            And I’m still stuck on step 2 here. I don’t see anything about VPNs in the advanced settings. I screenshotted the only thing I could find regarding VPNs.

            http://imgur.com/nMQ4Gzo

          2. William C. Post
            Author

            Hi Shawn,

            To allow web access from WAN on a dd-wrt router, follow the instructions here. To setup Private Internet Access on a dd-wrt router, follow the instructions here.

  29. Hello
    I have Asus Merlin 374.43_2 running on my RT-AC68U.
    With this my wifi signal is the best, and I don’t want to change it.
    I have http://www.privatetunnel.com as my VPN
    I downloaded the openvpn config from them for the Miami gateway, since I am in Miami and it’s closer
    Followed the steps above and it looks like it is on but it’s not, or nothing is going thru the VPN client
    The OpenVPN Client1 shows running BUT nothing is going thru the VPN
    Everything just shows ZERO
    So can you help me with this please.
    Thank you
    philmiami

    1. William C. Post
      Author

      Hi philmiami,

      Setting up PrivateTunnel on the router is easy. First, download your OpenVPN profile from PrivateTunnel. Next, on the router simply import the OpenVPN profile you downloaded then click Apply. That’s all you have to do. Check your IP address here. To see your VPN client status, go to VPN > VPN Status. Wait a few seconds then hit Refresh button a couple of times if there is no data.

  30. Thank u for this guid, it helped me setup my open vpn to pia using merlin firmware. I was now looking for a way to open a port for utorrent while on vpn. I read about a thread on pia forum on how to run a script that requests a port. However that did not work for me. I am not that advanced user in scripting. I was wondering if any one can help by putting a step by step guid explaining this.
    Apreciate the help!

  31. Im working on trying to get the PIA VPN up and running on an Asus RT-68R running Merlin Firmware 378.56.2. The Basic WAN settings are mostly default with the exception of UPnP being active and selecting my own DNS servers as opposed to those supplied by the ISP. IPv6 is disabled, etc.

    I have followed this guide to a “T” with no luck on getting the VPN to connect. Instead, in the logs, I get the following errors when attempting to connect:

    Dec 5 12:38:39 openvpn-routing: Refreshing policy rules for client 1
    Dec 5 12:38:39 openvpn-routing: Allow WAN access to all VPN clients
    Dec 5 12:38:39 openvpn-routing: Refreshing policy rules for client 2
    Dec 5 12:38:39 openvpn-routing: Allow WAN access to all VPN clients
    Dec 5 12:38:39 rc_service: udhcpc 3590:notify_rc start_vpnclient1
    Dec 5 12:38:39 dhcp client: bound xx.xx.xx.xx via xx.xx.xx.xx during 3600 seconds.
    Dec 5 12:38:42 openvpn[3736]: Options error: Unrecognized option or missing parameter(s) in config.ovpn:20: tls-remote (2.3.8)
    Dec 5 12:38:42 openvpn[3736]: Use –help for more information.
    Dec 5 12:38:42 dnsmasq[3772]: warning: interface ppp1* does not currently exist
    Dec 5 12:40:57 rc_service: httpd 3389:notify_rc start_vpnclient1
    Dec 5 12:40:59 openvpn[3788]: Options error: Unrecognized option or missing parameter(s) in config.ovpn:20: tls-remote (2.3.8)
    Dec 5 12:40:59 openvpn[3788]: Use –help for more information.
    Dec 5 12:41:00 dnsmasq[3826]: warning: interface ppp1* does not currently exist

    According to PIA website, the dnsmasq parameters usually get set when using DD-WRT firmware on routers running it. However, it doesnt appear that these options are able to be manipulated via the Merlin GUI. Anyone have any ideas?

    PIA DD-WRT link: https://www.privateinternetaccess.com/pages/client-support/dd-wrt-openvpn
    Asus Merlin dmasq WiKi: https://github.com/RMerl/asuswrt-merlin/blob/master/release/src/router/dnsmasq/dnsmasq.conf.example

    Thanks ahead of time for anyone that might be able to assist.

    1. William C. Post
      Author
  32. I want to run vpn on my asus router . I have flashed dd-wrt on it. But the problem is that in my college I can connect to the internet only through college proxy(with authentication).I have to fill in proxy and userid pass in all tuneling softwares to unblock content. How can I make vpn run on router through proxy settings as I mentioned?

  33. Hi – I’ve followed all your instructions to set up my VPN and INternet routers but when I go to set up the OpenVPN client I don’t have the Tab that you show in your screenshot. It just shows ‘VPN Server’, ‘VPN Details’ and ‘VPN Status’ have i bought the wrong VPN router or is there a way to upgrade with alternative firmware? I’m using an Asus RT-N10U.

    Many thanks

    1. William C. Post
      Author
  34. Thank you for the config. Has been struggling until I saw this….
    The custom config script saves the day.
    Working fine with IPVanish on 2 machines
    1. Asus ac66U on asus merlin firmware and
    2. Netgear R8000 running kong dd-wrt
    Again, thank you

  35. I’m also having issues with IPVanish. When discovering the IP adress with db-ip.com and running “ip route delete 94.242.205.146” I’m getting the error: “RTNETLINK answers: No such process”

    How can I make this work?

    1. William C. Post
      Author
  36. Hi William

    I updated my router with the Asuswrt-Merlin software and followed your instructions in setting up an OpenVPN client using my ipvanish account. On initial setup it worked fine however when I switched the ‘Service state’ from on to off and then on again, a message pops up saying ‘Error – Router conflict! The same message appears when I change the ‘redirect internet traffic’ from All traffic to No. The only way that I can reconnect back to my OpenVPN client is by resetting the modem which is very frustrating.

    The reason I switch from VPN to standard ISP connection is that I don’t want certain devices in my home using the VPN and also using the VPN slows down the internet as I have a standard DSL connection.

    I reside in Australia and recently have purchased a Roku 4 to test my VPN however will not be able to if my router VPN keeps dropping off.

    I am also having problems with my wifi on my HTC one M7 (Android Phone) when my VPN option is switched on in my router. All other devices seem to work well. The phone connects to my wifi signals both (2.4 and 5 ghz) however does not connect to the net or anything online. Why is it doing that?

    My router is a RT-AC68U and internet provided via a DSL modem.

    Please help 🙁

    Thanks

    1. Glad you brought that up Lal -as I just setup IPVanish on the same router (RT-AC68U connected with an external DSL modem) – setup went through perfectly due to the excellent guide on this site and all of my devices function well – the only problem I’m having is the same as yours – if I turn off “redirect internet traffic” (to compare speeds etc) then when I switch it back to all, the router will not connect to the VPN again without a reboot.

      I am currently on Merlin’s latest 378.56_2 stable firmware and have no other problems aside from this – I can live with it but it’s also picking threads out of my normally passive OCD 😉

      1. William C. Post
        Author

        Guys, thanks for the heads-up. I’ve added the solution to the routing conflict problem you experienced in the new Q & A section at the end of the article. Let me know how it goes.

  37. I also am a newbie not just on vpn but on networking as well. However I try to muddle along.

    I was running ipVanish on individual computers. I have now installed it , using your wonderful clear instructions, on my RT AC87U router. I have internet access on the router, VPN client is running as shown, and I can get on the internet on all computers except the Windows 10 one that I used to install on the router.
    I keep getting the message that my DNS settings are wrong.

    Does anyone know how to resolve this problem?

    Should I uninstall ipVanish from this computer?

    New question.
    Can I hook up more than 1 router to my modem? I have several routers including an RT AC68U. My modem has 4 ports so it seems to me I should be able to hook up 4 routers but I don’t know if I can. If possible, I would like a second one that will be less accessible by others in the office.

    Thanks for any help

    1. William C. Post
      Author

      Hi Bill,

      Glad to know you managed to install VPN on your router following my guide 🙂

      You no longer need to keep the IP Vanish VPN on the Windows machine since VPN now runs on the router. It tunnels the traffic from all devices in your home network.

      Yes, you can connect more than 1 router to your modem. How to exactly configure each router so it won’t conflict with others depends on what you’re trying to accomplish, and the capabilities of your modem. Which modem do you use?

  38. My Raspberry Pi is wired to my router. Is there anyway I can set this to only VPN via wired and leave my wifi as normal?

    Or better yet just simply install IP Vanish directly on the raspberry pi running osmc so nothing is affected

    1. William C. Post
      Author

      Hi Joe,

      The easiest approach for you would be to install the IP Vanish VPN on your Raspberry Pi. You need to run a shell script which shapes the traffic using firewall rules if you want to tunnel only specific clients through the VPN connection on the router. I am working on a guide that shows how this can be done. Make sure you subscribe to my newsletter to be notified when it’s complete.

  39. What if I would like to install the client on 3 different laptops, but each of them should have their own private key. How do I send pub key for each client to the router?

    1. Hi Michael! We checked with the developer of the Asuswrt-Merlin firmware; unfortunately, it doesn’t support more than 2 Openvpn profiles.

    1. William C. Post
      Author
  40. Having trouble getting the PIA config to apply on my ASUS WRT-N10P after inputting all of the required information manually or loaded from a .opvn file provided by PIA. Once I apply the settings, it refreshes and doesn’t save anything that was filled in. I have done a factory and settings reset, but still continues. Any ideas?

      1. Ditto Grant & rob m – I too see the same issue on RT-N10P where it doesn’t appear that the VPN settings completely save. After hitting Apply the PIA username and password disappear. Also the certificate authority disappears (sometimes). Also the custom configuration keeps disappearing.

        I tried uploading the *.opvn files from PIA. It looks like some of those settings tend to “stick” like user address and the custom configuration, but others do not (username, password, redirect traffic, etc.)

        Using latest firmware (pre-mod 8-2).

        I will need to flash Tomato soon if I can’t get this resolved.

  41. Mediafire Gegenstelle hat Handshake im alten Stil versucht (angriffsgefährdet). (Fehlercode: ssl_error_unsafe_negotiation)

  42. Hi William,

    I couldn’t figure out how to do it that way, what I did instead was I set my laptop a static IP address via the router, and then redirected all VPN traffic using a polciy rule to the source IP of my laptop.

    Seems to be working fine now.. will let you know how I go still testing things out with this puppy! Thanks for your help!

    Thomas

    1. William C. Post
      Author
  43. Hi there,

    I want to set up my open VPN (I’m using private internet access) to where it is ONLY connected to one port on my router.

    So, I have 4 ethernet ports, and for example, I only want port 1 to have access to the VPN, so when I plug in my laptop to port 1 it will be running off the VPN connection only.

    Is this possible to do with the merlin firmware?

    Obviously I don’t want the wireless to be connected to the VPN or any other connections to my router, just port 1.. please let me know 🙂

    Thomas

    1. William C. Post
      Author
  44. Great tutorial, im a newbi and every thing is clear and presice and everything worked for me thanks…

    1. William C. Post
      Author

      I am glad it eventually worked for you. Don’t hesitate to post if you have further questions.

  45. I see you are using Merlin. In previous comments you stated that this will work on the RT-AC87R/U also. However, I have the AC87R and the configuration screens are very different then what you show. I follow the config as close as possible (login creds, server name, load config file for server in question and add the hash. ) The stock firmware (Non-DD-WRT nor Merlin, updated to 3.0.0.4.378_6117) shows the VPN up and connected however, the IP reporting back to me is the same as non-VPN IP (Using your site or IPCow).

    1. I have the same question. Is this possible to do on stock Asus firmware without installing merlin or anything else? Thanks.

  46. Hi

    I just did this and I just have one question…shouldnt the WAN IP, under Network Map, change? The OVPN is active but the IP-adress is the same as with the OVPN deactivated.

    1. William C. Post
      Author

      Hi,

      VPN doesn’t change your WAN IP, it simply masquerades it. Every time you connect to the Internet, a public IP is assigned to your router by the ISP. This IP address is your WAN IP and it’s used by your router to communicate with other devices on the Internet. As soon as the VPN starts running, it creates a private network interconnecting your router and the VPN server; future communications are carried through this private network, using your existing Internet connection.

      1. Thx for answering! I suspected as much.
        I’m a newbe to this VPN-thing…is there a way to check the IP provided by the VPN? Just wanna be sure in these piracyhunting days…

        1. For a quick audit of what info your browser is sharing with websites, check out http://ipleak.net/ . If you go there while on a VPN, the IP address provided by your VPN will be shown at the top of the page. That site will also allow you to test what IP your torrent client is exposing to the public. For a more complete browser privacy audit, try http://www.browserleaks.com/

    1. William C. Post
      Author
  47. Message to Ben.

    Yes, you can install IPVanish on a DSL-AC68U. I have just installed it on a DSL-AC68R:
    1) Go to IPVanish software support site and download two files:
    a) Certificate file: ca.ipvanish.com.crt
    b) openVPN file for the server you are planning to use, eg. ipvanish-US-LAX-a01.ovpn
    2) On your modem, go to VPN, VPN Client, Add Profile.
    3) Enter any name, your login details and load the ovpn file.
    4) Select to upload the certificate and upload the .crt file
    5) Click Save and Activate.

    That should be it 🙂

    1. William C. Post
      Author

      Jens, thanks for verifying this. Are you using the ‘official’ firmware, or a customized firmware?

  48. Awesome read but i can’t work out how to setup my IPVanish Client
    Do you have instructions to install IP vanish client on an DSL-AC68U?
    And is there anything else i need to complete the setup.

    Thanks in advance

    1. William C. Post
      Author

      Hi Ben:
      I don’t think you can install IPVanish client on your modem-router. As far as I know there isn’t any firmware that supports OpenVPN client for DSL-AC68U. To setup IPVanish on a router, get a second (VPN) router that has firmware to support the OpenVPN client, and connect it to DSL-AC68U. My latest article explains how you can set this up and lists some compatible routers. I recommend you give the two-router setup a try.

  49. Do you have instructions to install IP vanish client on an RT-AC66U? Is there any other hardware necessary the open VPN configuration does not match IPvanish instructions.

    Thanks

    1. William C. Post
      Author

      Hi Craig,
      To install IPVanish on your RT-AC66U router, first download and install the Asuswrt-Merlin firmware. Then, simply follow the instructions in the article.

  50. Great read! I am a VPN newbie who just signed up for IP Vanish. I have a Netgear WNR 3500 running DD-WRT v24-sp2 (8/12/10) mega. It supports open VPN; however, the DD-WRT configuration instructions provided by IP Vanish do not match up with the settings available on my router. Any advice on where I could begin to educate myself on how to configure my router? Alternatively, I am considering purchasing an ASUS RT-AC66R and loading with DD-WRT. IP Vanish sells this model on its website, pre-loaded with DD-WRT. I am assuming I could load the same version of DD-WRT on one purchased elsewhere and configure it using their guide. I appreciate any feedback. Thanks

    1. William C. Davis Post
      Author

      You can set up firewall rules on the router using the “iptables” command and control which devices can use VPN. It’s a bit involved to explain how this works in the comment area. But I promise I will add this next time I update the article. Here is a basic outline of it works:
      1. Enable SSH on the router.
      2. SSH into the router and set up JFFS partition.
      3. Create a script file that contains the firewall rules and defines the clients that can’t use VPN.
      4. Run that script.

      1. Your articles are very written for novices like myself. Thank you.

        I would like to do the same thing as Robert asked (How can I make specific devices use IPVanish’s VPN which others devices default to non-VPN?). Would you be open to helping us with an step-by-step article showing how to do this with an ASUS RT-N66U router, running the latest Asuswrt-Merlin firmware? I do not have two routers but I do have a Roku3 and an Amazon Fire TV. These I would like to run on a wireless VPN tunnel connection and my home computers on my ISP’s standard connection.

        Any assistance is greatly appreciated!

        1. William C. Post
          Author

          Hi David,

          My next article will demonstrate how to selectively route traffic on Asus router to allow certain devices to use VPN, and others default to non-VPN. Make sure you subscribe to my newsletter to be notified when it’s complete.

          1. Thanks!

            I should clarify my request a bit. I have seen some fairly confusing posts elsewhere approaching the problem through exclusions to the VPN. For my needs ( a couple of Fire TVs running Kodi) I would think that approach would be inefficient as I have many more computers, iphones, ipads, etc that do not have fixed IP addresses. I was thinking that specifying the two Fire TV IP addresses (or even better their MAC addresses) that need to be routed through the IPVanish VPN would be more efficient and easier to maintain.

            In addition, I would like to learn how to block outbound traffic from theses devices to specific domains to avoid unwanted software updates from taking place. It turns out that one of the domain names is 2 characters too long to block it from within the firmware UI (I suspect its a bug in the firmware UI).

            I would be ever so grateful for one of your step-by-step tutorials on these two topics. I imagine there are many more folks who would be as well.

            Again, thank you!

    1. William C. Davis Post
      Author
  51. Just to be clearer, you could update your article to specify that this is about installing a VPN /client/ on a router.

  52. Great question! If you install IPVanish on the router you protect all devices that use that router, because all outgoing connection are going through the secure tunnel to IPVanish’s VPN server.

    You can also use the ASUS router as a VPN server for “incoming” connections, for example if you want to connect to your home network from a laptop while you are traveling. For that to work you need to install a VPN client on your laptop or mobile device (Tunnelblick for example) that will then connect to your ASUS router.

    You should be able to run both at the same time, so if you wanted to access the Internet via your home router, it should still route your requests via IPVanish. However, if you already have an IPVanish subscription, it would certainly be faster to simply install IPVanish on your laptop or mobile and use it directly 😉

  53. Just wondering why is it necessary to use IPVanish when the router supports its own OpenVPN server? How would one set up OpenVPN on the server and client side?

Leave a Reply

Your email address will not be published. Required fields are marked *