There are many reasons to install VPN on your home router. First, running VPN on your home router provides a layer of protection to all devices on your network so you don’t need to set up VPN on each device. Second, Apple TV, Fire TV and other media players generally don’t allow you to install VPN on them, so running VPN on your router is often the best option to access restricted content. Finally, most VPN providers allow only three concurrent connections. By installing VPN on your router instead of each device you bypass this limitation. In this article I’ll show you how to set up an OpenVPN client on an Asus router running Asuswrt-Merlin firmware. (If you want to read my upcoming article about setting up VPN on dd-wrt routers be sure to sign up for my newsletter.)
I use an Asus RT-AC68R, which is hands down one of the best (VPN) routers on the market. Before we set up the OpenVPN client let’s first replace the router’s firmware with the awesome “Asuswrt-Merlin” version. This custom-built firmware offers advanced VPN features that let you configure up to five OpenVPN clients and also offers a “Routing Policy” feature to specify which devices can use VPN and which can’t, a true pro level function. To download the latest Asuswrt-Merlin firmware and instructions click here. Backup your existing settings before installing the new firmware.
- First, download and save the OpenVPN configuration files (.ovpn) from the VPN provider’s website. Some providers (HideMyAss) offer separate configuration files for connections using TCP or UDP protocols. I almost always use UDP. The difference between UDP and TCP is minor. Here are the links to each provider’s OpenVPN configuration files.
First, log in to the AirVPN Client Area. Click Config Generator to load the OpenVPN Configuration Generator. Follow the instructions to generate and download your configuration file. Next, on the router, simply import the OpenVPN file you downloaded and click Apply.That's it. You can skip the rest of the instructions.First, download the proXPN OpenVPN configuration file: proxpn.ovpn. This file includes all the default settings you need. Second, go to the proXPN server location page, choose an OpenVPN server, and then copy its IP address. Next, edit proxpn.ovpn in a text editor; replace the IP address on the first line with the IP address you copied from the location page. Then, on the router, import the edited proxpn.ovpn file. Finally, next to Redirect Internet traffic, choose "All traffic" and click Apply. That's it. You can skip the rest of the instructions.
- Open a web browser and enter the IP address of the router. Once logged in successfully you’ll see the Administrative page, as shown in Figure 1-1. Navigate to Advanced Settings and select VPN > OpenVPN Clients.
- Client Control
- Underneath the Client control section, right next to the Select client instance option, choose a VPN client instance from the drop down list.
- Next, click Choose File, select a configuration file you downloaded earlier, and click Upload. This applies the default settings for you.
- Next, we’ll go through and fine-tune each setting. Let’s start with changes to the Basic Settings.
- Basic Settings
- Start with WAN: Select
Yesif you want the VPN to start automatically when the router boots; select
Noif you want to manually start the VPN.
- Interface Type:
- Protocol: This setting is pre-selected by the file you imported.
- Server Address and Port: The “Address” and “Port” fields are pre-selected by the file you imported.
- Authorization Mode:
- Username/Password Authentication:
Fill in the username of your VPN account
Fill in the password of your VPN account
- Extra HMAC authorization:
- Create NAT on tunnel:
- Start with WAN: Select
- Advanced Settings
- Poll Interval:
- Accept DNS Configuration: Choose
Strictto use the provider’s DNS settings; choose
Disabledto not use the provider’s DNS settings.
- Encryption cipher:
- TLS Renegotiation Time:
- Connection Retry:
- Verify Server Certificate:
- Redirect Internet traffic:
No. Using the “Policy rules” option allows you to specify which devices connect to the Internet through VPN, and which devices connect directly.
- Poll Interval:
- Custom Configuration
persist-remote-ip keysize 256 tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-DSS-WITH-AES-256-CBC-SHA:TLS-RSA-WITH-AES-256-CBC-SHA
tls-client remote-cert-tls server reneg-sec 0 disable-occ
remote-cert-tls server tun-mtu 1500 tun-mtu-extra 32 mssfix 1450 fast-io ping-restart 0 route-delay 2 route-method exe script-security 3 system mute-replay-warnings
ping 5 ns-cert-type server route-metric 1 ping-exit 30
auth MD5 ping 5 ping-exit 60 ping-timer-rem explicit-exit-notify 2 script-security 2 remote-cert-tls server route-delay 5 tun-mtu 1500 fragment 1300 mssfix 1300 cipher AES-256-CBC
- Now, scroll back up to the Basic Settings section, click on the link Content modification of Keys & Certificates, and a pop-up window will appear, as shown in Figure 1-2.
- Next, go to the folder containing the OpenVPN configuration files you downloaded earlier. Open the key and certificate files using a text editor. Copy and paste the entire contents of each file into its corresponding text box in Figure 1-2. Open ca.ipvanish.com.crt. Copy and paste its contents into the Certificate Authority text box.Open ca.rsa.2048.crt. Copy and paste its contents into the Certificate Authority text box.Open ca.crt. Copy and paste its contents into the Certificate Authority text box.No action is required.
Open ca.crt. Copy and paste its contents into the Certificate Authority text box.
Open client.crt. Copy and paste its contents into the Client Certificate text box.
Open client.key. Copy and paste its contents into the Client Key text box.
- Click the Apply button.
- Return to the Client control section and make sure the Service state is switched to
- Now verify your VPN client status by navigating to VPN > VPN Status, as shown in Figure 1-3.
By setting up VPN on your router you’ve added an extra layer of protection for devices connected to your home network. I appreciate all the wonderful feedback. Keep commenting, your support makes this site better!
Q & A
Fix for the “routing conflict” error
A couple of readers said they got a “routing conflict” after they made changes to the VPN settings. After testing this issue with IPVanish, PIA and Torguard it seems this problem is exclusive to IPVanish.
When disconnecting from the IPVanish server the remote IP address assigned to the router’s WAN interface should be removed automatically, but it isn’t. This causes the “routing conflict” error when you re-connect by toggling the “service state” button, or by clicking the “apply” button. This error shouldn’t interfere with your VPN connection, but it does mess up routing tables, and it’s annoying. I have submitted this issue to Erich – Asuswrt-Merlin FW developer, and IPVanish. I’m hoping to see an official solution soon.
Until there is a solution to this problem you can temporarily fix the “routing conflict” by manually removing the route that should’ve been automatically removed by the VPN server when it disconnected. This manual fix is required each time you disconnect from the VPN server, or after you make changes to the router settings. Here are my brief instructions:
- Log into the router using SSH
- Delete the route associated with the VPN server as shown below (s.s.s.s is the IP address of the VPN server).
ip route delete s.s.s.s
Got a question? Post it in our forums. We’ll work it out.