TorGuard OpenVPN 2.4 Client Setup for Asuswrt-Merlin Firmware

This guide will show you how to configure the OpenVPN client on an Asus router running Asuswrt-Merlin firmware version 384.4 with the TorGuard VPN service.

You have two options for deciding how traffic is routed thru the VPN tunnel: All Traffic or Policy Rules.  All Traffic routes your entire network thru the VPN tunnel.  Policy Rules allow you to configure which clients use the WAN and which ones use the VPN tunnel.  Advanced users can also selectively route certain traffic to the WAN interface or to one or more VPN tunnels; for example, you can define the routing for one or more websites or for streaming media traffic.

Download the OpenVPN Configuration File

Log on to the TorGuard web site.  Some of the pages you will need to refer to are only available when you are logged into your account.

Note the domain name of the TorGuard Server you want to utilize.

Determine the cipher level you want to use on the TorGuard Spec page.

Access the OpenVPN Config Generator.  You can also access the config generator from the TorGuard Client Area menu system by selecting Tools > OpenVPN Config.

Select the ASUS radio button.  Select the VPN Server Hostname/IP, VPN Cipher and VPN Port that you want to use.  For this example, I selected the USA-LA server and the AES-128-GCM cipher for the best OpenVPN performance.  I want to use port 443, but it is not available in the drop down list; I will show you how to change the port later.  Select the Generate Config button.

A download pop-up window appears.  Select the option to save the configuration file.  Note the directory path and file name where you saved it to.

Import the OpenVPN Client Configuration file

In the router menu, select VPN > OpenVPN Clients tab.  In the Client control section, choose the client instance you prefer from the Select client instance drop down list.  I selected Client 2 for this tutorial.  Select the Browse button next to Import .ovpn file and select the configuration file you downloaded from TorGuard.  Select Upload.

Configurations required for All Traffic

Follow these instructions if you want all LAN clients on your router to use the OpenVPN client.


Description: TorGuard LA Server

Start with WAN: Yes (Have VPN auto connect on boot)

Server Address and Port: If desired, update the port number to match one of the ports listed on the TorGuard specs page.

Username/Password Authentication: Enter your TorGuard VPN Username and Password.

Username/Password Auth. Only: Yes

Accept DNS Configuration: Exclusive

Cipher Negotiation: Enable (with fallback)

Redirect Internet Traffic:  ALL

Select the Apply button to save the settings.  Change Service state to ON to enable the VPN Client.

You can verify successful connection by going to the VPN Status tab.  You can also navigate to TorGuard’s IP detection site for validation and dnsleak.com or ipleak.net  to perform DNS leak tests.  If successful, the sites should report the IP address of the TorGuard server configured on the OpenVPN Client page.

Configurations required for Policy Rules using Diversion Ad-Blocker

Diversion is the ad blocking solution for Asus routers using Asuswrt-Merlin firmware.  There are some special configuration changes required if you want to use Diversion over the VPN tunnel when using Policy Rules.  For Policy Rules to work, you must first define static DHCP IP addresses for devices that you want to route thru the VPN tunnel.  Navigate to LAN > DHCP Server tab to create the required entries.

After importing the OpenVPN configuration file, make the following changes if you want some clients on your router to use the VPN Tunnel and others to use the WAN interface.

Description: TorGuard LA Server

Start with WAN: Yes (Have VPN auto connect on boot)

Username/Password Authentication: Enter your TorGuard VPN Username and Password.

Username/Password Auth. Only:  Yes

Accept DNS Configuration: Strict or Disabled (See DNSMASQ and OpenVPN Section below)

Cipher Negotiation: Enable (with fallback)

Redirect Internet Traffic:  Policy Rules (Strict)

Block Routed Traffic if Tunnel Goes Down:  Yes will prevent traffic from egressing to the WAN interface if the VPN tunnel goes down.  No will allow traffic to egress to the WAN interface if the VPN tunnel goes down.

Custom Configuration:  dhcp-option DNS some.public-dns.ip (e.g. dhcp-option DNS 9.9.9.9).  You can list more than one public DNS server (See DNSMASQ and OpenVPN Section below).  If you prefer, you can use TorGuard's public DNS servers listed below:

Rules for routing client traffic thru the tunnel

For Policy Rules to work, you must configure the router's own IP address to use the WAN interface, especially if you have more than one OpenVPN client active.  For example:

Description: MyRouter

Source IP: 192.168.22.1

Destination IP: 0.0.0.0

Iface: WAN

Press the + sign to add the entry to the list.  Entering the LAN clients you want to route thru the WAN interface is optional.  This entry defaults client traffic to the WAN if they are not defined to use the VPN.

You must enter clients that will use the VPN tunnel.

Description: MyLaptop

Source IP: 192.168.22.152

Destination IP: 0.0.0.0

Iface: VPN

Press the + sign to add the entry to the list.  Repeat for other LAN clients you want to route thru the VPN tunnel.

Select the Apply button to save the settings.

Follow the same process for configuring other OpenVPN clients that you require.  The firmware supports up to five OpenVPN clients.  OpenVPN Client 1 has first routing priority, followed by OpenVPN Client 2, 3, 4 and 5.  If you use more than one OpenVPN client, the Router Source IP entry is the OpenVPN client that has the highest priority.  For example, if you use OpenVPN Client 1, 2 and 3, the Router Source IP entry is only required in Client 1.

DNSmasq and OpenVPN DNS

Diversion is the ad blocking solution for Asus routers using Asuswrt-Merlin firmware.  Diversion requires dnsmasq to work properly.  With Asuswrt-Merlin firmware, OpenVPN clients use the VPN tunnel's DNS.  As a result, Diversion will not work for LAN clients connected to the VPN tunnel when using Policy Rules, since dnsmasq is bypassed.  Diversion will still work for devices connected to the WAN, though.

The john9527 LTS fork has implemented DNS differently than Asuswrt-Merlin: the DNS rules are reversed.  With Accept DNS Configuration set to Exclusive, the VPN clients will use dnsmasq and Diversion will work.  There is also a check box controlling how the WAN clients are handled.  If you leave it unchecked, the WAN clients will also use the VPN DNS servers (but not the tunnel) and they can use Diversion.  If you check the box, the WAN client requests are sent directly to the WAN DNS servers and Diversion will not be available.

You have two options available to resolve the DNS and routing issues when using Policy Rules with Asuswrt-Merlin:

  1. Set Accept DNS Configuration to “Strict” and specify the DNS server for the VPN tunnel to use by adding the dhcp-option DNS command in the Custom Configuration section.  Without the dhcp-option command, Diversion updates will fail, the Diversion email function will no longer work and the wget command will not be able to resolve the domain name.
  2. My preferred recommendation is to install Stubby DNS over TLS.  Stubby will encrypt DNS queries.  To enable the OpenVPN Client to use Stubby, set Accept DNS Configuration to “Disabled”.

Troubleshooting Section

  1. If you want to change Server Address, enter one of the TorGuard hostnames in the VPN Client menu and select Apply.
  2. If you want to change the Legacy/fallback cipher, select the cipher from the drop down menu in the VPN Client menu.  If you change the cipher, the Port number also requires updating to a port associated with the cipher level.  See the TorGuard specs page.
  3. Depending on your router’s CPU, you may want to change the cipher to achieve the best performance.  If speed is the primary concern rather than encryption, then select “None” for the fastest performance.  From my testing, I am able to achieve the best encryption performance using the AES-128-GCM cipher and the SHA1 Auth Digest.  The more horsepower the router has, the higher the encryption can be set with less impact on throughput.
  4. If you are also using the OpenVPN Server on your router, make sure you select a TorGuard port that does not overlap with the OpenVPN Server port.
  5. The definition of the Accept DNS Configuration field values are as follows:
    • Disabled: DNS servers pushed by VPN provided DNS server are ignored.
    • Relaxed: DNS servers pushed by VPN provided DNS server are prepended to the current list of DNS servers, of which any can be used.
    • Strict: DNS servers pushed by the VPN provided DNS server are prepended to the current list of DNS servers, which are used in order (existing DNS servers are only used if VPN provided ones don’t respond).
    • Exclusive: Only the pushed VPN provided DNS servers are used.
  6. MTU warning messages in System Log file – Try removing the tun-mtu-extra 32 option from the Custom Configuration section if you see messages similar to the following in the System Log (according to TorGuard support, the warning messages do not cause any issues):
    • WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1558', remote='link-mtu 1526'
    • WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1532', remote='tun-mtu 1500'
  7. One reader was able to improve their overall OpenVPN speed by using Adaptive QoS.  Navigate to  Adaptive QoS > QoS tab.  Select Enable QoS.  Select the manual bandwidth setting and enter your ISP internet package speed in both the Upload Bandwidth and Download Bandwidth boxes.  Select Media Streaming and Apply.
  8. Optional Custom Configuration Options – You may want to experiment with the OpenVPN option fast-io.  According to the OpenVPN 2.4 Man Page, it is an experimental option to optimize TUN/TAP/UDP I/O writes by avoiding a call to poll/epoll/select prior to the write operation.  The purpose of such a call would normally be to block until the device or socket is ready to accept the write.  Such blocking is unnecessary on some platforms that do not support write blocking on UDP sockets or TUN/TAP devices.  In such cases, one can optimize the event loop by avoiding the poll/epoll/select call, improving CPU efficiency by 5% to 10%.  This option can only be used on non-Windows systems, when --proto udp is specified, and when --shaper is NOT specified.
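To check a downloaded configuration file against the points above before importing it (the dhcp-option DNS line needed for Policy Rules with Diversion, the tun-mtu-extra option from item 6 and the fast-io conditions from item 8), here is an added POSIX shell example; it is not part of this guide or of TorGuard's or Asuswrt-Merlin's own tooling, and the sample .ovpn it writes, including its hostname and port, is constructed placeholder data.

```shell
# Added example (not from the guide, TorGuard, or Asuswrt-Merlin): audit a
# downloaded .ovpn file for the settings this guide adjusts by hand in the UI.
# The sample config below is constructed; hostname and port are placeholders.

SAMPLE_OVPN="${TMPDIR:-/tmp}/torguard-sample.ovpn"
cat > "$SAMPLE_OVPN" <<'EOF'
client
dev tun
proto udp
remote us-la.example-torguard.invalid 443
cipher AES-128-GCM
auth SHA1
auth-user-pass
tun-mtu-extra 32
fast-io
EOF

# ovpn_opt FILE OPTION: print the first value of OPTION; exit 1 if absent
ovpn_opt() {
    awk -v opt="$2" '$1 == opt { $1 = ""; sub(/^ /, ""); print; found = 1; exit }
                     END { exit !found }' "$1"
}

# ovpn_audit FILE: print remote/cipher and one WARN line per finding
ovpn_audit() {
    f="$1"
    printf 'remote: %s\n' "$(ovpn_opt "$f" remote || echo '<none>')"
    printf 'cipher: %s\n' "$(ovpn_opt "$f" cipher || echo '<default>')"
    # Policy Rules with Diversion: the tunnel needs an explicit dhcp-option DNS
    grep -q '^dhcp-option DNS ' "$f" ||
        echo "WARN: no 'dhcp-option DNS' line; Diversion updates and wget fail under Policy Rules"
    # Troubleshooting item 6: tun-mtu-extra 32 is the usual source of MTU warnings
    grep -q '^tun-mtu-extra' "$f" &&
        echo "WARN: tun-mtu-extra present; remove it if the log shows link-mtu/tun-mtu warnings"
    # Troubleshooting item 8: fast-io needs proto udp and must not be combined with shaper
    if grep -q '^fast-io' "$f"; then
        { grep -q '^proto udp' "$f" && ! grep -q '^shaper' "$f"; } ||
            echo "WARN: fast-io requires 'proto udp' and no 'shaper'"
    fi
    return 0
}

# ovpn_warn_count FILE: number of WARN lines the audit produced
ovpn_warn_count() {
    ovpn_audit "$1" | grep -c '^WARN' || true
}

ovpn_audit "$SAMPLE_OVPN"
```

Run it against the file you saved from the TorGuard config generator by replacing SAMPLE_OVPN with that path; any WARN line points at a setting to adjust in the Custom Configuration section before uploading.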

OpenVPN 2.4 Man Page

For more information on OpenVPN 2.4 configuration options, visit the OpenVPN Man page.