Hi guys,

as i wrote the previous DD-WRT tutorial, i was happy to get my line covered. But now i am on VDSL 50/10 and i want more speed and something new to work on ;-)

So here is my tutorial for the Merlin (Asus based) Firmware.

This tutorial is made with a Asus RT-87U Router. I decided to buy this one because of a few reasons. Good performance as you can see here and two separate DualCores for each Wifi (which are not as used as good in DD-WRT)! O/C function, alternative Firmware from Merlin, which is based on the original one and etc.

Merlin is common for Asus, but there are a few developers, who port it to other routers as well. So here we are now. At the end you are able to choose which client should use which Gateway (WAN/VPN) for which URL, or all, or nothing Furthermore you are able to connect to all devices in your whole network, if you are connected to the Merlin Router.

VPN gives me 45mbit down, parallel 6mbit up.

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>><<<<<<<<<<<<<<<<<<<<<<<<<<<<<

Router 1 (LAN Port) - Router 2 (WAN Port)

Router 1: Fritzbox 7170 for ISP connection, used in Router mode on VDSl 50/10
LAN IP: 192.168.178.1
DNS: use secure DNS servers here
DHCP enabled

Router 2 (VPN Router): ASUS RT-87U, Merlin 380.57
LAN IP: 192.168.1.1
DHCP enabled (100-140)
SSH enabled

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>><<<<<<<<<<<<<<<<<<<<<<<<<<<<<

Be sure, that you are always connected to the Asus Router and may have to reconnect if you change cables ...

1) WAN internet connection automatic or static, i use Static, go to WAN tab:

You should be able to surf the net and connect to other devices in your subnet 192.168.1.0/24 or 192.168.178.0/24 That's important.

2) VPN Client, go to VPN / OpenVPN clients

Do not play around with other client tabs! I have spent a whole day, because of testing vpn on client 1, at least i use client 2, but the playing around on client 1 had blocked my WAN port, inspite of having this client disabled!

Client control / Basic Settings

In my case, select instance Client 2 (it means tun12 later on). Now browse to your openvpn (YourUsername.ovpn) file and upload it. Select "Start with WAN". Protocol UDP or TCP, Fill in Username / Password. Choose Authorization Mode to TLS and click on "Content ..." next to TLS. 

Put in your complete NVPN cert in "certificate authority" and click SAVE
 

Advanced settings:

- choose your Encryption cipher (you can find this inside your YourUsername.ovpn file, if unsure) but usually it is "AES-256-CBC"
- Redirect traffic to "Policy rules"
- Block routed clients as tunnel goes down (also known as killswitch) - "YES"

Put in your clients, which should use VPN and point them to Iface VPN and Destination 0.0.0.0 (0.0.0.0 means all destinations). I use manual IPs via Mac Adresses (LAN/DHCP Server). If you connect to the Asus your device should be shown in this list and you can choose them.

Clients which are not mentioned use WAN / ISP IP.

If you want all your clients o be routed to the VPN use (in my network) 192.168.1.0/24 - 0.0.0.0

Destination IP could also be used with a single IP, or entire IP range.

Click APPLY - your service state should be green, otherwise check in the system log in this section.

Check on http://check.nvpn.net whether you are successfully connected to the VPN, as in my example my phone is (192.168.1.151), or if you are on WAN (in my case all other devices).

With the tutorial above you are only able to connect ALL devices if your PC is in the ASUS subnet. 

How to get to the Asus subnet, if you are connected to the ISP Router (not to the Merlin one), means your PC is in subnet 192.168.178.x?

1.) At first, put in a static route in ISP router which points to the Asus subnet and WAN IP: 
Network 192.168.1.0, 255.255.255.0, Gateway 192.168.178.7 (WAN IP Asus)

2.) Second, ASUS Router admininstration/ system/ webinterface:
https - enable web access from WAN (8443) - now your ASUS IP is https://192.168.1.1:8443 or alternatively https://192.168.178.7:8443

3.) to get connected to other devices, mayby to my NAS (192.168.1.99) port xxxx:
ASUS Router - WAN - Portforwarding - put in your local IP and Port : 192.168.1.99 port xxxx

4.) Now you are able to connect to your NAS via http://192.168.178.7:xxxx from ASUS AND as well from ISP Router subnetwork! From Asus Router subnet side, there it's always possible via http://192.168.1.99.:xxxx

"System Log - Port Forwarding" should show you now the preroutings via nat-start (if you have such) and the vserver routings which you have added in the last few lines!

Its DONE!!!

A few important final notes to get along:

If you want your devices to be "connectable", then you have to put in some iptables rules in order to get this working. In my case my NAS (192.168.1.99) is behind my router and i want to connect to this via tunnel, or maybe it should be connectable for BT (TCP).

Go to Adminstration / System

Apply & Reboot!

Now connect via ssh and go to /jffs/scripts/

Save a script named "nat-start" with your ports(s), xxxx and IPs:

#!/bin/sh
sleep 4 
iptables -t nat -I PREROUTING -i tun12 -p tcp --dport xxxx -j DNAT --to-destination 192.168.1.99

Give the script the rights via "chmod 777 nat-start"

You should be connectable via VPN IP right now (if the device is in VPN, and the port is also open in your NVPN Firewall in user section).

I overclocked the asus to 1200/800, ssh:

nvram set clkfreq=1200,800 
nvram commit

To get this as permanent (after reboot), use a script named "services-start" in /jffs/scripts/

#!/bin/sh
sleep 4
nvram set clkfreq=1200,800
nvram commit

Do not forget to "chmod 777 services-start"

Have a look a settings guide for your Router, for myself i found one for best Wifi etc. settings. Turn everything off, which is not needed, WPS …

Save your settings and backup JFFS partition.

Good luck!

Thanks to our member netguru for the text tutorial!