Configuration of Asus Routers Running Merlin Firmware with OpenVPN

Configuration of Asus Routers Running Merlin Firmware with OpenVPN

NOTE: This is now outdated and Matthew has emailed me to let me know he'll be doing a new write-up soon.

Here's a guest blog post by Matthew Burkett on configuring the Merlin router firmware for OpenVPN.

Initial Setup

So starting from the point of opening the box or using the reset button, when you first power on the device you will need to enter the basic information. Secure username and password for the router login, wireless SSID (Name) and password for both 2.4 and 5 Ghz channels, and your internet connection info if it was not automatically detected by the router. At this point you should have a fast useable router with great wireless coverage, if you are a standard user congratulations your done. Get on face book and tell your friends, if you are like me however you have only just started.

Merlin firmware installation

Go to and on the navigation menu go to Asuswrt-Merlin sub link Download, from here find the model that matches your router. (If you can't find your model then it is not supported by the Merlin build) Once your file is downloaded and extracted somewhere you can easily find it, go back to the web GUI of your router. Go to Administration under Advanced settings from there to Firmware Upgrade using the tabs at the top. Next to New Firmware File click Choose File and navigate to where you saved the files that you extracted from the download from Merlin's site, click on the file that is the type TRX then click open. The file that you have chosen should now be listed on the page once it is click on Upload. Once the update is done double check all of you settings from the 1st step and fix them if necessary.

Peperations for OpenVPN and other enhanced router features

Once again go to the Administration section under Advanced Settings, then this time around go to the System tab at the top of the page. Under Persistent JFFS2 partition check both Enable JFFS partition and Format JFFS partition at next boot. Under Miscellaneous make sure you have the correct time zone checked, also check Yes on Enable SSH then select Apply at the bottom of the page. At this point you should install putty from if you are on windows. If you are using Mac or Linux the terminal will do just fine, just use (ssh userip) to connect to your router from terminal. For this tutorial I will be using putty on windows. There are multiple ways to modify the vars file if you know vi it is the fastest way, however I do not so I like to use nano or winscp from a windows machine. In order to install nano onto the Asus routers you need a flash drive or USB hard drive plugged into the router. All you need to do is connect to the router with SSH (putty) or a terminal and type "" without the quotes.

I will add details here in regards to setting up the usb storage and 
commands like mkfs.ext3 sometime in the future. As long as you have 
ssh enabled you can connect to the router and modify the vars file 
with relative ease.

Setting up the envrionment for the key creation

I am going to use the mount point of the JFFS for this part of the walkthrough. If you have a USB drive you can use that as well, I like the JFFS because it is built in and the Easy RSA file are small. To verify that you have the JFFS mounted correctly run "df -h" without quotes from putty and it will list all the mount points in your router, and you should see a file system mounted on /jffs with roughly 6% used. At this point run " /jffs" to copy the setup files to the jffs partition. Go to the location that was just made using the command "cd /jffs/easy-rsa". Now you can edit the vars file, either through the built-in "vi" editor (not recommended for novice users), or by installing the "nano" editor using Optware or entware, or simply by copying the file over to your computer with a program like WinSCP that can be downloaded from When using WinSCP it will default to the SFTP File Protocol be sure to change it to SCP. The vars file is located at /jffs/easy-rsa/vars. You can edit it with WinSCP simply by double clicking on it. The main fields that you will want to change would be these:

export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL=mailhost.domain
export KEY_CN=changeme
export KEY_NAME=changeme
export KEY_OU=changeme

Once you are happy with the vars file save it to the router (with WinSCP just click the little icon of the floppy drive or click file then save) with nano it is (Ctrl+o to save then Ctrl+x to leave nano). Now setup the environment by running the command "source ./vars" ,then initialize the environment with the command "./clean-all". The environment on your router is now ready to build your key files for the OpenVPN server.

Generating OpenVPN keys using Easy RSA

The first key that you need to generate is the Certificate Authority (CA). This is the master key and certificate, which is used to sign all client certificates, or revoke their access. Make sure once this file is created it is kept in a safe place and taken off of the router. To build this key run "./build-ca", when building this key the most important field is the Common Name (CN) field as it identifies the router. The next thing we need to do is build the routers key/certificate pair by running "./build-key-server server1". When you run this command do it with any name other than server1, but make sure it is exactly the same as the Common Name when asked. When asked to sign and commit new certificates say yes to both. Now we need to build one of the clients key/certificate pairs. Same basic procedure (and again pay close attention that the name in the command line matches the question about Common Name) run "./build-key client1". You can make as many client keypairs as you would like. The CA file will be what determines which keys are allowed to connect. The last key we need to create is the Diffie Hellman parameters file (DH), which is used to secure the key exchange between the two end points. To make this we run "./build-dh"

Configuring the remaining parts of the OpenVPN server

At this point you can go to the web GUI of the router tell it to do a reboot and when it comes back up you could go to the VPN server pages add a user with the same name as your created client common name and turn on the OpenVPN server and it would work, but you would only have traffic from the server to the client. If you're like me that is just not good enough. A few of my clients are on other routers where I need communication both ways across the tunnel, good news that's an easy fix at this point. First in the web GUI go to VPN in the Advanced Settings section then VPN Details at the top of the page. Make sure you are on the OpenVPN section under VPN Server Mode. Under Basic Config I configured server instance 1 with the following.

Interface Type="TUN"
Port="1194 is the default but for security many people use 443 
       or some other random port"
Authorization Mode="TLS"
Username/Password Authentication="Yes"
Username/Password Auth. Only="Yes"
Extra HMAC authorization="Disable"
VPN Subnet/Netmask=any subnet different than your main network 
                   to be different I used and 
                   You can just as easily use and 
                   but where is the fun in that.
Poll Interval="0"
Push LAN to clients"Yes"
Direct clients to redirect Internet traffic="no" 
              with this remote clients must go through the internet service 
              at the servers location in order to brouse the web .. 
              very bad for bandwidth on residential service
Respond to DNS="Yes"
Advertise DNS to clients="Yes"
Encryption cipher="AES-256-CBC"
TLS Renegotiation Time="-1"
Manage Client-Specific Options="Yes"
Allow Client <-> Client="Yes"
Allow only specified clients="No"

Then under the Custom configuration section at the bottom of the page I needed to add two things

"username-as-common-name" and a separate route command for every network based client that is connecting to me so my one friend uses "route" and for another friends network is "route" by adding these here they have full access to me. I have full access to them, and they even have full access to each other. There is one additional thing you must do to actually make the two way communication work as I have described. Now that there networks have been entered into the front side the router know what to look at for routing but so that it knows exactly what to route where you have to do it almost the same way from the terminal, putty, or WinSCP.

You need to create a separate file for each client that you want two way access with, these files must be saved in the JFFS partition as follows "/jffs/configs/openvpn" now inside of the openvpn folder there are two different folders one called "ccd1" and the other is "ccd2". In the web GUI there are two separate OpenVPN server instances and these two folders are for each accordingly. Any user that is connecting to server1 would have their file put in the ccd1 folder and any user that will be connecting to server2 needs there file placed in the ccd2 folder. If you have a username that is on both server 1 and 2 you would need to create two files one for each server instance. The files themselves are quite easy, you name the file the exact same name as the username it will be going to which remember is still the same as the common name from when you made the keys. There is no file extension or anything special about the file it needs to have just one line of basic text inside of it.

This time you need to add the route as "iroute" and "iroute" accordingly. Please note that both of these locations the IP used is the actual network id not just one valid IP from within the range (they all end in 0). Also the web GUI side is only "route" whereas the file you create has "iroute".Once you have added the multiple lines to the GUI section and the one line to the newly created file called Bob or Sally inside of "/jffs/configs/openvpn/ccd1" and or "/jffs/configs/openvpn/ccd2", restart the router for the last time. Once it is up again go back to the VPN section under Advanced Settings and then the VPN Server tab at the top of the page and enable your OpenVPN server

Posted by Tony on Apr 02, 2014 | Networking