
Asus Merlin and Mullvad VPN


Last updated: 10 June 2020


This guide walks you through how to set up your Asus router running Merlin to connect to the Mullvad VPN servers.

Asuswrt-Merlin is an open-source, third-party firmware for Asus routers. It is a custom version of Asuswrt with an advanced OpenVPN client.

Supported router models

Asuswrt-Merlin officially supports the following router models:

  • RT-N66U
  • RT-AC66U
  • RT-AC66U_B1 (same firmware as the RT-AC68U)
  • RT-AC56U
  • RT-AC68U (including revisions C1 and E1)
  • RT-AC68P (same firmware as RT-AC68U)
  • RT-AC87
  • RT-AC3200
  • RT-AC88U
  • RT-AC3100
  • RT-AC5300
  • RT-AC1900 (same firmware as RT-AC68U)
  • RT-AC1900P (same firmware as RT-AC68U)

Set-up instructions

Open a web browser and enter the IP address of your router, which is normally 192.168.1.1. It is possible to change it in Advanced Settings > LAN. In this tutorial, we use 192.168.1.1.

In Advanced Settings, click on VPN.

Click on the VPN Client tab at the top of your screen and then click on OpenVPN in order to create a VPN connection.

Download the Android configuration file from Mullvad's website and then click on Choose File.

Click on the Mullvad configuration file and then Open.

After selecting the configuration file, click on Upload.
This loads the required settings in the GUI and then clears the uploaded file field.
Also enable Automatic start at boot time.
 

You will now see the OpenVPN client settings. Double-check that your settings match the ones in the image below. For Username/Password Authentication, choose Yes. For Username, enter your Mullvad account number (without any spaces). For Password, use "m".
The server address and port may vary.

Rules for routing client traffic through the tunnel

Description: Mullvad
Source IP: 192.168.1.0/24
Destination IP: 0.0.0.0/0

In Custom Configuration, add comp-lzo no at the bottom of the text list.

Press the Apply button, then go to LAN -> DHCP Server and enter the following DNS servers:

DNS Server 1: 193.138.218.74
DNS Server 2: 10.8.0.1

Next to Advertise router's IP in addition to user-specified DNS, select No and press the Apply button.

Go to IPv6 -> Basic Config. Change Connection type to Native. Then press the Apply button.

Go back to VPN -> VPN Client and then under Client control, find Service state and switch the button to ON in order to connect to Mullvad servers.

Click on VPN Status to see information about your VPN connection.

You should now be connected to Mullvad. Easily verify your connection status by visiting https://am.i.mullvad.net in a browser on a device that is connected to the router.

Port Forwarding (optional)

  1. Go to Administration -> System -> Enable JFFS custom scripts and configs
  2. Enable SSH (LAN only) in the router on the same page.
  3. SSH into the router.

Copy and paste the following text into the terminal (replace YOURPORT with the assigned port and THECOMPUTERSIP with the IP address of the device that you wish to forward the port to).

echo -e "#!/bin/sh \niptables -t nat -A PREROUTING -i tun+ -p udp --dport YOURPORT -j DNAT --to-destination THECOMPUTERSIP \niptables -t nat -A PREROUTING -i tun+ -p tcp --dport YOURPORT -j DNAT --to-destination THECOMPUTERSIP" > /jffs/scripts/nat-start && chmod +x /jffs/scripts/nat-start
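
A stricter way to write the same file, as an added example that is not part of the original guide: the router runs nat-start on its own, so these functions validate the port and the LAN address before anything is written. The function names are made up for illustration, the 192.168.1.0/24 check assumes the LAN range used in this tutorial, and 55555 / 192.168.1.50 are constructed sample values.

```sh
#!/bin/sh
# Added example: build /jffs/scripts/nat-start from validated input
# instead of hand-editing the one-liner.

# valid_port PORT: succeed only for a plain integer in 1..65535.
valid_port() {
    case "$1" in ''|0*|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# valid_lan_ip IP: succeed only for a host address in 192.168.1.0/24
# (assumption: the LAN range of this tutorial; adjust if yours differs).
valid_lan_ip() {
    case "$1" in 192.168.1.*) ;; *) return 1 ;; esac
    host=${1#192.168.1.}
    case "$host" in ''|0*|*[!0-9]*) return 1 ;; esac
    [ "${#host}" -le 3 ] && [ "$host" -ge 1 ] && [ "$host" -le 254 ]
}

# render_nat_start PORT IP: print the script body, or fail with no output
# on stdout, so stray text can never end up inside the generated script.
render_nat_start() {
    valid_port "$1" || { echo "bad port: $1" >&2; return 1; }
    valid_lan_ip "$2" || { echo "bad LAN IP: $2" >&2; return 1; }
    printf '#!/bin/sh\n'
    for proto in udp tcp; do
        printf 'iptables -t nat -A PREROUTING -i tun+ -p %s --dport %s -j DNAT --to-destination %s\n' \
            "$proto" "$1" "$2"
    done
}

# install_nat_start PORT IP [PATH]: write to a temporary file first and
# rename it, so a rejected value never replaces a working script.
install_nat_start() {
    target=${3:-/jffs/scripts/nat-start}
    render_nat_start "$1" "$2" > "$target.tmp" || { rm -f "$target.tmp"; return 1; }
    chmod +x "$target.tmp" && mv "$target.tmp" "$target"
}

# Usage on the router (constructed sample values):
#   install_nat_start 55555 192.168.1.50
```

Like the one-liner above, install_nat_start replaces any existing /jffs/scripts/nat-start.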

Troubleshooting
 

Username/password

When you enter the username you should use your Mullvad account number without any spaces. The password is "m".

IPv6

You have to enable IPv6 on the router (on the left side under Advanced Settings > IPv6). Set it to "Native".

"Unrecognized option"

Download the OpenVPN configuration file for Android, not another platform. Use Chrome when downloading.

"Cannot resolve host address"

Check the option "Use IP addresses" in the Advanced Settings of the OpenVPN configuration file generator.

"certificate verify failed / TLS handshake failed"

Set the time and date correctly in the router.

Log file

If you get into any trouble you can send us the log from Advanced settings > System Log > General Log.