Asus Merlin and Mullvad VPN

Last updated: 28 October 2021


This guide walks you through how to set up your Asus router running Asuswrt-Merlin to connect to the Mullvad VPN servers.

Asuswrt-Merlin is an open source third-party firmware for Asus routers based on Asuswrt (the firmware developed by Asus) with an advanced OpenVPN client. It's recommended to use this over the default stock firmware as it often uses a newer version of the OpenVPN client.

The VPN speed is dependent on the router's CPU. OpenVPN can only use one CPU core, and AES encryption takes quite some processing power. However, some newer Asus routers have an AES-NI hardware acceleration chip that takes care of that. Here are some speed estimates from around the Internet:

RT-AC86U = 247 Mbps
RT-AC88U = 40-60 Mbps
RT-AC55U = 48-80 Mbps
RT-AC56U = 25 Mbps
RT-AC68U = 25 Mbps

Set-up instructions

Open a web browser and enter the IP address of your router, which is normally 192.168.1.1. It is possible to change it in Advanced Settings > LAN. In this tutorial, we use 192.168.1.1.

In Advanced Settings click on VPN.

Click on the VPN Client tab at the top of your screen and then click on OpenVPN in order to create a VPN connection.

Uploading a configuration file

First download the Android configuration file from Mullvad's OpenVPN configuration file generator and then click on Choose File.

Click on the Mullvad configuration file and then Open.

After selecting the configuration file, click on Upload.
This loads the required settings in the GUI and then clears the uploaded file field.
Also enable Automatic start at boot time.
 

Setting up the VPN Client

You will now see the OpenVPN client settings. Double-check that your settings match the ones in the image below. To see the full contents of the "Custom Configuration" text area you can use the scroll bar inside it.

  • For Protocol the default is UDP. If you need to change to TCP then also change Port to 443.
  • The Server Address and Port may vary and you can change the Address to change servers.
  • For Username/Password Authentication, choose Yes.
  • For Username, enter your Mullvad account number without any spaces.
  • For Password, use "m".

In the Custom Configuration text area use the scroll bar on the right side inside it and do the following:

  • Remove tun-ipv6
  • Add comp-lzo no at the bottom of the text

Press the Apply button.

Setting up the routing

Older versions

In Merlin versions older than 386.3 you can select the following on the VPN Client tab.

Rules for routing client traffic through the tunnel

  • Description: Mullvad
  • Source IP: 192.168.1.0/24
  • Destination IP: 0.0.0.0/0
  • Iface: VPN

Then press the Apply button.

Newer versions

In Merlin versions starting with 386.3 you can instead do the following.

  • The Redirect Internet traffic setting has been moved up on the OpenVPN Client page and is now under Network Settings at the top. Set this to VPN Director (policy rules).
  • Below that you should find Killswitch - Block routed clients if tunnel goes down. Set that to Yes.
  1. Click on the VPN Director tab.
  2. Click on Add new rule and add the following:
    • Interface: OpenVPN 1 / OVPN1
    • Enable: Yes (checkmark)
    • Description: Mullvad
    • Local IP: 192.168.1.0/24
    • Remote IP: 0.0.0.0/0
  3. Click on Apply.

Check the Source IP / Local IP

Make sure that the Source IP or Local IP above is set to the local IP address range that the computer/device which is connected to the router is using. You may have to refresh the IP on the computer/device or restart it if it's using the DHCP server on the router.

Setting up the DHCP Server DNS

Go to LAN -> DHCP Server and enter the DNS servers:

DNS Server 1: 193.138.218.74
DNS Server 2: 10.8.0.1

Next to Advertise router's IP in addition to user-specified DNS, select No and press the Apply button.

Setting up IPv6

Go to IPv6 -> Basic Config. Change Connection type to Native. Then press the Apply button.

Connecting to the VPN

Go back to VPN -> VPN Client and then under Client control, find Service state and switch the button to ON in order to connect to Mullvad servers.

Click on VPN Status to see information about your VPN connection.

You should now be connected to Mullvad. Easily verify your connection status by visiting our Connection check in a browser on a device that is connected to the router.

Port Forwarding (optional)

  1. Go to Administration -> System -> Enable JFFS custom scripts and configs
  2. Enable SSH (LAN only) in the router on the same page.
  3. SSH into the router.

Copy and paste the following text into the terminal (replace YOURPORT with the assigned port and replace THECOMPUTERSIP with the IP address of the device that you wish to forward the port to).

echo -e "#!/bin/sh \niptables -t nat -A PREROUTING -i tun+ -p udp --dport YOURPORT -j DNAT --to-destination THECOMPUTERSIP \niptables -t nat -A PREROUTING -i tun+ -p tcp --dport YOURPORT -j DNAT --to-destination THECOMPUTERSIP" > /jffs/scripts/nat-start && chmod +x /jffs/scripts/nat-start

Troubleshooting
 

Username/password

When you enter the username you should use your Mullvad account number without any spaces. The password is "m".

IPv6 issues / DNS leaks

You normally have to enable IPv6 on the router (on the left side under Advanced Settings > IPv6). Set it to "Native". In case our Connection check shows an IPv6 leak you can go to the IPv6 settings and disable "Enable Router Advertisement". Another option is to disable IPv6 and edit the OpenVPN configuration file and make the following changes before you import it:

    replace proto udp with proto udp4.
    replace proto tcp with proto tcp4.
    add pull-filter ignore "route-ipv6"
    add pull-filter ignore "ifconfig-ipv6"
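
The four edits above can be applied to the downloaded file with a short script before importing it. This is an added example, not part of Mullvad's guide; the function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: apply the guide's four IPv6 edits to an OpenVPN config file.
# Function names and the sample config below are constructed for illustration.

# force_ipv4 IN OUT: write a copy of config IN to OUT with the edits applied.
force_ipv4() {
    in=$1
    out=$2
    [ -r "$in" ] || { echo "cannot read $in" >&2; return 1; }
    # proto udp -> proto udp4, proto tcp -> proto tcp4 (udp4/tcp4 lines stay).
    sed -e 's/^proto[[:space:]]\{1,\}udp[[:space:]]*$/proto udp4/' \
        -e 's/^proto[[:space:]]\{1,\}tcp[[:space:]]*$/proto tcp4/' \
        "$in" > "$out" || return 1
    # Make sure the file ends with a newline before appending options.
    if [ -n "$(tail -c 1 "$out")" ]; then echo >> "$out"; fi
    # Ignore IPv6 routes and addresses pushed by the server; add each once.
    for opt in route-ipv6 ifconfig-ipv6; do
        grep -q "^pull-filter ignore \"$opt\"" "$out" ||
            printf 'pull-filter ignore "%s"\n' "$opt" >> "$out"
    done
}

# ipv4_only FILE: succeed only if FILE already carries all of the edits.
ipv4_only() {
    grep -Eq '^proto (udp|tcp)4$' "$1" &&
        grep -q '^pull-filter ignore "route-ipv6"' "$1" &&
        grep -q '^pull-filter ignore "ifconfig-ipv6"' "$1"
}

# Constructed sample input (documentation address, not a Mullvad server).
work=$(mktemp -d)
printf 'client\ndev tun\nproto udp\nremote 192.0.2.10 1194\n' > "$work/in.ovpn"
force_ipv4 "$work/in.ovpn" "$work/out.ovpn" &&
    ipv4_only "$work/out.ovpn" &&
    cat "$work/out.ovpn"
rm -rf "$work"
```

Write the output to a new file rather than over the input, and import the new file in the VPN Client tab.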

"Unrecognized option"

Download the OpenVPN configuration file for Android, not another platform. Use Chrome when downloading.

"Cannot resolve host address"

Check the option "Use IP addresses" in the Advanced Settings of the OpenVPN configuration file generator.

"certificate verify failed / TLS handshake failed"

Set the time and date correctly in the router.

"You must define CA file (--ca) or CA path (--capath)"

Try to go to Administration > System and select the option to format JFFS on next boot. Click on Apply and then Reboot. Wait a couple of minutes after it reboots and then reboot again. If it does not help then log in with SSH and run "df" and check that you have a jffs partition. The certificate should normally appear in VPN Client > Crypto Settings > Keys and Certificates > Edit > Certificate Authority.

The router connects to the VPN and gets a Mullvad IP address, but the computer/device does not.

Make sure that the Source IP in "Rules for routing client traffic through the tunnel" is set to the local IP address range that the computer/device which is connected to the router is using. You may have to refresh the IP on the computer/device or restart it if it's using the DHCP server on the router.

Log file

If you get into any trouble you can send us the log from Advanced settings > System Log > General Log.

Something is missing in the guide

Check the Asuswrt-Merlin 386/NG Changelog for late breaking changes.

Supported router models

Asuswrt-Merlin officially supports the following router models.

Older platform:

  • RT-AC66U_B1 (same firmware as the RT-AC68U)
  • RT-AC68U (including revisions C1 and E1)
  • RT-AC68P (same firmware as RT-AC68U)
  • RT-AC68UF (same firmware as RT-AC68U)
  • RT-AC68U V3 (same firmware as RT-AC68U)
  • RT-AC1900 (same firmware as RT-AC68U)
  • RT-AC1900P (same firmware as RT-AC68U)
  • RT-AC88U
  • RT-AC3100
  • RT-AC5300

Newer platform:

  • RT-AC86U
  • RT-AC2900 (same firmware as RT-AC86U)
  • GT-AC2900
  • RT-AX88U
  • GT-AX11000
  • RT-AX56U
  • RT-AX58U
  • RT-AX3000 (same firmware as RT-AX58U)
  • RT-AX86U
  • RT-AX68U