PIA Setup Asus Merlin Firmware with Selective Routing

I have a QNAP TS-451 and the OpenVPN client sucks and doesn't stay connected for more than a few minutes. I had other issues as well, so I decided to approach the problem a different way. I bought an Asus RT-66U and installed Merlin firmware (378.55), the latest as of this writing. I also wanted to use selective routing and direct only the QNAP NAS through the VPN. Here is how I set it up:

1.  Ensure you have a static IP address assigned to the NAS box.  I give credit where it's due and I used lweddin1's instructions as a foundation for success.  However, if you download the OVPN config file it will import all the settings needed minus the certificate.
2.  Copy the certificate below and paste into the Certificate Authority area.  (shown by lweddin1)


3. Enter your PIA user credentials and you should be able to connect.

The instructions above will direct every client on your LAN through the VPN.  I only wanted my QNAP box which hosts my torrent client to use the VPN.  I also noticed a slight slowdown in my connection by using the VPN.  The angry wife theory applies.

4. Log back into your router and click the VPN button and OpenVPN client.  Scroll down to 'Redirect Internet Traffic' and select 'Policy Rules'.
Enter a description.  I put QNAP NAS and entered the IP address of that client.  For destination enter  I checked 'Yes' in the box to 'Block routed clients if tunnel goes down'.  I'd rather the wife not get another nastygram from our ISP.
5.  Click apply and you're done.
6.  To verify it's working and that you have a different external IP address on the QNAP, PuTTY (SSH) into the box.  Open bash and type:  curl -s icanhazip.com     You should get a different IP address than your other clients on the LAN.  You can check those by simply browsing to:  https://www.whatismyip.com/
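
The check in step 6, as an added example that is not part of the original post: a script for the NAS that runs the same curl lookup and classifies the result, including the case where the lookup fails because the tunnel is down and the 'Block routed clients' option is dropping traffic. The function names and the way the WAN address is passed in are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original post. Run on the NAS over SSH.
# Usage: sh check_egress.sh <WAN_IP>
#   WAN_IP = public address a non-VPN client on the LAN reports.

is_ipv4() {
    # Dotted quad only, each octet 0-255.
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1            # split the address into its four octets
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

classify_egress() {
    # $1 = address the NAS got back from the lookup ("" if it failed)
    # $2 = WAN address seen by clients that are not routed through the VPN
    nas_ip=$1; wan_ip=$2
    if [ -z "$nas_ip" ]; then
        echo blocked     # no reply: tunnel down with blocking on, or no connectivity
    elif ! is_ipv4 "$nas_ip" || ! is_ipv4 "$wan_ip"; then
        echo invalid     # captive page, error text, or a mistyped argument
    elif [ "$nas_ip" = "$wan_ip" ]; then
        echo leak        # NAS is leaving through the ISP link, not the tunnel
    else
        echo tunnelled
    fi
}

# Only touch the network when a WAN address was supplied on the command line.
if [ -n "${1:-}" ]; then
    nas_ip=$(curl -4 -s --max-time 10 icanhazip.com || true)
    result=$(classify_egress "$nas_ip" "$1")
    echo "NAS egress: ${nas_ip:-none} -> $result"
    [ "$result" = tunnelled ]   # non-zero exit unless the NAS is behind the VPN
fi
```

A result of blocked while the VPN client is stopped on the router shows the 'Block routed clients if tunnel goes down' setting is doing its job; leak means the policy rule is not matching the NAS address.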


  • Posts: 1

    Where do you do this?:
    "1.  Ensure you have static IP address assigned to NAS box."

    I do not see anything like "NAS box."
  • Posts: 4,013

    Where do you do this?:
    "1.  Ensure you have static IP address assigned to NAS box."

    I do not see anything like "NAS box."
    NAS means "Network Attached Storage". If you do not have a NAS, then this step is unimportant for you.
  • Hi VicTOErE 

    I followed your guide and it is working very well.  I just have a question, and sorry if it is too elementary.  Is there any way that I can connect to the QNAP Transmission torrent app from outside of my home?  I just read about port forwarding but I don't really understand too much about OpenVPN with port forwarding.

    I have an Asus RT-AC87U (Merlin firmware 378.55) with a QNAP TS-653 Pro (4.2).  My only limitation is connecting to Transmission remotely.

    I will appreciate any help. (sorry for my english)
  • Jesus,
    I actually had Dropbox as my watch folder for Transmission which worked great until it broke with the QTS 4.2 update.  I wish they would fix Dropbox.  I did find a work-around by going through the CloudLink portal to drop torrents into the Transmission watch folder.  It's not as seamless as the Dropbox solution but it works.  I haven't had time to configure it, but there may be a way to use the second ethernet port on the TS-451 as a management port to remote control Transmission.  I know it's possible but by making this change I would open my torrent client up to ISP monitoring as that IP wouldn't be directed through the VPN tunnel.

    Anyway, you're not going to be able to port forward while your internal interface is being routed through the VPN tunnel.  Not sure you would really need to as you could use the QNAP CloudLink to remotely connect to Transmission.
  • Posts: 1

    I'm just trying to do this on my RT-AC68U with the current Merlin firmware 380.58. Under the routing rules, I see there is a new dropdown box Iface, which I assume means Interface, with a choice of WAN or VPN. Any idea what I should use? I am a bit of a novice at this stuff.
  • Sorry for the late reply. If you haven't figured this out already, it does mean interface. You are selecting where to direct the client traffic, either through the VPN or the unprotected WAN interface.
  • So will this allow me to put the VPN on my router and my ROKU devices around the router so I can still use AMAZON etc.?  Any particular setting for this?

    Thanks in advance...
  • Tommybo,
    I think what you're asking is can you use selective routing for your ROKU and still use Amazon.  The answer is yes.  If you give your ROKU a static IP address on your network then you can direct that device through the VPN as shown in the guide.  The VPN isn't going to prevent you from visiting any websites.  It's simply going to anonymize your internet traffic.
  • Update:  I'm no longer using this method for downloading my torrents.  I set up a deluge/vpn client in Container Station (QNAP).  https://hub.docker.com/r/binhex/arch-delugevpn/

    This is a much better solution than having to route all your QNAP traffic through the VPN.  I wanted to be able to get PlexPass so I could watch things remotely, and with the QNAP going through the VPN it wouldn't work.  Now only the deluge torrent client is using the VPN.  If you're tech savvy you should look into containerizing your applications.  It works really well and doesn't take a ton of resources.
  • I know this thread is old, but I set up PIA with Merlin this weekend, and the only snag I hit was finding out where to paste the cert.  The images have been removed from the referenced tutorial.  While I think Merlin is great, how hard it is to spot the cert link does bring into question the usability of the design.  See this thread if you get stuck like I did:
