PIA Setup Asus Merlin Firmware with Selective Routing

I have a QNAP TS-451 and the OpenVPN client sucks and doesn't stay connected for more than a few minutes.  I also had other issues, so I decided to approach the problem a different way.  I bought an Asus RT-66U and installed Merlin firmware (378.55), the latest as of this writing.  I also wanted to use selective routing and direct only the QNAP NAS through the VPN.  Here is how I set it up.

1.  Ensure you have a static IP address assigned to the NAS box.  I give credit where it's due, and I used lweddin1's instructions as a foundation for success.  However, if you download the OVPN config file it will import all the settings needed minus the certificate.
2.  Copy the certificate below and paste it into the Certificate Authority area.  (shown by lweddin1)



3. Enter your PIA user credentials and you should be able to connect.

The instructions above will direct every client on your LAN through the VPN.  I only wanted my QNAP box, which hosts my torrent client, to use the VPN.  I also noticed a slight slowdown in my connection by using the VPN.  The angry wife theory applies.

4. Log back into your router and click the VPN button and OpenVPN client.  Scroll down to 'Redirect Internet Traffic' and select 'Policy Rules'.
Enter a description.  I put QNAP NAS and entered the IP address of that client.  For destination enter 0.0.0.0.  I checked 'Yes' in the box to 'Block routed clients if tunnel goes down'.  I'd rather the wife not get another nastygram from our ISP.
5.  Click apply and you're done.
6.  To verify it's working and that you have a different external IP address on the QNAP, PuTTY (SSH) into the box.  Open bash and type:  curl -s icanhazip.com     You should get a different IP address than your other clients on the LAN.  You can check those by simply browsing to:  https://www.whatismyip.com/
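
The check from step 6, combined with the 'Block routed clients if tunnel goes down' setting, written as a small script to run on the NAS. This is an added example, not part of the original post; the function names and the WAN address argument (your ISP address as seen from a non-VPN LAN client) are assumptions.

```shell
#!/bin/sh
# Added example: classify what the NAS's outbound traffic is doing.
# Assumption: you pass in the ISP-assigned address seen by a non-VPN LAN client.

# is_ipv4 ADDR: succeeds only for a dotted quad with every octet in 0-255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                      # split the address on dots
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# classify_egress OBSERVED WAN_IP: prints TUNNEL, LEAK or BLOCKED.
classify_egress() {
    observed=$1
    wan_ip=$2
    if ! is_ipv4 "$observed"; then
        echo BLOCKED               # no usable answer came back
    elif [ "$observed" = "$wan_ip" ]; then
        echo LEAK                  # NAS is leaving via the ISP address
    else
        echo TUNNEL                # NAS is leaving via some other address
    fi
}

# fetch_egress_ip: same lookup as step 6, IPv4 only, with a timeout so a
# blocked client does not hang.
fetch_egress_ip() {
    curl -4 -s --max-time 10 icanhazip.com 2>/dev/null | tr -d '[:space:]'
}

# check_nas_egress WAN_IP: prints the state and fails only on LEAK (cron-friendly).
check_nas_egress() {
    state=$(classify_egress "$(fetch_egress_ip)" "$1")
    echo "$state"
    [ "$state" != LEAK ]
}

# Usage on the NAS (203.0.113.10 is a constructed placeholder for your ISP address):
#   check_nas_egress 203.0.113.10
```

BLOCKED also covers a lookup that failed for any other reason (DNS, site down), so read it as "nothing reached the internet", not as proof the tunnel is healthy.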

Comments

  • Posts: 1
    Thanks!

    Where do you do this?:
    "1.  Ensure you have static IP address assigned to NAS box."

    I do not see anything like "NAS box."
  • Posts: 4,013
    Thanks!

    Where do you do this?:
    "1.  Ensure you have static IP address assigned to NAS box."

    I do not see anything like "NAS box."
    NAS means "Network Attached Storage". If you do not have a NAS, then this step is unimportant for you.
  • Hi VicTOErE 

    I followed your guide and it is working very well.  I just have a question, and sorry if it is too elementary.  Is there any way that I can connect to the QNAP Transmission torrent app from outside of my home?  I just read about port forwarding but I don't really understand much about OpenVPN with port forwarding.

    I have an Asus RT-AC87U (Merlin firmware 378.55) with a QNAP TS-653 Pro (4.2).  My only limitation is connecting to Transmission Torrent remotely.

    I will appreciate any help. (sorry for my English)
    Jesus
  • Jesus,
    I actually had Dropbox as my watch folder for Transmission, which worked great until it broke with the QTS 4.2 update.  I wish they would fix Dropbox.  I did find a work-around by going through the CloudLink portal to drop torrents into the transmission watch file.  It's not as seamless as the Dropbox solution but it works.  I haven't had time to configure it, but there may be a way to use the second ethernet port on the TS-451 as a management port to remote control Transmission.  I know it's possible, but by making this change I would open my torrent client up to ISP monitoring as that IP wouldn't be directed through the VPN tunnel.

    Anyway, you're not going to be able to port forward while your internal interface is being routed through the VPN tunnel.  Not sure you would really need to, as you could use the QNAP CloudLink to remotely connect to Transmission.
  • Posts: 1
    Hi

    I'm just trying to do this on my RT-AC68U with the current Merlin firmware 380.58. Under the routing rules, I see there is a new dropdown box Iface, which I assume means Interface, with a choice of WAN or VPN. Any idea what I should use? I am a bit of a novice at this stuff.
  • Sorry for the late reply. If you haven't figured this out already, it does mean interface. You are selecting where to direct the client traffic, either through the VPN or the unprotected WAN interface.
  • So will this allow me to put the VPN on my router and my ROKU devices around the router so I can still use AMAZON etc.?  Any particular setting for this?

    Thanks in advance...
  • Tommybo,
    I think what you're asking is whether you can use selective routing for your ROKU and still use Amazon.  The answer is yes.  If you give your ROKU a static IP address on your network then you can direct that device through the VPN as shown in the guide.  The VPN isn't going to prevent you from visiting any websites.  It's simply going to anonymize your internet traffic.
  • Update:  I'm no longer using this method for downloading my torrents.  I set up a deluge/vpn client in Container Station (QNAP).  https://hub.docker.com/r/binhex/arch-delugevpn/

    This is a much better solution than having to route all your QNAP traffic through the VPN.  I wanted to be able to get PlexPass so I could watch things remotely, and with the QNAP going through the VPN it wouldn't work.  Now only the deluge torrent client is using the VPN.  If you're tech savvy you should look into containerizing your applications.  It works really well and doesn't take a ton of resources.
  • I know this thread is old, but I set up PIA with Merlin this weekend, and the only snag I hit was finding out where to paste the cert.  The images have been removed from the referenced tutorial.  While I think Merlin is great, how hard it is to spot the cert link does bring into question the usability of the design.  See this thread if you get stuck like I did:
    https://www.vpnuniversity.com/routers/how-to-setup-openvpn-asuswrt-merlin
