OpenVPN on AsusWRT-Merlin Firmware on Netgear R7000 Router

Stacks Image 25916
A VPN is a Virtual Private Network is almost a necessity these days. In a world of “Free” Wi-Fi hotspots how do you know who is minding the store? Is someone snooping your network packets looking for passwords, logins, or credit card numbers? Could be.

Setting up a VPN creates an encrypted tunnel to a TRUSTED network over a less secure network.
A virtual private network (VPN) is a technology that creates an encrypted connection over a less secure network. The benefit of using a VPN is that it ensures the appropriate level of security to the connected systems when the underlying network infrastructure alone cannot provide it.
Snipped from an article on TechTarget
There are multiple kinds of VPN’s. PPTP, L2TP, and OpenVPN are the most common. OpenVPN in many ways is the best, and fastest, and most secure. And it’s free. What more could you want? Lets get started.

There’s a lot of ways to do this however I want mine on the router at my home. It’s always on, and always connected directly to the internet. I don’t have a desktop computer anymore and sometimes the lid on the laptops gets shut. VPN server is now down.

I have a Netgear R7000 Nighthawk Router. Even though its a few years old it is still one of the best most practical routers and it is battle tested. A very popular model that many super geeks have turned into a very solid platform.

I run AsusWRT-Merlin firmware on mine. I am not a factory firmware kind of guy. Good directions for installing it are here.

Now it’s installed.

One of the biggest challenges of running a server is FINDING IT. Your internet address is really numbers. A system called DNS turns those numbers into words like “”.

Trouble is those numbers change all the time. If you have a static IP address which never changes you can ignore this part. Most of us have Dynamic addresses which change a lot. So in order to find your server you need a Dynamic DNS service. That reports your number changes and resolves them to your domain name.

There are a million services and if you have a webpage you probably already have the service but don’t know it. Not to worry. There are free services. My current favorite is DuckDNS Go there and log in. They will generate a token. Copy this. Then get a domain name. I typed in “hagensieker” making my address
Stacks Image 25924
That’s literally it on that end. You have your token and your domain name. Now log in your router. Bottom left of login click on Admin then the System tab and then enable custom scripts for JFFS.
Stacks Image 25930
Now go to “WAN”
Stacks Image 25928
Then DDNS tab. Set to “Custom” and type in your domain name as provided by DuckDNS
Stacks Image 25936
Okay it gets a little tricky here. Go to this page and go to the DuckDNS section and copy it and paste it into a text file. Replace your subdomain name and paste your token in.


# register a subdomain at to get your token

# no modification below needed
curl --silent
"$SUBDOMAIN&token=$TOKEN&ip=" >/dev/null 2>&1
if [ $? -eq 0 ];
/sbin/ddns_custom_updated 1
/sbin/ddns_custom_updated 0
Now save this file as a plain text file with no extension and name it


There are several ways to get this from your computer to your router. From a Mac here is the easiest way to get this on your router. …..

Go to the terminal and cd to the directory where your file is. In my case I saved it on the Desktop.

cd Desktop

now issue this command using your IP address (which is probably, mine is different)

scp ddns-start admin@

It will then ask for your password and then……BAM….Bob is your f***ing uncle. Done.

Windows has a free program called WinSCP. To Secure Copy (SCP) from Mac costs money for some reason but the scp ability is built into Mac for free. Go figure. Don’t ask me to explain. I can’t. The command above is all you need to know.

The second way to do this it to upload the ddns-start file to the web and issue a wget command to retrieve it.

Now what I did was to upload this file to my website. Then I logged into the router (you may need to enable ssh in your router settings and reboot) and issued this command.

wget locationofyourfile

A good possibility also is to upload your file to Dropbox and then share the link. Then wget that link …..

okay first log in the router and then I’ll run through this.
Stacks Image 26998
Okay I logged in like this

ssh -l admin (your ip address is probably I changed mine.

Enter your password

Then type this

cd /jffs/scripts


wget This of course is an example and not really where I put my file. Type in your exact location where your file exists on the internet. If you really have problems email me and I’ll help you.

Here’s another way to do it but it might be temporary because this program is a trial version. The program is $54. You heard that right. $54. I like my free scp command above better. Download Interarchy then set it for SCP the the Remote Path for /jffs/scripts. Once you list that directory just drag your dans-start file in. Voila’.
Stacks Image 28065
Stacks Image 28067
It will download your file in the directory. Now issue this command (from a terminal, not the program, you still need to ssh or telnet into your box and the /jffs/scripts directory):

chmod a+rx /jffs/scripts/ddns-start

This makes it executable. Now start it (or reboot)


That’s it. Reboot the router. DuckDNS is now set up. You might want to go back to “WAN” > “DDNS” then hit apply. It’ll tell you if it registered or not.

Now your openvpn server can be found by your openvpn client no matter where it is.

Now this is the easy part. Go to VPN in your router settings, turn on your VPN, add a user name and password then export the file.
Stacks Image 27002
Now email that file to your iPhone, iPad or computer and you’ll need some client software. Go to your app store on the iPhone / iPad and download OpenVPN Connect. Mac has a program called TunnelBlock or Viscosity. I have no idea nor care what windows uses.

Once you double click the file you exported on your computer / device it should load the configuration and just work. You may need to go back to the VPN page in your router and change the VPN Details from general to Advanced Settings. I had to change UDP to TCP to get mine to work. Make sure to hit “Apply”.
Stacks Image 27006
NOTE: A brother in Router Arms tells me that lots of free WiFi places such as Starbucks, Dunkin Donuts, etc. block all ports but 80 and 443 and that by setting your advanced settings to UDP (change from TCP) and Service Port 443 (changed from 1194) that it works everywhere. So during your setup you may want to go with “Advanced Settings” and set those values. Your mileage may vary.

Just make sure if you make any changes that you go back and export a new configuration file and load it in your client software.

So now when you are on the road and connect to “FREE HOUSTON AIRPORT WI-FI” then immediately connect to your VPN server and your traffic is tunneled and encrypted back to your more trusted home network.

Cool, huh?