Before you continue with this guide, it is strongly recommended that you set a static IP address and activate the killswitch. You will also need to open the designated ports over the VPN connection; you can find instructions for that here.
One of the issues in AsusWRT is that the normal Web user interface can only forward ports over your WAN connection. If you want to forward ports over the VPN connection you need to follow these instructions.
Step 1: Log in to the administrative interface
Log in to your router's web interface. This can be done by entering the IP address of your router into the URL field of your browser. By default, AsusWRT Merlin uses 192.168.1.1. The default username and password are both admin, but it is strongly recommended that you change the username and password.
Step 2: Activate SSH
Go to Administration -> System
Under SSH Daemon, set Enable SSH to Yes
Set Allow SSH password to login to Yes
Set Enable SSH Brute Force Protection to Yes
It is also recommended that you set Allow SSH access from WAN to No.
Click Apply
Step 3: SSH to your AsusWRT Merlin router
The method used here depends on your operating system.
MacOS and Linux
Open your Terminal
Type:
ssh your_router_username@your_router_ip
When prompted, enter your password for the router admin interface
Replace your_router_username with the username used to log in to the router administrative interface. Replace your_router_ip with the IP address your Asus router uses. The default IP address is 192.168.1.1.
Windows 10
Open the command prompt
Type:
ssh your_router_username@your_router_ip
When prompted, enter your password for the router admin interface
Replace your_router_username with the username used to log in to the router administrative interface. Replace your_router_ip with the IP address your Asus router uses. The default IP address is 192.168.1.1.
Windows 8 and older
Download Putty or another SSH client of your choice.
In the Host Name (or IP address) field, enter the IP address of your router. By default, this is 192.168.1.1.
When prompted, enter the username for the router web interface.
When prompted, enter your password for the router admin interface.
Step 4: Set up the port forwarding rules
Enter the following commands, one per line:
iptables -t nat -A PREROUTING -i tun+ -p udp --dport PORT -j DNAT --to-destination IP_ADDRESS
iptables -t nat -A PREROUTING -i tun+ -p tcp --dport PORT -j DNAT --to-destination IP_ADDRESS
Replace PORT with the port you want to forward and IP_ADDRESS with the local device you want to forward to.
The ports are now forwarded over the VPN connection and the service is reachable externally. Note that these rules are lost when the router restarts: after a restart you will need to repeat step 4 for each forwarded port.
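Because step 4 has to be re-entered after every restart, the following added example (not part of the original guide) wraps the two commands in a function that validates PORT and IP_ADDRESS first and skips rules that are already present. It assumes the router's iptables build supports the -C (check) option; the function names, port 51413 and address 192.168.1.50 are constructed for illustration.

```shell
#!/bin/sh
# Added example: validate the inputs, then add the step 4 DNAT rules only if absent.
# IPTABLES may be pointed at a stub for testing; it defaults to the real binary.
IPTABLES="${IPTABLES:-iptables}"

# Port must be an integer in 1..65535.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Destination must be a dotted-quad IPv4 address with each octet in 0..255.
valid_ipv4() {
    case "$1" in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Add one DNAT rule per protocol on the VPN tunnel interfaces (tun+), skipping
# rules that already exist so that re-running never creates duplicates.
forward_port() {
    port=$1 dest=$2
    valid_port "$port" || { echo "invalid port: $port" >&2; return 2; }
    valid_ipv4 "$dest" || { echo "invalid destination: $dest" >&2; return 2; }
    for proto in udp tcp; do
        set -- PREROUTING -i tun+ -p "$proto" --dport "$port" -j DNAT --to-destination "$dest"
        # -C (check) is assumed to be supported by the router's iptables build.
        $IPTABLES -t nat -C "$@" 2>/dev/null || $IPTABLES -t nat -A "$@" || return 1
    done
}

# Usage on the router (constructed values): forward_port 51413 192.168.1.50
```

Rejecting anything that is not a plain port number or IPv4 address keeps a typo from installing a rule that exposes the wrong device or port over the VPN.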