matomo

Port forwarding in AsusWRT Merlin

Before you continue with this guide it is strongly recommended that you set a static IP address and activate the killswitch. You will also need to open the designated ports over the VPN connection, you can find instructions for that here.

One of the issues in AsusWRT is that the normal Web user interface can only forward ports over your WAN connection. If you want to forward ports over the VPN connection you need to follow these instructions.

Step 1: Log in to the administrative interface

Log in to your router's web interface. This can be done by entering the IP address of your router into the URL field of your browser. By default, AsusWRT Merlin use 192.168.1.1. The default username and password is admin for both, but it is strongly recommended that you change the username and password.

Step 2: Activate SSH

Go to Administration -> System

Under SSH Daemon, set Enable SSH to Yes
Set Allow SSH password to login to Yes
Set Enable SSH Brute Force Protection to Yes
It is also recommended that you set Allow SSH access from WAN to No.

Click Apply

Step 3: SSH to your AsusWRT Merlin router

The method used here depends on your operating system.

MacOS and Linux

Open your Terminal
Type:

ssh your_router_username@your_router_ip

When prompted, enter your password for the router admin interface

Replace your_router_username with the username used to log in to the router administrative interface. Replace your_router_ip with the IP address your Asus router use. The default IP address is 192.168.1.1.

Windows 10

Open the command prompt
Type:

ssh your_router_username@your_router_ip

When prompted, enter your password for the router admin interface

Replace your_router_username with the username used to log in to the router administrative interface. Replace your_router_ip with the IP address your Asus router use. The default IP address is 192.168.1.1.

Windows 8 and older

Download Putty or another SSH client of your choice.
In the Host Name (or IP address) field, enter the IP address of your router. By default, this is 192.168.1.1.
When prompted, enter the username for the router web interface.
When prompted, enter your password for the router admin interface.

Step 4: Set up the port forwarding rules

Enter the following information:

iptables -t nat -A PREROUTING -i tun+ -p udp --dport PORT -j DNAT --to-destination IP_ADDRESS
iptables -t nat -A PREROUTING -i tun+ -p tcp --dport PORT -j DNAT --to-destination IP_ADDRESS

Replace PORT with the port you want to forward and IP_ADDRESS with the local device you want to forward to.

The ports are now forwarded over the VPN connection and the service is reachable externally. Do note that if you restart your router you will need to repeat step 4 again for each forwarded port.