Asuswrt-Merlin yönlendiricide Linux için AdGuard VPN nasıl kurulur
- AdGuard VPN CLI requires at least 22 MB of free storage space on your router’s disk or external USB after installing necessary packages.
- Asuswrt-Merlin donanım yazılımı: Yönlendiricinizin Asuswrt-Merlin donanım yazılımını çalıştırdığından emin olun.
- USB belleği: Yerel bir Linux dosya sisteminde (ext2, ext3 veya ext4) biçimlendirilmiş bir USB belleği. Bu kılavuzda biçimlendirme sürecini ele alacağız.
1. Yönlendiricinin IP adresini belirleme
Çoğu yönlendirici için varsayılan IP adresi 192.168.1.1
veya 192.168.0.1
dir. IP adresini değiştirdiyseniz veya emin değilseniz, bağlı bir cihazdaki IP yapılandırmasını kontrol ederek bulabilirsiniz.
On Windows
Komut İstemi'ni açın:
ipconfig
Look for the Default Gateway under your active network connection. Bu, yönlendiricinizin IP adresidir.
On Mac/Linux
Terminal'i açın ve Linux için şu komutu çalıştırın:
ip route | grep default
Or this one for Mac:
route -n get default
Look for the default entry. Yanındaki IP adresi ise yönlendiricinizin IP adresidir.
2. Make sure SSH and JFFS custom scripts are enabled on the router
First, make sure that SSH access is enabled on your router. This setting is usually found in the router’s web interface. JFFS custom scripts will be used to set routing rules.
Log in to the web interface. This is usually accessible via a web browser at
http://192.168.1.1
. Otherwise, replace192.168.1.1
with your router’s IP address.Scroll down to Advanced settings, Administration → System.
Scroll to Service, click Enable SSH → LAN.
Select 22 in Port and Yes in Allow Password Login.
Go up to Persistent JFFS2 partition and enable JFFS custom scripts and configs.
Click Apply at the bottom of the page.
3. Use an SSH client to connect to the router
You’ll need an SSH client. Most Linux and macOS systems come with an SSH client pre-installed. For Windows, you can use PowerShell, the built-in SSH client in Windows 10/11, or a third-party application like PuTTY.
Built-in SSH client (Linux, macOS, and Windows 10/11)
Open Terminal or PowerShell.
Run the SSH command:
ssh admin@192.168.1.1
Replace
192.168.1.1
with your router’s IP address andadmin
with your admin username.If this is your first time connecting to the router via SSH, you’ll see a message like this:
The authenticity of host '192.168.1.1 (192.168.1.1)' can't be established.
ECDSA key fingerprint is SHA256:...
Are you sure you want to continue connecting (yes/no/[fingerprint])?Type
yes
and press Enter.Enter the router’s password when prompted. The SSH login username and password are the same as the admin credentials.
PuTTY (Windows below 10)
- Download and install PuTTY from the official website.
- Open PuTTY.
- In the Host Name (or IP address) field, enter your router’s IP address (e.g.,
192.168.1.1
). - Make sure the Connection type is set to SSH.
- Click Open.
- When the Terminal window opens, enter the router’s credentials. The SSH login username and password are the same as the admin credentials.
4. Install Entware using SSH
Once logged into your SSH client, you can use various commands to interact with your router’s Linux-based operating system. To proceed, you will need to install Entware OPKG Manager. It allows you to install third-party software packages to expand router capabilities. Skip to the next step if you already have it installed.
Note that you cannot use both Optware (outdated alternative) and Entware at the same time.
The Asus DownloadMaster is based on Optware, and therefore is not compatible with Entware. You will have to uninstall DownloadMaster and look at the alternatives provided by Entware.
After uninstalling, make sure that "asusware.arm" or "asusware.*" dir on the mounted disk partition is deleted. Otherwise, Entware won't work properly. After uninstalling DownloadMaster, make sure the router is rebooted.
You will need to plug a USB disk that's formatted in a native Linux file system (ext2, ext3 or ext4). To format a disk, use amtm. Plug a USB disk into your router, then start amtm with:
amtm
Use this option to format a disk and mount it to router:
fd
Go through the formatting process and select the recommended options. All files from the USB disk will be deleted. For this setup to work, USB disk should always stay connected.
After mounting your USB, the router will reboot. To start the installation process, first reconnect to your router over SSH.
Then launch the amtm application by simply running:
amtm
The menu will offer you the option ep
to initiate the Entware installation.
If you are running a firmware version older than 384.15 (or 384.13_4 for the RT-AC87U and RT-AC3200), then you start the installation by running the following command instead.
entware-setup.sh
If the entware-setup.sh script is not found, download and run the following script to install Entware:
wget -O - http://bin.entware.net/armv7sf-k3.2/installer/generic.sh | sh
Exit amtm by pressing e
.
5. Install AdGuard VPN CLI
Update the package lists:
opkg update
Install required packages:
opkg install curl ca-certificates
Go to /opt folder by running cd /opt
and run the AdGuardVPN CLI installation script:
curl -fsSL https://raw.githubusercontent.com/AdguardTeam/AdGuardVPNCLI/master/scripts/release/install.sh | sh -s -- -v
When asked “Would you like to link the binary to /usr/local/bin?“, reply y
. If failed to link the binary, run this line:
ln -s /opt/adguardvpn_cli/adguardvpn-cli /opt/bin
Import the SSL certificate and the tun module and set an alternative folder for the user directory. By default, it will be stored in /tmp and you’ll lose your settings after a reboot. Run this before each new session.
export SSL_CERT_FILE=/opt/etc/ssl/certs/ca-certificates.crt
export HOME=/opt/home/admin
modprobe tun
6. Set up AdGuard VPN CLI
Log in to your account
To use AdGuard VPN for Linux, you need an AdGuard account.
You can sign up on our website or in the Terminal.
To sign up or log in, type:
adguardvpn-cli login
Connect to VPN
Select a VPN server location that best suits your needs.
In general, the closer the server, the faster the connection.
To view available locations, type:
adguardvpn-cli list-locations
To connect to a specific location, type:
adguardvpn-cli connect -l LOCATION_NAME
Replace LOCATION_NAME with the city, country, or ISO code of the location you want to connect to.
For quick connect, type:
adguardvpn-cli connect
AdGuard VPN will choose the fastest available location and remember it for future quick connections.
Enter
yes
when asked “Would you like to set default routes in TUN mode?”AdGuard VPN CLI will create a tun0 interface for VPN tunneling.
Adjust your settings
Get a list of all available AdGuard VPN commands and customize the VPN client to your needs.
To view all commands, type:
adguardvpn-cli --help-all
7. Set up your firewall rules and auto-launch for AdGuard VPN
This step configures firewall rules on an Asuswrt-Merlin router to route traffic through AdGuard VPN.
Create a new script by running the following command:
cat << 'EOF' > /jffs/scripts/wan-event
#!/bin/sh
if [ "$2" = "connected" ]; then
export SSL_CERT_FILE=/opt/etc/ssl/certs/ca-certificates.crt
export HOME=/opt/home/admin
modprobe tun
/opt/adguardvpn_cli/adguardvpn-cli connect &
for ipt in iptables ip6tables; do
$ipt -D FORWARD -j ADGUARD_FORWARD || true
$ipt -F ADGUARD_FORWARD || true
$ipt -X ADGUARD_FORWARD || true
$ipt -N ADGUARD_FORWARD
$ipt -I FORWARD -j ADGUARD_FORWARD
$ipt -A ADGUARD_FORWARD -i br0 -o tun0 -j ACCEPT
done
exit 0
fi
EOFAnd make it executable:
chmod a+rx /jffs/scripts/wan-event
If you have more brX interfaces, make sure to include them in the script as well to route their traffic. Alternatively, make sure to specify a different routing rule for those interfaces.
This script will ensure that all traffic goes through the VPN tunnel. After rebooting or reconnecting to the Internet, AdGuard VPN will connect automatically to your last used location.
Reboot your router to finish setup.
Congrats! Now you have a router secured with AdGuard VPN.
If you want to SSH into your router again to send any commands to AdGuard VPN, make sure to run this first:
export SSL_CERT_FILE=/opt/etc/ssl/certs/ca-certificates.crt
export HOME=/opt/home/admin
modprobe tun