How to Forward Ports Through VPN on ASUS Merlin

Last updated: January 11, 2025

Port forwarding through a VPN connection on ASUS Merlin firmware requires custom iptables rules. This guide explains how to forward TorGuard VPN ports to devices on your local network, enabling services like gaming servers, remote access, and P2P applications while maintaining VPN protection.

⚠️ Prerequisites

  • ASUS router with Merlin firmware installed
  • Active TorGuard VPN connection on router
  • Port forwards requested from TorGuard (in client area)
  • SSH access enabled on router
  • Basic command line knowledge

Understanding VPN Port Forwarding

When connected to VPN, your router's public IP changes to the VPN server's IP. Port forwarding must be configured through the VPN tunnel:

graph LR
    A[Internet] -->|Port 12345| B[VPN Server]
    B -->|Forwarded| C[Your Router]
    C -->|NAT| D[Local Device]
    style B fill:#00d4aa,stroke:#333,stroke-width:2px

Step 1: Enable JFFS Partition

JFFS (Journaling Flash File System) stores custom scripts that survive reboots:

  1. Access router web interface: http://192.168.1.1
  2. Navigate to Administration → System
  3. Find "Persistent JFFS2 partition"
  4. Enable both options:
    • Format JFFS partition at next boot: Yes
    • Enable JFFS custom scripts and configs: Yes
  5. Click Apply and reboot router
Note: Formatting JFFS will erase any existing custom scripts. Back up anything you need first.

Step 2: Request Port Forwards from TorGuard

  1. Login to TorGuard Client Area
  2. Go to Services → My Services
  3. Click Manage next to your VPN service
  4. Select Port Management
  5. Request ports (up to 5 with standard plan)
  6. Note your assigned ports and VPN server

Step 3: Access Router via SSH

Option A: SSH (Linux/Mac/Windows 10+)

ssh admin@192.168.1.1
# Enter router password when prompted

Option B: WinSCP (Windows GUI)

  1. Download and install WinSCP
  2. Connect using:
    • Protocol: SCP
    • Host: 192.168.1.1
    • Username: admin
    • Password: [your router password]

Step 4: Identify VPN Interface

First, identify your VPN tunnel interface:

# Run this command to see network interfaces
ifconfig | grep tun

# Output example:
# tun11     Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00

Common interface names:

  • tun11 - Most common on Merlin
  • tun0 - Sometimes used
  • tun1 - Older versions

Step 5: Create Port Forwarding Script

Navigate to scripts directory and create the nat-start script:

# Navigate to scripts directory
cd /jffs/scripts

# Create/edit nat-start script
vi nat-start

Basic Port Forwarding Script

Copy and paste this template, replacing placeholders:

#!/bin/sh
# Port forwarding script for ASUS Merlin with VPN (saved as /jffs/scripts/nat-start)

# Wait for VPN to establish
sleep 10

# VPN interface (verify with ifconfig)
VPN_IF="tun11"

# WAN interface used by the kill switch. vlan1 is what this guide assumes;
# confirm yours with: nvram get wan0_ifname
WAN_IF="vlan1"

# PORT FORWARD RULES - EDIT THESE
# Example: Forward port 12345 to device 192.168.1.100
DEST_IP="192.168.1.100"
PORT="12345"

# Remove earlier copies of our base rules in case nat-start runs again
# (it is re-run on every firewall restart). Do NOT flush whole chains here:
# that would also wipe the firmware's own NAT and forwarding rules.
iptables -D FORWARD -i br0 -o "$VPN_IF" -j ACCEPT 2>/dev/null
iptables -D FORWARD -i "$VPN_IF" -o br0 -j ACCEPT 2>/dev/null
iptables -D FORWARD -i br0 -o "$WAN_IF" -j DROP 2>/dev/null
iptables -D INPUT -i "$VPN_IF" -j REJECT 2>/dev/null
iptables -t nat -D POSTROUTING -o "$VPN_IF" -j MASQUERADE 2>/dev/null

# Enable forwarding between LAN and VPN
iptables -I FORWARD -i br0 -o "$VPN_IF" -j ACCEPT
iptables -I FORWARD -i "$VPN_IF" -o br0 -j ACCEPT

# Block direct internet access (VPN kill switch)
iptables -I FORWARD -i br0 -o "$WAN_IF" -j DROP

# Reject input from VPN interface (security)
iptables -I INPUT -i "$VPN_IF" -j REJECT

# Enable NAT for VPN
iptables -t nat -A POSTROUTING -o "$VPN_IF" -j MASQUERADE

# TCP and UDP port forwards (remove udp from the list if not needed).
# DNAT in PREROUTING rewrites the destination; the FORWARD rule then lets
# the rewritten packet through to the LAN device. Each rule is deleted
# before being inserted so re-runs do not pile up duplicates.
for proto in tcp udp; do
    iptables -D FORWARD -i "$VPN_IF" -p "$proto" -d "$DEST_IP" --dport "$PORT" -j ACCEPT 2>/dev/null
    iptables -t nat -D PREROUTING -i "$VPN_IF" -p "$proto" --dport "$PORT" -j DNAT --to-destination "$DEST_IP:$PORT" 2>/dev/null
    iptables -I FORWARD -i "$VPN_IF" -p "$proto" -d "$DEST_IP" --dport "$PORT" -j ACCEPT
    iptables -t nat -I PREROUTING -i "$VPN_IF" -p "$proto" --dport "$PORT" -j DNAT --to-destination "$DEST_IP:$PORT"
done

Advanced: Multiple Ports Script

For multiple devices/ports:

#!/bin/sh
# Advanced port forwarding with multiple rules (saved as /jffs/scripts/nat-start)

VPN_IF="tun11"
# WAN interface used by the kill switch; confirm yours with: nvram get wan0_ifname
WAN_IF="vlan1"

# Function to add port forward: add_port_forward DEST_IP PORT PROTO
# An earlier copy of each rule is deleted first, so re-running the script
# (nat-start runs on every firewall restart) does not pile up duplicates
add_port_forward() {
    local dest_ip=$1
    local port=$2
    local proto=$3

    iptables -D FORWARD -i "$VPN_IF" -p "$proto" -d "$dest_ip" --dport "$port" -j ACCEPT 2>/dev/null
    iptables -t nat -D PREROUTING -i "$VPN_IF" -p "$proto" --dport "$port" -j DNAT --to-destination "$dest_ip:$port" 2>/dev/null
    iptables -I FORWARD -i "$VPN_IF" -p "$proto" -d "$dest_ip" --dport "$port" -j ACCEPT
    iptables -t nat -I PREROUTING -i "$VPN_IF" -p "$proto" --dport "$port" -j DNAT --to-destination "$dest_ip:$port"
}

# Setup base rules (same delete-then-insert pattern; never flush whole chains,
# that would also remove the firmware's own rules)
iptables -D FORWARD -i br0 -o "$VPN_IF" -j ACCEPT 2>/dev/null
iptables -D FORWARD -i "$VPN_IF" -o br0 -j ACCEPT 2>/dev/null
iptables -D FORWARD -i br0 -o "$WAN_IF" -j DROP 2>/dev/null
iptables -D INPUT -i "$VPN_IF" -j REJECT 2>/dev/null
iptables -t nat -D POSTROUTING -o "$VPN_IF" -j MASQUERADE 2>/dev/null
iptables -I FORWARD -i br0 -o "$VPN_IF" -j ACCEPT
iptables -I FORWARD -i "$VPN_IF" -o br0 -j ACCEPT
iptables -I FORWARD -i br0 -o "$WAN_IF" -j DROP
iptables -I INPUT -i "$VPN_IF" -j REJECT
iptables -t nat -A POSTROUTING -o "$VPN_IF" -j MASQUERADE

# Port forwards - ADD YOUR RULES HERE
# Gaming PC - Multiple games
add_port_forward "192.168.1.100" "25565" "tcp"  # Minecraft
add_port_forward "192.168.1.100" "25565" "udp"
add_port_forward "192.168.1.100" "27015" "tcp"  # Source games
add_port_forward "192.168.1.100" "27015" "udp"

# Web server
add_port_forward "192.168.1.200" "80" "tcp"     # HTTP
add_port_forward "192.168.1.200" "443" "tcp"    # HTTPS

# Torrent client
add_port_forward "192.168.1.150" "51413" "tcp"  # Transmission
add_port_forward "192.168.1.150" "51413" "udp"

# Log successful execution
logger "VPN port forwarding rules applied"

Step 6: Save and Make Executable

In vi editor:

  1. Press ESC to exit insert mode
  2. Type :wq! and press Enter to save

Make script executable:

chmod 755 /jffs/scripts/nat-start

Step 7: Test Configuration

Reboot Router

reboot

Verify Rules Applied

After the reboot, check whether the rules are active:

# List NAT rules
iptables -t nat -L PREROUTING -n -v

# List forward rules
iptables -L FORWARD -n -v | grep 192.168
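Reading the -L tables by eye is error-prone, so here is an added check (not part of this guide) that looks for both rules of a forward in the rule-spec output of iptables -S; the names check_forward, check_live and SAMPLE are my own, and the sample listing is constructed to look like the tables after the Step 5 template has applied only the TCP rule.

```shell
#!/bin/sh
# Added check for Step 7; check_forward, check_live and SAMPLE are assumed names,
# not from the guide. Matches rule tokens individually, so it does not depend on
# the column order iptables -S prints them in.
VPN_IF="tun11"   # same interface as Step 4

# check_forward LISTING DEST_IP PORT PROTO
# LISTING is the text of "iptables -S FORWARD" plus "iptables -t nat -S PREROUTING".
# Prints each missing rule; returns 0 when both are present, 1 otherwise.
check_forward() {
    listing=$1; dest_ip=$2; port=$3; proto=$4; rc=0
    if ! printf '%s\n' "$listing" | grep -- "^-A PREROUTING " | grep -- "-i $VPN_IF " \
            | grep -- "-p $proto " | grep -- "--dport $port " \
            | grep -q -- "-j DNAT --to-destination $dest_ip:$port\$"; then
        echo "missing: DNAT $proto/$port -> $dest_ip"; rc=1
    fi
    if ! printf '%s\n' "$listing" | grep -- "^-A FORWARD " | grep -- "-i $VPN_IF " \
            | grep -- "-d $dest_ip/32 " | grep -- "-p $proto " | grep -- "--dport $port " \
            | grep -q -- "-j ACCEPT\$"; then
        echo "missing: FORWARD accept $proto/$port -> $dest_ip"; rc=1
    fi
    return $rc
}

# Same check against the live tables on the router (run there, as root)
check_live() {
    check_forward "$(iptables -S FORWARD; iptables -t nat -S PREROUTING)" "$@"
}

# Constructed sample listing: the tables after the Step 5 template ran with
# only the TCP forward for 12345 (the UDP rule was left out)
SAMPLE='-P FORWARD ACCEPT
-A FORWARD -i br0 -o vlan1 -j DROP
-A FORWARD -d 192.168.1.100/32 -i tun11 -p tcp -m tcp --dport 12345 -j ACCEPT
-A FORWARD -i tun11 -o br0 -j ACCEPT
-A FORWARD -i br0 -o tun11 -j ACCEPT
-P PREROUTING ACCEPT
-A PREROUTING -i tun11 -p tcp -m tcp --dport 12345 -j DNAT --to-destination 192.168.1.100:12345'

check_forward "$SAMPLE" 192.168.1.100 12345 tcp && echo "tcp forward: ok"
check_forward "$SAMPLE" 192.168.1.100 12345 udp || echo "udp forward: not applied"
```

On the router, `check_live 192.168.1.100 12345 tcp` runs the same test against the live tables.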

Test Port Access

From a network outside your LAN, test the ports:

  • Use Open Port Checker
  • Enter VPN server IP (not your real IP)
  • Enter forwarded port number
  • Should show as "open"

Common Service Configurations

Gaming Servers

Game        Default Ports   Protocol
Minecraft   25565           TCP/UDP
CS:GO       27015           TCP/UDP
Rust        28015           TCP/UDP
Valheim     2456-2458       UDP

Applications

Application      Default Ports   Protocol
qBittorrent      6881            TCP/UDP
Transmission     51413           TCP/UDP
Plex             32400           TCP
Remote Desktop   3389            TCP

Troubleshooting

Ports Not Opening

  • Check VPN connection: Ensure router VPN is connected
  • Verify interface: Confirm correct tun interface with ifconfig
  • Check TorGuard ports: Ensure using assigned ports from client area
  • Firewall on device: Disable local firewall temporarily to test
  • Script permissions: Verify script is executable

Rules Lost After Reboot

  • Ensure JFFS is enabled and formatted
  • Check script exists: ls -la /jffs/scripts/
  • Verify script runs: sh /jffs/scripts/nat-start
  • Check system log: grep nat-start /tmp/syslog.log

VPN Disconnects

If the tunnel is not up yet when nat-start runs, have the script wait for the interface before adding its rules:

# Add to nat-start after VPN_IF is set and before the iptables rules:
# wait for the tunnel interface to appear, giving up after 12 x 5s so a
# VPN that never comes up cannot stall the firewall start indefinitely
tries=0
while [ ! -d "/proc/sys/net/ipv4/conf/$VPN_IF" ] && [ "$tries" -lt 12 ]; do
    sleep 5
    tries=$((tries + 1))
done

Security Best Practices

  1. Limit port exposure: Only forward the ports a service actually needs
  2. Use non-standard ports: Map the externally assigned port to a different internal port rather than exposing the service's default port number
  3. IP restrictions: Restrict forwarding rules to known source addresses where the clients' IPs are predictable
  4. Regular updates: Keep Merlin firmware updated
  5. Monitor logs: Check for unauthorized access attempts
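Practices 2 and 3 need rules the scripts above do not show, so here is an added example (my own code, not from this guide) that forwards an external port to a different internal port and optionally restricts it to one source network; the names fwd_rules and apply_rules and the sample addresses are assumptions. It prints the commands rather than running them so they can be reviewed first.

```shell
#!/bin/sh
# Added example for best practices 1-3; fwd_rules and apply_rules are my names,
# not the guide's. Forwards a TorGuard-assigned external port to a DIFFERENT
# internal port and, optionally, only from one source network.
VPN_IF="tun11"   # same interface as Step 4

# fwd_rules DEST_IP EXT_PORT INT_PORT PROTO [SRC_CIDR]
# Prints the two iptables commands instead of executing them.
fwd_rules() {
    dest_ip=$1; ext_port=$2; int_port=$3; proto=$4; src=""
    [ -n "$5" ] && src=" -s $5"
    # PREROUTING matches the external port and rewrites the destination to DEST_IP:INT_PORT...
    printf 'iptables -t nat -I PREROUTING -i %s%s -p %s --dport %s -j DNAT --to-destination %s:%s\n' \
        "$VPN_IF" "$src" "$proto" "$ext_port" "$dest_ip" "$int_port"
    # ...so by the time the packet reaches FORWARD its port is already INT_PORT:
    # matching EXT_PORT here is the classic mistake that makes remapped forwards fail.
    printf 'iptables -I FORWARD -i %s%s -p %s -d %s --dport %s -j ACCEPT\n' \
        "$VPN_IF" "$src" "$proto" "$dest_ip" "$int_port"
}

# Execute the generated commands (on the router, as root)
apply_rules() { fwd_rules "$@" | sh; }

# Constructed examples: Remote Desktop reachable only from one office range on a
# non-default external port; Plex on its default port from anywhere
fwd_rules 192.168.1.50 45389 3389 tcp 203.0.113.0/24
fwd_rules 192.168.1.200 32400 32400 tcp
```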

Alternative Methods

UPnP (Less Secure)

UPnP can be enabled on the router and in the applications, but it opens ports outside the VPN tunnel and so bypasses the VPN protection.

VPN on Device

Run the VPN client directly on the device that needs the ports instead of router-wide.

Reverse Proxy

Use a tunnelling service such as ngrok for temporary port exposure without touching the router configuration.

✅ Quick Checklist

  • JFFS enabled and formatted
  • Ports requested from TorGuard
  • Correct VPN interface identified
  • Script created with proper rules
  • Script permissions set (755)
  • Router rebooted
  • Ports tested and working
