Configuring a NordVPN IKEv2 client on the TP-Link ER605 V2 router, and alternative device options
Hey Blake, let's break down your problem into two clear parts: getting IKEv2 working on your ER605 V2, and alternative devices if you'd rather avoid firmware tinkering.
I. Workable options for configuring NordVPN IKEv2 on the TP-Link ER605 V2
Hard limitation of the stock firmware
First off, you're right—TP-Link's stock firmware for the ER605 V2 only supports IKEv2 with pre-shared key (PSK) authentication, which NordVPN doesn't offer for their IKEv2 service. They rely solely on EAP-MSCHAPv2 (username + password) for IKEv2, so stock firmware is a dead end here.
Custom firmware (OpenWrt) solution
Good news: the ER605 V2 is officially supported by OpenWrt! Once you flash OpenWrt, you can use strongSwan (a robust open-source IPsec/IKEv2 tool) to set up an IKEv2 client that works with NordVPN's authentication method, no PSK required.
Here's a quick step-by-step to get you started:
- Flash OpenWrt: Grab the correct firmware from the OpenWrt official site, follow their flashing guide (don't forget to back up your stock firmware first—bricking is rare but possible!).
- Install strongSwan: Either use the LuCI web interface to search for and install the `strongswan`, `strongswan-eap-mschapv2`, and `strongswan-mod-openssl` packages, or SSH into the router and run:
  ```
  opkg update && opkg install strongswan strongswan-eap-mschapv2 strongswan-mod-openssl
  ```
- Configure the IKEv2 client:
  - Edit `/etc/ipsec.conf` and add this configuration (replace `<NordVPN server address>` with a nearby IKEv2 server from NordVPN's official list, and `<your NordVPN username>` with your actual username):
    ```
    conn nordvpn-ikev2
        keyexchange=ikev2
        left=%defaultroute
        leftauth=eap-mschapv2
        leftsourceip=%config
        right=<NordVPN server address>
        rightauth=pubkey
        rightid=%any
        rightsubnet=0.0.0.0/0
        eap_identity=<your NordVPN username>
        auto=start
    ```
  - Edit `/etc/ipsec.secrets` to add your NordVPN credentials:
    ```
    <your NordVPN username> : EAP "<your NordVPN password>"
    ```
- Set up firewall rules: Make sure the router allows IPsec traffic: either use LuCI to enable IPsec forwarding in the firewall settings, or add rules to allow UDP ports 500 and 4500.
- Start the service: Run `ipsec start` to launch the tunnel, then enable auto-start on boot with `/etc/init.d/strongswan enable`.
This setup should give you much better speeds than OpenVPN, since IKEv2 is more efficient and OpenWrt's optimizations fix the stock firmware's performance bottlenecks.
II. Recommended alternative VPN gateway devices
If flashing firmware feels too risky or you just want a plug-and-play solution, these bare-bones devices work perfectly as dedicated IKEv2 client gateways (you can disable WiFi on all of them if you don't need it):
1. Raspberry Pi series (software router)
- Raspberry Pi 4 (2GB+ RAM): Super cost-effective, handles up to 500Mbps VPN traffic easily. Install OpenWrt or Ubuntu Server, then configure strongSwan just like the ER605 V2 setup above. Pick the non-WiFi model to save a few bucks, or disable WiFi in the system settings.
- Raspberry Pi Zero 2 W: Cheaper option for lower-bandwidth networks (100Mbps or less), still works great for IKEv2 tunneling.
2. GL.iNet mini routers
- GL-AR750S: A tiny, reliable device with stock firmware that directly supports IKEv2 clients. Just plug in your NordVPN username, password, and server address, disable WiFi in settings, and you're done. It can handle up to 300Mbps VPN traffic.
- GL-MT300N-V2: Even smaller and more affordable, perfect for small households with lower bandwidth needs. Same easy IKEv2 configuration as the AR750S.
3. Entry-level ASUS routers
- RT-AX55: Stock firmware supports IKEv2 clients with EAP authentication (no PSK needed). Disable WiFi in settings, connect its WAN port to your modem and LAN port to your main switch, and it'll route all your network traffic through NordVPN's IKEv2 tunnel. It's stable and can handle 500Mbps+ bandwidth.
Tips
- Always pick a NordVPN IKEv2 server close to your location for the best speed—you can find the full list on their official website.
- For any gateway device, make sure the WAN port connects to your modem and the LAN port connects to your main switch to route all network traffic through the VPN.
Note: content sourced from Stack Exchange; question asked by Blake
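An added example, not part of the original answer: a POSIX shell pre-flight check for the two strongSwan files edited in section I. It flags an `/etc/ipsec.secrets` readable beyond its owner, placeholders that were never filled in, and `rightid=%any`; the function names `conn_value` and `audit_ikev2` and the choice of checks are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original answer): audit the strongSwan client
# files from section I. Function names and the choice of checks are assumptions.

# Print the value of key $2 inside "conn $1" of the ipsec.conf file $3.
conn_value() {
    awk -v conn="$1" -v key="$2" '
        /^[ \t]*#/   { next }                             # comment line
        /^conn[ \t]/ { in_conn = ($2 == conn); next }     # section header
        /^[^ \t]/    { in_conn = 0 }                      # another section starts
        in_conn {
            line = $0; sub(/^[ \t]+/, "", line)
            n = index(line, "=")
            if (n && substr(line, 1, n - 1) == key) { print substr(line, n + 1); exit }
        }' "$3"
}

# Print one WARN line per finding and return the number of findings.
# With no arguments it reads the paths and conn name used on this page.
audit_ikev2() {
    conf=${1:-/etc/ipsec.conf} secrets=${2:-/etc/ipsec.secrets} conn=${3:-nordvpn-ikev2}
    findings=0
    warn() { echo "WARN: $*"; findings=$((findings + 1)); }

    # ipsec.secrets stores the EAP password in clear text: owner-only access.
    [ "x$(ls -ld "$secrets" 2>/dev/null | cut -c5-10)" = "x------" ] ||
        warn "$secrets is missing or open to group/other (chmod 600 $secrets)"

    # Values still in <...> form mean the template was never filled in.
    for key in right eap_identity; do
        case "$(conn_value "$conn" "$key" "$conf")" in
            "" | "<"*) warn "$key is unset or still a placeholder in conn $conn" ;;
        esac
    done

    # rightid=%any accepts any identity whose certificate chains to a trusted
    # CA, so the client is not tied to the gateway named in right=.
    [ "$(conn_value "$conn" rightid "$conf")" != "%any" ] ||
        warn "rightid=%any: set rightid to the identity in the server certificate"

    # The gateway must prove itself with a certificate (as on this page).
    [ "$(conn_value "$conn" rightauth "$conf")" = "pubkey" ] ||
        warn "rightauth is not pubkey in conn $conn"
    return "$findings"
}
```

On the router, run `audit_ikev2` after editing both files and before `ipsec start`; the exit status is the number of findings.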




