In an age of Big Data and mass surveillance, a consumer VPN is a great way to stay more secure and private on the Internet. Running a VPN client on your router offers the benefit of seamlessly routing traffic from all devices connected to your LAN through the VPN. This guide shows a DD-WRT user how to configure the OpenVPN Client on an older DD-WRT router (see version notes below) to use the Private Internet Access VPN provider to encrypt and anonymize all Internet traffic on their LAN.

Why Private Internet Access?

There are tons of great consumer VPN companies to choose from. Why Private Internet Access (PIA)? First, you can tell them to donate a portion of your subscription to a worthy non-profit that works for Internet freedom, FightForTheFuture.org. Second, the company has gone on record about their opposition to government mass surveillance. Third, they have no restrictions on running a Tor relay inside their VPN. Finally, they are one of the least expensive VPN services. Bonus! This guide assumes you are a paid subscriber to Private Internet Access, with a PIA username and password.

Full disclosure: I am a (satisfied) customer of PIA, but I have in no way been paid, contacted, encouraged, etc. by them to write this guide. For recommendations for other VPN providers, see the end of this guide.

Note on Download Speeds

Using the OpenVPN Client feature of DD-WRT will likely reduce the maximum Internet download speed on older routers. For example, in my tests, an Asus RT-N16, which has a 480 MHz Broadcom BCM4716 CPU, could deliver a maximum download speed of about 14 Mbps. While this is still fast enough for HD video streaming and most activities, it is a trade-off between performance and privacy.

This is less of an issue with newer, faster routers; those looking for high-performance hardware suggestions should see my guide on how to Install and Configure a DD-WRT Kong Router.

Note on Older vs Newer DD-WRT Revisions

The OpenVPN setup differs between newer and older revisions of DD-WRT. This guide is for older DD-WRT installs, specifically K26 or K3 revision numbers <24710 (this includes Kong build 22000++). If you are running a DD-WRT version greater than that, please see this other guide instead.

A quick way to verify the guide you need: if you have a field named "User Pass Authentication" in the OpenVPN Client settings under the Services > VPN tab in DD-WRT, you have the newer version and need the other guide.

Materials

  • Router with DD-WRT K26 or K3 revision <24710
  • A PC
  • Private Internet Access VPN paid subscription, with a strong password
  • High-speed Internet service

Step 1: Select a VPN Server

You are free to pick any Private Internet Access VPN server you like, but generally OpenVPN connections are faster and more stable with a physically closer server.

  1. In a browser, go to https://www.privateinternetaccess.com/pages/network/
  2. Note the full Hostname of the nearest VPN server. For example, if you reside in Cascadia, pick us-seattle.privateinternetaccess.com

Step 2: Download the PIA OpenVPN Configuration Files

  1. Navigate to the Private Internet Access Client Support page at https://www.privateinternetaccess.com/pages/client-support/
  2. Scroll down to Advanced OpenVPN SSL Usage Guides, and select OPENVPN CONFIGURATION FILES (DEFAULT) to download some files you'll need later.

Step 3: Modify the DD-WRT Basic DNS Settings

By default, DD-WRT uses your ISP's DNS servers. For privacy reasons, we'll instead configure DD-WRT to explicitly use PIA's DNS servers (which technically belong to a company called Level 3); these DNS servers are something of an IT legend in their own right, and superior to OpenDNS or Google in this author's opinion. As a PIA subscriber, you should take advantage of them.

  1. In the DD-WRT Control Panel page, navigate to Setup > Basic Setup.
  2. Under Network Address Server Settings (DHCP), set:
    • Static DNS 1 = 4.2.2.1
    • Static DNS 2 = 4.2.2.2
    • Static DNS 3 = 4.2.2.3
    • Use DNSMasq for DHCP = Checked
    • Use DNSMasq for DNS = Checked
    • DHCP-Authoritative = Checked
  3. Save and Apply Settings.

Step 4: Disable IPv6

  1. Navigate to Administration > Management.
  2. Under IPv6 Support, set IPv6 = Disable.
  3. Save and Apply Settings.

Step 5: Enable Local DNS

  1. Navigate to Services > Services.
  2. We'll remove the ISP's DNS suffix from LAN clients. Under DHCP Server, set Used Domain = LAN & WLAN.
  3. Under DNSMasq, make sure DNSMasq, Local DNS, & No DNS Rebind are all set to Enable.
  4. Save and Apply Settings.

Step 6: Set the OpenVPN Client Parameters

  1. Navigate to Services > VPN.
  2. Under OpenVPN Client, set Start OpenVPN Client = Enable. Other options will appear.
  3. Set Advanced Options to Enable. More options will appear.
  4. Set the following:
    • Server IP/Name = The full hostname of the VPN Server you noted in Step 1: Select a VPN Server
    • Port = 1194
    • Tunnel Device = TUN
    • Tunnel Protocol = UDP
    • Encryption Cipher = Blowfish CBC
    • Hash Algorithm = SHA1
    • TLS Cipher = None
    • LZO Compression = Yes
    • NAT = Enable

Step 7: Set the OpenVPN Additional Config Settings

  1. Enter this for Additional Config:

    auth-user-pass /tmp/password.txt
    persist-key
    persist-tun
    tls-client
    remote-cert-tls server

Step 8: Set the OpenVPN CA Cert

  1. On your PC, unzip the file openvpn.zip which you downloaded earlier.
  2. Open Notepad, then drag the file ca.crt onto Notepad, to open the Private Internet Access CA certificate as a text file.
  3. Ctrl-A to select all text, then Copy it.
  4. On the DD-WRT VPN page, paste the entire CA certificate text into the CA Cert field. Be sure the entire text gets pasted in, including "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----".
  5. Save and Apply Settings.

Step 9: Create a Startup Script With VPN Username and Password

  1. Navigate to Administration > Commands.
  2. Paste the following commands into the Command Shell:

    echo *username* > /tmp/password.txt
    echo *password* >> /tmp/password.txt
    /usr/bin/killall openvpn
    /usr/sbin/openvpn --config /tmp/openvpncl/openvpn.conf --route-up /tmp/openvpncl/route-up.sh --down-pre /tmp/openvpncl/route-down.sh --daemon

    Note: Replace *username* and *password* with your actual PIA username and password. For example, if your PIA username was MyGreatN4me and password was SuperP455w0rd, the first couple of lines would look like this:

    echo MyGreatN4me > /tmp/password.txt
    echo SuperP455w0rd >> /tmp/password.txt

  3. Select Save Startup.
  4. The commands you entered should now show in the Startup box.
  5. Navigate to Administration > Management.
  6. Select Reboot Router. Wait for the router to reboot, then reconnect to it.
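A hardened form of the Step 9 startup commands, added here as an example (it is not the guide's or PIA's own script): it writes the two-line credential file that the auth-user-pass directive from Step 7 reads, restricts that file to root so the VPN password is not world-readable on the router, and only launches the client after checking the file and the DD-WRT-generated config. The PIA_USER/PIA_PASS variables and the sample credentials are placeholders assumed for illustration.

```shell
#!/bin/sh
# Added example, not the guide's or PIA's own script: a hardened form of the
# Step 9 startup commands. It writes the two-line credential file that the
# "auth-user-pass /tmp/password.txt" directive from Step 7 reads, restricts
# it to root, and only launches the client once the file checks out.
# PIA_USER / PIA_PASS and the sample credentials are placeholders (assumed).

AUTH_FILE="${AUTH_FILE:-/tmp/password.txt}"
OPENVPN_DIR="${OPENVPN_DIR:-/tmp/openvpncl}"

# write_auth_file USER PASS FILE
# Line 1 = username, line 2 = password, the layout auth-user-pass expects.
# A single '>' truncates, so a reboot never appends stale lines (the '>>'
# mistake noted in the comments). umask 077 keeps the file root-only from
# the moment it is created; chmod covers a file that already existed.
write_auth_file() {
    ( umask 077 && printf '%s\n%s\n' "$1" "$2" > "$3" ) || return 1
    chmod 600 "$3"
}

# auth_file_ok FILE: succeeds only if FILE has exactly two non-empty lines.
auth_file_ok() {
    [ -r "$1" ] || return 1
    [ "$(wc -l < "$1" | tr -d ' ')" -eq 2 ] || return 1
    ! grep -q '^$' "$1"
}

# start_client DIR AUTHFILE: the guide's launch line, with pre-flight checks.
start_client() {
    auth_file_ok "$2" || { echo "credential file $2 is malformed" >&2; return 1; }
    [ -r "$1/openvpn.conf" ] || { echo "missing $1/openvpn.conf" >&2; return 1; }
    /usr/bin/killall openvpn 2>/dev/null
    /usr/sbin/openvpn --config "$1/openvpn.conf" \
        --route-up "$1/route-up.sh" --down-pre "$1/route-down.sh" --daemon
}

# On the router, DD-WRT has generated $OPENVPN_DIR/openvpn.conf from the GUI
# settings; anywhere else (e.g. sourcing the functions) nothing is launched.
if [ -r "$OPENVPN_DIR/openvpn.conf" ]; then
    write_auth_file "${PIA_USER:-MyGreatN4me}" "${PIA_PASS:-SuperP455w0rd}" "$AUTH_FILE"
    start_client "$OPENVPN_DIR" "$AUTH_FILE"
fi
```

Paste it into the Commands box and Save Startup exactly as in step 3 above; after a reboot, Status > OpenVPN should show the same CONNECTED message as Step 10.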

Step 10: Verify the VPN Is Working

  1. Navigate to Status > OpenVPN.
  2. In the State text, you should see the message "Client: CONNECTED: SUCCESS". If not, check your configuration for typos.

Step 11: Back Up the Settings

Back up your settings, in case you need to roll back later.

  1. Navigate to Administration > Backup.
  2. Select the Backup button, and a configuration file called nvrambak.bin will be downloaded to your PC.
  3. Done!

Step 12: Conclusion and Additional Info

Conclusion

Congratulations, you now have your DD-WRT router set up to automatically encrypt and anonymize the Internet traffic for all devices on your LAN.

Additional Info

Good article on other consumer VPN companies/providers and general info: http://lifehacker.com/5940565/why-you-should-start-using-a-vpn-and-how-to-choose-the-best-one-for-your-needs

VPN Listings and features: That One Privacy Guy’s VPN Comparison Chart

PIA official DD-WRT configuration guide (has some errors): https://www.privateinternetaccess.com/pages/client-support/#ddwrt_openvpn

DD-WRT wiki page on OpenVPN (good info, but not 100% relevant to this guide): http://www.dd-wrt.com/wiki/index.php/OpenVPN

FightForTheFuture.org About page: https://www.fightforthefuture.org/aboutus/index.html

OpenVPN homepage: http://www.dd-wrt.com/wiki/index.php/OpenVPN

Special Thanks

Kong, BrainSlayer, Fractal, Eko, Quidagis, Adam Dachis, Alan Henry, kh1349

Non-Commercial Statement

I haven't been incentivized or compensated in any way by the organizations I've linked or recommended in this guide.

Comments

The error message says "file system is readonly"... How do I save the password now?

Huge help, thanks! Buffalo WZR-HP-G300NH2 router running DD-WRT v21061. No problems getting it to work, except at first, but it was a mistyped password. :-]

Great help. An easier way to do it is through entering Services than following the VPN tab. Router VPN by PureVPN: http://www.purevpn.com/vpn-service/router-vpn.php

Great guide! I fixed an issue with a RESOLVE error by adding the DIRECT IP of the server instead of the hostname that PIA provides. You can get it by asking support or by running nslookup on that server.

Thank you for these, I was using the cumbersome script as described in another thread. I tried this process, but it doesn't seem to be working for me. I've tried 4 times now, double-checking every line, resetting to factory defaults, and confirming using whatismyipaddress. The OpenVPN status state box reads "Server: : Local Address: Remote Address: Client: : Local Address: Remote Address:". I'm using Kong build 24345M with an R7000 router. I've tried, retried, checked and re-checked, and everything is correct. Is there anything I can try, check, or test that might help? Thanks in advance for your help!

Some folks use ">>" instead of ">" at a place in the Startup script where they shouldn't, because the privateinternetaccess official page tells them to. The exact syntax in this guide is the correct one.

But if you've double-checked the DD-WRT config already, it could be something else outside of DD-WRT, like a problem with the ISP's wiring on your house, or an ISP outage in the area. There was a period of a couple of months when my connection would drop randomly, and OpenVPN status read "RESOLVE" or the message you posted. Turned out I had a corroded coaxial junction on the outside of my building. The ISP sent a technician who fixed it, and everything was happy after that.

You might also make sure that QoS is disabled under NAT / QoS > QoS.

You might also try to go to the Command Shell and do a Run Commands for this:

    nvram erase
    nvram commit
    reboot

...it might erase some remnant of the script you referred to that Factory Reset didn't.

It's hard to say what's going on without seeing more of the OpenVPN log (the stuff below the Status line) in your environment, but instead of attempting a resolution here at Instructables, I'd recommend posting it in the DD-WRT forums, where a lot more people than just me will be able to analyze your issue and help.

Good luck!

In step 8, make sure you select ALL the text in that ca.crt file. This INCLUDES the "-----BEGIN CERTIFICATE-----" AND "-----END CERTIFICATE-----".

Thanks, that detail is easy to omit when first starting to work with certificates. I've added it to the guide.

Btw, a HUGE thank you to the OP for this guide. It was very easy to follow, and I greatly appreciate the time you took for it. This guide worked for me on an Asus RT-N66U B1, using DD-WRT v24-sp2 (05/27/14) mega - build 24160 (found at http://www.dd-wrt.com/site/support/other-downloads... under Downloads › others › eko › BrainSlayer-V24-preSP2 › 2014 › 05-27-2014-r24160 › broadcom_K3X > dd-wrt.v24-24160_NEWD-2_K3.x_mega_RT-N66U.trx). I am also a proud supporter of PIA.

Interesting. Thanks for sharing.

About This Instructable

By f1r_CTLF. More by this author: Configure VPN Settings on a DD-WRT Router for Private Internet Access; Install and Configure a DD-WRT Kong Router.