In an age of Big Data and mass surveillance, a consumer VPN is a great way to stay more secure and private on the Internet. Running a VPN client on your router offers the benefit of seamlessly routing traffic from all devices connected to your LAN through the VPN. This guide shows a DD-WRT user how to configure the OpenVPN Client on an older DD-WRT router (see version notes below) to use the Private Internet Access VPN provider to encrypt and anonymize all Internet traffic on their LAN.
Why Private Internet Access?
There are tons of great consumer VPN companies to choose from. Why Private Internet Access (PIA)? First, you can tell them to donate a portion of your subscription to a worthy non-profit that works for Internet freedom, FightForTheFuture.org. Second, the company has gone on record about their opposition to government mass surveillance. Third, they have no restrictions on running a Tor relay inside their VPN. Finally, they are one of the least expensive VPN services. Bonus! This guide assumes you are a paid subscriber to Private Internet Access, with a PIA username and password.
Full disclosure: I am a (satisfied) customer of PIA, but I have in no way been paid, contacted, encouraged, etc. by them to write this guide. For recommendations for other VPN providers, see the end of this guide.
Note on Download Speeds
Using the OpenVPN Client feature of DD-WRT will likely reduce the maximum Internet download speed on older routers. For example, in my tests, an Asus RT-N16, which has a 480 MHz Broadcom BCM4716 CPU, could deliver a maximum download speed of about 14 Mbps. While this is still fast enough for HD video streaming and most activities, it is a trade-off between performance and privacy.
This is less of an issue with newer, faster routers; those looking for high-performance hardware suggestions should see my guide on how to Install and Configure a DD-WRT Kong Router.
Note on Older vs Newer DD-WRT Revisions
The OpenVPN setup differs between newer and older revisions of DD-WRT. This guide is for older DD-WRT installs, specifically K26 or K3 revision numbers <24710 (this includes Kong build 22000++). If you are running a DD-WRT version greater than that, please see this other guide instead.
A quick way to verify the guide you need: if you have a field named "User Pass Authentication" in the OpenVPN Client settings under the Services > VPN tab in DD-WRT, you have the newer version and need the other guide.
- Router with DD-WRT K26 or K3 revision <24710
- A PC
- Private Internet Access VPN paid subscription, with a strong password
- High-speed Internet service
Step 1: Select a VPN Server
You are free to pick any Private Internet Access VPN server you like, but generally OpenVPN connections are faster and more stable with a physically closer server.
- In a browser, go to https://www.privateinternetaccess.com/pages/network/
- Note the full Hostname of the nearest VPN server. For example, if you reside in Cascadia, pick us-seattle.privateinternetaccess.com
Step 2: Download the PIA OpenVPN Configuration Files
- Navigate to the Private Internet Access Client Support page at https://www.privateinternetaccess.com/pages/client-support/
- Scroll down to Advanced OpenVPN SSL Usage Guides, and select OPENVPN CONFIGURATION FILES (DEFAULT) to download some files you'll need later.
Step 3: Modify the DD-WRT Basic DNS Settings
By default, DD-WRT uses your ISP's DNS servers. For privacy reasons, we'll instead configure DD-WRT to explicitly use PIA's DNS servers (which technically belong to a company called Level 3); these DNS servers are something of an IT legend in their own right, and superior to OpenDNS or Google in this author's opinion. As a PIA subscriber, you should take advantage of them.
- In the DD-WRT Control Panel page, navigate to Setup > Basic Setup.
- Under Network Address Server Settings (DHCP), set:
- Static DNS 1 = 184.108.40.206
- Static DNS 2 = 220.127.116.11
- Static DNS 3 = 18.104.22.168
- Use DNSMasq for DHCP = Checked
- Use DNSMasq for DNS = Checked
- DHCP-Authoritative = Checked
- Save and Apply Settings.
Step 4: Disable IPv6
- Navigate to Administration > Management.
- Under IPv6 Support, set IPv6 = Disable.
Save and Apply Settings.
Step 5: Enable Local DNS
- Navigate to Services > Services.
- We'll remove the ISP's DNS suffix from LAN clients. Under DHCP Server, set Used Domain = LAN & WLAN.
- Under DNSMasq, make sure DNSMasq, Local DNS, & No DNS Rebind are all set to Enable.
- Save and Apply Settings.
Step 6: Set the OpenVPN Client Parameters
- Navigate to Services > VPN.
- Under OpenVPN Client, set Start OpenVPN Client = Enable. Other options will appear.
- Set Advanced Options to Enable. More options will appear.
- Set the following:
- Server IP/Name = The full hostname of the VPN Server you noted in Step 1: Select a VPN Server
- Port = 1194
- Tunnel Device = TUN
- Tunnel Protocol = UDP
- Encryption Cipher = Blowfish CBC
- Hash Algorithm = SHA1
- TLS Cipher = None
- LZO Compression = Yes
- NAT = Enable
Step 7: Set the OpenVPN Additional Config Settings
- Enter this for Additional Config:
auth-user-pass /tmp/password.txt persist-key persist-tun tls-client remote-cert-tls server
Step 8: Set the OpenVPN CA Cert
- On your PC, unzip the file openvpn.zip which you downloaded earlier.
- Open Notepad, then drag the file ca.crt onto Notepad, to open the Private Internet Access CA certificate as a text file.
- Ctrl-A to select all text, then Copy it.
- In the the DD-WRT VPN page, paste the entire CA certificate text into the CA Cert field. Be sure the entire text gets pasted in, including "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----".
- Save and Apply Settings.
Step 9: Create a Startup Script With VPN Username and Password
- Navigate to Administration > Commands.
- Paste the following commands into the Command Shell:
echo *username* > /tmp/password.txt echo *password* >> /tmp/password.txt /usr/bin/killall openvpn /usr/sbin/openvpn --config /tmp/openvpncl/openvpn.conf --route-up /tmp/openvpncl/route-up.sh --down-pre /tmp/openvpncl/route-down.sh --daemon
Note: Replace *username* and *password* with your actual PIA username and password. For example, if your PIA username was MyGreatN4me and password was SuperP455w0rd, the first couple of lines would look like this:
echo MyGreatN4me > /tmp/password.txt echo SuperP455w0rd >> /tmp/password.txt
3. Select Save Startup.
4. The commands you entered should now show in the Startup box.
5. Navigate to Administration > Management.
6. Select Reboot Router. Wait for the router to reboot, then reconnect to it.
Step 10: Verify the VPN Is Working
- Navigate to Status > OpenVPN.
- In the State text, you should see the message "Client: CONNECTED: SUCCESS". If not, check your configuration for typos.
Step 11: Backup the Settings
Backup your settings, in case you need to roll back later.
- Navigate to Administration > Backup.
- Select the Backup button, and a configuration file called nvrambak.bin will be downloaded to your PC.
Step 12: Conclusion and Additional Info
Congratulations, you now have your DD-WRT router setup to automatically encrypt and anonymize the Internet traffic for all devices on your LAN.
Good article on other consumer VPN companies/providers and general info: http://lifehacker.com/5940565/why-you-should-start-using-a-vpn-and-how-to-choose-the-best-one-for-your-needs
VPN Listings and features: That One Privacy Guy’s VPN Comparison Chart
PIA official DD-WRT configuration guide (has some errors): https://www.privateinternetaccess.com/pages/client-support/#ddwrt_openvpn
DD-WRT wiki page on OpenVPN (good info, but not 100% relevant to this guide): http://www.dd-wrt.com/wiki/index.php/OpenVPN
FightForTheFuture.org About page: https://www.fightforthefuture.org/aboutus/index.html
OpenVPN homepage: http://www.dd-wrt.com/wiki/index.php/OpenVPN
I haven't been incentivized or compensated in any way by the organizations I've linked or recommended in this guide.