
In an age of Big Data and mass surveillance, a consumer VPN is a great way to stay more secure and private on the Internet. Running a VPN client on your router offers the benefit of seamlessly routing traffic from all devices connected to your LAN through the VPN. This guide shows a DD-WRT user how to configure the OpenVPN Client on a DD-WRT router to use the Private Internet Access VPN provider to encrypt and anonymize all Internet traffic on their LAN.

Why Private Internet Access?

There are tons of great consumer VPN companies to choose from. Why Private Internet Access (PIA)? First, you can tell them to donate a portion of your subscription to a worthy non-profit that works for Internet freedom, FightForTheFuture.org. Second, the company has gone on record about their opposition to government mass surveillance. Third, they have no restrictions on running a Tor relay inside their VPN. Finally, they are one of the least expensive VPN services. Bonus! This guide assumes you are a paid subscriber to Private Internet Access, with a PIA username and password.

Full disclosure: I am a (satisfied) customer of PIA, but I have in no way been paid, contacted, encouraged, etc. by them to write this guide. For recommendations for other VPN providers, see the end of the guide.

Note on DD-WRT Older vs Newer Revisions

OpenVPN setup on DD-WRT differs between older and newer revisions. Some older routers are actually more stable on old K26 builds, or even require them, so I have written a guide specifically for those older DD-WRT versions. This guide, however, is written for newer builds, specifically Kong revisions >24710. If you followed my Instructable on how to Install and Configure a DD-WRT Kong Router on the NETGEAR R7000 router, you are all set for this VPN guide.

Materials

  • Router with DD-WRT revision greater than 24710 installed (recommend the NETGEAR R7000)
  • A PC
  • Private Internet Access VPN paid subscription, with a strong password
  • High-speed Internet service

Step 1: Select a VPN Server

You are free to pick any Private Internet Access VPN server you like, but generally OpenVPN connections are faster and more stable with a physically closer server.

  1. In a browser, go to https://www.privateinternetaccess.com/pages/network/
  2. Note the full Hostname of the nearest VPN server. For example, if you reside in Cascadia, pick us-seattle.privateinternetaccess.com

Step 2: Download the PIA OpenVPN Configuration Files

  1. Navigate to the Private Internet Access Client Support page at https://www.privateinternetaccess.com/pages/client-support/
  2. Scroll down to Advanced OpenVPN SSL Usage Guides, and select OPENVPN CONFIGURATION FILES (DEFAULT) to download some files you'll need later.

Step 3: Modify the DD-WRT Basic DNS Settings

By default, DD-WRT uses your ISP's DNS servers. For privacy reasons, we'll instead configure DD-WRT to explicitly use PIA's DNS servers (which technically belong to a company called Level 3); these DNS servers are something of an IT legend in their own right, and superior to OpenDNS or Google in this author's opinion. As a PIA subscriber, you should take advantage of them.

  1. In the DD-WRT Control Panel page, navigate to Setup > Basic Setup.
  2. Under Network Address Server Settings (DHCP), set:
    • Static DNS 1 = 4.2.2.1
    • Static DNS 2 = 4.2.2.2
    • Static DNS 3 = 4.2.2.3
    • Use DNSMasq for DHCP = Checked
    • Use DNSMasq for DNS = Checked
    • DHCP-Authoritative = Checked
  3. Save and Apply Settings.

Step 4: Disable IPv6

  1. Navigate to Setup > IPV6.
  2. Make sure IPv6 is set to Disable, then Save & Apply Settings.

Step 5: Enable Local DNS

  1. Navigate to Services > Services.
  2. We'll remove the ISP's DNS suffix from LAN clients. Under DHCP Server, set Used Domain = LAN & WLAN.
  3. Under DNSMasq, make sure DNSMasq, Local DNS, & No DNS Rebind are all set to Enable.
  4. Save and Apply Settings.

Step 6: Set the OpenVPN Client Parameters

  1. Navigate to Services > VPN.
  2. Under OpenVPN Client, set Start OpenVPN Client = Enable. Other options will appear.
  3. Set Advanced Options to Enable. More options will appear.
  4. Set the following:
  • Server IP/Name = The full hostname of the VPN Server you noted in Step 1: Select a VPN Server
  • Port = 1194
  • Tunnel Device = TUN
  • Tunnel Protocol = UDP
  • Encryption Cipher = Blowfish CBC
  • Hash Algorithm = SHA1
  • User Pass Authentication = Enable
  • Username, Password = Your PIA username & password
  • TLS Cipher = None
  • LZO Compression = Yes
  • NAT = Enable

5. (Optional) This VPN provider offers an undocumented and unsupported AES128 cipher option that may give a modest (~9%) download speed improvement. If you're OK with all that, change these settings:

  • Port = 1196
  • Encryption Cipher = AES-128 CBC

Step 7: Set the OpenVPN Additional Config Settings

  1. Enter this for Additional Config:
persist-key
persist-tun
tls-client
remote-cert-tls server
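
The settings from Steps 6 and 7 end up as an OpenVPN client config on the router. The script below is an added example, not part of the original guide and not code from DD-WRT or PIA: it audits such a config for the choices that matter most for security (cipher block size, HMAC, compression, server-certificate checking, credentials file permissions). The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original guide. Audits an OpenVPN client
# config like the one DD-WRT builds from the Step 6 and Step 7 settings.

# conf_get FILE DIRECTIVE: print the first argument of the last matching
# line ("-" if it has no argument); print nothing if the directive is absent.
conf_get() {
    awk -v d="$2" '
        { gsub(/\r/, ""); sub(/[#;].*/, "") }   # drop CRs and comments
        $1 == d { v = ($2 == "" ? "-" : $2); seen = 1 }
        END { if (seen) print v }
    ' "$1"
}

# audit_openvpn_conf FILE: print one finding per line, return 0 if no WARN.
audit_openvpn_conf() {
    a_conf=$1
    a_warns=0
    a_warn() { a_warns=$((a_warns + 1)); echo "WARN $*"; }

    a_v=$(conf_get "$a_conf" cipher | tr 'A-Z' 'a-z')
    case "$a_v" in
        "") a_warn "cipher: not set, the OpenVPN build default applies" ;;
        bf-*|des-*|cast5-*|rc2-*)
            a_warn "cipher: $a_v has a 64-bit block, prefer an AES cipher" ;;
        *)  echo "OK   cipher: $a_v" ;;
    esac

    a_v=$(conf_get "$a_conf" auth | tr 'A-Z' 'a-z')
    case "$a_v" in
        none|md5) a_warn "auth: $a_v is too weak for packet authentication" ;;
        ""|sha1)  echo "INFO auth: HMAC-SHA1 (the OpenVPN default) is in use" ;;
        *)        echo "OK   auth: $a_v" ;;
    esac

    case "$(conf_get "$a_conf" comp-lzo)" in
        ""|no) echo "OK   comp-lzo: compression is off" ;;
        *)     a_warn "comp-lzo: compressing before encrypting can leak" \
                      "plaintext through packet sizes" ;;
    esac

    if [ "$(conf_get "$a_conf" remote-cert-tls)" = server ] ||
       [ "$(conf_get "$a_conf" ns-cert-type)" = server ]; then
        echo "OK   server certificate usage is checked"
    else
        a_warn "remote-cert-tls: missing, so a certificate issued for client" \
               "use by the same CA would be accepted as the server"
    fi

    if [ -z "$(conf_get "$a_conf" ca)$(conf_get "$a_conf" '<ca>')" ]; then
        a_warn "ca: no CA certificate, the server cannot be authenticated"
    fi

    a_v=$(conf_get "$a_conf" auth-user-pass)
    if [ -f "$a_v" ]; then      # only checked when the file is present
        case "$(ls -ld "$a_v" | cut -c5-10)" in
            ------) echo "OK   auth-user-pass: $a_v is owner-only" ;;
            *) a_warn "auth-user-pass: $a_v is group or others accessible" ;;
        esac
    fi
    [ "$a_warns" -eq 0 ]
}

# Constructed sample mirroring the guide's settings (Blowfish, SHA1, LZO).
write_sample_conf() {
    cat > "$1" <<'EOF'
client
dev tun1
proto udp
remote us-seattle.privateinternetaccess.com 1194
cipher bf-cbc
auth sha1
auth-user-pass /tmp/openvpncl/credentials
comp-lzo yes
ca /tmp/openvpncl/ca.crt
persist-key
persist-tun
tls-client
remote-cert-tls server
EOF
}

sample="${TMPDIR:-/tmp}/openvpncl-sample.$$.conf"
write_sample_conf "$sample"
audit_openvpn_conf "$sample" || echo "=> review the WARN lines above"
rm -f "$sample"
```

Compression and cipher must match what the VPN server accepts, so treat the WARN lines as items to raise with the provider's supported options rather than settings to flip blindly.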

Step 8: Set the OpenVPN CA Cert

  1. On your PC, unzip the file openvpn.zip which you downloaded earlier.
  2. Open Notepad, then drag the file ca.crt onto Notepad, to open the Private Internet Access CA certificate as a text file.
  3. Ctrl-A to select all text, then Copy it.
  4. In the DD-WRT VPN page, paste the entire CA certificate text into the CA Cert field. Be sure the entire text gets pasted in, including "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----".
  5. Save and Apply Settings.

Step 9: Verify the VPN Is Working

  1. Navigate to Status > OpenVPN.
  2. Under State, you should see the message "Client: CONNECTED SUCCESS". If not, check your configuration for typos.
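
When the state is not "CONNECTED SUCCESS", the OpenVPN client log usually says which step went wrong. The script below is an added example, not part of the original guide: it classifies a saved copy of the client log by its most recent decisive line and points back to the step to revisit. The function names and the sample log lines are constructed; the message strings matched are the ones OpenVPN itself logs.

```shell
#!/bin/sh
# Added example, not part of the original guide: classify an OpenVPN client
# log when Status > OpenVPN does not show "CONNECTED SUCCESS".

# vpn_log_verdict FILE: print the state implied by the most recent decisive
# log line: CONNECTED, DNS_FAILURE, AUTH_FAILED, CERT_REJECTED, TLS_TIMEOUT
# or UNKNOWN. Later lines override earlier ones, because OpenVPN retries.
vpn_log_verdict() {
    awk '
        /Initialization Sequence Completed/    { s = "CONNECTED" }
        /RESOLVE: Cannot resolve host address/ { s = "DNS_FAILURE" }
        /AUTH_FAILED/                          { s = "AUTH_FAILED" }
        /VERIFY ERROR/                         { s = "CERT_REJECTED" }
        /TLS key negotiation failed/           { s = "TLS_TIMEOUT" }
        END { print (s == "" ? "UNKNOWN" : s) }
    ' "$1"
}

# vpn_log_warnings FILE: print each distinct WARNING message once, in order.
vpn_log_warnings() {
    awk '/WARNING: / { sub(/^.*WARNING: /, ""); if (!seen[$0]++) print }' "$1"
}

# vpn_log_hint VERDICT: map a verdict to the step of the guide to revisit.
vpn_log_hint() {
    case "$1" in
        CONNECTED)     echo "tunnel is up" ;;
        DNS_FAILURE)   echo "router cannot resolve the server name: check the WAN link and the Step 3 DNS entries" ;;
        AUTH_FAILED)   echo "server rejected the login: re-enter the Step 6 username and password" ;;
        CERT_REJECTED) echo "server certificate failed verification: re-paste the whole Step 8 CA cert" ;;
        TLS_TIMEOUT)   echo "no TLS reply: check the Step 6 port and protocol, and upstream firewalls" ;;
        *)             echo "no decisive line found in the log" ;;
    esac
}

# Constructed sample logs (kinds: dns, recovered, auth), for offline runs.
sample_log() {
    if [ "$1" = auth ]; then
        echo "20150101 10:00:09 N AUTH: Received control message: AUTH_FAILED"
        return 0
    fi
    cat <<'EOF'
20150101 10:00:02 W WARNING: file '/tmp/openvpncl/credentials' is group or others accessible
20150101 10:00:07 N RESOLVE: Cannot resolve host address: us-seattle.privateinternetaccess.com: Try again
20150101 10:00:12 W WARNING: file '/tmp/openvpncl/credentials' is group or others accessible
20150101 10:00:17 N RESOLVE: Cannot resolve host address: us-seattle.privateinternetaccess.com: Try again
EOF
    if [ "$1" = recovered ]; then
        echo "20150101 10:01:30 I Initialization Sequence Completed"
    fi
}

log="${TMPDIR:-/tmp}/openvpncl-sample.$$.log"
sample_log dns > "$log"
verdict=$(vpn_log_verdict "$log")
echo "$verdict: $(vpn_log_hint "$verdict")"
vpn_log_warnings "$log" | sed 's/^/warning: /'
rm -f "$log"
```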

Step 10: (Optional) Overclock the Router CPU

WARNING!

Overclocking has real benefits, but could overheat your router and damage it. Don't sue if you break your stuff! The following instructions and statements pertain specifically to the NETGEAR R7000 router (Broadcom BCM4709A0 CPU), which is the recommended router for this guide.

That being said, overclocking is known to increase NAT Routing Performance and OpenVPN performance. Kong's changelog shows some test results where a 20% CPU overclock increased WAN-LAN throughput by about 20% in very high throughput scenarios.

What Is the Safe CPU Temperature Range?

Kong has stated in the DD-WRT forums that this router has a good amount of thermal headroom: "...the R7000 definitely does not need any extra cooling as these chips can easily do 90 degrees." Other posts about ARM CPUs generally agree that a core temperature under 80-90 C is considered safe.

What Is the Recommended Overclock?

The DD-WRT wiki page for the NETGEAR R7000 states this router "supports CPU overclocking (1200MHz and 1400MHz possible)". Higher than that will be unstable. In general, avoid overclocking the RAM on this router. Further discussion of overclocking settings can be found in the DD-WRT forums.

1200 MHz or 1400 MHz are good bets.

Analysis

Below are some of my own real-world VPN performance results with CPU temperatures under load, comparing stock speed to overclocked. All VPN speed tests were performed using a 50 Mbps Internet speed tier, running speedtest.net 3 times on a wired client, and averaging the results.

CPU Clock (MHz) = 1000 MHz (stock)
Avg Download Speed (Mbps) = 37.10
Avg Load CPU Temp (C) = 67.10

CPU Clock (MHz) = 1200 MHz
Avg Download Speed (Mbps) = 38.63
Avg Load CPU Temp (C) = 66.9

CPU Clock (MHz) = 1400 MHz
Avg Download Speed (Mbps) = 42.90
Avg Load CPU Temp (C) = 67.30

The highest measured VPN throughput achieved in the 1400 MHz test was 44.17 Mbps; that's not much less than the non-VPN speed of 50 Mbps! As these numbers show, it's possible to achieve the maximum stable overclock of 1400 MHz with little impact to CPU temps, even under the load of an Internet speed test. It would seem VPN throughput is CPU-bound, as the router crunches the crypto math for the VPN, so every bit of CPU speed helps.

The numbers also suggest that, if you have Internet service slower than 37 Mbps, there would be no benefit from overclocking, so don't bother. Likewise, if you have Internet service faster than 50 Mbps, you might want to experiment with the max speed you can get over VPN, then downgrade your Internet service to match it, saving money on your ISP bill in the process.

How to Overclock

Here are the steps to achieve the highest stable (YMMV) overclock:

  1. Navigate to Administration > Commands.
  2. Paste the following commands into the Command Shell:
nvram set clkfreq=1400,800
nvram commit && reboot
     Note: The factory clock setting for the NETGEAR R7000 is 1000,800 (1000 MHz CPU, 800 MHz RAM).
  3. Select Run Commands. The router will reboot.
  4. Once rebooted, navigate to Administration > Commands again, and enter the following command to check the speed settings:
nvram get clkfreq
     Note: You should see output of "1400,800".
  5. You can also see CPU Clock, Load, and Temperature on DD-WRT's Status > Router page, under CPU.

Step 11: Backup the Settings

Back up your settings, in case you need to roll back later.

  1. Navigate to Administration > Backup.
  2. Select the Backup button, and a configuration file called nvrambak.bin will be downloaded to your PC.
  3. Done!

Step 12: Conclusion and Additional Info

Conclusion

Congratulations, you now have your DD-WRT router set up to automatically encrypt and anonymize the Internet traffic for all devices on your LAN.

Additional Info

Good article on other consumer VPN companies/providers and general info: http://lifehacker.com/5940565/why-you-should-start-using-a-vpn-and-how-to-choose-the-best-one-for-your-needs

VPN Listings and features: That One Privacy Guy’s VPN Comparison Chart

PIA official DD-WRT configuration guide (has some errors): https://www.privateinternetaccess.com/pages/client-support/#ddwrt_openvpn

DD-WRT wiki page on OpenVPN (good info, but not 100% relevant to this guide): http://www.dd-wrt.com/wiki/index.php/OpenVPN

FightForTheFuture.org About page: https://www.fightforthefuture.org/aboutus/index.html

OpenVPN homepage: http://openvpn.net/

Special Thanks
Kong, BrainSlayer, Fractal, Eko, Magnetron1.1, Quidagis, Adam Dachis, Alan Henry, kh1349

Non-Commercial Statement

I haven't been incentivized or compensated in any way by the organizations I've linked or recommended in this guide.

<p>These instructions are no good. Bricked my R7000 router attempting to overclock. Please, please avoid overclocking, not worth bricking a perfectly good router. Also, the PIA settings are wrong. Ironically, it says the PIA website is wrong. Other way around, pal. Use these from PIA directly. You'll thank me later.</p><p>https://www.privateinternetaccess.com/pages/client-support/dd-wrt-openvpn</p>
<p>Any suggestions on how to configure an r7000 with a Static IP for the WAN connection? There are no spaces below the DHCP settings for the three Static DNS entries with the router set for static IP. Thanks.</p>
<p>I am using a flashed Cisco e2500 V.1 router. My settings do not have an option for IPV6 under Setup. </p><p>Nor do I have the following options under Services&gt;VPN:</p><ul><li>User Pass Authentication = <strong>Enable</strong> <li>Username, Password = Your PIA username &amp; password </ul><p>Is there a workaround for this?</p>
<p>guide for OLD BUILDS without password option to enable</p><p>you don't have this option &quot;User Pass Authentication = <strong>Enable&quot; ,</strong></p><p><strong>use this guide<br></strong></p><p><a href="https://www.privateinternetaccess.com/pages/client-support/dd-wrt-openvpn-older-build" rel="nofollow">https://www.privateinternetaccess.com/pages/client...</a></p>
<p>link for the certificate if you don't have it yet:</p><p><a href="https://www.privateinternetaccess.com/openvpn/openvpn.zip" rel="nofollow">https://www.privateinternetaccess.com/openvpn/open...</a></p><p>have nice day .</p>
<p>You can try to set up commands on start up. The HMA instructions on their website talks through this quite well, but I don't know if it actually works - never got HMA working!</p>
<p>Hi George, I am in the same boat you are, any solution for this? Maybe we have to flash a different DD-WRT firmware to the router, please let me know if you got this fixed. Thanks</p>
<p>I've done this and it works like a dream. I initially left my router set with the ISP's DNS, but this blocked some sites - even though I was in VPN! So I've changed to using PIA VPNs. They have overcome this but, default Google searches always default to US results - painful. Are there Good DNS available that will be UK based?</p><p>Thanks</p>
<p>No success sadly. Same as my attempts to get HMA on this build. I'm certain its because I can't connect to the internet out of my WAN port and am connecting to my ISPs router through the LAN port and I'm getting blocked in the ISP router. Any advice greatly appreciated.</p><p>Clientlog: <br> <br>20150830 17:28:02 I OpenVPN 2.3.4 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Aug 15 2014 <br> <br> <br>20150830 17:28:02 I library versions: OpenSSL 1.0.1i 6 Aug 2014 LZO 2.08 <br> <br> <br>20150830 17:28:02 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:16 <br> <br> <br>20150830 17:28:02 W WARNING: file '/tmp/openvpncl/credentials' is group or others accessible <br> <br> <br>20150830 17:28:02 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts <br> <br> <br>20150830 17:28:02 Socket Buffers: R=[180224-&gt;131072] S=[180224-&gt;131072] <br> <br> <br>20150830 17:28:07 N RESOLVE: Cannot resolve host address: uk-london.privateinternetaccess.com: Try again <br> <br> <br>20150830 17:28:12 N RESOLVE: Cannot resolve host address: uk-london.privateinternetaccess.com: Try again <br> <br> <br>20150830 17:28:12 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16 <br> <br> <br>20150830 17:28:12 D MANAGEMENT: CMD 'state' <br> <br> <br>20150830 17:28:12 MANAGEMENT: Client disconnected <br> <br> <br>20150830 17:28:12 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16 <br> <br> <br>20150830 17:28:12 D MANAGEMENT: CMD 'state' <br> <br> <br>20150830 17:28:12 MANAGEMENT: Client disconnected <br> <br> <br>20150830 17:28:12 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16 <br> <br> <br>20150830 17:28:12 D MANAGEMENT: CMD 'state' <br> <br> <br>20150830 17:28:12 MANAGEMENT: Client disconnected <br> <br> <br>20150830 17:28:12 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16 <br> <br> <br>20150830 17:28:12 D MANAGEMENT: CMD 'status 2' <br> <br> <br>20150830 17:28:12 MANAGEMENT: Client 
disconnected <br> <br> <br>20150830 17:28:12 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16 <br> <br> <br>20150830 17:28:12 D MANAGEMENT: CMD 'log 500' <br> <br> <br>19700101 02:00:00 <br> <br><br> <br>ca /tmp/openvpncl/ca.crt <br>management 127.0.0.1 16 <br>management-log-cache 100 <br>verb 3 <br>mute 3 <br>syslog <br>writepid /var/run/openvpncl.pid <br>client <br>resolv-retry infinite <br>nobind <br>persist-key <br>persist-tun <br>script-security 2 <br>dev tun1 <br>proto udp <br>cipher bf-cbc <br>auth sha1 <br>auth-user-pass /tmp/openvpncl/credentials <br>remote uk-london.privateinternetaccess.com 1194 <br>comp-lzo yes <br>tun-mtu 1500 <br>mtu-disc yes <br>fast-io <br>tun-ipv6 <br>persist-key <br>persist-tun <br>tls-client <br>remote-cert-tls server</p>
<p>I didn't find any errors between this and the instruction from PIA,</p><p>https://www.privateinternetaccess.com/pages/client-support/dd-wrt-openvpn</p><p>Either I didn't notice it or they might have corrected.</p><p>The only part that is different from this on PIA is &quot;Step 8. If there is a DNS Suffix, Remove that&quot;</p><p>I did not find this in here, do I have to do anything?</p><p>Other than that all working for now, will get back if anything needed.</p><p>Thank you,</p>
<p>Hello,</p><p>I would like to know, it is possible that I can use on my &quot;netgear r7000 &amp; kongs last dd-wrt) following:</p><p> I use &amp; need it really a dns-service (dns4me.net) for my Sonos Network for Pandora Radio &amp; Songza Music, without I can't live with it in Germany!</p><p>1... is it possible, that I use the dns4me.net IP&acute;s, without the dns IP&acute;s from PIA ???(like 4.2.2.1 &amp; 4.2.2.2 &amp; 4.2.2.3)</p><p>2. What for Settings like &quot;dns-masque&quot; or other stuff I have to change?</p><p>3. Maybe you know other special tricks (ip range, port forwarding or triggering, ...)?</p><p>Thank you, for this great Tutorials :))</p>
<p>I use the following tutorial for my iPad and it worked great for me.<br>http://www.vpnranks.com/how-to-setup-vpn-on-ipad/</p>
<p>Cant get this to work. The traffic wont pass through the VPN...</p>
Can you send me ca cert file so i can copy and paste
<p>openvpn ca cert is:</p>
<p>Server: </p><p>: </p><p>Local Address: </p><p>Remote Address: <br>Client: </p><p>: </p><p>Local Address: </p><p>Remote Address:</p>
<p>how does this work?</p><p>http://imgur.com/8uDY2P6</p>
<p>http://imgur.com/8uDY2P6</p>
<p>There is a US-based company called FlashRouters that sells PIA pre-configured routers, which is pretty great, as you can avoid the potential for bricking your router, which would void the warranty with the original manufacturer. These guides are super helpful, but if someone is inexperienced (like me), I suggest they take the jump and buy a preconfigured device from FlashRouters.</p>
<p>Before setting up the VPN Server, you must first make sure your installed build of DD-WRT includes the PPTP VPN features. You can configure any vpn setting with DD-WRT by following the simple steps from here http://www.bestvpnservice.com/blog/dd-wrt-vpn-routers-setup-and-list to setup vpn on dd-wrt router with PPTP</p>
<p>Thanks for this! It worked out great. That being said, do you know how to set up my DD-WRT so that only select IPs connect through a VPN instead of all devices going through a VPN? For example, I have a camera that I would like to connect via VPN but I don't want the entire network to have to go through a VPN (because of slower speeds). Thanks again for making this.</p>
<p>I have better VPN than PIA: <br> <br>http://www.purevpn.com/vpn-service/router-vpn.php</p>
<p>It won't let me Apply Settings after save. Do I have to set up something else too or do something differently? Because I meet all the requirements and did the steps 100% (copy-pasted all). Any suggestion?</p>
<p>I have done some experiments. I saved and applied settings 1 by 1. It will let me save and apply settings, except for username and password. When I try to do that, it will not save and will not apply settings, but all the other things I could set up. The problem is that username+password is kinda crucial...</p>
Tks. Can u also do a pptp connection on pia too?
<p>Thank you for the Excellent Setup, used to setup a WNDR3700 Router source with PIA step by step only there is no overclock. Worked the 1st time. However uncertain about the DNS servers would an open source server be better or just anything is better than Public or ISP addresses? </p>
For step 6, I recommend the following changes in the configuration to ensure that your speed is much faster:<br><br>Port 1196<br>Cipher encryption: AES-128-CBC<br><br>The one suggested in step 6 is blowfish CBC using port 1194. This setting will slow down your Internet speed big time. <br><br>So use what I suggested instead. <br><br>
<p>Thanks for bringing this up. I've been watching the AES128 chatter about PIA since it was discovered by the user community.</p><p>I've tested with AES128 a bit, either cipher has worked fine for me, and I would recommend either from a purely technical standpoint. That being said, here are some of my thoughts about adding it to my Instructable:</p><p><strong>1) Enduser support:</strong> The AES128 option for routers and open source clients is <u>COMPLETELY UNDOCUMENTED AND UNSUPPORTED</u> by PIA. That means they could end it at any time without warning, leaving my audience (many are novices) with unwanted troubleshooting to do. Blowfish CBC is still the officially supported cipher.</p><p><strong>2) Security:</strong> People who say &quot;AES128 is more secure than Blowfish&quot; or vice-versa are mostly making unsupported claims. I could go on about bit depth and cycles and stuff, but IMHO either is secure enough to get meaningful privacy from corporations and ISPs. Governments, with virtually unlimited resources, are a different beast, and no one should be deluded that a consumer-grade VPN can protect them; the best you could hope for is to avoid being low-hanging fruit. To have hope to secure yourself from government intrusion, you'd get into very strong/more expensive VPNs or VPS-based VPNs + xorpatch + Tor + behavioral adjustment + wishes &amp; dreams. That is beyond the scope of this Instructable. (But I encourage you to Google those terms if you're interested... well, the first few anyway!)</p><p><strong>3) Speed: </strong>IMHO it's safe to generalize that the AES128 cipher was designed with speed in mind more than Blowfish. But that doesn't always translate into astronomical real-world results. There are other things that could affect speed, e.g. 
the possibility that PIA doesn't allocate as much resource to the UNSUPPORTED AES128 part of their infrastructure than they do for the official Blowfish (or other options available in their closed-source client), but that's just speculation; let's use data instead...</p><p>I replicated some speed tests in my own setup with AES128, using the testing methodology outlined in the overclocking discussion in this Instructable. Here are my numbers:</p><p><u>Cipher = Blowfish CBC</u></p><p>CPU Clock (MHz) = 1400 MHz</p><p>Avg Download Speed (Mbps) = 33.59</p><p>Avg Upload Speed (Mbps) = 11.88</p><p>Avg Load CPU Temp (C) = 68.20</p><p><u>Cipher = AES-128 CBC</u></p><p>CPU Clock (MHz) = 1400 MHz</p><p>Avg Download Speed (Mbps) = 35.58</p><p>Avg Upload Speed (Mbps) = 11.45</p><p>Avg Load CPU Temp (C) = 60.80</p><p>So, here is some small evidence that AES128 will buy a 9% increase in average download speed in this particular hardware setup with PIA as a VPN provider, all other things being identical. Also worth noting that Blowfish had a higher upload speed. One thing I'd also like to mention is that the Broadcom BCM4709 CPU I'm using does NOT have any AES acceleration. In general, AES-NI and other AES acceleration is not widely available in consumer routers, but if it was, the AES128 speeds might look even better. AES-NI might also be a reason that folks report better performance gains with AES128 over Blowfish with a software-based PC client vs DD-WRT.</p><p><u>Bottom line:</u></p><p>I think AES128 is perfectly OK to experiment with, for folks that know what they're doing. I might work it into the Instructable as an optional step, to save people from having to do their own discovery about it. 
Thanks again for posting about this!</p><p><u>Further reading:</u></p><p><a href="http://www.broadcom.com/products/Wireless-LAN/802.11-Wireless-LAN-Solutions/BCM4707-4708-4709" rel="nofollow">http://www.broadcom.com/products/Wireless-LAN/802....</a></p><p><a href="https://www.privateinternetaccess.com/forum/discussion/3543/encryption-options-using-openvpn-client" rel="nofollow">https://www.privateinternetaccess.com/forum/discus...</a></p><p><a href="https://www.bestvpn.com/blog/4147/pptp-vs-l2tp-vs-openvpn-vs-sstp-vs-ikev2/" rel="nofollow">https://www.bestvpn.com/blog/4147/pptp-vs-l2tp-vs-...</a></p>
<p>That was a great guide to follow even though I use a Wndr3700v1 router. Thank you for that. </p><p>I need to know how to setup the router so that if the VPN connection drops for whatever reason it does not go back to a regular connection. </p><p>I know there is a way to setup the firewall from reading other forums but need the exact steps for your guide. I hope I can get this last piece of the puzzle. Thanks</p>
<p>So I figured out how to make a kill switch. I first set up my PC so that I had a static ip address in case it would ever change for some reason.</p><p> - go to network and sharing center</p><p> - change adapter settings</p><p> - select your adapter you use to connect to the router &lt;double click&gt;</p><p> - click properties</p><p> - double click internet protocol version 4 (tcp/IPv4)</p><p> - fill in ip address, subnet mask, default gateway, and preferred DNS server</p><p> - My numbers were as follows 192.168.1.99, 255.255.255.0, 192.168.1.1, and 192.168.1.1 respectively</p><p>- click ok</p><p>- go back into ddwrt config (Administration===&gt;Commands)</p><p>and add the following firewall rule with your own ip address to prevent your machine's IP from reaching the WAN. </p><p>type the following without quotes in the Commands box, then click &quot;Save Firewall&quot;</p><p>&quot;iptables -I FORWARD -s 192.168.1.99 -o $(nvram get wan_iface) -j DROP&quot;</p><p>-Reboot your router</p><p>-you can test that it is working by changing your username or password to something wrong and you should no longer be able to connect to the internet from the machine with the ip address you entered. </p>
<p>for the ip address, you stated you used 192.168.1.99. </p><p>not sure what mine is. where can i get this information in the router. (I use dd wrt / openvpn) and have pia installed. </p><p>right now, my pc is set to connect to the router. </p><p>thanks.</p>
<p>Hi, thank you for the great Howto,</p><p>I have the following question:</p><p>What is the easiest way to change the VPN Server. I usually use european servers, but sometimes I need to use a US located Servers.</p><p>Thank you !</p>
<p>First, pick a different VPN server from PIA's website (from this guide), then change the OpenVPN Client settings in DD-WRT to set &quot;Server IP/Name&quot; to the new server. All the rest of the settings stay the same. Save and Apply those settings, then reboot the router.</p>
<p>HI <a href="/member/f1r_CTLF/" rel="nofollow">f1r_CTLF</a>. I wonder if you can help me. I was able to set up my router using your guide. Everything works well until i setup policy based routing. I want ip 192.168.1.16 to use the tunnel. So i entered 192.168.1.16/32 into policy based routing section. I do a quick google search for whats my ip and google gives me an ip from PIA but when i use whatismyipaddress dot com it shows my real ip. Ive tried several other websites and my real ip is still being leaked. Is there a setting i missed or is it a bug in dd wrt? Can you please help?</p>
<p>I don't use policy based routing, but I did a quick run through the IP lookup sites you mentioned from a client on my own setup, as well as dnsleaktest.com and https://ipdb.at, and all report the correct PIA address. I have heard of DD-WRT's implementation of OpenVPN not doing some advanced features correctly over the VPN, but I don't recall the specifics. The DD-WRT forums are a better place to troubleshoot that feature.</p>
Do you know how to set it up to drop the Internet access if the VPN goes down?
<p>i also would like to know this</p>
<p>Thanks for the reply. I've asked for help there too but those guys never reply. lol</p>
<p>thanks a lot! really easy to follow</p>
<p>This guide worked beautifully, the instructions at PIA's website are FLAWED and these proved invaluable...</p><p>Thank you!</p>
This is exactly what I have been looking for! Thank you. Is there a way to add the kill switch feature?
<p>Fantastic guide. After using the PIA guide (didn't work) then a startup command script (worked, but wasn't the &quot;right&quot; way to get the VPN set up), I came across your guide and it worked perfectly, thanks!</p><p>However, I overclocked to 1400mhz as described in the guide. Rebooted. Everything looked fine. My router is set to reboot daily. I woke up this morning, no wifi, nothing. Can't connect to the router w/ LAN cable via 192.168.1.1. Router lights look fine to me, LAN1 blinking... did a hard reset. Default wifi is &quot;dd-wrt&quot; so that worked, but still can't connect to it via web browser, telnet, tftp, nothing. Can't make connection. Surely the overclocking screwed things up or I'm missing something right in front of my face. Thoughts?</p>
<p>Are these settings still good?</p>
<p>Yes. I use as my daily driver on a R7000 running Kong 24865M.</p>
<p>Thanks for sharing your project! Can't wait to see what you make next.</p>
