Introduction: Configure VPN Settings on a DD-WRT Router for Private Internet Access
In an age of Big Data and mass surveillance, a consumer VPN is a great way to stay more secure and private on the Internet. Running a VPN client on your router offers the benefit of seamlessly routing traffic from all devices connected to your LAN through the VPN, with no per-device software to install or forget. This guide shows a DD-WRT user how to configure the OpenVPN Client on a DD-WRT router to use the Private Internet Access VPN provider, so that all Internet traffic leaving the LAN is encrypted between the router and PIA's server; your ISP sees only the tunnel, and remote sites see PIA's address rather than yours.
Why Private Internet Access?
There are tons of great consumer VPN companies to choose from. Why Private Internet Access (PIA)? First, you can tell them to donate a portion of your subscription to a worthy non-profit that works for Internet freedom, FightForTheFuture.org. Second, the company has gone on record about their opposition to government mass surveillance. Third, they have no restrictions on running a Tor relay inside their VPN. Finally, they are one of the least expensive VPN services. Bonus! This guide assumes you are a paid subscriber to Private Internet Access, with a PIA username and password.
Full disclosure: I am a (satisfied) customer of PIA, but I have in no way been paid, contacted, encouraged, etc. by them to write this guide. For recommendations for other VPN providers, see the end of the guide.
Note on DD-WRT Older vs Newer Revisions
OpenVPN setup on DD-WRT differs between older and newer revisions. Some older routers are actually more stable on old K26 builds, or even require them, so I have written a guide specifically for those older DD-WRT versions. This guide, however, is written for newer builds, specifically Kong revisions >24710. If you followed my Instructable on how to Install and Configure a DD-WRT Kong Router on the NETGEAR R7000 router, you are all set for this VPN guide.
Materials
- Router with DD-WRT revision greater than 24710 installed (recommend the NETGEAR R7000)
- A PC
- Private Internet Access VPN paid subscription, with a strong password
- High-speed Internet service
Step 1: Select a VPN Server
You are free to pick any Private Internet Access VPN server you like, but generally OpenVPN connections are faster and more stable with a physically closer server.
- In a browser, go to https://www.privateinternetaccess.com/pages/network/
- Note the full Hostname of the nearest VPN server. For example, if you reside in Cascadia, pick us-seattle.privateinternetaccess.com
Step 2: Download the PIA OpenVPN Configuration Files
- Navigate to the Private Internet Access Client Support page at https://www.privateinternetaccess.com/pages/client-support/
- Scroll down to Advanced OpenVPN SSL Usage Guides, and select OPENVPN CONFIGURATION FILES (DEFAULT) to download some files you'll need later.
Step 3: Modify the DD-WRT Basic DNS Settings
By default, DD-WRT uses your ISP's DNS servers. For privacy reasons, we'll instead configure DD-WRT to explicitly use the resolvers PIA recommends, 4.2.2.1 through 4.2.2.3. These are public resolvers operated by Level 3, not by PIA; they are something of an IT legend in their own right, and superior to OpenDNS or Google in this author's opinion. The privacy benefit comes from the tunnel, not the resolvers themselves: once the VPN is up, queries to these addresses leave through the VPN rather than your ISP's link, so your ISP no longer sees which names your LAN looks up. As a PIA subscriber, you should take advantage of them.
- In the DD-WRT Control Panel page, navigate to Setup > Basic Setup.
- Under Network Address Server Settings (DHCP), set:
  - Static DNS 1 = 4.2.2.1
  - Static DNS 2 = 4.2.2.2
  - Static DNS 3 = 4.2.2.3
  - Use DNSMasq for DHCP = Checked
  - Use DNSMasq for DNS = Checked
  - DHCP-Authoritative = Checked
- Save and Apply Settings.
Step 4: Disable IPv6
- Navigate to Setup > IPV6.
- Make sure IPv6 is set to Disable, then Save & Apply Settings. (The tunnel configured below carries IPv4 only; leaving IPv6 enabled would let IPv6-capable clients reach the Internet directly through your ISP, bypassing the VPN.)
Step 5: Enable Local DNS
- Navigate to Services > Services.
- We'll remove the ISP's DNS suffix from LAN clients. Under DHCP Server, set Used Domain = LAN & WLAN.
- Under DNSMasq, make sure DNSMasq, Local DNS, and No DNS Rebind are all set to Enable. No DNS Rebind makes dnsmasq discard upstream answers that resolve to private (RFC 1918) addresses, which blocks DNS-rebinding attacks against hosts on your LAN, including the router's own admin page.
- Save and Apply Settings.
Step 6: Set the OpenVPN Client Parameters
- Navigate to Services > VPN.
- Under OpenVPN Client, set Start OpenVPN Client = Enable. Other options will appear.
- Set Advanced Options to Enable. More options will appear.
- Set the following:
- Server IP/Name = The full hostname of the VPN Server you noted in Step 1: Select a VPN Server
- Port = 1194
- Tunnel Device = TUN
- Tunnel Protocol = UDP
- Encryption Cipher = Blowfish CBC (this is what PIA expects on port 1194; note that Blowfish is a 64-bit block cipher, so if the optional AES-128 setting below works for you, it is the better choice on security grounds as well as speed)
- Hash Algorithm = SHA1
- User Pass Authentication = Enable
- Username, Password = Your PIA username & password
- TLS Cipher = None
- LZO Compression = Yes
- NAT = Enable
- (Optional) This VPN provider offers an undocumented and unsupported AES-128 cipher option that may give a modest (~9%) download speed improvement. If you're OK with all that, change these settings:
  - Port = 1196
  - Encryption Cipher = AES-128 CBC
Step 7: Set the OpenVPN Additional Config Settings
- Enter this for Additional Config, one directive per line:
  persist-key
  persist-tun
  tls-client
  remote-cert-tls server
- The directive that matters for security is remote-cert-tls server: it makes the client accept only a server certificate carrying the TLS server extended key usage, so a certificate that the same CA issued for a client cannot be used to impersonate the PIA server. DD-WRT already puts persist-key and persist-tun into the config it generates (you can see this in the client log further down the page), so repeating them here is harmless.
Step 8: Set the OpenVPN CA Cert
- On your PC, unzip the file openvpn.zip which you downloaded earlier.
- Open Notepad, then drag the file ca.crt onto Notepad, to open the Private Internet Access CA certificate as a text file.
- Ctrl-A to select all text, then Copy it.
- In the DD-WRT VPN page, paste the entire CA certificate text into the CA Cert field. Be sure the entire text gets pasted in, including "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----". This certificate is what the router uses to decide that the server it connected to really is PIA's, so take it from the archive you downloaded from PIA in Step 2, not from a forum post.
- Save and Apply Settings.
Step 9: Verify the VPN Is Working
- Navigate to Status > OpenVPN.
- Under State, you should see the message "Client: CONNECTED SUCCESS". If not, check your configuration for typos, and read the client log on the same page: repeated "RESOLVE: Cannot resolve host address" lines mean the router cannot look up the server hostname (check Step 3 and your WAN connection), "AUTH_FAILED" means the username or password is wrong, and "VERIFY ERROR" means the CA certificate from Step 8 did not paste correctly.
- Be aware that nothing in this configuration blocks traffic when the tunnel is down: while OpenVPN is reconnecting, DD-WRT routes LAN traffic out the WAN as before. If that matters to you, check the tunnel state before doing anything sensitive.
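As an added example, not part of the original guide, here is a small POSIX shell script with three checks a practitioner would run on the router after this step. Each function reads the output of a real router command from standard input, so the same functions can be exercised offline against the constructed samples embedded below and then run for real on the router. The hostnames, addresses and log lines in the samples are made up for illustration; the OpenVPN message strings, and the 0.0.0.0/1 and 128.0.0.0/1 routes that redirect-gateway def1 installs, are what OpenVPN really produces.

```shell
#!/bin/sh
# Offline-testable checks for a DD-WRT OpenVPN client (added example).
# On the router, feed real command output instead of the samples:
#   openvpn_state < /tmp/openvpncl.log        (or paste the Status > OpenVPN log)
#   ip route | tunnel_routes_ok tun1
#   ip route get 4.2.2.1 | route_dev

# Classify an OpenVPN client log by its last relevant message. OpenVPN prints
# "Initialization Sequence Completed" once the tunnel is up; the other strings
# are its standard failure messages. The last match wins, so a reconnect that
# succeeded after earlier failures still reports "connected".
openvpn_state() {
    awk '
        /Initialization Sequence Completed/       { s = "connected" }
        /AUTH_FAILED/                             { s = "auth-failed" }
        /VERIFY ERROR/                            { s = "cert-verify-failed" }
        /TLS Error: TLS key negotiation failed/   { s = "tls-failed" }
        /RESOLVE: Cannot resolve host address/    { s = "dns-resolve-failed" }
        END { if (s == "") s = "not-connected"; print s }
    '
}

# PIA pushes "redirect-gateway def1", which does not replace the default route
# but adds two more-specific halves (0.0.0.0/1 and 128.0.0.0/1) via the tunnel.
# A check that only looks at the "default" line would therefore wrongly report
# a leak. Exit 0 only if both halves go out the tunnel device.
tunnel_routes_ok() {
    dev=${1:-tun1}
    awk -v dev="$dev" '
        $1 == "0.0.0.0/1"   { for (i = 1; i <= NF; i++) if ($i == "dev" && $(i+1) == dev) lo = 1 }
        $1 == "128.0.0.0/1" { for (i = 1; i <= NF; i++) if ($i == "dev" && $(i+1) == dev) hi = 1 }
        END { if (lo && hi) exit 0; exit 1 }
    '
}

# Print the interface a destination would leave through, from the output of
# "ip route get <addr>". Run it on a resolver address (4.2.2.1) to confirm DNS
# queries take the tunnel and not the ISP link.
route_dev() {
    awk '{ for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i+1); exit } }'
}

# Constructed sample inputs (not captured from a real router).
SAMPLE_LOG_OK='20150830 17:28:07 N RESOLVE: Cannot resolve host address: us-seattle.privateinternetaccess.com: Try again
20150830 17:28:20 I [Private Internet Access] Peer Connection Initiated with [AF_INET]198.51.100.10:1194
20150830 17:28:22 I Initialization Sequence Completed'
SAMPLE_LOG_AUTH='20150830 17:30:01 N AUTH: Received control message: AUTH_FAILED'
SAMPLE_ROUTES_VPN='0.0.0.0/1 via 10.10.10.5 dev tun1
default via 203.0.113.1 dev vlan2
10.10.10.1 via 10.10.10.5 dev tun1
128.0.0.0/1 via 10.10.10.5 dev tun1
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1'
SAMPLE_ROUTES_NOVPN='default via 203.0.113.1 dev vlan2
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1'
SAMPLE_ROUTE_GET_VPN='4.2.2.1 via 10.10.10.5 dev tun1 src 10.10.10.6'
SAMPLE_ROUTE_GET_LEAK='4.2.2.1 via 203.0.113.1 dev vlan2 src 203.0.113.7'

# Run the checks against the samples.
printf '%s\n' "$SAMPLE_LOG_OK" | openvpn_state                       # connected
printf '%s\n' "$SAMPLE_LOG_AUTH" | openvpn_state                     # auth-failed
printf '%s\n' "$SAMPLE_ROUTES_VPN" | tunnel_routes_ok tun1 && echo "routes: all traffic via tun1"
printf '%s\n' "$SAMPLE_ROUTES_NOVPN" | tunnel_routes_ok tun1 || echo "routes: tunnel not in use"
printf '%s\n' "$SAMPLE_ROUTE_GET_VPN" | route_dev                   # tun1
printf '%s\n' "$SAMPLE_ROUTE_GET_LEAK" | route_dev                  # vlan2
```

The route check is the one most people get wrong: seeing "default via ... dev vlan2" in `ip route` while the VPN is up is normal, because OpenVPN leaves the ISP default route in place and overrides it with the two /1 routes. The leak you actually care about is a resolver or destination whose `ip route get` answer names the WAN interface.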
Step 10: (Optional) Overclock the Router CPU
WARNING!
Overclocking has real benefits, but could overheat your router and damage it. Don't sue if you break your stuff! The following instructions and statements pertain specifically to the NETGEAR R7000 router (Broadcom BCM4709A0 CPU), which is the recommended router for this guide.
That being said, overclocking is known to increase NAT Routing Performance and OpenVPN performance. Kong's changelog shows some test results where a 20% CPU overclock increased WAN-LAN throughput by about 20% in very high throughput scenarios.
What Is the Safe CPU Temperature Range?
Kong has stated in the DD-WRT forums that this router has a good amount of thermal headroom: "...the R7000 definitely does not need any extra cooling as these chips can easily do 90 degrees." Other posts about ARM CPUs generally agree under 80-90 C core temp is considered safe.
What Is the Recommended Overclock?
The DD-WRT wiki page for the NETGEAR R7000 states this router "supports CPU overclocking (1200MHz and 1400MHz possible)". Higher than that will be unstable. In general, avoid overclocking the RAM on this router. Further discussion of overclocking settings can be found in the DD-WRT forums.
1200 MHz or 1400 MHz are good bets.
Analysis
Below are some of my own real-world VPN performance results with CPU temperatures under load, comparing stock speed to overclocked. All VPN speed tests were performed using a 50 Mbps Internet speed tier, running speedtest.net 3 times on a wired client, and averaging the results.
CPU Clock (MHz)  | Avg Download Speed (Mbps) | Avg Load CPU Temp (C)
1000 (stock)     | 37.10                     | 67.10
1200             | 38.63                     | 66.90
1400             | 42.90                     | 67.30
The highest measured VPN throughput achieved in the 1400 MHz test was 44.17 Mbps; that's not much less than the non-VPN speed of 50 Mbps! As these numbers show, it's possible to achieve the maximum stable overclock of 1400 MHz with little impact to CPU temps, even under the load of an Internet speed test. It would seem VPN throughput is CPU-bound, as the router crunches the crypto math for the VPN, so every bit of CPU speed helps.
The numbers also suggest that, if you have Internet service slower than 37 Mbps, there would be no benefit from overclocking, so don't bother. Likewise, if you have Internet service faster than 50 Mbps, you might want to experiment to find the maximum speed you can get over the VPN, then downgrade your Internet service to match it, saving money on your ISP bill in the process.
How to Overclock
Here are the steps to achieve the highest stable (YMMV) overclock. The value is committed to NVRAM and applied on every boot, so check it carefully before running; some readers in the comments below report bricked routers after this step.
1. Navigate to Administration > Commands.
2. Paste the following commands into the Command Shell:
   nvram set clkfreq=1400,800
   nvram commit && reboot
   Note: The factory clock setting for the NETGEAR R7000 is 1000,800 (1000 MHz CPU, 800 MHz RAM).
3. Select Run Commands. The router will reboot.
4. Once rebooted, navigate to Administration > Commands again, and enter the following command to check the speed settings:
   nvram get clkfreq
   Note: You should see output of "1400,800".
5. You can also see CPU Clock, Load, and Temperature on DD-WRT's Status > Router page, under CPU.
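As an added example, not from the original guide, the following POSIX shell wrapper encodes the constraints stated above (R7000 stock is 1000,800; only 1200 and 1400 MHz CPU clocks are documented as possible; do not overclock the RAM) and refuses to commit any other value to NVRAM. The function names and the DRY_RUN variable are this example's own; the nvram commands it runs are the ones from the step above.

```shell
#!/bin/sh
# Guarded overclock for the NETGEAR R7000 on DD-WRT (added example).
# A wrong clkfreq value is committed to NVRAM and applied on every boot, so
# validate before touching nvram.
#
# On the router (Administration > Commands):   sh overclock.sh 1400
# Dry run (prints what it would do):           DRY_RUN=1 sh overclock.sh 1400
# Revert to stock:                             sh overclock.sh 1000

STOCK_RAM_MHZ=800
ALLOWED_CPU_MHZ="1000 1200 1400"   # 1000 = factory setting

# Return 0 if "<cpu>,<ram>" is a value this guide considers safe:
# RAM left at stock and CPU one of the documented clocks.
validate_clkfreq() {
    cpu=${1%%,*}
    ram=${1#*,}
    [ "$ram" = "$STOCK_RAM_MHZ" ] || return 1
    for ok in $ALLOWED_CPU_MHZ; do
        [ "$cpu" = "$ok" ] && return 0
    done
    return 1
}

# Build the clkfreq value for a requested CPU clock, keeping RAM at stock.
clkfreq_for() {
    printf '%s,%s\n' "$1" "$STOCK_RAM_MHZ"
}

# Extract the CPU clock from "nvram get clkfreq" output such as "1000,800".
current_cpu_mhz() {
    read -r val
    printf '%s\n' "${val%%,*}"
}

# Validate, then either describe (DRY_RUN set) or apply and reboot.
apply_overclock() {
    target=$(clkfreq_for "$1")
    if ! validate_clkfreq "$target"; then
        echo "refusing to set clkfreq=$target: not in the documented-safe set" >&2
        return 1
    fi
    if [ -n "$DRY_RUN" ]; then
        echo "would run: nvram set clkfreq=$target && nvram commit && reboot"
        return 0
    fi
    nvram set clkfreq="$target" && nvram commit && reboot
}

# Only act when invoked with an argument, so sourcing this file for its
# functions never reboots anything.
if [ -n "$1" ]; then
    apply_overclock "$1"
fi
```

Run it once with DRY_RUN=1 and read the echoed command before running it for real; if it refuses, you have asked for something outside the range the DD-WRT wiki documents for this board.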
Step 11: Backup the Settings
Backup your settings, in case you need to roll back later.
- Navigate to Administration > Backup.
- Select the Backup button, and a configuration file called nvrambak.bin will be downloaded to your PC.
- Done!
Step 12: Conclusion and Additional Info
Conclusion
Congratulations, you now have your DD-WRT router set up to automatically encrypt the Internet traffic for all devices on your LAN and send it out through PIA, hiding it from your ISP and hiding your address from the sites you visit.
Additional Info
Good article on other consumer VPN companies/providers and general info: http://lifehacker.com/5940565/why-you-should-start-using-a-vpn-and-how-to-choose-the-best-one-for-your-needs
VPN Listings and features: That One Privacy Guy’s VPN Comparison Chart
PIA official DD-WRT configuration guide (has some errors): https://www.privateinternetaccess.com/pages/client-support/#ddwrt_openvpn
DD-WRT wiki page on OpenVPN (good info, but not 100% relevant to this guide): http://www.dd-wrt.com/wiki/index.php/OpenVPN
FightForTheFuture.org About page: https://www.fightforthefuture.org/aboutus/index.html
OpenVPN homepage: http://openvpn.net/
Special Thanks
Kong, BrainSlayer, Fractal, Eko, Magnetron1.1, Quidagis, Adam Dachis, Alan Henry, kh1349
Non-Commercial Statement
I haven't been incentivized or compensated in any way by the organizations I've linked or recommended in this guide.
47 Comments
3 years ago
Yeah, this no longer works... PIA made a change and the CA document is now CA.rsa.2048 and it makes it so it no longer works. I also bricked an R7000 trying to overclock, like the user below. DO NOT FOLLOW THESE INSTRUCTIONS FOR OVERCLOCKING
3 years ago
These instructions are no good. Bricked my R7000 router attempting to overclock. Please, please avoid overclocking, not worth bricking a perfectly good router. Also, the PIA settings are wrong. Ironically, it says the PIA website is wrong. Other way around, pal. Use these from PIA directly. You'll thank me later.
https://www.privateinternetaccess.com/pages/client-support/dd-wrt-openvpn
4 years ago
Any suggestions on how to configure an R7000 with a static IP for the WAN connection? There are no spaces below the DHCP settings for the three Static DNS entries with the router set for static IP. Thanks.
5 years ago on Introduction
I am using a flashed Cisco E2500 v1 router. My settings do not have an option for IPv6 under Setup.
Nor do I have the following options under Services > VPN:
Is there a work around for this?
Reply 5 years ago
Guide for OLD BUILDS without the password option to enable:
if you don't have the option "User Pass Authentication = Enable",
use this guide
https://www.privateinternetaccess.com/pages/client...
Reply 5 years ago
Link for the certificate if you don't have it yet:
https://www.privateinternetaccess.com/openvpn/open...
Have a nice day.
Reply 5 years ago
You can try to set up commands on startup. The HMA instructions on their website talk through this quite well, but I don't know if it actually works; I never got HMA working!
Reply 5 years ago
Hi George, I am in the same boat you are. Any solution for this? Maybe we have to flash a different DD-WRT firmware to the router. Please let me know if you got this fixed. Thanks
5 years ago
I've done this and it works like a dream. I initially left my router set with the ISP's DNS, but this blocked some sites, even though I was on VPN! So I've changed to using PIA VPNs. They have overcome this, but default Google searches always default to US results, which is painful. Are there good DNS servers available that are UK based?
Thanks
5 years ago on Introduction
No success sadly. Same as my attempts to get HMA on this build. I'm certain it's because I can't connect to the Internet out of my WAN port and am connecting to my ISP's router through the LAN port, and I'm getting blocked in the ISP router. Any advice greatly appreciated.
Clientlog:
20150830 17:28:02 I OpenVPN 2.3.4 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Aug 15 2014
20150830 17:28:02 I library versions: OpenSSL 1.0.1i 6 Aug 2014 LZO 2.08
20150830 17:28:02 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:16
20150830 17:28:02 W WARNING: file '/tmp/openvpncl/credentials' is group or others accessible
20150830 17:28:02 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
20150830 17:28:02 Socket Buffers: R=[180224->131072] S=[180224->131072]
20150830 17:28:07 N RESOLVE: Cannot resolve host address: uk-london.privateinternetaccess.com: Try again
20150830 17:28:12 N RESOLVE: Cannot resolve host address: uk-london.privateinternetaccess.com: Try again
20150830 17:28:12 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20150830 17:28:12 D MANAGEMENT: CMD 'state'
20150830 17:28:12 MANAGEMENT: Client disconnected
20150830 17:28:12 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20150830 17:28:12 D MANAGEMENT: CMD 'state'
20150830 17:28:12 MANAGEMENT: Client disconnected
20150830 17:28:12 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20150830 17:28:12 D MANAGEMENT: CMD 'state'
20150830 17:28:12 MANAGEMENT: Client disconnected
20150830 17:28:12 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20150830 17:28:12 D MANAGEMENT: CMD 'status 2'
20150830 17:28:12 MANAGEMENT: Client disconnected
20150830 17:28:12 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20150830 17:28:12 D MANAGEMENT: CMD 'log 500'
19700101 02:00:00
ca /tmp/openvpncl/ca.crt
management 127.0.0.1 16
management-log-cache 100
verb 3
mute 3
syslog
writepid /var/run/openvpncl.pid
client
resolv-retry infinite
nobind
persist-key
persist-tun
script-security 2
dev tun1
proto udp
cipher bf-cbc
auth sha1
auth-user-pass /tmp/openvpncl/credentials
remote uk-london.privateinternetaccess.com 1194
comp-lzo yes
tun-mtu 1500
mtu-disc yes
fast-io
tun-ipv6
persist-key
persist-tun
tls-client
remote-cert-tls server
5 years ago on Introduction
I didn't find any errors between this and the instructions from PIA,
https://www.privateinternetaccess.com/pages/client-support/dd-wrt-openvpn
Either I didn't notice them or they might have corrected them.
The only part that is different from this on PIA is "Step 8. If there is a DNS Suffix, Remove that".
I did not find this in here; do I have to do anything?
Other than that all working for now, will get back if anything needed.
Thank you,
5 years ago on Introduction
Hello,
I would like to know whether it is possible to use the following on my Netgear R7000 with Kong's latest DD-WRT:
I use and really need a DNS service (dns4me.net) for my Sonos network for Pandora Radio & Songza Music; without it I can't live in Germany!
1. Is it possible to use the dns4me.net IPs instead of the DNS IPs from PIA (like 4.2.2.1 & 4.2.2.2 & 4.2.2.3)?
2. What settings like "dnsmasq" or other stuff do I have to change?
3. Maybe you know other special tricks (IP range, port forwarding or triggering, ...)?
Thank you for these great tutorials :))
5 years ago on Introduction
I use the following tutorial for my iPad and it worked great for me.
http://www.vpnranks.com/how-to-setup-vpn-on-ipad/
5 years ago on Introduction
Can't get this to work. The traffic won't pass through the VPN...
5 years ago
Can you send me the CA cert file so I can copy and paste?
Reply 5 years ago on Introduction
OpenVPN CA cert is:
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
5 years ago on Step 9
Server:
:
Local Address:
Remote Address:
Client:
:
Local Address:
Remote Address:
5 years ago on Step 6
How does this work?
http://imgur.com/8uDY2P6