Configure VPN Settings on a DD-WRT Router for Private Internet Access

In an age of Big Data and mass surveillance, a consumer VPN is a great way to stay more secure and private on the Internet. Running a VPN client on your router offers the benefit of seamlessly routing traffic from all devices connected to your LAN through the VPN. This guide shows a DD-WRT user how to configure the OpenVPN Client on a DD-WRT router to use the Private Internet Access VPN provider to encrypt and anonymize all Internet traffic on their LAN.

Why Private Internet Access?

There are tons of great consumer VPN companies to choose from. Why Private Internet Access (PIA)? First, you can tell them to donate a portion of your subscription to a worthy non-profit that works for Internet freedom, FightForTheFuture.org. Second, the company has gone on record about their opposition to government mass surveillance. Third, they have no restrictions on running a Tor relay inside their VPN. Finally, they are one of the least expensive VPN services. Bonus! This guide assumes you are a paid subscriber to Private Internet Access, with a PIA username and password.

Full disclosure: I am a (satisfied) customer of PIA, but I have in no way been paid, contacted, encouraged, etc. by them to write this guide. For recommendations for other VPN providers, see the end of the guide.

Note on DD-WRT Older vs Newer Revisions

OpenVPN setup on DD-WRT differs between older and newer revisions. Some older routers are actually more stable on old K26 builds, or even require it, so I have written a guide specifically for those older DD-WRT versions. This guide, however, is written for newer builds, specifically Kong revisions >24710. If you followed my Instructable on how toInstall and Configure a DD-WRT Kong Router on the NETGEAR R7000 router, you are all set for this VPN guide.

Materials

• Router with DD-WRT revision greater than 24710 installed (recommend the NETGEAR R7000)
• A PC
• Private Internet Access VPN paid subscription, with a strong password
• High-speed Internet service

You are free to pick any Private Internet Access VPN server you like, but generally OpenVPN connections are faster and more stable with a physically closer server.

1. In a browser, go to https://www.privateinternetaccess.com/pages/network/
2. Note the full Hostname of the nearest VPN server. For example, if you reside in Cascadia, pick us-seattle.privateinternetaccess.com

1. Navigate to the Private Internet Access Client Support page at https://www.privateinternetaccess.com/pages/client-support/
2. Scroll down to Advanced OpenVPN SSL Usage Guides, and select OPENVPN CONFIGURATION FILES (DEFAULT) to download some files you'll need later.

By default, DD-WRT uses your ISP's DNS servers. For privacy reasons, we'll instead configure DD-WRT to explicitly use PIA's DNS servers (which technically belong to a company called Level 3); these DNS servers are something of an IT legend in their own right, and superior to OpenDNS or Google in this author's opinion. As a PIA subscriber, you should take advantage of them.

1. In the DD-WRT Control Panel page, navigate to Setup > Basic Setup.
2. Under Network Address Server Settings (DHCP), set:
   • Static DNS 1 = 4.2.2.1
   • Static DNS 2 = 4.2.2.2

   • Static DNS 3 = 4.2.2.3

   • Use DNSMasq for DHCP = Checked

   • Use DNSMasq for DNS = Checked

   • DHCP-Authoritative = Checked

3. Save and Apply Settings.

1. Navigate to Setup > IPV6.
2. Make sure IPv6 is set to Disable, thenSave & Apply Settings.

1. Navigate to Services > Services.
2. We'll remove the ISP's DNS suffix from LAN clients. Under DHCP Server, set Used Domain = LAN & WLAN.
3. Under DNSMasq, make sure DNSMasq, Local DNS, & No DNS Rebind are all set to Enable.
4. Save and Apply Settings.

1. Navigate to Services > VPN.
2. Under OpenVPN Client, set Start OpenVPN Client = Enable. Other options will appear.
3. Set Advanced Options to Enable, More options will appear.
4. Set the following:

• Server IP/Name = The full hostname of the VPN Server you noted in Step 1: Select a VPN Server
• Port = 1194
• Tunnel Device = TUN
• Tunnel Protocol = UDP
• Encryption Cipher = Blowfish CBC
• Hash Algorithm = SHA1
• User Pass Authentication = Enable
• Username, Password = Your PIA username & password
• TLS Cipher = None
• LZO Compression = Yes
• NAT = Enable

5. (Optional) This VPN provider offers an undocumented and unsupported AES128 cipher option that may give a modest (~9%) download speed improvement. If you're OK with all that, change these settings:

• Port = 1196
• Encryption Cipher = AES-128 CBC

1. Enter this for Additional Config:

persist-key
persist-tun
tls-client
remote-cert-tls server

1. On your PC, unzip the file openvpn.zip which you downloaded earlier.
2. Open Notepad, then drag the file ca.crt onto Notepad, to open the Private Internet Access CA certificate as a text file.
3. Ctrl-A to select all text, then Copy it.
4. In the the DD-WRT VPN page, paste the entire CA certificate text into the CA Cert field. Be sure the entire text gets pasted in, including "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----".
5. Save and Apply Settings.

1. Navigate to Status > OpenVPN.
2. Under State, you should see the message "Client: CONNECTED SUCCESS". If not, check your configuration for typos.

WARNING!

Overclocking has real benefits, but could overheat your router and damage it. Don't sue if you break your stuff! The following instructions and statements pertain specifically to the NETGEAR R7000 router (Broadcom BCM4709A0 CPU), which is the recommended router for this guide.

That being said, overclocking is known to increase NAT Routing Performance and OpenVPN performance. Kong's changelog shows some test results where a 20% CPU overclock increased WAN-LAN throughput by about 20% in very high throughput scenarios.

What Is the Safe CPU Temperature Range?

Kong has stated in the DD-WRT forums that this router has a good amount of thermal headroom: "...the R7000 definitely does not need any extra cooling as these chips can easily do 90 degrees." Other posts about ARM CPUs generally agree under 80-90 C core temp is considered safe.

What Is the Recommended Overclock?

The DD-WRT wiki page for the NETGEAR R7000 states this router "supports CPU overclocking (1200MHz and 1400MHz possible)". Higher than that will be unstable. In general, avoid overclocking the RAM on this router. Further discussion of overclocking settings can be found in the DD-WRT forums.

1200 MHz or 1400 MHz are good bets.

Analysis

Below are some of my own real-world VPN performance results with CPU temperatures under load, comparing stock speed to overclocked. All VPN speed tests were performed using a 50 Mbps Internet speed tier, running speedtest.net 3 times on a wired client, and averaging the results.

CPU Clock (Mhz) = 1000 MHz (stock)
Avg Download Speed (Mbps) = 37.10
Avg Load CPU Temp (C) = 67.10


CPU Clock (Mhz) = 1200 MHz
Avg Download Speed (Mbps) = 38.63
Avg Load CPU Temp (C) = 66.9


CPU Clock (Mhz) = 1400 MHz
Avg Download Speed (Mbps) = 42.90
Avg Load CPU Temp (C) = 67.30

The highest measured VPN throughput achieved in the 1400 MHz test was 44.17 Mbps; that's not much less than the non-VPN speed of 50 Mbps! As these numbers show, it's possible to achieve the maximum stable overclock of 1400 MHz with little impact to CPU temps, even under the load of an Internet speed test. It would seem VPN throughput is CPU-bound, as the router crunches the crypto math for the VPN, so every bit of CPU speed helps.

The numbers also suggest that, if you have Internet service slower than 37 Mbps, there would be no benefit from overclocking, so don't bother. Likewise, if you have Internet service faster than 50 Mbps, you might want to experiment with the max speed to can get over VPN, then downgrade your Internet service to match it, saving money on your ISP bill in the process.

How to Overclock

Here are the steps to achieve the highest stable (YMMV) overclock:

1. Navigate to Administration > Commands.
2. Paste the following commands into the Command Shell:

nvram set clkfreq=1400,800
nvram commit && reboot

- Note: The factory clock setting for the NETGEAR R7000 is 1000,800 (1000 MHz CPU, 800 MHz RAM).

3. Select Run Commands. The router will reboot.

4. Once rebooted, navigate to Administration > Commands again, and enter the following command to check the speed settings:

 nvram get clkfreq

- Note: You should see output of "1400,800".

5. You can also see CPU Clock, Load, and Temperature on DD-WRT's Status > Router page, under CPU.

Backup your settings, in case you need to roll back later.

1. Navigate to Administration > Backup.
2. Select the Backup button, and a configuration file called nvrambak.bin will be downloaded to your PC.
3. Done!

Conclusion

Congratulations, you now have your DD-WRT router setup to automatically encrypt and anonymize the Internet traffic for all devices on your LAN.

Additional Info

Good article on other consumer VPN companies/providers and general info: http://lifehacker.com/5940565/why-you-should-start-using-a-vpn-and-how-to-choose-the-best-one-for-your-needs

VPN Listings and features: That One Privacy Guy’s VPN Comparison Chart

PIA official DD-WRT configuration guide (has some errors): https://www.privateinternetaccess.com/pages/client-support/#ddwrt_openvpn

DD-WRT wiki page on OpenVPN (good info, but not 100% relevant to this guide): http://www.dd-wrt.com/wiki/index.php/OpenVPN

FightForTheFuture.org About page: https://www.fightforthefuture.org/aboutus/index.html

OpenVPN homepage: http://openvpn.net/

Special Thanks
Kong, BrainSlayer, Fractal, Eko, Magnetron1.1, Quidagis, Adam Dachis, Alan Henry, kh1349

Non-Commercial Statement

I haven't been incentivized or compensated in any way by the organizations I've linked or recommended in this guide.