Configure VPN Settings on a DD-WRT Router for Private Internet Access


Introduction: Configure VPN Settings on a DD-WRT Router for Private Internet Access

In an age of Big Data and mass surveillance, a consumer VPN is a good way to keep your ISP, and anyone else on the path between you and the VPN provider, from reading or logging your traffic. Be clear about what it does not do: the provider itself sees everything your ISP used to see, so you are choosing whom to trust rather than becoming anonymous. Running the VPN client on your router has the benefit of seamlessly routing traffic from every device on your LAN through the tunnel, with no per-device setup. This guide shows a DD-WRT user how to configure the OpenVPN client on a DD-WRT router to use the Private Internet Access VPN provider to encrypt all Internet traffic leaving their LAN.

Why Private Internet Access?

There are tons of great consumer VPN companies to choose from. Why Private Internet Access (PIA)? First, you can tell them to donate a portion of your subscription to a worthy non-profit that works for Internet freedom, FightForTheFuture.org. Second, the company has gone on record about their opposition to government mass surveillance. Third, they have no restrictions on running a Tor relay inside their VPN. Finally, they are one of the least expensive VPN services. Bonus! This guide assumes you are a paid subscriber to Private Internet Access, with a PIA username and password.

Full disclosure: I am a (satisfied) customer of PIA, but I have in no way been paid, contacted, encouraged, etc. by them to write this guide. For recommendations for other VPN providers, see the end of the guide.

Note on DD-WRT Older vs Newer Revisions

OpenVPN setup on DD-WRT differs between older and newer revisions. Some older routers are actually more stable on old K26 builds, or even require them, so I have written a separate guide for those older DD-WRT versions. This guide, however, is written for newer builds, specifically Kong revisions >24710. If you followed my Instructable on how to Install and Configure a DD-WRT Kong Router on the NETGEAR R7000 router, you are all set for this VPN guide.

Materials

  • Router with DD-WRT revision greater than 24710 installed (recommend the NETGEAR R7000)
  • A PC
  • Private Internet Access VPN paid subscription, with a strong password
  • High-speed Internet service

Step 1: Select a VPN Server

You are free to pick any Private Internet Access VPN server you like, but generally OpenVPN connections are faster and more stable with a physically closer server.

  1. In a browser, go to https://www.privateinternetaccess.com/pages/network/
  2. Note the full Hostname of the nearest VPN server. For example, if you reside in Cascadia, pick us-seattle.privateinternetaccess.com

Step 2: Download the PIA OpenVPN Configuration Files

  1. Navigate to the Private Internet Access Client Support page at https://www.privateinternetaccess.com/pages/client-support/
  2. Scroll down to Advanced OpenVPN SSL Usage Guides, and select OPENVPN CONFIGURATION FILES (DEFAULT) to download some files you'll need later.

Step 3: Modify the DD-WRT Basic DNS Settings

By default, DD-WRT hands LAN clients your ISP's DNS servers, which lets the ISP log every name your devices look up. For privacy reasons, we'll instead configure DD-WRT to use third-party resolvers. The addresses below are Level 3's long-running public anycast resolvers, not servers PIA operates; they are something of an IT legend in their own right, and in this author's opinion superior to OpenDNS or Google. Once the tunnel is up and carries the default route, the router's queries to them travel inside it. While the tunnel is down, however, they go out over your WAN in the clear, so the DNS setting alone does not stop leaks.

  1. In the DD-WRT Control Panel page, navigate to Setup > Basic Setup.
  2. Under Network Address Server Settings (DHCP), set:
    • Static DNS 1 = 4.2.2.1
    • Static DNS 2 = 4.2.2.2
    • Static DNS 3 = 4.2.2.3
    • Use DNSMasq for DHCP = Checked
    • Use DNSMasq for DNS = Checked
    • DHCP-Authoritative = Checked
  3. Save and Apply Settings.

Step 4: Disable IPv6

The tunnel configured in this guide carries your IPv4 traffic; any IPv6 connectivity your ISP provides is not routed through it and would bypass the VPN entirely. Disabling IPv6 on the router closes that leak.

  1. Navigate to Setup > IPV6.
  2. Make sure IPv6 is set to Disable, then Save & Apply Settings.

Step 5: Enable Local DNS

  1. Navigate to Services > Services.
  2. We'll remove the ISP's DNS suffix from LAN clients. Under DHCP Server, set Used Domain = LAN & WLAN.
  3. Under DNSMasq, make sure DNSMasq, Local DNS, & No DNS Rebind are all set to Enable.
  4. Save and Apply Settings.

Step 6: Set the OpenVPN Client Parameters

  1. Navigate to Services > VPN.
  2. Under OpenVPN Client, set Start OpenVPN Client = Enable. Other options will appear.
  3. Set Advanced Options = Enable. More options will appear.
  4. Set the following:
    • Server IP/Name = The full hostname of the VPN Server you noted in Step 1: Select a VPN Server
    • Port = 1194
    • Tunnel Device = TUN
    • Tunnel Protocol = UDP
    • Encryption Cipher = Blowfish CBC
    • Hash Algorithm = SHA1
    • User Pass Authentication = Enable
    • Username, Password = Your PIA username & password
    • TLS Cipher = None
    • LZO Compression = Yes
    • NAT = Enable
  5. (Optional) This VPN provider offers an undocumented and unsupported AES-128 cipher option that may give a modest (~9%) download speed improvement. It is also the better choice cryptographically: Blowfish has a 64-bit block, so on a long-lived tunnel that moves tens of gigabytes under one key, ciphertext block collisions start to leak plaintext, while AES's 128-bit block does not have that problem. If you're OK with using an unsupported endpoint, change these settings:
    • Port = 1196
    • Encryption Cipher = AES-128 CBC

A note on LZO Compression: compressing data before encrypting it lets an attacker who can inject content into your traffic (for example into a plain-HTTP page you load) infer secrets from the size of the ciphertext. Compression buys a little throughput at that cost; if you'd rather not pay it, set LZO Compression = No and check the client log for complaints from the server.

Step 7: Set the OpenVPN Additional Config Settings

  1. Enter this for Additional Config:
persist-key
persist-tun
tls-client
remote-cert-tls server

The last line matters most. It makes the client accept only a certificate whose extended key usage marks it as a server, so another PIA customer's client certificate, even though it is signed by the same CA, cannot be used to impersonate the VPN server to you. Don't leave it out.

Step 8: Set the OpenVPN CA Cert

  1. On your PC, unzip the file openvpn.zip which you downloaded earlier.
  2. Open Notepad, then drag the file ca.crt onto Notepad, to open the Private Internet Access CA certificate as a text file.
  3. Ctrl-A to select all text, then Copy it.
  4. In the DD-WRT VPN page, paste the entire CA certificate text into the CA Cert field. Be sure the entire text gets pasted in, including "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----". This certificate is what the router uses to decide whether it is really talking to PIA, so take it only from the file you downloaded over HTTPS in Step 2, never from a forum post or a pasted comment.
  5. Save and Apply Settings.
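The settings in Steps 6, 7 and 8 add up to an ordinary OpenVPN client config. The Python below is an example added to this guide, not code from the original page, from DD-WRT or from PIA: it renders that config from the form values and audits it for the settings a security engineer would revisit (the cipher and compression findings are the reason behind the AES-128 option in Step 6). The us-seattle hostname is the Step 1 example; the /tmp/openvpncl paths are where DD-WRT's openvpncl writes the credentials and the pasted CA cert, as seen in the client log a reader posted in the discussion below, and are assumed to hold for your build.

```python
"""Render the OpenVPN client config that Steps 6-8 produce, then audit it.

Added example for this guide; it is not code from the original page,
from DD-WRT or from PIA. The dict keys mirror the DD-WRT form fields.
The two file paths are the ones DD-WRT's openvpncl writes the pasted CA
cert and the credentials to (taken from the client log posted in the
discussion below; assumed to apply to your build as well).
"""

# Step 6 / Step 7 as the guide recommends them.
GUIDE_SETTINGS = {
    "server": "us-seattle.privateinternetaccess.com",  # Step 1 example host
    "port": 1194,
    "proto": "udp",
    "cipher": "bf-cbc",      # "Blowfish CBC" in the DD-WRT drop-down
    "auth": "sha1",          # "Hash Algorithm = SHA1"
    "comp_lzo": True,        # "LZO Compression = Yes"
    "additional": ["persist-key", "persist-tun", "tls-client",
                   "remote-cert-tls server"],          # Step 7
}

# The optional AES-128 variant from Step 6, item 5, with compression off.
AES_SETTINGS = dict(GUIDE_SETTINGS, port=1196, cipher="aes-128-cbc", comp_lzo=False)

# Ciphers with a 64-bit block: on a single long-lived key, ciphertext
# collisions (and with them plaintext leakage) become likely after tens of GB.
SMALL_BLOCK_CIPHERS = {"bf-cbc", "des-ede3-cbc", "cast5-cbc"}


def build_client_config(s):
    """Return the client config text equivalent to the DD-WRT form settings."""
    lines = [
        "client",
        "dev tun",
        f"proto {s['proto']}",
        f"remote {s['server']} {s['port']}",
        "resolv-retry infinite",
        "nobind",
        f"cipher {s['cipher']}",
        f"auth {s['auth']}",
        "auth-user-pass /tmp/openvpncl/credentials",  # written from the form (path assumed)
        "ca /tmp/openvpncl/ca.crt",                    # the pasted CA Cert (path assumed)
    ]
    if s["comp_lzo"]:
        lines.append("comp-lzo yes")
    lines.extend(s["additional"])
    return "\n".join(lines) + "\n"


def parse_directives(text):
    """Map each directive to its argument string ('' when it has none)."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            name, _, value = line.partition(" ")
            opts[name] = value.strip()
    return opts


def audit_client_config(text):
    """Return [(directive, why)] for settings a practitioner should revisit."""
    opts = parse_directives(text)
    findings = []
    cipher = opts.get("cipher", "").lower()
    if cipher in SMALL_BLOCK_CIPHERS:
        findings.append(("cipher",
            f"{cipher} has a 64-bit block; a long-lived, high-volume tunnel on one "
            "key will eventually leak plaintext through block collisions. Use an "
            "AES cipher where the provider offers one (Step 6, item 5)."))
    if "comp-lzo" in opts and opts["comp-lzo"] != "no":
        findings.append(("comp-lzo",
            "compressing before encryption lets an attacker who can inject "
            "content into your traffic infer secrets from ciphertext length; "
            "turn compression off unless the server insists on it."))
    if opts.get("remote-cert-tls") != "server":
        findings.append(("remote-cert-tls",
            "without 'remote-cert-tls server' any certificate the CA signed, "
            "including another customer's client cert, could pose as the VPN server."))
    if "ca" not in opts:
        findings.append(("ca", "no CA certificate: the server cannot be verified at all."))
    if opts.get("auth", "").lower() in ("none", "md5"):
        findings.append(("auth", f"HMAC {opts['auth']} is not acceptable; use sha1 or stronger."))
    return findings


if __name__ == "__main__":
    for label, settings in (("guide", GUIDE_SETTINGS), ("aes-128", AES_SETTINGS)):
        cfg = build_client_config(settings)
        print(f"--- {label} settings ---\n{cfg}")
        for directive, why in audit_client_config(cfg) or [("ok", "nothing to revisit")]:
            print(f"  {directive}: {why}")
```

Run it as a script to print both configs and their findings. For your own deployment, feed in the form values and Additional Config text you actually used; the audit will flag the Blowfish/compression defaults and a missing `remote-cert-tls server`, and stay silent for the AES-128 variant with compression off.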

Step 9: Verify the VPN Is Working

  1. Navigate to Status > OpenVPN.
  2. Under State, you should see the message "Client: CONNECTED SUCCESS". If not, scroll down to the client log on the same page: the first error line usually names the problem, such as the server hostname not resolving (DNS, Step 3), AUTH_FAILED (username or password, Step 6), or a certificate verification error (the CA Cert paste, Step 8). Once it reports connected, open a what-is-my-IP site from a LAN client; it should show an address belonging to PIA, not your ISP.
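If the State is not CONNECTED SUCCESS, the client log on the same page tells you why. The Python below is an example added to this guide (not from the original page or from DD-WRT) that parses log lines in the shape DD-WRT prints them and maps the standard OpenVPN 2.x messages to the step of this guide worth rechecking. The two sample logs are constructed for the example, one modelled on the name-resolution failure a reader posted in the discussion below; 198.51.100.7 is a documentation address, not a PIA server.

```python
"""Triage the OpenVPN client log DD-WRT shows under Status > OpenVPN.

Added example; not code from the guide or from DD-WRT. The sample logs are
constructed here in the shape DD-WRT prints (date, time, an optional
one-letter level, message), modelled on the log a commenter posted in the
discussion below; the message texts are standard OpenVPN 2.x messages.
"""
import re

LINE_RE = re.compile(
    r"^(?P<date>\d{8}) (?P<time>\d{2}:\d{2}:\d{2}) (?:(?P<level>[A-Z]) )?(?P<msg>.*)$"
)

# (pattern in the message, tag, what to check in the DD-WRT form)
RULES = [
    (re.compile(r"RESOLVE: Cannot resolve host address"), "dns",
     "the router cannot resolve the server hostname: check Static DNS (Step 3) "
     "and WAN connectivity, or try the server's IP address in Server IP/Name"),
    (re.compile(r"AUTH_FAILED"), "credentials",
     "the server rejected the username/password: re-enter them (Step 6) and "
     "watch for trailing spaces"),
    (re.compile(r"VERIFY ERROR|certificate verify failed"), "ca_cert",
     "the server certificate did not verify against the pasted CA: re-paste the "
     "whole CA Cert including the BEGIN/END lines (Step 8)"),
    (re.compile(r"TLS Error: TLS (handshake|key negotiation) failed"), "tls",
     "no TLS handshake completed: check Port and Tunnel Protocol (Step 6) and "
     "whether the port is filtered upstream"),
    (re.compile(r"is group or others accessible"), "perms",
     "the credentials file is readable by other users on the router, so anyone "
     "with a shell on it can read your PIA password"),
    (re.compile(r"Initialization Sequence Completed"), "connected", "tunnel is up"),
]
ERROR_TAGS = {"dns", "credentials", "ca_cert", "tls"}


def parse_line(line):
    """Split one DD-WRT log line into date/time/level/msg, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(log_text):
    """Return (state, findings): state is 'connected', 'failing' or 'no verdict';
    findings maps each tag to its advice, keeping the first matching line."""
    connected = False
    findings = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for pattern, tag, advice in RULES:
            if pattern.search(rec["msg"]):
                if tag == "connected":
                    connected = True
                else:
                    findings.setdefault(tag, advice)
    if connected:
        state = "connected"
    elif findings.keys() & ERROR_TAGS:
        state = "failing"
    else:
        state = "no verdict"
    return state, findings


# Constructed sample: a client that never gets past name resolution.
SAMPLE_FAILING = """\
20150830 17:28:02 I OpenVPN 2.3.4 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Aug 15 2014
20150830 17:28:02 W WARNING: file '/tmp/openvpncl/credentials' is group or others accessible
20150830 17:28:02 Socket Buffers: R=[180224->131072] S=[180224->131072]
20150830 17:28:07 N RESOLVE: Cannot resolve host address: uk-london.privateinternetaccess.com: Try again
20150830 17:28:12 N RESOLVE: Cannot resolve host address: uk-london.privateinternetaccess.com: Try again
"""

# Constructed sample: a successful connection (198.51.100.7 is a documentation address).
SAMPLE_CONNECTED = """\
20150830 18:01:03 I OpenVPN 2.3.4 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Aug 15 2014
20150830 18:01:04 UDPv4 link remote: [AF_INET]198.51.100.7:1194
20150830 18:01:05 I [Private Internet Access] Peer Connection Initiated with [AF_INET]198.51.100.7:1194
20150830 18:01:07 I Initialization Sequence Completed
"""

if __name__ == "__main__":
    for name, sample in (("failing", SAMPLE_FAILING), ("connected", SAMPLE_CONNECTED)):
        state, findings = triage(sample)
        print(f"{name}: {state}")
        for tag, advice in findings.items():
            print(f"  [{tag}] {advice}")
```

Paste the log from Status > OpenVPN into a file and pass its contents to `triage()`. The world-readable credentials warning is reported even on a working tunnel because it is a real exposure on the router, not a connection failure.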

Step 10: (Optional) Overclock the Router CPU

WARNING!

Overclocking has real benefits, but it could overheat your router and damage it, or leave it unable to boot. Don't sue me if you break your stuff! The following instructions and statements pertain specifically to the NETGEAR R7000 router (Broadcom BCM4709A0 CPU), which is the recommended router for this guide.

That being said, overclocking is known to increase NAT Routing Performance and OpenVPN performance. Kong's changelog shows some test results where a 20% CPU overclock increased WAN-LAN throughput by about 20% in very high throughput scenarios.

What Is the Safe CPU Temperature Range?

Kong has stated in the DD-WRT forums that this router has a good amount of thermal headroom: "...the R7000 definitely does not need any extra cooling as these chips can easily do 90 degrees." Other posts about ARM CPUs generally agree that a core temperature under 80-90 C is considered safe.

What Is the Recommended Overclock?

The DD-WRT wiki page for the NETGEAR R7000 states this router "supports CPU overclocking (1200MHz and 1400MHz possible)". Higher than that will be unstable. In general, avoid overclocking the RAM on this router. Further discussion of overclocking settings can be found in the DD-WRT forums.

1200 MHz or 1400 MHz are good bets.

Analysis

Below are some of my own real-world VPN performance results with CPU temperatures under load, comparing stock speed to overclocked. All VPN speed tests were performed using a 50 Mbps Internet speed tier, running speedtest.net 3 times on a wired client, and averaging the results.

CPU Clock (MHz)   Avg Download Speed (Mbps)   Avg Load CPU Temp (C)
1000 (stock)      37.10                       67.10
1200              38.63                       66.9
1400              42.90                       67.30

The highest measured VPN throughput achieved in the 1400 MHz test was 44.17 Mbps; that's not much less than the non-VPN speed of 50 Mbps! As these numbers show, it's possible to achieve the maximum stable overclock of 1400 MHz with little impact to CPU temps, even under the load of an Internet speed test. It would seem VPN throughput is CPU-bound, as the router crunches the crypto math for the VPN, so every bit of CPU speed helps.

The numbers also suggest that, if you have Internet service slower than 37 Mbps, there would be no benefit from overclocking, so don't bother. Likewise, if you have Internet service faster than 50 Mbps, you might want to experiment to find the maximum speed you can get over the VPN, then downgrade your Internet service to match it, saving money on your ISP bill in the process.

How to Overclock

Here are the steps to achieve the highest stable (YMMV) overclock:

  1. Navigate to Administration > Commands.
  2. Paste the following commands into the Command Shell:
nvram set clkfreq=1400,800
nvram commit && reboot
    - Note: The factory clock setting for the NETGEAR R7000 is 1000,800 (1000 MHz CPU, 800 MHz RAM).
  3. Select Run Commands. The router will reboot.
  4. Once rebooted, navigate to Administration > Commands again, and enter the following command to check the speed settings:
nvram get clkfreq
    - Note: You should see output of "1400,800".
  5. You can also see CPU Clock, Load, and Temperature on DD-WRT's Status > Router page, under CPU.

Step 11: Backup the Settings

Backup your settings, in case you need to roll back later.

  1. Navigate to Administration > Backup.
  2. Select the Backup button, and a configuration file called nvrambak.bin will be downloaded to your PC.
  3. Done!

Step 12: Conclusion and Additional Info

Conclusion

Congratulations, you now have your DD-WRT router set up to send the Internet traffic of every device on your LAN through an encrypted tunnel to PIA. Two caveats are worth keeping in mind. Your ISP now sees only encrypted traffic to one PIA server, but PIA sees what your ISP used to see, so this is a change of who you trust rather than anonymity. And if the OpenVPN client drops its connection, DD-WRT will route LAN traffic straight out the WAN until it reconnects, unless you add firewall rules to prevent that.

Additional Info

Good article on other consumer VPN companies/providers and general info: http://lifehacker.com/5940565/why-you-should-start-using-a-vpn-and-how-to-choose-the-best-one-for-your-needs

VPN Listings and features: That One Privacy Guy’s VPN Comparison Chart

PIA official DD-WRT configuration guide (has some errors): https://www.privateinternetaccess.com/pages/client-support/#ddwrt_openvpn

DD-WRT wiki page on OpenVPN (good info, but not 100% relevant to this guide): http://www.dd-wrt.com/wiki/index.php/OpenVPN

FightForTheFuture.org About page: https://www.fightforthefuture.org/aboutus/index.html

OpenVPN homepage: http://openvpn.net/

Special Thanks
Kong, BrainSlayer, Fractal, Eko, Magnetron1.1, Quidagis, Adam Dachis, Alan Henry, kh1349

Non-Commercial Statement

I haven't been incentivized or compensated in any way by the organizations I've linked or recommended in this guide.

    47 Discussions

    Yeah, this no longer works... PIA made a change and the CA document is now CA.rsa.2048, and it makes it so it no longer works. I also bricked an R7000 trying to overclock, like the user below. DO NOT FOLLOW THESE INSTRUCTIONS FOR OVERCLOCKING

    choids

    1 year ago

    These instructions are no good. Bricked my R7000 router attempting to overclock. Please, please avoid overclocking; it's not worth bricking a perfectly good router. Also, the PIA settings are wrong. Ironically, it says the PIA website is wrong. Other way around, pal. Use these from PIA directly. You'll thank me later.

    https://www.privateinternetaccess.com/pages/client-support/dd-wrt-openvpn

    Any suggestions on how to configure an R7000 with a static IP for the WAN connection? There are no spaces below the DHCP settings for the three Static DNS entries with the router set for static IP. Thanks.

    I am using a flashed Cisco E2500 V.1 router. My settings do not have an option for IPv6 under Setup.

    Nor do I have the following options under Services > VPN:

    • User Pass Authentication = Enable
    • Username, Password = Your PIA username & password

    Is there a work around for this?

    4 replies

    You can try to set up commands on startup. The HMA instructions on their website talk through this quite well, but I don't know if it actually works; I never got HMA working!

    Hi George, I am in the same boat you are. Any solution for this? Maybe we have to flash a different DD-WRT firmware to the router. Please let me know if you got this fixed. Thanks

    I've done this and it works like a dream. I initially left my router set with the ISP's DNS, but this blocked some sites, even though I was in VPN! So I've changed to using PIA VPNs. They have overcome this, but default Google searches always default to US results, which is painful. Are there good DNS available that will be UK based?

    Thanks

    No success sadly. Same as my attempts to get HMA on this build. I'm certain it's because I can't connect to the internet out of my WAN port and am connecting to my ISP's router through the LAN port, and I'm getting blocked in the ISP router. Any advice greatly appreciated.

    Client log:

    20150830 17:28:02 I OpenVPN 2.3.4 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Aug 15 2014
    20150830 17:28:02 I library versions: OpenSSL 1.0.1i 6 Aug 2014 LZO 2.08
    20150830 17:28:02 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:16
    20150830 17:28:02 W WARNING: file '/tmp/openvpncl/credentials' is group or others accessible
    20150830 17:28:02 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    20150830 17:28:02 Socket Buffers: R=[180224->131072] S=[180224->131072]
    20150830 17:28:07 N RESOLVE: Cannot resolve host address: uk-london.privateinternetaccess.com: Try again
    20150830 17:28:12 N RESOLVE: Cannot resolve host address: uk-london.privateinternetaccess.com: Try again
    20150830 17:28:12 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
    20150830 17:28:12 D MANAGEMENT: CMD 'state'
    20150830 17:28:12 MANAGEMENT: Client disconnected
    20150830 17:28:12 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
    20150830 17:28:12 D MANAGEMENT: CMD 'state'
    20150830 17:28:12 MANAGEMENT: Client disconnected
    20150830 17:28:12 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
    20150830 17:28:12 D MANAGEMENT: CMD 'state'
    20150830 17:28:12 MANAGEMENT: Client disconnected
    20150830 17:28:12 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
    20150830 17:28:12 D MANAGEMENT: CMD 'status 2'
    20150830 17:28:12 MANAGEMENT: Client disconnected
    20150830 17:28:12 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
    20150830 17:28:12 D MANAGEMENT: CMD 'log 500'
    19700101 02:00:00

    ca /tmp/openvpncl/ca.crt
    management 127.0.0.1 16
    management-log-cache 100
    verb 3
    mute 3
    syslog
    writepid /var/run/openvpncl.pid
    client
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    script-security 2
    dev tun1
    proto udp
    cipher bf-cbc
    auth sha1
    auth-user-pass /tmp/openvpncl/credentials
    remote uk-london.privateinternetaccess.com 1194
    comp-lzo yes
    tun-mtu 1500
    mtu-disc yes
    fast-io
    tun-ipv6
    persist-key
    persist-tun
    tls-client
    remote-cert-tls server

    I didn't find any errors between this and the instructions from PIA,

    https://www.privateinternetaccess.com/pages/client-support/dd-wrt-openvpn

    Either I didn't notice them or they might have corrected them.

    The only part that is different from this on PIA is "Step 8. If there is a DNS Suffix, Remove that"

    I did not find this in here, do I have to do anything?

    Other than that all working for now, will get back if anything needed.

    Thank you,

    Hello,

    I would like to know whether I can use the following on my NETGEAR R7000 with Kong's latest DD-WRT:

    I use and really need a DNS service (dns4me.net) for my Sonos network, for Pandora Radio & Songza Music; without it I can't live in Germany!

    1. Is it possible that I use the dns4me.net IPs without the DNS IPs from PIA??? (like 4.2.2.1 & 4.2.2.2 & 4.2.2.3)

    2. What settings like "dnsmasq" or other stuff do I have to change?

    3. Maybe you know other special tricks (IP range, port forwarding or triggering, ...)?

    Thank you for this great tutorial :))

    I use the following tutorial for my iPad and it worked great for me.
    http://www.vpnranks.com/how-to-setup-vpn-on-ipad/

    Can't get this to work. The traffic won't pass through the VPN...

    Can you send me the CA cert file so I can copy and paste?

    1 reply

    The OpenVPN CA cert is:

    -----BEGIN CERTIFICATE-----
    MIID2jCCA0OgAwIBAgIJAOtqMkR2JSXrMA0GCSqGSIb3DQEBBQUAMIGlMQswCQYD
    VQQGEwJVUzELMAkGA1UECBMCT0gxETAPBgNVBAcTCENvbHVtYnVzMSAwHgYDVQQK
    ExdQcml2YXRlIEludGVybmV0IEFjY2VzczEjMCEGA1UEAxMaUHJpdmF0ZSBJbnRl
    cm5ldCBBY2Nlc3MgQ0ExLzAtBgkqhkiG9w0BCQEWIHNlY3VyZUBwcml2YXRlaW50
    ZXJuZXRhY2Nlc3MuY29tMB4XDTEwMDgyMTE4MjU1NFoXDTIwMDgxODE4MjU1NFow
    gaUxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJPSDERMA8GA1UEBxMIQ29sdW1idXMx
    IDAeBgNVBAoTF1ByaXZhdGUgSW50ZXJuZXQgQWNjZXNzMSMwIQYDVQQDExpQcml2
    YXRlIEludGVybmV0IEFjY2VzcyBDQTEvMC0GCSqGSIb3DQEJARYgc2VjdXJlQHBy
    aXZhdGVpbnRlcm5ldGFjY2Vzcy5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
    AoGBAOlVlkHcxfN5HAswpryG7AN9CvcvVzcXvSEo91qAl/IE8H0knKZkIAhe/z3m
    hz0t91dBHh5yfqwrXlGiyilplVB9tfZohvcikGF3G6FFC9j40GKP0/d22JfR2vJt
    4/5JKRBlQc9wllswHZGmPVidQbU0YgoZl00bAySvkX/u1005AgMBAAGjggEOMIIB
    CjAdBgNVHQ4EFgQUl8qwY2t+GN0pa/wfq+YODsxgVQkwgdoGA1UdIwSB0jCBz4AU
    l8qwY2t+GN0pa/wfq+YODsxgVQmhgaukgagwgaUxCzAJBgNVBAYTAlVTMQswCQYD
    VQQIEwJPSDERMA8GA1UEBxMIQ29sdW1idXMxIDAeBgNVBAoTF1ByaXZhdGUgSW50
    ZXJuZXQgQWNjZXNzMSMwIQYDVQQDExpQcml2YXRlIEludGVybmV0IEFjY2VzcyBD
    QTEvMC0GCSqGSIb3DQEJARYgc2VjdXJlQHByaXZhdGVpbnRlcm5ldGFjY2Vzcy5j
    b22CCQDrajJEdiUl6zAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBAByH
    atXgZzjFO6qctQWwV31P4qLelZzYndoZ7olY8ANPxl7jlP3YmbE1RzSnWtID9Gge
    fsKHi1jAS9tNP2E+DCZiWcM/5Y7/XKS/6KvrPQT90nM5klK9LfNvS+kFabMmMBe2
    llQlzAzFiIfabACTQn84QLeLOActKhK8hFJy2Gy6
    -----END CERTIFICATE-----

    Server:
    Local Address:
    Remote Address:
    Client:
    Local Address:
    Remote Address:

    how does this work?

    http://imgur.com/8uDY2P6