DDWRT OpenVPN Client Setup Guide v14
Introduction
This guide starts with a general overview of OpenVPN Client settings.
In the second part are provider specific settings.
This guide is for build 48128 and upwards.
Other useful OpenVPN information here e.g. OpenVPN server setup, Policy Based Routing, DNS leaks and much
more.
Table of Contents
Introduction ...................................................................................................................................................................... 1
OpenVPN client settings ................................................................................................................................................... 3
CVE-2019-14899 Mitigation .......................................................................................................................................... 3
Server IP/Name : Port ................................................................................................................................................... 3
Enable Multiple Servers ................................................................................................................................................ 3
Tunnel Protocol ............................................................................................................................................................. 3
Encryption cipher .......................................................................................................................................................... 4
Data cipher(s) ................................................................................................................................................................ 4
User Pass Authentication .............................................................................................................................................. 4
Advanced Options ......................................................................................................................................................... 5
TLS cipher ...................................................................................................................................................................... 5
Compression ................................................................................................................................................................. 5
Inbound Firewall on TUN .............................................................................................................................................. 5
Killswitch ....................................................................................................................................................................... 5
Watchdog ...................................................................................................................................................................... 6
Tun-mtu......................................................................................................................................................................... 7
Policy Based Routing ......................................................................................................................................................... 7
Source Based ............................................................................................................................................................. 7
Route all sources via VPN.......................................................................................................................................... 7
Route Selected sources via VPN: .............................................................................................................................. 7
Routed selected sources via the WAN ...................................................................................................................... 8
Split DNS........................................................................................................................................................................ 9
Destination Based ......................................................................................................................................................... 9
Additional Config......................................................................................................................................................... 10
Adding Servers/Country .......................................................................................................................................... 10
Add extra DNS servers ............................................................................................................................................ 10
Route through VPN or WAN (e.g. for your added DNS server)............................................................................... 10
Show more info in the log ....................................................................................................................................... 10
Connection Problems ...................................................................................................................................................... 10
stopping and starting OpenVPN client:....................................................................................................................... 11
Troubleshooting .............................................................................................................................................................. 11
Further reading ............................................................................................................................................................... 11
Advanced......................................................................................................................................................................... 11
For script to automatically change the remote server/port: ...................................................................................... 11
Easy switch between Providers/Setup........................................................................................................................ 12
OpenVPN Client on a Wireless Access Point (WAP).................................................................................................... 12
Scramble options ........................................................................................................................................................ 12
Specific settings for Providers ......................................................................................................................................... 14
AirVPN ............................................................................................................................................................................. 14
IVACY VPN ....................................................................................................................................................................... 14
Nord VPN......................................................................................................................................................................... 14
Private Internet Access ................................................................................................................................................... 14
Express VPN .................................................................................................................................................................... 14
Keepsolid (VPN Unlimited).............................................................................................................................................. 14
Proton VPN...................................................................................................................................................................... 16
Cyberghost ...................................................................................................................................................................... 16
vpn-ip.co.uk..................................................................................................................................................................... 16
Surfshark.com ................................................................................................................................................................. 16
Azire VPN......................................................................................................................................................................... 16
IPVanish........................................................................................................................................................................... 16
References: ..................................................................................................................................................................... 16
DDWRT OpenVPN Client Setup guide by egc, last modified: 5-Feb-22 page 2
OpenVPN client settings
Most settings are self-explanatory; the important ones are discussed below.
CVE-2019-14899 Mitigation
This closes a minor security weakness: an attacker on the same network segment as the router could send packets addressed to the tunnel's virtual IP address via the LAN side and, from the router's responses, learn that address and tamper with TCP connections running inside the tunnel. The fix amounts to not answering packets for the tunnel address that arrive on another interface. It can be kept enabled for normal client mode operation, but it blocks LAN access when used in a site-to-site setup. This is discussed in the OpenVPN server setup guide.
Tunnel Protocol
If only IPv4 is used make sure to choose udp4, otherwise OpenVPN also tries to set up IPv6, which results in a lot of
warnings.
If your provider still pushes IPv6 options then you can add in the Additional Config:
pull-filter ignore "route-ipv6"
pull-filter ignore "ifconfig-ipv6"
The following option is necessary if you have IPv6 enabled on the router and do not want IPv6 to go through the tunnel (without it IPv6 traffic can bypass the VPN):
block-ipv6
Encryption cipher
This is the old single "cipher" directive, only needed for backwards compatibility with older (pre 2.4) servers that do not negotiate a cipher. It is being phased out and can usually be set to None.
Data cipher(s)
The server and client negotiate one of the (up to three) data ciphers listed here.
The default is AES-256-GCM; be sure to have at least this one in the list, otherwise negotiation with a current server can fail.
Advanced Options
TLS cipher
Used for the control channel key negotiation (via TLS).
Leave at None and it will be negotiated with your server; the log then usually shows something like:
ECDHE-RSA-AES256-GCM-SHA384 4096 (i.e. this TLS cipher suite with a 4096-bit RSA key)
Compression
Compresses the data channel. In theory this gives better throughput, but compressing and decompressing also costs
valuable CPU cycles, so the net effect, if any, is small on SOHO routers.
Using compression is a security risk and should be avoided: compressing plaintext before it is encrypted lets an attacker who can inject data into the tunnel and observe packet sizes recover secrets (the VORACLE attack against OpenVPN), and compression is deprecated in OpenVPN 2.5 and later.
So the best setting is Disabled (this is different from No: Disabled sends no compression option at all, No still announces the compression framing but with compression switched off).
Unfortunately a lot of providers are still using it or making it optional for backward compatibility (so that it can be
used).
If Disabled does not work (you get a connection but no traffic) try No; if that is not working, try Adaptive.
Killswitch
Stops (Kills) access via the WAN so that your IP address is not exposed even if the VPN is down.
It is recommended to enable the Kill switch.
The killswitch only works if the OpenVPN client is enabled (Start OpenVPN Client, first setting in the GUI)
The killswitch is also working for Policy Based routing, meaning everything in the PBR field (which is using the VPN)
should be protected by the killswitch.
If you want to block IP sources manually see the following examples, source IP addresses are used with CIDR notation but you
can also use an interface (and other source):
In Administration/Commands you enter the following:
iptables -I FORWARD -s 192.168.1.64/26 -o $(get_wanface) -m state --state NEW -j REJECT
iptables -I FORWARD -s 192.168.1.28/30 -o $(get_wanface) -m state --state NEW -j REJECT
iptables -I FORWARD -s 192.168.1.150 -o $(get_wanface) -m state --state NEW -j REJECT
iptables -I FORWARD -i wl0.1 -o $(get_wanface) -m state --state NEW -j REJECT
Save as Firewall
-m state --state NEW is used here so that only new outbound connections from these sources are blocked; replies to connections that came in via the WAN (e.g. port forwards) are still allowed out. If you do not want this you can omit it.
The killswitch stops all traffic from all interfaces so you cannot use port forwarding or things like an OpenVPN server
with this kill switch.
For that specific purpose you can use something like (Administration/Commands, Save as Firewall):
iptables -I FORWARD -i br0 -o $(get_wanface) -m state --state NEW -j REJECT --reject-with icmp-host-prohibited
Note 1: although the killswitch will restart SFE to block existing connections it is advised to reboot the router after
enabling the killswitch.
Note 2: The killswitch is only tested when the router is in gateway mode.
When the router is set up as a WAP you can use the following(Administration/Commands Save as firewall):
iptables -I FORWARD -i br0 -o br0 -j REJECT
If you use PBR on a WAP see next paragraph, the killswitch will probably work but is not tested. If you want to do
that manually you add the source IP address e.g.:
iptables -I FORWARD -i br0 -s 192.168.1.150 -o br0 -j REJECT
Note 3:
For older builds which do not have this advanced killswitch you can add one, See second post of this thread:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=321686
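The manual per-source rules above are easy to get inconsistent, and a script saved as Firewall can run more than once, so as an added example (not code from this guide) here is a small script that builds the same rules from one list, skips rules that are already present, and lets you verify that every rule is installed. It assumes the WAN interface name is passed in (on DD-WRT that is "$(get_wanface)") and that iptables supports -C (1.4.11 or newer); both are assumptions, not something the guide states.

```shell
#!/bin/sh
# Added example, not code from the DD-WRT guide: per-source kill-switch rules
# built from one list, applied once, and checkable. Assumptions: WAN interface
# name is passed in as $1 (on DD-WRT: "$(get_wanface)"), iptables has -C.

# ks_rule SOURCE WANIF -> the rule spec for one source: an interface name
# (wl0.1, br1) becomes -i, an IPv4 address or CIDR range becomes -s.
ks_rule() {
    case "$1" in
        *[!0-9./]*) _sel="-i $1" ;;   # contains letters: an interface
        *)          _sel="-s $1" ;;   # only digits, dots, slash: address/CIDR
    esac
    # "--state NEW" blocks new outbound connections only; replies to connections
    # that came in via the WAN (port forwards, an OpenVPN server) still pass.
    echo "FORWARD $_sel -o $2 -m state --state NEW -j REJECT"
}

# ks_apply WANIF "SOURCE ..." -> insert each rule once (skip if already there);
# with DRY_RUN=1 only print the iptables commands.
ks_apply() {
    for _s in $2; do
        _r=$(ks_rule "$_s" "$1")
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "iptables -I $_r"
        elif ! iptables -C $_r 2>/dev/null; then
            iptables -I $_r
        fi
    done
}

# ks_check WANIF "SOURCE ..." -> returns 0 only if every rule is installed
ks_check() {
    for _s in $2; do
        iptables -C $(ks_rule "$_s" "$1") 2>/dev/null || return 1
    done
    return 0
}

# Typical use in Administration/Commands (saved as Firewall) on DD-WRT:
#   ks_apply "$(get_wanface)" "192.168.1.64/26 192.168.1.150 wl0.1"
#   ks_check "$(get_wanface)" "192.168.1.64/26 192.168.1.150 wl0.1" || logger "killswitch rules missing"
```

Run it first with DRY_RUN=1 to see the exact rules it would insert; ks_check is useful in a cron job or after a firewall restart to alert when a rule has disappeared.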
Watchdog
If you experience frequent disconnects first take the mitigation steps as described in the Connection Problems
section and try to find a cause for the disconnects.
As a last resort enable the Watchdog, which pings through the tunnel and after a number of failed pings restarts OpenVPN (or
reboots the router when the nvram variable vpn_onfail_reboot is set to 1).
Instead of a Server IP to Ping to you can also set a host-name and add a number of IP addresses to said host-name in
DNSMasq Additional Options.
This has the added benefit that DNSMasq will use a round robin method to use all the IP addresses so that you will
not risk a ban for too frequent pinging and it also adds redundancy if one ping ip address is down.
See ninth post by @eibgrad: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=331461
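For builds without the built-in Watchdog, or to run the check from cron, the following added example (not code from this guide or from the forum posts it links to) implements the same idea: ping several targets through the tunnel interface and only act after a number of consecutive rounds in which none of them answered, so a single slow target does not trigger a restart. The tunnel interface name tun1, the restart command "service openvpn restart" and the state file path are assumptions, not taken from the guide; the vpn_onfail_reboot flag is the one described above.

```shell
#!/bin/sh
# Added example, not code from the DD-WRT guide: a minimal tunnel watchdog.
# Assumptions: tunnel interface tun1, "service openvpn restart" restarts the
# client, and the nvram flag vpn_onfail_reboot=1 means "reboot instead".

PING=${PING:-ping}                      # override with true/false to test offline
STATE=${STATE:-/tmp/vpn_watchdog.fails} # consecutive-failure counter between runs
DRY_RUN=${DRY_RUN:-0}                   # 1 = print the recovery action, do not run it

# tunnel_alive IFACE "TARGET ..." -> 0 as soon as one target answers a ping sent via IFACE
tunnel_alive() {
    _if=$1
    for _t in $2; do
        "$PING" -I "$_if" -c 1 -W 2 "$_t" >/dev/null 2>&1 && return 0
    done
    return 1
}

# recover -> restart OpenVPN, or reboot the router if nvram vpn_onfail_reboot=1
recover() {
    _flag=$(nvram get vpn_onfail_reboot 2>/dev/null || echo 0)
    if [ "$_flag" = 1 ]; then _cmd="reboot"; else _cmd="service openvpn restart"; fi
    if [ "$DRY_RUN" = 1 ]; then echo "would run: $_cmd"; else $_cmd; fi
}

# vpn_watchdog IFACE "TARGET ..." LIMIT -> prints the failure count; recovers at LIMIT
vpn_watchdog() {
    if tunnel_alive "$1" "$2"; then
        _n=0                              # tunnel works: reset the counter
    else
        _n=$(cat "$STATE" 2>/dev/null)
        _n=$((${_n:-0} + 1))
    fi
    if [ "$_n" -ge "$3" ]; then
        recover
        _n=0                              # start counting again after recovery
    fi
    echo "$_n" > "$STATE"
    echo "$_n"
}

# From cron every 5 minutes: */5 * * * * root /jffs/vpn_watchdog.sh run
case "${1:-}" in
    run) vpn_watchdog tun1 "9.9.9.9 1.1.1.1" 3 ;;
esac
```

Use several ping targets (or the round-robin host name trick above) so that one target blocking ICMP does not count as a tunnel failure, and run it once by hand with DRY_RUN=1 before enabling it from cron.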
Tun-mtu
The tun-mtu default is lowered from the standard 1500 to 1400 in builds from 46681 and upwards.
OpenVPN should deal with the correct tun-mtu size by itself, but it does a sub-par job, which can result in MTU problems (connections that hang or only small transfers working).
Therefore a lower default of 1400 was chosen.
You can set tun-mtu to 0 and let OpenVPN decide, or search manually for the optimal MTU size.
For more information see the VPN troubleshooting guide under MTU size problems.
Policy Based Routing
For iptables based routing and IPSET routing, scripts are available, see https://pastebin.com/nC27ETsp for
@eibgrad's sophisticated solution.
Source Based
Source Based Routing is based on the source of the connection e.g. your clients IP address, port, interface etc.
The Source Routing (PBR) setting is a drop-down box with three choices:
Route all sources via VPN
Note: this assumes the server is indeed pushing the default route via the VPN ( push "redirect-gateway def1" ); usually all
commercial VPN providers push this default route.
If the server does not push the default route and you do not want to use PBR, you can add it manually; in the Additional Config
add: redirect-gateway def1
Route Selected sources via VPN:
This is the classic PBR where everything entered in the PBR box is routed via the VPN and everything else is routed
via the WAN.
In the PBR box you can add not only IP addresses (CIDR notation) but also source port (sport) destination port
(dport) In-interfaces (iif) e.g. br1 etc, see the ip rule MAN page
In this OpenVPN example one client (192.168.13.59) and one port are routed via the VPN; the IP address range of the VAP
(Virtual Access Point) is commented out and the VAP's interface is used instead, so all of these are routed via the VPN.
Place one entry per line
Lines starting with a # are skipped.
You can add a comment at the end of a line starting with #.
You can also include a specific destination address to route via the VPN e.g. if you want only to route this specific IP
address: 208.79.209.138 (whatsmyip.org) through the VPN from your whole subnet then enter in the PBR field:
192.168.1.0/24 to 208.79.209.138 #whatsmyip.org
You can route a whole unbridged interface via the VPN by its subnet in CIDR notation, e.g. 192.168.2.0/24, but it is easier to use the
interface name (e.g. br1, wl0.1, wlan1.1 etc). The interface has to be unbridged for this to work and some routers have
problems with it, so when in doubt just use the subnet. Examples:
iif br1
or
iif wl0.1
You can also specify certain ports to use your VPN with sport (source port) e.g. for transmission:
sport 51413 # Transmission
For a quick check you can point your web browser to ipleak.net
Everything entered in the Policy Based Routing box is an ip rule which is set on table 10 and can be checked (from CLI
telnet/Putty) with:
ip rule show
ip route show
ip route show table 10
cat /tmp/openvpncl/policy_ips
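To see what the lines in the PBR box actually mean in ip rule terms, here is an added example (not code from this guide) that converts the entries as you would type them (comment lines, trailing comments, bare addresses, iif/sport/to selectors) into the equivalent ip rule commands on table 10, plus a check you can run after the tunnel is up. The selectors are plain ip rule syntax; that a bare address is a "from" match and that DD-WRT builds exactly these commands internally is an assumption for illustration.

```shell
#!/bin/sh
# Added example, not code from the DD-WRT guide: translate PBR box entries into
# "ip rule" commands on table 10, and check that table-10 rules are installed.
# Assumption: a line that starts with an address/CIDR is a source ("from") match.

# pbr_to_iprule < entries -> one "ip rule add <selector> lookup 10" per entry
pbr_to_iprule() {
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                 # drop a trailing "# comment"
        set -- $line                     # split into words; trims whitespace
        [ $# -eq 0 ] && continue         # blank line or comment-only line
        case "$1" in
            iif|oif|sport|dport|from|to|ipproto|fwmark)
                sel="$*" ;;              # already a valid ip-rule selector
            *)
                sel="from $*" ;;         # bare address/CIDR (optionally "to DST")
        esac
        echo "ip rule add $sel lookup 10"
    done
}

# pbr_active -> 0 if at least one table-10 rule is installed (run after route-up)
pbr_active() {
    ip rule show 2>/dev/null | grep -q 'lookup 10'
}

# Constructed sample of what one might type in the PBR box:
sample_entries() {
    printf '%s\n' \
        '192.168.13.59' \
        '# 192.168.2.0/24' \
        'iif wl0.1' \
        'sport 51413 # Transmission' \
        '192.168.1.0/24 to 208.79.209.138 #whatsmyip.org'
}

# Stand-alone: print the rules for the sample, then report whether PBR is live.
if [ "${1:-}" = run ]; then
    sample_entries | pbr_to_iprule
    pbr_active && echo "table 10 rules present" || echo "no table 10 rules (VPN down?)"
fi
```

Compare the printed commands with the output of ip rule show on the router; a source you expect to use the VPN that has no matching "lookup 10" rule is the first thing to look for when ipleak.net shows your WAN address.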
Route selected sources via the WAN
This is the inverse: everything goes via the VPN except what is entered in the PBR box. It can be useful if you have only a few IP addresses you want to route via the WAN and is also very useful if you
also run a concurrent OpenVPN server.
As the OpenVPN server must be reachable via the WAN you can add sport 1194 and this port will then use the WAN.
Split DNS
When using "Selected sources via the VPN" and "Split DNS" only the selected sources will use the pushed DNS
servers from the provider.
You can also add your own DNS server in the Additional Config, e.g.:
dhcp-option DNS 8.8.8.8
That server will then be used as DNS server.
Note: added DNS servers are not automatically routed via the VPN you have to do that manually with:
route 8.8.8.8 255.255.255.255 vpn_gateway
If you do not want to use the pushed DNS servers from the provider add to the Additional Config:
pull-filter ignore "dhcp-option DNS"
If "Selected sources via WAN" is chosen, the selected sources will use the first DNS server, e.g. the one from Static DNS 1.
Note:
When "Selected sources via WAN" is chosen with the Kill switch enabled, the firewall rules that let the selected sources
escape the kill switch are only added on --route-up. As a consequence everything is blocked while the VPN is not up.
In future builds these rules will be moved to --up so that the selected sources stay reachable even if the VPN is not
up.
When the router is set up as a Wireless Access Point (WAP) with WAN disabled the Killswitch is not working (this will
come in a future release); however, the firewall rules for the selected sources via WAN are already in place, so by
inserting the necessary kill switch rule yourself (see the Killswitch section) it may already work.
Note:
If you want to do everything manually and do not want the default routing via the VPN (which is usually set=pushed
by the provider) then you can add the following in the Additional Config:
pull-filter ignore "redirect-gateway"
For some more reading about VPN and DNS see the VPN and DNS guide
Destination Based
If you primarily want to use the VPN but have a selected destination which you want to route via the WAN, you can
enter in the OpenVPN Additional Config:
route ipleak.net 255.255.255.255 net_gateway #use vpn_gateway to route via the VPN
Now all traffic for this website, regardless of the source, will be routed via the WAN.
You might also want to have the DNS query for this domain routed via the WAN which is explained in DDWRT DNS
and VPN guide
You can either specify an IP address, which can have a netmask ranging from 255.0.0.0 to 255.255.255.255, e.g.:
route 212.58.0.0 255.255.0.0 net_gateway #BBC
or a domain name, but that can only have a netmask of 255.255.255.255 (see the ipleak.net example) and is resolved once, when OpenVPN starts.
It is often asked if this can also be done for e.g. Amazon, Netflix, BBC etc.
Unfortunately Amazon (and Netflix, BBC, YouTube etc.) use many domains whose IP addresses change and are spread over several CDNs,
and you would have to catch them all, so in reality this probably will not work.
IPSET might be able to mitigate this (for an example see:
https://www.linksysinfo.org/index.php?threads/using-ipset-to-bypass-a-vpn.73136/page-2
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327102&highlight=youtube )
For some further reading about DNS (DNS leaks, routing of DNS servers, adding extra DNS servers, Split DNS etc.) see
the VPN and DNS guide:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=331017
Additional Config
Useful settings which can be added:
Adding Servers/Country
On builds starting with build 47640 this can be set in the GUI
Some VPN providers use the same keys for multiple servers/countries; you can then alternate between countries or
add extra servers to fall back on if the first one is not working, with e.g.:
server-poll-timeout 10
remote-random
remote [server address] [port number]
remote de.vpnunlimitedapp.com 1194
server-poll-timeout 10 gives each server 10 seconds to answer before the next one is tried; remote-random randomly chooses which
server to try first. If you remove remote-random the list is tried from top to bottom, starting with the one in the Server
IP/Name box.
Route through VPN or WAN (e.g. for your added DNS server)
route 10.200.1.1 255.255.255.255 vpn_gateway # route this DNS server via the VPN
route 212.58.0.0 255.255.0.0 vpn_gateway # route a whole /16 range via the VPN
route amazon.com 255.255.255.255 net_gateway # route amazon via the WAN; a host name can only take netmask 255.255.255.255
After you are done configuring be sure to reboot (or press Apply on the setup page)
Connection Problems
When the tunnel goes down and does not reconnect because it cannot resolve the server's host name and
cannot set a route to the new server, this can be because the route-up and down scripts are not re-run (because
of the persist-tun parameter).
The resolv.dnsmasq file then keeps the pushed DNS servers, which are not reachable outside the tunnel, and the pre-
existing routes are kept as well.
So the tunnel should be fully restarted; you can force this by adding to the Additional Config:
remap-usr1 SIGHUP
(this turns the soft restart signal OpenVPN sends itself into a hard restart, so the scripts run again)
You can also try adding the server's domain name as a route directive to force *all* its public IPs to be bound to the
WAN, add in the additional config (this can be useful if you have the error: RESOLVE: Cannot resolve host address ….):
route <server url> 255.255.255.255 net_gateway
In the end you might need a tunnel watchdog see third post of this thread or simply use the built-in connection
watchdog to reboot the router if a connection is lost.
stopping and starting OpenVPN client:
When the OpenVPN client is disabled and you want to start it from the CLI:
nvram set openvpncl_enable=1
/sbin/service openvpn start
Troubleshooting
To troubleshoot setup problems do the following:
• Enable "Syslogd" on Services page
• Add in OpenVPN Additional config: verb 5
• From the CLI (telnet/Putty) view/send openvpn log: grep -i openvpn /var/log/messages
• From the CLI (telnet/Putty) view/send: cat /tmp/openvpncl/openvpn.conf
• Post pictures of OpenVPN Setup page and Status page (whole page)
• Post content of Additional Config on OpenVPN Setup page
• Send link of the settings you followed
• For PBR send output of:
o ip rule show
o ip route show
o ip route show table 10
o cat /tmp/openvpncl/policy_ips
Further reading
OpenVPN (server) trouble shooting guide:
https://forum.dd-wrt.com/phpBB2/download.php?id=43221
Advanced
OpenVPN Client on a Wireless Access Point (WAP)
Make sure to add the following rule to Administration/Commands and Save Firewall:
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $(nvram get lan_ipaddr)
This rewrites the source address of traffic the WAP forwards back onto the LAN to the WAP's own address, so that replies from the primary router return via the WAP (where the VPN routing lives) instead of going directly to the client.
On your LAN clients which you want to use the VPN, set the gateway and DNS to point to the WAP (static IP
address), or use DNSMasq on the primary router to hand out alternate gateways.
For instructions on how to use DNSMasq on your primary router to hand out an alternate gateway, and more options to
change the gateway, see the VPN and DNS Guide, paragraph "Using DNSMasq to specify Alternate DNS
servers/Gateway for specific clients".
Note:
An unbridged VAP (wireless Virtual Access Point) or unbridged VLAN/br1 on your WAP will automatically use the
VPN, no extra settings necessary!
In this way you can switch your LAN clients to use the VPN or not by switching wireless SSIDs.
Scramble options
Scramble options can be used to obfuscate the connection; this can be useful to escape censoring.
Note: scramble options must be the same on the client and server side! They come from the XOR patch linked below, which is not part of upstream OpenVPN, and they only disguise the packet framing: they add no cryptographic protection, the TLS control channel and data channel encryption are unchanged.
If one of the following options is used instead, a different action occurs:
scramble reverse
This simply reverses all the data in the packet. This is enough to get past the regular expression detection in both
China and Iran.
scramble xorptrpos
This performs a XOR operation using the current position in the packet payload as the mask.
https://forums.openvpn.net/viewtopic.php?t=12605
https://github.com/clayface/openvpn_xorpatch/blob/master/openvpn_xor.patch
https://svn.dd-wrt.com/changeset/47850
Specific settings for Providers
This is an overview of the OpenVPN client setup instructions for various providers.
Unfortunately I cannot keep track of all things which change so your input is crucial in keeping these instructions
updated.
Post in the forum or send me a Personal Mail (PM)
Most instructions from VPN providers to setup an OpenVPN client on a DDWRT router are obsolete and often even
blatantly wrong, it sometimes makes me weep seeing so much nonsense ☹
Do not set provider specific DNS servers in the Static DNS (x) field!
These DNS servers are often only reachable via the VPN, and if you specify a host name as server address it cannot be
resolved before the tunnel is up, so the client never connects.
Provider specific DNS servers should be added according to the instructions in the Additional Config section: Add extra DNS servers.
As a general warning all settings can be done in the GUI or are already done by DDWRT so to start:
Do not add anything in the Additional Config, (only exception is: verb 5 )
Do not add any firewall rules
Do not add any (startup) scripts
AirVPN
by Surpriseditworks:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=321856
IVACY VPN
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=322264
Nord VPN
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=328049&highlight=nordvpn
Express VPN
Settings from @eibgrad: https://imgur.com/a/QkNl9be
Tunnel UDP fragment is a bit low you can try higher for added throughput max settings is probably 1450, if set to
high you will have slow/intermittent traffic especially streaming and social media problems
See my own settings below, note that I have only verb 5 in the Additional Config!.
The only useful other additions can be:
verb 5 #gives you more log information
remote-random #if you want to have a random server in that country
reneg-sec 0 #disables client-initiated key renegotiation if you have hourly disconnects; the server still renegotiates at its own interval, but doing without renegotiation is less safe
Proton VPN
Protons instructions:
https://protonvpn.com/support/vpn-router-ddwrt/
Do not set the Static DNS servers like they are doing just use for static DNS 1 something like 9.9.9.9 or another
publicly available DNS server you trust.
Do not use the killswitch (if you need one DDWRT has one built-in)
Cyberghost
See: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=329642
And: https://forum.dd-wrt.com/phpBB2/download.php?id=49171
vpn-ip.co.uk
see: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=330389
Surfshark.com
See: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=330608
Azire VPN
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=330645
IPVanish
https://support.ipvanish.com/hc/en-us/articles/115002080733-DD-WRT-v3-Router-Setup
But change the following:
References:
https://wiki.dd-wrt.com/wiki/index.php/Policy_Based_Routing
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318662