
DDWRT OpenVPN Client setup guide

The latest version of this guide can be found here

Introduction
This guide starts with a general overview of OpenVPN Client settings.
In the second part are provider specific settings.
This guide is for build 48128 and upwards.

Other useful OpenVPN information here e.g. OpenVPN server setup, Policy Based Routing, DNS leaks and much
more.

Table of Contents
Introduction
OpenVPN client settings
CVE-2019-14899 Mitigation
Server IP/Name : Port
Enable Multiple Servers
Tunnel Protocol
Encryption cipher
Data cipher(s)
User Pass Authentication
Advanced Options
TLS cipher
Compression
Inbound Firewall on TUN
Killswitch
Watchdog
Tun-mtu
Policy Based Routing
Source Based
Route all sources via VPN
Route Selected sources via VPN:
Routed selected sources via the WAN
Split DNS
Destination Based
Additional Config
Adding Servers/Country
Add extra DNS servers
Route through VPN or WAN (e.g. for your added DNS server)
Show more info in the log
Connection Problems
stopping and starting OpenVPN client:
Troubleshooting
Further reading
Advanced
For script to automatically change the remote server/port:
Easy switch between Providers/Setup
OpenVPN Client on a Wireless Access Point (WAP)
Scramble options
Specific settings for Providers
AirVPN
IVACY VPN
Nord VPN
Private Internet Access
Express VPN
Keepsolid (VPN Unlimited)
Proton VPN
Cyberghost
vpn-ip.co.uk
Surfshark.com
Azire VPN
IPVanish
References:

DDWRT OpenVPN Client Setup guide by egc, last modified: 5-Feb-22 page 2
OpenVPN client settings
Most settings are self-explanatory; the important ones are discussed below.

CVE-2019-14899 Mitigation
This stops a minor security leak. It can be kept enabled for normal client mode operation, but it blocks LAN access
when used in a site-to-site setup. This is discussed in the OpenVPN server setup guide.

Server IP/Name : Port


This can be an IP address or a URL.

Enable Multiple Servers


For entering more than one remote server address and port, there is also a random setting which chooses one server
randomly at startup.
Note the certificates, keys and username/password if applicable should be the same for all servers

Tunnel Protocol
If only IPv4 is used, make sure to choose udp4; otherwise OpenVPN tries to set up IPv6, which results in a lot of
warnings.
If your provider still pushes IPv6 options, you can add the following in the Additional Config:
pull-filter ignore "route-ipv6"
pull-filter ignore "ifconfig-ipv6"

The following option is necessary if you have IPv6 enabled and do not want IPv6 through the tunnel:
block-ipv6

Encryption cipher
This is for backwards compatibility with older pre-2.4 servers and will be deprecated soon.
It can usually be set to None.

Data cipher(s)
The server and client will negotiate one of the three data ciphers.
The default is AES-256-GCM; be sure to have at least this as one of the data ciphers.

User Pass Authentication


If your provider works with a username and password, enable it and fill them in.
Note: if you do not use it, disable it, otherwise the tunnel will not start.

Advanced Options

TLS cipher
Used for control channel key negotiation (via TLS).
Leave at None and it will be negotiated with your server; usually it is:
ECDHE-RSA-AES256-GCM-SHA384 4096

Compression
Compresses the data channel. In theory this should get you better throughput, but compressing and decompressing also
costs valuable CPU cycles, so the net effect, if any, is small on SOHO routers.
Using compression is a security risk and should be avoided; it will be deprecated in the next OpenVPN update.
So the best setting is Disabled (this is different from No).
Unfortunately a lot of providers are still using it or making it optional for backward compatibility (so that it can be
used).
If Disabled does not work (you get a connection but no traffic), try No; if that is not working, try Adaptive.

Inbound Firewall on TUN


Prevents outside attacks.
Should be enabled for normal client mode operation, disable for site-to-site setup.

Killswitch
Stops (Kills) access via the WAN so that your IP address is not exposed even if the VPN is down.
It is recommended to enable the Kill switch.
The killswitch only works if the OpenVPN client is enabled (Start OpenVPN Client, first setting in the GUI)
The killswitch is also working for Policy Based routing, meaning everything in the PBR field (which is using the VPN)
should be protected by the killswitch.

If you want to block IP sources manually, see the following examples. Source IP addresses are given in CIDR notation, but you
can also use an interface (or another source selector).
In Administration/Commands enter the following:
iptables -I FORWARD -s 192.168.1.64/26 -o $(get_wanface) -m state --state NEW -j REJECT
iptables -I FORWARD -s 192.168.1.28/30 -o $(get_wanface) -m state --state NEW -j REJECT
iptables -I FORWARD -s 192.168.1.150 -o $(get_wanface) -m state --state NEW -j REJECT
iptables -I FORWARD -i wl0.1 -o $(get_wanface) -m state --state NEW -j REJECT
Save as Firewall
-m state --state NEW is used here to allow access from other internal addresses; if you do not want this you can omit it.

It is recommended to check if the killswitch is working.


To do that deliberately add a wrong setting e.g. wrong Port so that the VPN will stop working and see if the killswitch
stops internet access.
Furthermore you can also test from CLI with:
killall openvpn # kill it outright
killall -s SIGUSR1 openvpn # force a hard reset

The killswitch stops all traffic from all interfaces so you cannot use port forwarding or things like an OpenVPN server
with this kill switch.
For that specific purpose you can use something like (Administration/Commands, Save as Firewall):
iptables -I FORWARD -i br0 -o $(get_wanface) -m state --state NEW -j REJECT --reject-with icmp-host-prohibited

Note 1: although the killswitch will restart SFE to block existing connections it is advised to reboot the router after
enabling the killswitch.

Note 2: The killswitch is only tested when the router is in gateway mode.
When the router is set up as a WAP you can use the following (Administration/Commands, Save as Firewall):
iptables -I FORWARD -i br0 -o br0 -j REJECT
If you use PBR on a WAP see next paragraph, the killswitch will probably work but is not tested. If you want to do
that manually you add the source IP address e.g.:
iptables -I FORWARD -i br0 -s 192.168.1.150 -o br0 -j REJECT

Note 3:
For older builds which do not have this advanced killswitch you can add one, See second post of this thread:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=321686

Watchdog

If you experience frequent disconnects first take the mitigation steps as described in the Connection Problems
section and try to find a cause for the disconnects.
As a last resort enable the Watchdog, which will ping through the tunnel and after some time will restart OpenVPN (or
reboot the router when the nvram variable vpn_onfail_reboot is set to 1).

Instead of a Server IP to Ping to you can also set a host-name and add a number of IP addresses to said host-name in
DNSMasq Additional Options.
This has the added benefit that DNSMasq will use a round robin method to use all the IP addresses so that you will
not risk a ban for too frequent pinging and it also adds redundancy if one ping ip address is down.
See ninth post by @eibgrad: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=331461

Tun-mtu
tun-mtu default is lowered from standard 1500 to 1400 in builds from 46681 and upwards.
OpenVPN should deal with the correct tun-mtu size but it does a sub-par job resulting in possible mtu problems.
Therefore a lower default of 1400 was chosen.
You can set tun-mtu to 0 and let OpenVPN decide or search manually for the optimal mtu size.
For more information see the VPN troubleshooting guide under MTU size problems

Policy Based Routing


Policy Based Routing (PBR) works by creating multiple routing tables and rules that specify which routing table to use
when certain criteria are met.
Criteria for routing decision can be source- and destination address, port, interface, fwmark etc. see:
ip rule man page

For iptables based routing and IPSET routing, scripts are available, see https://pastebin.com/nC27ETsp for
@eibgrad's sophisticated solution.

Source Based
Source Based Routing is based on the source of the connection e.g. your clients IP address, port, interface etc.

The Source Routing (PBR) setting is a drop-down box with three choices:

Route all sources via VPN


This is the default where everything is routed via the VPN and actually means No PBR.

Note: this assumes the server is indeed pushing the default route via the VPN ( push "redirect-gateway def1" ); usually all
commercial VPN providers will push this default route.
If the server does not push the default route and you do not want to use PBR, you can add it manually. In the Additional Config
add: redirect-gateway def1

Route Selected sources via VPN:


If you choose this, more options will become available i.e. Split DNS and the entry box for Policy Based Routing.

This is the classic PBR where everything entered in the PBR box will be routed via the VPN and everything else is routed
via the WAN.

In the PBR box you can add not only IP addresses (CIDR notation) but also source port (sport), destination port
(dport), in-interfaces (iif) e.g. br1 etc.; see the ip rule man page.

In this OpenVPN example one client 192.168.13.59, one port, I commented out the IP address range of the VAP
(Virtual Access Point) and use as alternate the VAP's interface, all are routed via the VPN.

Place one entry per line
Lines starting with a # are skipped.
You can add a comment at the end of a line starting with #.

A range of IP-addresses can be written with the help of CIDR notation.


Optional: to make it easier to work with CIDR, group your IP addresses by doing the following:
1. On Setup page set DHCP start address to 192.168.1.64 for a Maximum DHCP users of 64
Your DHCP users will now be in the range .64- .127, which translates to a CIDR notation of 192.168.1.64/26
2. For all your local LAN clients you want to use the VPN set a static lease in the range .128- .191 this translates
to 192.168.1.128/26
3. For all your local LAN clients you do not want to use the VPN but the WAN set a static lease below .64

In the PBR field enter:


192.168.1.128/26 #Static leases using the VPN
192.168.1.64/26 #DHCP users using the VPN delete if you do not want this

You can also include a specific destination address to route via the VPN e.g. if you want only to route this specific IP
address: 208.79.209.138 (whatsmyip.org) through the VPN from your whole subnet then enter in the PBR field:
192.168.1.0/24 to 208.79.209.138 #whatsmyip.org

You can specify a whole in-interface to use the VPN with CIDR notation e.g. 192.168.2.0/24 but it is easier to use the
interface name (e.g. br1, wl0.1, wlan1.1 etc), the interface has to be unbridged to work and some routers have
problems with it so when in doubt just use the subnet to route:
iif br1
or
iif wl0.1

You can also specify certain ports to use your VPN with sport (source port) e.g. for transmission:
sport 51413 # Transmission
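
The PBR field rules above (one entry per line, # comments skipped, CIDR ranges) can be checked offline before you paste them into the GUI. The following is an added example, not part of the original guide or of DD-WRT: the function names and the sample field content are assumptions, and only address-based entries are evaluated (iif, sport and dport entries are skipped).

```shell
#!/bin/sh
# Added example (not DD-WRT code): which PBR-field entries cover a client IP?

# Dotted IPv4 address -> 32-bit integer.
ip2int() {
    a=${1%%.*}; rest=${1#*.}
    b=${rest%%.*}; rest=${rest#*.}
    c=${rest%%.*}; d=${rest#*.}
    echo $(( (a << 24) + (b << 16) + (c << 8) + d ))
}

# 32-bit integer -> dotted IPv4 address.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Print "first last" for a CIDR block; a bare address is treated as /32.
cidr_range() {
    case $1 in
        */*) addr=${1%/*}; bits=${1#*/} ;;
        *)   addr=$1; bits=32 ;;
    esac
    size=$(( 1 << (32 - bits) ))
    first=$(( $(ip2int "$addr") & ~(size - 1) ))
    echo "$(int2ip "$first") $(int2ip $(( first + size - 1 )))"
}

# Print every PBR entry whose source address/CIDR covers client IP $1.
# $2 is the PBR field content, parsed as the guide describes:
# one entry per line, "#" lines skipped, trailing "# comment" dropped.
pbr_match() {
    client=$(ip2int "$1")
    set -f                                   # no filename expansion while splitting
    printf '%s\n' "$2" | while IFS= read -r line; do
        set -- ${line%%#*}                   # drop comment, split on whitespace
        case ${1:-} in
            [0-9]*) ;;                       # address or CIDR source selector
            *) continue ;;                   # empty, iif, sport, dport: skipped
        esac
        range=$(cidr_range "$1")
        if [ "$client" -ge "$(ip2int "${range% *}")" ] &&
           [ "$client" -le "$(ip2int "${range#* }")" ]; then
            echo "$*"
        fi
    done
    set +f
}

# Constructed sample, assembled from the entry types shown in this guide.
SAMPLE_PBR='#192.168.2.0/24 VAP subnet, replaced by the interface entry
iif wl0.1
192.168.1.128/26 #Static leases using the VPN
192.168.1.64/26 #DHCP users using the VPN
192.168.1.0/24 to 208.79.209.138 #whatsmyip.org
sport 51413 # Transmission'

for ip in 192.168.1.150 192.168.1.70 192.168.1.20; do
    echo "== $ip"
    pbr_match "$ip" "$SAMPLE_PBR"
done
```

A client below .64 (here 192.168.1.20) is still matched by the "to" entry, so it uses the VPN for that one destination only.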

For a quick check you can point your web browser to ipleak.net

Everything entered in the Policy Based Routing box is an ip rule which is set on table 10 and can be checked (from CLI
telnet/Putty) with:
ip rule show
ip route show
ip route show table 10
cat /tmp/openvpncl/policy_ips

For more troubleshooting tips see the Troubleshooting section

Routed selected sources via the WAN


This does the opposite, everything entered in the PBR box will be routed via the WAN and everything else will be
routed via the VPN.

This can be useful if you have only a few IP addresses you want to route via the WAN and is also very useful if you
also run a concurrent OpenVPN server.
As the OpenVPN server must be using the WAN you can add sport 1194 and now this port will be using the WAN.

Split DNS
When using "Selected sources via the VPN" and "Split DNS" only the selected sources will use the pushed DNS
servers from the provider.

You can also add your own DNS server in the Additional Config, e.g.:
dhcp-option DNS 8.8.8.8
Then that will be used as the DNS server.

Note: added DNS servers are not automatically routed via the VPN; you have to do that manually with:
route 8.8.8.8 255.255.255.255 vpn_gateway

If you do not want to use the pushed DNS servers from the provider add to the Additional Config:
pull-filter ignore "dhcp-option DNS"

If "Selected sources via WAN" is chosen, the selected sources will use the first DNS server, e.g. from Static DNS 1.

Note:
When Selected sources via WAN is chosen with Kill switch enabled, the firewall rules of the Selected sources to
escape the killswitch are only active on --route-up. As a consequence everything is blocked if the VPN is not up.
In future builds these rules will be moved to --up so that the Selected sources will be available even if the VPN is not
up.

When the router is set up as a Wireless Access Point (WAP) with WAN disabled, the killswitch is not working (it will
come in a future release). However, the firewall rules of the Selected sources via WAN are already working, so by
inserting the necessary kill switch rule (see Killswitch section) it might already work.

Note:
If you want to do everything manually and do not want the default routing via the VPN (which is usually set=pushed
by the provider) then you can add the following in the Additional Config:
pull-filter ignore "redirect-gateway"

For some more reading about VPN and DNS see the VPN and DNS guide

Destination Based
If you primarily want to use the VPN but have a selected destination which you want to route via the Wan you can
enter in the OpenVPN Additional Config:
route ipleak.net 255.255.255.255 net_gateway #use vpn_gateway to route via the VPN

Now all traffic for this website, regardless of the source, will be routed via the WAN
You might also want to have the DNS query for this domain routed via the WAN which is explained in DDWRT DNS
and VPN guide

You can either specify an IP address which can have netmask ranging from 255.0.0.0 to 255.255.255.255. e.g.:
route 212.58.0.0 255.255.0.0 #BBC

or a domain name but that can only have a netmask of 255.255.255.255 (see ipleak.net example)

The netmask is always in dotted decimal notation.

It is often asked if this can also be done for e.g. Amazon, Netflix, BBC etc.

Unfortunately Amazon (and Netflix, BBC, Youtube etc) have multiple changing DNS servers and multiple domains
and you have to catch them all so in reality this probably will not work.
IPSET might be able to mitigate this (for an example see:
https://www.linksysinfo.org/index.php?threads/using-ipset-to-bypass-a-vpn.73136/page-2
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327102&highlight=youtube )
For some further reading about DNS (DNS leaks, routing of DNS servers, adding extra DNS servers, Split DNS etc.) see
the VPN and DNS guide:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=331017

Additional Config
Useful setting which can be added:

Adding Servers/Country
On builds starting with build 47640 this can be set in the GUI
Some VPN providers use the same keys for multiple servers/countries. You can then alternate between countries or
add extra servers, in case the first one is not working, with:
server-poll-timeout 10
remote-random
remote [server address] [port number]
remote de.vpnunlimitedapp.com 1194

server-poll-timeout will query for 10 seconds before querying the next server. remote-random will randomly choose the first
server to query; if you remove it, your list is queried from top to bottom, starting with the one in the Server
IP/name box.

Add extra DNS servers


dhcp-option DNS 10.200.1.1

Route through VPN or WAN (e.g. for your added DNS server)
route 10.200.1.1 255.255.255.255 vpn_gateway # route DNS via VPN
route 212.58.0.0 255.255.0.0 vpn_gateway #route A class address via VPN
route amazon.com 255.255.255.255 net_gateway #route amazon via WAN, url can only take 255.255.255.255

Show more info in the log


verb x # for x use at least 3 or, if you want more information, 5; you can go up to 11

After you are done configuring be sure to reboot (or press Apply on the setup page)

Connection Problems
When the tunnel goes down and does not reconnect because it cannot resolve the URL of the server and
cannot set a route to the new server, this can be because the route-up and down scripts are not being reread (because
of the persist-tun parameter).
This keeps the resolv.dnsmasq with pushed DNS servers which are not publicly available and keeps the pre-existent
routes.
So the tunnel should be restarted; you can force a restart by adding in the Additional Config:
remap-usr1 SIGHUP

Other things which might help:


keepalive 10 120 #check that the provider does not push ping-exit; that takes precedence and you then have to use a watchdog
resolv-retry infinite
reneg-sec 0 #slightly unsafe to use so not recommended

You can also try adding the server's domain name as a route directive to force *all* its public IPs to be bound to the
WAN, add in the additional config (this can be useful if you have the error: RESOLVE: Cannot resolve host address ….):
route <server url> 255.255.255.255 net_gateway

In the end you might need a tunnel watchdog see third post of this thread or simply use the built-in connection
watchdog to reboot the router if a connection is lost.

stopping and starting OpenVPN client:


While the client is running:
stopservice openvpn
startservice openvpn

When the OpenVPN client is disabled and you want to start it from the CLI:
nvram set openvpncl_enable=1
/sbin/service openvpn start

Troubleshooting
To troubleshoot setup problems do the following:
• Enable "Syslogd" on Services page
• Add in OpenVPN Additional config: verb 5
• From the CLI (telnet/Putty) view/send openvpn log: grep -i openvpn /var/log/messages
• From the CLI (telnet/Putty) view/send: cat /tmp/openvpncl/openvpn.conf
• Post pictures of OpenVPN Setup page and Status page (whole page)
• Post content of Additional Config on OpenVPN Setup page
• Send link of the settings you followed
• For PBR send output of:
   ◦ ip rule show
   ◦ ip route show
   ◦ ip route show table 10
   ◦ cat /tmp/openvpncl/openvpn.conf is listed above; for PBR also send: cat /tmp/openvpncl/policy_ips
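
Before posting the generated configuration, it can be checked against the settings this guide warns about (compression, reneg-sec 0, a data-ciphers list without AES-256-GCM) and the directives that move traffic off the VPN. This is an added example, not part of the original guide or of DD-WRT; the function name audit_ovpn_conf and the sample config are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not DD-WRT code): flag settings this guide warns about.
# Reads an OpenVPN client config on stdin and prints one finding per line.
audit_ovpn_conf() {
    set -f                                   # no filename expansion while splitting
    while IFS= read -r line || [ -n "$line" ]; do
        set -- ${line%%#*}                   # drop comment, split on whitespace
        case ${1:-} in
            comp-lzo|compress)
                # The guide's recommended Compression setting is Disabled.
                echo "WARN compression directive present: $*" ;;
            reneg-sec)
                if [ "${2:-}" = 0 ]; then
                    echo "WARN key renegotiation disabled: $*"
                fi ;;
            data-ciphers)
                # Colon-separated list; AES-256-GCM should be one of them.
                case ":${2:-}:" in
                    *:AES-256-GCM:*) ;;
                    *) echo "WARN AES-256-GCM missing from data-ciphers: ${2:-}" ;;
                esac ;;
            pull-filter)
                case "${2:-} ${3:-}" in
                    'ignore "redirect-gateway'*|'ignore redirect-gateway'*)
                        echo "INFO pushed default route is ignored: routing is manual" ;;
                esac ;;
            route)
                if [ "${4:-}" = net_gateway ]; then
                    echo "INFO destination bypasses the VPN via the WAN: $2"
                fi ;;
        esac
    done
    set +f
}

# Constructed sample config; the server name is a placeholder.
SAMPLE_CONF='client
dev tun1
proto udp4
remote vpn.example.net 1194
data-ciphers AES-128-GCM:CHACHA20-POLY1305
comp-lzo adaptive
reneg-sec 0   #disable key renegotiation
route ipleak.net 255.255.255.255 net_gateway
route 10.200.1.1 255.255.255.255 vpn_gateway
pull-filter ignore "dhcp-option DNS"
verb 5'

printf '%s\n' "$SAMPLE_CONF" | audit_ovpn_conf
```

On the router the same function can be fed the live file: audit_ovpn_conf < /tmp/openvpncl/openvpn.conf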

Further reading
OpenVPN (server) trouble shooting guide:
https://forum.dd-wrt.com/phpBB2/download.php?id=43221

Policy Based Routing:


https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=321686

DNS Problems (leak or no DNS) with Policy Based Routing:


https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=321686

Advanced

For script to automatically change the remote server/port:


stopservice openvpn
#replace your remote ip address/port in the nvram parameter:
nvram set openvpncl_remoteip=<my_new_server_address>
nvram set openvpncl_remoteport=<my_new_port>
nvram commit
startservice openvpn
Easy switch between Providers/Setup
To easily switch between Providers/Setup also useful for a backup of your configuration see the very nice script from
@eibgrad: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=326230

OpenVPN Client on a Wireless Access Point (WAP)


Set up as a WAP to recap (do no more and no less!) on Setup page:
• Disable WAN
• Set Local IP Address inside scope of primary router e.g. if primary router is 192.168.1.1 set WAP as
192.168.1.2 / 24
• Set Gateway and Local DNS to the primary router
• DHCP off
• Leave DNSMasq on
• Leave the router in Gateway mode do NOT use Router mode!

Make sure to add the following rule to Administration/Commands and Save Firewall:
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $(nvram get lan_ipaddr)

On your LAN clients, which you want to use the VPN, set the gateway and DNS to point to the WAP (Static IP
address) or use DNSMasq on primary router to hand out alternate gateways.

For instructions how to use DNSMasq on your primary router to handout an alternate gateway and more options to
change the gateway, see the VPN and DNS Guide , paragraph "Using DNSMasq to specify Alternate DNS
servers/Gateway for specific clients"

Note:
An unbridged VAP (wireless Virtual Access Point) or unbridged VLAN/br1 on your WAP will automatically use the
VPN, no extra settings necessary!
In this way you can switch your LAN clients to use the VPN or not by switching Wireless SSID's

Scramble options
Scramble options can be used to obfuscate the connection; this can be useful to escape censoring.

Note: scramble options must be the same on client and server side!

In the Additional config add:


scramble "password"
scramble is the leftmost option name. This can be followed by a string which will be used to perform a simple xor
operation on the packet payload.

However if the following are used instead, a different action will occur.
scramble reverse
This simply reverses all the data in the packet. This is enough to get past the regular expression detection in both
China and Iran.

scramble xorptrpos
This performs a xor operation, utilising the current position in the packet payload.

scramble obfuscate "password"


This method is more secure. It utilises the 3 types of scrambling mentioned above. "password" is the string which
you want to use.

https://forums.openvpn.net/viewtopic.php?t=12605
https://github.com/clayface/openvpn_xorpatch/blob/master/openvpn_xor.patch
https://svn.dd-wrt.com/changeset/47850
Specific settings for Providers
This is an overview of the OpenVPN client setup instructions for various providers.
Unfortunately I cannot keep track of all things which change so your input is crucial in keeping these instructions
updated.
Post in the forum or send me a Personal Mail (PM)

Most instructions from VPN providers to setup an OpenVPN client on a DDWRT router are obsolete and often even
blatantly wrong, it sometimes makes me weep seeing so much nonsense ☹

Do not set provider specific DNS servers in the Static DNS (x) field!
These DNS servers are often only available via the VPN and if you specify an URL as server address this cannot be
resolved and you are toast.
Provider specific DNS servers should be added according to the instructions in the section: Add extra DNS servers.

As a general warning all settings can be done in the GUI or are already done by DDWRT so to start:
Do not add anything in the Additional Config, (only exception is: verb 5 )
Do not add any firewall rules
Do not add any (startup) scripts

AirVPN
by Surpriseditworks:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=321856

IVACY VPN
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=322264

Nord VPN
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=328049&highlight=nordvpn

Private Internet Access


https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=326414

Express VPN
Settings from @eibgrad: https://imgur.com/a/QkNl9be
Tunnel UDP fragment is a bit low; you can try higher for added throughput. The max setting is probably 1450; if set too
high you will have slow/intermittent traffic, especially streaming and social media problems.

Keepsolid (VPN Unlimited)


https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=323886&sid=543d5551135783c884ff5bd8bc2e0ec2
https://www.vpnunlimitedapp.com/help/manuals/dd-wrt-open-vpn-configuration-guide

See my own settings below; note that I have only verb 5 in the Additional Config!
The only useful other additions can be:
verb 5 #gives you more log information
remote-random #if you want to have a random server in that country
reneg-sec 0 #disable key renegotiation if you have hourly disconnects, but less safe

Proton VPN
Proton's instructions:
https://protonvpn.com/support/vpn-router-ddwrt/

Do not set the Static DNS servers like they are doing; just use for Static DNS 1 something like 9.9.9.9 or another
publicly available DNS server you trust.

Start without anything in the additional config

Do not use the killswitch (if you need one DDWRT has one built-in)

Cyberghost
See: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=329642
And: https://forum.dd-wrt.com/phpBB2/download.php?id=49171

vpn-ip.co.uk
see: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=330389

Surfshark.com
See: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=330608

Azire VPN
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=330645

IPVanish
https://support.ipvanish.com/hc/en-us/articles/115002080733-DD-WRT-v3-Router-Setup
But change the following:

Basic Setup page:


Use for Static DNS 1 and 2 your normal trusted DNS servers e.g. 9.9.9.9, 1.1.1.1 and not the one advised by IPVanish

OpenVPN setup page


Tunnel Protocol: UDP4
Compression: No
Tunnel MTU setting: 1400
Verify Server Cert. :Enabled/ticked

Do not put anything in the Additional Config but: verb 5

References:
https://wiki.dd-wrt.com/wiki/index.php/Policy_Based_Routing
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318662

Configuring a browser to bypass VPN:


https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=321470
