ExpressVPN in OpenVPN on OpenWrt - SUCCESS!

An important part of my purpose in putting OpenWrt on my travel router is running ExpressVPN in OpenVPN. In my searches I found many trying, but only outdated solutions. So I'm publishing my solution, so working right now that I'm posting this through it.

Setup ExpressVPN in OpenVPN on OpenWrt

These instructions will get ExpressVPN up & running in OpenVPN on OpenWrt.

opkg update
opkg install -force-overwrite openvpn-openssl luci-app-openvpn

Log back into Luci & there will now be a menu VPN > OpenVPN.


In SSH to the router...

# Configure firewall
uci rename firewall.@zone[0]="lan"
uci rename firewall.@zone[1]="wan"
uci del_list firewall.wan.device="tun+"
uci add_list firewall.wan.device="tun+"
uci commit firewall
/etc/init.d/firewall restart

ExpressVPN Files

Create two folders at a convenient location on your computer...

  • config
  • openvpn

Log into your ExpressVPN account & navigate to Manual Configuration.

  1. There's a username & password given. Create a file, openvpn/user.auth, with the username as the first line & the password as the 2nd line, & nothing else.
  2. Download all the OpenVPN configuration files you want & save them to config.
  3. Download zip file containing certificates & keys.
  4. Unpack the zip file & put the certificates & keys in openvpn.
  5. Check that you have /etc/openvpn on the router with ls -l /etc in SSH to the router. If there is no /etc/openvpn folder, use mkdir /etc/openvpn to create it.
  6. Use scp openvpn/* root@OpenWrt:/etc/openvpn/ to copy files to that folder.
  7. Optionally change names of .ovpn files to be shorter & more convenient. Keep the charachter set of the new filenames to alphanumeric with hyphens & underscores, & the filenames to 20 characters or less.

UCI Config Files

About UCI Config Files

OpenVPN configuration is defined in a file /etc/config/openvpn with a definition block for each of one or more OpenVPN instance. The first line of each definition block includes a name which must be unique withing the file. The instance names are limited to 20 characters & a restricted character set. I've found alphanumeric with hyphens & underscores to be safe.

Here I'm turning each .ovpn file into a version of /etc/config/openvpn with the OpenVPN instance names as filenames, without an extension. My naming scheme is CC_Location where CC is the 2 letter country code.


Rename the .ovpn files according to whatever naming scheme you decide on. Now that they have no extensions they're not .ovpn files

Your choice of text editor makes a big difference to the job or turning the files into UCI files. I use BBEdit which has multi-file find & replace, & GREP find & replace. The combination of those features makes transforming a lot of files quick & easy.

First edit certificates & keys out of the .conf files. These are the same in all the files making it a simple operation with multi-file find & replace.

The files you have now look like this...

dev tun
remote 1195

comp-lzo no
verify-x509-name Server name-prefix
ns-cert-type server
key-direction 1
route-method exe
route-delay 2
tun-mtu 1500
fragment 1300
mssfix 1200
verb 3
cipher AES-256-CBC
keysize 256
auth SHA512
sndbuf 524288
rcvbuf 524288

The files are identical except for the server URL in the 6th line.

The UCI config files will also be identical except for that URL & the filename. They look like...

config openvpn 'filename' # Country
	option enabled '1'
	option client '1'
	option proto 'udp'
	option dev 'tun'
	option fast_io '1'
	option persist_key '1'
	option persist_tun '1'
	option nobind '1'
	list remote ''
	option port '1195'
	option remote_random '1'
	option pull '1'
	option comp_lzo 'no'
	option tls_client '1'
	option verify_x509_name 'Server name-prefix'
	option ns_cert_type 'server'
	option route_method 'exe'
	option route_delay '2'
	option tun_mtu '1500'
	option fragment '1300'
	option mssfix '1200'
	option verb '3'
	option cipher 'AES-256-CBC'
	option keysize '256'
	option auth 'SHA512'
	option sndbuf '524288'
	option rcvbuf '524288'
	option ca '/etc/openvpn/ca2.crt'
	option cert '/etc/openvpn/client.crt'
	option key '/etc/openvpn/client.key'
	option tls_auth '/etc/openvpn/ta.key'
	option key_direction '1'
	option auth_user_pass '/etc/openvpn/user.auth'

Use whatever methods you prefer to transform the UCI files from the first form to the 2nd.

Files to Router

Create a location in /overlay of the router for storing OpenVPN config files. I used /overlay/.ovpn...

mkdir /overlay/.ovpn

Copy UCI files to the router...

scp overlay/* root@OpenWrt:/overlay/.ovpn/

Selecting & Starting ExpressVPN

For the VPN connection you want to use...

cp /overlay/.ovpn/filename /etc/config/openvpn
/etc/init.d/openvpn restart

Do this whenever you want to change your VPN connection.

Combining UCI Config Files

At this point we have a set of UCI files with a single OpenVPN instance in each one. Like this we could have generic names for the OpenVPN instances (I've used Connection in my set). However we've given them unique names so you can make UCI files with groups of OpenVPN instances.

Concatenate all the files you want in a group, in the order you want them listed, to a new file. Name the new file how you like, avoiding characters that need to be escaped at the command line. I prefix groups with an underscore, _group_file.

A file with multiple OpenVPN instances should have at most one enabled instance, so replace all occurrences of option enabled '1' with option enabled '0'. If there's an instance that you'd like as default within a group, you can leave that one enabled.

Copy your group files to the router the saye way you copied the individual ones...

scp overlay/* root@OpenWrt:/overlay/.ovpn/

... or for individual files...

scp overlay/filename root@OpenWrt:/overlay/.ovpn/

Load a group file the same way you load a single instance file...

cp /overlay/.ovpn/filename /etc/config/openvpn
/etc/init.d/openvpn restart

To start an OpenVPN instance...

  1. Go to Luci > VPN > OpenVPN.
  2. If you have a group default you should see it as running.
  3. If there's no default check Enabled for the instance you want to start.
  4. Click Save & Apply.

To change the active OpenVPN instance...

  1. Go to Luci > VPN > OpenVPN.
  2. Uncheck Enabled for the active instance.
  3. Check Enabled for the instance you want to start.
  4. Click Save & Apply.


Follow the testing instructions on the OpenVPN client page of the OpenWrt website.

1 Like
  1. When you have an .ovpn file from the VPN service, you can use it directly on OpenWrt by using option config in a simple UCI /etc/config/openvpn to point to the config.
config openvpn 'expressvpn'
    option enabled '1'
    option config '/etc/openvpn/expressvpn-usa.ovpn'

Slight modifications to the .ovpn file may be needed such as file paths and interface names.

  1. I like to make a directory /etc/config/vpnfiles and place vpn configs, certificates, passwords, etc. there. Unlike /etc/openvpn, a directory under /etc/config will be preserved when you sysupgrade OpenWrt, and it should only be necessary to reinstall OpenVPN to bring up OpenVPN again.

  2. Make sure there are no files named *.conf in /etc/openvpn because OpenVPN will automatically read and parse them even if you didn't configure to, and you usually won't want that.


Exactly as @mk24 has mentioned.

See my manual on

It could be easily adapter to any OpenVPN-service, also it contains kill-switch.

Where do i find this file in ExpressVPN dashboard?

Ive got all the way to " First edit certificates & keys out of the .conf files", though im guessing these file are in that .zip i need tod dowload ?

Any help, much appreciated.

1 Like

Sorry it's been a while. Other things have kept me from this stuff. The zip file is here, & if that direct link does't work it's on this page.

I followed the steps on my Archer A6 V3, and it fails to use the VPN. It shows that it is connected in the luci app, but the traffic is not tunneled through the VPN, and my IP remains unchanged.

Please let me know what log files/information you need to help me out.


Give routing table:

Here is what I get:

Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default UG 0 0 0 wan * U 0 0 0 wan * U 0 0 0 br-lan

This is the regular routing table you would see when not running a VPN client. A route to a VPN tunnel is not present. Your Internet usage is not going by VPN.

Run ip link show to see if a tun0 device exists. If tun0 was not created that generally means that OpenVPN failed to connect to the server. Restart the openvpn service then read the log for OpenVPN errors. OpenVPN puts a lot of entries in the log.

After ive logged into ExpressVPN ive tried looking everywhere for this zip file that contains the Certificates and Keys.

Where is this zip file located in ExpressVPN?

I can download the OVPN file, but lost where this zip file is located. The OVPN file contains ca, cert, rsa keys, is this what you mean by the zip? Extract each key and make the relevant filename ie ca.crt for the ca etc?

1 Like

It's on this page, with the link in the sentence, " Next, download this ZIP file which contains the VPN keys and certificates." And lookee, the direct link to the file is right there for you.

Hello , thanks for share this information, I'm following the steps but in the 2nd I'm a bit confused , when I'm into the ExpressVpn page, I found easily the user , password and activation code, however configuration files and certificates , I Can't find them, I follows some instructions on the ExpressVpn page and those guide me to a point where I have to choose options in 2 parts , one asked me about the type of device (Linux OpenVPN with terminal or Linux OpenVpn with Ubuntu Network manager) and the type of Linux (Ubuntu, Debian, Fedora), can you tell me which are the right options?
I have to mentioned that When I was configured my computer I download one file *.ovpn but is only one file .
I'll appreciate your assistance in this matter.



Any Linux device, you should download *.ovpn files. No matter, Ubuntu, Debian, etc.

Certificate data can now be embedded in the .ovpn file. If the VPN provider did that, you only need the one file. Opening such a file with a text editor will show blocks of apparently random characters-- these are encoded certificates.

A post was split to a new topic: Opening a port via commercial VPN