I would like to start a thread with pictures of some type of step-by-step process of setting up a VPN client connection, per se in this case (NordVPN, which I use), using the web interface like DD-WRT as shown in the below picture. I am not 100% a fan of using CLI as I'm a newbie at this stuff and would like to minimize as much of it as possible, but I am open to some involvement of using CLI to get this completed.
As per some of the settings under the OpenVPN in DD-WRT, I have navigated through the different "Instances" and tried to see the different fields/options that mimic the DD-WRT setup as shown in the very first screenshot above.
- After setting up the instances I clicked to edit as depicted
- Cryptography Tab
AGAIN, I tried to compare as many fields to this instance as I could see used in my DD-WRT (first screenshot) setup for a successful connection, alongside what I feel would be needed for OpenWRT. I am using an OpenWRT build by Kong.
As of March 10, this is by far not complete. I am hoping members of the community would and could chime in and help with this.
Overview of setting up openvpn client using LuCI can be found here.
See also the 'Alternative guide for OpenVPN client with LuCI' at the bottom of the above wiki page for detailed step by step instructions and tips. v1.1 pdf covers LEDE17/OpenWrt 18. v1.2 pdf for OpenWrt 19 using new .ovpn file upload function.
Welcome to CLI, I can't afford to spend my time for additional web-features. You can find my guide, and configure by it.
In OpenWRT Luci, you can set up your router to use the OpenVPN client with NordVPN in 5 easy steps.
1/ install required packages
System > Software
2/ upload .ovpn file and complete configuration
VPN > OpenVPN
- choose Instance name under OVPN configuration file upload
- download NordVPN config here or here
- Choose File, pick up .ovpn file obtained above
- Edit newly created instance
- add username and password in bottom box (personal NordVPN username and password, username and password need to be on separate lines)
- copy location of file containing username and password (line right above bottom box, ex:
- in top box, find line that says auth-user-pass and paste location next to it. Include space before (ex:
3/ create new network interface
Network > Interfaces
- Add new interface
- name it (ex: vpn)
- set Protocol to Unmanaged
- under Interface, type tun0 in custom box (very last option of drop down list) and hit enter
- Create interface
4/ create new firewall zone for interface
Network > Firewall
- Add zone
- name it (ex: vpn)
- set Input to reject, Output to accept and Forward to reject
- tick Masquerading
- tick MSS clamping
- under Covered networks, select interface created in 3/
- under Allow forward from source zones, select lan
5/ set DNS servers
Network > Interfaces
- edit WAN
- under Advanced Settings, untick box for Use DNS servers advertised by peer
- in Use custom DNS servers add 2 DNS servers supplied by NordVPN (184.108.40.206 and 220.127.116.11 as of today)
Finally, VPN > OpenVPN
- in Enabled column, tick box for OpenVPN instance created
- Save & Apply
- if VPN client hasn't started yet, press start
Your last .pdf is a very nice read! Thanks for taking time to put a thorough guide together.
My post's purpose is just to be a quick 5 steps guide.
Quick question: for the VPN firewall zone, what's your logic behind setting input to reject?
I have seen different recommendations. Firewall in OpenWRT is the one area where I am not comfortable yet.
Let me answer. The VPN firewall zone is the zone containing the tun adapter. It is an interface of the router, like 'WAN', so the safest option is to set 'REJECT' for the 'INPUT' policy of this zone. What other recommendations have you seen?
Good question! I looked back at notes I took and websites I bookmarked. I can't figure out where I read these recommendations or why I set my VPN fw zone to accept input in the first place. All the links I bookmarked have in fact the VPN fw zone set to reject input.
Setting an OpenWrt Based Router as OpenVPN Client
My WAN is actually set to reject input, so I should have logically set the VPN zone to do the same.
The fact I asked the question illustrates I knew something wasn't right!
I am amending my 5 steps guide.
Can you maybe elaborate on why this is safer?
Sorry, I don't understand your question. It is evident, because the router blocks incoming connections, e.g. SSH login. If you set 'ACCEPT' and tun has a real IP, anyone from the Internet could log in by SSH. That is the case with a VPN provider. If you are connecting to your own VPN server and want the server to have access to the LAN behind your router, you should set 'ACCEPT'.
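The zone policy discussed in the posts above can be checked from the shell. This is an added example, not part of the original posts: it parses firewall configuration text in UCI syntax and lists where a named zone differs from the settings in step 4 of the guide. The sample config, the zone name vpn_open and the helper zone_findings are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of /etc/config/firewall (not from the thread):
# "vpn" follows step 4 of the guide; "vpn_open" has INPUT set to ACCEPT.
SAMPLE_FW="
config zone
	option name 'vpn'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'vpn'

config zone
	option name 'vpn_open'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	list network 'vpn2'
"

# zone_findings CONFIG_TEXT ZONE_NAME (hypothetical helper)
# Prints "ok", "missing", or the options that differ from the guide's zone.
# DROP is accepted alongside REJECT because both refuse unsolicited traffic.
zone_findings() {
	printf '%s\n' "$1" | tr -d "'\"" | awk -v want="$2" '
	function val(k) { return (opt[k] == "") ? "unset" : opt[k] }
	function check(   f) {            # evaluate the section just finished
		if (name == want) {
			found = 1
			if (opt["input"]   !~ /^(REJECT|DROP)$/) f = f " input=" val("input")
			if (opt["forward"] !~ /^(REJECT|DROP)$/) f = f " forward=" val("forward")
			if (opt["masq"]    != "1") f = f " masq=" val("masq")
			if (opt["mtu_fix"] != "1") f = f " mtu_fix=" val("mtu_fix")
			result = (f == "") ? "ok" : substr(f, 2)
		}
		name = ""; split("", opt)
	}
	$1 == "config" { check(); inzone = ($2 == "zone"); next }
	inzone && $1 == "option" { if ($2 == "name") name = $3; else opt[$2] = toupper($3) }
	END { check(); print (found ? result : "missing") }'
}

for z in vpn vpn_open; do
	echo "$z: $(zone_findings "$SAMPLE_FW" "$z")"
done
```

On a router, the live file can be passed instead of the sample: `zone_findings "$(cat /etc/config/firewall)" vpn`.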
Regarding DNS servers, I am having a little trouble. I wanted to use cloudflare dns servers when my vpn is disabled and NORD DNS servers when the VPN is enabled. The reason for this is that from my location cloudflare DNS is noticeably faster than NORD's DNS servers but when the VPN server is enabled, cloudflare DNS servers seem to cause geo-restricted content blocking unlike with NORD DNS servers. Any advice?
It should change DNS dynamically based on the VPN status.
Many thanks - solved!