NordVPN in OpenVPN in OpenWRT 21.02, Starting but Unprotected

As concisely as possible, I've bought 2 Plusnet Hub One routers, both already with OpenWRT 21.02 flashed. I do need two, but I originally only bought the second one because I thought the issue I'm having is a build issue, but it probably isn't, so as I'm reasonably confident but a newbie to OpenWRT and SSH in general, please point out what I could be missing.

I've followed the most thorough guides for OpenVPN in OpenWRT and for NordVPN in OpenWRT, which obviously cover most of the same things but with NordVPN config files. When I upload the config file, then edit it to modify the auth-user-pass line and paste my NordVPN credentials in that file, it says near the top "Insufficient permissions to read UCI configuration" but lets me edit and save, so flag one, if that could be the issue, what's the underlying issue?

The long and the short of it is that I do the OpenVPN configuration, the interface and firewall configurations, enable and start the VPN, it looks like it's running, but:

  1. still tells me I'm unsecured.
  2. Way more importantly to me, because the practical reason I'm doing this is to stream from Australia, Spain, and the US, is that my IP address and location remain the same on, so I'm still in the UK on devices connected to this router.

Two clarifications, it's a dumb AP (its LAN1 is connected to my main router, and it has internet access), with my main router as the gateway but not one of the DNS servers, and the DNS servers on WAN and LAN have both been set to NordVPN's DNS servers. Anything you know would cause the VPN to be running but completely ineffectively?

Thanks for the reply. I've done all of that now (with NordVPN's DNS servers, which are and, and they don't have IPv6 ones) on the interfaces LAN, NORDVPN, and WAN, so the peer-advertised DNS servers are supposedly not being used by any interface... Yet I'm still showing as unprotected and located in the UK :confused:

If the router that is running OpenWrt and OpenVPN is a dumb AP, have you done anything to set the client devices to actually use that device as their gateway? You need to make sure that the connected devices know to use that specific gateway. By default, your clients will use the main router as their gateway unless instructed otherwise.

1 Like

That's very handy to know, so if I've actually done everything well, have you any idea how I would do that on an Android phone and a Chromecast? I'm asking while I'm about to browse their respective settings options, of course.

So typically the way this is done is that the client devices must have the gateway set to the device that establishes the VPN tunnel.

The easiest way to do this is to make sure that the OpenWrt router with the VPN tunnel is the main router on your network -- in other words, the one that connects directly to the internet.

Otherwise, you would need to manually configure the IP address (and related information) of your android phone and chromecast (and I'm not sure offhand if you can set a chromecast manually) in order to change the gateway.

Alternatively, you could reconfigure your DHCP server settings, or you could just simply put the OpenWrt router into router mode (rather than dumb AP) and simply connect devices to that router rather than your current main network.

1 Like

Set your openvpn on main router and then connect your dumb ap using tagged vlan. It works really well :slightly_smiling_face:

It makes sense now. The thing is it's only a few devices I want to connect using NordVPN, so not realising devices default to the peer's gateway, it all made sense in my head, but I'll have to rethink it.

Look up vpn policy based routing as an option. This would allow you to have OpenVPN on your main router and the PBR would direct the traffic from some clients through the vpn and the rest through the regular wan.

1 Like

Thanks, everyone. I was going crazy, thinking somehow I was missing some detail between firewall, interfaces, and OpenVPN, when it was just the fact that I'm not using it for the VDSL in the first place.

So I've put the NordVPN DNS servers and my dumb AP's static IP address as the gateway, on my Android and my laptop, and voila, I'm in New York, so thanks for that, especially psherman (of 42 Wallaby Way, Sydney? Amazing, small world!)

I'm sure I can't change the gateway on a Chromecast, so I may have to stream in some other way. I have a Fire Stick I can explore, otherwise may be back to my laptop through the HDMI and not that much better off, but it's been fun.

Although we don't use it much, we have a DECT/digital voice landline phone that uses the BT Smart Hub 2. Otherwise could use the Plusnet Hub One for the VDSL, but I also don't want to have to turn it's VPN on and off or adjust the rest of my families devices. For some reason, my wife hates it when everything's working well, but I'm spending a bunch of time tinkering and sometimes mess things all up :man_shrugging:

Holy mother of pearl, Merry Christmas!

Amazon Fire Stick was a cinch. I just had to deregister the Fire Stick from my UK account, so as not to change its country and lose anything, and I made sure my wife's Amazon account was in the US, although she's signed up and never used it on anything. So hello every Premier League match!

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.