My vpn said to create an interface and name it, I did. Click unmanaged, I did. Then select Tun0. There is no Tun0. There is bridge, lan1, lan 2, wan, ethernet switch eth0(and the name of my interface), that is the one I selected. In the VPN page, I selected enable and start and nothing. I have internet connectivity as I can ping. This being my first time with openwrt, not sure what I should see? Maybe I'm not connected or set up correctly to my vpn but it all looks correct.
Does your vpn provider support wireguard? It is usually easier and more performant.
Thst said…
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button (red circle; this works best in the 'Markdown' composer view in the blue oval):
Remember to redact passwords, VPN keys, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
cat /etc/config/firewall
cat /etc/config/openvpn
logread -e openvpn
It does not support Wireguard for routers:) Where do I enter the ssh info, in my regular terminal or where in Luci? Thanks
A regular terminal.
ssh root@192.168.1.1
The authenticity of host '192.168.1.1 (192.168.1.1)' can't be established.
ED25519 key fingerprint is SHA256:FwQFAdpsS+yx90Lnfbs0jTmzeyRrpi7O2w9FaaAliRY.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])?
e or paste code here
```My bad, this is going on 20+ hours over the last week. I'll get the info and post it, sorry.typeubus call system board
{
"kernel": "6.6.119",
"hostname": "OpenWrt",
"system": "ARMv7 Processor rev 5 (v7l)",
"model": "GL.iNet GL-A1300",
"board_name": "glinet,gl-a1300",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "24.10.5",
"revision": "r29087-d9c5716d1d",
"target": "ipq40xx/generic",
"description": "OpenWrt 24.10.5 r29087-d9c5716d1d",
"builddate": "1766005702"
}
}
root@OpenWrt:~# cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fdf0:7019:2115::/48'
option packet_steering '1'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
option ipv6 '0'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
list dns '9.9.9.9'
list dns '149.112.112.112'
config interface 'wan'
option device 'wan'
option proto 'dhcp'
config interface 'wan6'
option device 'wan'
option proto 'dhcpv6'
config interface 'IVPNUS'
option proto 'none'
option device 'eth0'
list dns '9.9.9.9'
list dns '149.112.112.112'
root@OpenWrt:~# cat /etc/config/firewall
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
root@OpenWrt:~# cat /etc/config/openvpn
config openvpn 'custom_config'
option config '/etc/openvpn/my-vpn.conf'
config openvpn 'sample_server'
option port '1194'
option proto 'udp'
option dev 'tun'
option ca '/etc/openvpn/ca.crt'
option cert '/etc/openvpn/server.crt'
option key '/etc/openvpn/server.key'
option dh '/etc/openvpn/dh2048.pem'
option server '10.8.0.0 255.255.255.0'
option ifconfig_pool_persist '/tmp/ipp.txt'
option keepalive '10 120'
option persist_key '1'
option persist_tun '1'
option user 'nobody'
option status '/tmp/openvpn-status.log'
option verb '3'
config openvpn 'sample_client'
option client '1'
option dev 'tun'
option proto 'udp'
list remote 'my_server_1 1194'
option resolv_retry 'infinite'
option nobind '1'
option persist_key '1'
option persist_tun '1'
option user 'nobody'
option ca '/etc/openvpn/ca.crt'
option cert '/etc/openvpn/client.crt'
option key '/etc/openvpn/client.key'
option verb '3'
config openvpn 'VPN'
option config '/etc/openvpn/VPN.ovpn'
option enabled '1'
root@OpenWrt:~# logread -e openvpn
Mon Apr 6 18:29:02 2026 daemon.warn openvpn(VPN)[10429]: Use --help for more information.
Mon Apr 6 18:29:07 2026 daemon.err openvpn(VPN)[10430]: Options error: Unrecognized option or missing or extra parameter(s) in VPN.ovpn:8: auth-user-pass (2.6.19)
Mon Apr 6 18:29:07 2026 daemon.warn openvpn(VPN)[10430]: Use --help for more information.
Mon Apr 6 18:29:12 2026 daemon.err openvpn(VPN)[10431]: Options error: Unrecognized option or missing or extra parameter(s) in VPN.ovpn:8: auth-user-pass (2.6.19)
Mon Apr 6 18:29:12 2026 daemon.warn openvpn(VPN)[10431]: Use --help for more information.
Mon Apr 6 18:29:17 2026 daemon.err openvpn(VPN)[10432]: Options error: Unrecognized option or missing or extra parameter(s) in VPN.ovpn:8: auth-user-pass (2.6.19)
Mon Apr 6 18:29:17 2026 daemon.warn openvpn(VPN)[10432]: Use --help for more information.
Mon Apr 6 18:29:22 2026 daemon.err openvpn(VPN)[10433]: Options error: Unrecognized option or missing or extra parameter(s) in VPN.ovpn:8: auth-user-pass (2.6.19)
Mon Apr 6 18:29:22 2026 daemon.warn openvpn(VPN)[10433]: Use --help for more information.
Mon Apr 6 18:29:27 2026 daemon.err openvpn(VPN)[10434]: Options error: Unrecognized option or missing or extra parameter(s) in VPN.ovpn:8: auth-user-pass (2.6.19)
Mon Apr 6 18:29:27 2026 daemon.warn openvpn(VPN)[10434]: Use --help for more information.
Mon Apr 6 18:29:32 2026 daemon.err openvpn(VPN)[10435]: Options error: Unrecognized option or missing or extra parameter(s) in VPN.ovpn:8: auth-user-pass (2.6.19)
Mon Apr 6 18:29:32 2026 daemon.warn openvpn(VPN)[10435]: Use --help for more information.
Mon Apr 6 18:29:37 2026 daemon.err openvpn(VPN)[10436]: Options error: Unrecognized option or missing or extra parameter(s) in VPN.ovpn:8: auth-user-pass (2.6.19)
Mon Apr 6 18:29:37 2026 daemon.warn openvpn(VPN)[10436]: Use --help for more information.
Mon Apr 6 18:29:42 2026 daemon.err openvpn(VPN)[10437]: Options error: Unrecognized option or missing or extra parameter(s) in VPN.ovpn:8: auth-user-pass (2.6.19)
Mon Apr 6 18:29:42 2026 daemon.warn openvpn(VPN)[10437]: Use --help for more information.
Mon Apr 6 18:29:47 2026 daemon.err openvpn(VPN)[10438]: Options error: Unrecognized option or missing or extra parameter(s) in VPN.ovpn:8: auth-user-pass (2.6.19)
or paste code here
I think the issue may be with my vpn credentials. In the VPN section "edit" the bottom where it says "Section to add an optional 'auth-user-pass' file with your credentials (/etc/openvpn/VPN.auth)", I have entered my username on top line and my password on the second line. My vpn does not require a username and said it can be anything. What should be entered there??? Thanks
Explicit support for routers is not usually necessary… just support for standard WireGuard. If you can use the normal WG apps for iOS/Android/MacOS (and presumably Linux, and Windows), it can work on OpenWrt.
I’m not sure what this IVPNUS network is supposed to be, but this certainly isn’t doing anything useful.
You don’t have any VPN tunnels or networks associated with a firewall zone, so you’ll need to fix that.
But… the main issue is indeed the VPN credentials.
If your VPN doesn’t require credentials, you should remove the config line that seems to require them.
If that doesn’t fix the issue, you’ll need to ask them for help.
Meanwhile, be sure to read the documentation:
I really appreciate your help and yeah I've spent at least 10 hours reading the forums and the guides before I even started this process. I have Linux on 5 computers so I thought it wouldn't be too tough but I was wrong. OpenWRT is for more than basic Linux users, its COMPLEX. My hats off to all of you who can do it. I might not be able to. This is how the vpn said to set this up, the copy/paste below. The IVPNUS was what the vpn instructions said to create.
type or client
dev tun
proto tcp-client
remote-random
remote 212.103.48.194 443
remote 89.187.178.144 443
remote 91.132.137.172 443
auth-user-pass /etc/openvpn/United States.auth
resolv-retry infinite
nobind
persist-tun
persist-key
persist-remote-ip
data-ciphers-fallback AES-256-CBC
data-ciphers "ChaCha20-Poly1305:AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC"
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-DSS-WITH-AES-256-CBC-SHA:TLS-RSA-WITH-AES-256-CBC-SHA
remote-cert-tls server
verify-x509-name us-ny name-prefix
key-direction 1
comp-lzo no
verb 3
;ca ca.crt
<ca>paste code here
The section below the one above is set like this:
I
i-xxxx-xxxx-xxxx
type o
OpenWrt OpenVPN Setup Guide
This guide was produced using OpenWrt v.23.05.5
Install required packages
In your router’s webUI, navigate to System - Software, click Update lists.
In the Filter field, type OpenVPN, locate and install openvpn-openssl & luci-app-openvpn packages
Restart your router.
If you receive an error while attempting to install the 'luci-app-openvpn' package, check the 'Overwrite files from other package(s)' checkbox
Create a VPN profile
Download and extract our config files to your computer. Choose the IP address option on the configuration generator. Choose OpenVPN 2.5.
In your router, navigate to VPN - OpenVPN.
Under the OVPN configuration file upload section, Browse for the .ovpn config file with the VPN server you would like to connect to, give it any name, then click Upload.
Create an Interface
Navigate to Network - Interfaces
Click on the Add new interface button and enter the following configuration:
Name - Give it any name, e.g. ivpnAustria
Protocol - Unmanaged
Interface - tun0
Create interface
In the interface properties window, ensure that Bring up on boot is checked, then click Save & Save & Apply buttons.
Did they provide this file? Maybe in the zip file?
The zip file is the one above the small box with the identification ID. No file indicated for box below. The identification box just shows password and any name for username. I have just been using their guide I posted. Tech support there has been outstanding and I will email them to ask what else. You mentioned the IVPNUS interface they said to create, you didn't like it. Should I delete it?
People find https://raw.githubusercontent.com/egc112/OpenWRT-egc-add-on/main/notes/OpenWRT%20WireGuard%20Client%20Setup%20guide%20using%20LuCi.pdf helpful, when setting up a WG client.
Btw, VPN does nada for your internet privacy - https://overengineer.dev/blog/2019/04/08/very-precarious-narrative/.
Thank you very much for taking the time to post those 2 links, I will read them both right now. Yeah I agree on the VPN but there are still some uses that make it worthwhile for me, but certainly over-played to most users who buy the hype as far as what they really do.
BTW, the instructions said to specify tun0 (which is the usual name for an OpenVPN interface) - you specified eth0.
1 Like
First a VPN provider which does not hand out a WireGuard config file so that it can be used on a router is not on my recommended list, so if your contract with this provider ends, consider switching to a "better" VPN provider.
That said we will try to get you going with OpenVPN and you are already halfway there 
The interface 'IVPNUS' the instructions let you create is for the firewall.
As already pointed out by @lleachii the device name should be tun0 to correspond with the device name of your OpenVPN config (dev tun) as there is no index configured OpenVPN will take the first index available and as there is only one tunnel that is index 0 so the device will be named tun0
For Advanced users: this is bad practice please hardcode the device in the OpenVPN config as it could be ambiguous
For the firewall you should add the interface 'IVPNUS' to the WAN zone.
Second problem is that there are wrong options in your OpenVPN config , it is sometimes a bit of a puzzle to find out what options.
About the username password, use the modern way to set it inline in the OpenVPN config:
Comment (put a # as first character on the rule) this line so that it will look like this:
#auth-user-pass /etc/openvpn/United States.auth`
For username/password add this:
<auth-user-pass>
username
password
</auth-user-pass>
It looks like the openvpn config you posted is not complete, so maybe there are other things that needs tweaking but first see if this solves the auth-user-pass error in the log
A quick way to check if device is up is to just look at ifconfig tun0, if the OpenVPN is up it will show tun0
1 Like
Thanks for the reply folks. I have changed the "eth0" to "tun0". tun0 is not in the drop down list so I entered it manually. I have changed the info as instructed, rebooted and wont start.
tun0: error fetching interface information: Device not found
The good news if I can call it that is my vpn sent me the data for wireguard which wasn't at first listed so if it really is so much better, I'm ok with dumping the 30 hours I've spent on this and go to the Wireguard guide and start all over. What do you all think?
Oh and adding the IVPNUS to the Wan zone, no idea how to do that, but maybe wont have to if we scrap this.
Yes. Move to wireguard.
1 Like
Well that didn't take long to settle. Just delete everything I've done so far as openvpn and keep the same basic flash and start on the wireguard guide, correct? Thanks to all who helped me.
Yes. Delete the OpenVPN stuff, add wireguard. Post your configs if you get stuck.
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button (red circle; this works best in the 'Markdown' composer view in the blue oval):
Remember to redact passwords, VPN keys, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
cat /etc/config/firewall
wg show
Ok will do. Again thanks a lot to all who took the the time and effort to help me, I really appreciate it. I'll be back.