Hi all,
         I am new to OpenWRT and was using DD-WRT before this but found Openwrt worked better for me on my WDR4300 router. Here is the script which may help others config your router to work with NordVPN servers. It may work for other VPN, but I have not tested it.

#!/bin/sh

USERNAME="Username"
PASSWORD="Password"

PROTO="udp"
TUN="tun1"
REMOTE="remote vpn-nl.nordvpn.com 1194"

CA_CRT='-----BEGIN CERTIFICATE-----
MIID7DCCA1WgAwIBAgIJAJBW0AnvvfI9MA0GCSqGSIb3DQEBBQUAMIGrMQswCQYD
VQQGEwJOTDELMAkGA1UECBMCTkwxFTATBgNVBAcTDFNhbkZyYW5jaXNjbzEQMA4G
A1UEChMHTm9yZFZQTjELMAkGA1UECxMCTkwxGzAZBgNVBAMTEnZwbi1ubC5ub3Jk
dnBuLmNvbTEbMBkGA1UEKRMSdnBuLW5sLm5vcmR2cG4uY29tMR8wHQYJKoZIhvcN
AQkBFhBtYWlsQGhvc3QuZG9tYWluMB4XDTE0MDQyMjEwMjY0OVoXDTI0MDQxOTEw
MjY0OVowgasxCzAJBgNVBAYTAk5MMQswCQYDVQQIEwJOTDEVMBMGA1UEBxMMU2Fu
RnJhbmNpc2NvMRAwDgYDVQQKEwdOb3JkVlBOMQswCQYDVQQLEwJOTDEbMBkGA1UE
AxMSdnBuLW5sLm5vcmR2cG4uY29tMRswGQYDVQQpExJ2cG4tbmwubm9yZHZwbi5j
b20xHzAdBgkqhkiG9w0BCQEWEG1haWxAaG9zdC5kb21haW4wgZ8wDQYJKoZIhvcN
AQEBBQADgY0AMIGJAoGBANWLMY7HjzfL0zgWCmCCQRNxoqbhi1Kxd5/U/uJgPmME
nKTp89kQ3janQJTsIK/M8r96C+YgTua9ElRTIri6GmAD8lAfMV5CujI5N9iEs8AU
Bl3x8T22nzmTI+IYF+qBPp6g+ks+5/LiYNVBbIebNnnwvWZDBNenTRCITE/8ymsH
AgMBAAGjggEUMIIBEDAdBgNVHQ4EFgQU7tE7MjUdkRr+n2h3faMRty3zs/8wgeAG
A1UdIwSB2DCB1YAU7tE7MjUdkRr+n2h3faMRty3zs/+hgbGkga4wgasxCzAJBgNV
BAYTAk5MMQswCQYDVQQIEwJOTDEVMBMGA1UEBxMMU2FuRnJhbmNpc2NvMRAwDgYD
VQQKEwdOb3JkVlBOMQswCQYDVQQLEwJOTDEbMBkGA1UEAxMSdnBuLW5sLm5vcmR2
cG4uY29tMRswGQYDVQQpExJ2cG4tbmwubm9yZHZwbi5jb20xHzAdBgkqhkiG9w0B
CQEWEG1haWxAaG9zdC5kb21haW6CCQCQVtAJ773yPTAMBgNVHRMEBTADAQH/MA0G
CSqGSIb3DQEBBQUAA4GBAIOc3yXYw7O7D+lPXrOW2CYcsGKnXS5+9Kvn+rOTOCMH
4+GlSW38gwiUCYi7C2kH52VhMOLMmYosVQZMRgNRAB0immKUi1JaVq5UDkOgo+rK
keifSsGBJH4dnKUrG5lOQ7tGA88oT4Qlal6U1tFe2tR7keSXWVZYwtPz6jIrzK3q
-----END CERTIFICATE-----'

TLS_AUTH='-----BEGIN OpenVPN Static key V1-----
6ee32f05bd25efbd64cf08a469c6aa36
755dab4ea4cfa434c708faa51426848e
afaab0e7d275af6924aaa8fd48d5098d
7cd50b5a79d80fb85a0bcb0a9b2ec4d9
f021e8d8584902736f8090a98e2eea88
edbd26dc88361bac87d2151ade2f67be
0ffd5fcf26a1d72ac7374079b46a79e8
df52be0a49d590d80ad9bcc67ea5a01d
0e2629b3de628c3e29229d8cda7c1fa1
45111ecd7b123fda2d831216eab6c01b
2d00a0a0c48109f2d0903bd93e8a0088
c861d0b1d34513f01e075b655441662f
d36b27a51841dffd7abc8535550330f6
17266a0d891f55a6be533de8ec6483bc
c36a67ed57e215861ab408cbc218bb24
a6cbc028cfbf56a6b11ff64ed7073be0
-----END OpenVPN Static key V1-----'

#### Don't modify below here ####

#### Ensure gui client disabled ####
if [ `nvram get openvpncl_enable` != 0 ]; then
   nvram set openvpncl_enable=0
   nvram commit
   sleep 10
fi

mkdir /tmp/vpncl; cd /tmp/vpncl

echo -e "$USERNAME\n$PASSWORD" > userpass.txt

echo "#!/bin/sh
iptables -t nat -I POSTROUTING -o $TUN -j MASQUERADE" > route-up.sh

echo "#!/bin/sh
iptables -t nat -D POSTROUTING -o $TUN -j MASQUERADE" > route-down.sh

echo "$CA_CRT" > ca.crt
echo "$TLS_AUTH" > tls-auth.key
sleep 10

echo "client
dev $TUN
proto $PROTO

$REMOTE
resolv-retry infinite
nobind

tun-mtu 1500
tun-mtu-extra 32
mssfix 1450

persist-key
persist-tun
keepalive 5 30

comp-lzo
mute 20
verb 3
log-append vpn.log
fast-io

auth-user-pass userpass.txt
script-security 2
remote-cert-tls server
cipher AES-256-CBC

ca ca.crt
tls-auth tls-auth.key 1

daemon" > openvpn.conf

chmod 600 ca.crt tls-auth.key userpass.txt openvpn.conf; chmod 700 route-up.sh route-down.sh

(killall openvpn ; openvpn --config openvpn.conf --route-up /tmp/vpncl/route-up.sh --down-pre /tmp/vpncl/route-down.sh) &

exit 0

@chuxxsss67: Thank you for posting this. Can you (or someone else) please explain what to do with this script?

I mean, is it an init script? How do you create it and how do you activate it? And then what other steps are needed in order to make the connection?

I'm using openwrt on a TP-Link TL-WR740N.

HI,

From SSH terminal do:

opkg update
opkg install openvpn-openssl luci-app-openvpn

vi /etc/config/openvpn

Add this lines

config openvpn 'NordVPNUK2TCP'
    option dev 'tun'
    option proto 'tcp'
    option nobind '1'
    option verb '3'
    option comp_lzo 'yes'
    option persist_tun '1'
    option persist_key '1'
    option client '1'
    option fast_io '1'
    option pull '1'
    option resolv_retry 'infinite'
    option tun_mtu '1500'
    option tun_mtu_extra '32'
    option ping '15'
    option ping_restart '0'
    option ping_timer_rem '1'
    option reneg_sec '0'
    option remote_cert_tls 'server'
    option auth_user_pass '/etc/openvpn/userpass.txt'
    option cipher 'AES-256-CBC'
    option auth_nocache '1'
    option port '443'
    option remote '213.229.103.90'
    option log_append '/var/log/openvpn.log'
    option ca '/lib/uci/upload/cbid.openvpn.NordVPNUK2TCP.ca'
    option tls_auth '/etc/openvpn/tlsauth.key 1'
    option enabled '1'

Open your uk2.nordvpn.com.tcp443.ovpn downloaded from nordvpn.com

Copy from -----BEGIN CERTIFICATE-----  to   -----END CERTIFICATE-----   of <ca> </ca> section into a file name /lib/uci/upload/cbid.openvpn.NordVPNUK2TCP.ca
Copy from -----BEGIN OpenVPN Static key V1-----   to   -----END OpenVPN Static key V1-----   of <tls-auth> </tls-auth> section into file /etc/openvpn/tlsauth.key

Add this to your /etc/config/network file

config interface 'NordVPN'
    option proto 'none'
    option ifname 'tun0
   
Add this to your /etc/config/firewall file

config zone
    option name 'VPN'
    option input 'REJECT'
    option forward 'REJECT'
    option output 'ACCEPT'
    option masq '1'
    option mtu_fix '1'
    option network 'NordVPN'

config forwarding
    option dest 'VPN'
    option src 'lan'
   
   
Add username and password (username on first line, password on second line) of file /etc/openvpn/userpass.txt

Create logfile with touch /var/log/openvpn.log

From openwrt webinterface on Services -> OpenVPN check the enabled flag on nordvpn configuration and click start.

If u wanna use other server insterad of uk2 server with TCP you can change "option remote SERVERIPADDRESSACCORDINTOOVPN" the certificate and the certificate key accordint to your
preferred openvpn server.

Bye

Hi I am new do OpenWRT and already love it.
Thank you for the instructions.
I was looking for a quide and trying different instructions for days!
Resetting router many times and almost gave up.
This one finally works!

My advice for less advanced users:
1 Freshly flashed Openwrt
2 go to 192.168.1.1 and change password
3 go to /Network/WIFI and setup an active WIFI connection
4 System/backup configuration/
5 I backup config quite often and rename according to progress
   example: backup-OpenWrt-2016-09-18.clean.Admin.Wifi.SFTP.tar.gz
6 from now I can do everything without cable
7 in case of problems I reset router and restore backed up configuration each time until success!

Go to: WebGui/system/software/
-click on update lists
-available packages --> openssh-sftp-server --> install
Now I am able to use Mobaxterm (SFTP client) to edit all the files (RightMouseClick --> MobaTextEditor).
As a SSH terminal I use SmarTTY:
I don't use VI editor.
I use builtin MobaTextEditor instead to save lots of time.

Only small detail I found is in /etc/config/network file:

is:
config interface 'NordVPN'
    option proto 'none'
    option ifname 'tun0

should be:
config interface 'NordVPN'
    option proto 'none'
    option ifname 'tun0'

Regards!

Great, it finally works for me as well!
Unfortunately there's also side effect. I lost possibility to login to router via SSH from WAN side. I guess new part of /etc/config/firewall is guilty. Could you suggest the way to make ssh port back open again?

Firstly, OpenWRT contains standard implementation of OpenVPN, so the most simple approach is to use configuration files *.ovpn directly. In this case the configuration is very simple. It is described very well on Streisand page.

Secondly, using ssh to login to VPN-client rises some questions. If you get virtual IP from VPN-server, server should forward specific port to you. If you get real IP from VPN-server, server should accept incoming connections to this IP. Furthermore, your firewall settings should accept incoming connections via VPN-specific interface. Another approach is to make VPN-client to send packets corresponding to established connection with specific port to WAN interface, not by default route via VPN-specific interface. It is attained by route configuration (of course, without VPN-connection it should accept incoming connections via ssh to specific port).

(Last edited by ulmwind on 10 Nov 2016, 10:40)

Hello there, I followed your instructions and clicked on 'start' as per the last step.

It says 'started (2998)', but it appears that im still not connected. my ip addresses show with my current location.

How can i address that?

Thanks!!

Use my updated manual: https://forum.openwrt.org/viewtopic.php?id=71153