Setting up DD-WRT OpenVPN client.

edited November 2012 in VPN Setup Support Posts: 1
I've read many users have trouble setting up the OpenVPN client on some DD-WRT flashed routers. There are DD-WRT builds that lack the ADVANCED OPTIONS button; here's my solution:

1- Go to SETUP - BASIC SETUP - NETWORK ADDRESS SERVER SETTINGS (DHCP) 
Set Static DNS 1 to: 8.8.8.8
Set Static DNS 2 to: 8.8.4.4

or any other DNS servers you want.

2- Set TIME SETTINGS to match your current location.

Click SAVE - Click APPLY SETTINGS

3- Go to SERVICES - VPN
Enable OpenVPN Server (Just click the enable button, do nothing else). This step you can skip. It only serves the purpose of enabling OPENVPN STATUS so that you can see the current state and log of PIA OPENVPN CLIENT.

Click APPLY SETTINGS

4- Go to ADMINISTRATION - COMMANDS
Copy and paste the text from the link below into Commands. Don't forget to replace Your_PIA_Username and Your_PIA_Password with your own credentials; if you want, you can change the remote regional-gateway (us-west...) too:


Click SAVE STARTUP

5- Go to ADMINISTRATION - MANAGEMENT

Click REBOOT ROUTER

6- That should do it; from now on every device that gets an IP address from your router will go through PIA's VPN tunnel.
As you can see, we did nothing to the OpenVPN client in SERVICES - VPN. The script takes care of that for us.


ENJOY!!
Post edited by p999999 on

Comments

  • Posts: 167
    Nice!  Thanks p999999
  • edited November 2012 Posts: 5
    When multiple servers are added will it connect to a random one each reconnect?
    Post edited by jdev on
  • edited November 2012 Posts: 261
    When multiple servers are added will it connect to a random one each reconnect?
    I'd like to know this too.
    Thanks
    Post edited by thisisme786 on
  • Hey p999999 or anyone, is there a way with that script to have certain IP's route through the VPN and all the rest without the VPN??

    I found something like this:

    # Add rules for all DHCP routes (192.168.1.100 -> 192.168.1.255)
    ip rule add from 192.168.1.100/30 lookup 4
    ip rule add from 192.168.1.104/29 lookup 4
    ip rule add from 192.168.1.112/28 lookup 4
    ip rule add from 192.168.1.128/25 lookup 4

    but i don't know what it will do to the script
  • Hi, has anyone been able to figure out how to do selective VPN through the above method? I have tried some options but nothing seems to work.

  • Posts: 5
    What do you use to copy/paste? I think there is an issue with return/line feeds corrupting the certificate.
  • Posts: 2
    Thank you. This is working like a charm on my Asus RT-N16. My only worry is that I have no idea what it's doing, so I hope I never need to change it.
  • So glad I found this. Will try it out tonight and report back!
  • Posts: 1
    Works like a charm... Was anyone able to modify the script to restrict IPs for the VPN?

  • p999999, I need your help if you can. I did as you said in your post setting up the DD-WRT router, but it shows my real IP address. I have TeamViewer on my PC; if you have TeamViewer we can connect together and you can see my setup. Maybe you can look at it and tweak it to work.

     

  • Hoorah, I got it going right. My problem was I have 2 servers: 1 was open vpn client and the other was open start vpn Daemon, which I did, and voila, it works. Thanks p999999
  • Posts: 7
    How are people finding the speeds using DD-WRT and OpenVPN?  I've heard speeds on routers like the WRT54G can really be hit using OpenVPN due to a lack of power.
  • Wow! I was ready for problems, but did it in one shot, thanks a lot!

    I have one question:

    In your script I can see, where you setup routing through tun device:
    iptables -t nat -I POSTROUTING -o tun0 -j MASQUERADE" > route-up.sh
    iptables -t nat -D POSTROUTING -o tun0 -j MASQUERADE" > route-down.sh

    I've created a bridge br1 for my second guest WiFi network 192.168.2.X.
    So I have two bridges: default br0 and br1.
    How can I modify the rules to VPN'ize only the traffic from that guest network on br1?
    Processing VPN from all networks overloads my router CPU. I just wanted to install VPN clients for PCs on my home network and VPN'ize small guest traffic on the router.

    Thanks in advance!
  • VPNVPN
    Posts: 795
    @Cooler044: That needs policy routing.
  • Thanks for these instructions. Will try them out shortly. I am eager to have all my traffic routed via PIA, so doing it at the router seems sensible to me.
  • I've gone through all the steps, but my router is not connecting with PIA using OpenVPN. I'm using DD-WRT v24-sp2 (11/02/09) mega, which is the most recent release for my router (WRT54GS v2). Just to confirm, this is what I've done so far...

    Step 1; DNS set for OpenDNS
    Step 2; Time settings set to -8 GMT, NTP server selected
    Step 3; Start OpenVPN Daemon set to 'yes'
    Step 4; Username/Password added, no servers changed, copied and pasted using Notepad++, clicked 'Save Startup'
    Step 5; Clicked reboot router, also have tried power cycling
    Step 6; Doesn't work.

    I can see an OpenVPN section under Status tab now, but the State, Status and Log sections under that tab are all blank. This setup has been done on a mostly fresh flash (apart from wireless config). I've tried with and without SPI firewall enabled.

    I'm not sure where to go from here. Open to any suggestions.
  • Thanks p999999. I was about to give up.
    It worked for me for DD WRT on DIR 632 , build 21061.
  • VPNVPN
    Posts: 795
    @p2875190: Step 3 - Daemon mode sounds wrong in this case. You don't want other users to establish a VPN to your router, instead your router should act as a client.

    I don't have any experience with DD-WRT, but maybe try without the OpenVPN daemon.
  • edited November 2013 Posts: 1
    Thank you so much!!! 

    These instructions need to be added to the DD-WRT OpenVPN setup instructions that are already on the page. I'm up and working now! Thanks a lot.

    Worked for me with

    Netgear WNR3500L v1
    DD-WRT v24-sp2 (01/25/13) vpnkong - build 20500M
    Post edited by noodle on
  • edited November 2013 Posts: 5
    Worked Great, Thanks!!! Now I can use PrivateInternetAccess on my router.
    Many Thanks.
    :-)
    Post edited by aiojgngiaj on
  • I have a D-Link DIR-615 router and am using Firmware: DD-WRT v24-sp2 (03/25/13) std Build 20161. I was trying different VPN settings available on the PIA website. When I saw this post I reset the settings to start afresh.

    I changed static DNS as noted above and copied the command and pasted it into the command box. I changed user name and password (same as to access PIA) and followed the rest of the instructions. But I don't see this working for me. Is there anything I should do to make it work?

  • Used this configuration and it works unlike the trouble I had on the website. THANKS

    Is there a way to keep the PS4 wired connection off the VPN ?
    :D
  • edited December 2013 Posts: 1
    Thank you very much p999999, I hope at the very least they gave you a free year or something. 

    After wasting most of my evening, I can confirm PIA's posted method for getting openvpn working on  the latest DD-WRT v24-sp2 (12/12/13) std does not work on a Netgear WNDR3800. Even if you try it a half-dozen times and swear a fair bit. Your method was painless. 

    Currently in the same boat as the poster above, trying to figure out how to exclude several IPs from going through the VPN. 

    I'm willing to chip in a few bucks towards p999999 's VPN if he continues to refine his script (hopefully to include the ability to exclude), anybody else?

    I'm as cheap as the next guy, but would happily shell out $10-$20 bucks for a fool proof way of setting this up properly and painlessly with a few options. 
    Post edited by Unexploded on
  • edited December 2013 Posts: 40
    Is there a way to keep the PS4 wired connection off the VPN ?:D
    I can tell you how we bypass our tomato'ed router.  We have two routers in series.  We connected the tomato WAN port to a LAN port of our main router which is connected to the cable modem.  Now anything that connects to the tomato SSID is through the VPN while anything that connects to the main router bypasses the vpn and runs at full ISP speed.  Obviously you can still use the PIA client through this connection if you want.

    There is one minor trick to doing this - make sure the subnets do not conflict.  We made the subnet mask of the main router 255.255.255.128 and the subnet mask of the tomato router 255.255.255.0.  I configured the main router to assign IP's in the range 192.168.50.1 to 100 while the tomato to assign IP's in the range 150 to 250.  The subnet mask on all of the computers matches the tomato so they can connect to either one.

    ** edit - corrected stupid mistake... **
    Post edited by johnfromnowhere on
  • edited January 2014 Posts: 1
    I can tell you how we bypass our tomato'ed router.  We have two routers in series.  We connected the tomato WAN port to a LAN port of our main router which is connected to the cable modem.  Now anything that connects to the tomato SSID is through the VPN while anything that connects to the main router bypasses the vpn and runs at full ISP speed.  Obviously you can still use the PIA client through this connection if you want.

    There is one minor trick to doing this - make sure the subnets do not conflict.  We made the subnet mask of the main router 255.255.255.128 and the subnet mask of the tomato router 255.255.255.0.  I configured the main router to assign IP's in the range 192.168.50.1 to 100 while the tomato to assign IP's in the range 150 to 250.  The subnet mask on all of the computers matches the tomato so they can connect to either one.

    I've been looking for this exact information for a long long time now.  Thank you so much!  I got it to work using your steps, I made a couple small changes to the IP addys though. 

    Only question I have is where you said that all the computers have the Tomato's subnet mask  address..  you went into the "Local Area Connection" properties and changed the TCP/IP properties 'Alternate Configuration' Subnet mask?  Did you have to assign an IP address to each computer too? 
    Post edited by FDoki on
  • Posts: 4,013
    I think he is saying he assigned them via the router itself. I could be mistaken though.
  • I can tell you how we bypass our tomato'ed router.  We have two routers in series.  We connected the tomato WAN port to a LAN port of our main router which is connected to the cable modem.  Now anything that connects to the tomato SSID is through the VPN while anything that connects to the main router bypasses the vpn and runs at full ISP speed.  Obviously you can still use the PIA client through this connection if you want.

    There is one minor trick to doing this - make sure the subnets do not conflict.  We made the subnet mask of the main router 255.255.255.128 and the subnet mask of the tomato router 255.255.255.0.  I configured the main router to assign IP's in the range 192.168.50.1 to 100 while the tomato to assign IP's in the range 150 to 250.  The subnet mask on all of the computers matches the tomato so they can connect to either one.

    I've been looking for this exact information for a long long time now.  Thank you so much!  I got it to work using your steps, I made a couple small changes to the IP addys though. 

    Only question I have is where you said that all the computers have the Tomato's subnet mask  address..  you went into the "Local Area Connection" properties and changed the TCP/IP properties 'Alternate Configuration' Subnet mask?  Did you have to assign an IP address to each computer too? 



    No, both routers can be set as DHCP so it is not necessary to make your computer IP addresses static.  Sorry for the confusion, my situation is a little different.

    Just make sure that your routers each have distinct subnets so they don't conflict.  I do have a static IP address in one of my computers because I use Synergy to connect my desktop to my laptop so they can share a mouse/keyboard.  Synergy requires a static IP.  I have since changed the configuration so that the computer's IP address is set static in each router rather than in the computer settings, much better.  This situation probably does not apply to you anyway (unless you want to use Synergy - it is a cool little program).

    You can just make both masks 255.255.255.0 but have the main router as i.e.

    10.45.90.1/24

    and the second router can be i.e.

    192.168.123.1/24

    It really does not matter what the router IP's are - as long as the subnets are different.

  • Posts: 1
    Hi everyone,

    I have managed to get my WRT54GS flashed with Tomato VPN.  It all works great.  I have it set as a Wireless client to my main router, so that I can use wired devices through the VPN with it.

    Router A (192.168.1.1) wifi to Router B (192.168.2.1) wired to device I want on the VPN.

    My question is how can I ensure that Router B offers internet access ONLY via VPN.  i.e. VPN fails, Router B will still route to the internet, and I'm none the wiser unless I'm actively monitoring it.

    Any tips?

    Thanks.
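
For the two recurring questions in this thread (sending only one network such as the br1 guest bridge through the tunnel, and making sure nothing reaches the internet when the VPN is down), here is an added example that is not part of any post and is not p999999's script. The subnet, interface names and table number are assumptions, and the functions print their commands unless DRY_RUN=0. For the case where everything behind the router should use the VPN, only the kill-switch function is needed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: guest bridge br1 with
# 192.168.2.0/24, tunnel tun0, routing table 10, WAN interface vlan2
# (check the real name on the router, e.g. with `nvram get wan_iface`).
# Assumes the OpenVPN client does not install the pushed default route
# (OpenVPN option route-nopull); otherwise every network still uses tun0.

DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands, 0 = run them as root

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Route only SRC_NET through the tunnel: the rule sends packets from that
# source to a private table whose sole default route is the tunnel device.
vpn_policy_up() {      # usage: vpn_policy_up SRC_NET TUN_IF TABLE
    run ip rule add from "$1" lookup "$3"
    run ip route add default dev "$2" table "$3"
    run iptables -t nat -I POSTROUTING -s "$1" -o "$2" -j MASQUERADE
    run ip route flush cache
}

# Undo vpn_policy_up when the tunnel goes down.
vpn_policy_down() {    # usage: vpn_policy_down SRC_NET TUN_IF TABLE
    run ip rule del from "$1" lookup "$3"
    run ip route flush table "$3"
    run iptables -t nat -D POSTROUTING -s "$1" -o "$2" -j MASQUERADE
    run ip route flush cache
}

# Fail closed: once tun0 is gone the private table is empty, so the lookup
# falls through to the main table and traffic would leave via the WAN.
# Rejecting LAN_IF -> WAN_IF forwarding makes it fail instead of leaking.
# Install this once at boot, before the tunnel comes up.
vpn_killswitch() {     # usage: vpn_killswitch LAN_IF WAN_IF
    run iptables -I FORWARD -i "$1" -o "$2" -j REJECT
}

# On the router (DRY_RUN=0):
#   at boot:        vpn_killswitch  br1 vlan2
#   route-up.sh:    vpn_policy_up   192.168.2.0/24 tun0 10
#   route-down.sh:  vpn_policy_down 192.168.2.0/24 tun0 10
```

Run it first with the default DRY_RUN=1 and read the printed commands against `ip rule show` and `iptables -L FORWARD -v` on the router before switching to DRY_RUN=0.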
  • Hi All, This finally worked for me too on WRT54GS v1.1. I had to use the latest dd-wrt firmware which was v24 preSP2[Beta] Build 14896. I used the mega. 

    Much thanks to p999999. Thanks, you rock the world for those who like to tweak but are not experts.

  • I too am having trouble. Is the only place that I need to make changes the "Your_PIA_Username" and "Your_PIA_Password"?
    I'm using
    DD-WRT v24-sp2 mini on Linksys WRT160Nv3.

    Are there any other settings that need to be changed from default other than what is listed in OP's post?
    Any suggestions?
    Thanks.
