Setting up DD-WRT OpenVPN client.



  • Posts: 2
    Hi all

    I have tried the OP script and the PIA suggested way to get the Router 2 in my home network connecting via openvpn to my PIA account without any luck.

    I followed all the steps one by one and neither of the two options is working on my setup. The description of my setup is bellow:

    Router 1 (ADB Broadband)
    WAN IP: ISP Provided
    WAN Subnet: ISP Provided
    LAN IP:
    LAN Subnet:

    Router 2 (ASUS RT-AC56U with dd-wrt v24 PreSP2 Beta B23940)
    WAN IP (Connected to a LAN port of Router 1): (Leased static)
    WAN Subnet:
    LAN IP:
    LAN Subnet:

    Router 1 
    Configured with static route:
    Metric: 0
    Destination LAN NET:
    Subnet Mask:
    Interface: LAN

    Router 2 
    Operating Mode is 'Gateway' Setup->Advanced Routing page.  
    Iptables firewall command in Router 2:
    # Allow Router2 to forward traffic from Router1 subnets
    iptables -I FORWARD -s -j ACCEPT

    This setup fully works. Devices connected to Router 1 via LAN and WLAN have full internet access and properly communicate with devices connected to Router 2 via LAN and WLAN and Viceversa.

    I need to get PIA via openvpn in my dd-wrt Router 2 working.

    Have anyone else such a setup working? Could anyone help?

    Posts: 795
    How is it not working? Error messages in the log files? Any other error indicators?
    Show screenshots of your VPN settings.
  • Posts: 2
    How is it not working? Error messages in the log files? Any other error indicators?
    Show screenshots of your VPN settings.
    Hi VPN, thanks for your relply.

    I know it does not work because with the two options I still see my ISP provided IP address and not the one from the PIA server I am using. 

    How can I get the error log files? In the dd-wrt router Status/OpenVPN tab everything is empty.

    Here and screenshot of my VPN setting when using the PIA method:

    When using the OP's method I just have OpenVPN Server/Daemon enabled as he instruct.

    Note that if I use PPTP Client as explained here it works straight away.

    However, the PPTP connection is very slow and I would really like to have the openvpn working.

    Thanks for the help.
    Posts: 795
    Since I don't have a DD-WRT device, I can't tell you where to find logs or how to further debug this. As far as I know, your settings look OK.
    Does it have a OpenVPN connection status screen somewhere? Does that show anything? What if you save the settings, reboot and check 5 minutes after?

    Please note that OP's method is conceptionally different from the OpenVPN client setup via the DD-WRT settings. Errors with these methods might not be related.
  • Posts: 1
    Hello, I have a Linksys E1200 V2 and can't make it work even following exactly the instructions. Somebody can help me?

  • Posts: 68
    @P5471559: My settings are very similar except mtu=1500.  You can try that.  Change, save and apply settings and then reboot the router.  After that try at and see. 

  • New to the forum, rookie PIA user. Used DDWRT in the past, but just basic stuff. I am trying to get OpenVPN going. I do not understand how all the magic works, or where and how the startup commands create the scripts.

    Router - Netear R6200 v1
    Firmware - DD-WRT v24-sp2 (04/14/14) giga (SVN revision build r23075)

    Setup router using p999999 script. In the “piavpn.log” file in /tmp, at the tail end, the route commands are failing, because their is no “route” command in /usr/sbin.

    If I telnet into the router, and use /sbin/route for the failing route commands, I get the VPN up.

    Since the filesystem is read only, I can’t copy /sbin/route to /usr/sbin.

    Can anyone tell me how I can change the startup script to use /sbin/route instead of /usr/sbin/route?

    Thank You


    t Jul 5 19:18:52 2014 us=98936 [Private Internet Access] Peer Connection Initiated with [AF_INET]
    Sat Jul 5 19:18:54 2014 us=403257 SENT CONTROL [Private Internet Access]: 'PUSH_REQUEST' (status=1)
    Sat Jul 5 19:18:54 2014 us=431282 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS,dhcp-option DNS,ping 10,route,topology net30,ifconfig'
    Sat Jul 5 19:18:54 2014 us=432278 OPTIONS IMPORT: timers and/or timeouts modified
    Sat Jul 5 19:18:54 2014 us=432495 OPTIONS IMPORT: --ifconfig/up options modified
    Sat Jul 5 19:18:54 2014 us=432677 OPTIONS IMPORT: route options modified
    Sat Jul 5 19:18:54 2014 us=432858 NOTE: --mute triggered...
    Sat Jul 5 19:18:54 2014 us=435832 1 variation(s) on previous 5 message(s) suppressed by --mute
    Sat Jul 5 19:18:54 2014 us=436045 ROUTE_GATEWAY IFACE=vlan2 HWADDR=20:e5:2a:18:34:c0
    Sat Jul 5 19:18:54 2014 us=443262 TUN/TAP device tun0 opened
    Sat Jul 5 19:18:54 2014 us=443564 TUN/TAP TX queue length set to 100
    Sat Jul 5 19:18:54 2014 us=443833 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    Sat Jul 5 19:18:54 2014 us=444179 /sbin/ifconfig tun0 pointopoint mtu 1500
    Sat Jul 5 19:18:54 2014 us=451992 /usr/sbin/route add -net netmask gw
    Sat Jul 5 19:18:54 2014 us=474712 ERROR: Linux route add command failed: could not execute external program
    Sat Jul 5 19:18:54 2014 us=475167 /usr/sbin/route add -net netmask gw
    Sat Jul 5 19:18:54 2014 us=477342 ERROR: Linux route add command failed: could not execute external program
    Sat Jul 5 19:18:54 2014 us=477762 /usr/sbin/route add -net netmask gw
    Sat Jul 5 19:18:54 2014 us=479915 ERROR: Linux route add command failed: could not execute external program
    Sat Jul 5 19:18:54 2014 us=480371 /usr/sbin/route add -net netmask gw
    Sat Jul 5 19:18:54 2014 us=482480 ERROR: Linux route add command failed: could not execute external program
    Sat Jul 5 19:18:54 2014 us=508916 Initialization Sequence Completed
    root@DD-WRT6200:/tmp/pia# /sbin/route add -net netmask gw
    root@DD-WRT6200:/tmp/pia# /sbin/route add -net netmask gw
    root@DD-WRT6200:/tmp/pia# /sbin/route add -net netmask gw
    root@DD-WRT6200:/tmp/pia# /sbin/route add -net netmask gw
    root@DD-WRT6200:/tmp/pia# cd /usr/sbin
  • Posts: 2
    I have followed these but I dont seem to be going though the VPN. Is there a firewall script I need to add?
  • edited July 2014 Posts: 3
    A few people on this thread have asked how to get this just to route traffic from particular computers to the VPN... and I think I've figured out how to do that! At least, it seems to work for me.  Immediately after the two lines which read:

    echo "#!/bin/sh
    iptables -t nat -I POSTROUTING -o tun0 -j MASQUERADE" >

    add the following lines:

    echo "ip route del" >>
    echo "ip route del" >>
    echo "ip rule add from table 200" >>
    echo "ip route add default dev tun0 table 200" >>
    echo "ip route flush cache" >>

    This does three important things:
    - removes the default routes via the VPN (now, although you're still connected to the VPN, no traffic is sent through it)
    - adds a rule that anything from source address is part of "table 200"
    - adds a default route for everything on table 200 to be sent via the tun0 interface (i.e. the VPN)

    I've tested this by adding and removing my laptop's IP address to table 200 via telnet, and when it was on that table I saw a VPN IP address at, but otherwise I saw my home internet connection's address.
    hello, I tried these (changing them for my internal ip address of 192.168.1.x) and couldn't seem to get this working it just didn't route anyone through the VPN anymore.. 

    can anyone help? I would love to know how to route some specific ip addresses through the VPN

    Post edited by Stargaze on
  • Posts: 0
     p999999 you just made our lives a ton easier. Thank you. Worked perfect on Netgear WNDR-4300 from the first time. (make sure the VPN server and Client are both enabled)
  • I followed this tutorial and everything works but I am running into errors with TCP CONNECT issues every morning. I have to reboot the router in order for the connection to come back up. I have tried multiple servers and multiple TCP ports. Below is my attached command startup:


    # Add - delete - edit servers between ##BB## and ##EE##
    # US - EAST
    remote 80

    #### DO NOT CHANGE below this line unless you know exactly what you're doing ####

    -----END CERTIFICATE-----'

    OPVPNENABLE=`nvram get openvpncl_enable | awk '$1 == "0" {print $1}'`

    if [ "$OPVPNENABLE" != 0 ]; then
       nvram set openvpncl_enable=0
       nvram commit

    sleep 10
    mkdir /tmp/pia; cd /tmp/pia
    echo -e "$USERNAME\n$PASSWORD" > userpass.conf
    echo "$CA_CRT" > ca.crt
    echo "#!/bin/sh
    iptables -t nat -I POSTROUTING -o tun0 -j MASQUERADE" >
    echo "#!/bin/sh
    iptables -t nat -D POSTROUTING -o tun0 -j MASQUERADE" >
    chmod 644 ca.crt; chmod 600 userpass.conf; chmod 700
    sleep 10
    echo "client
    auth-user-pass /tmp/pia/userpass.conf
    management 5001
    management-log-cache 50
    dev tun0
    proto $PROTOCOL
    comp-lzo adaptive
    script-security 2
    mtu-disc yes
    verb 4
    mute 5
    cipher bf-cbc
    auth sha1
    tun-mtu 1500
    resolv-retry infinite
    remote-cert-tls server
    log-append piavpn.log
    ca ca.crt
    status-version 3
    status status
    $REMOTE_SERVERS" > pia.conf
    ln -s /tmp/pia/piavpn.log /tmp/piavpn.log
    ln -s /tmp/pia/status /tmp/status
    (killall openvpn; openvpn --config /tmp/pia/pia.conf --route-up /tmp/pia/ --down /tmp/pia/ &
    exit 0
  • Below is a screen shot of the error I wake up to:

  • Posts: 861
    perhaps your WAN connection is reset every night by your ISP?
  • No because it doesn't drop connection EVERY night just most :)
  • edited August 2014 Posts: 1
    Hi Guys, do any one knows what is going on here?

    Log see attachment.

    My network environment:

    ISP modem --> router1 --> router 2(simple 4 port switch) --> device

    Router 2 is the one I am trying to put OpenVPN on.  I used the the same script provided on page one.

    My router2 has a different IP address than router1 and disabled DHCP.
    Post edited by petercdcn on
  • If I want to change the server I'm on do I have to configure the router each time? This seems tedious. Is there a way to change servers on the router with a client program or something?
  • Posts: 4,013
    Not that I know of. It would be nice to have a client for your Windows/Linux/Mac OS to tell the router to change servers without all the hassle, but at this point it is all manual.
  • Hi,

    i used the script for startup on my WNDR3700 with dd-wrt.
    my connected machine now routes traffic through the vpn as expected so all good there.

    Then i noticed that all my android clients (tablets and phones) have no internet access.
    doesn't make sense to me but wondering if anybody else has seen this or has a possible solution for this.

  • Posts: 1
    This really helped when my router suddenly stopped maintaining a connection. I have the mega package, but this worked better than using the web interface. Thanks!
  • Set up this build on a RT-N16 router running DD-WRT v26 14896.

    Worked for a couple of days but found the VPN was dying every couple of hours. Some digging showed that it was failing to renegotiate DHCP. Adding a firewall exception for port 68 and possibly port 67 on the destination, or if necessary on the destination and source addresses can rectify this.

    iptables -I INPUT -p udp --sport 67:68 --dport 67:68 -j ACCEPT

    Obviously start minimal, only with dport 68 and work up to the full exception as necessary.

    Also stability issues with the vpn can be addressed by lowering the tun-mtu to 1400 in the config or if necessary (and apparently technically preferred, though tun-mtu 1400 worked better for me), setting UDP fragments (should be automatically done, but forcing the router to fragment the packets may be necessary) and finally set mssfix max.

    tun-mtu 1400


    fragment max

    mssfix max

    As a catch all I set the keepalive function to 10 60 so if something goes wrong the wife doesn't notice.

    keepalive 10 60
  • edited September 2014 Posts: 24
    Post edited by Evilbred on
  • edited September 2014 Posts: 4,013
    DHCP is a two way street. Once anything changes for router 1, router 2 will not function anymore since it cannot get the correct details of how router 1 is working.

    *Edit* I am not getting something about this. You say router 2 is a simple 4 port switch. How then can it handle the mathematical overhead of encryption? Am I just misunderstanding?

    Disregard. The post below explains everything.
    Post edited by OmniNegro on
  • DHCP is a two way street. Once anything changes for router 1, router 2 will not function anymore since it cannot get the correct details of how router 1 is working.

    *Edit* I am not getting something about this. You say router 2 is a simple 4 port switch. How then can it handle the mathematical overhead of encryption? Am I just misunderstanding?

    The message system is just messed for me. I accidently quoted a guy and then couldn't figure out how to delete, turns out I just need to view source forum script.

    Anyway, I have only 1 router, which does DHCP (and receives DHCP from my ISP, which was where the problem was)

    Essentially for some reason it could receive the original lease, but could never renew.
    I was just posting what I did to resolve the problem I had (essentially add firewall exceptions on DHCP ports)

    The other parts was a couple of things I did to improve VPN stability as it tended to drop and show some jabber issues.
  • Excluding ports from VPN:

    I was wondering how to exclude certain ports, e.g. Steam, CS:GO, DOTA2 etc, from the DD_WRT script?
  • okay from what I can see there's a big problem with how the tutorial is set out.
    Took me a little while to figure it out too, but it's so ridiculously simple.
    The Instructions are as follows:

    DD-WRT OpenVPN VPN Setup DD-WRT: VPN OpenVPN Setup

    1. Access the Administration area and then go to Commands and finally Startup.
    2. Enter the following:
        echo username >> /tmp/password.txtecho password >> /tmp/password.txt/usr/bin/killall openvpn/usr/sbin/openvpn --config /tmp/openvpncl/openvpn.conf --route-up /tmp/openvpncl/ --down-pre /tmp/openvpncl/ --daemon
    3. Access the VPN tab found under the Services section.
    4. Enable the OpenVPN Client.
    5. Set the Server IP/name to [*].
    6. Set the Port to 1194.
    7. Set the Tunnel Device to TUN.
    8. Set the Tunnel Protocol to UDP.
    9. Set the Encryption Cipher to Blowfish CBC (Default).
    10. Set the Hash Algorithm to SHA1.
    11. Set the nsCertType to unchecked.
    12. Set the Advanced Options to Enabled.
    13. Set Use LZO Compression to Enable.
    14. Set NAT to Enable.
    15. In the Additional Config enter the following:
        auth-user-pass /tmp/password.txtpersist-keypersist-tuntls-clientremote-cert-tls server
    16. Copy and paste the contents of ca.crt found in our OPENVPN CONFIG FILES, into the CA cert field.

      echo username >> /tmp/password.txtecho password >> /tmp/password.txt/usr/bin/killall openvpn/usr/sbin/openvpn --config /tmp/openvpncl/openvpn.conf --route-up /tmp/openvpncl/ --down-pre /tmp/openvpncl/ --daemon
    See the two thing's I have highlighted?
    They're all that has to be changed To you guessed it, your username and password that was given to you when you signed up. Follow the rest of the information accordingly and you will be successful in routing your VPN. Do not use scripts provided by others! Hope this helps you all as much as it did I.
  • edited October 2014 Posts: 4
    Does anyone know if there is a script like this that I can run on my Ubuntu 14.04 64 bit machine? 

    I tried this on my router, but It's not powerful enough to handle it. I also tried the Linux Beta Client on my computer, but it has issues with Ubuntu 14.04. 
    Post edited by killabee44 on
  • I used this guide for my Buffalo dd-wrt router:  Older version of dd-wrt .  Here is a link for the Kong version of dd-wrt.

  • edited October 2014 Posts: 4


    I got it working thanks to your link. Thanks a lot!

    Edit: Well, the speeds just aren't there with my router. It is a cisco E4200 which has a processor speed of 480 Mhz. As soon as I enable the openvpn Client in DD-WRT, my speeds drop from 2.6 MB/s to 600-700 KB/s which really really sucks.

    Time for a new, more powerful router I guess. Any recommendations? Thanks.
    Post edited by killabee44 on
  • edited November 2014 Posts: 9
    I did a bunch of research and testing and found a solution for a hardware like kill switch within DD-WRT. This is where you want to basically block traffic when the VPN conection fails or gets blocked for many reasons.

    This was some of the things I tested for:

    1. When the OpenVPN process dies all LAN/wireless traffic will not leak to the WAN port and bypass the VPN tunnel.
    2. When the router boots up LAN/wireless traffic will not leak to the WAN port and bypass the VPN tunnel.
    3. When OpenVPN is blocked downstream, ex. blocking UDP 1194, LAN/wireless traffic will not leak to the WAN port and bypass the VPN tunnel.
    4. Unplugging/plugging any port on the router will not cause LAN/wireless traffic to leak to the WAN port and bypass the VPN tunnel.

    I use a regular router, router #1, downstream (Fios router from Verizon) and use DD-WRT, router #2, only when I want to use the VPN. I connect the WAN port of the DD-WRT router into the LAN port of the Fios router. I then manually connect devices which I want to use the VPN into the LAN ports OR associate them with the wireless AP in the DD-WRT router.

    If you only wanted to use one router and not two as I have described above, then you would need to use a policy based solution where some devices would tunnel over the VPN and other you could selectively allow to bypass the VPN. See my comments at the very end for this solution.

    These are the firewall commands I added to my WZR-HP-G300NH v1 router (ADMINISTRATION - COMMANDS):

    iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
    iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
    iptables -I FORWARD -i br0 -o eth1 -j DROP
    iptables -I INPUT -i tun0 -j REJECT
    iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

    Make certain you click "Save Firewall".

    The last line is a duplicate from the OP, but doesn't seem to cause any issue. I also own a whr-g54s which required the same above command, but eth1 was replaced with vlan1. Each router will have different interfaces, so these firewall commands might be different for your router. You can use the route command to see what interfaces you have.

    This is where I found this information:

    For a policy based solution where you want to allow some machines to go around the VPN, go here:

    Post edited by bunklung on
Sign In or Register to comment.