DD-WRT OpenVPN Setup


FlashRouters offers plug and play DD-WRT Routers preconfigured Private Internet Access Routers for this setup.


By default, DD-WRT may use your ISP's DNS servers using DHCP. For privacy reasons, we'll instead configure DD-WRT to explicitly use alternate DNS servers. The below servers are provided as an example, you can use any Public DNS service you would prefer, such as Google DNS (8.8.8.8 and 8.8.4.4), Level 3 (209.244.0.3 and 209.244.0.4), or you can use a combination to fill in the 3 Static DNS fields.


You can find our CA Certificate here, which will be useful later.


  1. In the DD-WRT Administrative Interface, navigate to Setup > Basic Setup.
  2. Under Network Address Server Settings (DHCP), set:
    Static DNS 1 = 4.2.2.1
    Static DNS 2 = 4.2.2.2
    Static DNS 3 = 4.2.2.3
    Use DNSMasq for DHCP = Checked
    Use DNSMasq for DNS = Checked
    DHCP-Authoritative = Checked
  3. Save and Apply Settings.
    DD-WRTOpenVPN1
  4. To Disable IPv6, Navigate to Setup > IPV6
  5. Set IPv6 to Disable, then Save & Apply Settings.
  6. Disable IPv6
    DD-WRTOpenVPN2
  7. To Enable Local DNS, Navigate to Services > Services
  8. If there is a DNS Suffix, Remove that
  9. Under DHCP Server, Set Used Domain to LAN & WLAN
  10. Under DNSMasq Ensure that DNSMasq, Local DNS, and No DNS Rebind are all enabled
  11. Save & Apply Settings.
    DD-WRTOpenVPN3
  12. Navigate to Service > VPN
  13. Under OpenVPN Client, set Start OpenVPN Client = Enable. Other options will appear.
  14. Set Advanced Options to Enable, More options will appear.
  15. Set the following:
    Server IP/Name = us-east.privateinternetaccess.com [*]
    Or if you prefer to use a specific location, You can find the full list of locations here: https://www.privateinternetaccess.com/pages/network
    Port = 1198
    Tunnel Device = TUN
    Tunnel Protocol = UDP
    Encryption Cipher = AES­-128-­CBC
    Hash Algorithm = SHA1
    User Pass Authentication = Enable
    Username, Password = Your PIA username & password
    TLS Cipher = None
    LZO Compression = Yes
    NAT = Enable
    DD-WRTOpenVPN4
  16. In Additional Config, Type:
    persist-key
    persist-tun
    tls-client
    remote-cert-tls server
  17. Download the file https://www.privateinternetaccess.com/openvpn/ca.rsa.2048.crt
  18. Right-Click the ca.rsa.2048 file, and Choose Open With, Then choose Notepad
    DD-WRTOpenVPN5
  19. Highlight the full contents of the ca.rsa.2048 file by pressing Ctrl+A then copy with Ctrl+C
  20. In DD-WRT, Paste, (Ctrl+P) the contents in the CA Cert field. Be sure the entire text gets pasted in, including "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----".
    DD-WRTOpenVPN6
  21. Save and Apply Settings
  22. To Verify the VPN is Working, Navigate to Status > OpenVPN
    Under State, you should see the message "Client: CONNECTED SUCCESS"
    DD-WRTOpenVPN7

EASY Setup Guides for Alternate Configurations (Advanced):

PPTP/L2TP/SOCKS Security

The PPTP/L2TP/SOCKS5 protocols are provided for devices lacking compatibility with the Private Internet Access application or OpenVPN protocol. PPTP/L2TP/SOCKS5 should be used for masking one's IP address, censorship circumvention, and geolocation.

If you need encryption, please use the Private Internet Application or OpenVPN protocol with our service.

    Although quite different from a VPN, we provide a SOCKS5 Proxy with all accounts in the event users require this feature.

    SOCKS5 Proxy Usage Guides
    proxy-nl.privateinternetaccess.com port 1080
    Enable port forwarding in the application by entering the Advanced area, enabling port forwarding and selecting one of the following gateways:

    CA Toronto
    CA Montreal
    Netherlands
    Sweden
    Switzerland
    France
    Germany
    Romania
    Israel

    After enabling port forwarding and re-connecting to one of the above gateways, please hover your mouse over the System Tray or Menu Bar icon to reveal the tooltip which will display the port number. You can then enter this port into your software.

    Port Forwarding reduces privacy. For maximum privacy, please keep port forwarding disabled.
IPv6 leak protection disables IPv6 traffic while on the VPN. This ensures that no IPv6 traffic leaks out over your normal internet connection when you are connected to the VPN. This includes 6to4 and Teredo tunneled IPv6 traffic.
    The dns leak protection feature activates VPN dns leak protection. This ensures that DNS requests are routed through the VPN. This enables the greatest level of privacy and security but may cause connectivity issues in non-standard network configurations.

    This can be enabled and disabled in the Windows application, while it is enabled by default on our macOS application.

    We use our own private DNS servers for your DNS queries while on the VPN. After connecting we set your operating system's DNS servers to 209.222.18.222 and 209.222.18.218. When using a DNS Leak testing site you should expect to see your DNS requests originate from the IP of the VPN gateway you are connected to.

    If you change your DNS servers manually or if for some other reason they are changed this does not necessarily mean your DNS is leaking. Even if you use different DNS servers the queries will still be routed through the VPN connection and will be anonymous.
    The internet kill switch activates VPN disconnect protection. If you disconnect from the VPN, your internet access will stop working. It will reactivate normal internet access when you deactivate the kill switch mode or exit the application.

    Users who may be connected to two connections simultaneously (ex.: wired and wireless) should not use this feature, as it will only stop 1 active connection type.


  • United States (US VPN)
    us-california.privateinternetaccess.com
    us-east.privateinternetaccess.com
    us-midwest.privateinternetaccess.com
    us-chicago.privateinternetaccess.com
    us-texas.privateinternetaccess.com
    us-florida.privateinternetaccess.com
    us-seattle.privateinternetaccess.com
    us-west.privateinternetaccess.com
    us-siliconvalley.privateinternetaccess.com
    us-newyorkcity.privateinternetaccess.com

  • United Kingdom (GB VPN)
    uk-london.privateinternetaccess.com
    uk-southampton.privateinternetaccess.com

  • Canada (CA VPN)
    ca-toronto.privateinternetaccess.com
    ca.privateinternetaccess.com

  • Australia (AU VPN)
    aus.privateinternetaccess.com
    aus-melbourne.privateinternetaccess.com

  • New Zealand (NZ VPN)
    nz.privateinternetaccess.com

  • Netherlands (NL VPN)
    nl.privateinternetaccess.com

  • Sweden (SE VPN)
    sweden.privateinternetaccess.com

  • Norway (NO VPN)
    no.privateinternetaccess.com

  • Denmark (DK VPN)
    denmark.privateinternetaccess.com

  • Finland (FI VPN)
    fi.privateinternetaccess.com

  • Switzerland (CH VPN)
    swiss.privateinternetaccess.com

  • France (FR VPN)
    france.privateinternetaccess.com

  • Germany (DE VPN)
    germany.privateinternetaccess.com

  • Ireland (IE VPN)
    ireland.privateinternetaccess.com

  • Italy (IT VPN)
    italy.privateinternetaccess.com

  • Romania (RO VPN)
    ro.privateinternetaccess.com

  • Turkey (TR VPN)
    turkey.privateinternetaccess.com

  • South Korea (KR VPN)
    kr.privateinternetaccess.com

  • Hong Kong (HK VPN)
    hk.privateinternetaccess.com

  • Singapore (SG VPN)
    sg.privateinternetaccess.com

  • Japan (JP VPN)
    japan.privateinternetaccess.com

  • Israel (IL VPN)
    israel.privateinternetaccess.com

  • Mexico (MX VPN)
    mexico.privateinternetaccess.com

  • Brazil (BR VPN)
    brazil.privateinternetaccess.com

  • India (IN VPN)
    in.privateinternetaccess.com