Your location: Your IP: Your status:ProtectedUnprotected · To the tests »

OpenVPN on a Router running OpenWRT

Ssh terminal (PuTTY) | OpenVPN on a Router running OpenWRT


First download and unpack the archive with the OpenVPN configuration files linked above. Open PuTTY or another terminal program, connect to the router and log in. Successively execute both commands: opkg update and opkg install openvpn-openssl luci-app-openvpn kmod-ipt-nat6

Optional: Create script for IPv6

Attention: If you plan to use several OpenVPN connections later, skip this step because the script only works with one OpenVPN client so far.
The script later is used to request an IPv6 prefix from the VPN server.

cat << EOF > /etc/firewall.nat6
iptables-save -t nat \
| sed -e "/\s[DS]NAT\s/d" \
| ip6tables-restore -T nat

Copy the command to create the script above and the following commands one after another in the terminal window and execute each by then pressing the Enter-key.

uci -q delete firewall.nat6
uci set firewall.nat6="include"
uci set firewall.nat6.path="/etc/firewall.nat6"
uci set firewall.nat6.reload="1"
uci commit firewall
service firewall restart

WinSCP connecting | OpenVPN on a Router running OpenWRT

Copy VPN configurations onto the router

Copy the chosen OpenVPN configuration file (for example by using the program WinSCP) in the directory /etc/openvpn/ of the OpenWRT router. In this example (for the VPN servers in Amsterdam) the file to copy is Amsterdam.ovpn.

WinSCP file properties | OpenVPN on a Router running OpenWRT

Adjust configuration

Afterwards create the file userpass.txt in the /etc/openvpn/ directory using WinSCP (of course alternatively the ssh terminal may be used). Enter your Perfect Privacy username in the first row and your Perfect Privacy password in the second row.

In the same directory create the file with the following lines as content

env | sed -n -e "
" | sort -u > /tmp/resolv.conf.vpn
uci set dhcp.@dnsmasq[0].resolvfile="/tmp/resolv.conf.vpn"
/etc/init.d/dnsmasq restart

and the file with the following content

uci set dhcp.@dnsmasq[0].resolvfile="/tmp/"
/etc/init.d/dnsmasq restart

Open the properties of the files userpass.txt, and to set the permissions to 755.

Using WinSCP open the file openvpn in the /etc/config/ directory. Delete the contents of the file and instead enter the following rows:

config openvpn 'PP_Amsterdam'
option config '/etc/openvpn/Amsterdam.ovpn'
Save the file. In /var/log/openvpn.log you later may view the log, in case any issues with the OpenVPN connections should occur.

WAN Interface: configuring DNS servers | OpenVPN on a Router running OpenWRT

DNS server configuration

Log in on your OpenWRT router using a web browser ( Change to the Network=>Interfaces=>WAN=>Edit=>Advanced Settings tab and deactivate Use DNS servers advertised by peer. At Use custom DNS servers enter at least two publicly usable IPv4 DNS servers (e.g. and and click on the Save button.

WAN6 Interface: configuring DNS servers | OpenVPN on a Router running OpenWRT

Do the same in the WAN6 tab and enter at least two IPv6 DNS servers. Then click the Save & Apply button. You can either use the DNS servers from Google (IPv4: and IPv6: 2001:4860:4860::8888 and 2001:4860:4860::8844) or use some of the OpenNIC project.

Note: If you want, you can also use Perfect Privacy DNS servers (you can find the IPs on the DNS server page in the customer area). These DNS servers will only resolve * domains when VPN is not connected which means that Internet access will not work without the VPN being connected. However, there will be no IP leak when using public name servers instead, since all DNS requests will be sent anonymized over the VPN tunnel while a VPN connection is established.

Creating VPN the interface | OpenVPN on a Router running OpenWRT

Firewall configuration

Navigate to the menu Network=>Interfaces and click on Add new interface….

  • Name of the new interface: PP_VPN
  • Protocol of the new interface: Unmanaged
  • Cover the following interface: Custom Interface: tun0

Accept the settings with the Submit button.

Properties of the VPN interface | OpenVPN on a Router running OpenWRT

In the newly created interface switch to the Advanced Settings tab and activate:

  • Bring up on boot
  • Use builtin IPv6-management

Use the Save button to accept the settings.

Creating the firewall for the VPN interface | OpenVPN on a Router running OpenWRT

Then navigate to the Firewall Settings tab. Open the choice field next to Create / Assign firewall-zone, choose create and enter PP_Firewall behind it. Click the Save & Apply button.

Settings of the firewall | OpenVPN on a Router running OpenWRT

Afterwards navigate to Network=>Firewall and to the right of PP_Firewall click on Edit. Adjust the following settings:

  • Name: PP_Firewall
  • Input: reject
  • Output: accept
  • Forward: reject
  • Masquerading: activate
  • MSS clamping: activate
  • Covered networks: PP_VPN

Underneath Inter-Zone Forwarding select the following:

  • Allow forward from source zones: activate lan

Use the Save button to accept the settings.

Activating OpenVPN | OpenVPN on a Router running OpenWRT

Activate OpenVPN

Go to the menu Services=>OpenVPN and set the checkmark at Enabled. Then first click on the button Save & Apply and then start PP_Amsterdam1 by clicking the start button.

Optionally activate the kill-switch | OpenVPN on a Router running OpenWRT

Optional: Activate the kill-switch

Attention: This step activates the firewall protection ("kill switch"), which ensures in case off an interruption of the internet service no data can bypass the VPN tunnel. If you want to access the internet via your router without VPN too, you have to skip this step.

Navigate to Network=>Firewall and underneath Zones open lan using the Edit button.

Kill-switch activation/deactivation | OpenVPN on a Router running OpenWRT

Scroll down to Inter-Zone Forwarding and next to Allow forward to destination zones activate only PP_Firewall. Then click on the button Save & Apply.

If you want to disable the firewall protection ("kill switch") again, next to Allow forward to destination zones: PP-Firewall additionally activate WAN and WAN6.

Check-IP | OpenVPN on a Router running OpenWRT

You can verify that the VPN connection is working correctly by visiting our Check-IP website from any device connected to the router.

This website uses cookies to analyze the traffic and to control our advertising. By using this site, you agree to the use of cookies. More information can be found in our privacy policy.