
How to set up ProtonVPN on OpenWRT routers

In this article, we are going to cover the basic VPN setup process on an OpenWRT router so that it can connect directly to the ProtonVPN servers.

Learn more about why you should set up a VPN on your router

We don’t recommend setting up a VPN connection if you aren’t a tech-savvy user.

1. Install needed packages

Install openvpn-openssl and luci-app-openvpn to be able to manage OpenVPN using the web interface.

A new page in the web interface should appear.

Navigate to VPN → OpenVPN to open the OpenVPN config management page.

2. Upload and edit an OpenVPN config file

This is available starting with the OpenWrt 19.07 version.

Log in to your ProtonVPN account and click the Downloads category. You can download the desired configuration files by selecting the Router option.

Then, go back to OpenVPN and scroll down to the OVPN configuration file upload section. Browse (1) for the configuration file that you have just downloaded, give it a name (2), and upload it (3).

The configuration file will appear in the table of available OpenVPN configurations. You can now edit it.

 

Search for the line that begins with auth-user-pass in the first text box. Edit it by adding the full path to the username/password .auth file, which is shown in the text just above the second text box (1). For the example below, this would be:

auth-user-pass /etc/openvpn/FR.auth

In the second box, enter the OpenVPN/IKEv2 username and password from your account (2). Note: to use our NetShield DNS filtering feature, append the suffix +f1 to your username to block malware, or +f2 to block malware, ads, and trackers (for example 123456789+f2).

Back in the first box, add the following lines to the configuration file (3):

script-security 2
up /etc/openvpn/client.sh
down /etc/openvpn/client.sh

Save the configuration file.

Go back to VPN → OpenVPN, then click on Save & Apply.

3. Add DNS updater script

Log in to your router as the root user with an SSH client. Type the following in the terminal:

cat << "EOF" > /etc/openvpn/client.sh
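#!/bin/sh
# Turn the DNS servers and search domains pushed by the VPN server
# (exported by OpenVPN as foreign_option_N variables) into resolv.conf lines.
env | sed -n -e "
/^foreign_option_.*=dhcp-option.*DNS/s//nameserver/p
/^foreign_option_.*=dhcp-option.*DOMAIN/s//search/p
" | sort -u > /tmp/resolv.conf.vpn
# On "up", point dnsmasq at the VPN resolver file; on "down", discard that change.
case ${script_type} in
(up) uci set dhcp.@dnsmasq[0].resolvfile="/tmp/resolv.conf.vpn" ;;
(down) uci revert dhcp ;;
esac
# Restart dnsmasq in the background so it picks up the resolver file now in effect.
/etc/init.d/dnsmasq restart &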
EOF
chmod +x /etc/openvpn/client.sh

Exit your shell.
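
What the hook from step 3 does with the options the server pushes, as an added example that is not part of ProtonVPN's article: vpn_resolv_lines applies the same sed filter to constructed input, has_vpn_dns catches the case where no resolver was pushed, and hook_is_safe checks that the script OpenVPN executes under script-security 2 is not writable by group or others. The helper names, the sample variables and the example.lan domain are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not ProtonVPN's code. Helper names are hypothetical.

# The sed filter from /etc/openvpn/client.sh, reading "name=value" lines
# from stdin instead of the live environment so it can be tried offline.
vpn_resolv_lines() {
    sed -n -e "
/^foreign_option_.*=dhcp-option.*DNS/s//nameserver/p
/^foreign_option_.*=dhcp-option.*DOMAIN/s//search/p
" | sort -u
}

# True only if the filtered output names at least one resolver. If the
# server pushes no DNS option, /tmp/resolv.conf.vpn would be empty and
# dnsmasq would be pointed at a file with no upstream resolver.
has_vpn_dns() {
    vpn_resolv_lines | grep -q '^nameserver [0-9A-Fa-f.:][0-9A-Fa-f.:]*$'
}

# True if FILE exists and is not writable by group or others. With
# script-security 2, OpenVPN executes this file on connect and disconnect.
hook_is_safe() {
    [ -f "$1" ] || return 1
    perms=$(ls -ld "$1" | cut -c1-10)
    case $perms in
        ?????w????|????????w?) return 1 ;;
    esac
    return 0
}

# Constructed sample of the variables OpenVPN exports to an up script.
sample_env() {
    cat << "EOF"
script_type=up
dev=tun0
foreign_option_1=dhcp-option DNS 10.20.0.1
foreign_option_2=dhcp-option DOMAIN example.lan
route_vpn_gateway=10.20.0.1
EOF
}

sample_env | vpn_resolv_lines
```

On the router, hook_is_safe /etc/openvpn/client.sh checks the installed script itself.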

4. Start and enable the client

Start the client by pressing the Start button in the table of available configurations. This can take up to 10 seconds to complete, as OpenVPN startup and shutdown are slow.

If you want this VPN client connection to start on boot and remain always active, tick the Enable checkbox.

Note: If clicking the Start button in the table fails to start the VPN instance, tick the Enable checkbox and press the Save & Apply button.

5. Firewall

At this point, the VPN is set up and your router can use it. However, the devices in the LAN of your router won’t be able to access the Internet anymore. To restore their access, you need to set the VPN network interface as public by assigning the VPN interface to the WAN zone.

5.1-a With OpenWRT versions up to 18.06 and 19.07

  1. Click on Network in the top bar and then on Interfaces to open the interfaces configuration page.
  2. Click on button Add new Interface…
  3. Fill the form with the following values: name = tun0, Protocol = Unmanaged, Interface = tun0. Then click on Create Interface.
  4. Edit the interface.
  5. In panel General Settings: unselect the checkbox Bring up on boot.
  6. In panel Firewall Settings: Assign firewall-zone to wan.
  7. Click on Save and Apply the new configuration.
  8. Reboot the router.

5.1-b With OpenWRT 19.07 (alternative to the above step 5.1-a)

Click on Network in the top bar and then on Firewall to open the firewall configuration page.

Click on the Edit button of the wan (red) zone in the Zones list at the bottom of the page.

Click on the Advanced Settings tab and select the tunX interface (tun0 in the screenshot, which is the most likely name if you have a single OpenVPN client/server running).

 

Click on Status on the top bar and then click on System Log to see the interface name.

A few lines from the system log where you can see the interface name of the OpenVPN client started with the configuration file FR:

Mon Nov 23 09:58:54 2020 daemon.notice openvpn(FR)[3416]: /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.20.0.1
Mon Nov 23 09:58:54 2020 daemon.notice openvpn(FR)[3416]: /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.20.0.1
Mon Nov 23 09:58:54 2020 daemon.notice openvpn(FR)[3416]: Initialization Sequence Completed

6. Run a test

Establish the VPN connection. Verify your client traffic is routed via VPN gateway.

6.1. Check your client public IP addresses.

6.2. Make sure there is no DNS leak on the client side.
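
A router-side check to go with step 6, as an added example that is not from ProtonVPN's article: it reads the system log shown in step 5.1-b and reports whether the named OpenVPN instance finished initialising with both half-default routes (0.0.0.0/1 and 128.0.0.0/1) pointing at the same gateway. The function names and status words are hypothetical, and the match on "process exiting" / "process restarting" is an assumption about OpenVPN's shutdown messages.

```shell
#!/bin/sh
# Added example, not ProtonVPN's code. Helper names are hypothetical.

# The three log lines shown in step 5.1-b, used here as sample input.
sample_log() {
    cat << "EOF"
Mon Nov 23 09:58:54 2020 daemon.notice openvpn(FR)[3416]: /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.20.0.1
Mon Nov 23 09:58:54 2020 daemon.notice openvpn(FR)[3416]: /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.20.0.1
Mon Nov 23 09:58:54 2020 daemon.notice openvpn(FR)[3416]: Initialization Sequence Completed
EOF
}

# Reads a system log on stdin and prints the state of one OpenVPN instance:
#   up <gateway>  both half-default routes point at the same VPN gateway
#   no-redirect   tunnel initialised, but the half-default routes are missing
#   down          never initialised, or exited/restarted afterwards
tunnel_status() {
    awk -v tag="openvpn($1)[" '
        index($0, tag) == 0 { next }   # line from another daemon or instance
        /route add -net 0\.0\.0\.0 netmask 128\.0\.0\.0 gw /   { low = $NF }
        /route add -net 128\.0\.0\.0 netmask 128\.0\.0\.0 gw / { high = $NF }
        /Initialization Sequence Completed/ { ready = 1 }
        # Assumption: OpenVPN logs "process exiting" or "process restarting"
        # when it stops, so anything seen before that line is stale.
        /process (exiting|restarting)/ { ready = 0; low = ""; high = "" }
        END {
            if (ready && low != "" && low == high) print "up " low
            else if (ready) print "no-redirect"
            else print "down"
        }'
}

sample_log | tunnel_status FR
```

On the router itself, the same function can be fed from the live log with logread | tunnel_status FR. A result of no-redirect means LAN traffic is still following the WAN default route even though the tunnel is connected.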
