How to set up ProtonVPN on OpenWRT routers

In this article, we are going to cover the basic VPN setup process on an OpenWRT router so that it can connect directly to the ProtonVPN servers.

Learn more about why you should set up a VPN on your router

We don’t recommend setting up a VPN connection if you aren’t a tech-savvy user.

1. Install needed packages

Install openvpn-openssl and luci-app-openvpn to be able to manage OpenVPN using the web interface.

A new page in the web interface should appear.

Navigate to VPN → OpenVPN to open the OpenVPN config management page.

2. Upload and edit an OpenVPN config file

This is available starting with the OpenWrt 19.07 version.

Log in to your ProtonVPN account and click the Downloads category. You can download the desired configuration files by selecting the Router option.

Then, go back to OpenVPN and scroll down to the OVPN configuration file upload section. Browse (1) and select the configuration file that you have just downloaded. Give it a name (2) and upload it (3).

The configuration file will appear in the table of available OpenVPN configurations. You can now edit it.

 

Search for the line that begins with auth-user-pass in the first text box. Edit by adding the full path to the username/password .auth file, visible in the text just above the second text box (1). For the example below, this would be:

auth-user-pass /etc/openvpn/FR.auth

In the second box, enter the OpenVPN/IKEv2 username and password that you retrieve from your account (2). Note: to use our NetShield DNS filtering feature, append the suffix +f1 to your username to block malware, or +f2 to block malware, ads, and trackers (for example 123456789+f2).

Back in the first box, add the following lines to the configuration file (3):

script-security 2
up /etc/openvpn/client.sh
down /etc/openvpn/client.sh

Save the configuration file.

Go back to VPN → OpenVPN, then click on Save & Apply.

3. Add DNS updater script

Log in to your router as the root user with an SSH client. Type the following in the terminal:

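cat << "EOF" > /etc/openvpn/client.sh
#!/bin/sh
# Collect the DNS servers and search domains pushed by the VPN server
# (OpenVPN exposes them as foreign_option_* environment variables).
env | sed -n -e "
/^foreign_option_.*=dhcp-option.*DNS/s//nameserver/p
/^foreign_option_.*=dhcp-option.*DOMAIN/s//search/p
" | sort -u > /tmp/resolv.conf.vpn
# On connect, point dnsmasq at the VPN resolvers; on disconnect, undo it.
case ${script_type} in
(up) uci set dhcp.@dnsmasq[0].resolvfile="/tmp/resolv.conf.vpn" ;;
(down) uci revert dhcp ;;
esac
/etc/init.d/dnsmasq restart &
EOF
chmod +x /etc/openvpn/client.sh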

Exit your shell.
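
The result of steps 2 and 3 can be checked before starting the client. The following POSIX shell check is an added example, not part of the original article or of ProtonVPN's tooling; the function names and the sample files it builds in a scratch directory are constructed for illustration. It confirms that auth-user-pass points at a private credentials file, that script-security 2 is set, and that the up/down scripts (which run as root) are executable and not writable by group or other.

```shell
#!/bin/sh
# Added example: lint an OpenVPN client config prepared as in steps 2 and 3.
# check_ovpn_config prints one line per finding and returns the finding count.

# Group+other mode bits of a file, e.g. "------" for 0600, "r-xr-x" for 0755.
go_bits() { ls -ld "$1" | cut -c5-10; }
fail() { echo "FAIL: $*"; issues=$((issues + 1)); }

check_ovpn_config() {
    conf=$1 issues=0
    # auth-user-pass must name an absolute path to a private credentials file.
    auth=$(awk '$1 == "auth-user-pass" { print $2; exit }' "$conf")
    case $auth in
        /*) if [ ! -f "$auth" ]; then fail "credentials file $auth is missing"
            elif [ "$(go_bits "$auth")" != "------" ]; then
                fail "$auth is accessible to group/other (chmod 600)"
            fi ;;
        *)  fail "auth-user-pass has no absolute path" ;;
    esac
    # up/down hooks are only executed when script-security is 2 or higher.
    level=$(awk '$1 == "script-security" { print $2; exit }' "$conf")
    case $level in 2|3) ;; *) fail "script-security 2 is not set" ;; esac
    # Hooks run as root: require executable, not writable by group/other.
    for hook in up down; do
        script=$(awk -v h="$hook" '$1 == h { print $2; exit }' "$conf")
        if [ -z "$script" ]; then fail "no $hook script configured"
        elif [ ! -x "$script" ]; then fail "$script missing or not executable"
        else case $(go_bits "$script") in
                 ?w????|????w?) fail "$script is writable by group/other" ;;
             esac
        fi
    done
    return "$issues"
}

# Constructed sample: the article's layout in a scratch directory, with the
# credentials file deliberately left world-readable (0644) -> one finding.
demo() {
    d=$(mktemp -d)
    printf 'user+f2\nsecret\n' > "$d/FR.auth"; chmod 644 "$d/FR.auth"
    printf '#!/bin/sh\n' > "$d/client.sh"; chmod 755 "$d/client.sh"
    printf '%s\n' "auth-user-pass $d/FR.auth" "script-security 2" \
        "up $d/client.sh" "down $d/client.sh" > "$d/FR.ovpn"
    check_ovpn_config "$d/FR.ovpn"; rc=$?
    rm -rf "$d"; return "$rc"
}
demo || echo "$? finding(s)"
```

On the router, call check_ovpn_config with the path of the uploaded configuration file; a return value of 0 means no findings.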

4. Start and enable the client

Start the client by pressing the Start button in the table of available configurations. This can take up to 10 seconds to complete, as OpenVPN startup and shutdown are slow.

If you want this VPN client connection to start on boot and remain always active, tick the Enable checkbox.

Note: If clicking the Start button in the table fails to start the VPN instance, tick the Enable checkbox and press the Save & Apply button.

5. Firewall

At this point, the VPN is set up and your router can use it. However, the devices in the LAN of your router won’t be able to access the Internet anymore. To restore their access, you need to set the VPN network interface as public by assigning the VPN interface to the WAN zone.

5.1-a With OpenWRT versions up to 18.06 and 19.07

  1. Click on Network in the top bar and then on Interfaces to open the interfaces configuration page.
  2. Click on the Add new Interface… button.
  3. Fill the form with the following values: Name = tun0, Protocol = Unmanaged, Interface = tun0. Then click on Create Interface.
  4. Edit the interface.
  5. In panel General Settings: unselect the checkbox Bring up on boot.
  6. In panel Firewall Settings: set Assign firewall-zone to wan.
  7. Click on Save and Apply the new configuration.
  8. Reboot the router.

5.1-b With OpenWRT 19.07 (alternative to the above step 5.1-a)

Click on Network in the top bar and then on Firewall to open the firewall configuration page.

Click on the Edit button of the wan (red) zone in the Zones list at the bottom of the page.

Click on the Advanced Settings tab and select the tunX interface (tun0 in the screenshot, which is the most likely name if you have a single OpenVPN client/server running).

Click on Status on the top bar and then click on System Log to see the interface name.

A few lines from the system log where you can see the interface name of the OpenVPN client started with the configuration file FR:

Mon Nov 23 09:58:54 2020 daemon.notice openvpn(FR)[3416]: /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.20.0.1
Mon Nov 23 09:58:54 2020 daemon.notice openvpn(FR)[3416]: /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.20.0.1
Mon Nov 23 09:58:54 2020 daemon.notice openvpn(FR)[3416]: Initialization Sequence Completed

6. Run a test

Establish the VPN connection. Verify your client traffic is routed via VPN gateway.

6.1. Check your client public IP addresses.

6.2. Make sure there is no DNS leak on the client side.
