Return to Facebook   Twitter   Reddit   Instagram   ProtonMail
Support Center / Download and setup / How to set up ProtonVPN on OpenWRT routers

How to set up ProtonVPN on OpenWRT routers

In this article, we are going to cover the basic VPN setup process on an OpenWRT router so that it can connect directly to the ProtonVPN servers.

Learn more about why you should set up a VPN on your router

We don’t recommend setting up a VPN connection if you aren’t a tech-savvy user. Please be aware that OpenWRT 18.06 is no longer officially supported. We therefore suggest updating to OpenWRT 21.02, which supports the newer and faster OpenVPN 2.5.

1. Install needed packages

Install openvpn-openssl and luci-app-openvpn to be able to manage OpenVPN using the web interface.

A new page in the web interface should appear.

Navigate to VPN → OpenVPN to open the OpenVPN config management page.

2. Upload and edit an OpenVPN config file

This is available starting with the OpenWRT 19.07.

Log in to your ProtonVPN account and click the Downloads category. You can download the desired configuration files by selecting the Router option.

Then, go back to Openvpn and scroll down to the OVPN configuration file upload section. Browse (1) and get the desired configuration file that you have just downloaded. Give it a name (2) and upload it (3).

The configuration file will appear in the table of available OpenVPN configurations. You can now edit it.

Search for the line that begins with auth-user-pass in the first text box. Edit by adding the full path to the username/password .auth file, visible in the text just above the second text box (1). For the example below, this would be:

auth-user-pass /etc/openvpn/FR.auth

In the second box, enter the OpenVPN/IKEv2 username and password you retrieve on your account (2). Note: to use our NetShield DNS filtering feature, append the suffix +f1 to your username to block malware, or +f2  to block malware, ads, and trackers (for example 123456789+f2).

Back in the first box, add the following line to the configuration file (3). Note: this is not required for OpenWRT 21.02+.

script-security 2
up /etc/openvpn/
down /etc/openvpn/

Save the configuration file.

Go back to VPN → OpenVPN then click on Save & Apply

3. Add DNS updater script (skip this step if running OpenWRT 21.0+)

Log in on your router via SSH client with root user. Type the following in the terminal:

cat << "EOF" > /etc/openvpn/
env | sed -n -e "
" | sort -u > /tmp/resolv.conf.vpn
case ${script_type} in
(up) uci set dhcp.@dnsmasq[0].resolvfile="/tmp/resolv.conf.vpn" ;;
(down) uci revert dhcp ;;
/etc/init.d/dnsmasq restart &
chmod +x /etc/openvpn/

Exit your shell.

4. Start and enable the client

Start the client by pressing the Start button in the table of available configurations. This can take up to 10 seconds to complete, as OpenVPN startup and shutdown are slow.

If you want this VPN client connection to start on boot and always remain active, tick the Enabled checkbox.

Click Save & Apply to save changes.

5. Firewall

At this point, the VPN is set up and your router can use it. However, the devices in the LAN of your router won’t be able to access the Internet anymore. To do this, you need to set the VPN network interface as public by assigning a VPN interface to WAN zone.

Click on Network in the top bar and then on Firewall to open the firewall configuration page, then click on the Edit button of the wan (red) zone in the Zones list at the bottom of the page.

Edit wan zone

Click on the Advanced Settings tab and select the tunX interface (tun0 in the screenshot, which is the most likely if you have a single OpenVPN client/server running). Click Save, then Save & Apply.

Click on Status on the top bar and then click on System Log to see the interface name.

A few lines from the system log where you can see the interface name of the OpenVPN client started with the configuration file FR

Mon Nov 23 09:58:54 2020 daemon.notice openvpn(FR)[3416]: /sbin/route add -net netmask gw
Mon Nov 23 09:58:54 2020 daemon.notice openvpn(FR)[3416]: /sbin/route add -net netmask gw
Mon Nov 23 09:58:54 2020 daemon.notice openvpn(FR)[3416]: Initialization Sequence Completed

6. Run a test

Establish the VPN connection. Verify your client traffic is routed via VPN gateway.

6.1. Check your client’s public IP addresses.

6.2. Make sure there is no DNS leak on the client-side.

Leave a Reply

Your email address will not be published. Required fields are marked *

Didn't find the answer you were looking for? We're happy to help you!Contact Our Support Team

Secure your internet

Get ProtonVPN

For customer support inquiries, please submit the following form for the fastest response:
Support Form

For all other inquiries:

Version: OpenPGP.js v4.10.10


You can also Tweet to us: