This is a step-by-step guide to setting up Proton VPN on your DD-WRT router.
Introduction
If you set up your VPN account to work on your router, you can protect the online activity of each device connected to your WiFi. Below we explain how to get Proton VPN to work on your DD-WRT router.
But, you can skip this setup process by purchasing a pre-configured router from FlashRouters. FlashRouters makes it easy for anyone to have VPN security for all of the Internet-connected devices in their home, including smart phones, SmartTVs, and gaming consoles. No matter what Proton VPN plan you use, you can configure your router to work with your Proton VPN account. If you buy a Proton VPN pre-configured router, you will only need to enter your Proton VPN OpenVPN credentials.
Regardless of whether you are setting your router up yourself or using a pre-configured router, you will need your OpenVPN config files from the Proton VPN Dashboard.
Learn more: How to download OpenVPN config files for Proton VPN.
1. Basic router settings
Log in to your DD-WRT Administrative Interface, usually accomplished using your browser and opening the IP of your router (per default 192.168.1.1 or similar).
Navigate to Setup > Basic Setup.
Under Network Address Server Settings (DHCP), set the DNS values to the following Proton VPN DNS addresses:
(The DNS values depend on which transport protocol you want to use, either UDP or TCP. Learn more about UDP vs. TCP.)
If you are using UDP:
Static DNS 1 = 10.8.8.1 Static DNS 2 = 0.0.0.0 Static DNS 3 = 0.0.0.0 (default) Use DNSMasq for DHCP = Checked Use DNSMasq for DNS = Checked DHCP-Authoritative = Checked
NOTE: If you are a FREE user and using FREE servers to configure your router, you will have to use 10.8.0.1 for Static DNS 1
If you are using TCP:
Static DNS 1 = 10.7.7.1 Static DNS 2 = 0.0.0.0 Static DNS 3 = 0.0.0.0 (default) Use DNSMasq for DHCP = Checked Use DNSMasq for DNS = Checked DHCP-Authoritative = Checked
NOTE: If you are a FREE user and using FREE servers to configure your router, you will have to use 10.7.0.1 for Static DNS 1
Then, Save and Apply settings.
2. Disabling IPV6
Navigate to Setup > IPV6 and set IPv6 to Disable, then Save & Apply Settings. (this is a recommended step to make sure you get no IP leaks)
3. Open the desired *.ovpn config file with a text editor, such as Notepad.
In our example, we chose de-03.protonvpn.com.udp1194.ovpn as an example.
4. Configuring the OpenVPN service
Navigate to Service > VPN.
Under OpenVPN Client, set Start OpenVPN Client = Enable
Then set the necessary fields as follows:
Server IP/Name = copy the value in the line starting with 'remoteʼ, excluding the port number at the end, e.g., 123.123.123.123 or de.protonvpn.com Port = copy the value behind the server IP, e.g., 1194 or 443 Tunnel Device = TUN Tunnel Protocol = copy the value from the proto line, e.g., UDP or TCP Note: If you are using 10.8.8.1 or 10.8.0.1 as "Static DNS 1" in Step 1, then select UDP for Tunnel Protocol. If you are using 10.7.7.1 or 10.7.0.1 as "Static DNS 1" in Step 1, then select TCP for Tunnel Protocol. Encryption Cipher = AES-256-CBC Hash Algorithm = SHA-512 User Pass Authentication = Enable Username, Password = Your OpenVPN credentials If the Username and Password fields are missing, fill in the remaining fields and continue with step 5.1 Advanced Options = Enable (this will enable additional options) TLS Cipher = None LZO Compression = No NAT = Enable
Note 1: To find your OpenVPN username and password, go to your Proton Account. These are not the same as your regular Proton Account username and password.
Note 2: to use our NetShield DNS filtering feature, append the suffix +f1 to your Username to block malware, or +f2 to block malware, ads, and trackers (for example 123456789+f2).
Options not mentioned above should be kept with default values.
4.1. (Optional, depending on step 5.)
If the Username and Password fields are missing, go to Administration > Commands, and enter this code:
echo "YOURUSERNAME YOURPASSWORD" > /tmp/openvpncl/user.conf /usr/bin/killall openvpn /usr/sbin/openvpn --config /tmp/openvpncl/openvpn.conf --route-up /tmp/openvpncl/route-up.sh --down-pre /tmp/openvpncl/route-down.sh --daemon
Replace YOURUSERNAME and YOURPASSWORD with your respective OpenVPN login and OpenVPN password. If you do not know your OpenVPN credentials see this article.
Click Save Startup, and return to the previous VPN tab.
5. In Additional Config box either enter or copy/paste these commands:
tls-client remote-cert-tls server remote-random nobind tun-mtu 1500 tun-mtu-extra 32 mssfix 1450 persist-key persist-tun ping-timer-rem reneg-sec 0
#log /tmp/vpn.log
# Delete ‘#’ in the line below if your router does not have credentials fields and you followed step 4.1:
# auth-user-pass /tmp/openvpncl/user.conf
6. Copy the CA Cert into the respective field.
Be sure the entire text gets pasted in, including
—–BEGIN CERTIFICATE—– and —–END CERTIFICATE—– lines.
7. Copy the TLS Auth Key field into the respective field.
Be sure the entire text gets pasted in, including
—–BEGIN OpenVPN Static key V1—– and —–END OpenVPN Static key V1—– lines.
8. After entering all this data, Save and Apply Settings
9. To Verify the VPN is Working, Navigate to Status > OpenVPN
Under State, you should see the message: Client: CONNECTED SUCCESS.
10. To create a kill-switch,
Go into Administration > Commands, and enter this script:
WAN_IF=`nvram get wan_iface` iptables -I FORWARD -i br0 -o $WAN_IF -j REJECT --reject-with icmp-host-prohibited iptables -I FORWARD -i br0 -p tcp -o $WAN_IF -j REJECT --reject-with tcp-reset iptables -I FORWARD -i br0 -p udp -o $WAN_IF -j REJECT --reject-with udp-reset
Then select Save Firewall, Go into Administration > Management > Reboot router.
Hi, will your router VPN setup flash the router and change the firmware? If I am a free user, can I setup my router to your VPN.
Best Regards
0
Hello. We do not provide router flashing tutorials as they void warranty of your devices. This has to be performed under your own actions and if you are a free user, you will be able to connect to our services with a firmware on the router that supports OpenVPN.
0
I am using OpenVPN and the program say that I must put “CA private key”, but I don’t know where I could find so. I am trying use the IS-ES connection in ArchLInux, by OpenVPN-Network Manager plugin
0
Hello, the CA private key can be found in the connection config file itself, if it does not upload automatically when uploading the config, then we suggest using our linux command line tool instead to avoid issues and bugs that we do not stand for since Network manager is not a product developed by ProtonVPN.
0
Hello
I’m running a dual router setup whereby I have a stock Netgear D6300 as essentially my modem, to which I have a Netgear Nighthawk X10 DD-WRT router connected. I’m getting DNS leaks. Could you please advise?
Thanks
Tommo
0
Hello, we suggest contacting our customer support team for the troubleshooting of your current issue. https://protonvpn.com/support-form
0
Where can I find the instructions for OpenWRT?
0
Hello Stefan, currently we do not have an official guide for OpenWRT routers.
0
The single quotes on line 1 of the kill switch script need to be backticks (i.e. ` <– that thing by tilde), otherwise it fails to work as advertised. This kind of thing is why I prefer the $() construct.
0
Hey Emerald, we fixed it , thanks for the heads up!
0
Just set up on a new router (Linksys wrt3200acm) and all seems to be working. I didn’t realize difference in login credentials between OpenVPN and ProtonVPN, but other than that it is working. I’m wondering if multiple configs are possible using different servers, with ability to switch between them in dd-wrt?
0
Hello Chris. Sadly but no, DD-WRT does not have profiles that you could pre-configure and switch in between.
0
I keep getting fail to resolve us-free-01.protonvpn.com and us-free-02.protonvpn.com
0
Hello Dave, we would ask you to contact our customer support team via this form as we need a more detailed investigation to see where the issue might be. https://protonvpn.com/support-form
0
Followed the instructions and works fine. Using dd-wrt
DD-WRT v3.0-r34311 std (12/29/17)
on a tp-link TL-WDR3600
0
Trying to create a vpn server do we set this up on the client side or server? Using a ddwrt router and has the option of setting this up as a server however the config files are for a client not server. This tutorial is to set up a client on ddwrt router, how can i set the router up as a server?
Please advise thank you!
0
Hello. We only provide client option for the ProtonVPN services and setting up a VPN server on your router is not provided by us nor the tutorial for it since that would be using your own VPN services.
0
All the article links are missing. try search for `[` and you can see which are missing. Looks like wrong wiki syntax.
0
Hello Sha, what exactly are you pointing out may we ask? you can contact our customer support team and let us know there too! https://protonvpn.com/support-form
0
They are saying that in your article above, whenever you say to follow “[this article]”, the links don’t exist. There are no hyperlinks, just plaintext that said “[this article].”
Ie:
“If you do not know your OpenVPN credentials see [this article]”
They recommended you search the page for “[” because that character only appears in instances where you tell us to click a (non-existent) hyperlink.
0
Thank you for pointing that out, this has been fixed!
0
No VPN connection by usein Static DNS 1 = 10.8.8.1 like descibe on How to. No problem with other DNS server. Please fix the wrong how to.
0
Hello Amanda, please try using 10.8.0.1 or 10.7.7.1 and contact our support regarding your issue, https://protonvpn.com/support-form
0
I have followed the steps, but somehow the Status shows nothing, can’t get the OpenVPN connected. Under the Status – OpnVPN, is showing like below:
State
Server: : Local Address: Remote Address: Client: : Local Address: Remote Address:
Under the log section I have the following message:
Serverlog Clientlog 20180418 19:47:54 I OpenVPN 2.3.0 mipsel-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Mar 25 2013
20180418 19:47:54 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:16
20180418 19:47:54 W WARNING: file ‘/tmp/openvpncl/user.conf’ is group or others accessible
20180418 19:47:54 W NOTE: the current –script-security setting may allow this configuration to call user-defined scripts
20180418 19:47:54 W WARNING: file ‘/tmp/openvpncl/ta.key’ is group or others accessible
20180418 19:47:54 I Control Channel Authentication: using ‘/tmp/openvpncl/ta.key’ as a OpenVPN static key file
20180418 19:47:54 Outgoing Control Channel Authentication: Using 512 bit message hash ‘SHA512’ for HMAC authentication
20180418 19:47:54 Incoming Control Channel Authentication: Using 512 bit message hash ‘SHA512’ for HMAC authentication
20180418 19:47:54 Socket Buffers: R=[114688->131072] S=[114688->131072]
20180418 19:47:54 I UDPv4 link local: [undef]
20180418 19:47:54 I UDPv4 link remote: [AF_INET]108.59.0.37:1194
20180418 19:47:54 TLS: Initial packet from [AF_INET]108.59.0.37:1194 sid=53436fc2 45409790
20180418 19:47:54 W WARNING: this configuration may cache passwords in memory — use the auth-nocache option to prevent this
20180418 19:47:54 VERIFY OK: depth=2 C=CH O=ProtonVPN AG CN=ProtonVPN Root CA
20180418 19:47:54 VERIFY OK: depth=1 C=CH O=ProtonVPN AG CN=ProtonVPN Intermediate CA 1
20180418 19:47:54 Validating certificate key usage
20180418 19:47:54 NOTE: –mute triggered…
20180418 19:48:01 6 variation(s) on previous 3 message(s) suppressed by –mute
20180418 19:48:01 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20180418 19:48:01 D MANAGEMENT: CMD ‘state’
20180418 19:48:01 MANAGEMENT: Client disconnected
20180418 19:48:01 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20180418 19:48:01 D MANAGEMENT: CMD ‘state’
20180418 19:48:01 MANAGEMENT: Client disconnected
20180418 19:48:01 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20180418 19:48:01 D MANAGEMENT: CMD ‘state’
20180418 19:48:01 MANAGEMENT: Client disconnected
20180418 19:48:01 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20180418 19:48:01 D MANAGEMENT: CMD ‘log 500’
19700101 00:00:00
0
Hello Francesco, have you tried using a few different servers with different protocols , udp/tcp? Please contact our support team regarding that. https://protonvpn.com/support-form
0
It seems the killswitch feature doesn’t work. After I set everything up (including firewall settings), I ran ‘killall openvpn’ command in the router to simulate VPN going down. I was still able to surf the internet using my own ISP IP.
0
Hello, if you are able to surf the internet even with that killswitch script as in our tutorial for the dd-wrt router, then there is something wrong with the script or error in it. This script will kill all network even if you disconnect the VPN yourself.
0
Hello, I need to hide my IP address. Do you do that with the dns or how does it work.
0
Hello Terry, with our VPN services you can hide IP addresses and get encrypted traffic too, so you are secure online and no one can see your online activities. Currently we ave applications that are easy to operate for Windows, macOS and android devices. iOS application is yet to come. :)
0
My connection is successful and the VPN seems to be running however, I am not sure what steps I need to take next as I am unable to connect to any web pages even-though my status on all network devices states that I am connected to the Internet. I have a Server-client topology where my router is only the gateway and my server hands out DHCP. I am using a Linksys WRT 3700 ACM Router using DD-WRT as firmware.
0
Hello, May we ask, have you tried running pings? Try pining hostname like google.com and then their IP or DNS IP, like 8.8.8.8 . If IP does ping and hostname doesn’t it means that there is an issue with DNS settings. Please contact our support team for the investigation. https://protonvpn.com/support-form
0
Can I change remote-random to remote-fastest to get the fastest server?
0
Hello. remote-fastest is not an option and it does not exist. Remote-random is not randomly selecting a server for you. You can find more information about it here – https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
0
When I enter a domain like de.protonvpn.com, then the status stays in “reconnect”. When I use an IP address it works fine. My internet connection is provided via static IP. I set up the DNS as described. What could be the reason?
0
Hello,
It may be that you are entering wrong hostname address. Please contact our support team about it. https://protonvpn.com/support-form
0
Adding “How to setup ProtonVPN on “Open-WRT routers” will be great.
VBR
0
Hello,
We will consider doing so in the future, thank you for the suggestion. :)
0
I was able to setup a GL-MT300N-V2 OpenWrt router by uploading the ProtonVPN DD-WRT ovpn configuration files and setting the DNS to be 10.8.0.1 and 9.9.9.9. Passes DNS leak test :-)
0
The GL-MT300N-V2 OpenWrt router is working with Proton VPN by useing other than 10.8.0.1 DNS. If you configure 9.9.9.9. as only one DNS its working too. Thats looks like, the Proton DNS 10.8.0.1 still not working.
0
Hello. 10.x.x.x is not a physical DNS server. By using let say 10.8.8.1 you set DNS address to call for the serve IP and since our all VPN servers run DNS server on them, thus you can use this to prevent leaks. You cant ping 10.8.8.1 while not connected to the VPN since that is not a DNS server like for example google 8.8.8.8, its a Subnet.
0
I have exactly the same issue as Fran above. The log just abruptly ends with:
20180308 22:46:38 D MANAGEMENT: CMD ‘log 500’
19700101 01:00:00
Any thoughts?
0
I figured it out! I was using my protonvpn username and password instead of the openvpn username and password. I also had to factory reset the dd-wrt and install from scratch to ensure all settings were on default, except for the server domain, which I changed to 192.168.0.1 (default is 192.168.1.1). All working now!
0
I cannot get this to work. I have tried ever suggestion in the comments including removing the last 3 lines and nothing. I just end up like Peng. Not sure what im doing wrong.
0
Hello,
Please contact our support team with all detailed information of your router and screenshots of its configuration that we could investigate.
https://protonvpn.com/support-form
0
I keep getting this warning in my log, Feb 26 12:28:43 DD-WRT daemon.warn openvpn[4347]: Option ‘explicit-exit-notify’ in [PUSH-OPTIONS]:5 is ignored by previous blocks. I don’t notice ‘explicit-exit-notify’ in my openvpn.conf file.
0
Hello,
Could you please send some screenshots of your current router configuration to our support team using our support form:
https://protonvpn.com/support-form
0
Does anyone know how to configure the VPN on follow ?
# Open WRT Router
# AVM Fritz Box
0
Open WRT are working with Linux and DDWRT server config files and with country config files. Multi hop are not tested by me, depend on still waiting for onetime lifetime payment ffer and invoice…
0
My router GUI looks a bit different and am missing some fields. I have WRT54G 2.2.
I see fields for Public Server cert, Public Client Cert, Private Client key.
There are no fields for Additional Config, encryption cipher or hash algorithm.
0
Hello.
Private client key = TLS auth key.
Public server cert = CA cert. Try doing it this way and if you have any issues feel free to contact our support at https://protonvpn.com/support-form
0
Does anyone know how to configure the VPN on Asus Router’s?
0
Hello, regarding the Asus router configuration we will need to have some correspondence, so please create a ticket through the following link, and we will assist you with the setup:
https://protonvpn.com/support-form
0
Where do I get the ca cert and tls auth key? And also whenever I open the opvn file in notepad it’s all encrypted. How can I view it in plain text?
0
Hey, each configuration file does have both CA Certificate TLS Auth key, they both begin with —–BEGIN CERTIFICATE—– for cert and —–BEGIN OpenVPN Static key V1—– for key. If you need both of them separately, you can copy/paste the info to a plain text file or write us an e-mail via our contact form and we will send them to you.
0
How do you connect to “Secure Core” servers using DD-WRT? The GUI only allows a single IP address for the VPN server.
0
Is Ddwrt Openvpn supported for free Proton VPN users?
0
Hey,
It is supported indeed. You can download the free config files from the Downloads category on your account (in the Server configs tab), and set-up your router. We have a guide for the setup, which you can find on the following link:
https://protonvpn.com/support/vpn-router-ddwrt/
0
I can’t find the download for the .ovpn file. Can anyone provide a link?
0
log in to account.protonvpn.com and on the left side you will see the Download section
0
What is the top VPN speed you’ve achieved on a DD-WRT and what router?
0
Any recommendations on the best router to use for ProtonVPN?
Thank you
0
Some points I found:
1. If you copy the # lines from step 6, in my setup at least, the word ‘step’ from the second last line appears on a new line and I think made the whole connection fail – I just removed all 3 # lines altogether.
2. The kill switch settings as per step 11 did just that – they killed my connection – so I’m not using that. Either somethings wrong with that command or my set-up.
3. It takes a while for the VPN connection to be established (far longer than my previous PIA setup).
Anyways, thanks ProtonVPN. Will plug away with this – hopefully your speeds stay as are (PIA slowed down my internet speed heaps)
0
“Static DNS 1 = 10.8.8.1”
I think the right IP is 10.8.0.1, not 10.8.8.1
0
Hi, I followed all the steps mentioned above and I’m getting tls-error message: “19700101 01:04:23 Socket Buffers: R=[172032->131072] S=[172032->131072]
19700101 01:04:23 I UDPv4 link local: [undef]
19700101 01:04:23 I UDPv4 link remote: [AF_INET]185.159.156.3:1194
19700101 01:04:23 N TLS_ERROR: BIO read tls_read_plaintext error: error:140830B5:lib(20):func(131):reason(181)
19700101 01:04:23 N TLS Error: TLS object -> incoming plaintext read error
19700101 01:04:23 N TLS Error: TLS handshake failed
19700101 01:04:23 I SIGUSR1[soft tls-error] received process restarting
19700101 01:04:23 Restart pause 2 second(s) ”
0
After router restart it doesn’t reconnect with other vpn providers it works
0
I have followed the steps, but somehow the Status shows nothing, can’t get the OpenVPN connected. Under the Status – OpnVPN, is showing like below:
State
Server: : Local Address: Remote Address: Client: : Local Address: Remote Address:
Status
Log
Serverlog Clientlog
0
Make sure you uncomment the last line in Step 6. This solved the issue for me.
0
I erased the comment, lost internet connection and got this in Log:
Serverlog Clientlog 20170717 08:03:51 I OpenVPN 2.3.0 mipsel-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Mar 25 2013
20170717 08:03:51 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:16
20170717 08:03:51 W WARNING: file ‘/tmp/openvpncl/user.conf’ is group or others accessible
20170717 08:03:51 W WARNING: –ping should normally be used with –ping-restart or –ping-exit
20170717 08:03:51 W NOTE: the current –script-security setting may allow this configuration to call user-defined scripts
20170717 08:03:51 W WARNING: file ‘/tmp/openvpncl/ta.key’ is group or others accessible
20170717 08:03:51 I Control Channel Authentication: using ‘/tmp/openvpncl/ta.key’ as a OpenVPN static key file
20170717 08:03:51 Outgoing Control Channel Authentication: Using 512 bit message hash ‘SHA512’ for HMAC authentication
20170717 08:03:51 Incoming Control Channel Authentication: Using 512 bit message hash ‘SHA512’ for HMAC authentication
20170717 08:03:51 Socket Buffers: R=[114688->131072] S=[114688->131072]
20170717 08:03:51 I UDPv4 link local: [undef]
20170717 08:03:51 I UDPv4 link remote: [AF_INET]209.58.129.100:1194
20170717 08:03:51 TLS: Initial packet from [AF_INET]209.58.129.100:1194 sid=a61723dc 52fb6efb
20170717 08:03:51 W WARNING: this configuration may cache passwords in memory — use the auth-nocache option to prevent this
20170717 08:03:52 VERIFY OK: depth=2 C=CH O=ProtonVPN AG CN=ProtonVPN Root CA
20170717 08:03:52 VERIFY OK: depth=1 C=CH O=ProtonVPN AG CN=ProtonVPN Intermediate CA 1
20170717 08:03:52 Validating certificate key usage
20170717 08:03:52 NOTE: –mute triggered…
20170717 08:03:57 6 variation(s) on previous 3 message(s) suppressed by –mute
20170717 08:03:57 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20170717 08:03:57 D MANAGEMENT: CMD ‘state’
20170717 08:03:57 MANAGEMENT: Client disconnected
20170717 08:03:57 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20170717 08:03:57 D MANAGEMENT: CMD ‘state’
20170717 08:03:57 MANAGEMENT: Client disconnected
20170717 08:03:57 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20170717 08:03:57 D MANAGEMENT: CMD ‘state’
20170717 08:03:57 MANAGEMENT: Client disconnected
20170717 08:03:57 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20170717 08:03:57 D MANAGEMENT: CMD ‘log 500’
19700101 00:00:00
0
Starting a new service without IPv6 is sad. Openvpn supports IPv6.
0
IPv6 support is in the making and coming in the future. In the meantime, having a working solution for IPv4 is better than none :)
0