
How to set up ProtonVPN on DD-WRT routers

A step-by-step guide to setting up ProtonVPN on your DD-WRT router.

Before you start, download the desired OpenVPN config from the ProtonVPN Dashboard. For detailed instructions check out [how to download OpenVPN config files for ProtonVPN].

1. Basic router settings

Log in to your DD-WRT administrative interface, usually by opening your router's IP address in a browser (by default 192.168.1.1 or similar).

Navigate to Setup > Basic Setup.

Under Network Address Server Settings (DHCP), set the DNS values to the following ProtonVPN DNS addresses:

Static DNS 1 = 10.8.8.1
Static DNS 2 = 0.0.0.0
Static DNS 3 = 0.0.0.0 (default)
Use DNSMasq for DHCP = Checked
Use DNSMasq for DNS = Checked
DHCP-Authoritative = Checked

NOTE: If you are a FREE user and are using FREE servers to configure your router, you will have to use 10.8.0.1 for Static DNS 1.

Then, Save and Apply settings.

2. Disabling IPv6

Navigate to Setup > IPV6 and set IPv6 to Disable, then Save & Apply Settings. This step is recommended to make sure you get no IP leaks.

4. Open the desired *.ovpn config file with a text editor, such as Notepad.

In our example we chose de-03.protonvpn.com.udp1194.ovpn.

5. Configuring the OpenVPN service

Navigate to Service > VPN.

Under OpenVPN Client, set Start OpenVPN Client = Enable

Then set the necessary fields as follows:
Server IP/Name = copy the value in the line starting with 'remote', excluding the port number at the end, e.g. 123.123.123.123 or de.protonvpn.com
Port = copy the value behind the server IP, e.g. 1194 or 443
Tunnel Device = TUN
Tunnel Protocol = copy the value from the proto line, e.g. UDP or TCP
Encryption Cipher = AES-256-CBC
Hash Algorithm = SHA-512
User Pass Authentication = Enable
Username, Password = Your OpenVPN credentials
Note: If the Username and Password fields are missing, fill in the remaining fields and continue with step 5.1
Advanced Options = Enable (this will enable additional options)
TLS Cipher = None
LZO Compression = Yes
NAT = Enable

If you do not know your OpenVPN credentials please visit your account page here. The options not mentioned above should be kept with default values.

5.1. (Optional, depending on step 5.)

If the Username and Password fields are missing, go to Administration > Commands, and enter this code:
echo "YOURUSERNAME
YOURPASSWORD" > /tmp/openvpncl/user.conf
/usr/bin/killall openvpn
/usr/sbin/openvpn --config /tmp/openvpncl/openvpn.conf --route-up /tmp/openvpncl/route-up.sh --down-pre /tmp/openvpncl/route-down.sh --daemon

Replace YOURUSERNAME and YOURPASSWORD with your OpenVPN login and OpenVPN password respectively. If you do not know your OpenVPN credentials, see [this article].

Click Save Startup, and return to the previous VPN tab.

6. In the Additional Config box, enter or copy/paste these lines:

tls-client
remote-cert-tls server
remote-random
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ping-timer-rem
reneg-sec 0

#log /tmp/vpn.log
# If your router has no credentials fields and you followed step 5.1,
# delete the '#' at the start of the line below:
# auth-user-pass /tmp/openvpncl/user.conf

7. Copy the CA Cert into the respective field.

Be sure the entire text gets pasted in, including
-----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.

8. Copy the TLS Auth Key field into the respective field.

Be sure the entire text gets pasted in, including
-----BEGIN OpenVPN Static key V1----- and -----END OpenVPN Static key V1----- lines.

9. After entering all this data, Save and Apply Settings
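
The values that steps 4 to 8 copy by hand can also be pulled out of the .ovpn file with a short script. This is an added example, not part of ProtonVPN's guide; it assumes the file carries the CA certificate and TLS auth key as OpenVPN inline <ca> and <tls-auth> blocks, and the sample file, its 203.0.113.x addresses and the function names are constructed for illustration.

```shell
# Constructed sample .ovpn: placeholder certificate/key bodies, documentation IPs.
sample_ovpn() {
cat <<'EOF'
client
dev tun
proto udp
remote 203.0.113.10 1194
remote 203.0.113.11 1194
cipher AES-256-CBC
auth SHA512
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDERCERTBODY
-----END CERTIFICATE-----
</ca>
key-direction 1
<tls-auth>
# 2048 bit OpenVPN static key
-----BEGIN OpenVPN Static key V1-----
00placeholder00
-----END OpenVPN Static key V1-----
</tls-auth>
EOF
}

# ovpn_directive FILE NAME [FIELD]: print field FIELD (default 2) of the first
# line whose first word is NAME. Strips CR so Notepad-saved files also work.
ovpn_directive() {
    awk -v name="$2" -v f="${3:-2}" '
        { sub(/\r$/, "") }
        $1 == name { print $f; exit }
    ' "$1"
}

# ovpn_block FILE TAG: print the inline <TAG> body from its BEGIN line to its
# END line inclusive, which is exactly what the DD-WRT text fields expect.
ovpn_block() {
    awk -v tag="$2" '
        { sub(/\r$/, "") }
        $0 == ("<" tag ">")  { inside = 1; next }
        $0 == ("</" tag ">") { inside = 0 }
        inside && /^-----BEGIN / { keep = 1 }
        inside && keep { print }
        /^-----END / { keep = 0 }
    ' "$1"
}

# ovpn_summary FILE: print the step 5 fields under their DD-WRT GUI labels.
ovpn_summary() {
    echo "Server IP/Name = $(ovpn_directive "$1" remote 2)"
    echo "Port = $(ovpn_directive "$1" remote 3)"
    echo "Tunnel Protocol = $(ovpn_directive "$1" proto 2 | tr 'a-z' 'A-Z')"
}

# Demo on the constructed sample.
f=$(mktemp) && sample_ovpn > "$f"
ovpn_summary "$f"
echo "--- CA Cert ---";      ovpn_block "$f" ca
echo "--- TLS Auth Key ---"; ovpn_block "$f" tls-auth
rm -f "$f"
```

Only the first remote line is reported, since the DD-WRT form takes a single server.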

10. To verify the VPN is working, navigate to Status > OpenVPN

Under State, you should see the message: Client: CONNECTED SUCCESS.

11. To create a kill-switch,

Go into Administration > Commands, and enter this script:
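# Look up the WAN interface name; this has to be command substitution, not a quoted string.
WAN_IF=$(nvram get wan_iface)
# Reject everything forwarded from the LAN bridge (br0) straight out of the WAN interface.
iptables -I FORWARD -i br0 -o "$WAN_IF" -j REJECT --reject-with icmp-host-prohibited
iptables -I FORWARD -i br0 -p tcp -o "$WAN_IF" -j REJECT --reject-with tcp-reset
# iptables has no udp-reset reject type; UDP is answered with ICMP port-unreachable instead.
iptables -I FORWARD -i br0 -p udp -o "$WAN_IF" -j REJECT --reject-with icmp-port-unreachable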

Then select Save Firewall and go to Administration > Management > Reboot router.
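
To confirm after the reboot that the kill-switch rules actually landed in the FORWARD chain, the rule listing can be checked. This is an added example, not part of ProtonVPN's guide: the function name killswitch_verdict, the interface names vlan2 and tun1 and the three listings are constructed, and the check only looks at rules that name br0 and the WAN interface explicitly.

```shell
# On the router:
#   iptables -L FORWARD -v -n | killswitch_verdict "$(nvram get wan_iface)"

# killswitch_verdict WAN_IF [LAN_IF]: read an `iptables -L FORWARD -v -n`
# listing on stdin and print one of:
#   armed    - an all-protocol REJECT/DROP for LAN_IF -> WAN_IF comes first
#   bypassed - an ACCEPT for LAN_IF -> WAN_IF is reached before any such rule
#   missing  - no blocking rule for that pair (also the result for an empty WAN_IF)
killswitch_verdict() {
    awk -v wan="$1" -v lan="${2:-br0}" '
        $1 == "Chain" || $1 == "pkts" { next }   # header lines
        # Columns: pkts bytes target prot opt in out source destination ...
        $6 == lan && $7 == wan {
            if ($3 == "ACCEPT") { print "bypassed"; done = 1; exit }
            # Some iptables versions print 0 instead of "all" with -n.
            if (($3 == "REJECT" || $3 == "DROP") && ($4 == "all" || $4 == "0")) {
                print "armed"; done = 1; exit
            }
        }
        END { if (!done) print "missing" }
    '
}

# Constructed listings (not captured from a real router).
sample_armed() {
cat <<'EOF'
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     udp  --  br0    vlan2   0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
    0     0 REJECT     tcp  --  br0    vlan2   0.0.0.0/0            0.0.0.0/0           reject-with tcp-reset
    0     0 REJECT     all  --  br0    vlan2   0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
  12K  900K ACCEPT     all  --  br0    tun1    0.0.0.0/0            0.0.0.0/0
EOF
}

sample_bypassed() {
cat <<'EOF'
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   40  3200 ACCEPT     all  --  br0    vlan2   0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     all  --  br0    vlan2   0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
EOF
}

sample_missing() {
cat <<'EOF'
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  300 24000 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
   12   900 ACCEPT     all  --  br0    tun1    0.0.0.0/0            0.0.0.0/0
EOF
}

# Demo on the constructed listings.
for s in sample_armed sample_bypassed sample_missing; do
    echo "$s: $($s | killswitch_verdict vlan2)"
done
```

A verdict of missing means none of the three iptables commands took effect, for instance because the WAN interface name was empty or wrong when they ran.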

 


53 comments

  1. Sha

    All the article links are missing. Try searching for `[` and you can see which are missing. Looks like wrong wiki syntax.

  2. ProtonVPN Team

    Hello Sha, what exactly are you pointing out, may we ask? You can contact our customer support team and let us know there too! https://protonvpn.com/support-form

  3. Quabbity

    They are saying that in your article above, whenever you say to follow “[this article]”, the links don’t exist. There are no hyperlinks, just plaintext that said “[this article].”

    Ie:
    “If you do not know your OpenVPN credentials see [this article]”

    They recommended you search the page for “[” because that character only appears in instances where you tell us to click a (non-existent) hyperlink.

  4. ProtonVPN Team

    Thank you for pointing that out, this has been fixed!

  5. Amanda

    No VPN connection when using Static DNS 1 = 10.8.8.1 as described in the how-to. No problem with other DNS servers. Please fix the wrong how-to.

  6. ProtonVPN Team

    Hello Amanda, please try using 10.8.0.1 or 10.7.7.1 and contact our support regarding your issue, https://protonvpn.com/support-form

  7. Francesco Armato

    I have followed the steps, but somehow the Status shows nothing, can’t get the OpenVPN connected. Under the Status – OpenVPN, is showing like below:
    State
    Server: : Local Address: Remote Address: Client: : Local Address: Remote Address:
    Under the log section I have the following message:
    Serverlog Clientlog 20180418 19:47:54 I OpenVPN 2.3.0 mipsel-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Mar 25 2013
    20180418 19:47:54 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:16
    20180418 19:47:54 W WARNING: file ‘/tmp/openvpncl/user.conf’ is group or others accessible
    20180418 19:47:54 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    20180418 19:47:54 W WARNING: file ‘/tmp/openvpncl/ta.key’ is group or others accessible
    20180418 19:47:54 I Control Channel Authentication: using ‘/tmp/openvpncl/ta.key’ as a OpenVPN static key file
    20180418 19:47:54 Outgoing Control Channel Authentication: Using 512 bit message hash ‘SHA512’ for HMAC authentication
    20180418 19:47:54 Incoming Control Channel Authentication: Using 512 bit message hash ‘SHA512’ for HMAC authentication
    20180418 19:47:54 Socket Buffers: R=[114688->131072] S=[114688->131072]
    20180418 19:47:54 I UDPv4 link local: [undef]
    20180418 19:47:54 I UDPv4 link remote: [AF_INET]108.59.0.37:1194
    20180418 19:47:54 TLS: Initial packet from [AF_INET]108.59.0.37:1194 sid=53436fc2 45409790
    20180418 19:47:54 W WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    20180418 19:47:54 VERIFY OK: depth=2 C=CH O=ProtonVPN AG CN=ProtonVPN Root CA
    20180418 19:47:54 VERIFY OK: depth=1 C=CH O=ProtonVPN AG CN=ProtonVPN Intermediate CA 1
    20180418 19:47:54 Validating certificate key usage
    20180418 19:47:54 NOTE: --mute triggered...
    20180418 19:48:01 6 variation(s) on previous 3 message(s) suppressed by --mute
    20180418 19:48:01 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
    20180418 19:48:01 D MANAGEMENT: CMD ‘state’
    20180418 19:48:01 MANAGEMENT: Client disconnected
    20180418 19:48:01 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
    20180418 19:48:01 D MANAGEMENT: CMD ‘state’
    20180418 19:48:01 MANAGEMENT: Client disconnected
    20180418 19:48:01 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
    20180418 19:48:01 D MANAGEMENT: CMD ‘state’
    20180418 19:48:01 MANAGEMENT: Client disconnected
    20180418 19:48:01 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
    20180418 19:48:01 D MANAGEMENT: CMD ‘log 500’
    19700101 00:00:00

  8. ProtonVPN Team

    Hello Francesco, have you tried using a few different servers with different protocols, udp/tcp? Please contact our support team regarding that. https://protonvpn.com/support-form

  9. killswitch

    It seems the killswitch feature doesn’t work. After I set everything up (including firewall settings), I ran ‘killall openvpn’ command in the router to simulate VPN going down. I was still able to surf the internet using my own ISP IP.

  10. ProtonVPN Team

    Hello, if you are able to surf the internet even with that killswitch script as in our tutorial for the dd-wrt router, then there is something wrong with the script or error in it. This script will kill all network even if you disconnect the VPN yourself.

  11. Terry Witherspoon

    Hello, I need to hide my IP address. Do you do that with the dns or how does it work.

  12. ProtonVPN Team

    Hello Terry, with our VPN services you can hide IP addresses and get encrypted traffic too, so you are secure online and no one can see your online activities. Currently we have applications that are easy to operate for Windows, macOS and Android devices. iOS application is yet to come. 🙂

  13. LTHL

    My connection is successful and the VPN seems to be running; however, I am not sure what steps I need to take next as I am unable to connect to any web pages even though my status on all network devices states that I am connected to the Internet. I have a Server-client topology where my router is only the gateway and my server hands out DHCP. I am using a Linksys WRT 3700 ACM Router using DD-WRT as firmware.

  14. ProtonVPN Team

    Hello, may we ask, have you tried running pings? Try pinging a hostname like google.com and then their IP or DNS IP, like 8.8.8.8. If the IP does ping and the hostname doesn’t, it means that there is an issue with DNS settings. Please contact our support team for the investigation. https://protonvpn.com/support-form

  15. remote-random

    Can I change remote-random to remote-fastest to get the fastest server?

  16. ProtonVPN Team

    Hello. remote-fastest is not an option and it does not exist. Remote-random is not randomly selecting a server for you. You can find more information about it here – https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage

  17. aepp

    When I enter a domain like de.protonvpn.com, then the status stays in “reconnect”. When I use an IP address it works fine. My internet connection is provided via static IP. I set up the DNS as described. What could be the reason?

  18. ProtonVPN Team

    Hello,
    It may be that you are entering the wrong hostname address. Please contact our support team about it. https://protonvpn.com/support-form

  19. User

    Adding “How to setup ProtonVPN on “Open-WRT routers” will be great.
    VBR

  20. ProtonVPN Team

    Hello,
    We will consider doing so in the future, thank you for the suggestion. 🙂

  21. Colin

    I was able to setup a GL-MT300N-V2 OpenWrt router by uploading the ProtonVPN DD-WRT ovpn configuration files and setting the DNS to be 10.8.0.1 and 9.9.9.9. Passes DNS leak test 🙂

  22. User

    The GL-MT300N-V2 OpenWrt router is working with Proton VPN by using a DNS other than 10.8.0.1. If you configure 9.9.9.9 as the only DNS it’s working too. That looks like the Proton DNS 10.8.0.1 is still not working.

  23. ProtonVPN Team

    Hello. 10.x.x.x is not a physical DNS server. By using, let’s say, 10.8.8.1 you set the DNS address to call for the server IP, and since all our VPN servers run a DNS server on them, you can use this to prevent leaks. You can’t ping 10.8.8.1 while not connected to the VPN since that is not a DNS server like, for example, Google 8.8.8.8; it’s a subnet.

  24. Alex

    I have exactly the same issue as Fran above. The log just abruptly ends with:
    20180308 22:46:38 D MANAGEMENT: CMD ‘log 500’
    19700101 01:00:00
    Any thoughts?

  25. Alex

    I figured it out! I was using my protonvpn username and password instead of the openvpn username and password. I also had to factory reset the dd-wrt and install from scratch to ensure all settings were on default, except for the server domain, which I changed to 192.168.0.1 (default is 192.168.1.1). All working now!

  26. g

    I cannot get this to work. I have tried every suggestion in the comments including removing the last 3 lines and nothing. I just end up like Peng. Not sure what I’m doing wrong.

  27. ProtonVPN Team

    Hello,
    Please contact our support team with all detailed information of your router and screenshots of its configuration that we could investigate.
    https://protonvpn.com/support-form

  28. bc

    I keep getting this warning in my log, Feb 26 12:28:43 DD-WRT daemon.warn openvpn[4347]: Option ‘explicit-exit-notify’ in [PUSH-OPTIONS]:5 is ignored by previous blocks. I don’t notice ‘explicit-exit-notify’ in my openvpn.conf file.

  29. ProtonVPN Team

    Hello,
    Could you please send some screenshots of your current router configuration to our support team using our support form:
    https://protonvpn.com/support-form

  30. Max

    Does anyone know how to configure the VPN on the following?
    # Open WRT Router
    # AVM Fritz Box

  31. User

    Open WRT is working with Linux and DDWRT server config files and with country config files. Multi hop is not tested by me, as I’m still waiting for a one-time lifetime payment offer and invoice…

  32. ititit

    My router GUI looks a bit different and am missing some fields. I have WRT54G 2.2.

    I see fields for Public Server cert, Public Client Cert, Private Client key.

    There are no fields for Additional Config, encryption cipher or hash algorithm.

  33. ProtonVPN Team

    Hello.
    Private client key = TLS auth key.
    Public server cert = CA cert. Try doing it this way and if you have any issues feel free to contact our support at https://protonvpn.com/support-form

  34. DFSEGA

    Does anyone know how to configure the VPN on Asus routers?

  35. ProtonVPN

    Hello, regarding the Asus router configuration we will need to have some correspondence, so please create a ticket through the following link, and we will assist you with the setup:

    https://protonvpn.com/support-form

  36. bc

    Where do I get the CA cert and TLS auth key? And also whenever I open the ovpn file in Notepad it’s all encrypted. How can I view it in plain text?

  37. ProtonVPN Team

    Hey, each configuration file does have both the CA Certificate and the TLS Auth key; they begin with -----BEGIN CERTIFICATE----- for the cert and -----BEGIN OpenVPN Static key V1----- for the key. If you need both of them separately, you can copy/paste the info to a plain text file or write us an e-mail via our contact form and we will send them to you.

  38. Demetris Charalambous

    How do you connect to “Secure Core” servers using DD-WRT? The GUI only allows a single IP address for the VPN server.

  39. John

    Is Ddwrt Openvpn supported for free Proton VPN users?

  40. ProtonVPN

    Hey,

    It is supported indeed. You can download the free config files from the Downloads category on your account (in the Server configs tab), and set-up your router. We have a guide for the setup, which you can find on the following link:

    https://protonvpn.com/support/vpn-router-ddwrt/

  41. mekins

    I can’t find the download for the .ovpn file. Can anyone provide a link?

  42. ProtonVPN

    Log in to account.protonvpn.com and on the left side you will see the Download section.

  43. Alex

    What is the top VPN speed you’ve achieved on a DD-WRT and what router?

  44. Jason

    Any recommendations on the best router to use for ProtonVPN?

    Thank you

  45. joffaMac

    Some points I found:
    1. If you copy the # lines from step 6, in my setup at least, the word ‘step’ from the second last line appears on a new line and I think made the whole connection fail – I just removed all 3 # lines altogether.
    2. The kill switch settings as per step 11 did just that – they killed my connection – so I’m not using that. Either something’s wrong with that command or my set-up.
    3. It takes a while for the VPN connection to be established (far longer than my previous PIA setup).
    Anyways, thanks ProtonVPN. Will plug away with this – hopefully your speeds stay as are (PIA slowed down my internet speed heaps)

  46. Anon

    “Static DNS 1 = 10.8.8.1”

    I think the right IP is 10.8.0.1, not 10.8.8.1

  47. Sebastian

    Hi, I followed all the steps mentioned above and I’m getting tls-error message: “19700101 01:04:23 Socket Buffers: R=[172032->131072] S=[172032->131072]
    19700101 01:04:23 I UDPv4 link local: [undef]
    19700101 01:04:23 I UDPv4 link remote: [AF_INET]185.159.156.3:1194
    19700101 01:04:23 N TLS_ERROR: BIO read tls_read_plaintext error: error:140830B5:lib(20):func(131):reason(181)
    19700101 01:04:23 N TLS Error: TLS object -> incoming plaintext read error
    19700101 01:04:23 N TLS Error: TLS handshake failed
    19700101 01:04:23 I SIGUSR1[soft tls-error] received process restarting
    19700101 01:04:23 Restart pause 2 second(s) ”

  48. Aaa

    After router restart it doesn’t reconnect; with other VPN providers it works.

  49. Peng

    I have followed the steps, but somehow the Status shows nothing, can’t get the OpenVPN connected. Under the Status – OpenVPN, is showing like below:
    State
    Server: : Local Address: Remote Address: Client: : Local Address: Remote Address:

    Status

    Log
    Serverlog Clientlog

  50. condor

    Make sure you uncomment the last line in Step 6. This solved the issue for me.

  51. Fran

    I erased the comment, lost internet connection and got this in Log:
    Serverlog Clientlog 20170717 08:03:51 I OpenVPN 2.3.0 mipsel-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Mar 25 2013
    20170717 08:03:51 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:16
    20170717 08:03:51 W WARNING: file ‘/tmp/openvpncl/user.conf’ is group or others accessible
    20170717 08:03:51 W WARNING: --ping should normally be used with --ping-restart or --ping-exit
    20170717 08:03:51 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    20170717 08:03:51 W WARNING: file ‘/tmp/openvpncl/ta.key’ is group or others accessible
    20170717 08:03:51 I Control Channel Authentication: using ‘/tmp/openvpncl/ta.key’ as a OpenVPN static key file
    20170717 08:03:51 Outgoing Control Channel Authentication: Using 512 bit message hash ‘SHA512’ for HMAC authentication
    20170717 08:03:51 Incoming Control Channel Authentication: Using 512 bit message hash ‘SHA512’ for HMAC authentication
    20170717 08:03:51 Socket Buffers: R=[114688->131072] S=[114688->131072]
    20170717 08:03:51 I UDPv4 link local: [undef]
    20170717 08:03:51 I UDPv4 link remote: [AF_INET]209.58.129.100:1194
    20170717 08:03:51 TLS: Initial packet from [AF_INET]209.58.129.100:1194 sid=a61723dc 52fb6efb
    20170717 08:03:51 W WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    20170717 08:03:52 VERIFY OK: depth=2 C=CH O=ProtonVPN AG CN=ProtonVPN Root CA
    20170717 08:03:52 VERIFY OK: depth=1 C=CH O=ProtonVPN AG CN=ProtonVPN Intermediate CA 1
    20170717 08:03:52 Validating certificate key usage
    20170717 08:03:52 NOTE: --mute triggered...
    20170717 08:03:57 6 variation(s) on previous 3 message(s) suppressed by --mute
    20170717 08:03:57 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
    20170717 08:03:57 D MANAGEMENT: CMD ‘state’
    20170717 08:03:57 MANAGEMENT: Client disconnected
    20170717 08:03:57 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
    20170717 08:03:57 D MANAGEMENT: CMD ‘state’
    20170717 08:03:57 MANAGEMENT: Client disconnected
    20170717 08:03:57 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
    20170717 08:03:57 D MANAGEMENT: CMD ‘state’
    20170717 08:03:57 MANAGEMENT: Client disconnected
    20170717 08:03:57 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
    20170717 08:03:57 D MANAGEMENT: CMD ‘log 500’
    19700101 00:00:00

  52. Thomas Schäfer

    Starting a new service without IPv6 is sad. Openvpn supports IPv6.

  53. ProtonVPN

    IPv6 support is in the making and coming in the future. In the meantime, having a working solution for IPv4 is better than none 🙂
