This is an advanced tutorial on how to connect a router with OpenWrt firmware to NordVPN.
Please note that this configuration has not been tested by NordVPN staff – it has been shared and tested by our wonderful customers instead. However, if any issues arise, feel free to contact our support team for further help! This is an advanced tutorial, but it also provides some simpler instructions.
NordVPN would like to thank ulmwind, an active member of the OpenWrt community, for his continuous assistance in providing us with up-to-date OpenWRT instructions.
1. First, you need a router with OpenWrt firmware and an enabled OpenVPN client. The main page of the firmware is https://openwrt.org. A router flashed with an OpenWrt firmware image accepts connections only via the telnet protocol, so you should connect to it via telnet with the IP address 192.168.1.1 and change the root password by using the "passwd" command. Once done, the router will accept SSH connection. The OpenVPN package isn't included in the firmware image by default, so you need to install it:
opkg update opkg install openvpn-openssl opkg install ip-full
You can additionally install the LuCI component of the OpenVPN configuration, but this is optional:
opkg install luci-app-openvpn
You can also build a firmware image with OpenVPN. Here is a good reference manual on a general OpenVPN client configuration:https://github.com/StreisandEffect/streisand/wiki/Setting-an-OpenWrt-Based-Router-as-OpenVPN-Client. We will follow it with modifications specific to NordVPN. Once you have installed the OpenVPN package, you can make it launch automatically whenever the router starts:
2. Next, you will need to download the configuration files. We suggest using our recommended server utility, which can be found here. To download a configuration, click Show available protocols and then Download config for UDP or TCP. The file contains OpenVPN configuration files with the .ovpn extension. The file name in the archive defines the server’s country, number, and used protocol. For example, in the file name al1.nordvpn.com.ovpn, al stands for Albania, 1 is the server number, and tcp means TCP protocol.
We will use this file as an example. Copy the file "al1.nordvpn.com.tcp.ovpn" using the PSCP or WinSCP programs on Windows or the scp command on Linux to the /etc/openvpn/ folder of the router’s filesystem. If you run into any copy problems, you should force the program to use the SCP protocol (it can also use SFTP).
(Optional) Do this step only if you have an older build of OpenWrt. Newer builds can skip it.
If you have an older OpenWrt build, you can download an archive here: https://downloads.nordcdn.com/configs/archives/certificates/servers.zip. In the downloaded archive, you will find the corresponding files with .crt and .key extensions. The files are specific for each VPN server.
The OpenVPN configuration for NordVPN requires you to input the username and password every time OpenVPN starts. To provide credentials automatically, append the word "secret" with a preceding space to the string auth-user-pass. The resulting string should be auth-user-pass secret.
Create a file with the name "secret" in the same folder and enter the credentials in it. The first line is your NordVPN service username, and the second is your NordVPN service password:
You can find your NordVPN service credentials in the Nord Account dashboard. Copy the credentials using the “Copy” buttons on the right.
The file itself contains the contents of the file "ca.crt" between the tags "<ca>" and "</ca>", and the contents of the file "ta.key" between the tags "<tls-auth>" and "</tls-auth>". You can create separate "ca.crt" and "ta.key" files with corresponding contents excluding the tags in the same folder and replace the tags with content in the original file with the following strings:
ca ca.crt tls-auth ta.key 1
3. Configuring OpenVPN using the "al1.nordvpn.com.tcp.ovpn" file could be done in two ways:
1) Change the file’s extension from .ovpn to .conf, which will allow OpenVPN to find it automatically by the extension.
2) Specify the file name in /etc/config/openvpn. You can use uci:
uci set openvpn.nordvpn=openvpn uci set openvpn.nordvpn.enabled='1' uci set openvpn.nordvpn.config='/etc/openvpn/al1.nordvpn.com.tcp.ovpn' uci commit openvpn
The file /etc/config/openvpn should contain the following appended strings:
config openvpn 'nordvpn' option enabled '1' option config '/etc/openvpn/al1.nordvpn.com.tcp.ovpn'
You can also change the file’s extension from .ovpn to .conf and specify it in the file /etc/config/openvpn. In this case, OpenVPN will start with this configuration file just once.
4. Create a new network interface. Note that these are two different ways to do it, and we do not recommend using both at the same time. We recommend the following interface method:
uci set network.nordvpntun=interface uci set network.nordvpntun.proto='none' uci set network.nordvpntun.ifname='tun0' uci commit network
The file /etc/config/network should contain the following appended strings:
config interface 'nordvpntun' option proto 'none' option ifname 'tun0'
5. Create a new firewall zone and add a forwarding rule from LAN to VPN:
uci add firewall zone uci set firewall.@zone[-1].name='vpnfirewall' uci set firewall.@zone[-1].input='REJECT' uci set firewall.@zone[-1].output='ACCEPT' uci set firewall.@zone[-1].forward='REJECT' uci set firewall.@zone[-1].masq='1' uci set firewall.@zone[-1].mtu_fix='1' uci add_list firewall.@zone[-1].network='nordvpntun' uci add firewall forwarding uci set firewall.@forwarding[-1].src='lan' uci set firewall.@forwarding[-1].dest='vpnfirewall' uci commit firewall
The file /etc/config/firewall should contain the following appended strings:
config zone option name 'vpnfirewall' option input 'REJECT' option output 'ACCEPT' option forward 'REJECT' option masq '1' option mtu_fix '1' list network 'nordvpntun' config forwarding option src 'lan' option dest 'vpnfirewall'
6. Now you need to configure the DNS servers. The simplest approach is to use NordVPN DNS for the WAN interface of the router. Here’s how to add NordVPN DNS:
uci set network.wan.peerdns='0' uci del network.wan.dns uci add_list network.wan.dns='126.96.36.199' uci add_list network.wan.dns='188.8.131.52' uci commit
The file /etc/config/network should contain the section 'wan' with the following strings (the three bottom strings have been appended):
config interface 'wan' option ifname 'eth0.2' option force_link '1' option proto 'dhcp' option peerdns '0' list dns '184.108.40.206' list dns '220.127.116.11'
You can also add GoogleDNS:
uci set network.wan.peerdns='0' uci del network.wan.dns uci add_list network.wan.dns='18.104.22.168' uci add_list network.wan.dns='22.214.171.124' uci commit
The appended strings should be similar to the previous ones.
(Optional) To prevent traffic leakage in case the VPN tunnel drops, you can edit the file /etc/firewall.user with the following content:
# This file is interpreted as a shell script. # Put your custom iptables rules here, and they will be executed with each firewall (re-)start # Internal uci firewall chains are flushed and recreated on reload, so # put custom rules into the root chains, e.g. INPUT or FORWARD, or into the # special user chains, e.g. input_wan_rule or postrouting_lan_rule.if (! ip a s tun0 up) && (! iptables -C forwarding_rule -j REJECT); then iptables -I forwarding_rule -j REJECT fi
You should also create the file 99-prevent-leak in the folder /etc/hotplug.d/iface/ with the following content:
#!/bin/sh if [ "$ACTION" = ifup ] && (ip a s tun0 up) && (iptables -C forwarding_rule -j REJECT); then iptables -D forwarding_rule -j REJECT fi if [ "$ACTION" = ifdown ] && (! ip a s tun0 up) && (! iptables -C forwarding_rule -j REJECT); then iptables -I forwarding_rule -j REJECT fi
In some cases, OpenVPN hangs with a log message like “couldn't resolve host …”. In this case, the tunnel stays, but the connection is lost. You should reconnect it manually with the following script /etc/openvpn/reconnect.sh, which is added to /etc/rc.local as:
"reconnect.sh" should contain this script:
#!/bin/sh n=10 while sleep 50; do t=$(ping -c $n 126.96.36.199 | grep -o -E '[0-9]+ packets r' | grep -o -E '[0-9]+') if [ "$t" -eq 0 ]; then /etc/init.d/openvpn restart fi done
When you finish these instructions, the connection should be configured, and you should be connected successfully. You can check this by visiting NordVPN's homepage and checking if your status at the top of the page says Protected.