
OpenWrt CI setup with NordVPN

Does NordVPN support OpenWrt?

Routers with OpenWRT firmware have been reported to support VPNs like NordVPN. However, please be aware that the following configuration has not been tested by NordVPN staff – it has been shared and tested by our wonderful customers instead. In particular, NordVPN would like to thank ulmwind, an active member of the OpenWRT community, for their continuous assistance in providing us with up-to-date OpenWRT instructions.

If any issues arise, feel free to contact our support team for further help! This is an advanced tutorial, but it also provides some simpler instructions.

1. To get the benefits of a VPN on OpenWRT, you need a router with both OpenWRT firmware and an enabled OpenVPN client. The main page of the firmware is https://openwrt.org. A router flashed with an OpenWRT firmware image accepts connections only via the telnet protocol, so you should connect to it via telnet with the IP address 192.168.1.1 and change the root password by using the "passwd" command. Once done, the router will accept SSH connections. The OpenVPN package isn't included in the firmware image by default, so install it by typing:

opkg update
opkg install openvpn-openssl
opkg install ip-full

You can additionally install the LuCI component of the OpenVPN configuration, but this is optional:

opkg install luci-app-openvpn

You can also build a firmware image with OpenVPN. We recommend using this reference manual on a general OpenVPN client configuration. This guide follows it with modifications for NordVPN on OpenWRT. Once you have installed the OpenVPN package, you can make it launch automatically whenever the router starts:

/etc/init.d/openvpn enable

2. Next, you will need to download the configuration files. We suggest using our recommended server utility. To download a configuration, click “Show available protocols” and then “Download config” for UDP or TCP. The file contains OpenVPN configuration files with the .ovpn extension. The file name in the archive defines the server’s country, number, and used protocol. For example, in the file name “al1.nordvpn.com.tcp.ovpn,” “al” stands for Albania, “1” is the server number, and “tcp” means TCP protocol.

We will use this file as an example. Copy the file "al1.nordvpn.com.tcp.ovpn" using the PSCP or WinSCP programs on Windows or the scp command on Linux to the “/etc/openvpn/” folder of the router’s filesystem. If you run into any copy problems, you should make the program switch to the SCP protocol (it can also use SFTP).

If you have an older OpenWRT build, you can simply download an archive here https://downloads.nordcdn.com/configs/archives/certificates/servers.zip. In the downloaded archive, you will find the corresponding files with .crt and .key extensions. The files are specific for each VPN server.

The OpenVPN configuration for NordVPN requires you to enter your NordVPN username and password every time OpenVPN starts. To provide credentials automatically, append the word "secret" (without the quotation marks) to the line “auth-user-pass” in the .ovpn file. The resulting line should be exactly (with no trailing punctuation):

auth-user-pass secret

Create a file with the name "secret" in the same folder and enter the credentials in it. The first line is your NordVPN service username, and the second is your NordVPN service password:

username
password

You can find your NordVPN service credentials in the Nord Account dashboard. Copy the credentials using the “Copy” buttons on the right.
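The two pieces of step 2 that are easy to get subtly wrong are the file-name convention and the credentials file. The following helpers are an added example written for this guide, not NordVPN's or OpenWrt's own code. They assume the NordVPN naming scheme described above (country code, server number, then .nordvpn.com.tcp or .udp.ovpn) and the "auth-user-pass secret" convention; the 0600 mode on the secret file is this example's addition, since the file holds a service credential.

```shell
#!/bin/sh
# Added example helpers for step 2 (not NordVPN's or OpenWrt's own code).
# Assumes NordVPN config names of the form <cc><n>.nordvpn.com.<tcp|udp>.ovpn
# and the "auth-user-pass secret" convention from the guide.

# Print "country number protocol" for a NordVPN config file name,
# e.g. al1.nordvpn.com.tcp.ovpn -> "al 1 tcp". Exit 1 for any other name.
ovpn_name_parts() {
    name=$(basename "$1")
    case "$name" in
        *.nordvpn.com.tcp.ovpn|*.nordvpn.com.udp.ovpn) ;;
        *) return 1 ;;
    esac
    host=${name%%.*}                          # "al1"
    proto=${name%.ovpn}; proto=${proto##*.}   # "tcp"
    cc=$(printf '%s' "$host" | sed -E 's/^([a-z-]+)[0-9]+$/\1/')
    num=$(printf '%s' "$host" | sed -E 's/^[a-z-]+([0-9]+)$/\1/')
    # sed leaves the input unchanged when the pattern does not match.
    [ "$cc" != "$host" ] && [ "$num" != "$host" ] || return 1
    printf '%s %s %s\n' "$cc" "$num" "$proto"
}

# Rewrite a bare "auth-user-pass" line to "auth-user-pass secret" and write
# the credentials file next to the config: line 1 username, line 2 password.
# Re-running is harmless (only a bare line is rewritten). The 0600 mode is
# this example's addition: the file holds a service credential.
install_ovpn_credentials() {
    ovpn=$1; user=$2; pass=$3
    dir=$(dirname "$ovpn")
    sed -i 's/^auth-user-pass[[:space:]]*$/auth-user-pass secret/' "$ovpn"
    grep -q '^auth-user-pass secret$' "$ovpn" || return 1
    ( umask 077; printf '%s\n%s\n' "$user" "$pass" > "$dir/secret" )
    chmod 600 "$dir/secret"
}
```

On the router, after copying the file, run `install_ovpn_credentials /etc/openvpn/al1.nordvpn.com.tcp.ovpn 'service-username' 'service-password'`; `ovpn_name_parts` is handy in scripts that pick a server by country or protocol from a directory of downloaded configs.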

For private internet access with a VPN on OpenWRT, you need your credentials from your Nord Account
3. Configure OpenVPN using the "al1.nordvpn.com.tcp.ovpn" file in one of two ways:

1) Change the file’s extension from .ovpn to .conf, which will allow OpenVPN to find it automatically by its extension.
2) Specify the file name in “/etc/config/openvpn.” You can use the “uci” command:

uci set openvpn.nordvpn=openvpn
uci set openvpn.nordvpn.enabled='1'
uci set openvpn.nordvpn.config='/etc/openvpn/al1.nordvpn.com.tcp.ovpn'
uci commit openvpn

The file "/etc/config/openvpn" should contain the following appended strings:

config openvpn 'nordvpn'
        option enabled '1'
        option config '/etc/openvpn/al1.nordvpn.com.tcp.ovpn'

You can also change the file’s extension from .ovpn to .conf and specify it in the file “/etc/config/openvpn” — in this case, OpenVPN will start with this configuration file just once.

4. Create a new network interface. There are two different ways to do this, and we do not recommend using both at the same time. We recommend the following uci method:

uci set network.nordvpntun=interface
uci set network.nordvpntun.proto='none'
uci set network.nordvpntun.ifname='tun0'
uci commit network

The file "/etc/config/network" should contain the following appended strings:

config interface 'nordvpntun'
        option proto 'none'
        option ifname 'tun0'

5. Create a new firewall zone and add a forwarding rule from LAN to VPN:

uci add firewall zone
uci set firewall.@zone[-1].name='vpnfirewall'
uci set firewall.@zone[-1].input='REJECT'
uci set firewall.@zone[-1].output='ACCEPT'
uci set firewall.@zone[-1].forward='REJECT'
uci set firewall.@zone[-1].masq='1'
uci set firewall.@zone[-1].mtu_fix='1'
uci add_list firewall.@zone[-1].network='nordvpntun'
uci add firewall forwarding
uci set firewall.@forwarding[-1].src='lan'
uci set firewall.@forwarding[-1].dest='vpnfirewall'
uci commit firewall

The file "/etc/config/firewall" should contain the following appended strings:

config zone
        option name 'vpnfirewall'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'nordvpntun'
config forwarding
        option src 'lan'
        option dest 'vpnfirewall'
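Steps 3 to 5 each end with "the file should contain the following appended strings", and a zone that silently lacks `forward 'REJECT'` or the `list network` entry will still start without complaint. The script below is an added example written for this guide, not NordVPN's or OpenWrt's own code: it parses the plain-text UCI files under /etc/config (without needing the uci binary, so it also works on copies pulled off the router) and exits 0 only when the stanzas the guide expects are present. It assumes the section and option names used above; on builds where the tunnel interface uses `option device` instead of `option ifname`, adjust the string in `vpn_interfaces_ok` accordingly.

```shell
#!/bin/sh
# Added post-configuration check for steps 3-5 (not NordVPN's or OpenWrt's
# own code). Reads the plain-text UCI files and verifies the expected stanzas.

# Print "key value" lines for one section of file $1: type $2, selected by $3,
# which is either the section name (config interface 'nordvpntun') or
# key=value for the anonymous stanzas "uci add" creates (name=vpnfirewall).
# Exit 1 when no such section exists.
uci_section_opts() {
    awk -v type="$2" -v id="$3" -v q="'" '
        function unq(s) { gsub("^[" q "\"]|[" q "\"]$", "", s); return s }
        function matches(   i, p) {
            p = index(id, "=")
            if (p == 0) return secname == id
            for (i = 1; i <= n; i++)
                if (k[i] == substr(id, 1, p - 1) && v[i] == substr(id, p + 1)) return 1
            return 0
        }
        function flush(   i) {
            if (cur && !done && matches()) {
                for (i = 1; i <= n; i++) print k[i], v[i]
                done = 1
            }
            cur = 0
        }
        $1 == "config" { flush(); cur = ($2 == type); secname = unq($3); n = 0; next }
        cur && ($1 == "option" || $1 == "list") { n++; k[n] = $2; v[n] = unq($3) }
        END { flush(); exit done ? 0 : 1 }
    ' "$1"
}

# Exit 0 only when the zone and forwarding rule from step 5 match the guide:
# input and forward rejected, masquerading and MTU fix on, the tunnel
# interface in the zone, and LAN forwarded into the zone.
vpn_firewall_ok() {
    fw=${1:-/etc/config/firewall}
    zone=$(uci_section_opts "$fw" zone name=vpnfirewall) || return 1
    for want in 'input REJECT' 'forward REJECT' 'masq 1' 'mtu_fix 1' 'network nordvpntun'; do
        printf '%s\n' "$zone" | grep -qx "$want" || return 1
    done
    uci_section_opts "$fw" forwarding dest=vpnfirewall | grep -qx 'src lan'
}

# Check the tunnel interface from step 4 and the OpenVPN instance from step 3.
# $1 is the config directory (default /etc/config).
vpn_interfaces_ok() {
    cfg=${1:-/etc/config}
    uci_section_opts "$cfg/network" interface nordvpntun | grep -qx 'ifname tun0' || return 1
    uci_section_opts "$cfg/openvpn" openvpn nordvpn | grep -qx 'enabled 1'
}
```

Run `vpn_firewall_ok && vpn_interfaces_ok && echo configured` on the router after `uci commit`; a non-zero exit tells you which of the three files to re-check before bringing the tunnel up.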

6. Now you need to configure the DNS servers. The simplest approach is to use NordVPN DNS for the WAN interface of the router. Here’s how to add NordVPN DNS:

uci set network.wan.peerdns='0'
uci del network.wan.dns
uci add_list network.wan.dns='103.86.96.100'
uci add_list network.wan.dns='103.86.99.100'
uci commit

The file "/etc/config/network" should contain the section 'wan' with the following strings (the three bottom strings have been appended):

config interface 'wan'
        option ifname 'eth0.2'
        option force_link '1'
        option proto 'dhcp'
        option peerdns '0'
        list dns '103.86.96.100'
        list dns '103.86.99.100'

You can also add GoogleDNS:
uci set network.wan.peerdns='0'
uci del network.wan.dns
uci add_list network.wan.dns='8.8.8.8'
uci add_list network.wan.dns='8.8.4.4'
uci commit

The appended strings should be similar to the previous ones.

(Optional) To prevent traffic leakage in case the VPN tunnel drops, you can edit the file “/etc/firewall.user” with the following content:

# This file is interpreted as a shell script.
# Put your custom iptables rules here, and they will be executed with each firewall (re-)start
# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains, e.g. INPUT or FORWARD, or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
if (! ip a s tun0 up) && (! iptables -C forwarding_rule -j REJECT); then
       iptables -I forwarding_rule -j REJECT
fi

You should also create the file "99-prevent-leak" in the folder "/etc/hotplug.d/iface/" with the following content:

#!/bin/sh
if [ "$ACTION" = ifup ] && (ip a s tun0 up) && (iptables -C forwarding_rule -j REJECT); then
       iptables -D forwarding_rule -j REJECT
fi
if [ "$ACTION" = ifdown ] && (! ip a s tun0 up) && (! iptables -C forwarding_rule -j REJECT); then
       iptables -I forwarding_rule -j REJECT
fi

In some cases, OpenVPN crashes with a log message like “couldn't resolve host…” In this case, the tunnel interface remains, but the connection is lost. To reconnect automatically, first add the following line to “/etc/rc.local” (before its final "exit 0") so the watchdog script starts at boot:

/etc/openvpn/reconnect.sh &

Then create "/etc/openvpn/reconnect.sh" with the following content and make it executable (chmod +x /etc/openvpn/reconnect.sh):

#!/bin/sh
# Every 50 seconds send 10 pings; if none are answered, restart OpenVPN.
n=10
while sleep 50; do
    t=$(ping -c $n 8.8.8.8 | grep -o -E '[0-9]+ packets r' | grep -o -E '[0-9]+')
    # An empty result (ping printed no summary line) also counts as total loss.
    if [ "${t:-0}" -eq 0 ]; then
        /etc/init.d/openvpn restart
    fi
done
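The check in the loop above is a good candidate for hardening, because the grep pattern is tied to BusyBox's exact ping summary and a probe that produces no summary at all (no route, ping killed) should count as a failure rather than a shell error. The functions below are an added example written for this guide, not NordVPN's script: `received_count` parses the summary line of both BusyBox ping (OpenWrt) and iputils ping, `need_restart` turns the count into a restart decision with a configurable threshold, and `reconnect_loop` is a drop-in body for reconnect.sh. The sample outputs at the end are constructed for the checks, not real captures; 8.8.8.8 is the probe target the guide uses.

```shell
#!/bin/sh
# Added example (not NordVPN's script): a more defensive form of the
# connectivity check in reconnect.sh. Missing ping output counts as 0 received.

# Read ping output on stdin and print the number of received packets.
# Matches "10 packets received" (BusyBox) and "10 received" (iputils).
received_count() {
    n=$(sed -n -E 's/.* ([0-9]+) (packets )?received.*/\1/p' | head -n 1)
    printf '%s\n' "${n:-0}"
}

# Exit 0 ("restart needed") when the ping run on stdin shows fewer than $1
# received packets. The guide's loop restarts only on total loss ($1 = 1);
# a higher value restarts on heavy loss as well.
need_restart() {
    min=${1:-1}
    [ "$(received_count)" -lt "$min" ]
}

# The watchdog loop for /etc/openvpn/reconnect.sh. -W bounds the wait for a
# reply so a dead tunnel cannot stall the loop; logger records each restart.
reconnect_loop() {
    while sleep 50; do
        if ping -c 10 -W 5 8.8.8.8 2>/dev/null | need_restart 1; then
            logger -t reconnect "no replies from probe target, restarting openvpn"
            /etc/init.d/openvpn restart
        fi
    done
}

# Constructed sample outputs (not real captures) used to exercise the parser.
SAMPLE_BUSYBOX_OK='PING 8.8.8.8 (8.8.8.8): 56 data bytes
--- 8.8.8.8 ping statistics ---
10 packets transmitted, 10 packets received, 0% packet loss'
SAMPLE_BUSYBOX_DOWN='PING 8.8.8.8 (8.8.8.8): 56 data bytes
--- 8.8.8.8 ping statistics ---
10 packets transmitted, 0 packets received, 100% packet loss'
SAMPLE_IPUTILS_LOSSY='--- 8.8.8.8 ping statistics ---
10 packets transmitted, 3 received, 70% packet loss, time 9123ms'
SAMPLE_NO_OUTPUT=''
```

To use it, replace the loop in reconnect.sh with these three functions followed by a single `reconnect_loop` call; the rc.local line from the guide stays the same.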

When you have finished following these instructions, you should be connected using the configured connection. To check if you were successful, visit NordVPN’s homepage — the status at the top of the page should say “Protected.”
