How can we help you?

Topics

OpenWrt setup with NordVPN

Does NordVPN support OpenWrt?

Routers with OpenWRT firmware have been reported to support VPNs like NordVPN. However, please be aware that the following configuration has not been tested by NordVPN staff – it has been shared and tested by our wonderful customers instead. In particular, NordVPN would like to thank ulmwind, an active member of the OpenWRT community, for their continuous assistance in providing us with up-to-date OpenWRT instructions.

This article provides two OpenWrt setup guides:

If any issues arise, feel free to contact our support team for further help! This is an advanced tutorial, but it also provides some simpler instructions.

GUI instructions

In this guide, we will show you how to set up a NordVPN connection on routers using OpenWrt firmware via the LuCI web interface. 

  1. Access the LuCI interface of your OpenWrt router by entering its local IP address into your internet browser and logging in. The default IP address is 192.168.1.1 and the username is root.

    1 (8).png

    By default, there is no password set up, so you may leave this slot empty, however, when you log in you will get a message to set up a password.

    image__17_.png

    In order to do so, click on System > Administration and you may set up a password there.
     
  2. Once you have logged in, select the System tab and choose Software.

    2 (10).png
     
  3. Click the “Update lists” button and wait for the process to finish and click “Dismiss”.
     
  4. Install the following packages by typing in their name in the “Filter” field and clicking “Install…”.
     
    1. openvpn-openssl
    2. ip-full
    3. luci-app-openvpn

      3 (7).png
       
  5. Click “Save & Apply” and refresh the router page. Now you should see a new tab called VPN. Click on it and choose OpenVPN from the dropdown.
     
  6. Now you need to download OpenVPN client configuration files. For this, we recommend going into our recommended server utility: https://nordvpn.com/servers/tools/

    For the purpose of this guide, we will be using the us5104.nordvpn.com server.
     
  7. Under the “OVPN configuration file upload” section name the VPN connection in the “Instance name” field (we have named it “nordvpn_us”.) After that, click on the “Choose File” button, locate the downloaded server file and click “Upload”.

    5 (1).png
     
  8. In the “OpenVPN instances” section, click the “Edit” button next to the instance you have just created.

    7 (2).png
     
  9. In the lower field, enter your NordVPN service credential username and password into separate lines.

    username
    password


    9.png

    You can find your NordVPN service credentials (service username and service password) in the Nord Account dashboard:

    1. Click Set up NordVPN manually.

      1 (9).png
       
    2. You will receive a verification code in your email that you use for NordVPN services. Type the code in: 

      2 (11).png
       
    3. Copy the credentials using the “Copy” buttons on the right:

      3 (8).png
       
  10. Now, copy the path to the credentials file that is given right above the field containing the credentials and paste it next to the “auth-user-pass” line in the “Config file” section above.

    It should look like this: auth-user-pass /etc/openvpn/nordvpn_us.auth

    11.png
     
  11. Click on the Save button at the bottom.
     
  12. Click on the “Network” tab at the top of the page and choose “Interfaces“.
     
  13. Select the “Add new interface…” button and name it “nordvpntun”.
     
  14. Click on the “Protocol” dropdown menu and choose “Unmanaged”.
     
  15. In the “Interface” dropdown, enter the name “tun0” at the bottom -- custom -- field and press the Enter key.

    13.png
     
  16. Click the “Create interface” and “Save” buttons.
     
  17. Choose the “Network” tab at the top once more and head to the “Firewall” section.
     
  18. Click the “Add” button and adjust it as follows:
     
    1. Name it “vpnfirewall”;
    2. Set the “Input” option as “Reject”;
    3. Leave “Output” as “Accept” and “Forward” as “Reject”;
    4. Check the “Masquerading” option;
    5. Check the “MSS clamping” option;
    6. From the “Covered Networks” dropdown menu choose “nordvpntun”;
    7. In the “Allow forward from source zones” dropdown menu, choose “lan”;
    8. Click the “Save” button.

      15.png
       
  19. In the “Zones” section, find the zone named “lan”, and click on the “Edit” button.

    16.png
     
  20. In the “Allow forward to destination zones” dropdown check the “nordvpntun” entry.

    18.png
     
  21. Once more, click “Network'' at the top of the page and then choose “DHCP and DNS” from the dropdown list.
     
  22. In the “General Settings” tab, find the “DNS forwardings” option and enter NordVPN DNS addresses there. The addresses are: 103.86.96.100 and 103.86.99.100

    20.png
     
  23. Go to the “Resolv and Hosts Files” tab, check the “Ignore resolve file” checkbox, and click the “Save & Apply” button.

    21.png
     
  24. Lastly, please head back to the “VPN” > “OpenVPN” tab.
     
  25. In the “OpenVPN instances” section, check the “Enable” option next to the NordVPN option in the list, and click the “Save & Apply” button.

    23.png
     
  26. Click the “Start” button next to the created NordVPN instance to connect to the VPN server.

When you have followed these instructions, you should be connected using the configured connection. To check if you were successful, visit NordVPN’s homepage — the status at the top of the page should say “Protected

If you wish to disconnect the VPN connection, you can click on the “Stop” button next to the NordVPN option in the “VPN” > “OpenVPN” > “OpenVPN instances'' section.
 

CLI instructions

If you're looking for a more advanced tutorial, follow this guide instead. To gain the benefits of a VPN on OpenWrt, you need a router with both OpenWrt firmware and an enabled OpenVPN client. The main page of the firmware is https://openwrt.org/

  1. In order to start, you would need to access your router via SSH using its LAN IP address. By default, the IP address is set to 192.168.1.1 and the username is root, however, the IP address may differ if you changed any of the default values.
     
  2. The OpenVPN package is not included in the firmware image by default. To install it, please run the following commands:

    opkg update
    opkg install openvpn-openssl
    opkg install ip-full

    Additionally, you may install the LuCI component of the OpenVPN configuration, however, it is optional. You can do so by running this command:

    opkg install luci-app-openvpn
     
  3. Once you have installed the OpenVPN package, you can make it launch automatically whenever the router starts by running this command:

    /etc/init.d/openvpn enable
     
  4. Next, you will need to download the server configuration files. For this, we suggest using our recommended server utility. For this guide, we used the server uk2054.nordvpn.com, however, you should use the server that the website suggests for you.

    To download a server file, choose the country where you wish to connect, click on “Show available protocols”, right-click on “Download config” for “OpenVPN TCP” or “OpenVPN UDP” and choose “Copy link address”.

    After that, return to your SSH session and run the following command:

    wget -P /etc/openvpn https://downloads.nordcdn.com/configs/files/ovpn_udp/servers/uk2054.nordvpn.com.udp.ovpn

    However, make sure to use the link you copied for your specific server file. This command will download the configuration file to the /etc/openvpn directory for easy access.

    Alternatively, you may download the server configuration file on a different machine and transfer it to the OpenWrt router using alternate methods, such as SCP or SFTP protocols.

    For older OpenWrt builds:
    You can simply download an archive here https://downloads.nordcdn.com/configs/archives/certificates/servers.zip. In the downloaded archive, you will find the corresponding files with .crt and .key extensions. The files are specific for each VPN server.
     
  5. The OpenVPN configuration for NordVPN requires you to enter your NordVPN service credential username and password every time OpenVPN starts. However, we will make some adjustments so the credentials would be provided automatically.

    First, to make the process easier, we will install the nano text editor by running the following command:

    opkg install nano

    Otherwise, you may use the built-in vi text editor. For more information regarding text editors, please refer to this article: https://openwrt.org/docs/guide-user/base-system/user.beginner.cli.

    Now, open the downloaded server configuration file using the nano text editor. In our case, the command would be:

    nano /etc/openvpn/uk2054.nordvpn.com.udp.ovpn

    After that, append the word “secret” (without quotation marks) to the string “auth-user-pass”. The resulting line should be:

    auth-user-pass secret

    Now, we need to create a new file named secret, where the NordVPN service credentials will be stored. To do so, run the following command:

    nano /etc/openvpn/secret

    It will create the new file and open it using the nano text editor.

    In the first line of the file enter your NordVPN service username, and the second - NordVPN service password.

    You can find your NordVPN service credentials (service username and service password) in the Nord Account dashboard:

    1. Click Set up NordVPN manually.

      1 (10).png
       
    2. You will receive a verification code in your email that you use for NordVPN services. Type the code in: 

      2 (12).png
       
    3. Copy the credentials using the “Copy” buttons on the right:

      3 (9).png
       
  6. Configure OpenVPN using the downloaded configuration file in one of two ways:
     
    1. Change the file’s extension from .ovpn to .conf, which will allow OpenVPN to find it automatically by its extension.

      To do so, you can use the mv command:

      mv /etc/openvpn/uk2054.nordvpn.com.udp.ovpn /etc/openvpn/uk2054.nordvpn.com.udp.conf
       
    2. Specify the file name in “/etc/config/openvpn” by using the following “uci” commands:

      uci set openvpn.nordvpn=openvpn
      uci set openvpn.nordvpn.enabled='1'
      uci set openvpn.nordvpn.config='/etc/openvpn/uk2054.nordvpn.com.udp.ovpn'
      uci commit openvpn

      After that, the file “/etc/config/openvpn” should contain the following appended strings:

      config openvpn 'nordvpn'
      option enabled '1'
      option config '/etc/openvpn/uk2054.nordvpn.com.udp.ovpn'

      You can check by running this command:

      tail /etc/config/openvpn

      You may also change the file’s extension from .ovpn to .conf and specify it in the file “/etc/config/openvpn” - in that case, however, OpenVPN will start with this configuration file just once.
       
  7. Create a new network interface by running the following commands:

    uci set network.nordvpntun=interface
    uci set network.nordvpntun.proto='none'
    uci set network.nordvpntun.ifname='tun0'
    uci commit network

    The file “/etc/config/network” should contain the following appended strings, if everything was done properly:

    config interface 'nordvpntun'
    option proto 'none'
    option ifname 'tun0'

    It can be checked by using the tail /etc/config/network command.
     
  8. Create a new firewall zone and add a forwarding rule from LAN to VPN by running the following commands:

    uci add firewall zone
    uci set firewall.@zone[-1].name='vpnfirewall'
    uci set firewall.@zone[-1].input='REJECT'
    uci set firewall.@zone[-1].output='ACCEPT'
    uci set firewall.@zone[-1].forward='REJECT'
    uci set firewall.@zone[-1].masq='1'
    uci set firewall.@zone[-1].mtu_fix='1'
    uci add_list firewall.@zone[-1].network='nordvpntun'
    uci add firewall forwarding
    uci set firewall.@forwarding[-1].src='lan'
    uci set firewall.@forwarding[-1].dest='vpnfirewall'
    uci commit firewall

    If done correctly, the file “/etc/config/firewall” should contain the following appended strings:

    config zone
    option name 'vpnfirewall'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'
    list network 'nordvpntun'

    config forwarding
    option src 'lan'
    option dest 'vpnfirewall'

    You can check by running tail -13 /etc/config/firewall command. This will display the last 13 lines, which should contain the aforementioned strings.
     
  9. Now you need to configure the DNS servers. The simplest approach is to use NordVPN DNS for the WAN interface of the router. To add NordVPN DNS, run the following commands:

    uci set network.wan.peerdns='0'
    uci del network.wan.dns
    uci add_list network.wan.dns='103.86.96.100'
    uci add_list network.wan.dns='103.86.99.100'
    uci commit

    If you receive an error message “uci: Entry not found” after running the uci del network.wan.dns command, you can disregard it.

    The file “/etc/config/network” should contain the section ‘wan’ with the three bottom strings appended:

    config interface 'wan'
    <...>
    option peerdns '0'
    list dns '103.86.96.100'
    list dns '103.86.99.100'

    You can check by running the cat /etc/config/network command and finding the ‘wan’ interface in the output.

    You can also add different DNS addresses, such as Google’s by running these commands:

    uci set network.wan.peerdns='0'
    uci del network.wan.dns
    uci add_list network.wan.dns='8.8.8.8'
    uci add_list network.wan.dns='8.8.4.4'
    uci commit

    The appended strings should be similar to the previous ones.
     

(Optional) To prevent traffic leakage in case the VPN tunnel disconnects, you can open the “/etc/firewall.user” file using a text editor and add the following content to it:

# This file is interpreted as a shell script.

# Put your custom iptables rules here, and they will be executed with each firewall (re-)start

# Internal uci firewall chains are flushed and recreated on reload, so

# put custom rules into the root chains, e.g. INPUT or FORWARD, or into the

# special user chains, e.g. input_wan_rule or postrouting_lan_rule.

 

if (! ip a s tun0 up) && (! iptables -C forwarding_rule -j REJECT); then

iptables -I forwarding_rule -j REJECT

fi

Additionally, you should create a file called “99-prevent-leak” in the folder “/etc/hotplug.d/iface” by running nano /etc/hotplug.d/iface/99-prevent-leak and adding the following content to the file:

#!/bin/sh

if [ "$ACTION" = ifup ] && (ip a s tun0 up) && (iptables -C forwarding_rule -j REJECT); then

iptables -D forwarding_rule -j REJECT

fi

if [ "$ACTION" = ifdown ] && (! ip a s tun0 up) && (! iptables -C forwarding_rule -j REJECT); then

iptables -I forwarding_rule -j REJECT

fi

In some cases, the OpenVPN connection can crash with a log output similar to “couldn’t resolve host…”. In this case, the VPN tunnel itself remains, however, the connection is lost. To reconnect to it automatically, first open the “/etc/rc.local” file using a text editor and add the following line:

/etc/openvpn/reconnect.sh &
 

In addition, you need to create the “reconnect.sh” file in the “/etc/openvpn” directory. It can be done by running the nano /etc/openvpn/reconnect.sh command.

In the file, enter the following script contents:

#!/bin/sh

n=10

while sleep 50; do

t=$(ping -c $n 8.8.8.8 | grep -o -E '[0-9]+ packets r' | grep -o -E '[0-9]+')

if [ "$t" -eq 0 ]; then

/etc/init.d/openvpn restart

fi

done

When you have followed these instructions, you should be connected using the configured connection. To check if you were successful, visit NordVPN’s homepage — the status at the top of the page should say “Protected.”

If you wish to disconnect the VPN connection, run the following command:

service openvpn stop

Was this article helpful?
Thanks!