OpenWrt setup with NordVPN

Does NordVPN support OpenWrt?

Reports indicate that routers with OpenWRT firmware support VPNs like NordVPN. However, be aware that the NordVPN staff have not tested the following configuration—it has been shared and tested by our wonderful customers. In particular, NordVPN would like to thank Unwind, an active member of the OpenWRT community, for their continuous assistance in providing us with up-to-date OpenWRT instructions.

GUI instructions

This guide will show you how to set up a NordVPN connection on routers using OpenWrt firmware via the LuCI web interface. 

  1. You can access the LuCI interface of your OpenWrt router by entering its local IP address into your internet browser and logging in. The default IP address is 192.168.1.1, and the username is root.



    NOTE: The system does not set a password by default, so you may leave this field empty. However, when you log in, the system will display a message asking you to set one.

    To do so, click System > Administration and set a password there.
     
  2. Once you have logged in, select the System tab and choose Software.


     
  3. Click the update lists button, wait for the process to finish, and click dismiss.
     
  4. Install the following packages by typing their name in the filter field and clicking install…
     
    1. openvpn-openssl
    2. ip-full
    3. luci-app-openvpn


       
  5. Click Save & Apply and refresh the router page. You should now see a new tab called VPN. Click on it and choose OpenVPN from the dropdown.
     
  6. You need to download the OpenVPN client configuration files now. Then, you can connect to a recommended server via your Nord Account.

    Follow the steps below to find the service credentials for manual connection setup:

      1. Log in to your Nord Account, click NordVPN, and, under Manual setup, click on Service credentials. You'll find your username and password, which you will need to be able to connect manually.



      2. Now you will need to download the OpenVPN client configuration files.

        Follow the steps below to find the best server for your connection:

        1. Log in to your Nord Account and click NordVPN.



        2. Scroll down to Advanced Settings and click Set up NordVPN manually.



        3. Select the Server recommendation tab. Our algorithm will recommend the best server for you according to your location.



        4. By pressing Advanced filters, you can customize the recommended servers by selecting the Server type and the Security protocol.





           In case you wish to select a specific server, follow these steps:

          1. Under Set up NordVPN manually, select OpenVPN configuration files.



          2. You can find the server you'd like to connect to using the Search bar or by scrolling down. Then, you can download it by clicking Download UDP or Download TCP.



            For this guide, we will be using the us5104.nordvpn.com server.
  7. Under the OVPN configuration file upload section, name the VPN connection in the instance name field (we have named it "nordvpn_us"). Then, click the choose file button, locate the downloaded server file, and click upload.


     
  8. In the OpenVPN instances section, click the edit button next to the instance you created.


     
  9. Enter your NordVPN service credentials (username and password) in the lower field on separate lines.

    username
    password



    You can find your NordVPN service credentials (username and password) in the Nord Account dashboard.

  10. Now, copy the path to the credentials file that is given right above the field containing the credentials and paste it next to the "auth-user-pass" line in the config file section above.

    It should look like this: auth-user-pass /etc/openvpn/nordvpn_us.auth



  11. To connect to the VPN server, click the Enabled checkbox and then the start button next to the created NordVPN instance.



  12. Click on the save & apply button at the bottom.

  13. At the top of the navigation menu, hover over System and click Reboot. Another page will open. Click the Perform reboot button, and then you must log back in.
     
  14. Hover over the network tab at the top of the page and choose interfaces:
     
    1. Click Add New Interface.
    2. In the name section, write nordvpntun.
    3. Click on protocol and choose unmanaged.
    4. In the interface dropdown menu, enter the name tun0 in the bottom -- custom -- field and press Enter.


     
  15. Click Create Interface and save.
     
  16. Choose the network tab at the top and head to the firewall section.
     
  17. Click the add button and adjust it as follows:
     
    1. Name it "vpnfirewall".
    2. Set the "Input" option as "Reject".
    3. Leave "Output" as "Accept" and "Forward" as "Reject".
    4. Check the "Masquerading" option.
    5. Check the "MSS clamping" option.
    6. From the "Covered Networks" dropdown menu, choose "nordvpntun".
    7. In the "Allow forward from source zones" dropdown menu, choose "lan".
    8. Click the "Save" button.


       
  18. In the Zones section, find the zone named lan, and click the Edit button.


     
  19. In the Allow Forward to Destination Zones dropdown, check the NordVPN entry.


     
  20. Once more, click Network at the top of the page and then choose DHCP and DNS from the dropdown list.
     
  21. Find the DNS forwardings option in the general settings tab and enter NordVPN DNS addresses. The addresses are: 103.86.96.100 and 103.86.99.100


     
  22. Go to the resolv and hosts files tab, check the ignore resolv file checkbox, and click the Save & Apply button.


     
  23. Head back to the VPN > OpenVPN tab.
     
  24. In the OpenVPN instances section, check the enable option next to the NordVPN option in the list, and click the save & apply button.



  25. Click the start button once again to connect to the VPN server.

CLI instructions

If you want a more advanced tutorial, follow this guide instead. You need a router with both OpenWrt firmware and an enabled OpenVPN client to gain the benefits of a VPN on OpenWrt. The firmware's main page is https://openwrt.org/

  1. First, you must be able to access your router over SSH using its LAN IP address. By default, the IP address is 192.168.1.1, and the username is root; however, if you change any default values, the IP address may differ.
     
  2. The router does not have the OpenVPN package in the firmware image by default. To install it, run the following commands:
    opkg update
    opkg install openvpn-openssl
    opkg install ip-full
    Additionally, you may install the LuCI component of the OpenVPN configuration; however, it is optional. You can do so by running this command:
    opkg install luci-app-openvpn
  3. Once you have installed the OpenVPN package, you can make it launch automatically whenever the router starts by running this command:
    /etc/init.d/openvpn enable
  4. Next, you will need to download the server configuration files. Follow these steps to do so:
    1. Log in to your Nord Account and click NordVPN.



    2. Scroll down to Advanced Settings and click Set up NordVPN manually.



    3. Select the Server recommendation tab. Our algorithm will recommend the best server for you according to your location.



    4. By pressing Advanced filters, you can customize the recommended servers by selecting the Server type and the Security protocol.





       In case you wish to select a specific server, follow these steps:

      1. Under Set up NordVPN manually, select OpenVPN configuration files.



      2. You can find the server you'd like to connect to using the Search bar or by scrolling down. Then, you can download it by clicking Download UDP or Download TCP.



  1. For this guide, we used the server uk2054.nordvpn.com; however, you should use the website's suggested server.

    To download a server file, select the country where you wish to connect, click on "Show available protocols," right-click on "Download config" for "OpenVPN TCP" or "OpenVPN UDP," and choose "Copy link address."

    After that, return to your SSH session and run the following command:
    wget -P /etc/openvpn https://downloads.nordcdn.com/configs/files/ovpn_udp/servers/uk2054.nordvpn.com.udp.ovpn

    However, use the link you copied for your specific server file. This command will download the configuration file to the /etc/openvpn directory for easy access.

    Alternatively, you may download the server configuration file on a different machine and transfer it to the OpenWrt router using alternate methods, such as SCP or SFTP protocols.

    For older OpenWrt builds:
    You can simply download an archive here https://downloads.nordcdn.com/configs/archives/certificates/servers.zip. In the downloaded archive, you will find the corresponding files with .crt and .key extensions. The files are specific for each VPN server.
     
  2. The OpenVPN configuration for NordVPN requires you to enter your NordVPN service credentials (username and password) every time OpenVPN starts. However, we will make some adjustments to provide the credentials automatically.

    First, to make the process easier, we will install the nano text editor by running the following command:
    opkg install nano
    Otherwise, you may use the built-in vi text editor. For more information regarding text editors, refer to this article.

    Now, open the downloaded server configuration file using the nano text editor. In our case, the command would be:
    nano /etc/openvpn/uk2054.nordvpn.com.udp.ovpn
    After that, append the word "secret" (without quotation marks) to the string "auth-user-pass". The resulting line should be:
    auth-user-pass secret
    You must create a new secret file to store the NordVPN service credentials. To do so, run the following command:
    nano /etc/openvpn/secret
    It will create and open a new file using the nano text editor.

    In the first line of the file, enter your NordVPN service username, and in the second line, your NordVPN service password.

    You can find your NordVPN service credentials (username and password) in the Nord Account dashboard.

  3. Configure OpenVPN using the downloaded configuration file in one of two ways:
     
    1. Change the file's extension from .ovpn to .conf, allowing OpenVPN to find it automatically by its extension.

      To do so, you can use the mv command:
      mv /etc/openvpn/uk2054.nordvpn.com.udp.ovpn /etc/openvpn/uk2054.nordvpn.com.udp.conf
       
    2. Specify the file name in "/etc/config/openvpn" by using the following "uci" commands:
      uci set openvpn.nordvpn=openvpn
      uci set openvpn.nordvpn.enabled='1'
      uci set openvpn.nordvpn.config='/etc/openvpn/uk2054.nordvpn.com.udp.ovpn'
      uci commit openvpn
      After that, the file "/etc/config/openvpn" should contain the following appended strings:
      config openvpn 'nordvpn'
      option enabled '1'
      option config '/etc/openvpn/uk2054.nordvpn.com.udp.ovpn'
      You can check by running this command:
      tail /etc/config/openvpn
      You may also change the file's extension from .ovpn to .conf and specify it in the file "/etc/config/openvpn"; in that case, however, OpenVPN will start with this configuration file just once.
       
  4. Create a new network interface by running the following commands:
    uci set network.nordvpntun=interface
    uci set network.nordvpntun.proto='none'
    uci set network.nordvpntun.ifname='tun0'
    uci commit network
    The file "/etc/config/network" will now contain the following appended strings:
    config interface 'nordvpntun'
    option proto 'none'
    option ifname 'tun0'
    You can check it by running this command:
    tail /etc/config/network
  5. Create a new firewall zone and add a forwarding rule from LAN to VPN by running the following commands:
    uci add firewall zone
    uci set firewall.@zone[-1].name='vpnfirewall'
    uci set firewall.@zone[-1].input='REJECT'
    uci set firewall.@zone[-1].output='ACCEPT'
    uci set firewall.@zone[-1].forward='REJECT'
    uci set firewall.@zone[-1].masq='1'
    uci set firewall.@zone[-1].mtu_fix='1'
    uci add_list firewall.@zone[-1].network='nordvpntun'
    uci add firewall forwarding
    uci set firewall.@forwarding[-1].src='lan'
    uci set firewall.@forwarding[-1].dest='vpnfirewall'
    uci commit firewall
    If done correctly, the file "/etc/config/firewall" should contain the following appended strings:
    config zone
    option name 'vpnfirewall'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'
    list network 'nordvpntun'
    config forwarding
    option src 'lan'
    option dest 'vpnfirewall'
    You can check by running this command:
    tail -13 /etc/config/firewall
    This will display the last 13 lines containing the strings above.
  6. Now you need to configure the DNS servers. The most straightforward approach is to use NordVPN DNS for the router's WAN interface. To add NordVPN DNS, run the following commands:
    uci set network.wan.peerdns='0'
    uci del network.wan.dns
    uci add_list network.wan.dns='103.86.96.100'
    uci add_list network.wan.dns='103.86.99.100'
    uci commit

    NOTE: If you receive an error message "uci: Entry not found" after running the uci del network.wan.dns command, you can disregard it.

    The file "/etc/config/network" should contain the section "wan" with the three bottom strings appended:
    config interface 'wan'
    <...>
    option peerdns '0'
    list dns '103.86.96.100'
    list dns '103.86.99.100'

    You can check by running this command and finding the "wan" interface in the output:
    cat /etc/config/network 
    You can also add different DNS addresses, such as Google's, by running these commands:
    uci set network.wan.peerdns='0'
    uci del network.wan.dns
    uci add_list network.wan.dns='8.8.8.8'
    uci add_list network.wan.dns='8.8.4.4'
    uci commit
    The appended strings should be similar to the previous ones.
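
Both procedures above keep the service credentials in a plain-text file ("/etc/openvpn/nordvpn_us.auth" in the GUI steps, "/etc/openvpn/secret" in the CLI steps). The following script is an added example, not part of the original guide: it checks that the file named by auth-user-pass exists, holds two lines, and is readable by its owner only. The function name is hypothetical, and a relative path is assumed to be resolved against the directory of the configuration file.

```shell
#!/bin/sh
# Added example (not from the original guide): audit the credentials file that
# an OpenVPN config references through auth-user-pass.
# Usage: audit_auth_file CONFIG   -> returns 0 if clean, 1 on any finding.

audit_auth_file() {
    conf="$1"
    rc=0
    [ -r "$conf" ] || { echo "FAIL: cannot read $conf"; return 1; }

    # File argument of the auth-user-pass directive (empty if missing or bare).
    auth=$(awk '{ sub(/\r$/, "") } $1 == "auth-user-pass" { print $2; exit }' "$conf")
    if [ -z "$auth" ]; then
        echo "FAIL: auth-user-pass names no credentials file in $conf"
        return 1
    fi

    # Assumption: a relative path is resolved against the config's directory.
    case "$auth" in
        /*) ;;
        *) auth="$(dirname "$conf")/$auth" ;;
    esac
    [ -f "$auth" ] || { echo "FAIL: $auth does not exist"; return 1; }

    # Expect exactly two non-empty lines: username, then password.
    lines=$(grep -c . "$auth" || true)
    if [ "$lines" -ne 2 ]; then
        echo "FAIL: $auth has $lines non-empty lines, expected 2"
        rc=1
    fi

    # The password is stored in clear text, so group and others need no access.
    # Parsed from ls because stat may not be installed on the router.
    perms=$(ls -ld "$auth" | cut -c1-10)
    case "$perms" in
        -r??------) ;;
        *) echo "FAIL: $auth is $perms, run: chmod 600 $auth"; rc=1 ;;
    esac

    [ "$rc" -eq 0 ] && echo "OK: $auth"
    return "$rc"
}

# Run against a config given on the command line, e.g. the file from step 2.
if [ "$#" -gt 0 ]; then
    audit_auth_file "$1"
fi
```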
     

(Optional) Killswitch for OpenWRT 22.02 or older builds (iptables)

To prevent traffic leakage in case the VPN tunnel disconnects, follow these steps:

  1. Open the firewall file using a text editor:
    nano /etc/firewall.user
  2. Add the following content:
    # This file is interpreted as a shell script.
    # Put your custom iptables rules here, and they will be executed with each firewall (re-)start
    # Internal uci firewall chains are flushed and recreated on reload, so
    # put custom rules into the root chains, e.g. INPUT or FORWARD, or into the
    # special user chains, e.g. input_wan_rule or postrouting_lan_rule.

    # If tun0 is not up and no REJECT rule is present yet, block all forwarding.
    if (! ip a s tun0 up) && (! iptables -C forwarding_rule -j REJECT); then
        iptables -I forwarding_rule -j REJECT
    fi
  3. Create a file called "99-prevent-leak" in the folder "/etc/hotplug.d/iface" by running this command:
    nano /etc/hotplug.d/iface/99-prevent-leak
  4. Add the following content to the script:
    #!/bin/sh

    # An interface came up, tun0 is up and the REJECT rule exists: remove it to allow traffic.
    if [ "$ACTION" = ifup ] && (ip a s tun0 up) && (iptables -C forwarding_rule -j REJECT); then
        iptables -D forwarding_rule -j REJECT
    fi

    # An interface went down, tun0 is not up and no REJECT rule exists: add it to block traffic.
    if [ "$ACTION" = ifdown ] && (! ip a s tun0 up) && (! iptables -C forwarding_rule -j REJECT); then
        iptables -I forwarding_rule -j REJECT
    fi

(Optional) Killswitch for OpenWRT 22.03 or newer builds (nftables)

Please follow these steps to prevent traffic leakage if the VPN tunnel doesn't work.

  1. Edit the custom firewall rules file:
    nano /etc/firewall.user
  2. Add the following block:
    # When the tun0 interface is down and no chain "forwarding_rule" exists in nftables, do the following.
    if (! ip a s tun0 up) && (! nft list chain inet fw4 forwarding_rule); then
        # Add a new chain named forwarding_rule.
        nft add chain inet fw4 forwarding_rule
        # Add a rule to the chain forward that jumps to the chain forwarding_rule.
        nft add rule inet fw4 forward jump forwarding_rule
        # Add a rule to the chain forwarding_rule that rejects all traffic.
        nft add rule inet fw4 forwarding_rule reject
    fi
  3. Then, you need to create a hotplug script to engage the killswitch automatically:
    nano /etc/hotplug.d/iface/99-prevent-leak
  4. Write the following content into the script:
    #!/bin/sh

    # If action ifup is triggered, interface tun0 is up and the nftables chain "forwarding_rule" contains the text "reject", flush that chain to allow traffic.
    if [ "$ACTION" = ifup ] && (ip a s tun0 up) && (nft list chain inet fw4 forwarding_rule | grep -q 'reject'); then
        nft flush chain inet fw4 forwarding_rule
    fi

    # If action ifdown is triggered, interface tun0 is not up and the nftables chain "forwarding_rule" does not contain the text "reject", add a rule to that chain to reject all traffic.
    if [ "$ACTION" = ifdown ] && (! ip a s tun0 up) && (! nft list chain inet fw4 forwarding_rule | grep -q 'reject'); then
        nft add rule inet fw4 forwarding_rule reject
    fi
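
The killswitch matters because the setup above adds a lan to vpnfirewall forwarding without removing any forwarding that lan already has. The following script is an added example, not part of the original guide: it lists every zone that lan may forward to in a uci firewall file and flags any zone other than the VPN zone. The function names are hypothetical, and the sample configuration is constructed, with its lan to wan entry assumed to match a stock configuration.

```shell
#!/bin/sh
# Added example (not from the original guide): list the zones that lan may
# forward to, read from a uci firewall file, and flag any besides the VPN zone.

# lan_forward_dests FILE -> one destination zone per line.
lan_forward_dests() {
    awk -v q="'" '
        function emit() { if (fwd && src == "lan" && dest != "") print dest }
        $1 == "config" { emit(); fwd = ($2 == "forwarding"); src = ""; dest = "" }
        fwd && $1 == "option" {
            v = $3; gsub(q, "", v); gsub(/"/, "", v)   # strip uci quoting
            if ($2 == "src")  src = v
            if ($2 == "dest") dest = v
        }
        END { emit() }
    ' "$1"
}

# leak_paths FILE VPNZONE -> prints lan destinations other than VPNZONE.
# Returns 1 if there are any, 0 if lan can only forward into the VPN zone.
leak_paths() {
    out=$(lan_forward_dests "$1" | grep -v -x -F "$2" || true)
    [ -z "$out" ] && return 0
    echo "$out"
    return 1
}

# Constructed sample: a stock-style lan->wan forwarding (assumption) plus the
# lan->vpnfirewall forwarding created by the CLI steps.
sample_firewall() {
    cat <<'EOF'
config zone
	option name 'lan'

config forwarding
	option src 'lan'
	option dest 'wan'

config zone
	option name 'vpnfirewall'
	list network 'nordvpntun'

config forwarding
	option src 'lan'
	option dest 'vpnfirewall'
EOF
}

tmp=$(mktemp)
sample_firewall > "$tmp"
if ! extra=$(leak_paths "$tmp" vpnfirewall); then
    echo "lan may also forward to: $extra (only the killswitch blocks this path when tun0 is down)"
fi
rm -f "$tmp"
```

On the router, call leak_paths with "/etc/config/firewall" and the zone name "vpnfirewall" to check the live configuration.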

Automatic reconnect script

The OpenVPN connection can sometimes crash with a log output similar to "couldn't resolve host…". In this case, the VPN tunnel remains; however, the connection is lost. To create a script that would reconnect to it automatically, follow these steps:

  1. Open the "/etc/rc.local" file using a text editor:
    nano /etc/rc.local
  2. Add the following line:
    /etc/openvpn/reconnect.sh &
  3. Create the "reconnect.sh" file in the "/etc/openvpn" directory by running this command:
    nano /etc/openvpn/reconnect.sh
  4. In the file, enter the following script contents:
    #!/bin/sh

    # Number of pings sent per check.
    n=10

    # Every 50 seconds, count the replies received from 8.8.8.8.
    while sleep 50; do
        t=$(ping -c $n 8.8.8.8 | grep -o -E '[0-9]+ packets r' | grep -o -E '[0-9]+')
        # Restart OpenVPN when no reply came back.
        if [ "$t" -eq 0 ]; then
            /etc/init.d/openvpn restart
        fi
    done

Connection status

When you have followed these instructions, the router should connect using the configured connection. To check if you were successful, visit NordVPN's homepage — the status at the top of the page should say "Protected."

If you followed the GUI steps and wish to disconnect the VPN connection, click the stop button next to the NordVPN option in the VPN > OpenVPN > OpenVPN instances section. If you followed the CLI steps, run the following command:

service openvpn stop