NordVPN Help Center
One place for all the information you need

DD-WRT router setup

Updated

DD-WRT is a custom firmware for routers, it offers OpenVPN, L2TP and PPTP protocol support and is available on a wide variety of routers. You can check if your router supports DD-WRT firmware here . An article how to install DD-WRT firmware on a router can be found here .

We have prepared a couple of tutorials on how to set up OpenVPN on a DD-WRT firmware router. We recommend using the OpenVPN UI client method, however you may also connect using a script. Also, there are couple of alternative ways how to set up DD-WRT router with both OpenVPN and other protocols.

OpenVPN GUI client

It has been made using this configuration:
Firmware: DD-WRT v3.0-r27520M (07/17/15) kong
Hardware: Netgear WNR3500L v2

  • 1. In the DD-WRT Administrative Interface, navigate to Setup > Basic Setup. Under Network Address Server Settings (DHCP), set these NordVPN DNS addresses:

    Static DNS 1 = 162.242.211.137
    Static DNS 2 = 78.46.223.24
    Static DNS 3 = 0.0.0.0 (default)
    Use DNSMasq for DHCP = Checked
    Use DNSMasq for DNS = Checked
    DHCP-Authoritative = Checked

    Then, Save and Apply settings.



    If you're setting up two routers, you should change the second router Local IP address to be different than the main router's. (In this case main router's IP is 192.168.1.1, while the one we're connecting to NordVPN server is accessible via 192.168.2.1)

  • 2. Navigate to Setup > IPV6. Set IPv6 to Disable, then Save & Apply Settings.
    (this is a recommended step to make sure you get no IP leaks)



  • 3. Navigate to Service > VPN. Under OpenVPN Client, set Start OpenVPN Client = Enable, to see the options necessary for this configuration. Then set the following:

    Server IP/Name = us333.nordvpn.com (If you prefer to use a specific server, you can find the full list of locations here: https://nordvpn.com/servers)
    Port = 1194
    Tunnel Device = TUN
    Tunnel Protocol = UDP
    Encryption Cipher = AES-256-CBC
    Hash Algorithm = SHA-1 (note: newer NordVPN servers use SHA-512 instead. If SHA-1 does not work, select SHA-512)
    User Pass Authentication = Enable
    Username, Password = Your NordVPN credentials
    Note: If the Username and Password fields are missing, fill in the remaining fields and proceed to step 3.1
    Advanced Options = Enable (this will enable additional options)
    TLS Cipher = None
    LZO Compression = Yes
    NAT = Enable
    The options not mentioned in this guide should be kept with default values.

    3-2.png
  • 3.1. (Optional, depending on step 3.) If the Username and Password fields are missing, go to Administration > Commands, and enter this code:

    echo "YOURUSERNAME
    YOURPASSWORD" > /tmp/openvpncl/user.conf
    /usr/bin/killall openvpn
    /usr/sbin/openvpn --config /tmp/openvpncl/openvpn.conf --route-up /tmp/openvpncl/route-up.sh --down-pre /tmp/openvpncl/route-down.sh --daemon

    Replace YOURUSERNAME and YOURPASSWORD with your respective NordVPN account credentials. Click Save Startup, and return to the previous VPN tab.

  • 4. In Additional Config box either enter or copy/paste these commands:

    remote-cert-tls server
    remote-random
    nobind
    tun-mtu 1500
    tun-mtu-extra 32
    mssfix 1450
    persist-key
    persist-tun
    ping-timer-rem
    reneg-sec 0

    #log /tmp/vpn.log

    #Delete `#` in the line below if your router does not have credentials fields and you followed the 3.1 step:
    #auth-user-pass /tmp/openvpncl/user.conf


    ddwrt_additional_conf.png
  • 5. Download the CA and TLS certificates from your Downloads Area, which can be found in your account on our website: nordvpn.com/profile/
    You should then unzip it using your extractor (WinRar, 7-zip, etc.) so you see CA and TLS auth certificates folder.

  • 6. Open the CA.crt file of the server you chose to use (in our case, us333_nordvpn_com_ca.crt) with a text editor, such as Notepad.

  • 7. Copy its contents into the CA Cert field. Be sure the entire text gets pasted in, including
    -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.

  • 8. Open the TLS.key file of the server you chose to use (in our case, us333_nordvpn_com_tls.key) with a text editor, such as Notepad.

  • 9. Copy its contents into the TLS Auth Key field. Be sure the entire text gets pasted in, including
    -----BEGIN OpenVPN Static key V1----- and -----END OpenVPN Static key V1----- lines.

  • 10. After entering all this data, Save and Apply Settings.

  • 11. To Verify the VPN is Working, Navigate to Status > OpenVPN
    Under State, you should see the message: Client: CONNECTED SUCCESS.

  • 12. To create a kill-switch, you can go into Administration > Commands, and enter this script:

    WAN_IF=`nvram get wan_iface`
    iptables -I FORWARD -i br0 -o $WAN_IF -j REJECT --reject-with icmp-host-prohibited
    iptables -I FORWARD -i br0 -p tcp -o $WAN_IF -j REJECT --reject-with tcp-reset
    iptables -I FORWARD -i br0 -p udp -o $WAN_IF -j REJECT --reject-with udp-reset

    Then select Save Firewall, Go into Administration > Management > Reboot router.

Close ↑

Alternative OpenVPN connection using a script
  • 1. Go to Administration ? Commands in your router settings.
  • 2. Paste this whole text to the Command box:
    #!/bin/sh

    USERNAME="YourNordVPNusername"
    PASSWORD="YourNordVPNpassword"

    PROTO="udp"
    TUN="tun1"
    REMOTE="remote 85.159.233.233 1194"

    CA_CRT='-----BEGIN CERTIFICATE-----
    MIIExzCCA6+gAwIBAgIJAIQgKiQRmISyMA0GCSqGSIb3DQEBBQUAMIGdMQswCQYD
    VQQGEwJQQTELMAkGA1UECBMCUEExDzANBgNVBAcTBlBhbmFtYTEQMA4GA1UEChMH
    Tm9yZFZQTjEQMA4GA1UECxMHTm9yZFZQTjEZMBcGA1UEAxMQbmw0Ny5ub3JkdnBu
    LmNvbTEQMA4GA1UEKRMHTm9yZFZQTjEfMB0GCSqGSIb3DQEJARYQY2VydEBub3Jk
    dnBuLmNvbTAeFw0xNjEyMTUxMzI5MTlaFw0yNjEyMTMxMzI5MTlaMIGdMQswCQYD
    VQQGEwJQQTELMAkGA1UECBMCUEExDzANBgNVBAcTBlBhbmFtYTEQMA4GA1UEChMH
    Tm9yZFZQTjEQMA4GA1UECxMHTm9yZFZQTjEZMBcGA1UEAxMQbmw0Ny5ub3JkdnBu
    LmNvbTEQMA4GA1UEKRMHTm9yZFZQTjEfMB0GCSqGSIb3DQEJARYQY2VydEBub3Jk
    dnBuLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANKnDD7yArdF
    sGmfK1wHeGMQYhLCJKQkmHKp+DpyMrhqJFNWlkl1LbZu+qRuc1eyOuFBqOdAUCKY
    1B8URdhfHVMcs+IlLNG50tfCgCXmWGLdQ3gOk5k2mA8ZBloJyIVnC26+Cj0Aki0j
    /N/E5ond6/2VKkG2AR7k9TB2qPyMKlExga3o9nGxj/TYA/JNNMU3f6Izcsx3/Biq
    oYpy/h7Ckqrlg6dccBGx6QdPEIYAlCZHWddkNrWA8r0h1HzdNuOO5wfCYLrRjECb
    NoWAjSTG2EU12BNtsYu0G/EGxx2fF4F27HLN7Hh0EEx6Zh7VKotnozPzwuEAkABA
    1l92wCAWM+0CAwEAAaOCAQYwggECMB0GA1UdDgQWBBTAMsO6FHhsL2alA5uzQxem
    SR4CsjCB0gYDVR0jBIHKMIHHgBTAMsO6FHhsL2alA5uzQxemSR4CsqGBo6SBoDCB
    nTELMAkGA1UEBhMCUEExCzAJBgNVBAgTAlBBMQ8wDQYDVQQHEwZQYW5hbWExEDAO
    BgNVBAoTB05vcmRWUE4xEDAOBgNVBAsTB05vcmRWUE4xGTAXBgNVBAMTEG5sNDcu
    bm9yZHZwbi5jb20xEDAOBgNVBCkTB05vcmRWUE4xHzAdBgkqhkiG9w0BCQEWEGNl
    cnRAbm9yZHZwbi5jb22CCQCEICokEZiEsjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3
    DQEBBQUAA4IBAQBx7T8RQe5+MqjLwCvpmKD4II130cpWejO8GNFamjRHTLto8Fys
    bKZHVX0JqmG2ps/7ypbpNvtVcYRwRNOfms7wDr1tmygrRg8Kydnp5kvNDyYzGWjJ
    Tfuax9jcht4Uqxx1hDWlY/DF/+i6+Rn4+0OtHSbbls3RamtOUR/rvVLk9N8LO8J5
    yNFQH2F4SD6EqbMV1R69dDKe/9TCFG1CbcZg6slD2cwbaMO7WTmzYpVtkFP1rOX7
    BWL0aAT4/q0jwjoaq31Lnm2d1Cu7zOgrvLi39Lt0sRZ6Sqj5evnJ2SMruoBeqUiC
    260tamxTFnA0NrCo578JAZC1k9UF3/GWwVKZ
    -----END CERTIFICATE-----'

    TLS_AUTH='-----BEGIN OpenVPN Static key V1-----
    7ebced42abcaa86981fae997026bf1b8
    934a6a01f0b679dc23b890717a508a6c
    263fe6663e33edf987d4ba5ed8146701
    a35e71213fd9fd7ba02caf64bb1527d6
    182ea79158b809c2016b83652e473c26
    895a581a4aff4a63b7069228d28d5c5b
    d827ec675dad94dae2ac7066ffdff1fe
    143f3494dfa4473aaca055af86ef3028
    123c247eb0bb9fc72d34a794dcce2db4
    4906dfdba554d79423ca1e8f86d35e8e
    449fe28e8898064cc91ddec802e526bb
    ea49f64973f8c61ee36f45a2315baac8
    b52bea5f9a760ac8215fdce272c14743
    d4ab8dd5a4826818dc2093c0d9db2f64
    5aaccd9ed6d8f1e078f9e435b45ea373
    5ced080d87ac70d9555e2fd95ae452ed
    -----END OpenVPN Static key V1-----'

    #### Don't modify below here, except the "auth sha512" line ####

    #### Ensure gui client disabled ####
    if [ `nvram get openvpncl_enable` != 0 ]; then
    nvram set openvpncl_enable=0
    nvram commit
    sleep 10
    fi

    mkdir /tmp/vpncl; cd /tmp/vpncl

    echo -e "$USERNAME\n$PASSWORD" > userpass.txt

    echo "#!/bin/sh
    iptables -t nat -I POSTROUTING -o $TUN -j MASQUERADE" > route-up.sh

    echo "#!/bin/sh
    iptables -t nat -D POSTROUTING -o $TUN -j MASQUERADE" > route-down.sh

    echo "$CA_CRT" > ca.crt
    echo "$TLS_AUTH" > tls-auth.key
    sleep 10

    echo "client
    dev $TUN
    proto $PROTO

    $REMOTE
    resolv-retry infinite
    nobind

    tun-mtu 1500
    tun-mtu-extra 32
    mssfix 1450

    persist-key
    persist-tun
    keepalive 5 30

    comp-lzo
    mute 20
    verb 3
    log-append vpn.log
    fast-io

    auth-user-pass userpass.txt
    script-security 2
    remote-cert-tls server
    cipher AES-256-CBC
    # if the server is relatively new and uses sha512, uncomment the line below
    #auth sha512

    ca ca.crt
    tls-auth tls-auth.key 1

    daemon" > openvpn.conf

    chmod 600 ca.crt tls-auth.key userpass.txt openvpn.conf; chmod 700 route-up.sh route-down.sh

    (killall openvpn ; openvpn --config openvpn.conf --route-up /tmp/vpncl/route-up.sh --down-pre /tmp/vpncl/route-down.sh) &

    exit 0

     

  • 3. Instead of YourNordVPNusername type your VPN account username.
  • 4. Instead of YourNordVPNpassword type your VPN account password.
  • 5. Click the Save Startup button.
  • 6. Go to Administration ? Management and click the Reboot Router button at the bottom of the page.
  • 7. Once the router is rebooted wait for a minute. This tutorial is made for the connection to the Dutch #47 server (nl47).
  • 8. If you wish to set up the connection for another server you need to change this line to the one of the server you wish to connect:

    remote 85.159.233.233 1194 (server host address);
    Ca and TLS certificates; (You can download them from here .)
    Reboot the router after changes.

Close ↑

Alternative OpenVPN connection methods

One of our user has created a NordVPN guide for setuping your DD-WRT router . You may try this tutorial if our script does not work on your router.

Also there is another script which helps our users connect their DD-WRT routers to NordVPN if there are any issues using the first script. You can download the script here .

Close ↑

L2TP
Please Note: Although technically you can use the L2TP / PPTP protocols, they have serious security flaws. Whenever possible, we recommend choosing OpenVPN or IKEv2/IPSec instead.

Please note, that L2TP alone does not encrypt your traffic, it only reroutes you through one of our servers. Please use it at your own risk. This does not apply to L2TP/IPsec.

1. Go to ​Setup​ -> ​Basic Setup​;
2. Set ​​L2TP​ ​as your ​​Connection Type​​;
3. Into the ​​Gateway (L2TP Server)​ ​field enter a NordVPN server address. You can find our server addresses in our server list: https://nordvpn.com/servers/;
4. Enter your NordVPN credentials;
5. ​Enable ​the ​​Use DHCP​ ​option;
6. Under Optional Settings change MTU to Manual and put in the value of 1460;
7. Scroll down to ​​Network Address Server Settings (DHCP​)​​;
8. Select DHCP Type to DHCP Server and also select Enable;
9. Into​ Static ​DNS 1​ ​and ​​2​ ​fields enter our DNS servers: 162.242.211.137 and 78.46.223.24​​;
10. Disable ​​Use DNSMasq for DHCP ​and ​DNS​​;
11. Click ​​Save ​and ​Apply Settings​ ​at the bottom of the screen to connect to VPN.

image-2.png

Close ↑

PPTP
Please Note: Although technically you can use the L2TP / PPTP protocols, they have serious security flaws. Whenever possible, we recommend choosing OpenVPN or IKEv2/IPSec instead.

Please note that PPTP is a very old VPN protocol, and is considered unsafe. Please use it at your own risk.

1. Go to ​Setup​ -> ​Basic Setup​;
2. Set ​​PPTP​ ​as your ​​Connection Type​​;
3. Into the ​​Gateway (PPTP Server)​ ​field enter a NordVPN server address. You can find our server addresses in our server list: https://nordvpn.com/servers/;
4. Enter your NordVPN credentials;
5. ​Enable ​the ​​Use DHCP​ ​option;
6. Under Optional Settings change MTU to Manual and put in the value of 1460;
7. Scroll down to ​​Network Address Server Settings (DHCP​)​​;
8. Select DHCP Type to DHCP Server and also select Enable;
9. Into​ Static ​DNS 1​ ​and ​​2​ ​fields enter our DNS servers: 162.242.211.137 and 78.46.223.24​​;
10. Disable ​​Use DNSMasq for DHCP ​and ​DNS​​;
11. Click ​​Save ​and ​Apply Settings​ ​at the bottom of the screen to connect to VPN.

image-3.png

Close ↑