Connect to Private Internet Access through OpenVPN on OpenWRT

Introduction

Whatever the reason you want to use a VPN, whether it’s for added security or to reach an online service that’s limited to certain countries, you may find that the device you want to connect, such as an Xbox, doesn’t provide the functionality.

Using your router to establish the VPN tunnel instead makes it automatic and transparent to all of your connected devices: every device’s traffic is hidden from your ISP, and a service like Netflix sees you connecting from the right side of the border.

This is a guide that will attempt to document the steps I took to connect my router to a VPN service.

I personally use Private Internet Access, so this guide will be specific to them, although a couple of tweaks should allow this to work with any OpenVPN compatible service.

Prerequisites

  1. A router with OpenWRT installed
  2. A Private Internet Access account
  3. WinSCP installed (for transferring the config files onto your router)
  4. Putty installed (for testing the openvpn connection)

Guides and References I Used

  • Private Internet Access official guide for connecting through OpenVPN in DD-WRT – Link
  • OpenVPN official howto – Link
  • A helpful forum post in the OpenWRT forums.  The user had similar frustrations to me with existing guides. – Link
  • HideMyAss Wiki article for connecting to OpenVPN through OpenWRT (Most Helpful) Link
  • List of Free and Public DNS Servers – Link

Guide

Add OpenVPN to OpenWRT:

1. Log into your OpenWRT admin console, and navigate to “System -> Software” as seen below:

(screenshot: System -> Software)

2. Get the latest list of available software by clicking “Update lists”:

(screenshot: Update lists)

3. Click on “Available packages”:

(screenshot: Available packages)

4. Type “openvpn” in the filter and look for exactly that in the packages list that returns:

(screenshot: filter for openvpn)

5. Install it.

Edit: Missing Steps!

Readers have mentioned that something seemed missing, as a successful connection in the router didn’t seem to translate to the devices connected to the router.  So, I set up two virtual machines – one running OpenWRT and one running Ubuntu, which would connect through the OpenWRT VM – and discovered that the missing steps involve setting up the new interface for the VPN connection.

The below steps (5.1+) are the missing steps.

5.1 Navigate to Network -> Interfaces, and click “Add New Interface”

(screenshot: Network -> Interfaces -> Add new interface)

5.2 Use the settings:

  • Name -> tun0
  • Protocol -> unmanaged
  • Bridge? -> unchecked
  • Cover which interfaces? -> custom: “tun0”

(screenshot: tun0 interface initial settings)

5.2b Hit submit

5.3 In the common config of your new interface, go to Firewall Settings, and set it to wan.  Then save the settings.

(screenshot: new tun0 interface firewall settings)
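The same configuration expressed in OpenWRT’s UCI config files, as an added example that is not part of the original post. The network section is what steps 5.1 and 5.2 produce; the firewall part shows a variant of step 5.3 that gives the tunnel its own zone (as Andrew’s comment below also suggests) so that LAN traffic cannot fall back to the ISP link if the tunnel drops. The interface and zone name ‘vpn’ is my choice, and it assumes the VPN server pushes the default route (otherwise add “redirect-gateway def1” to the .ovpn file).

```uci
# /etc/config/network  (added example, not from the post)
# Equivalent of steps 5.1-5.2: an unmanaged interface that only names the
# tun device OpenVPN creates. On OpenWrt 21.02 and later the key is
# "option device 'tun0'" instead of "option ifname 'tun0'".
config interface 'vpn'
	option proto 'none'
	option ifname 'tun0'

# /etc/config/firewall
# Step 5.3 adds the new interface to the existing wan zone. With that setup
# the stock lan->wan forwarding carries the tunnel while it is up and, as
# soon as OpenVPN dies, plain ISP traffic. The variant below instead
# forwards LAN traffic only into a dedicated vpn zone: if the tunnel goes
# down, LAN clients lose connectivity instead of silently leaking.
config zone
	option name 'vpn'
	option network 'vpn'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	# clamp TCP MSS to the tunnel MTU; avoids stalled connections
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'vpn'

# and remove the stock lan->wan forwarding that the default config ships:
#   config forwarding
#           option src 'lan'
#           option dest 'wan'
```

After editing the files, run /etc/init.d/network reload and /etc/init.d/firewall reload (or use uci commit) and restart OpenVPN.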

Private Internet Access OpenVPN config files:

6. Download the official config files from here: link.

7. Use WinSCP to connect to your router:
— a. Use the protocol “SCP”
— b. Use your same root credentials that you use to log into LuCI (your OpenWRT admin page)

8. Navigate to /etc/openvpn/ and copy the following files into that directory (out of the config zip you downloaded from Private Internet Access):
— a. ca.crt
— b. crl.pem
— c. (optional) an ovpn file for the destination you choose to connect to.

Step c above is optional because the server can be specified as part of the startup command later in this process, but you will still want an .ovpn configuration file. I took one of the location-specific ones and simply removed the remote server and port from it, creating a generic configuration file I can reuse to connect to different parts of the world.

I also added the option “keepalive 10 120” to it after I was experiencing some connection issues, which seemed to help.

So in the end, this is the contents of my “generic-pia.ovpn” OpenVPN config file:

client
dev tun
proto udp
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
tls-client
remote-cert-tls server
auth-user-pass auth
auth-nocache
comp-lzo
verb 1
reneg-sec 0
crl-verify crl.pem
keepalive 10 120

8a. Create a file called “auth”, also located in “/etc/openvpn/”, with the following format:

USERNAME
PASSWORD

As a recap, your /etc/openvpn/ directory should now look like this:

(screenshot: WinSCP listing of /etc/openvpn)

Test VPN Through Putty:

9. Open Putty and connect to your router, then navigate to /etc/openvpn and run the following command:

/usr/sbin/openvpn --cd /etc/openvpn --config /etc/openvpn/generic-pia.ovpn --remote ca-toronto.privateinternetaccess.com 1194

If all goes well you should see this in the output, indicating a successful VPN connection from your router to PIA:

Sun Jul 27 14:11:06 2014 Initialization Sequence Completed

But, I bet if you open up a web browser, you can’t navigate the web. This is a DNS issue.

Set Your Own DNS Servers:

10. Resolving the DNS issue is fairly straightforward in OpenWRT, as it has a spot where you can specify your own.  To find a list of free public DNS servers, refer to this page.

Once you have picked the DNS server(s) you would like to use, open up your router’s admin page and navigate to Network -> DHCP and DNS, and place the IP addresses there.  Like so:

(screenshot: OpenWRT DNS settings)

Click save and apply, then restart the VPN connection. You should now be able to navigate the web through your VPN tunnel.

Note: You can test this by using a website such as http://whatismyipaddress.com/.  Check the IP location matches the location of the server you chose.
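Step 10 in UCI form, as an added example that is not part of the original post. It uses the two PIA resolvers Nikita mentions in the comments below (any resolver you trust works) and adds the one setting the LuCI field alone does not cover: telling dnsmasq to ignore the resolvers the ISP handed out. These lines belong in the existing dnsmasq section of /etc/config/dhcp.

```uci
# /etc/config/dhcp  (added example, not from the post)
# The LuCI "DNS forwardings" field is dnsmasq's server list.
config dnsmasq
	list server '209.222.18.222'
	list server '209.222.18.218'
	# Do not use the resolvers the ISP gave the wan interface (/etc/resolv.conf),
	# so no lookup from the LAN goes to the ISP even while the tunnel is down.
	option noresolv '1'
```

With noresolv set, the router’s own lookups, including the OpenVPN remote hostname at boot, go only to these servers, so choose ones reachable outside the tunnel; the “resolv-retry infinite” line in generic-pia.ovpn keeps OpenVPN retrying until resolution succeeds.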

Set VPN to Auto Start with Your Router:

11. The final step is to configure the VPN to start automatically with your router, so that you don’t have to open up Putty and reissue the command every time your router reboots.

Navigate to System -> Startup and look near the bottom for “Local Startup”, which is a place for you to enter commands you want the router to execute on boot.  This is what I have in that spot:

# Put your custom commands here that should be executed once
# the system init finished. By default this file does nothing.

# VPN custom init
# Ensure only one VPN connection is made. 
/usr/bin/killall openvpn

# Toronto
/usr/sbin/openvpn --cd /etc/openvpn --daemon --config /etc/openvpn/generic-pia.ovpn --remote ca-toronto.privateinternetaccess.com 1194 &

exit 0

Reboot your router, and test to see that you still can browse the web, and that your IP location is in the right spot. Hopefully all went according to plan and you’re good to go.

Happy surfing.

27 thoughts on “Connect to Private Internet Access through OpenVPN on OpenWRT”

  1. isaac

    This is just what I was looking for! However, my router didn’t have enough storage to install openvpn – wondering if it is safe to remove a few packages whose features I am not using?

    Reply
    1. matthewurch Post author

      That’s an excellent question. Unfortunately, I’ve never tried to remove existing packages. Doing some research led me to this OpenWRT wiki page, which says,

      How do I free up some space?
      By removing packages you installed after flashing OpenWrt onto your Router. You cannot remove packages on the SquashFS partition!

      Reply
  2. Brandon

    All went well until the step to test it with the command in putty, I got this:

    “Options error: Unrecognized option or missing parameter(s) in /etc/openvpn/generic-pia.ovpn:1: client (2.3.4)
    Use --help for more information.”

    Reply
  3. Rob

    Hey, Thanks great guide. I got right to the end and fell at the last hurdle.
    Everything was going well….
    Tue Dec 2 21:09:51 2014 Initialization Sequence Completed

    Unfortunately nothing on the LAN can access the internet.
    I changed the DNS as you suggested, but I can’t even ping any remote IP from within the LAN.
    I’ve been having a look around and I might need to add some routing to the firewall to make traffic go over the TUN interface.

    Any ideas?
    Thanks

    Reply
    1. matthewurch Post author

      I would verify you have the correct DNS IP addresses set. Perhaps try some other DNS servers. And make sure you restart the VPN service after you set the DNS, so that it takes effect and try it again.

      Reply
  4. Matt

    Thank you for this easy to follow guide.
    Everything appeared to work, but browsing from either my phone or tablet will not work.

    Thinking it might be DNS, I add both Google’s and OpenDNS hosts in, restart VPN and reconnect via WIFI.
    Still no content in Chrome on either device.

    In OpenWRT, Network -> DHCP and DNS, I enable logging
    *Write received DNS requests to syslog

    Via putty, I follow the log file
    logread -f

    I see lots of DNS requests and successful resolution.

    Fri Dec 12 14:18:59 2014 daemon.info dnsmasq[1987]: reply android.l.google.com is 74.125.28.113
    Fri Dec 12 14:18:59 2014 daemon.info dnsmasq[1987]: reply android.l.google.com is 74.125.28.139
    Fri Dec 12 14:18:59 2014 daemon.info dnsmasq[1987]: reply android.l.google.com is 74.125.28.100
    Fri Dec 12 14:18:59 2014 daemon.info dnsmasq[1987]: reply android.l.google.com is 74.125.28.102
    Fri Dec 12 14:18:59 2014 daemon.info dnsmasq[1987]: reply android.l.google.com is 74.125.28.138
    Fri Dec 12 14:19:40 2014 daemon.info dnsmasq[1987]: query[A] http://www.googleapis.com from fd66:67b7:4126:0:bcb8:c83f:11e4:4307
    Fri Dec 12 14:19:40 2014 daemon.info dnsmasq[1987]: forwarded http://www.googleapis.com to 8.8.4.4
    Fri Dec 12 14:19:40 2014 daemon.info dnsmasq[1987]: forwarded http://www.googleapis.com to 8.8.8.8
    Fri Dec 12 14:19:40 2014 daemon.info dnsmasq[1987]: forwarded http://www.googleapis.com to 208.67.220.220
    Fri Dec 12 14:19:40 2014 daemon.info dnsmasq[1987]: forwarded http://www.googleapis.com to 208.67.222.222
    Fri Dec 12 14:19:40 2014 daemon.info dnsmasq[1987]: forwarded http://www.googleapis.com to 208.67.220.220
    Fri Dec 12 14:19:40 2014 daemon.info dnsmasq[1987]: forwarded http://www.googleapis.com to 208.67.222.222
    Fri Dec 12 14:19:40 2014 daemon.info dnsmasq[1987]: forwarded http://www.googleapis.com to 8.8.8.8
    Fri Dec 12 14:19:40 2014 daemon.info dnsmasq[1987]: forwarded http://www.googleapis.com to 8.8.4.4
    Fri Dec 12 14:19:40 2014 daemon.info dnsmasq[1987]: reply http://www.googleapis.com is
    Fri Dec 12 14:19:40 2014 daemon.info dnsmasq[1987]: reply googleapis.l.google.com is 173.194.79.95

    back on the phone using a utility, ping http://www.google.com
    Name resolves, but no packet received back. work’s fine from my PC (LAN/no vpn).

    So not name resolution.
    Any ideas?

    Reply
  5. Matt

    Interestingly, web pages are rendering now, but when I look at whatismyip.com, I see it’s showing an address associated with my ISP.

    So my guess is traffic is not routing via the VPN at all.
    `ifconfig -a` show very little traffic for tun0.

    So, should we perhaps create a VPN network interface and some how only let traffic go via VPN?
    Otherwise a failed VPN will not be noticed.

    Reply
  6. Steve

    I agree with Matt. It shows my IP address as being my true ISP one. And no traffic going through tun0. What do we need to do to make sure all traffic actually goes via VPN? Thanks.

    Reply
  7. debo

    Ya, I’m getting same problem.
    I can start openvpn and can ping google.com from router test suite, but not from client-pc.
    On client i too get no reply from ping of 8.8.8.8 or whatever ip.

    Anyone have an answer to this?

    Reply
  8. matthewurch Post author

    As it appears several readers are experiencing the same issue, I’m going to go over this post with a fine tooth comb and look for anything I may have left out. This will be a few days from now however as I am away from the router with OpenWRT.

    Reply
  9. Andrew

    http://wiki.openwrt.org/doc/howto/vpn.client.openvpn.tap#routing_traffic_over_nat

    To actually access the resources behind the VPN server, first create a new interface in /etc/config/network:

    config interface ‘VPN_client’
    option proto ‘none’
    option ifname ‘tap0’
    And then modify your /etc/config/firewall:

    config zone
    option name ‘VPN_client’
    option masq ‘1’
    option input ‘ACCEPT’
    option forward ‘REJECT’
    option output ‘ACCEPT’
    option network ‘VPN_client’

    config forwarding
    option dest ‘VPN_client’
    option src ‘lan’

    Reply
  10. JRH

    As everybody else, everything went OK, but no connection.

    Also tried Andrew’s suggestions, but maybe did not find the right order to put them in – no connection still.

    And it really messed up my router =)

    Using ROOter OpenWRT build MultiWeb_2015-01-04 ( OpenWRT r43751 )

    Reply
    1. matthewurch Post author

      Sorry to hear that it messed up your router. There is a failsafe option in OpenWRT that tells it to ignore all config. http://wiki.openwrt.org/doc/howto/generic.failsafe

      Also, if you don’t need to do quite as much as a failsafe boot, try to run the firstboot script to return your router to OpenWRT defaults http://stackoverflow.com/a/13830865/475735

      As for the no connection, I am still planning on starting over one step at a time to see which step is missing. I believe it is a firewall setting that will actually tell the vpn to tunnel to the wan port.

      Reply
      1. JRH

        No worries, Matthew – managed to get in and right it up again.

        Will follow your posts, and will try to hack it myself, you got the PIA OpenVpn going right there.

        Reply
  11. Robert Longworth

    Same problems here. I look forward to any findings.

    I imagine this is a firewall related issue but haven’t had much time to mess around with this myself yet

    I’m using OpenWRT in a virtual environment and would like all the VM’s running over the VPN. I had it working with PfSense but the VPN side of things appeared very unstable.

    Reply
  12. JRH

    One (and surprisingly) only tutorial found so far from a VPN provider is this: https://www.ovpn.se/guides/openwrt/

    It is in Swedish, but the general context is easy to follow.

    Will try to use it, but the first bit posted here by Matthew is very much more simple – but, as you can see, they create a tun0 interface to get it going.

    Generally, I think that the VPN providers feel that OpenWRT is really too difficult to the user.

    DD-WRT and of course Tomato are very simple indeed to configure OpenVPN.

    Reply
    1. matthewurch Post author

      Yes, the missing step(s) involve a new interface needing to be made. I’ve set up a couple VM’s that talk to each other (one is a virtual router running OpenWRT, the other is Ubuntu that gets its connection from the other VM) and am going to iron out the missing steps and make sure this guide is complete. The update should be fairly soon, if I can hopefully find the time.

      Reply
  13. JRH

    My thought was to try OVPN’s guide, and then translate it to PIA.

    OVPN has a free 5 hour try it option.

    You need it to get access to the full OpenWRT guide.

    Using a mix of Matthew’s WinSCP guide, and OVPN’s guide – still no success.

    The OVPN’s guide is also broken in the end, and does not work – a pity, as there are no other guides on how to do this on the net.

    Reply
  14. Michael

    Any new suggestions how to close this connection and make OpenVPN work for Private Internet Access? Very interested here: have tried your steps but also have same problem that internet traffic doesn’t seem to get routed over the VPN connection.

    Reply
    1. Nikita

      Mahdi, you should check on your client computer (the one that connects to your router) what are the DNS servers it gets from the router. On Ubuntu, you would do something like that:

      nmcli -t -f IP4.DNS device show wlan0 <-- if you are connected on wlan0 interface

      You should see 209.222.18.222 and 209.222.18.218 – two DNS servers that are recommended by PIA to avoid DNS leaks. If it's not the case, you need to make sure that router is given out these DNS addresses.

      Reply
  15. Nikita

    Just wanted to thank you for taking time to write that. After a little bit of tinkering and using these instructions, got PIA working on WRT54GL v1.1 after some unsuccessful attempts with Tomato and DD-WRT firmware. Thanks!

    Reply
  16. Nathan

    Thank you so much for your instruction. I now have my TP-Link (TL-WR842N/ND v2) on OpenWRT (ROOter | FunnelWeb), with an Android MetroPCS phone as my Internet connection. I’m now getting closer to the off-grid Internet solution of my dreams, and your help in this part was instrumental.

    Reply
  17. phpsystems

    I have a newer ver of openwrt, can you help with install through skype? openvpn is already installed with root+ on usb stick, it seems the openvpn application has sample config, any skype ID?
    would be small paid effort, thanks!

    Reply
