OpenVPN

Here is a tutorial on how to connect a DD-WRT router to NordVPN servers via the OpenVPN GUI client:

It has been made using this configuration:
Firmware: DD-WRT v3.0-r27520M (07/17/15) kong
Hardware: Netgear WNR3500L v2

1. In the DD-WRT Administrative Interface, navigate to Setup > Basic Setup. Under Network Address Server Settings (DHCP), set these NordVPN DNS addresses:

Static DNS 1 = 162.242.211.137
Static DNS 2 = 78.46.223.24
Static DNS 3 = 0.0.0.0 (default)
Use DNSMasq for DHCP = Checked
Use DNSMasq for DNS = Checked
DHCP-Authoritative = Checked

Then, Save and Apply settings.

If you’re setting up two routers, change the second router’s Local IP address so that it differs from the main router’s. (In this case the main router’s IP is 192.168.1.1, while the one we’re connecting to the NordVPN server is accessible via 192.168.2.1.)

2. Navigate to Setup > IPV6. Set IPv6 to Disable, then Save & Apply Settings.

(This step is recommended to make sure you get no IP leaks.)

3. Navigate to Service > VPN. Under OpenVPN Client, set Start OpenVPN Client = Enable, to see the options necessary for this configuration. Then set the following:

Server IP/Name = us333.nordvpn.com (If you prefer to use a specific server, you can find the full list of locations here: https://nordvpn.com/servers)
Port = 1194
Tunnel Device = TUN
Tunnel Protocol = UDP
Encryption Cipher = AES-256-CBC
Hash Algorithm = SHA-1 (note: newer NordVPN servers use SHA-512 instead. If SHA-1 does not work, select SHA-512)
User Pass Authentication = Enable
Username, Password = Your NordVPN credentials
Note: If the Username and Password fields are missing, fill in the remaining fields and proceed to step 3.1
Advanced Options = Enable (this will enable additional options)
TLS Cipher = None
LZO Compression = Yes
NAT = Enable
Leave any options not mentioned in this guide at their default values.

3.1. (Optional, depending on step 3.) If the Username and Password fields are missing, go to Administration > Commands, and enter this code:

echo "YOURUSERNAME
YOURPASSWORD" > /tmp/openvpncl/user.conf
/usr/bin/killall openvpn
/usr/sbin/openvpn --config /tmp/openvpncl/openvpn.conf --route-up /tmp/openvpncl/route-up.sh --down-pre /tmp/openvpncl/route-down.sh --daemon

Replace YOURUSERNAME and YOURPASSWORD with your respective NordVPN account credentials. Click Save Startup, and return to the previous VPN tab.

4. In the Additional Config box, either type or copy/paste these commands:

tls-client
remote-cert-tls server
remote-random
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ping 15
ping-restart 0
ping-timer-rem
reneg-sec 0

# log /tmp/vpn.log

# Remove the '#' from the line below if your router has no credentials fields and you followed step 3.1:
# auth-user-pass /tmp/openvpncl/user.conf

5. Download the CA and TLS certificates from your Downloads Area, which can be found in your account on our website: nordvpn.com/profile/
Then unzip the archive with your extractor (WinRar, 7-zip, etc.) so that you can see the CA and TLS auth certificates folder.

6. Open the CA.crt file of the server you chose to use (in our case, us333_nordvpn_com_ca.crt) with a text editor, such as Notepad.

7. Copy its contents into the CA Cert field. Be sure the entire text gets pasted in, including
-----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.

8. Open the TLS.key file of the server you chose to use (in our case, us333_nordvpn_com_tls.key) with a text editor, such as Notepad.

9. Copy its contents into the TLS Auth Key field. Be sure the entire text gets pasted in, including
-----BEGIN OpenVPN Static key V1----- and -----END OpenVPN Static key V1----- lines.

10. After entering all this data, Save and Apply Settings.

11. To verify that the VPN is working, navigate to Status > OpenVPN.
Under State, you should see the message: Client: CONNECTED SUCCESS.

12. To create a kill-switch, you can go into Administration > Commands, and enter this script:

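# Read the WAN interface name from NVRAM (command substitution, not a quoted string)
WAN_IF=$(nvram get wan_iface)
# Reject anything forwarded from the LAN bridge straight out of the WAN interface
iptables -I FORWARD -i br0 -o "$WAN_IF" -j REJECT --reject-with icmp-host-prohibited
iptables -I FORWARD -i br0 -p tcp -o "$WAN_IF" -j REJECT --reject-with tcp-reset
# iptables has no udp-reset reject type; UDP is refused with an ICMP port-unreachable
iptables -I FORWARD -i br0 -p udp -o "$WAN_IF" -j REJECT --reject-with icmp-port-unreachable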

Then select Save Firewall and go to Administration > Management > Reboot router.
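
To confirm that the kill-switch rules from step 12 really sit ahead of any rule that would forward LAN traffic to the WAN, the added example below (not part of the original tutorial or of DD-WRT) walks a FORWARD rule listing top to bottom the way the kernel does. The function name killswitch_verdict, the interface names vlan2 and tun1 and the sample listing are assumptions; on a router the input would be the output of iptables -S FORWARD, where the installed iptables supports -S.

```shell
#!/bin/sh
# Added example (not NordVPN or DD-WRT code). Reads FORWARD rules in
# "-A FORWARD ..." form on stdin and prints BLOCKED or ALLOWED for packets
# going from interface $1 to interface $2. The first matching rule wins.
# Limits: jumps into user-defined chains are not followed.
killswitch_verdict() {
    awk -v src="$1" -v dst="$2" '
    function ifmatch(pat, name) {      # "" = any interface, "tun+" = prefix
        if (pat == "" || pat == name) return 1
        if (substr(pat, length(pat)) != "+") return 0
        return index(name, substr(pat, 1, length(pat) - 1)) == 1
    }
    $1 == "-P" && $2 == "FORWARD" { policy = $3; next }
    $1 != "-A" || $2 != "FORWARD" { next }
    {
        in_if = out_if = target = ""; cond = 0; neg = 0
        for (i = 3; i <= NF; i++) {
            if ($i == "-i") in_if = $(++i)
            else if ($i == "-o") out_if = $(++i)
            else if ($i == "-j") { target = $(++i); break }
            else { cond = 1; if ($i == "!") neg = 1 }  # -p, -m, -s ... narrow the rule
        }
        if (neg) in_if = out_if = ""   # negated match: assume it may apply
        if (!ifmatch(in_if, src) || !ifmatch(out_if, dst)) next
        # Any ACCEPT that could match counts as allowed (conservative).
        if (target == "ACCEPT") { verdict = "ALLOWED"; exit }
        # Only an unconditional REJECT/DROP is a guaranteed block.
        if ((target == "REJECT" || target == "DROP") && !cond) { verdict = "BLOCKED"; exit }
    }
    END {
        if (verdict == "") verdict = (policy == "DROP") ? "BLOCKED" : "ALLOWED"
        print verdict
    }'
}

# Constructed listing modelled on the step 12 rules, assuming the WAN
# interface is vlan2 and the OpenVPN tunnel interface is tun1.
sample_rules() {
    cat <<'EOF'
-P FORWARD ACCEPT
-A FORWARD -i br0 -o vlan2 -p udp -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i br0 -o vlan2 -p tcp -j REJECT --reject-with tcp-reset
-A FORWARD -i br0 -o vlan2 -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br0 -o tun1 -j ACCEPT
EOF
}

echo "LAN -> WAN:    $(sample_rules | killswitch_verdict br0 vlan2)"
echo "LAN -> tunnel: $(sample_rules | killswitch_verdict br0 tun1)"
```

A result of ALLOWED for the LAN-to-WAN pair means some ACCEPT rule is reachable before the unconditional REJECT, which is what happens if the rules are appended with -A instead of inserted with -I.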