This is an advanced tutorial on how to connect a router with OpenWRT firmware to NordVPN.
Please note that this configuration has not been tested by NordVPN staff – it has been shared and tested by our wonderful customers instead. However, if any issues arise, feel free to contact our support team with further help! Also, being an advanced tutorial, it glances over some simpler instructions.
NordVPN would like to thank ulmwind, an active member of OpenWRT community, for his continuous assistance in providing us with the up to date OpenWRT instructions.
1. Initially, you should have a router with OpenWRT firmware with the OpenVPN client enabled. The main page of the firmware is http://openwrt.org The router, flashed with OpenWRT firmware image, initially accepts connection only via the telnet protocol, so you should connect to it via telnet to the IP 192.168.1.1 and change the root password with command "passwd". After this command, it accepts a connection via SSH. By default the OpenVPN package isn't included in the firmware image, so you should install it by use of opkg:
opkg update opkg install openvpn-openssl opkg install ip-full
You can also install luci-component of openvpn configuration but it is optional:
opkg install luci-app-openvpn
You can also build firmware image with openvpn. A good reference manual of a general OpenVPN client configuration you can find on this page: https://github.com/StreisandEffect/streisand/wiki/Setting-an-OpenWrt-Based-Router-as-OpenVPN-Client .We will follow it with modifications, specific for NordVPN. After installing the OpenVPN package you can make it start automatically when the router starts:
2. You will need to download our configuration files. We suggest using our "Recommended server" utility, that can be found here, to download a single configuration you need to click on "Show available protocols" and then "Download config" for UDP or TCP.This file contains OpenVPN configuration files with extension "ovpn". File name in the archive defines country, number and protocol. For example, consider first file "al1.nordvpn.com.ovpn" "al" means Albania, "1" means server number in the country and "tcp" means TCP protocol.
We will use this file as an example. Other files are treated similarly. Copy the file "al1.nordvpn.com.tcp.ovpn" with pscp or WinSCP programs in Windows, scp command in Linux to /etc/openvpn/ folder of router filesystem. In case of copy problems you should force using exactly scp protocol (it also can use sftp).
(Optional) Do this step only if you have an older build of OpenWRT. Newer builds can skip this one.
If you have an older OpenWRT Build, you can also download an archive here: https://downloads.nordcdn.com/configs/archives/certificates/servers.zip and find in it corresponding files with extensions "crt" and "key". The files are specific for each VPN-server.
The OpenVPN configuration specific for NordVPN requires the input of username and password in each start of OpenVPN. To provide credentials automatically, append the word "secret" with space to the string "auth-user-pass", so the resulting string should be "auth-user-pass secret".
Create the file with the name "secret" in the same folder, and provide credentials in it as follows: the first line is your login, the second line is your password:
The file itself contains contents of file "ca.crt" between tags "<ca>" and "</ca>" and contents of file "ta.key" between tags "<tls-auth>" and "</tls-auth>". You can create separate files "ca.crt" and "ta.key" with corresponding content excluding tags, in the same folder, and replace tags with content in the original file with the following strings.
ca ca.crt tls-auth ta.key 1
3. A configuration of OpenVPN using the file "al1.nordvpn.com.tcp.ovpn" could be implemented in two ways:
1) Change the extension of the file "ovpn" to "conf". In this case OpenVPN will find it automatically by extension.
2) Specify file name in /etc/config/openvpn . You can use uci:
uci set openvpn.nordvpn=openvpn uci set openvpn.nordvpn.enabled='1' uci set openvpn.nordvpn.config='/etc/openvpn/al1.nordvpn.com.tcp.ovpn' uci commit openvpn
The file /etc/config/openvpn should contain following appended strings:
config openvpn 'nordvpn' option enabled '1' option config '/etc/openvpn/al1.nordvpn.com.tcp.ovpn'
You can also change the extension of the file "ovpn" to "conf", and specify it in the file /etc/config/openvpn, in this case, OpenVPN will start with this configuration file just once.
4. Create a new network interface. Note that these are two ways to do it, and we do not recommend doing both at the same time. Yet we recommend the following interface method:
uci set network.nordvpntun=interface uci set network.nordvpntun.proto='none' uci set network.nordvpntun.ifname='tun0' uci commit network
The file /etc/config/network should contain following appended strings:
config interface 'nordvpntun' option proto 'none' option ifname 'tun0'
5. Create a new firewall zone and add forwarding rule from LAN to VPN:
uci add firewall zone uci set firewall.@zone[-1].name='vpnfirewall' uci set firewall.@zone[-1].input='REJECT' uci set firewall.@zone[-1].output='ACCEPT' uci set firewall.@zone[-1].forward='REJECT' uci set firewall.@zone[-1].masq='1' uci set firewall.@zone[-1].mtu_fix='1' uci add_list firewall.@zone[-1].network='nordvpntun' uci add firewall forwarding uci set firewall.@forwarding[-1].src='lan' uci set firewall.@forwarding[-1].dest='vpnfirewall' uci commit firewall
The file /etc/config/firewall should contain the following appended strings:
config zone option name 'vpnfirewall' option input 'REJECT' option output 'ACCEPT' option forward 'REJECT' option masq '1' option mtu_fix '1' list network 'nordvpntun' config forwarding option src 'lan' option dest 'vpnfirewall'
6. Now we should configure DNS servers. The simplest approach is to use NordVPN DNS for the WAN interface of the router. You can add NordVPN DNS:
uci set network.wan.peerdns='0' uci del network.wan.dns uci add_list network.wan.dns='126.96.36.199' uci add_list network.wan.dns='188.8.131.52' uci commit
The file /etc/config/network should contain section 'wan' with following strings (three bottom strings has been appended):
config interface 'wan' option ifname 'eth0.2' option force_link '1' option proto 'dhcp' option peerdns '0' list dns '184.108.40.206' list dns '220.127.116.11'
You can also add GoogleDNS:
uci set network.wan.peerdns='0' uci del network.wan.dns uci add_list network.wan.dns='18.104.22.168' uci add_list network.wan.dns='22.214.171.124' uci commit
The appended strings should be similar to the previous one.
(Optional) To prevent traffic leakage in case VPN-tunnel drops you can edit the file /etc/firewall.user with the following content:
# This file is interpreted as shell script. # Put your custom iptables rules here, they will# be executed with each firewall (re-)start. # Internal uci firewall chains are flushed and recreated on reload, so # put custom rules into the root chains e.g. INPUT or FORWARD or into the # special user chains, e.g. input_wan_rule or postrouting_lan_rule.
if (! ip a s tun0 up) && (! iptables -C forwarding_rule -j REJECT); then iptables -I forwarding_rule -j REJECT fi
You should also create the file 99-prevent-leak in the folder /etc/hotplug.d/iface/ with following content:
#!/bin/sh if [ "$ACTION" = ifup ] && (ip a s tun0 up) && (iptables -C forwarding_rule -j REJECT); then iptables -D forwarding_rule -j REJECT fi if [ "$ACTION" = ifdown ] && (! ip a s tun0 up) && (! iptables -C forwarding_rule -j REJECT); then iptables -I forwarding_rule -j REJECT fi
In some cases, OpenVPN hangs with log message like (couldn't resolve host …). In this case, a tunnel stays up but the connection is lost. It should be reconnected manually, with the following script /etc/openvpn/reconnect.sh, which is added to /etc/rc.local as:
"reconnect.sh" should contain this script:
#!/bin/sh n=10 while sleep 50; do t=$(ping -c $n 126.96.36.199 | grep -o -E '[0-9]+ packets r' | grep -o -E '[0-9]+') if [ "$t" -eq 0 ]; then /etc/init.d/openvpn restart fi done
When you finish these instructions, the connection should be configured, and you should be connected successfully. You can check by visiting NordVPN.com/profile/ and checking if you show up as “Protected”.