If you have read my previous article on VPNs, you already know the advantages of using a VPN and the risks of not using one, and hopefully you are using one now. If you haven’t subscribed to a VPN yet, I leave you a link here that gives you some free months.
Many VPN providers, such as NordVPN, which is the one I’ve been using for years and recommend, provide apps for iPhone, Android and other systems to access their VPN servers. However, there are devices, such as an AppleTV, that do not have an app or other direct way to connect to a VPN server.
For cases like these, having your home router connected to a VPN is the best solution. Furthermore, it’s much easier to have your home router connected to a VPN than to install a VPN application on each of the devices that connect to the Internet in your household.
Not all routers connect to a VPN in the same way or support the same protocols. Here’s how to set up a VPN on a DD-WRT router using the OpenVPN protocol. If you want to know more about DD-WRT or how to install it on a Linksys WRT1900ACS, I recommend reading this other post.
Choose a VPN server
Before starting to configure the router, we must choose the VPN server to which it will connect. NordVPN makes this very easy with its ‘Recommended Server’ tool. Here we can select the country we want to connect to, the type of server (in case we have a special requirement, such as P2P, Double VPN or Onion Over VPN) and the security protocol (OpenVPN UDP in our case). Then we write down the name of the recommended server (e.g. nl173.nordvpn.com).
Download the server certificate
Now is the time to download the certificate of the chosen VPN server. You can download all NordVPN server certificates from downloads.nordcdn.com/configs/archives/certificates/servers.zip. If you are using a different VPN provider, you should ask where to download the certificate from.
When you uncompress the NordVPN server certificate zip file, you will find a huge list of files (9524 items at the time of writing this article) grouped in pairs of .crt and .key files. We will only need the pair of files that corresponds to the chosen server (e.g. nl173_nordvpn_com_ca.crt, nl173_nordvpn_com_tls.key).
Backup Configuration
This step is optional, but my recommendation is to back up your current router configuration in case something goes wrong. Access the router interface (by default at 192.168.1.1), navigate to ‘Administration > Backup’ and click the ‘Backup’ button.
Change DNS addresses
You’ve probably already made this change, but let’s double check just in case.
Navigate to ‘Setup > Basic Setup’ and under the ‘WAN Setup > WAN Connection Type’ section set the Static DNS servers to the DNS server addresses you trust. They could be from your VPN provider or another external service like the one I’ve chosen in this case, Cloudflare (1.1.1.1, 1.0.0.1).
Then click the ‘Save’ and ‘Apply Settings’ buttons.
Disable IPv6
To prevent IPv6 leaks, we’ll disable IPv6 on the router. Navigate to ‘Setup > IPV6’, set the ‘IPv6’ option to ‘Disable’ and then click the ‘Save’ and ‘Apply Settings’ buttons.
Set up OpenVPN Client
This is the core part of the configuration process. Navigate to ‘Services > VPN’ and under the ‘OpenVPN Client’ section set the ‘Start OpenVPN Client’ option to ‘Enable’ and then set the following options (if nothing is specified keep the default values):
Server IP/Name: the server we chose previously (nl173.nordvpn.com in our case)
Port: 1194
Tunnel Device: TUN
Tunnel Protocol: UDP
Encryption Cipher: AES-256-CBC
Hash Algorithm: SHA-512 (it could be SHA-1 on older servers)
User Pass Authentication: Enable
Username: the username of your VPN provider account
Password: the password of your VPN provider account
Advanced Options: Enable
TLS Cipher: None
LZO Compression: Yes
NAT: Enable
TLS Auth Key: here you should copy the content of the .key file you downloaded previously (in our case, nl173_nordvpn_com_tls.key)
Additional Config: copy the following commands into this text box
remote-cert-tls server
remote-random
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ping-timer-rem
reneg-sec 0
CA Cert: here you should copy the content of the .crt file you downloaded previously (in our case, nl173_nordvpn_com_ca.crt)
After entering all this data, click the ‘Save’ and ‘Apply Settings’ buttons.
Verify VPN
To verify that the VPN is working navigate to ‘Status > OpenVPN’ and under the ‘State’ section you should see the message: ‘Client: CONNECTED SUCCESS’.
After that you can go to an IP location web service, such as ip2location.com, to check your current IP address and location.
Create a kill-switch
To prevent the router from exposing us to an insecure connection if the connection to the VPN server is lost, we will create a kill-switch. This means that if for any reason the router cannot establish a connection to the VPN server, we will not have Internet connection until we fix the issue.
Navigate to ‘Administration > Commands’ and enter these commands into the ‘Commands’ text box:
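# Look up the WAN interface name (backticks run the command; plain quotes would store the text itself)
WAN_IF=`nvram get wan_iface`
# Reject all LAN (br0) traffic that would leave directly through the WAN interface
iptables -I FORWARD -i br0 -o $WAN_IF -j REJECT --reject-with icmp-host-prohibited
iptables -I FORWARD -i br0 -p tcp -o $WAN_IF -j REJECT --reject-with tcp-reset
# REJECT has no udp-reset type; icmp-port-unreachable is the valid rejection for UDP
iptables -I FORWARD -i br0 -p udp -o $WAN_IF -j REJECT --reject-with icmp-port-unreachable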
Then click the ‘Save Firewall’ button.
Lastly, navigate to ‘Administration > Management’ and click the ‘Reboot router’ button.
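To confirm after the reboot that the kill-switch rules really loaded, and that no ACCEPT rule sits ahead of them, the FORWARD chain can be audited with the script below. It is an added example, not part of the original setup: the sample listings and the interface names eth0 (WAN) and tun1 (tunnel) are constructed, and on the router the real WAN name comes from ‘nvram get wan_iface’.

```shell
#!/bin/sh
# Added example (not from the original post). Reads "iptables -S FORWARD"
# output on stdin and succeeds only if a catch-all REJECT for br0 -> WAN
# comes before any ACCEPT rule that could forward LAN traffic out the WAN.
# On the router: iptables -S FORWARD | killswitch_ok "$(nvram get wan_iface)"
killswitch_ok() {
    awk -v wan="$1" '
        function has(opt, val,    i) {          # rule contains "opt val"?
            for (i = 3; i < NF; i++) if ($i == opt && $(i + 1) == val) return 1
            return 0
        }
        function uses(opt,    i) {              # rule mentions "opt" at all?
            for (i = 3; i <= NF; i++) if ($i == opt) return 1
            return 0
        }
        $1 != "-A" || $2 != "FORWARD" { next }
        has("-i", "br0") && has("-o", wan) && has("-j", "REJECT") && !uses("-p") {
            blocked = 1; exit                   # kill-switch is reached first
        }
        has("-j", "ACCEPT") && (!uses("-i") || has("-i", "br0")) &&
                               (!uses("-o") || has("-o", wan)) {
            print "leak: " $0; exit             # traffic escapes before the REJECT
        }
        END { exit(blocked ? 0 : 1) }
    '
}

# Constructed listings; eth0 and tun1 are assumed interface names.
sample_good() { cat <<'EOF'
-P FORWARD ACCEPT
-A FORWARD -i br0 -o eth0 -p tcp -j REJECT --reject-with tcp-reset
-A FORWARD -i br0 -o eth0 -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br0 -o tun1 -j ACCEPT
EOF
}
sample_missing() { cat <<'EOF'
-P FORWARD ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br0 -j ACCEPT
EOF
}

for s in sample_good sample_missing; do
    if $s | killswitch_ok eth0; then echo "$s: kill-switch in place"
    else echo "$s: NOT protected"; fi
done
```

The check is deliberately conservative: any ACCEPT ahead of the catch-all REJECT that is not restricted to another interface is reported as a leak.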