OpenWrt setup with NordVPN (2024)

Does NordVPN support OpenWrt?

Routers with OpenWRT firmware have been reported to support VPNs like NordVPN. However, please be aware that the following configuration has not been tested by NordVPN staff – it has been shared and tested by our wonderful customers instead. In particular, NordVPN would like to thank ulmwind, an active member of the OpenWRT community, for their continuous assistance in providing us with up-to-date OpenWRT instructions.

This article provides two OpenWrt setup guides:

  • GUI interface instructions (simplified version)
  • CLI instructions (more advanced)

If any issues arise, feel free to contact our support team for further help! This is an advanced tutorial, but it also provides some simpler instructions.

GUI instructions

In this guide, we will show you how to set up a NordVPN connection on routers using OpenWrt firmware via the LuCI web interface.

  1. Access the LuCI interface of your OpenWrt router by entering its local IP address into your internet browser and logging in. The default IP address is 192.168.1.1 and the username is root.

    By default, no password is set, so you may leave this field empty; however, when you log in, you will get a message prompting you to set a password.

    In order to do so, click on System > Administration and you may set up a password there.

  2. Once you have logged in, select the System tab and choose Software.

  3. Click the “Update lists” button, wait for the process to finish, then click “Dismiss”.
  4. Install the following packages by typing in their name in the “Filter” field and clicking “Install…”.
    1. openvpn-openssl
    2. ip-full
    3. luci-app-openvpn

  5. Click “Save & Apply” and refresh the router page. Now you should see a new tab called VPN. Click on it and choose OpenVPN from the dropdown.
  6. Now you need to download OpenVPN client configuration files. For this, we recommend going into our recommended server utility: https://nordvpn.com/servers/tools/

    For the purpose of this guide, we will be using the us5104.nordvpn.com server.

  7. Under the “OVPN configuration file upload” section, name the VPN connection in the “Instance name” field (we have named it “nordvpn_us”). After that, click on the “Choose File” button, locate the downloaded server file and click “Upload”.

  8. In the “OpenVPN instances” section, click the “Edit” button next to the instance you have just created.

  9. In the lower field, enter your NordVPN service credential username and password into separate lines.

    username
    password

    You can find your NordVPN service credentials (service username and service password) in the Nord Account dashboard:

    1. Click Set up NordVPN manually.

    2. You will receive a verification code at the email address that you use for NordVPN services. Type the code in:

    3. Copy the credentials using the “Copy” buttons on the right:

  10. Now, copy the path to the credentials file that is given right above the field containing the credentials and paste it next to the “auth-user-pass” line in the “Config file” section above.

    It should look like this: auth-user-pass /etc/openvpn/nordvpn_us.auth

  11. Click on the Save button at the bottom.
  12. Click on the “Network” tab at the top of the page and choose “Interfaces”.
  13. Select the “Add new interface…” button and name it “nordvpntun”.
  14. Click on the “Protocol” dropdown menu and choose “Unmanaged”.
  15. In the “Interface” dropdown, enter the name “tun0” in the -- custom -- field at the bottom and press the Enter key.

  16. Click the “Create interface” and “Save” buttons.
  17. Choose the “Network” tab at the top once more and head to the “Firewall” section.
  18. Click the “Add” button and adjust it as follows:
    1. Name it “vpnfirewall”;
    2. Set the “Input” option as “Reject”;
    3. Leave “Output” as “Accept” and “Forward” as “Reject”;
    4. Check the “Masquerading” option;
    5. Check the “MSS clamping” option;
    6. From the “Covered Networks” dropdown menu choose “nordvpntun”;
    7. In the “Allow forward from source zones” dropdown menu, choose “lan”;
    8. Click the “Save” button.

  19. In the “Zones” section, find the zone named “lan”, and click on the “Edit” button.

  20. In the “Allow forward to destination zones” dropdown check the “nordvpntun” entry.

  21. Once more, click “Network” at the top of the page and then choose “DHCP and DNS” from the dropdown list.
  22. In the “General Settings” tab, find the “DNS forwardings” option and enter NordVPN DNS addresses there. The addresses are: 103.86.96.100 and 103.86.99.100

  23. Go to the “Resolv and Hosts Files” tab, check the “Ignore resolve file” checkbox, and click the “Save & Apply” button.

  24. Lastly, please head back to the “VPN” > “OpenVPN” tab.
  25. In the “OpenVPN instances” section, check the “Enable” option next to the NordVPN option in the list, and click the “Save & Apply” button.

  26. Click the “Start” button next to the created NordVPN instance to connect to the VPN server.

When you have followed these instructions, you should be connected using the configured connection. To check if you were successful, visit NordVPN’s homepage — the status at the top of the page should say “Protected.”

If you wish to disconnect the VPN connection, you can click on the “Stop” button next to the NordVPN option in the “VPN” > “OpenVPN” > “OpenVPN instances” section.

CLI instructions

If you're looking for a more advanced tutorial, follow this guide instead. To gain the benefits of a VPN on OpenWrt, you need a router with both OpenWrt firmware and an enabled OpenVPN client. The main page of the firmware is https://openwrt.org/.

  1. To start, access your router via SSH using its LAN IP address. By default, the IP address is set to 192.168.1.1 and the username is root; however, the IP address may differ if you changed any of the default values.
  2. The OpenVPN package is not included in the firmware image by default. To install it, please run the following commands:

    opkg update
    opkg install openvpn-openssl
    opkg install ip-full

    Additionally, you may install the LuCI component of the OpenVPN configuration; this is optional. You can do so by running this command:

    opkg install luci-app-openvpn

  3. Once you have installed the OpenVPN package, you can make it launch automatically whenever the router starts by running this command:

    /etc/init.d/openvpn enable

  4. Next, you will need to download the server configuration files. For this, we suggest using our recommended server utility. For this guide, we used the server uk2054.nordvpn.com; however, you should use the server that the website suggests for you.

    To download a server file, choose the country where you wish to connect, click on “Show available protocols”, right-click on “Download config” for “OpenVPN TCP” or “OpenVPN UDP” and choose “Copy link address”.

    After that, return to your SSH session and run the following command:

    wget -P /etc/openvpn https://downloads.nordcdn.com/configs/files/ovpn_udp/servers/uk2054.nordvpn.com.udp.ovpn

    However, make sure to use the link you copied for your specific server file. This command will download the configuration file to the /etc/openvpn directory for easy access.

    Alternatively, you may download the server configuration file on a different machine and transfer it to the OpenWrt router using alternate methods, such as SCP or SFTP protocols.

    For older OpenWrt builds:
    You can simply download an archive here: https://downloads.nordcdn.com/configs/archives/certificates/servers.zip. In the downloaded archive, you will find the corresponding files with .crt and .key extensions. The files are specific for each VPN server.

  5. The OpenVPN configuration for NordVPN requires you to enter your NordVPN service credential username and password every time OpenVPN starts. However, we will make some adjustments so the credentials would be provided automatically.

    First, to make the process easier, we will install the nano text editor by running the following command:

    opkg install nano

    Otherwise, you may use the built-in vi text editor. For more information regarding text editors, please refer to this article: https://openwrt.org/docs/guide-user/base-system/user.beginner.cli.

    Now, open the downloaded server configuration file using the nano text editor. In our case, the command would be:

    nano /etc/openvpn/uk2054.nordvpn.com.udp.ovpn

    After that, append the word “secret” (without quotation marks) to the string “auth-user-pass”. The resulting line should be:

    auth-user-pass secret

    Now, we need to create a new file named secret, where the NordVPN service credentials will be stored. To do so, run the following command:

    nano /etc/openvpn/secret

    It will create the new file and open it using the nano text editor.

    In the first line of the file, enter your NordVPN service username, and in the second line, your NordVPN service password.

    You can find your NordVPN service credentials (service username and service password) in the Nord Account dashboard:

    1. Click Set up NordVPN manually.

    2. You will receive a verification code at the email address that you use for NordVPN services. Type the code in:

    3. Copy the credentials using the “Copy” buttons on the right:

  6. Configure OpenVPN using the downloaded configuration file in one of two ways:
    1. Change the file’s extension from .ovpn to .conf, which will allow OpenVPN to find it automatically by its extension.

      To do so, you can use the mv command:

      mv /etc/openvpn/uk2054.nordvpn.com.udp.ovpn /etc/openvpn/uk2054.nordvpn.com.udp.conf

    2. Specify the file name in “/etc/config/openvpn” by using the following “uci” commands:

      uci set openvpn.nordvpn=openvpn
      uci set openvpn.nordvpn.enabled='1'
      uci set openvpn.nordvpn.config='/etc/openvpn/uk2054.nordvpn.com.udp.ovpn'
      uci commit openvpn

      After that, the file “/etc/config/openvpn” should contain the following appended strings:

      config openvpn 'nordvpn'
      option enabled '1'
      option config '/etc/openvpn/uk2054.nordvpn.com.udp.ovpn'

      You can check by running this command:

      tail /etc/config/openvpn

      You may also change the file’s extension from .ovpn to .conf and specify it in the file “/etc/config/openvpn” - in that case, however, OpenVPN will start with this configuration file just once.

  7. Create a new network interface by running the following commands:

    uci set network.nordvpntun=interface
    uci set network.nordvpntun.proto='none'
    uci set network.nordvpntun.ifname='tun0'
    uci commit network

    The file “/etc/config/network” should contain the following appended strings, if everything was done properly:

    config interface 'nordvpntun'
    option proto 'none'
    option ifname 'tun0'

    It can be checked by using the tail /etc/config/network command.

  8. Create a new firewall zone and add a forwarding rule from LAN to VPN by running the following commands:

    uci add firewall zone
    uci set firewall.@zone[-1].name='vpnfirewall'
    uci set firewall.@zone[-1].input='REJECT'
    uci set firewall.@zone[-1].output='ACCEPT'
    uci set firewall.@zone[-1].forward='REJECT'
    uci set firewall.@zone[-1].masq='1'
    uci set firewall.@zone[-1].mtu_fix='1'
    uci add_list firewall.@zone[-1].network='nordvpntun'
    uci add firewall forwarding
    uci set firewall.@forwarding[-1].src='lan'
    uci set firewall.@forwarding[-1].dest='vpnfirewall'
    uci commit firewall

    If done correctly, the file “/etc/config/firewall” should contain the following appended strings:

    config zone
    option name 'vpnfirewall'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'
    list network 'nordvpntun'

    config forwarding
    option src 'lan'
    option dest 'vpnfirewall'

    You can check by running the tail -13 /etc/config/firewall command. This will display the last 13 lines, which should contain the aforementioned strings.

  9. Now you need to configure the DNS servers. The simplest approach is to use NordVPN DNS for the WAN interface of the router. To add NordVPN DNS, run the following commands:

    uci set network.wan.peerdns='0'
    uci del network.wan.dns
    uci add_list network.wan.dns='103.86.96.100'
    uci add_list network.wan.dns='103.86.99.100'
    uci commit

    If you receive an error message “uci: Entry not found” after running the uci del network.wan.dns command, you can disregard it.

    The file “/etc/config/network” should contain the section ‘wan’ with the three bottom strings appended:

    config interface 'wan'
    <...>
    option peerdns '0'
    list dns '103.86.96.100'
    list dns '103.86.99.100'

    You can check by running the cat /etc/config/network command and finding the ‘wan’ interface in the output.

    You can also add different DNS addresses, such as Google’s, by running these commands:

    uci set network.wan.peerdns='0'
    uci del network.wan.dns
    uci add_list network.wan.dns='8.8.8.8'
    uci add_list network.wan.dns='8.8.4.4'
    uci commit

    The appended strings should be similar to the previous ones.
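A check for the credentials file set up in step 5, as an added example that is not part of the original guide: it resolves the file named on the auth-user-pass line and reports whether it exists, holds two filled lines, and is closed to group and other users. The function names are hypothetical, the demo uses constructed placeholder credentials, and relative names are assumed to resolve against the config's directory.

```shell
#!/bin/sh
# Added example (not from the original guide): audit the credentials file
# that an OpenVPN config's auth-user-pass line points to.

# Resolve the auth-user-pass argument to a path. A relative name such as
# "secret" is taken relative to the config's directory (assumption: OpenVPN
# runs with its working directory set there, as the guide's layout implies).
auth_file_path() {
    arg=$(awk '$1 == "auth-user-pass" { print $2; exit }' "$1")
    [ -n "$arg" ] || return 1
    case $arg in
        /*) printf '%s\n' "$arg" ;;
        *)  printf '%s/%s\n' "$(dirname "$1")" "$arg" ;;
    esac
}

# Print one verdict for the config given as $1; non-zero exit unless "ok".
audit_auth_file() {
    path=$(auth_file_path "$1") || { echo "no-auth-file"; return 1; }
    [ -f "$path" ] || { echo "missing"; return 1; }
    # Line 1 must hold the service username, line 2 the service password.
    filled=$(awk 'NR <= 2 && NF { n++ } END { print n + 0 }' "$path")
    [ "$filled" -eq 2 ] || { echo "incomplete"; return 1; }
    # ls is parsed because BusyBox builds do not always ship stat.
    # Characters 5-10 of the mode string are the group and other bits.
    [ "$(ls -ld "$path" | cut -c5-10)" = "------" ] || { echo "readable-by-others"; return 1; }
    echo "ok"
}

# Constructed demo: placeholder credentials in a scratch directory.
demo() {
    dir=$(mktemp -d)
    printf 'client\nauth-user-pass secret\n' > "$dir/example.ovpn"
    printf 'SERVICE_USERNAME\nSERVICE_PASSWORD\n' > "$dir/secret"
    chmod 644 "$dir/secret"; audit_auth_file "$dir/example.ovpn" || true
    chmod 600 "$dir/secret"; audit_auth_file "$dir/example.ovpn"
    rm -rf "$dir"
}
demo
# On the router: audit_auth_file /etc/openvpn/uk2054.nordvpn.com.udp.ovpn
```

A "readable-by-others" verdict is cleared with chmod 600 on the credentials file.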

(Optional) To prevent traffic leakage in case the VPN tunnel disconnects, you can open the “/etc/firewall.user” file using a text editor and add the following content to it. The rules use iptables and the forwarding_rule user chain, so they apply to builds that use the iptables-based firewall:

# This file is interpreted as a shell script.
# Put your custom iptables rules here, and they will be executed with each firewall (re-)start
# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains, e.g. INPUT or FORWARD, or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.

# If tun0 does not exist and the REJECT rule is not installed yet, block all forwarding.
if (! ip a s tun0 up) && (! iptables -C forwarding_rule -j REJECT); then
    iptables -I forwarding_rule -j REJECT
fi

Additionally, you should create a file called “99-prevent-leak” in the folder “/etc/hotplug.d/iface” by running nano /etc/hotplug.d/iface/99-prevent-leak and adding the following content to the file:

#!/bin/sh

# An interface came up and tun0 exists: remove the blocking rule if it is present.
if [ "$ACTION" = ifup ] && (ip a s tun0 up) && (iptables -C forwarding_rule -j REJECT); then
    iptables -D forwarding_rule -j REJECT
fi

# An interface went down and tun0 is gone: insert the blocking rule if it is absent.
if [ "$ACTION" = ifdown ] && (! ip a s tun0 up) && (! iptables -C forwarding_rule -j REJECT); then
    iptables -I forwarding_rule -j REJECT
fi
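Why the kill switch above matters, as an added example that is not part of the original guide: step 8 adds a lan-to-vpnfirewall forwarding without removing any forwarding that already exists, so a stock lan-to-wan forwarding stays available as a fallback path when tun0 disappears. The function names are hypothetical, and the input is constructed text in the format printed by uci show firewall, with the lan-to-wan entry assumed to come from a default install.

```shell
#!/bin/sh
# Added example (not from the original guide). Only anonymous forwarding
# sections (firewall.@forwarding[N]), as created by `uci add`, are parsed.

# Constructed sample: a lan->wan forwarding (assumed stock default) plus
# the zone and forwarding added in step 8.
sample_uci_firewall() {
cat <<'EOF'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@zone[2]=zone
firewall.@zone[2].name='vpnfirewall'
firewall.@zone[2].input='REJECT'
firewall.@zone[2].masq='1'
firewall.@zone[2].network='nordvpntun'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].src='lan'
firewall.@forwarding[1].dest='vpnfirewall'
EOF
}

# Print every zone that LAN traffic may be forwarded to, one per line.
lan_forward_dests() {
    awk -F"[=']" '
        /^firewall\.@forwarding\[[0-9]+\]\.src=/  { split($1, k, "[.]"); src[k[2]] = $3 }
        /^firewall\.@forwarding\[[0-9]+\]\.dest=/ { split($1, k, "[.]"); dst[k[2]] = $3 }
        END { for (i in src) if (src[i] == "lan") print dst[i] }
    ' | sort
}

# Classify the forwarding setup read from stdin.
leak_status() {
    dests=$(lan_forward_dests)
    vpn=no; other=
    for d in $dests; do
        if [ "$d" = "vpnfirewall" ]; then vpn=yes; else other="$other $d"; fi
    done
    if [ "$vpn" = no ]; then echo "no-vpn-forwarding"
    elif [ -n "$other" ]; then echo "fallback-via:$other"
    else echo "vpn-only"
    fi
}

sample_uci_firewall | leak_status
# On the router: uci show firewall | leak_status
```

A "fallback-via" result means LAN clients can still be forwarded to the listed zone whenever the tunnel is down, which is the case the REJECT rule in forwarding_rule covers.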

In some cases, the OpenVPN connection can crash with a log output similar to “couldn’t resolve host…”. In this case, the VPN tunnel itself remains; however, the connection is lost. To reconnect to it automatically, first open the “/etc/rc.local” file using a text editor and add the following line:

/etc/openvpn/reconnect.sh &

In addition, you need to create the “reconnect.sh” file in the “/etc/openvpn” directory. It can be done by running the nano /etc/openvpn/reconnect.sh command.

In the file, enter the following script contents:

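#!/bin/sh

# Every 50 seconds, send n pings and restart OpenVPN if none is answered.
n=10

while sleep 50; do
    # Number of replies, taken from the ping summary line
    # ("N packets received" or "N received", depending on the ping build).
    t=$(ping -c $n 8.8.8.8 | grep -o -E '[0-9]+ (packets )?received' | grep -o -E '[0-9]+')
    # An empty result (ping printed no summary) counts as zero replies.
    if [ "${t:-0}" -eq 0 ]; then
        /etc/init.d/openvpn restart
    fi
done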

When you have followed these instructions, you should be connected using the configured connection. To check if you were successful, visit NordVPN’s homepage — the status at the top of the page should say “Protected.”

If you wish to disconnect the VPN connection, run the following command:

service openvpn stop


Author: Margart Wisoky
