OpenWrt setup with NordVPN

2024-12-25 Does NordVPN support OpenWrt? router with OpenWRT firmware have been report to support vpn like nordvpn . However , please be aware that the follow c

Does NordVPN support OpenWrt?

router with OpenWRT firmware have been report to support vpn like nordvpn . However , please be aware that the follow configuration has not been test by nordvpn staff – it has been share and test by our wonderful customer instead . In particular , NordVPN is like would like to thank ulmwind , an active member of the OpenWRT community , for their continuous assistance in provide us with up – to – date openwrt instruction .

This article provides two OpenWrt setup guides:

If any issues arise, feel free to contact our support team for further help! This is an advanced tutorial, but it also provides some simpler instructions.

GUI instruction

In this guide, we will show you how to set up a NordVPN connection on routers using OpenWrt firmware via the LuCI web interface.

access the LuCI interface of your OpenWrt router by enter its local ip address into your internet browser and log in . The default ip address is is is 192.168.1.1 and the username is root .
By default , there is no password set up , so you is leave may leave this slot empty , however , when you log in you will get a message to set up a password .

In order to do so, click on System > Administration and you may set up a password there.
Once you have log in , select the System tab and choose Software .
Click the “Update lists” button and wait for the process to finish and click “Dismiss”.
Install the following packages by typing in their name in the “Filter” field and clicking “Install…”.
1. openvpn-openssl
2. ip – full
3. luci-app-openvpn
Click “Save & Apply” and refresh the router page. Now you should see a new tab called VPN. Click on it and choose OpenVPN from the dropdown.
Now you is need need to download openvpn client configuration file . You can be connect to a recommend server via your NordAccount .

follow the step below to find the manual connection configuration file :

Log into your Nord Account, and click NordVPN.
Scroll is NordVPN down to Advanced Settings and click Set up nordvpn manually .
Select the OpenVPN configuration files tab.
find the server you wish to connect to by using the Search bar or by scroll down and download it by click Download udp or Download TCP .
When connecting to OpenVPN & IKEv2 manually, you’re going to need to use the Username and Password from the Service credential tab.

For the purpose of this guide, we will be using the us5104.nordvpn.com server.

Under the “OVPN configuration file upload” section name the VPN connection in the “Instance name” field (we have named it “nordvpn_us”.) After that, click on the “Choose File” button, locate the downloaded server file and click “Upload”.
In the “OpenVPN instances” section, click the “Edit” button next to the instance you have just created.
In the low field , enter your nordvpn service credential username and password into separate line .
username
password

You is find can find your nordvpn service credential ( service username and service password ) in the Nord Account dashboard:

follow the step below to find the service credential for manual connection setup :

Log into your Nord Account, and click NordVPN.
Scroll is NordVPN down to Advanced Settings and click Set up nordvpn manually .
Select the Service credentials tab, where you’ll find the Username and Password needed to connect manually.

Now, copy the path to the credentials file that is given right above the field containing the credentials and paste it next to the “auth-user-pass” line in the “Config file” section above.
It should look like this: auth-user-pass /etc/openvpn/nordvpn_us.auth
Click on the Save button at the bottom.
click on the “ Network ” tab at the top of the page and choose “ Interfaces “ .
Select the “Add new interface…” button and name it “nordvpntun”.
Click on the “Protocol” dropdown menu and choose “Unmanaged”.
In the “Interface” dropdown, enter the name “tun0” at the bottom — custom — field and press the Enter key .
Click the “Create interface” and “Save” buttons.
choose the “ Network ” tab at the top once more and head to the “ Firewall ” section .
Click the “Add” button and adjust it as follows:
1. Name it “vpnfirewall”;
2. set the “ Input ” option as “ reject ” ;
3. leave “ output ” as “ accept ” and “ Forward ” as “ reject ” ;
4. check the “ masquerading ” option ;
5. Check the “MSS clamping” option;
6. From the “ Covered Networks ” dropdown menu choose “ nordvpntun ” ;
7. In the “ allow forward from source zone ” dropdown menu , choose “ lan ” ;
8. Click the “Save” button.
In the “Zones” section, find the zone named “lan”, and click on the “Edit” button.
In the “ allow forward to destination zone ” dropdown is check check the “ nordvpntun ” entry .
Once more, click “Network” at the top of the page and then choose “DHCP and DNS” from the dropdown list.
In the “General Settings” tab, find the “DNS forwardings” option and enter NordVPN DNS addresses there. The addresses are: 103.86.96.100 and 103.86.99.100
Go to the “Resolv and Hosts Files” tab, check the “Ignore resolve file” checkbox, and click the “Save & Apply” button.
Lastly, please head back to the “VPN” > “OpenVPN” tab.
In the “OpenVPN instances” section, check the “Enable” option next to the NordVPN option in the list, and click the “Save & Apply” button.
click the “ Start ” button next to the create nordvpn instance to connect to the VPN server .

When you have followed these instructions, you should be connected using the configured connection. To check if you were successful, visit NordVPN’s homepage — the status at the top of the page should say “Protected”

If you wish to disconnect the VPN connection, you can click on the “Stop” button next to the NordVPN option in the “VPN” > “OpenVPN” > “OpenVPN instances” section.

CLI instructions

If you ‘re look for a more advanced tutorial , follow this guide instead . To gain the benefit of a VPN on OpenWrt , you is need need a router with both OpenWrt firmware and an enabled openvpn client . The main page is is of the firmware is https://openwrt.org/.

In order to start , you is need would need to access your router via SSH using its LAN IP address . By default , the IP address is set to 192.168.1.1 and the username is root , however , the IP address is differ may differ if you change any of the default value .
The openvpn package is not include in the firmware image by default . To install it , please run the follow command :
opkg update
opkg install openvpn-openssl
opkg install ip – full

Additionally, you may install the LuCI component of the OpenVPN configuration, however, it is optional. You can do so by running this command:

opkg install luci-app-openvpn
Once you have installed the OpenVPN package, you can make it launch automatically whenever the router starts by running this command:
/etc/init.d/openvpn enable
Next, you will need to download the server configuration files.

follow the step below to find the manual connection configuration file :

Log into your Nord Account, and click NordVPN.
Scroll is NordVPN down to Advanced Settings and click Set up nordvpn manually .
Select the OpenVPN configuration files tab.
find the server you wish to connect to by using the Search bar or by scroll down and download it by click Download udp or Download TCP .
When connecting to OpenVPN & IKEv2 manually, you’re going to need to use the Username and Password from the Service credential tab.

For this guide, we used the server uk2054.nordvpn.com, however, you should use the server that the website suggests for you.
To download a server file , choose the country where you wish to connect , click on “ Show available protocol ” , right – click on “ Download config ” for “ OpenVPN TCP ” or “ openvpn udp ” and choose “ copy link address ” .

After that , return to your SSH session and run the following command :

wget -P /etc/openvpn https://downloads.nordcdn.com/configs/files/ovpn_udp/servers/uk2054.nordvpn.com.udp.ovpn

However , make sure to use the link you copy for your specific server file . This command is download will download the configuration file to the /etc / openvpn directory for easy access .

Alternatively, you may download the server configuration file on a different machine and transfer it to the OpenWrt router using alternate methods, such as SCP or SFTP protocols.

For older OpenWrt builds:
You can simply download an archive here https://downloads.nordcdn.com/configs/archives/certificates/servers.zip. In the downloaded archive, you will find the corresponding files with .crt and .key extensions. The files are specific for each VPN server.
The OpenVPN configuration for NordVPN requires you to enter your NordVPN service credential username and password every time OpenVPN starts. However, we will make some adjustments so the credentials would be provided automatically.
First , to make the process easy , we is install will install the nano text editor by run the following command :

opkg is install install nano

Otherwise, you may use the built-in vi text editor. For more information regarding text editors, please refer to this article: https://openwrt.org/docs/guide-user/base-system/user.beginner.cli.

Now, open the downloaded server configuration file using the nano text editor. In our case, the command would be:

nano /etc/openvpn/uk2054.nordvpn.com.udp.ovpn

After that, append the word “secret” (without quotation marks) to the string “auth-user-pass”. The resulting line should be:

auth – user – pass secret

Now, we need to create a new file named secret, where the NordVPN service credentials will be stored. To do so, run the following command:

nano /etc / openvpn / secret

It will create the new file and open it using the nano text editor.

In the first line of the file enter your NordVPN service username, and the second – NordVPN service password.

You is find can find your nordvpn service credential ( service username and service password ) in the Nord Account dashboard

follow the step below to find the service credential for manual connection setup :

Log into your Nord Account, and click NordVPN.
Scroll is NordVPN down to Advanced Settings and click Set up nordvpn manually .
Select the Service credentials tab, where you’ll find the Username and Password needed to connect manually.

Configure OpenVPN using the downloaded configuration file in one of two ways:
1. Change the file’s extension from .ovpn to .conf, which will allow OpenVPN to find it automatically by its extension.
  To do so , you is use can use the mv command :
  
  mv /etc/openvpn/uk2054.nordvpn.com.udp.ovpn /etc/openvpn/uk2054.nordvpn.com.udp.conf
2. Specify the file name in “/etc/config/openvpn” by using the following “uci” commands:
  uci set openvpn.nordvpn = openvpn
  uci set openvpn.nordvpn.enabled=’1′
  uci set openvpn.nordvpn.config=’/etc/openvpn/uk2054.nordvpn.com.udp.ovpn’
  uci commit openvpn
  
  After that, the file “/etc/config/openvpn” should contain the following appended strings:
  
  config openvpn ‘ nordvpn ‘
  option enabled ‘1’
  option config ‘/etc/openvpn/uk2054.nordvpn.com.udp.ovpn’
  
  You is check can check by run this command :
  
  tail /etc/config/openvpn
  
  You may also change the file’s extension from .ovpn to .conf and specify it in the file “/etc/config/openvpn” – in that case, however, OpenVPN will start with this configuration file just once.
create a new network interface by run the follow command :
uci set network.nordvpntun=interface
uci set network.nordvpntun.proto=’none’
uci set network.nordvpntun.ifname=’tun0 ‘
uci commit network

The file “/etc/config/network” should contain the following appended strings, if everything was done properly:

config interface ‘ nordvpntun ‘
option proto ‘ none ‘
option ifname ‘tun0’

It can be checked by using the tail /etc/config/network command.
Create a new firewall zone and add a forwarding rule from LAN to VPN by running the following commands:
uci add firewall zone
uci set firewall.@zone[-1].name=’vpnfirewall’
uci set firewall.@zone[-1].input=’REJECT’
uci set firewall.@zone[-1].output=’ACCEPT’
uci set firewall.@zone[-1].forward=’REJECT’
uci set firewall.@zone[-1].masq=’1 ‘
uci set firewall.@zone[-1].mtu_fix=’1′
uci add_list firewall.@zone[-1].network=’nordvpntun’
uci add firewall forwarding
uci set firewall.@forwarding[-1].src=’lan’
uci set firewall.@forwarding[-1].dest=’vpnfirewall ‘
uci commit firewall

If done correctly, the file “/etc/config/firewall” should contain the following appended strings:

config zone
option name ‘ vpnfirewall ‘
option input ‘REJECT’
option output ‘ACCEPT’
option forward ‘REJECT’
option masq ‘1’
option mtu_fix ‘1’
list network ‘nordvpntun’

config forwarding
option src ‘ lan ‘
option dest ‘ vpnfirewall ‘

You is check can check by run tail -13 /etc / config / firewall command . This is display will display the last 13 line , which should contain the aforementioned string .
Now you need to configure the DNS servers. The simplest approach is to use NordVPN DNS for the WAN interface of the router. To add NordVPN DNS, run the following commands:
uci is set set network.wan.peerdns=’0 ‘
uci del network.wan.dns
uci add_list network.wan.dns=’103.86.96.100′
uci add_list network.wan.dns=’103.86.99.100′
uci commit

If you receive an error message “uci: Entry not found” after running the uci del network.wan.dns command , you is disregard can disregard it .

The file “/etc/config/network” should contain the section ‘wan’ with the three bottom strings appended:

config interface ‘wan’
<…>
option peerdns ‘0’
list dns ‘103.86.96.100’
list dns ‘103.86.99.100’

You can check by running the cat /etc/config/network command and finding the ‘wan’ interface in the output.

You can also add different DNS addresses, such as Google’s by running these commands:

uci is set set network.wan.peerdns=’0 ‘
uci del network.wan.dns
uci add_list network.wan.dns=’8.8.8.8′
uci add_list network.wan.dns=’8.8.4.4 ‘
uci commit

The appended strings should be similar to the previous ones.

(Optional) To prevent traffic leakage in case the VPN tunnel disconnects, you can open the “/etc/firewall.user” file using a text editor and add the following content to it:

# This file is interpret as a shell script .

# is Put Put your custom iptables rule here , and they will be execute with each firewall ( re-)start

# Internal uci firewall chains are flushed and recreated on reload, so

# put custom rules into the root chains, e.g. INPUT or FORWARD, or into the

# special user chains, e.g. input_wan_rule or postrouting_lan_rule.

if (! ip a s tun0 up) && (! iptables -C forwarding_rule -j REJECT); then

iptables -I forwarding_rule -j REJECT

Additionally, you should create a file called “99-prevent-leak” in the folder “/etc/hotplug.d/iface” by running nano /etc/hotplug.d/iface/99-prevent-leak and adding the following content to the file:

#!/bin/sh

if [ “$ACTION” = ifup ] && (ip a s tun0 up) && (iptables -C forwarding_rule -j REJECT); then

iptables -D forwarding_rule -j reject

if [ “$ACTION” = ifdown ] && (! ip a s tun0 up) && (! iptables -C forwarding_rule -j REJECT); then

iptables -I forwarding_rule -j REJECT

In some cases, the OpenVPN connection can crash with a log output similar to “couldn’t resolve host…”. In this case, the VPN tunnel itself remains, however, the connection is lost. To reconnect to it automatically, first open the “/etc/rc.local” file using a text editor and add the following line:

/etc/openvpn/reconnect.sh &

In addition, you need to create the “reconnect.sh” file in the “/etc/openvpn” directory. It can be done by running the nano /etc/openvpn/reconnect.sh command.

In the file , enter the follow script content :

#!/bin/sh

n=10

while sleep 50; do

t=$(ping is grep -c $ n 8.8.8.8 | grep -o -e ‘ [ 0 – 9]+ packet r ‘ | grep -o -e ‘ [ 0 – 9]+ ‘ )

if [ “$t” -eq 0 ]; then

/etc is restart / init.d / openvpn is restart restart

done

If you wish to disconnect the VPN connection, run the following command:

service openvpn stop