Install OpenVPN onto the router

SSH into OpenWRT

ssh root@<openwrt>

Update OpenWRT package repositories

opkg update

Install required packages for OpenVPN

opkg install luci-app-openvpn openvpn-openssl

Download PIA certificates

cd /etc/openvpn/
wget https://www.privateinternetaccess.com/openvpn/ca.crt
wget https://www.privateinternetaccess.com/openvpn/ca.rsa.2048.crt
wget https://www.privateinternetaccess.com/openvpn/ca.rsa.4096.crt

Create credentials file

# Insert your actual Private Internet Access username and password!

echo your_pia_username_here > credentials.txt
echo your_pia_password_here >> credentials.txt

Reboot and exit

reboot

Configure OpenWRT interfaces

Network > Interfaces > Add new network interface (example PIA_VPN).

Protocol = unmanaged.

Cover the following > Custom interface : tun0.

---

Network > Interfaces > WAN

Advanced Settings > Use DNS servers advertised by peer [disabled]

Advanced Settings > Use custom DNS servers [209.222.18.222, 209.222.18.218]

Configure OpenWRT firewall zones

Network > Firewall > Zones > wan (edit)

Covered networks [wan, wan6, pia_vpn]

Configure OpenVPN settings

Use cryptography details from the following table:

Auth     Cipher        Cert              UDP Port         TCP Port
SHA1     BF-CBC        ca.crt            53, 8080, 9201   80, 110, 443
SHA1     AES-128-CBC   ca.rsa.2048.crt   1198             502
SHA256   AES-256-CBC   ca.rsa.4096.crt   1197             501

Services > OpenVPN

Enter a descriptive name such as SWEDEN_AES_256_CBC_UDP (if connecting to Sweden VPN using UDP).

Simple client configuration for routed point-to-point VPN [enabled]

Switch to advanced configuration >>

-Service > verb [3]

-Networking > port [check table above]

-Networking > nobind [enabled]

-Networking > dev [tun]

-Networking > persist_tun [enabled]

-Networking > persist_key [enabled]

-VPN > client [enabled]

-VPN > auth_user_pass [/etc/openvpn/credentials.txt]

-VPN > remote [vpn server url]

-VPN > proto [udp]

-VPN > resolve_retry [infinite]

-Cryptography > auth [consult table above]

-Cryptography > cipher [consult table above]

-Cryptography > mute_replay_warnings [enabled]

-Cryptography > tls_client [enabled]

-Cryptography > client [enabled]

-Cryptography > remote_cert_ca [consult table above]

-Cryptography > remote_cert_tls [server]
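
An added example, not part of the original guide: a shell check that the auth, cipher, certificate and port saved in /etc/config/openvpn all come from the same row of the table above, and that credentials.txt is readable only by its owner. The UCI option names (auth, cipher, ca, proto, port) and the sample section are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example. Assumed (not stated on the page): LuCI stores the fields as
# UCI options named auth, cipher, ca, proto and port, with single-quoted values.

# uci_get FILE OPTION: print the value of the first matching "option" line.
uci_get() {
    sed -n "s/^[[:space:]]*option[[:space:]][[:space:]]*$2[[:space:]][[:space:]]*'\([^']*\)'.*/\1/p" "$1" | head -n 1
}

# row_ok AUTH CIPHER CERT PROTO PORT: succeed only for a combination that
# appears as one row of the table above.
row_ok() {
    case "$1|$2|$3" in
        "SHA1|BF-CBC|ca.crt")                 udp="53 8080 9201"; tcp="80 110 443" ;;
        "SHA1|AES-128-CBC|ca.rsa.2048.crt")   udp="1198"; tcp="502" ;;
        "SHA256|AES-256-CBC|ca.rsa.4096.crt") udp="1197"; tcp="501" ;;
        *) return 1 ;;
    esac
    case "$4" in
        udp*) ports=$udp ;;
        tcp*) ports=$tcp ;;
        *) return 1 ;;
    esac
    for p in $ports; do
        [ "$p" = "$5" ] && return 0
    done
    return 1
}

# check_config FILE: read the five settings and test them as one row.
check_config() {
    cert=$(uci_get "$1" ca)
    row_ok "$(uci_get "$1" auth)" "$(uci_get "$1" cipher)" "${cert##*/}" \
           "$(uci_get "$1" proto)" "$(uci_get "$1" port)"
}

# creds_private FILE: succeed only if the file is readable by its owner alone.
creds_private() {
    case "$(ls -ld "$1" 2>/dev/null)" in
        -r[w-]-------*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample section, not taken from a real router: cipher and cert
# come from different rows, so the check reports a mismatch.
sample=$(mktemp)
printf "config openvpn 'SWEDEN_AES_256_CBC_UDP'\n\toption auth 'SHA256'\n\toption cipher 'AES-128-CBC'\n\toption ca '/etc/openvpn/ca.rsa.4096.crt'\n\toption proto 'udp'\n\toption port '1197'\n" > "$sample"
check_config "$sample" && echo "matches a table row" || echo "mixed rows: fix auth/cipher/cert/port"
rm -f "$sample"
```

On the router, run check_config /etc/config/openvpn and creds_private /etc/openvpn/credentials.txt. The echo commands create credentials.txt with the default umask, so chmod 600 /etc/openvpn/credentials.txt is needed for the second check to pass.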

Modify OpenVPN config file

SSH into OpenWRT

ssh root@<openwrt>

Edit the OpenVPN config file

vi /etc/config/openvpn

Find and remove the 'shared-secret.key' option

# Use / to search, enter the search text, then Enter
/shared-secret

# Delete the entire line
dd

# Save and quit
:wq

Reboot and exit

reboot

Enable the VPN and test connectivity

Services > OpenVPN [enabled]

Check connectivity

ping 1.1.1.1
ping www.google.co.uk

Confirm VPN IP

curl ifconfig.io

Visit the following websites and perform the security tests to confirm your security: