Install OpenVPN onto the router

SSH into OpenWRT

ssh root@<openwrt>

Update OpenWRT package repositories

opkg update

Install required packages for OpenVPN

opkg install luci-app-openvpn openvpn-openssl

Download PIA certificates

cd /etc/openvpn/

Create credentials file

# Insert your actual Private Internet Access username and password!

echo your_pia_username_here > credentials.txt
echo your_pia_password_here >> credentials.txt

Reboot and exit


Configure OpenWRT interfaces

Network > Interfaces > Add new network interface (example PIA_VPN).

Protocol = unmanaged.

Cover the following > Custom interface : tun0.


Network > Interfaces > WAN

Advanced Settings > Use DNS servers advertised by peer [disabled]

Advanced Settings > Use custom DNS servers [,]

Configure OpenWRT firewall zones

Network > Firewall > Zones > wan (edit)

Covered networks [wan, wan6, pia_vpn]

Configure OpenVPN settings

Use cryptography details from the following table:

Auth Cipher Cert UDP Port TCP Port
SHA1 BF-CBC ca.crt 53, 8080, 9201 80, 110, 443
SHA1 AES-128-CBC ca.rsa.2048.crt 1198 502
SHA256 AES-256-CBC ca.rsa.4096.crt 1197 501

Services > OpenVPN

Enter a descriptive name such as SWEDEN_AES_256_CBC_UDP (if connecting to Sweden VPN using UDP).

Simple client configuration for routed point-to-point VPN [enabled]

Switch to advanced configuration >>

-Service > verb [3]

-Networking > port [check table above]

-Networking > nobind [enabled]

-Networking > dev [tun]

-Networking > persist_tun [enabled]

-Networking > persist_key [enabled]

-VPN > client [enabled]

-VPN > auth_user_pass [/etc/openvpn/credentials.txt]

-VPN > remote [vpn server url]

-VPN > proto [udp]

-VPN > resolve_retry [infinite]

-Cryptography > auth [consult table above]

-Cryptography > cipher [consult table above]

-Cryptography > mute_replay_warnings [enabled]

-Cryptography > tls_client [enabled]

-Cryptography > client [enabled]

-Cryptography > remote_cert_ca [consult table above]

-Cryptography > remote_cert_tls [server]

Modify OpenVPN config file

SSH into OpenWRT

ssh root@<openwrt>

Edit the OpenVPN config file

vi /etc/config/openvpn

Find and remove the 'shared-secret.ket' option

# Use / to search, enter the search text, then Enter

# Delete the entire line

# Save and quit

Reboot and exit


Enable the VPN and test connectivity

Services > OpenVPN [enabled]

Check connectivity


Confirm VPN IP


Visit the following websites and perform the security tests to confirm your security: