Setting up a VPN on an OpenWRT router offers an advanced level of privacy and security for your network. OpenWRT is a versatile open-source router firmware that allows for the configuration of a VPN directly on your router. This process ensures that all devices connected to your network benefit from the VPN, without needing to configure each device individually.
Prerequisites
- OpenWRT installed on your router.
- Access to your router’s web interface (LuCI) or command line (SSH).
- A VPN service account (e.g., NordVPN, ExpressVPN, or any OpenVPN-compatible provider).
- Basic knowledge of using SSH or the LuCI web interface.
Step 1: Accessing Your OpenWRT Router
First, you need to log into your OpenWRT router. You can either use the LuCI web interface or access it via SSH.
To log in via SSH, open a terminal on your computer and run:
ssh root@192.168.1.1
Replace 192.168.1.1 with your router’s IP address if it’s different.
Step 2: Installing the VPN Client
OpenWRT uses the opkg package manager to install software. To configure a VPN, you need to install the required VPN client, typically OpenVPN or WireGuard.
To install OpenVPN, run the following command:
opkg update
opkg install openvpn-openssl
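For WireGuard, use this command:
opkg update
# on current OpenWrt releases the package is wireguard-tools; the old "wireguard" metapackage is no longer available
opkg install wireguard-tools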
Once the installation is complete, verify that the packages are correctly installed by running:
opkg list-installed | grep openvpn
Step 3: Configuring the VPN Client
Next, you’ll need to configure the VPN client. This involves setting up the configuration files provided by your VPN provider. These files include the VPN server address, authentication credentials, and encryption settings.
For OpenVPN, you will typically be provided with a .ovpn file. You can upload this file to your router’s file system and reference it in the OpenVPN configuration. Copy the .ovpn file to the router’s /etc/openvpn/ directory using the following command:
scp your-vpn-config.ovpn root@192.168.1.1:/etc/openvpn/
Then, configure OpenVPN to use this file:
# the section type must be "openvpn" for the init script to pick up this instance
uci set openvpn.vpnclient=openvpn
uci set openvpn.vpnclient.enabled='1'
uci set openvpn.vpnclient.config='/etc/openvpn/your-vpn-config.ovpn'
uci commit openvpn
For WireGuard, the configuration file is different, typically ending in .conf. You will need to configure the WireGuard interface by editing the file at /etc/config/network:
config interface 'wg0'
	option proto 'wireguard'
	option private_key 'your_private_key'
	option listen_port '51820'
	# tunnel address assigned by your provider (placeholder)
	list addresses 'your_tunnel_address'
config wireguard_wg0
	option public_key 'your_public_key'
	option endpoint_host 'vpn-provider.com'
	option endpoint_port '51820'
	# allowed_ips is a list; route_allowed_ips installs the matching routes
	list allowed_ips '0.0.0.0/0'
	option route_allowed_ips '1'
	option persistent_keepalive '25'
Step 4: Enabling and Starting the VPN Service
After configuring the VPN client, it’s time to start the service.
For OpenVPN, enable and start the service with the following commands:
uci set openvpn.vpnclient.enabled='1'
uci commit openvpn
/etc/init.d/openvpn start
/etc/init.d/openvpn enable
For WireGuard, use:
uci set network.wg0.enabled='1'
uci commit network
/etc/init.d/network restart
Step 5: Configuring Firewall Rules
Next, ensure that your firewall is configured to allow VPN traffic. OpenWRT has a default firewall setup, but you may need to add specific rules for your VPN.
For OpenVPN, add a rule to allow VPN traffic on UDP port 1194:
uci add firewall rule
uci set firewall.@rule[-1].src='wan'
# without proto the rule matches both TCP and UDP
uci set firewall.@rule[-1].proto='udp'
uci set firewall.@rule[-1].dest_port='1194'
uci set firewall.@rule[-1].target='ACCEPT'
uci commit firewall
/etc/init.d/firewall restart
For WireGuard, allow traffic on the WireGuard port (e.g., 51820):
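uci add firewall rule
uci set firewall.@rule[-1].src='wan'
# WireGuard is UDP only; without proto the rule matches both TCP and UDP
uci set firewall.@rule[-1].proto='udp'
uci set firewall.@rule[-1].dest_port='51820'
uci set firewall.@rule[-1].target='ACCEPT'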
uci commit firewall
/etc/init.d/firewall restart
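A router that only acts as a VPN client dials out, so it does not need an inbound ACCEPT rule on wan; what LAN devices do need is a firewall zone that covers the tunnel, masquerades, and receives forwarding from lan. The script below is an added example, not part of the original guide: it audits `uci show firewall` output for those points, assuming the tunnel device is called tun0 and using constructed sample lines.

```shell
# Added example: audit `uci show firewall` output on a router used as a VPN client.
# Usage on the router: uci show firewall | audit_fw tun0
audit_fw() {   # $1 = tunnel device or interface name (tun0 is an assumption)
    awk -v vpn="$1" -v q="'" '
    {
        eq = index($0, "="); if (!eq) next
        key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
        gsub(q, "", val)                                   # strip UCI quoting
        if (split(key, p, ".") == 2) { type[p[2]] = val; order[++cnt] = p[2]; next }
        opt[p[2], p[3]] = val                              # option of a section
    }
    END {
        for (i = 1; i <= cnt; i++) {
            s = order[i]
            # A VPN client only dials out, so any inbound ACCEPT from wan is flagged.
            if (type[s] == "rule" && opt[s, "src"] == "wan" &&
                opt[s, "target"] == "ACCEPT" && opt[s, "dest_port"] != "") {
                pr = opt[s, "proto"]; if (pr == "") pr = "tcp+udp(default)"
                print "OPEN-PORT " opt[s, "dest_port"] " proto=" pr
            }
            # The zone covering the tunnel has to masquerade LAN traffic.
            if (type[s] == "zone" &&
                index(" " opt[s, "network"] " " opt[s, "device"] " ", " " vpn " ")) {
                zone = opt[s, "name"]
                if (opt[s, "masq"] != "1") print "NO-MASQ " zone
            }
            if (type[s] == "forwarding" && opt[s, "src"] == "lan") fwd[opt[s, "dest"]] = 1
        }
        if (zone == "") print "NO-ZONE " vpn
        else if (!(zone in fwd)) print "NO-FORWARD lan->" zone
        # With lan->wan forwarding, LAN traffic leaves untunnelled if the VPN drops.
        if ("wan" in fwd) print "BYPASS lan->wan"
    }'
}
sample_page_config() {   # constructed: wan zone, lan->wan forwarding, wan ACCEPT rule with no proto
    cat <<'EOF'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].network='wan' 'wan6'
firewall.@zone[1].masq='1'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].src='wan'
firewall.@rule[0].dest_port='1194'
firewall.@rule[0].target='ACCEPT'
EOF
}
sample_page_config | audit_fw tun0
```

An empty result means the tunnel has a masquerading zone with lan forwarding, no lan->wan bypass, and no inbound port opened on wan.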
Step 6: Testing the VPN Connection
Once everything is configured, it’s important to test the VPN connection to ensure it’s working properly. You can do this by checking your public IP address from a device connected to your router.
To check your IP address, you can use a command like curl:
curl ifconfig.me
If the VPN is working correctly, the returned IP address should match the location of the VPN server, not your actual IP address.