The best VPNs for DD-WRT routers and how to set up OpenVPN on DD-WRT

Published by on July 19, 2017 in VPN & Privacy

Linksys_WRT3200ACM_(0022)

Setting up a VPN on your wifi router offers two key advantages:

  • You can connect as many devices as you want to the VPN
  • You can connect devices that don’t normally support VPNs to the VPN

While most wifi routers don’t ship with VPN support built-in, you can replace many routers’ firmware with something that does. Perhaps the most popular router firmware for doing this is DD-WRT. DD-WRT is a free and open source solution based on Linux that works with a wide variety of third-party wireless routers. Among other benefits, most DD-WRT distributions allow users to configure OpenVPN connections directly from the router. Some providers sell DD-WRT routers pre-configured for their VPNs, saving you the headache of setting it up yourself.

Once this is set up, you can connect as many devices as you want to a single VPN connection, so long as you have bandwidth available. That includes devices that don’t normally support VPNs or VPN apps, including game consoles (PlayStation, Xbox) and streaming media devices (Chromecast, Roku, Amazon Fire TV, Apple TV).

To get started, you’ll need to find a VPN that offers the files and support you need to get connected. We’ve curated our list of the best 5 VPNs for DD-WRT routers based on the following criteria:

  • Allows you to download OpenVPN configuration files for each server
  • Offers support for DD-WRT users in the form of customer service and/or tutorials
  • OpenVPN connections include DNS leak protection
  • Fast and reliable performance
  • Strong security and no logs

ExpressVPN

expressvpn router
ExpressVPN is our top pick for users who want VPN-enabled routers. The provider offers tutorials, OpenVPN config files, and live customer support for DD-WRT users. On top of that, ExpressVPN makes its own easy-to-use firmware for a handful of LinkSys routers that you can install yourself, or buy the routers pre-configured. The firmware makes it far easier to get set up, switch servers, and configure split tunneling for every device in your home.

DNS leak protection is included with all server configurations. The company keeps no identifying activity or metadata logs. ExpressVPN uses the highest standards of security, including 256-bit AES channel encryption and perfect forward secrecy. It sets a gold standard when it comes to speed and stability. ExpressVPN can unblock geo-locked streaming services that most VPNs can’t, like US Netflix and Hulu.

Read our full ExpressVPN review.

Get 3 months free: You can get an extra 3 months free here with ExpressVPN’s annual plan. This includes a 30 day money-back guarantee so you can try risk free and receive a full, no questions asked, refund if you’re not happy or just need access for a short time.

IPVanishipvanish home page

The IPVanish website includes a directory of OpenVPN config files and instructions on how to use them. That includes all the necessary scripts that you’ll need to enter into the DD-WRT configuration. IPVanish pre-configured DD-WRT routers are available through Flashrouters.

IPVanish comes with DNS leak protection and IPv6 leak protection built in. The company keeps zero logs of user activity and metadata. PPTP and OpenVPN are both available for DD-WRT users, with 128- and 256-bit encryption, respecitvely. We recommend using the latter.

Read our full IPVanish review.

Cheap deal: There is a 60% saving on the IPVanish annual plan here or a 25% discount on the monthly plan.

NordVPNmac_cover nord

NordVPN offers customer support and tutorials for DD-WRT users. You can also buy Linksys, Netgear, or Asus routers with DD-WRT installed and NordVPN pre-configured from Flashrouters. OpenVPN config files for all of NordVPN’s servers, including the double-hop VPN and Tor over VPN servers, are available for download directly from the website.

DNS leak protection comes built in. NordPVN maintains a strict no-logs policy and thus doesn’t store any information or metadata related to your online activity on its servers. The company uses military-grade 256-bit encryption to protect your data, and you’ll have no problem finding a fast server on its huge network of servers around the world. NordVPN is able to unblock US Netflix and Hulu, streaming services that most VPNs are unable to access.

Read our full NordVPN review.

Hidden deal: Hidden away on NordVPN’s website (it’s not visible from the home page or pricing page) is a 2 year deal which offers a huge 72% discount on the 2 year plan.

VyprVPNvyprvpn website

VyprVPN’s website has tutorials and configuration details for connecting to any of its servers via OpenVPN and PPTP, although we strongly recommend the former. There are no pre-configured routers available. However, if your router will run Tomato firmware, VyprVPN does make a custom VPN app for that. Live customer service available should you need any help getting OpenVPN set up.

The company keeps no traffic logs but does record users’ source IP. That information is only retained for 30 days, but if it’s a privacy concern then consider looking elsewhere. Otherwise, VyprVPN offers top-notch security with 256-bit encryption, Netflix unblocking, and fantastic speeds. Unfortunately, if you added VyprVPN’s proprietary Chameleon protocol to your subscription, this can’t be set up on DD-WRT.

Read our full VyprVPN review.

CyberGhost ProCyberghost large image

CyberGhost offers a DD-WRT tutorial and configurations to paid users. You can even specify which features you want included in a custom configuration when adding a device from your user dashboard, such as tracking prevention, ad blocking, force HTTPS, and data compression.

CyberGhost keeps no identifying activity or metadata logs. 256-bit encryption is used to protect your connection along with DNS leak protection. The VPN performed well in our speed tests.

Try it risk free: CyberGhost has a huge 73% deal on the 2 year plan here which includes a 30 day money back guarantee so you can try it risk free.

Avoid free VPNs

Most free VPNs don’t offer up their OpenVPN configurations to be used with routers. Even if they did, you probably would want to avoid them. Free VPNs tend to use poor security, can inject ads into your browser, and will even record your browsing activity to sell to advertisers. The limited number of servers tend to be congested, and caps on bandwidth or data are often implemented.

VPNBook is one provider that offers OpenVPN configurations free of charge, but relatively little is known about who is behind the operation. In 2013, hacker collective Anonymous once accused VPNBook of being a honeypot for law enforcement after logs from the provider appeared in court documents. This is just one example of why you should be extremely wary of any VPN that purports to give its service away for free.

Will DD-WRT work on my router?

Not all routers support DD-WRT. You can find a list of supported devices on the official DD-WRT website. Cheaper and newer routers are less likely to support the firmware. Old routers may use an outdated version of DD-WRT that doesn’t support OpenVPN. Your router will require at least 8 MB of flash memory.

Be doubly sure that you download and install the correct version of DD-WRT for your router, and follow the instructions provided by DD-WRT carefully. Attempting to flash an incompatible version or flashing improperly could permanently damage your device.

How to set up OpenVPN on DD-WRT

First off, go to your VPN provider’s website and download the OpenVPN configuration files–they’ll have a .ovpn extension–for all of the servers you want to connect to. You’ll also need your username and password for the VPN.

While connected to your router, preferably via LAN, go to your router dashboard in a web browser. You can usually do this by typing http://192.168.1.1 into the URL bar. If that doesn’t work, try http://192.168.0.1. Log into your dashboard using the credentials you set upon first installing DD-WRT.

Click on the Services tab, then VPN. Under OpenVPN Client, toggle Enable. The configuration panel will appear.dd wrt 1

What you do next depends on your version of DD-WRT. If your firmware has User Pass Authentication, you’ll need to open the configuration file for the server you want to connect to with a text editor such as Notepad. Copy over the settings from the config file, including the server address (an IP address or domain name), a username, and a password. Depending on your provider, you may also need to set the port, tunnel protocol, encryption cipher and/or hash algorithm. Consult your provider’s customer service or knowledge base to get these details.

dd wrt 2

If your firmware does not have User Pass Authentication, find the Additional Config text box and enter this command:

auth-user-pass /tmp/auth.txt

You’ll see several fields that correspond to those in your OpenVPN config file. Open the config (.ovpn) file in a text editor such as Notepad. You’ll need to copy over the server address (IP address or domain name) and the port number, which are shown after the “remote” line in the config file.

To configure keys and certificates, you’ll need to consult your VPN provider’s customer service or knowledge base to get the proper commands to enter into the Additional Config box. Copy and paste the TLS auth key, CA cert, public client cert, private client key, into each of the respective fields in the DD-WRT dashboard.

Once you’re done, click Apply settings to initiate the VPN connection.dd wrt 3

Setting the DNS on your router

If you want to prevent your ISP from receiving DNS requests, which can give away your location and browsing activity, you should also considering setting your DNS servers in DD-WRT. While you can usually specify these on individual devices, you can take care of all of them at once in DD-WRT.

In the DD-WRT dashboard, go to Setup > Basic Setup. Under Network Address Server Settings (DHCP) and enter the DNS addresses next to Static DNS 1, 2, and 3. You can use Google DNS, OpenNIC, or DNS servers provided by your VPN provider.dd wrt 4 dns

Click Save and Apply settings.

We’re not quite done yet. Go to Services > Services. Under DNSMasq, in the Additional DNSMasq Options, enter this command, replacing “dns.ip.1.here” with the DNS servers you used above:

dhcp-option=6, dns.ip.1.here, dns.ip.1.here, dns.ip.1.here, dns.ip.1.here

Enable DNSMasq. This will ensure all DNS requests are sent through the VPN tunnel.dd wrt 5

Split tunneling in DD-WRT

In some cases, you may only want certain devices to have their internet traffic routed through the VPN. Some builds of DD-WRT allow for split tunneling, which allows you to pick and choose which devices get tunneled through the VPN and which use the unencrypted ISP network.

To set this up, in the DD-WRT dashboard, go to Service > VPN. Find the Policy based routing box and enter IP addresses for each of the devices you want to go through the VPN.

If you want to enable split tunneling for specific websites, apps, servers or other traffic destinations, this will have to be set up in the firewall using iptables. Go to Administration > Commands. Under Firewall click Edit and enter the necessary commands. These vary widely depending on what exactly you want to accomplish, so some further googling will be required.

What about PPTP?

Some DD-WRT support the PPTP VPN protocol, but we don’t recommend using it. While it may work as a rudimentary VPN, it has known security vulnerabilities. You can read more about PPTP and its flaws here.

PPTP is simpler to set up and is generally considered faster than OpenVPN, however. So if you’re not concerned about security or privacy and just want a VPN to use as a basic proxy, PPTP could fit the bill.

The cons of using a VPN on your router

Configuring a VPN on your DD-WRT router has some clear benefits as described above, but it has some drawbacks to consider as well.

The first is that all devices are tunneled through a single VPN connection, which, depending on the provider and server, might get congested quickly if you have a lot of devices connected to the router.

If the server is experiencing downtime or for some reason doesn’t suit your needs, disabling the VPN or switching servers is a pain. Pre-configured routers or custom firmware, such as that offered by ExpressVPN, make these problems easier to deal with than stock DD-WRT.

Linksys WRT3200ACM” by Gregory Varnum licensed under CC BY-SA 4.0

Leave a Reply

Your email address will not be published. Required fields are marked *