1/14/24, 9:50 PM
OpenWrt setup with NordVPN | NordVPN support
Pricing
Features
Servers
What Is a VPN?
Download VPN
Blog
Business VPN
Get NordVPN
Help
Log in
How can we help you?
Type your question here
FAQ
/ Connectivity / Router
NordVPN setup tutorials
General info
Features
OpenWrt setup with NordVPN
SmartPlay
SmartDNS
Billing
Payments
Subscription
Does NordVPN support OpenWrt?
Routers with OpenWRT firmware have been reported to support VPNs like NordVPN.
However, please be aware that the following configuration has not been tested by
NordVPN staff – it has been shared and tested by our wonderful customers instead. In
particular, NordVPN would like to thank ulmwind, an active member of the OpenWRT
community, for their continuous assistance in providing us with up-to-date OpenWRT
Cyber insurance benefits
instructions.
Connectivity
This article provides two OpenWrt setup guides:
Windows
• GUI interface instructions (simplified version)
macOS
• CLI instructions (more advanced)
Android
iOS
Linux
If any issues arise, feel free to contact our support team for further help! This is an
advanced tutorial, but it also provides some simpler instructions.
GUI instructions
Extension
Proxy
In this guide, we will show you how to set up a NordVPN connection on routers using
OpenWrt firmware via the LuCI web interface.
Router
NAS
1. Access the LuCI interface of your OpenWrt router by entering its local IP address
into your internet browser and logging in. The default IP address is 192.168.1.1 and the
username is root.
https://support.nordvpn.com/Connectivity/Router/1047411192/OpenWrt-CI-setup-with-NordVPN.htm
1/17
1/14/24, 9:50 PM
OpenWrt setup with NordVPN | NordVPN support
Pricing
Features
Servers
What Is a VPN?
Download VPN
Business VPN
Blog
Get NordVPN
Help
Log in
By default, there is no password set up, so you may leave this slot empty, however,
when you log in you will get a message to set up a password.
In order to do so, click on System > Administration and you may set up a password
there.
2. Once you have logged in, select the System tab and choose Software.
3. Click the “Update lists” button and wait for the process to finish and click
“Dismiss”.
4. Install the following packages by typing in their name in the “Filter” field and
clicking “Install…”.
1. openvpn-openssl
2. ip-full
3. luci-app-openvpn
https://support.nordvpn.com/Connectivity/Router/1047411192/OpenWrt-CI-setup-with-NordVPN.htm
2/17
1/14/24, 9:50 PM
OpenWrt setup with NordVPN | NordVPN support
Pricing
Features
Servers
What Is a VPN?
Download VPN
Blog
Business VPN
Get NordVPN
Help
Log in
5. Click “Save & Apply” and refresh the router page. Now you should see a new tab
called VPN. Click on it and choose OpenVPN from the dropdown.
6. Now you need to download OpenVPN client configuration files. For this, we
recommend going into our recommended server utility:
https://nordvpn.com/servers/tools/
For the purpose of this guide, we will be using the us5104.nordvpn.com server.
7. Under the “OVPN configuration file upload” section name the VPN connection in
the “Instance name” field (we have named it “nordvpn_us”.) After that, click on the
“Choose File” button, locate the downloaded server file and click “Upload”.
8. In the “OpenVPN instances” section, click the “Edit” button next to the instance
you have just created.
9. In the lower field, enter your NordVPN service credential username and password
into separate lines.
username
password
You can find your NordVPN service credentials (service username and service
password) in the Nord Account dashboard:
1. Click Set up NordVPN manually.
https://support.nordvpn.com/Connectivity/Router/1047411192/OpenWrt-CI-setup-with-NordVPN.htm
3/17
1/14/24, 9:50 PM
OpenWrt setup with NordVPN | NordVPN support
Pricing
Features
Servers
What Is a VPN?
Download VPN
Business VPN
Blog
Get NordVPN
Help
Log in
2. You will receive a verification code in your email that you use for NordVPN
services. Type the code in:
3. Copy the credentials using the “Copy” buttons on the right:
10. Now, copy the path to the credentials file that is given right above the field
containing the credentials and paste it next to the “auth-user-pass” line in the “Config
https://support.nordvpn.com/Connectivity/Router/1047411192/OpenWrt-CI-setup-with-NordVPN.htm
4/17
1/14/24, 9:50 PM
OpenWrt setup with NordVPN | NordVPN support
Pricing
Features
file” section
Servers
What Is above.
a VPN?
Download VPN
Blog
Business VPN
Get NordVPN
Help
Log in
It should look like this: auth-user-pass /etc/openvpn/nordvpn_us.auth
11. Click on the Save button at the bottom.
12. Click on the “Network” tab at the top of the page and choose “Interfaces“.
13. Select the “Add new interface…” button and name it “nordvpntun”.
14. Click on the “Protocol” dropdown menu and choose “Unmanaged”.
15. In the “Interface” dropdown, enter the name “tun0” at the bottom -- custom -field and press the Enter key.
16. Click the “Create interface” and “Save” buttons.
17. Choose the “Network” tab at the top once more and head to the “Firewall”
section.
18. Click the “Add” button and adjust it as follows:
1. Name it “vpnfirewall”;
https://support.nordvpn.com/Connectivity/Router/1047411192/OpenWrt-CI-setup-with-NordVPN.htm
5/17
1/14/24, 9:50 PM
OpenWrt setup with NordVPN | NordVPN support
Pricing
Features
Business VPN
theIs“Input”
as “Reject”;
Servers2. Set
What
a VPN? option
Download
VPN
Blog
Get NordVPN
3. Leave “Output” as “Accept” and “Forward” as “Reject”;
Help
Log in
4. Check the “Masquerading” option;
5. Check the “MSS clamping” option;
6. From the “Covered Networks” dropdown menu choose “nordvpntun”;
7. In the “Allow forward from source zones” dropdown menu, choose “lan”;
8. Click the “Save” button.
19. In the “Zones” section, find the zone named “lan”, and click on the “Edit” button.
20. In the “Allow forward to destination zones” dropdown check the “nordvpntun”
entry.
https://support.nordvpn.com/Connectivity/Router/1047411192/OpenWrt-CI-setup-with-NordVPN.htm
6/17
1/14/24, 9:50 PM
OpenWrt setup with NordVPN | NordVPN support
Pricing
Features
Servers
What Is a VPN?
Download VPN
Business VPN
Blog
Get NordVPN
Help
Log in
21. Once more, click “Network'' at the top of the page and then choose “DHCP and
DNS” from the dropdown list.
22. In the “General Settings” tab, find the “DNS forwardings” option and enter
NordVPN DNS addresses there. The addresses are: 103.86.96.100 and
103.86.99.100
23. Go to the “Resolv and Hosts Files” tab, check the “Ignore resolve file” checkbox,
and click the “Save & Apply” button.
https://support.nordvpn.com/Connectivity/Router/1047411192/OpenWrt-CI-setup-with-NordVPN.htm
7/17
1/14/24, 9:50 PM
OpenWrt setup with NordVPN | NordVPN support
Pricing
Features
Servers
What Is a VPN?
Download VPN
Business VPN
Blog
Get NordVPN
Help
Log in
24. Lastly, please head back to the “VPN” > “OpenVPN” tab.
25. In the “OpenVPN instances” section, check the “Enable” option next to the
NordVPN option in the list, and click the “Save & Apply” button.
26. Click the “Start” button next to the created NordVPN instance to connect to the
VPN server.
When you have followed these instructions, you should be connected using the
configured connection. To check if you were successful, visit NordVPN’s homepage —
the status at the top of the page should say “Protected”
If you wish to disconnect the VPN connection, you can click on the “Stop” button next
to the NordVPN option in the “VPN” > “OpenVPN” > “OpenVPN instances'' section.
CLI instructions
If you're looking for a more advanced tutorial, follow this guide instead. To gain the
benefits of a VPN on OpenWrt, you need a router with both OpenWrt firmware and an
enabled OpenVPN client. The main page of the firmware is https://openwrt.org/.
1. In order to start, you would need to access your router via SSH using its LAN IP
address. By default, the IP address is set to 192.168.1.1 and the username is root,
https://support.nordvpn.com/Connectivity/Router/1047411192/OpenWrt-CI-setup-with-NordVPN.htm
8/17
1/14/24, 9:50 PM
OpenWrt setup with NordVPN | NordVPN support
Pricing
Features
Business VPN
however,
the
address
may differ
if youBlog
changed any of the default values.
Servers
What
Is aIP
VPN?
Download
VPN
Get NordVPN
Help
Log in
2. The OpenVPN package is not included in the firmware image by default. To install
it, please run the following commands:
opkg update
opkg install openvpn-openssl
opkg install ip-full
Additionally, you may install the LuCI component of the OpenVPN configuration,
however, it is optional. You can do so by running this command:
opkg install luci-app-openvpn
3. Once you have installed the OpenVPN package, you can make it launch
automatically whenever the router starts by running this command:
/etc/init.d/openvpn enable
4. Next, you will need to download the server configuration files. For this, we suggest
using our recommended server utility. For this guide, we used the server
uk2054.nordvpn.com, however, you should use the server that the website suggests
for you.
To download a server file, choose the country where you wish to connect, click on
“Show available protocols”, right-click on “Download config” for “OpenVPN TCP” or
“OpenVPN UDP” and choose “Copy link address”.
After that, return to your SSH session and run the following command:
wget -P /etc/openvpn
https://downloads.nordcdn.com/configs/files/ovpn_udp/servers/uk2054.nordvpn.
After that, return to your SSH session and run the following
command: wget -P /etc/openvpn
However, make sure to use the link you copied for your specific server file. This
command will download the configuration file to the /etc/openvpn directory for easy
access.
Alternatively, you may download the server configuration file on a different machine
and transfer it to the OpenWrt router using alternate methods, such as SCP or SFTP
protocols.
For older OpenWrt builds:
You can simply download an archive here
https://downloads.nordcdn.com/configs/archives/certificates/servers.zip. In the
downloaded archive, you will find the corresponding files with .crt and .key
extensions. The files are specific for each VPN server.
https://support.nordvpn.com/Connectivity/Router/1047411192/OpenWrt-CI-setup-with-NordVPN.htm
9/17
1/14/24, 9:50 PM
OpenWrt setup with NordVPN | NordVPN support
Pricing
Features
Business VPN
5. TheWhat
OpenVPN
configuration
NordVPN
Servers
Is a VPN?
Downloadfor
VPN
Blog requires you to enter your NordVPN
Get NordVPN
Help
Log in
service credential username and password every time OpenVPN starts. However, we
will make some adjustments so the credentials would be provided automatically.
First, to make the process easier, we will install the nano text editor by running the
following command:
opkg install nano
Otherwise, you may use the built-in vi text editor. For more information regarding text
editors, please refer to this article:
https://openwrt.org/docs/guide-user/base-system/user.beginner.cli.
Now, open the downloaded server configuration file using the nano text editor. In our
case, the command would be:
nano /etc/openvpn/uk2054.nordvpn.com.udp.ovpn
After that, append the word “secret” (without quotation marks) to the string “authuser-pass”. The resulting line should be:
auth-user-pass secret
Now, we need to create a new file named secret, where the NordVPN service
credentials will be stored. To do so, run the following command:
nano /etc/openvpn/secret
It will create the new file and open it using the nano text editor.
In the first line of the file enter your NordVPN service username, and the second NordVPN service password.
You can find your NordVPN service credentials (service username and service
password) in the Nord Account dashboard:
1. Click Set up NordVPN manually.
https://support.nordvpn.com/Connectivity/Router/1047411192/OpenWrt-CI-setup-with-NordVPN.htm
10/17
1/14/24, 9:50 PM
OpenWrt setup with NordVPN | NordVPN support
Pricing
Features
Servers
What Is a VPN?
Download VPN
Blog
Business VPN
Get NordVPN
Help
Log in
2. You will receive a verification code in your email that you use for NordVPN
services. Type the code in:
3. Copy the credentials using the “Copy” buttons on the right:
6. Configure OpenVPN using the downloaded configuration file in one of two ways:
1. Change the file’s extension from .ovpn to .conf, which will allow OpenVPN to
find it automatically by its extension.
To do so, you can use the mv command:
mv /etc/openvpn/uk2054.nordvpn.com.udp.ovpn
/etc/openvpn/uk2054.nordvpn.com.udp.conf
2. Specify the file name in “/etc/config/openvpn” by using the following “uci”
commands:
uci set openvpn.nordvpn=openvpn
uci set openvpn.nordvpn.enabled='1'
uci set
https://support.nordvpn.com/Connectivity/Router/1047411192/OpenWrt-CI-setup-with-NordVPN.htm
11/17
1/14/24, 9:50 PM
OpenWrt setup with NordVPN | NordVPN support
Pricing
Features
Business VPN
Serversopenvpn.nordvpn.config='/etc/openvpn/uk2054.nordvpn.com.udp.ovpn'
What Is a VPN?
Download VPN
Blog
Get NordVPN
Help
Log in
uci commit openvpn
After that, the file “/etc/config/openvpn” should contain the following appended
strings:
config openvpn 'nordvpn'
option enabled '1'
option config '/etc/openvpn/uk2054.nordvpn.com.udp.ovpn'
You can check by running this command:
tail /etc/config/openvpn
You may also change the file’s extension from .ovpn to .conf and specify it in the
file “/etc/config/openvpn” - in that case, however, OpenVPN will start with this
configuration file just once.
7. Create a new network interface by running the following commands:
uci set network.nordvpntun=interface
uci set network.nordvpntun.proto='none'
uci set network.nordvpntun.ifname='tun0'
uci commit network
The file “/etc/config/network” should contain the following appended strings, if
everything was done properly:
config interface 'nordvpntun'
option proto 'none'
option ifname 'tun0'
It can be checked by using the tail /etc/config/network command.
8. Create a new firewall zone and add a forwarding rule from LAN to VPN by running
the following commands:
uci add firewall zone
uci set firewall.@zone[-1].name='vpnfirewall'
uci set firewall.@zone[-1].input='REJECT'
uci set firewall.@zone[-1].output='ACCEPT'
uci set firewall.@zone[-1].forward='REJECT'
uci set firewall.@zone[-1].masq='1'
uci set firewall.@zone[-1].mtu_fix='1'
uci add_list firewall.@zone[-1].network='nordvpntun'
uci add firewall forwarding
uci set firewall.@forwarding[-1].src='lan'
uci set firewall.@forwarding[-1].dest='vpnfirewall'
uci commit firewall
If done correctly, the file “/etc/config/firewall” should contain the following appended
https://support.nordvpn.com/Connectivity/Router/1047411192/OpenWrt-CI-setup-with-NordVPN.htm
12/17
1/14/24, 9:50 PM
OpenWrt setup with NordVPN | NordVPN support
Pricing
Features
strings:
Servers
What Is a VPN?
Download VPN
Blog
Business VPN
Get NordVPN
Help
Log in
config zone
option name 'vpnfirewall'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'nordvpntun'
config forwarding
option src 'lan'
option dest 'vpnfirewall'
You can check by running tail -13 /etc/config/firewall command. This will display
the last 13 lines, which should contain the aforementioned strings.
9. Now you need to configure the DNS servers. The simplest approach is to use
NordVPN DNS for the WAN interface of the router. To add NordVPN DNS, run the
following commands:
uci set network.wan.peerdns='0'
uci del network.wan.dns
uci add_list network.wan.dns='103.86.96.100'
uci add_list network.wan.dns='103.86.99.100'
uci commit
If you receive an error message “uci: Entry not found” after running the uci del
network.wan.dns command, you can disregard it.
The file “/etc/config/network” should contain the section ‘wan’ with the three bottom
strings appended:
config interface 'wan'
<...>
option peerdns '0'
list dns '103.86.96.100'
list dns '103.86.99.100'
You can check by running the cat /etc/config/network command and finding the
‘wan’ interface in the output.
You can also add different DNS addresses, such as Google’s by running these
commands:
uci set network.wan.peerdns='0'
uci del network.wan.dns
uci add_list network.wan.dns='8.8.8.8'
uci add_list network.wan.dns='8.8.4.4'
uci commit
https://support.nordvpn.com/Connectivity/Router/1047411192/OpenWrt-CI-setup-with-NordVPN.htm
13/17
1/14/24, 9:50 PM
OpenWrt setup with NordVPN | NordVPN support
Pricing
Features
Servers
What Is a VPN?
Download VPN
Blog
Get NordVPN
The appended strings should be similar to the previous ones.
Business VPN
Help
Log in
(Optional) To prevent traffic leakage in case the VPN tunnel disconnects, you can open
the “/etc/firewall.user” file using a text editor and add the following content to it:
# This file is interpreted as a shell script.
# Put your custom iptables rules here, and they will be executed with each firewall
(re-)start
# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains, e.g. INPUT or FORWARD, or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
if (! ip a s tun0 up) && (! iptables -C forwarding_rule -j REJECT); then
iptables -I forwarding_rule -j REJECT
fi
Additionally, you should create a file called “99-prevent-leak” in the folder
“/etc/hotplug.d/iface” by running nano /etc/hotplug.d/iface/99-prevent-leak and
adding the following content to the file:
#!/bin/sh
if [ "$ACTION" = ifup ] && (ip a s tun0 up) && (iptables -C forwarding_rule -j
REJECT); then
iptables -D forwarding_rule -j REJECT
fi
if [ "$ACTION" = ifdown ] && (! ip a s tun0 up) && (! iptables -C forwarding_rule -j
REJECT); then
iptables -I forwarding_rule -j REJECT
fi
In some cases, the OpenVPN connection can crash with a log output similar to “couldn’t
resolve host…”. In this case, the VPN tunnel itself remains, however, the connection is
lost. To reconnect to it automatically, first open the “/etc/rc.local” file using a text editor
and add the following line:
https://support.nordvpn.com/Connectivity/Router/1047411192/OpenWrt-CI-setup-with-NordVPN.htm
14/17
1/14/24, 9:50 PM
OpenWrt setup with NordVPN | NordVPN support
Pricing
Features
/etc/openvpn/reconnect.sh
&
Servers
What Is a VPN?
Download
VPN
Blog
Business VPN
Get NordVPN
Help
Log in
In addition, you need to create the “reconnect.sh” file in the “/etc/openvpn” directory. It
can be done by running the nano /etc/openvpn/reconnect.sh command.
In the file, enter the following script contents:
#!/bin/sh
n=10
while sleep 50; do
t=$(ping -c $n 8.8.8.8 | grep -o -E '[0-9]+ packets r' | grep -o -E '[0-9]+')
if [ "$t" -eq 0 ]; then
/etc/init.d/openvpn restart
fi
done
When you have followed these instructions, you should be connected using the
configured connection. To check if you were successful, visit NordVPN’s homepage —
the status at the top of the page should say “Protected.”
If you wish to disconnect the VPN connection, run the following command:
service openvpn stop
Was this article helpful?
Yes
No
Related Articles
Setting up a router with NordVPN
Setting up TP-Link with NordVPN
Routers that do not support NordVPN
How to configure your Asus router running original firmware (AsusWRT)
https://support.nordvpn.com/Connectivity/Router/1047411192/OpenWrt-CI-setup-with-NordVPN.htm
15/17
1/14/24, 9:50 PM
OpenWrt setup with NordVPN | NordVPN support
Pricing
Features
Servers
What Is a VPN?
Download VPN
Blog
Business VPN
© Copyright 2023 all rights reserved
Get NordVPN
Help
Log in
Self-service by
Download the NordVPN mobile app for iOS or Android.
NORDVPN
VPN APPS
About Us
Windows
Careers
macOS
VPN Free Trial
Linux
VPN Routers
Android
Reviews
iOS: iPhone / iPad
Student & Employee Discount
Chrome
Refer a Friend
Firefox
Research Lab
Edge
ENGAGE
HELP
What Is a VPN?
Support Center
IP Lookup
Tutorials
What Is My IP?
FAQ
Cybersecurity Glossary
Privacy Policy
Social Responsibility
Terms of Service
Cybersecurity Hub
Contact Us
Press Area
Become a Partner
FOLLOW US
DISCOVER
Facebook
Nord Security
Twitter
NordLayer
LinkedIn
NordPass
YouTube
NordLocker
Instagram
https://support.nordvpn.com/Connectivity/Router/1047411192/OpenWrt-CI-setup-with-NordVPN.htm
16/17
1/14/24, 9:50 PM
OpenWrt setup with NordVPN | NordVPN support
Pricing
English
Features
Servers
What Is a VPN?
Download VPN
Business VPN
Blog
Get NordVPN
Help
Log in
© 2024 Nord Security. All Rights Reserved · support@nordvpn.com
https://support.nordvpn.com/Connectivity/Router/1047411192/OpenWrt-CI-setup-with-NordVPN.htm
17/17