Back to Guides

DD-WRT routers and Mullvad VPN

What is DD-WRT?

As stated on dd-wrt.com, DD-WRT is a Linux-based, alternative open-source firmware suitable for a wide variety of WLAN routers and embedded systems. The main emphasis is to provide the easiest-possible handling while at the same time supporting a great number of functionalities within the framework of the respective hardware platform used.

DD-WRT has support for OpenVPN and can be used to connect to the Mullvad VPN servers.

Installing DD-WRT on your router

You can check online if your router is supported and then download DD-WRT.

Installing OpenVPN and Mullvad on your router comes with some benefits:

  • You can secure your whole network and all devices connected to the router.
  • You can run Mullvad on more than three devices (all devices connected to the router).
  • Via the router, you can even run Mullvad on devices that have no support for OpenVPN.
  • A router is designed for routing, naturally, and is not disturbed by other programs and settings like a program in a computer might be. It works well and is stable.

Expected performance of OpenVPN on a router

Running OpenVPN on a router is demanding. On a router with a 400mhz ARM CPU, you can expect performance around 7–10Mbps. It scales relatively linearly, so on a router with 1.6Ghz ARM CPU we would expect performance around 30–40Mbps.

For other speed-related questions, please read our Speed Guide. Also keep in mind that OpenVPN itself does not use multiple cores and that x86 CPUs will perform a lot better.

Before you set up OpenVPN

A DD-WRT router's default IP address is normally 192.168.1.1. Sometimes this address is in conflict with other routers and you might have to change it. If so, try 192.168.10.1, but remember to change the default address everywhere that it is mentioned in this guide.

The first time you connect, you will be prompted to replace the admin login usernamn and password with your own.

Setting up Mullvad VPN

Follow the instructions below (please read through once before starting).

VPN tab

Click on the tab Services and then the subtab VPN. This is where you will set up the Mullvad VPN.

OpenVPN: Enable

Next to Start OpenVPN Client, choose Enable. 

Server IP/Name

Next to Server IP/Name, specify your preferred exit country by entering the corresponding server IP. For example:

  • se.mullvad.net (Sweden)
  • nl.mullvad.net (Netherlands).

For a list of all options, please look at our list of severs.

Port

Change to "1300".

Encryption Algorithm

Change to "AES-256 CBC".

Hash Algorithm

Change to "SHA1".

User Pass Authentication

Change to Enabled. Enter your Mullvad Account Number as username and use the password "m"

Enable advanced options

Next to Advanced Options, check "Enable".

LZO Compression

Change to "Yes".

NAT

Change to "Enable"

nsCertType verification

Check the box.

 

Additional Config

Enable Advanced Options in order to:

Under Additional Config, enter the following text:

tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA
verb 4

The "verb 4" text is optional and is used for more detailed logging to help with problem solving.

CA Cert

Past the following text to CA Cert

-----BEGIN CERTIFICATE-----
MIIGIzCCBAugAwIBAgIJAK6BqXN9GHI0MA0GCSqGSIb3DQEBCwUAMIGfMQswCQYD
VQQGEwJTRTERMA8GA1UECAwIR290YWxhbmQxEzARBgNVBAcMCkdvdGhlbmJ1cmcx
FDASBgNVBAoMC0FtYWdpY29tIEFCMRAwDgYDVQQLDAdNdWxsdmFkMRswGQYDVQQD
DBJNdWxsdmFkIFJvb3QgQ0EgdjIxIzAhBgkqhkiG9w0BCQEWFHNlY3VyaXR5QG11
bGx2YWQubmV0MB4XDTE4MTEwMjExMTYxMVoXDTI4MTAzMDExMTYxMVowgZ8xCzAJ
BgNVBAYTAlNFMREwDwYDVQQIDAhHb3RhbGFuZDETMBEGA1UEBwwKR290aGVuYnVy
ZzEUMBIGA1UECgwLQW1hZ2ljb20gQUIxEDAOBgNVBAsMB011bGx2YWQxGzAZBgNV
BAMMEk11bGx2YWQgUm9vdCBDQSB2MjEjMCEGCSqGSIb3DQEJARYUc2VjdXJpdHlA
bXVsbHZhZC5uZXQwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCifDn7
5E/Zdx1qsy31rMEzuvbTXqZVZp4bjWbmcyyXqvnayRUHHoovG+lzc+HDL3HJV+kj
xKpCMkEVWwjY159lJbQbm8kkYntBBREdzRRjjJpTb6haf/NXeOtQJ9aVlCc4dM66
bEmyAoXkzXVZTQJ8h2FE55KVxHi5Sdy4XC5zm0wPa4DPDokNp1qm3A9Xicq3Hsfl
LbMZRCAGuI+Jek6caHqiKjTHtujn6Gfxv2WsZ7SjerUAk+mvBo2sfKmB7octxG7y
AOFFg7YsWL0AxddBWqgq5R/1WDJ9d1Cwun9WGRRQ1TLvzF1yABUerjjKrk89RCzY
ISwsKcgJPscaDqZgO6RIruY/xjuTtrnZSv+FXs+Woxf87P+QgQd76LC0MstTnys+
AfTMuMPOLy9fMfEzs3LP0Nz6v5yjhX8ff7+3UUI3IcMxCvyxdTPClY5IvFdW7CCm
mLNzakmx5GCItBWg/EIg1K1SG0jU9F8vlNZUqLKz42hWy/xB5C4QYQQ9ILdu4ara
PnrXnmd1D1QKVwKQ1DpWhNbpBDfE776/4xXD/tGM5O0TImp1NXul8wYsDi8g+e0p
xNgY3Pahnj1yfG75Yw82spZanUH0QSNoMVMWnmV2hXGsWqypRq0pH8mPeLzeKa82
gzsAZsouRD1k8wFlYA4z9HQFxqfcntTqXuwQcQIDAQABo2AwXjAdBgNVHQ4EFgQU
faEyaBpGNzsqttiSMETq+X/GJ0YwHwYDVR0jBBgwFoAUfaEyaBpGNzsqttiSMETq
+X/GJ0YwCwYDVR0PBAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEL
BQADggIBADH5izxu4V8Javal8EA4DxZxIHUsWCg5cuopB28PsyJYpyKipsBoI8+R
XqbtrLLue4WQfNPZHLXlKi+A3GTrLdlnenYzXVipPd+n3vRZyofaB3Jtb03nirVW
Ga8FG21Xy/f4rPqwcW54lxrnnh0SA0hwuZ+b2yAWESBXPxrzVQdTWCqoFI6/aRnN
8RyZn0LqRYoW7WDtKpLmfyvshBmmu4PCYSh/SYiFHgR9fsWzVcxdySDsmX8wXowu
Ffp8V9sFhD4TsebAaplaICOuLUgj+Yin5QzgB0F9Ci3Zh6oWwl64SL/OxxQLpzMW
zr0lrWsQrS3PgC4+6JC4IpTXX5eUqfSvHPtbRKK0yLnd9hYgvZUBvvZvUFR/3/fW
+mpBHbZJBu9+/1uux46M4rJ2FeaJUf9PhYCPuUj63yu0Grn0DreVKK1SkD5V6qXN
0TmoxYyguhfsIPCpI1VsdaSWuNjJ+a/HIlKIU8vKp5iN/+6ZTPAg9Q7s3Ji+vfx/
AhFtQyTpIYNszVzNZyobvkiMUlK+eUKGlHVQp73y6MmGIlbBbyzpEoedNU4uFu57
mw4fYGHqYZmYqFaiNQv4tVrGkg6p+Ypyu1zOfIHF7eqlAOu/SyRTvZkt9VtSVEOV
H7nDIGdrCC9U/g1Lqk8Td00Oj8xesyKzsG214Xd8m7/7GmJ7nXe5
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIGHDCCBASgAwIBAgIEEAAAADANBgkqhkiG9w0BAQsFADCBnzELMAkGA1UEBhMC
U0UxETAPBgNVBAgMCEdvdGFsYW5kMRMwEQYDVQQHDApHb3RoZW5idXJnMRQwEgYD
VQQKDAtBbWFnaWNvbSBBQjEQMA4GA1UECwwHTXVsbHZhZDEbMBkGA1UEAwwSTXVs
bHZhZCBSb290IENBIHYyMSMwIQYJKoZIhvcNAQkBFhRzZWN1cml0eUBtdWxsdmFk
Lm5ldDAeFw0xODExMDIxMTI2MDNaFw0xOTExMDIxMTI2MDNaMIGdMQswCQYDVQQG
EwJTRTERMA8GA1UECAwIR290YWxhbmQxFDASBgNVBAoMC0FtYWdpY29tIEFCMRAw
DgYDVQQLDAdNdWxsdmFkMS4wLAYDVQQDDCVNdWxsdmFkIFRyYW5zaXRpb24tSW50
ZXJtZWRpYXRlIENBIHYxMSMwIQYJKoZIhvcNAQkBFhRzZWN1cml0eUBtdWxsdmFk
Lm5ldDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAOAvizkx9wPHo9qH
TKdSe1ckgoe20PsN++pAnIZ1ZrrUAW/Y/7HjeZvPH1nJHWtQaoY72mQKbl3WVafZ
THm+t0qtnAGcI+1dZjAERmPBZyVtbsOegITqWiAyw5QGfq/+pmC752a8NxHy73Pt
cvt81vML87dx0vzOm2IPCr2mdsdxMsoETuBCED/gY6N4BEnK/NS5JjNnpynq4bZb
obzKuLKTmFabU5CVttg7eBcI4O6KhOYbP4T6Xpo+ALRN7+fyAjir2YKIifccftf5
eiB23Ov1kt9k4nIc3lt6tDHaz6INPHjigHJ2AuJDb7V3GH0czdu2Elr5tZC+5sDX
NcMSOPNA9L4o9svA553c21tg/1cwKUD3GJoCzIN9k9+ba9VWnpOiebNakdTUlegy
5LlzO+aVpZbMoAHoP/1PHqPe9Nz62vrt2wtTfuP5cTCHkTIFy6X6LWitWmox3lLo
aaruQ2x6WF64bGuFHKLDlMNRWd63GE/ZE3AXTmmYIE+CgZ6aPyFuUluAA9C6r7bU
052ddBIuQLBZ2Pj4yZ0UK2aymjS4OBYddzLkPM4B5Mttcj3nbk8FKHDHTXLlyIvE
9BQAejH2p+sOboWudHyw7B7kDqWt9aHHYrQbSimnaY6QoJ8VisyFZVrrIQMQxwLw
AvBScVkmBDTP1iG0B4tGzCRTIilPAgMBAAGjYDBeMB0GA1UdDgQWBBQVxpaQ55d1
yngyg7YEXMuTDc9hPzAfBgNVHSMEGDAWgBR9oTJoGkY3Oyq22JIwROr5f8YnRjAL
BgNVHQ8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAgEA
STee9JP7tegxul90VTRyG53l37fuZGjrp70tYQfl8676lTyFyZVBF7tAFrJwc1K9
2d1JnMbyHzyR7LzZr/7tB3w7eIR8Q7TiBAe9eHleMlmK975ivcAhrY0fJ+BO8xgw
6KE7dOI1jeeff5wF/2KmXybeq2M1phA3KGy+sxc8KrLCVHfXfOnv+b9HRKDqE4/c
3ALMVHXir9sXDyY5bH7jcOGyVQTPI5ZLxvjndunCkXG595pJqDqUWXS8BYcFExIf
IQuJ5omt+tyM9U17yOPvwTyadbRW2m7LIcTwPEwC3IUHCUQzqLZkmF2pCQa8hV2b
q3eK/hV1mHvFbfZcQ+TPl8vl4cRT92vLQGGy51D9t8bVs4bBET0DSPivVcnMqkSO
vAz7xdXqya36iri27iI3aUdBI/XihT1LkxAJhas9YBt+T2xz7xN+WU/ImB+Cq+sH
nJNIcB+wE50/rBb+gTaOpEx80Onq277N3TUByVLjCztl1J6cWIy1XObhRVgXLUcT
B6/Z/zRblHt7f/f5TTUmAwMc+VwvnjpweSV98DpP0MLV6ZEpmh/ij0Dwpc6IoD8u
Lwvyq9jhkSAki5LHO2t1mw0jIjtncxEq/9RmrVP1e3/weYvyhy1T4Mq4NCcPGFR0
+TUxbjSUGVUuHIPxiR+XptxDWguRhwSYEKSy3EwfOMc=
-----END CERTIFICATE-----

 

 

Apply Settings

Click on the Apply Settings button.

Enable IPv6

Click on the tab Setup and then the subtab IPV6. Next to IPv6, click Enable. Mullvad will not function without this.

Set the DNS

Now you will set the DNS to Mullvad's DNS. This will ensure that information is not leaked to the provider running the local network and will therefore keep them from seeing which domain names are looked up.

Basic Setup tab

Click on the tab Setup and then the subtab Basic Setup.

Static DNS 1

Next to Static DNS 1, change the four fields so that the string reads 10.8.0.1.

Apply

Click on the Apply Settings button.

Add a kill switch

Next, you will add the following firewall settings in order to disable all network access outside of the VPN tunnel.

Start IP Address and Maximum DHCP Users

While still on the Basic Setup page, take note of the input for Start IP Address and Maximum DHCP Users. You will need this information for the following steps.

In the example below, Start IP Address is 192.168.1.100 and Maximum DHCP Users is 50. This information tells you the range of IPs used by the DHCP server on your router, in this instance from 192.168.1.100 to 192.168.1.150.

Commands

Click on the tab Administration and then the subtab Commands.

In the Commands field, enter the following text and adjust the range according to the input from your router as mentioned above:

iptables -I FORWARD ! -o tun1 -m iprange --src-range 192.168.1.100-192.168.1.150 -j DROP

Save Firewall

Click on the Save Firewall button.

Keep Alive function

The following settings will ping the Mullvad DNS every six minutes (360 seconds) and restart the router if the connection goes down. Since the DNS is available only via the VPN tunnel, the router will restart if the tunnel stops working.

You might consider testing your VPN tunnel before implementing the Keep Alive settings because if something isn't working, a router that reboots every six minutes can get annoying.

Keep Alive tab

Click on the tab Administration and then the subtab Keep Alive.

Use these settings

Adjust your settings to match the ones in the picture below.

Apply Settings

Click on the Apply Settings button.

Secure your WiFi

Wireless Security tab

Click on the tab Wireless and then the subtab Wireless Security.

Encryption and password

By default, the WiFi is unprotected on DD-WRT. You need to set Security Mode to WPA2 Personal, change algorithm to AES and select a strong password in the box WPA Shared Key.
Some routers have several WiFi networks; make sure you secure all of them.

Test your IP address

Use https://am.i.mullvad.net/  to see which IP adress you are using. It should be one of Mullvad's and not your own.

 

How to add a port to be forwarded to any client behind the router.

Replace 12345 with the port number you have been assigned.

iptables -t nat -I PREROUTING -i tun+ -p tcp --dport 12345 -j DNAT --to 192.168.1.5:12345
iptables -t nat -I PREROUTING -i tun+ -p udp --dport 12345 -j DNAT --to 192.168.1.5:12345

 

 

Troubleshooting

Try the following:

  • Look at the OpenVPN logs under Status » OpenVPN.
  • Assign a different IP address to your router (in case of conflict with other devices) under Setup » Basic Setup.
  • Check that you correctly followed all of the instructions.
  • Restart the router.