What is DD-WRT?
As stated on dd-wrt.com, DD-WRT is a Linux-based, alternative open-source firmware suitable for a wide variety of WLAN routers and embedded systems.
This guide uses OpenVPN protocol to connect to the Mullvad VPN servers.
Installing DD-WRT on your router
You can check online if your router is supported and then download DD-WRT.
Installing OpenVPN and Mullvad on your router comes with some benefits:
- You can secure your whole network and all devices connected to the router.
- You can run Mullvad on more than five devices (all devices connected to the router).
- Via the router, you can even run Mullvad on devices that have no support for OpenVPN.
- A router is designed for routing, naturally, and is not disturbed by other programs and settings like a program in a computer might be. It works well and is stable.
Expected performance of OpenVPN on a router
Running OpenVPN on a router is demanding. On a router with a 400mhz ARM CPU, you can expect performance around 7–10Mbps. It scales relatively linearly, so on a router with 1.6Ghz ARM CPU we would expect performance around 30–40Mbps.
For other speed-related questions, please read our Speed Guide. Also keep in mind that OpenVPN itself does not use multiple cores and that x86 CPUs will perform a lot better.
Before you set up OpenVPN
A DD-WRT router's default IP address is normally 192.168.1.1. Sometimes this address is in conflict with other routers and you might have to change it. If so, try 192.168.10.1, but remember to change the default address everywhere that it is mentioned in this guide.
The first time you connect, you will be prompted to replace the admin login username and password with your own.
Setting up Mullvad VPN
Follow the instructions below (please read through once before starting).
This guide was written and tested on DD-WRT v3.0 [Beta] build 51440.
VPN tab
Click on the tab Services and then the subtab VPN. This is where you will set up the Mullvad VPN.
OpenVPN: Enable
Next to Start OpenVPN Client, choose Enable.
Server IP/Name
Next to Server IP/Name, specify your preferred exit country by entering the corresponding server IP .
In this example we'll use 185.213.154.140 (which is se-got-010.mullvad.net).
For a list of all servers, please look at our list of severs.
Port
Change to "1300".
Encryption Cipher
Change to "AES-256 CBC".
Hash Algorithm
Change to "SHA1".
User Pass Authentication
Change to Enabled. Enter your Mullvad Account Number (without any spaces) as username and use the password "m"
Enable advanced options
Next to Advanced Options, check "Enable".
LZO Compression
Change to "No".
NAT
Change to "Enable"
Killswitch
Check the box.
Verify Server Cert.
Check the box.
Additional Config
Under Additional Config, enter the following text:
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA
verb 4
The "verb 4" text is optional and is used for more detailed logging to help with problem solving.
CA Cert
Paste the following text to CA Cert
-----BEGIN CERTIFICATE----- MIIGIzCCBAugAwIBAgIJAK6BqXN9GHI0MA0GCSqGSIb3DQEBCwUAMIGfMQswCQYD VQQGEwJTRTERMA8GA1UECAwIR290YWxhbmQxEzARBgNVBAcMCkdvdGhlbmJ1cmcx FDASBgNVBAoMC0FtYWdpY29tIEFCMRAwDgYDVQQLDAdNdWxsdmFkMRswGQYDVQQD DBJNdWxsdmFkIFJvb3QgQ0EgdjIxIzAhBgkqhkiG9w0BCQEWFHNlY3VyaXR5QG11 bGx2YWQubmV0MB4XDTE4MTEwMjExMTYxMVoXDTI4MTAzMDExMTYxMVowgZ8xCzAJ BgNVBAYTAlNFMREwDwYDVQQIDAhHb3RhbGFuZDETMBEGA1UEBwwKR290aGVuYnVy ZzEUMBIGA1UECgwLQW1hZ2ljb20gQUIxEDAOBgNVBAsMB011bGx2YWQxGzAZBgNV BAMMEk11bGx2YWQgUm9vdCBDQSB2MjEjMCEGCSqGSIb3DQEJARYUc2VjdXJpdHlA bXVsbHZhZC5uZXQwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCifDn7 5E/Zdx1qsy31rMEzuvbTXqZVZp4bjWbmcyyXqvnayRUHHoovG+lzc+HDL3HJV+kj xKpCMkEVWwjY159lJbQbm8kkYntBBREdzRRjjJpTb6haf/NXeOtQJ9aVlCc4dM66 bEmyAoXkzXVZTQJ8h2FE55KVxHi5Sdy4XC5zm0wPa4DPDokNp1qm3A9Xicq3Hsfl LbMZRCAGuI+Jek6caHqiKjTHtujn6Gfxv2WsZ7SjerUAk+mvBo2sfKmB7octxG7y AOFFg7YsWL0AxddBWqgq5R/1WDJ9d1Cwun9WGRRQ1TLvzF1yABUerjjKrk89RCzY ISwsKcgJPscaDqZgO6RIruY/xjuTtrnZSv+FXs+Woxf87P+QgQd76LC0MstTnys+ AfTMuMPOLy9fMfEzs3LP0Nz6v5yjhX8ff7+3UUI3IcMxCvyxdTPClY5IvFdW7CCm mLNzakmx5GCItBWg/EIg1K1SG0jU9F8vlNZUqLKz42hWy/xB5C4QYQQ9ILdu4ara PnrXnmd1D1QKVwKQ1DpWhNbpBDfE776/4xXD/tGM5O0TImp1NXul8wYsDi8g+e0p xNgY3Pahnj1yfG75Yw82spZanUH0QSNoMVMWnmV2hXGsWqypRq0pH8mPeLzeKa82 gzsAZsouRD1k8wFlYA4z9HQFxqfcntTqXuwQcQIDAQABo2AwXjAdBgNVHQ4EFgQU faEyaBpGNzsqttiSMETq+X/GJ0YwHwYDVR0jBBgwFoAUfaEyaBpGNzsqttiSMETq +X/GJ0YwCwYDVR0PBAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEL BQADggIBADH5izxu4V8Javal8EA4DxZxIHUsWCg5cuopB28PsyJYpyKipsBoI8+R XqbtrLLue4WQfNPZHLXlKi+A3GTrLdlnenYzXVipPd+n3vRZyofaB3Jtb03nirVW Ga8FG21Xy/f4rPqwcW54lxrnnh0SA0hwuZ+b2yAWESBXPxrzVQdTWCqoFI6/aRnN 8RyZn0LqRYoW7WDtKpLmfyvshBmmu4PCYSh/SYiFHgR9fsWzVcxdySDsmX8wXowu Ffp8V9sFhD4TsebAaplaICOuLUgj+Yin5QzgB0F9Ci3Zh6oWwl64SL/OxxQLpzMW zr0lrWsQrS3PgC4+6JC4IpTXX5eUqfSvHPtbRKK0yLnd9hYgvZUBvvZvUFR/3/fW +mpBHbZJBu9+/1uux46M4rJ2FeaJUf9PhYCPuUj63yu0Grn0DreVKK1SkD5V6qXN 0TmoxYyguhfsIPCpI1VsdaSWuNjJ+a/HIlKIU8vKp5iN/+6ZTPAg9Q7s3Ji+vfx/ AhFtQyTpIYNszVzNZyobvkiMUlK+eUKGlHVQp73y6MmGIlbBbyzpEoedNU4uFu57 mw4fYGHqYZmYqFaiNQv4tVrGkg6p+Ypyu1zOfIHF7eqlAOu/SyRTvZkt9VtSVEOV H7nDIGdrCC9U/g1Lqk8Td00Oj8xesyKzsG214Xd8m7/7GmJ7nXe5 -----END CERTIFICATE-----
Apply Settings
Click on the Apply Settings button.
Enable IPv6
Click on the tab Setup and then the subtab IPV6. Next to IPv6, click Enable. Mullvad will not function without this.
Select "DHCPv6 with Prefix Delegation" as IPv6 Type. No other settings need to be changed. Click on Apply Settings.
Set the DNS
Now you will set the DNS to Mullvad's DNS. This will ensure that information is not leaked to the provider running the local network and will therefore keep them from seeing which domain names are looked up.
Basic Setup tab
While still on the Setup tab, click on the Basic Setup tab
Static DNS
Set the following DNS servers:
Static DNS 1: 10.8.0.1
Note that the DNS server 193.138.218.74 is decommissioned and no longer works
Next to Local DNS , change the four fields so that the string reads 1.1.1.1 (or any other DNS server you might wish to use)
Apply
Click on the Apply Settings button.
Keep Alive function
The following settings will ping the Mullvad DNS every six minutes (360 seconds) and restart the router if the connection goes down. Since the DNS is available only via the VPN tunnel, the router will restart if the tunnel stops working.
You might consider testing your VPN tunnel before implementing the Keep Alive settings because if something isn't working, a router that reboots every six minutes can get annoying.
Keep Alive tab
While still on the Administration tab, click on the subtab Keep Alive.
Use these settings
Adjust your settings to match the ones in the picture below.
Apply Settings
Click on the Apply Settings button.
Secure your WiFi
Wireless Security tab
Click on the tab Wireless and then the subtab Wireless Security.
Encryption and password
By default, the WiFi is unprotected on DD-WRT. You need to set Security Mode to WPA2-PSK. Change algorithm to AES and select a strong password in the box WPA Shared Key.
Some routers have several WiFi networks; make sure you secure all of them.
Click on the Apply Settings button.
Test your IP address
Use our Connection check to see which IP address you are using. It should be one of Mullvad's and not your own.
How to add a port to be forwarded to any client behind the router (optional)
Replace 12345 with the port number you have been assigned.
iptables -t nat -I PREROUTING -i tun+ -p tcp --dport 12345 -j DNAT --to 192.168.1.5:12345
iptables -t nat -I PREROUTING -i tun+ -p udp --dport 12345 -j DNAT --to 192.168.1.5:12345
Troubleshooting
Try the following:
- Look at the OpenVPN logs under Status » OpenVPN.
- Assign a different IP address to your router (in case of conflict with other devices) under Setup » Basic Setup.
- Check that you correctly followed all of the instructions.
- Restart the router.