DD-WRT routers and Mullvad VPN

ROUTERS

Last updated: 29 July 2020


What is DD-WRT?

As stated on dd-wrt.com, DD-WRT is a Linux-based, alternative open-source firmware suitable for a wide variety of WLAN routers and embedded systems. The main emphasis is to provide the easiest-possible handling while at the same time supporting a great number of functionalities within the framework of the respective hardware platform used.

DD-WRT has support for OpenVPN and can be used to connect to the Mullvad VPN servers.

Installing DD-WRT on your router

You can check online if your router is supported and then download DD-WRT.

Installing OpenVPN and Mullvad on your router comes with some benefits:

  • You can secure your whole network and all devices connected to the router.
  • You can run Mullvad on more than five devices (all devices connected to the router).
  • Via the router, you can even run Mullvad on devices that have no support for OpenVPN.
  • A router is designed for routing, naturally, and is not disturbed by other programs and settings like a program in a computer might be. It works well and is stable.

Expected performance of OpenVPN on a router

Running OpenVPN on a router is demanding. On a router with a 400mhz ARM CPU, you can expect performance around 7–10Mbps. It scales relatively linearly, so on a router with 1.6Ghz ARM CPU we would expect performance around 30–40Mbps.

For other speed-related questions, please read our Speed Guide. Also keep in mind that OpenVPN itself does not use multiple cores and that x86 CPUs will perform a lot better.

Before you set up OpenVPN

A DD-WRT router's default IP address is normally 192.168.1.1. Sometimes this address is in conflict with other routers and you might have to change it. If so, try 192.168.10.1, but remember to change the default address everywhere that it is mentioned in this guide.

The first time you connect, you will be prompted to replace the admin login username and password with your own.

Setting up Mullvad VPN

Follow the instructions below (please read through once before starting).

VPN tab

Click on the tab Services and then the subtab VPN. This is where you will set up the Mullvad VPN.

OpenVPN: Enable

Next to Start OpenVPN Client, choose Enable. 

Server IP/Name

Next to Server IP/Name, specify your preferred exit country by entering the corresponding server name or IP . For example:

  • se.mullvad.net (Sweden)
  • nl.mullvad.net (Netherlands).

For a list of all options, please look at our list of severs.

Port

Change to "1300".

Encryption Algorithm

Change to "AES-256 CBC".

Hash Algorithm

Change to "SHA1".

User Pass Authentication

Change to Enabled. Enter your Mullvad Account Number (without any spaces) as username and use the password "m"

Enable advanced options

Next to Advanced Options, check "Enable".

LZO Compression

Change to "No".

NAT

Change to "Enable"

nsCertType verification

Check the box.

 

Additional Config

Under Additional Config, enter the following text:

tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA
verb 4

The "verb 4" text is optional and is used for more detailed logging to help with problem solving.

CA Cert

Paste the following text to CA Cert

-----BEGIN CERTIFICATE-----
MIIGIzCCBAugAwIBAgIJAK6BqXN9GHI0MA0GCSqGSIb3DQEBCwUAMIGfMQswCQYD
VQQGEwJTRTERMA8GA1UECAwIR290YWxhbmQxEzARBgNVBAcMCkdvdGhlbmJ1cmcx
FDASBgNVBAoMC0FtYWdpY29tIEFCMRAwDgYDVQQLDAdNdWxsdmFkMRswGQYDVQQD
DBJNdWxsdmFkIFJvb3QgQ0EgdjIxIzAhBgkqhkiG9w0BCQEWFHNlY3VyaXR5QG11
bGx2YWQubmV0MB4XDTE4MTEwMjExMTYxMVoXDTI4MTAzMDExMTYxMVowgZ8xCzAJ
BgNVBAYTAlNFMREwDwYDVQQIDAhHb3RhbGFuZDETMBEGA1UEBwwKR290aGVuYnVy
ZzEUMBIGA1UECgwLQW1hZ2ljb20gQUIxEDAOBgNVBAsMB011bGx2YWQxGzAZBgNV
BAMMEk11bGx2YWQgUm9vdCBDQSB2MjEjMCEGCSqGSIb3DQEJARYUc2VjdXJpdHlA
bXVsbHZhZC5uZXQwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCifDn7
5E/Zdx1qsy31rMEzuvbTXqZVZp4bjWbmcyyXqvnayRUHHoovG+lzc+HDL3HJV+kj
xKpCMkEVWwjY159lJbQbm8kkYntBBREdzRRjjJpTb6haf/NXeOtQJ9aVlCc4dM66
bEmyAoXkzXVZTQJ8h2FE55KVxHi5Sdy4XC5zm0wPa4DPDokNp1qm3A9Xicq3Hsfl
LbMZRCAGuI+Jek6caHqiKjTHtujn6Gfxv2WsZ7SjerUAk+mvBo2sfKmB7octxG7y
AOFFg7YsWL0AxddBWqgq5R/1WDJ9d1Cwun9WGRRQ1TLvzF1yABUerjjKrk89RCzY
ISwsKcgJPscaDqZgO6RIruY/xjuTtrnZSv+FXs+Woxf87P+QgQd76LC0MstTnys+
AfTMuMPOLy9fMfEzs3LP0Nz6v5yjhX8ff7+3UUI3IcMxCvyxdTPClY5IvFdW7CCm
mLNzakmx5GCItBWg/EIg1K1SG0jU9F8vlNZUqLKz42hWy/xB5C4QYQQ9ILdu4ara
PnrXnmd1D1QKVwKQ1DpWhNbpBDfE776/4xXD/tGM5O0TImp1NXul8wYsDi8g+e0p
xNgY3Pahnj1yfG75Yw82spZanUH0QSNoMVMWnmV2hXGsWqypRq0pH8mPeLzeKa82
gzsAZsouRD1k8wFlYA4z9HQFxqfcntTqXuwQcQIDAQABo2AwXjAdBgNVHQ4EFgQU
faEyaBpGNzsqttiSMETq+X/GJ0YwHwYDVR0jBBgwFoAUfaEyaBpGNzsqttiSMETq
+X/GJ0YwCwYDVR0PBAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEL
BQADggIBADH5izxu4V8Javal8EA4DxZxIHUsWCg5cuopB28PsyJYpyKipsBoI8+R
XqbtrLLue4WQfNPZHLXlKi+A3GTrLdlnenYzXVipPd+n3vRZyofaB3Jtb03nirVW
Ga8FG21Xy/f4rPqwcW54lxrnnh0SA0hwuZ+b2yAWESBXPxrzVQdTWCqoFI6/aRnN
8RyZn0LqRYoW7WDtKpLmfyvshBmmu4PCYSh/SYiFHgR9fsWzVcxdySDsmX8wXowu
Ffp8V9sFhD4TsebAaplaICOuLUgj+Yin5QzgB0F9Ci3Zh6oWwl64SL/OxxQLpzMW
zr0lrWsQrS3PgC4+6JC4IpTXX5eUqfSvHPtbRKK0yLnd9hYgvZUBvvZvUFR/3/fW
+mpBHbZJBu9+/1uux46M4rJ2FeaJUf9PhYCPuUj63yu0Grn0DreVKK1SkD5V6qXN
0TmoxYyguhfsIPCpI1VsdaSWuNjJ+a/HIlKIU8vKp5iN/+6ZTPAg9Q7s3Ji+vfx/
AhFtQyTpIYNszVzNZyobvkiMUlK+eUKGlHVQp73y6MmGIlbBbyzpEoedNU4uFu57
mw4fYGHqYZmYqFaiNQv4tVrGkg6p+Ypyu1zOfIHF7eqlAOu/SyRTvZkt9VtSVEOV
H7nDIGdrCC9U/g1Lqk8Td00Oj8xesyKzsG214Xd8m7/7GmJ7nXe5
-----END CERTIFICATE-----

Apply Settings

Click on the Apply Settings button.

Enable IPv6

Click on the tab Setup and then the subtab IPV6. Next to IPv6, click Enable. Mullvad will not function without this.
Select "DHCPv6 with Prefix Delegation" as IPv6 Type. No other settings need to be changed. Click on Apply Settings.

Set the DNS

Now you will set the DNS to Mullvad's DNS. This will ensure that information is not leaked to the provider running the local network and will therefore keep them from seeing which domain names are looked up.

Basic Setup tab

While still on the Setup tab, click on the Basic Setup tab

Static DNS

Set the following DNS servers:
Static DNS 1: 10.8.0.1
Static DNS 2: 193.138.218.74




Next to Local DNS , change the four fields so that the string reads 1.1.1.1 (or any other DNS server you might wish to use)

Apply

Click on the Apply Settings button.

Add a kill switch

Next, you will add the following firewall settings in order to disable all network access outside of the VPN tunnel.

Start IP Address and Maximum DHCP Users

While still on the Basic Setup page, take note of the input for Start IP Address and Maximum DHCP Users. You will need this information for the following steps.

In the example below, Start IP Address is 192.168.1.100 and Maximum DHCP Users is 50. This information tells you the range of IPs used by the DHCP server on your router, in this instance from 192.168.1.100 to 192.168.1.150.

Commands

Click on the tab Administration and then the subtab Commands.

In the Commands field, enter the following text and adjust the range according to the input from your router as mentioned above:

iptables -I FORWARD ! -o tun1 -m iprange --src-range 192.168.1.100-192.168.1.150 -j DROP

Save Firewall

Click on the Save Firewall button.

Keep Alive function

The following settings will ping the Mullvad DNS every six minutes (360 seconds) and restart the router if the connection goes down. Since the DNS is available only via the VPN tunnel, the router will restart if the tunnel stops working.

You might consider testing your VPN tunnel before implementing the Keep Alive settings because if something isn't working, a router that reboots every six minutes can get annoying.

Keep Alive tab

While still on the Administration tab, click on the subtab Keep Alive.

Use these settings

Adjust your settings to match the ones in the picture below.

Apply Settings

Click on the Apply Settings button.

Secure your WiFi

Wireless Security tab

Click on the tab Wireless and then the subtab Wireless Security.

Encryption and password

By default, the WiFi is unprotected on DD-WRT. You need to set Security Mode to WPA2-PSK. Change algorithm to AES and select a strong password in the box WPA Shared Key.
Some routers have several WiFi networks; make sure you secure all of them.
 

Click on the Apply Settings button.

 

Test your IP address

Use https://am.i.mullvad.net/  to see which IP address you are using. It should be one of Mullvad's and not your own.

 

How to add a port to be forwarded to any client behind the router.

Replace 12345 with the port number you have been assigned.

iptables -t nat -I PREROUTING -i tun+ -p tcp --dport 12345 -j DNAT --to 192.168.1.5:12345
iptables -t nat -I PREROUTING -i tun+ -p udp --dport 12345 -j DNAT --to 192.168.1.5:12345

 

 

Troubleshooting

Try the following:

  • Look at the OpenVPN logs under Status » OpenVPN.
  • Assign a different IP address to your router (in case of conflict with other devices) under Setup » Basic Setup.
  • Check that you correctly followed all of the instructions.
  • Restart the router.