OpenWrt routers and Mullvad VPN


Last updated: 21 January 2021

Follow this guide to set up a router with OpenWrt and connect to the Mullvad VPN service.

What is OpenWrt?

Briefly, "OpenWrt is described as a Linux distribution for embedded devices." Visit OpenWrt's website for more information.

Installing OpenWrt on your router

First, check OpenWrt's list of supported routers to make sure yours is included.

Installing OpenVPN and Mullvad on your router comes with some benefits:

  • You can secure your whole network and all devices connected to the router.
  • You can run Mullvad on more than five devices (all devices connected to the router).
  • Via the router, you can even run Mullvad on devices that have no support for OpenVPN.
  • A router is designed for routing, naturally, and is not disturbed by other programs and settings like a program in a computer might be. It works well and is stable.

Expected performance of OpenVPN on a router

Running OpenVPN on a router is demanding. On a router with a 400mhz ARM CPU, you can expect performance around 7–10Mbps. It scales relatively linearly, so on a router with 1.6Ghz ARM CPU we would expect performance around 30–35 Mbps.

For other speed-related questions, please read our Speed Guide.

Also keep in mind that OpenVPN itself does not use multiple cores and that x86 CPUs will perform a lot better.


You will need the following to complete this guide:

  • the OpenWRT firmware for your specific router, downloadable from OpenWrt's website. Download the Firmware installation, not the upgrade if this is the first time you install on the router, and don't download the "snapshot". The snapshot does not include "luci".
  • a router
  • two Ethernet cables
  • SSH (login at command line) and SCP (transfer files) compatible programs. Linux and Mac have built-in tools for this. For Windows, use PuTTY and WinSCP.
  • a valid Mullvad account number.

Download necessary Mullvad files

  1. Go to our OpenVPN configuration file generator.
  2. Use "Linux" as platform, select a location and download the Zip archive.
  3. Extract the files Mullvad_ca.crt that is found in the root of the downloaded ZIP file to a directory on your computer.

Connect network cables to the router

  1. Connect your Internet cable to the Internet port of the intended OpenWrt router
  2. Plug the other network cable from your computer to the LAN port.
  3. Plug in the router and power it on.

Update the router's firmware to OpenWRT

Follow your router's instructions on how to connect and update the firmware to the OpenWrt firmware that you previously downloaded.

The router normally displays some status information and then restarts. Take extra care in downloading the correct version since doing this incorrectly could "brick" your router, making it completely unusable.

Initial configuration of OpenWrt

  1. Open a browser and navigate to
  2. Click the Login button. This logs you in with the default root user and no password.
  3. Once the Status page loads, you will see a message at the top saying “No password set!” Click go to Password Configuration
  4. On the Router Password page, set a secure and memorable password. Click the Save & Apply button at the bottom of the page.
  5. On the same page, in the SSH Access section, set the interface to LAN. Click the Save & Apply button.

Install necessary software packages

1. Navigate to system-software and press update lists
2. In download and install package enter:

  • openvpn-openssl
  • luci-app-openvpn
  • openssl-util

Add a new VPN connection

  1. Open a browser and navigate to
  2. In the menu, select "Services-OpenVPN".
  3. In the text field at the bottom, enter “mullvad_client” as a new name.
  4. Select “Simple client configuration for a routed point-to-point VPN” and click the Add button.
  5. You will immediately be taken to the configuration page. Click on “Switch to advanced configuration.”
  6. Click the “Networking” link at the top of the page.

On this Networking page, you need to make changes to certain settings. If you can't find a setting that we list, select the missing setting from the "Additional Field" drop-down menu found at the bottom of the page and click the Add button to include it.

  • ifconfig: make sure this field is blank/empty (if you don't have this field, skip it)
  • dev: tun
  • port: 1194
  • nobind: checked

Click the Save button at the bottom of the page.

Click on the “VPN” link at the top of the page. Here, you'll also make changes.

Just as on the Networking page, you might need to use the “Additional Field” drop-down menu to add any missing settings.

  • client: checked (Save)
  • auth_user_pass: make sure this field value is “/etc/openvpn/userpass.txt” (the file doesn’t exist yet, but we will address this later in the guide)
  • remote: this field should equal the hostname of whichever exit node you want to use (reference our list of servers if needed); in this guide we use

Click the Save button at the bottom of the page.

Now click on the "Cryptography" link. Here, you'll also make changes.

Just as on the other two pages page, you might need to use the “Additional Field” drop-down menu to add any missing settings.

  • ca: ca: upload the Mullvad_ca.crt file that you downloaded earlier.

Click the Save button at the bottom.

Configure the interface as well as the firewall

  1. From the menu at the top, select Network → Interfaces.
  2. Click the “Add new interface” button.
  3. Make the following changes:
    • Name of new interface: enter “MULLVAD_VPN” (this must be entered exactly as shown)
    • Protocol of the new interface: Unmanaged
    • Cover the following interface: Custom Interface: tun0 (type "tun0" at "Custom Interface" and press Enter)
  4. Click the Save & Apply button.


Now log in to the router with SSH" (using a Linux or MacOS terminal or PuTTY for Windows). Example:".

macOS / Linux:  ssh -l root
Windows : use putty and connect to as root

First, we need to create a file that will assist in logging you in to your Mullvad account. It is just a simple text file with the first line acting as a username (your Mullvad account number) and the second line as a password (always the letter "m").

Run the following commands, making sure to replace YOUR_MULLVAD_ACCOUNT with your actual account number (without any spaces) :

cat > /etc/openvpn/userpass.txt << EOF

Now we will chmod it to set the correct permissions:

chmod 0400 /etc/openvpn/userpass.txt

Next, we will create the firewall settings:

cat >> /etc/config/firewall << EOF
config zone
option name 'VPN_FW'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'MULLVAD_VPN'
config forwarding
option dest 'VPN_FW'
option src 'lan'

Login to your router again from a browser.

From the main menu, navigate to Network → Interfaces → LAN → DHCP Server (found below the “Common Configuration” section) → Advanced Settings.

In the “DHCP-Options” field enter the value “6,,”.

Click on Save & Apply.

Create a scheduled task

Due to an error in the OpenVPN OpenWrt GUI plugin, you will need to repeat the following steps every time you change and save any settings via the GUI or – sadly – if you restart the router!

First, create a scheduled task by pasting the following text into the dialog box (located in System -> Scheduled tasks ) shown below:

*/1 * * * * sed -i '/secret/d' /tmp/etc/openvpn-mullvad_client.conf

Then navigate to Services → OpenVPN. Enable the checkbox beside mullvad_client and then click on the Start button found in that same row. (It might take half a minute to start it and you have to refresh the page manually to see it)

screenshot of OpenVPN instances

Add a kill switch

Restart the Cron service:
System - Startup - Click on restart on the cron line.

Go to Network > Firewall and click on the Edit button for the "lan" zone.

Change firewall settings as shown below (remove WAN from LAN) in order to block all internet traffic from outside the VPN tunnel:

Test your IP address

Use our Connection check to see which IP address you are using. It should be one of Mullvad's and not your own.

Make sure that your clients that are using the router as a gateway that they renew their DHCP lease, so that they get the new DNS pushed to them.

Portforwarding (optional)

Click on Network -> Firewall -> Port forwards

  1. Replace with the IP-address you wish to forward the port to
  2. Replace 26801 with the port that you have been assigned.


DNS leaks

If the router is leaking the DNS servers from your Internet provider then try to change some of the following settings and then restart the router and the computers/devices in the local network that are connected to the router.

  1. Network > Interfaces > WAN (click edit) > Advanced Settings > Use DNS servers advertised by peer (disable)
  2. Network > DHCP and DNS > Advanced Settings > Strict order (enable)
  3. Network > Interfaces > LAN > DHCP Server > Advanced Settings > "Force DHCP on this network even if another server is detected" (enable)
  4. Network > Interfaces > LAN > DHCP Server > IPv6 Settings > Router Advertisement-Service (disable)