OpenWrt routers and Mullvad VPN

What is OpenWrt?

Briefly, "OpenWrt is described as a Linux distribution for embedded devices." Visit OpenWrt's website for more information.

Installing OpenWrt on your router

First, check OpenWrt's list of supported routers to make sure yours is included.

Installing OpenVPN and Mullvad on your router comes with some benefits:

  • You can secure your whole network and all devices connected to the router.
  • You can run Mullvad on more than five devices (all devices connected to the router).
  • Via the router, you can even run Mullvad on devices that have no support for OpenVPN.
  • A router is designed for routing, naturally, and is not disturbed by other programs and settings like a program in a computer might be. It works well and is stable.

Expected performance of OpenVPN on a router

Running OpenVPN on a router is demanding. On a router with a 400 MHz ARM CPU, you can expect performance around 7–10 Mbps. It scales relatively linearly, so on a router with a 1.6 GHz ARM CPU we would expect performance around 30–35 Mbps.

For other speed-related questions, please read our Speed Guide.

Also keep in mind that OpenVPN itself does not use multiple cores and that x86 CPUs will perform a lot better.

Requirements

You will need the following to complete this guide:

  • the OpenWrt firmware for your specific router, downloadable from OpenWrt's website
  • a router (we are using a TP-LINK 710N version 2.1 in this case)
  • two Ethernet cables
  • SSH (login at command line) and SCP (transfer files) compatible programs. Linux and Mac have built-in tools for this. For Windows, use PuTTY and WinSCP.
  • a valid Mullvad certificate file (ca.crt) and a list of revoked servers (crl.pem)
  • a valid Mullvad account number.

Download necessary Mullvad files

  1. Log into Mullvad with your account number.
  2. Go to the Download page.
  3. Click on the button under the section "iOS, Android and other platforms" to come to the Configuration page.
  4. From the drop-down menu under Platform, select "Linux" and download the ZIP file.
  5. Extract the files ca.crt and crl.pem that are found in the root of the downloaded ZIP file to a directory on your computer.

Connect network cables to the router

  1. Plug one of the network cables into the LAN/WAN port of your router. Plug the other end into the Internet port.
  2. Plug the other network cable from your computer to the LAN port.
  3. Plug in the router and power it on.

Update the router's firmware to OpenWrt

Follow your router's instructions on how to connect and update the firmware to the OpenWrt firmware that you previously downloaded.

The router normally displays some status information and then restarts. Take extra care in downloading the correct version since doing this incorrectly could "brick" your router, making it completely unusable.

Install luci and OpenVPN

OpenWrt version 2.1 comes without the web user interface luci installed. Connect over SSH (Windows users, use PuTTY) to 192.168.1.1 as root with no password (you may get a "potential security breach" warning the first time you connect) and then run

opkg update
opkg install luci

While connected, continue by installing the packages needed for OpenVPN:

opkg install openvpn-openssl luci-app-openvpn

Initial configuration of OpenWrt

  1. Open a browser and navigate to http://192.168.1.1/.
  2. Click the Login button. This logs you in with the default root user and no password.
  3. Once the Status page loads, you will see a message at the top saying “No password set!” Click the link below it to configure a password.
  4. On the Router Password page, set a secure and memorable password. Click the Save & Apply button at the bottom of the page.
  5. On the same page, in the SSH Access section, set the interface to LAN. Click the Save & Apply button.

Add a new VPN connection

  1. Open a browser and navigate to http://192.168.1.1/.
  2. In the menu, select "Services-OpenVPN".
  3. In the text field at the bottom, enter “mullvad_client” as a new name.
  4. Select “Simple client configuration for a routed point-to-point VPN” and click the Add button.
  5. You will immediately be taken to the configuration page. Click on “Switch to advanced configuration.”
  6. Click the “Networking” link at the top of the page.

On this Networking page, you need to make changes to certain settings. If you can't find a setting that we list, select the missing setting from the "Additional Field" drop-down menu found at the bottom of the page and click the Add button to include it.

  • ifconfig: make sure this field is blank/empty (if you don't have this field, skip it)
  • dev: tun
  • port: 1194
  • nobind: checked
  • comp_lzo: yes

screenshot of Networking settings

Click the Save button at the bottom of the page.

Click on the “VPN” link at the top of the page. Here, you'll also make changes.

Just as on the Networking page, you might need to use the “Additional Field” drop-down menu to add any missing settings.

  • auth_user_pass: make sure this field value is “/etc/openvpn/userpass.txt” (the file doesn’t exist yet, but we will address this later in the guide)
  • remote: this field should equal the hostname of whichever exit node you want to use (reference our list of servers if needed); in this guide we use se.mullvad.net

screenshot of VPN settings

Now click on the "Cryptography" link. Here, you'll also make changes.

Just as on the other two pages, you might need to use the “Additional Field” drop-down menu to add any missing settings.

  • ca: upload the ca.crt file that you downloaded earlier.

screenshot of Cryptography settings

Click the Save button at the bottom.

Configure the interface as well as the firewall

  1. From the menu at the top, select Network → Interfaces.
  2. Click the “Add new interface” button.
  3. Make the following changes:
    • Name of new interface: enter “MULLVAD_VPN” (this must be entered exactly as shown)
    • Protocol of the new interface: Unmanaged
    • Cover the following interface: Custom Interface: tun0
      screenshot of Create Interface settings
  4. Click the Submit/Save button.

SSH

For the final few steps, we will switch back to SSH.

First, we need to create a file that will assist in logging you in to your Mullvad account. It is just a simple text file with the first line acting as a username (your Mullvad account number) and the second line as a password (always the letter "m").

Run the following commands, making sure to replace YOUR_MULLVAD_ACCOUNT with your actual account number:

cat > /etc/openvpn/userpass.txt << EOF
YOUR_MULLVAD_ACCOUNT
m
EOF

Now we will chmod it to set the correct permissions:

chmod 0400 /etc/openvpn/userpass.txt
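
A check for the credentials file created above, as an added example that is not part of the original guide: it flags an unreplaced placeholder, stray carriage returns from a pasted Windows file, and permissions that let anyone other than the owner read the account number. The function name `check_userpass` and the digits-only test on the account number are assumptions made here.

```shell
#!/bin/sh
# Added example: sanity-check the OpenVPN auth file from this guide.
# Uses only ls, cut, wc, tr and sed.

# check_userpass FILE -> prints one finding per line, returns 0 if there are none.
check_userpass() {
    f=$1
    rc=0
    [ -f "$f" ] || { echo "missing: $f"; return 1; }

    # Mode string such as "-r--------"; the last six characters are group/other bits.
    mode=$(ls -ln "$f" | cut -c1-10)
    case $mode in
        -r[w-]-------) ;;                  # 0400 or 0600: owner only
        *) echo "permissions too open: $mode"; rc=1 ;;
    esac

    # Exactly two lines: the account number, then the fixed password "m".
    lines=$(wc -l < "$f" | tr -d ' ')
    [ "$lines" -eq 2 ] || { echo "expected 2 lines, found $lines"; rc=1; }

    user=$(sed -n '1p' "$f")
    pass=$(sed -n '2p' "$f")
    case $user in
        ''|*[!0-9]*) echo "line 1 is not a numeric account number"; rc=1 ;;  # assumption: digits only
    esac
    [ "$pass" = "m" ] || { echo "line 2 is not the password m"; rc=1; }

    return $rc
}

# Usage on the router: sh check.sh /etc/openvpn/userpass.txt
if [ $# -gt 0 ]; then check_userpass "$1"; fi
```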

Next, we will create the CRL file.

Start by copying the contents of the mullvad_crl.pem file you downloaded earlier.

Run the following command, making sure to replace PASTE_CONTENTS_HERE with your copied content.

cat > /etc/openvpn/crl.pem << EOF
PASTE_CONTENTS_HERE
EOF

Next, we will create the firewall settings:

cat >> /etc/config/firewall << EOF
config zone
        option name 'VPN_FW'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'MULLVAD_VPN'

config forwarding
        option dest 'VPN_FW'
        option src 'lan'
EOF

Log in to your router again from a browser.

From the main menu, navigate to Network → Interfaces → LAN → DHCP Server (found below the “Common Configuration” section) → Advanced Settings.

In the “DHCP-Options” field enter the value “6,10.8.0.1,193.138.219.228”.

Click on Save & Apply.

Warning!

Due to an error in the OpenVPN OpenWrt GUI plugin, you will need to repeat the following steps every time you change and save any settings via the GUI or – sadly – if you restart the router!

First, create a scheduled task by pasting the following text into the dialog box shown below:

*/1 * * * * sed -i '/secret/d' /tmp/etc/openvpn-mullvad_client.conf


Then navigate to Services → OpenVPN. Enable the checkbox beside mullvad_client and then click on the Start button found in that same row.

screenshot of OpenVPN instances

Add a kill switch

Change firewall settings as shown below (remove WAN from LAN) in order to block all internet traffic from outside the VPN tunnel:

screenshot of Firewall settings
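
In /etc/config/firewall, removing WAN from LAN means that no "config forwarding" section with src lan and dest wan remains, while the lan to VPN_FW forwarding added over SSH earlier stays in place. The script below is an added example, not part of the original guide, that checks both conditions; the function names and the sample config are constructed here.

```shell
#!/bin/sh
# Added example: audit zone forwardings in a UCI firewall config (read on stdin).

# Constructed sample: a lan->wan forwarding plus this guide's lan->VPN_FW one.
sample_config() {
    cat <<'EOF'
config forwarding
    option src 'lan'
    option dest 'wan'

config forwarding
    option dest 'VPN_FW'
    option src 'lan'
EOF
}

# forwardings: print "src->dest" for every 'config forwarding' section on stdin.
forwardings() {
    awk '
        function emit() { if (infwd) print src "->" dest; infwd = 0; src = dest = "" }
        { gsub("[\047\"]", "") }      # drop quotes; awk then re-splits the fields
        $1 == "config" { emit(); infwd = ($2 == "forwarding") }
        infwd && $1 == "option" && $2 == "src"  { src = $3 }
        infwd && $1 == "option" && $2 == "dest" { dest = $3 }
        END { emit() }
    '
}

# killswitch_ok [VPNZONE]: succeed only if lan forwards to the VPN zone and not to wan.
killswitch_ok() {
    vpn=${1:-VPN_FW}
    fw=$(forwardings)
    echo "$fw" | grep -qx "lan->$vpn" || { echo "FAIL: no lan->$vpn forwarding"; return 1; }
    if echo "$fw" | grep -qx "lan->wan"; then
        echo "FAIL: lan->wan forwarding present, LAN traffic can bypass the tunnel"
        return 1
    fi
    echo "OK: lan->$vpn present, lan->wan absent"
}

# On the router: killswitch_ok < /etc/config/firewall
sample_config | killswitch_ok || true    # the sample still has lan->wan, so this prints FAIL
```

Run it again after any change saved through the GUI, since the guide notes that saving settings there can undo earlier steps.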