OpenWrt routers and Mullvad VPN
What is OpenWrt?
Briefly, OpenWrt is described as "a Linux distribution for embedded devices." Visit OpenWrt's website for more information.
Installing OpenWrt on your router
First, check OpenWrt's list of supported routers to make sure yours is included.
Installing OpenVPN and Mullvad on your router comes with some benefits:
- You can secure your whole network and all devices connected to the router.
- You can run Mullvad on more than five devices (all devices connected to the router).
- Via the router, you can even run Mullvad on devices that have no support for OpenVPN.
- A router is designed for routing, naturally, and is not disturbed by other programs and settings like a program in a computer might be. It works well and is stable.
Expected performance of OpenVPN on a router
Running OpenVPN on a router is demanding. On a router with a 400 MHz ARM CPU, you can expect performance around 7–10 Mbps. It scales relatively linearly, so on a router with a 1.6 GHz ARM CPU we would expect performance around 30–35 Mbps.
For other speed-related questions, please read our Speed Guide.
Also keep in mind that OpenVPN itself does not use multiple cores and that x86 CPUs will perform a lot better.
You will need the following to complete this guide:
- the OpenWrt firmware for your specific router, downloadable from OpenWrt's website
- a router (we are using a TP-LINK 710N version 2.1 in this case)
- two Ethernet cables
- SSH (login at command line) and SCP (transfer files) compatible programs. Linux and Mac have built-in tools for this. For Windows, use PuTTY and WinSCP.
- a valid Mullvad certificate file (ca.crt) and a list of revoked servers (crl.pem)
- a valid Mullvad account number.
Download necessary Mullvad files
- Log into Mullvad with your account number.
- Go to the Download page.
- Click on the button under the section "iOS, Android and other platforms" to come to the Configuration page.
- From the drop-down menu under Platform, select "Linux" and download the ZIP file.
- Extract the files ca.crt and crl.pem that are found in the root of the downloaded ZIP file to a directory on your computer.
Connect network cables to the router
- Plug one of the network cables into the LAN/WAN port of your router. Plug the other end into the Internet port.
- Plug the other network cable from your computer to the LAN port.
- Plug in the router and power it on.
Update the router's firmware to OpenWrt
Follow your router's instructions on how to connect and update the firmware to the OpenWrt firmware that you previously downloaded.
The router normally displays some status information and then restarts. Take extra care in downloading the correct version since doing this incorrectly could "brick" your router, making it completely unusable.
Install luci and OpenVPN
OpenWrt version 2.1 comes without the web user interface luci installed. Connect with SSH (Windows users, use PuTTY) to 192.168.1.1 with the root login and no password (you may see a security warning the first time you connect) and then run
opkg install luci
While connected, continue by installing the packages needed for OpenVPN:
opkg install openvpn-openssl luci-app-openvpn
Initial configuration of OpenWrt
- Open a browser and navigate to http://192.168.1.1/.
- Click the Login button. This logs you in with the default root user and no password.
- Once the Status page loads, you will see a message at the top saying “No password set!” Click the link below it to configure a password.
- On the Router Password page, set a secure and memorable password. Click the Save & Apply button at the bottom of the page.
- On the same page, in the SSH Access section, set the interface to LAN. Click the Save & Apply button.
Add a new VPN connection
- Open a browser and navigate to http://192.168.1.1/.
- In the menu, select Services → OpenVPN.
- In the text field at the bottom, enter “mullvad_client” as a new name.
- Select “Simple client configuration for a routed point-to-point VPN” and click the Add button.
- You will immediately be taken to the configuration page. Click on “Switch to advanced configuration.”
- Click the “Networking” link at the top of the page.
On this Networking page, you need to make changes to certain settings. If you can't find a setting that we list, select the missing setting from the "Additional Field" drop-down menu found at the bottom of the page and click the Add button to include it.
- ipconfig: make sure this field is blank/empty (if you don't have this field, skip it)
- dev: tun
- port: 1194
- nobind: checked
- comp_lzo: yes
Click the Save button at the bottom of the page.
Click on the “VPN” link at the top of the page. Here, you'll also make changes.
Just as on the Networking page, you might need to use the “Additional Field” drop-down menu to add any missing settings.
- auth_user_pass: make sure this field value is “/etc/openvpn/userpass.txt” (the file doesn’t exist yet, but we will address this later in the guide)
- remote: this field should equal the hostname of whichever exit node you want to use (reference our list of servers if needed); in this guide we use se.mullvad.net
Now click on the "Cryptography" link. Here, you'll also make changes.
Just as on the other two pages, you might need to use the “Additional Field” drop-down menu to add any missing settings.
- ca: upload the ca.crt file that you downloaded earlier.
Click the Save button at the bottom.
Configure the interface as well as the firewall
- From the menu at the top, select Network → Interfaces.
- Click the “Add new interface” button.
- Make the following changes:
- Name of new interface: enter “MULLVAD_VPN” (this must be entered exactly as shown)
- Protocol of the new interface: Unmanaged
- Cover the following interface: Custom Interface: tun0
- Click the Submit/Save button.
For the final few steps, we will switch back to SSH.
First, we need to create a file that will assist in logging you in to your Mullvad account. It is just a simple text file with the first line acting as a username (your Mullvad account number) and the second line as a password (always the letter "m").
Run the following commands, making sure to replace YOUR_MULLVAD_ACCOUNT with your actual account number:
cat > /etc/openvpn/userpass.txt << EOF
YOUR_MULLVAD_ACCOUNT
m
EOF
Now we will chmod it to set the correct permissions:
chmod 0400 /etc/openvpn/userpass.txt
Next, we will create the CRL file.
Start by copying the contents of the mullvad_crl.pem file you downloaded earlier.
Run the following command, making sure to replace PASTE_CONTENTS_HERE with your copied content.
cat > /etc/openvpn/crl.pem << EOF
PASTE_CONTENTS_HERE
EOF
Next, we will create the firewall settings:
cat >> /etc/config/firewall << EOF
config zone
        option name 'VPN_FW'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'MULLVAD_VPN'

config forwarding
        option dest 'VPN_FW'
        option src 'lan'
EOF
Log in to your router again from a browser.
From the main menu, navigate to Network → Interfaces → LAN → DHCP Server (found below the “Common Configuration” section) → Advanced Settings.
In the “DHCP-Options” field enter the value “6,10.8.0.1,220.127.116.11”.
Click on Save & Apply.
Due to an error in the OpenVPN OpenWrt GUI plugin, you will need to repeat the following steps every time you change and save any settings via the GUI or – sadly – if you restart the router!
First, create a scheduled task by pasting the following text into the dialog box shown below:
*/1 * * * * sed -i '/secret/d' /tmp/etc/openvpn-mullvad_client.conf
Then navigate to Services → OpenVPN. Enable the checkbox beside mullvad_client and then click on the Start button found in that same row.
Add a kill switch
Change firewall settings as shown below (remove WAN from LAN) in order to block all internet traffic from outside the VPN tunnel:
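One way to confirm the kill switch from an SSH session, as an added example that is not part of the original guide: the script parses a firewall config file and succeeds only when the lan zone forwards to VPN_FW and nowhere else. The function names and the two sample configs are constructed for illustration; the zone names lan, wan and VPN_FW follow this guide.

```sh
# Added example (not from the original guide): audit an OpenWrt firewall
# config file for the kill-switch condition. Zone names lan, wan and VPN_FW
# are the ones used in this guide; the sample configs below are constructed.

# Print "src dest" for every 'config forwarding' section in file $1.
list_forwardings() {
    awk '
        function unquote(s) { gsub("[\"\047]", "", s); return s }
        function emit() { if (in_fwd && src != "" && dest != "") print src, dest }
        $1 == "config" { emit(); in_fwd = (unquote($2) == "forwarding"); src = dest = "" }
        in_fwd && $1 == "option" && $2 == "src"  { src  = unquote($3) }
        in_fwd && $1 == "option" && $2 == "dest" { dest = unquote($3) }
        END { emit() }
    ' "$1"
}

# Succeed only when the lan zone forwards to VPN_FW and to nothing else,
# i.e. there is no lan -> wan path left for traffic to take outside the tunnel.
killswitch_ok() {
    dests=$(list_forwardings "$1" | awk '$1 == "lan" { print $2 }' | sort -u)
    [ "$dests" = "VPN_FW" ]
}

# Constructed sample: stock lan -> wan forwarding still present next to the VPN one.
sample_leaky() {
    printf '%s\n' \
        "config forwarding" "  option src lan" "  option dest wan" "" \
        "config forwarding" "  option dest 'VPN_FW'" "  option src 'lan'"
}

# Constructed sample: lan -> wan forwarding removed, only the VPN one remains.
sample_tight() {
    printf '%s\n' "config forwarding" "  option dest 'VPN_FW'" "  option src 'lan'"
}

# Demo: run the check against both constructed samples.
for s in sample_leaky sample_tight; do
    f=$(mktemp)
    "$s" > "$f"
    if killswitch_ok "$f"; then
        echo "$s: kill switch OK"
    else
        echo "$s: LEAK, lan forwards to:" $(list_forwardings "$f" | awk '$1 == "lan" { print $2 }')
    fi
    rm -f "$f"
done
```

On the router, run `killswitch_ok /etc/config/firewall` after changing the firewall settings; a non-zero exit status means the lan zone can still forward somewhere other than VPN_FW.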