
OpenWrt routers and Mullvad VPN

What is OpenWrt?

The OpenWrt website describes OpenWrt as a Linux distribution for embedded devices.

Instead of trying to create a single, static firmware, OpenWrt provides a fully writable filesystem with package management. This frees you from the application selection and configuration provided by the vendor and allows you to customize the device through the use of packages to suit any application.

For developers, OpenWrt is the framework used to build an application without having to build a complete firmware around it. For users, this means the ability for full customization, to use the device in ways never envisioned.

Installing OpenWrt on your router

Consult the OpenWrt website to see if your router is supported.

Installing OpenVPN and Mullvad on your router comes with some benefits:

  • You can secure your whole network and all devices connected to the router.
  • You can run Mullvad on more than three devices (all devices connected to the router).
  • Via the router, you can even run Mullvad on devices that have no support for OpenVPN.
  • A router is designed for routing, naturally, and is not disturbed by other programs and settings like a program in a computer might be. It works well and is stable.
  • Support for Tor is built into OpenWrt.

Expected performance of OpenVPN on a router

Running OpenVPN on a router is demanding. On a router with a 400 MHz ARM CPU, you can expect around 7–10 Mbps. It scales roughly linearly, so on a router with a 1.6 GHz ARM CPU we would expect around 30–35 Mbps.

For other speed-related questions, please read our Speed guide. Also keep in mind that OpenVPN itself does not use multiple cores and that x86 CPUs will perform much better.

Requirements

  • The corresponding firmware to your router, version 15.05 or later. Find your router on the OpenWrt website. In this guide, we are using a TP-LINK 710N version 2.1 router, and will therefore use "openwrt-ar71xx-generic-tl-wr710n-v2.1-squashfs-factory.bin".
  • A router (TP-LINK 710N version 2.1 in this case).
  • Two Ethernet cables.
  • SSH (login at command line) and SCP (transfer files) compatible programs. Linux and Mac have tools like this built in. For Windows, you can use PuTTY or WinSCP.
  • Paperclip or something similar.

Connect network cables to the router and plug it in

  1. Take a network cable, plug it into the LAN/WAN port, and connect the other end to "internet".
  2. Plug another network cable from your computer to the LAN port.
  3. Plug in the device (power on).

Update the router firmware to OpenWrt

Follow the instructions for your router in order to connect and update the firmware to the downloaded OpenWrt firmware. The router normally displays some status information and then restarts.

Install LuCI

OpenWrt version 2.1 comes without the web user interface LuCI installed. Use SSH (PuTTY) to connect to 192.168.1.1 as root with no password (the first time you connect you will get a "potential security breach" warning because the router's host key is not yet known), and then run the following two commands: "opkg update" and "opkg install luci".

Initial Configuration of OpenWrt

  1. Open a browser and navigate to http://192.168.1.1/.
  2. Click the Login button. This logs you in with the default root user with no password.
  3. Once the Status page loads, there is a message at the top saying “No password set!” Click the Go to Password Configuration link found below it.
  4. On the Router Password page, set a secure and memorable password. Click the Save & Apply button at the bottom of the page.
  5. On the same page in the SSH Access section, set the interface to LAN. Click the Save & Apply button.

Untrusted Internet Wireless Network – for accessing the internet (optional)

Any existing wireless network can be used to complete this section, but it’s better not to use an untrusted one yet.

  1. From the Web Management menu, select Network » Wireless.
  2. Click the Scan button located next to Generic MAC80211 802.11bgn (radio0).
  3. Find the network you want to connect to and click the Join Network button.
  4. Uncheck the Replace Wireless Configuration box.
  5. Enter a password if needed to connect.
  6. Make sure the name of the new network is "wwan".
  7. Make sure the Create / Assign firewall zone is "wan".
  8. Click the Submit button.
  9. In the next Wireless Network page, click the Save & Apply button.

Internal Wireless Network – for devices connecting to this router

This is the secure wireless network that your devices can connect to. It should be encrypted with a good password.

  1. From the menu, select Network » Wireless.
  2. Click the Edit button beside the OpenWrt network.
  3. Change the wireless name to the name you like (ESSID).

The wireless network name should be memorable, but without a way to tie it back to you.

  1. Make sure the mode is set to Access Point.
  2. Make sure the network is set to LAN.
  3. Click the Wireless Security tab.
  4. Change Encryption to WPA2-PSK.
  5. Change Cipher to Force CCMP (AES).
  6. Set the Key to the password you want to use.
  7. Click the Save & Apply button.

Firewall configuration

  1. From the web management menu, select Network » Firewall.
  2. In the General Settings section, change Input to drop and Forward to drop.
  3. In the Zones section for the wan zone, change Input to drop and Forward to drop.
  4. Click the Save & Apply button.

Make it blink (this may only work on the TP-LINK 710N)

There’s only one LED to show any kind of status. We’re going to make it do a slow blink by default. Then when the VPN is connected, it will automatically change to a fast blink, signalling that the VPN is working.

  1. From the Web Management menu, select System » LED Configuration.
  2. Click the Add button. Make sure the following options have these settings, making changes if necessary:
    • Name: slowblink
    • LED Name: tp-link:blue:system
    • Default state: checked
    • Trigger: timer
    • On-State Delay: 500
    • Off-State Delay: 5000
  3. Click the Save & Apply button.

The LED should start blinking on and then off roughly every 5 seconds.

Prepare for OpenVPN installation

For the OpenVPN installation you will need to create a number of files.

Create certificate files

You will need to create a Mullvad account and then download certificate files:

  1. Login to Mullvad with the account you are planning to use on your router.
  2. Download the Android settings file (mullvad.ovpn).
  3. In the downloaded file you will find three XML sections: <ca>, <cert>, and <key>.
    • Cut the text from the <ca> part (the second certificate), starting from and including "-----BEGIN CERTIFICATE-----" all the way through and including "-----END CERTIFICATE-----", and save it in a file called "ca.crt".
    • Cut the text from the <cert> part, starting from and including "-----BEGIN CERTIFICATE-----" all the way through and including "-----END CERTIFICATE-----", and save it in a file called "client.crt".
    • Cut the text from the <key> part, starting from and including "-----BEGIN" all the way through and including the matching "-----END ... KEY-----" line, and save it in a file called "client.key".

Create reset file

Copy and paste the following text into a text editor. Save the file locally on your computer in the folder structure "/etc/rc.button/reset".

#!/bin/sh
# /etc/rc.button/reset: act on the reset button depending on how long it was held.
[ "${ACTION}" = "released" ] || exit 0
. /lib/functions.sh
logger "$BUTTON super button pressed for $SEEN seconds"
if [ "$SEEN" -lt 1 ]
then
    # short press: start the VPN
    logger "Start OpenVPN"
    /etc/init.d/openvpn start
elif [ "$SEEN" -gt 20 ]
then
    # held for more than 20 seconds: wipe the overlay and reboot (factory reset)
    echo "FACTORY RESET" > /dev/console
    jffs2reset -y && reboot &
elif [ "$SEEN" -gt 10 ]
then
    # held for more than 10 seconds: plain reboot
    echo "REBOOT" > /dev/console
    sync
    reboot
else
    # held for 1 to 10 seconds: stop the VPN
    logger "Stop OpenVPN"
    /etc/init.d/openvpn stop
fi

Create vpn.up file

Copy and paste the following text into a text editor. Save the file locally on your computer in the folder structure "/etc/openvpn/vpn.up".

#!/bin/sh
# /etc/openvpn/vpn.up: run by OpenVPN once the tunnel is up (needs script_security 2).
#ACTION=ifup DEVICE=tun0 INTERFACE=vpn /sbin/hotplug-call iface
# Set the uplink's resolver file aside and replace it with the DNS servers pushed
# by the Mullvad server (OpenVPN exports them as foreign_option_1, _2, _3 ...).
mv /tmp/resolv.conf.auto /tmp/resolv.conf.auto.hold
echo "$foreign_option_1" | sed -e 's/dhcp-option DOMAIN/domain/g' -e 's/dhcp-option DNS/nameserver/g' > /tmp/resolv.conf.auto
echo "$foreign_option_2" | sed -e 's/dhcp-option DOMAIN/domain/g' -e 's/dhcp-option DNS/nameserver/g' >> /tmp/resolv.conf.auto
echo "$foreign_option_3" | sed -e 's/dhcp-option DOMAIN/domain/g' -e 's/dhcp-option DNS/nameserver/g' >> /tmp/resolv.conf.auto
# Switch the status LED to the fast blink pattern.
/etc/openvpn/blink_led_fast.sh
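The vpn.up script above handles exactly three pushed options. The following is an added example, not part of the original guide, that reads every foreign_option_N OpenVPN exports to its --up script, keeps only the DNS and DOMAIN entries, and refuses to replace the resolver file when no nameserver was pushed at all. The variable names are OpenVPN's; the sample values are constructed.

```sh
#!/bin/sh
# Added example (not from the original guide): build the resolver file from every
# foreign_option_N that OpenVPN exports to its --up script, instead of the three
# fixed lines in vpn.up. Variable names follow OpenVPN's environment for pushed options.

# Print resolv.conf lines for all pushed DNS and DOMAIN options; anything else
# the server pushes (routes, MTU, ...) is ignored.
pushed_resolv_lines() {
    i=1
    while :; do
        eval "opt=\${foreign_option_$i}"
        [ -n "$opt" ] || break
        case "$opt" in
            "dhcp-option DNS "*)    echo "nameserver ${opt#"dhcp-option DNS "}" ;;
            "dhcp-option DOMAIN "*) echo "domain ${opt#"dhcp-option DOMAIN "}" ;;
        esac
        i=$((i + 1))
    done
}

# Set $1 (e.g. /tmp/resolv.conf.auto) aside as $1.hold and write the pushed resolvers
# in its place. Returns 1 without touching anything if no nameserver was pushed, so
# a tunnel that pushes no DNS does not leave the router without any resolver.
install_pushed_resolv() {
    lines=$(pushed_resolv_lines)
    case "$lines" in
        *nameserver*) mv "$1" "$1.hold" 2>/dev/null; printf '%s\n' "$lines" > "$1" ;;
        *)            return 1 ;;
    esac
}

# Constructed sample of the environment OpenVPN sets when the server pushes DNS.
foreign_option_1='dhcp-option DNS 10.8.0.1'
foreign_option_2='dhcp-option DOMAIN example.invalid'
pushed_resolv_lines
```

In vpn.up the `mv` and the three `echo` lines would be replaced by `install_pushed_resolv /tmp/resolv.conf.auto`.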

Create vpn.down file

Copy and paste the following text into a text editor. Save the file locally on your computer in the folder structure "/etc/openvpn/vpn.down".

#!/bin/sh
# /etc/openvpn/vpn.down: restore the uplink's resolver file and the slow blink.
mv /tmp/resolv.conf.auto.hold /tmp/resolv.conf.auto
/etc/openvpn/blink_led_slow.sh

Create blink_led_slow.sh file

Copy and paste the following text into a text editor. Save the file locally on your computer in the folder structure "/etc/openvpn/blink_led_slow.sh".

#!/bin/sh
# Slow blink (VPN down): on for 0.5 s, off for 5 s, same timing as the LuCI "slowblink" entry.
echo 5000 >/sys/devices/platform/leds-gpio/leds/tp-link:blue:system/delay_off
echo 500 >/sys/devices/platform/leds-gpio/leds/tp-link:blue:system/delay_on

Create blink_led_fast.sh file

Copy and paste the following text into a text editor. Save the file locally on your computer in the folder structure "/etc/openvpn/blink_led_fast.sh".

#!/bin/sh
# Fast blink (VPN up): on for 0.75 s, off for 0.5 s.
echo 500 >/sys/devices/platform/leds-gpio/leds/tp-link:blue:system/delay_off
echo 750 >/sys/devices/platform/leds-gpio/leds/tp-link:blue:system/delay_on

Create openvpn file

Copy and paste the following text into a text editor. Save the file locally on your computer in the folder structure "/etc/config/openvpn".

# /etc/config/openvpn: UCI option names use underscores; the OpenVPN init script
# turns them into the corresponding dashed OpenVPN options (tun_ipv6 -> --tun-ipv6).
config openvpn 'myvpn'
	option enabled '1'
	option dev 'tun'
	option persist_tun '1'
	option persist_key '1'
	option proto 'udp'
	option comp_lzo 'yes'
	option verb '3'
	option tun_ipv6 '1'
	option log '/tmp/openvpn.log'
	option status '/tmp/openvpn-status.log'
	option ca '/etc/openvpn/ca.crt'
	option client '1'
	option resolv_retry 'infinite'
	option nobind '1'
	option cipher 'AES-256-CBC'
	option cert '/etc/openvpn/client.crt'
	option key '/etc/openvpn/client.key'
	option ns_cert_type 'server'
	option script_security '2 system'
	option up '/etc/openvpn/vpn.up'
	option down '/etc/openvpn/vpn.down'
	option remote 'se.mullvad.net 1300'
	option tls_cipher 'TLS-DHE-RSA-WITH-AES-256-CBC-SHA'

If you would like to connect to a different server than se.mullvad.net, please change "option remote" to another of our Mullvad servers.

Add the interface for the VPN

  1. From the Web Management menu, select Network » Interfaces.
  2. Click the Add New Interface button. Make sure the following options have these settings, making changes if necessary:
    • name of the new interface: VPN
    • protocol of the new interface: select Unmanaged
    • in Cover the Following Interface, select Custom Interface and enter "tun0" into the box beside it
    • Click the Submit button.
  3. On the next page, Interfaces – VPN
    • select the Firewall Settings tab
    • make sure Unspecified or Create is selected and enter "vpn" in the box beside it
    • click the Save & Apply button.
  4. From the Web Management menu, select Network » Firewall.
  5. Click the Edit button beside the vpn zone.
  6. Under the Zones section of the webpage:
    • enable Masquerading
    • enable MSS clamping
    • in the Inter-Zone Forwarding section:
      • for Allow forward to destination zones, select wan
      • for Allow forward from source zones, select lan.
  7. Click the Save & Apply button.

Installing OpenVPN

  1. From the menu, select System » Software.
  2. Change to the Available packages tab.
  3. Click the Update list button.
  4. Wait for the page to update.
  5. In Download and install package, enter "openvpn-openssl" and click OK. This may take a couple of minutes.

Copying files to the device

The next step involves copying the configuration files to the device. If you aren't familiar with Linux systems, SSH and SCP are methods for logging in and copying files. Windows doesn’t have these by default, but PuTTY and WinSCP are great tools to use on Windows systems. We’re going to use WinSCP to copy the files over.

  1. Open WinSCP. You should be presented with a login screen.
  2. Change the File protocol to SCP.
  3. In Host name, enter "192.168.1.1".
  4. In Username, enter "root".
  5. In Password, enter the password you set.
  6. Click the Login button.
  7. The first time you connect to a system, it will give an unknown server warning. Click the Yes button.
  8. On the right side (the router), navigate to /etc/openvpn.
  9. Copy the files that you created earlier – ca.crt, client.crt, client.key, blink_led_fast.sh, blink_led_slow.sh, vpn.down, and vpn.up – to the folder /etc/openvpn.
  10. Change Permissions:
    • On the right side, select all the files and click the Properties button.
    • In Octal, enter "0600". The permissions checkboxes should automatically change.
    • Click OK.
    • On the right side, select the blink_led_fast.sh, blink_led_slow.sh, vpn.down, and vpn.up files and click the Properties button.
    • In Octal, enter "0700".
    • Click OK.
  11. Navigate up one level (to etc) and open the config folder.
  12. Copy the openvpn file to the right side (in /etc/config).
  13. On the Overwrite File dialog screen, click the Yes button.
  14. Navigate up one level (to etc) and open the rc.button folder.
  15. Copy the reset file to the right side (in /etc/rc.button).
  16. On the Overwrite File dialog screen, click the Yes button.
  17. Close WinSCP.

Adding a kill switch

Make sure no traffic is allowed from the LAN to internet without passing the tunnel. If the tunnel is down, there will be no internet access at all.

  1. From the Web Management menu, select Network » Firewall.
  2. Under Zones, click on Edit next to the "lan" row.
  3. In the Inter-Zone Forwarding section, make sure "vpn" is the only zone checked as an allowed forward destination; no other zone (in particular "wan") should be checked under either destination or source.
  4. Click the Save & Apply button.
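A way to confirm the kill switch from the command line, as an added example that is not part of the original guide: it scans the output of `uci export firewall` for any forwarding that reaches the "wan" zone without coming from the "vpn" zone. The zone names are the ones this guide uses; the two sample exports are constructed, not captured from a router.

```sh
#!/bin/sh
# Added example (not from the original guide): confirm the kill switch by scanning
# `uci export firewall` output for forwardings that reach "wan" without coming
# from the "vpn" zone. Zone names (lan, wan, vpn) are the ones used in this guide.

# Reads a UCI firewall export on stdin, prints each tunnel-bypassing forwarding as
# "src -> dest", and returns 0 when none is found (kill switch intact), else 1.
find_tunnel_bypass() {
    awk '
    BEGIN { bad = 0 }
    function flush() {
        if (type == "forwarding" && dest == "wan" && src != "vpn") {
            print src " -> " dest
            bad = 1
        }
        type = ""; src = ""; dest = ""
    }
    /^config /            { flush(); type = $2 }
    /^[ \t]*option src /  { gsub("\047", "", $3); src = $3 }
    /^[ \t]*option dest / { gsub("\047", "", $3); dest = $3 }
    END                   { flush(); exit bad }
    '
}

# Constructed samples shaped like `uci export firewall` (not captured from a router).
# The first still has the lan->wan forwarding that the kill switch step removes.
LEAKY_EXPORT='config forwarding
    option src '\''lan'\''
    option dest '\''wan'\''
config forwarding
    option src '\''lan'\''
    option dest '\''vpn'\''
'
SAFE_EXPORT='config forwarding
    option src '\''lan'\''
    option dest '\''vpn'\''
config forwarding
    option src '\''vpn'\''
    option dest '\''wan'\''
'

# $1 = export text; echoes the bypass list and returns 0/1 like find_tunnel_bypass.
check_sample() {
    printf '%s\n' "$1" | find_tunnel_bypass
}

# On the router itself: uci export firewall | find_tunnel_bypass
check_sample "$LEAKY_EXPORT" || echo "kill switch NOT intact"
```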

Adding DNS leak protection

  • To be done?

Adding a watchdog

With OpenWrt, it’s fairly easy to implement a simple watchdog that pings a public IP address every minute and restarts /etc/init.d/network in case the ping fails a couple of times in a row.

Store the following shell script at /root/ and name the file "wan-watchdog.sh".

#!/bin/sh
# /root/wan-watchdog.sh: restart the network if a public address is unreachable
# five times in a row. Uses POSIX "[" so it runs under OpenWrt's BusyBox ash.
tries=0
while [ "$tries" -lt 5 ]
do
    if /bin/ping -c 1 8.8.8.8 >/dev/null 2>&1
    then
        exit 0
    fi
    tries=$((tries+1))
done
logger "wan-watchdog: ping failed $tries times, restarting network"
/etc/init.d/network restart

Don’t forget to make it executable using the command "chmod +x /root/wan-watchdog.sh".

Afterwards, add the following entry in System » Scheduled Tasks in LuCI:

* * * * * /root/wan-watchdog.sh

Reset the device

  1. From the web management menu, select System » Reboot.
  2. Click the Perform reboot link.
  3. The device LED will blink while it’s loading, then go into a very slow blink cycle (once every 5 seconds).
  4. After a couple of seconds, the LED should start a fast blink cycle (OpenVPN has started).
  5. To test, open a web browser and go to a geolocation website such as IP Location. It should show a location different than yours.

That’s it. You’re done!

Troubleshooting

If nothing happens when you press the button, check all of the configuration files uploaded to the device and the permissions in /etc/openvpn. These are the files which start the VPN when you press the button and control the LED.

For everything else, compare the web interface to the instructions and make sure you didn’t miss a step.

Hardcore troubleshooting on the command line

When all else fails, consider using the command line. On a Windows system, this requires an SSH tool like PuTTY to be installed.

  1. Run PuTTY. The PuTTY configuration dialog box should appear.
  2. In Host Name, enter "192.168.1.1".
  3. Click the Open button. The main window should open.
  4. Next to login as, enter "root".
  5. Next to root@192.168.1.1’s password, enter the password you set.
  6. Type in the following command:
    • /etc/init.d/openvpn start
  7. Check to see if the LEDs start to fast blink. If not, enter the following command to stop the VPN:
    • /etc/init.d/openvpn stop
  8. Enter this command below to start watching the VPN log:
    • tail -f /tmp/openvpn.log
  9. Press the Reset button to start the VPN.

If nothing happens, the /etc/rc.button/reset configuration may not be correct. If text starts scrolling by, look for messages like "cannot connect to server" or "invalid username/password", which may indicate that the VPN provider configuration files or the /etc/openvpn/myvpn.pass file are not correct. You can fix these on your computer and use WinSCP to re-upload the files.

Out of memory issues

On our TP-LINK 710N, memory is a limited resource. We had to edit /etc/opkg/distfeeds.conf and comment out "driver_management, driver_telephony" in order to get enough memory to install openvpn-openssl.

If you edit the OpenVPN settings file on a Windows computer, you might get extra carriage-return characters (Windows line endings) in the file. Use SSH (PuTTY) and open all the files in the "vi" editor to make sure there are no rows ending with "^M". If there are, remove those characters.