How to Set Up a VPN On NETGEAR R6300 with OpenVPN and DD-WRT

This is a fact: everyone's Internet freedom and privacy are at risk. From SOPA to PIPA to the "six strikes" rule and frivolous lawsuits, the government, ISPs, the MPAA, the RIAA (and the list goes on) have shown that they definitely want to track your every move online. I support a free and open Internet, but in a world where ISPs can't be trusted, one has to take matters into one's own hands. One simple way to do this is with a personal VPN service -- an inexpensive and simple method to protect your privacy online.

I talk a little bit about exactly what a VPN is in a previous article, along with some basic instructions for setting one up through a home router using either Tomato or DD-WRT firmware. The L2TP instructions found in that article should work for most providers with the R6300.

However, many users will likely prefer to use OpenVPN, as it generally offers the best performance and is the industry standard for VPN security. IVPN has an excellent guide comparing the benefits of OpenVPN versus the other two methods (although I personally feel L2TP is fine also).

So, if you have an R6300, we're ready to get started!

Step 1: Sign Up for VPN Service

For purposes of this article, I used Private Internet Access, a popular and well known VPN service that I have found to be reliable and a good value. In my testing, I found that another well known provider's instructions would not work on the R6300, basically bricking the router. Several others don't offer DD-WRT based installation or instructions for OpenVPN. Even the instructions for Private Internet Access, clearly provided on their website, did not work as outlined -- resulting in many hours of digging and searching for settings that could help things work.

Fortunately, Private Internet Access offers a low-cost monthly sign up for users to try out the service on their router. If you want to follow the steps in this guide, I recommend that you select that plan to see if it works out for you before committing to a longer length of service.

Note that neither I nor MyOpenRouter are affiliated with Private Internet Access in any way, nor was I provided free service for purposes of writing this article. I am simply a normal user who is happy with their service, and I feel comfortable recommending them to our members.

Also note that other providers, no doubt, will work with OpenVPN on the R6300. It's simply not possible for me to test every one! My aim is to provide a simple way that an average user like me can get this up and running quickly; this can be done without knowing any code, compiling any software, and so on. I would love to see tutorials from other users who use other services!

Step 2: Perform a 30-30-30 Reset on the R6300

This will clear the NVRAM of the device and set it up for a clean implementation of the following instructions. Do not skip this. Here are some instructions (they are the same for any NETGEAR router on which this method is supported.)

Step 3: Install the Latest Build of DD-WRT for the R6300

The latest build of DD-WRT for the R6300 will need to be installed, as it contains OpenVPN functionality. We have a guide on installing DD-WRT; it's simple, so don't worry!

[Latest Build of DD-WRT for NETGEAR R6300 -- Download Here]

Step 4: Repeat Step 2

Yes, do another 30-30-30 and another reboot... it's crucial for ensuring a clean setup to work with.

Step 5: Set the Time to Match the VPN Server and Add an NTP Server

Now, log in to DD-WRT's web interface and, after setting up the new admin username and password, head to Setup -> Basic Setup and scroll to the bottom. Input the proper time to correspond with the VPN server you're choosing, and also enter an NTP time server address in the appropriate field. (More info on NTP plus some pool addresses here.)

Step 6: Change Your DNS Servers

This is the step (after completing setup originally and failing) that finally triggered OpenVPN to work for me on this router -- so I'm guessing it was necessary! I always use an alternate DNS provider anyway, but to reproduce my setup exactly, you'll want to use OpenDNS.

Step 7: Set up Custom Firewall Commands

I used the following firewall commands on the R6300 as part of the setup that would eventually work. I have not tested whether the connection will work without these settings, but a user on the DD-WRT forums provided them in an existing thread as a "recommended" setup.

iptables -N VPN
iptables -F VPN
iptables -I INPUT -i tun0 -j VPN
iptables -I FORWARD -i tun0 -j VPN
iptables -A VPN -i tun0 -o br0 -j ACCEPT
iptables -I POSTROUTING -t nat -o tun0 -j RETURN

This code should be added in Administration -> Commands. Type it into the command text field and click "Save Firewall."

Step 8: Add Startup Commands

This code, provided by Private Internet Access on their startup page, will run when the router restarts. It puts the VPN username and password into a text file stored on the router, which the OpenVPN client will access later. It also kills the existing OpenVPN process and restarts it, in the event the password isn't properly stored.

echo your_username >> /tmp/password.txt
echo your_password >> /tmp/password.txt
/usr/bin/killall openvpn
/usr/sbin/openvpn --config /tmp/openvpncl/openvpn.conf --comp-lzo yes --route-up /tmp/openvpncl/route-up.sh --down-pre /tmp/openvpncl/route-down.sh --daemon

Put this code into the same field as you did in Step 7, and click "Save Startup."

It's important to note that you do not put your username or password in quotes. Finally, I made one small change to the startup script, to overcome a bug in this DD-WRT release that prevents you from selecting the LZO Compression method in the next step.
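The following is an added example, not code from Private Internet Access or from the original article. It shows a variant of the credential-writing part of the startup commands that overwrites /tmp/password.txt instead of appending to it and restricts the file to its owner. OpenVPN's auth-user-pass reads the username from the first line and the password from the second, so with ">>" a second run after a password change leaves the old pair on those two lines. The function names write_vpn_creds and check_vpn_creds are hypothetical.

```shell
#!/bin/sh
# Added example (not PIA's or the article's code); function names are hypothetical.

# Write the file that auth-user-pass reads: exactly two lines,
# username first, password second, readable only by the owner.
write_vpn_creds() {
    file=$1 user=$2 pass=$3
    old_umask=$(umask)
    umask 077                          # anything created from here on is 0600
    tmp="$file.$$"
    # printf '%s' writes the values literally; echo may interpret
    # backslashes or a leading "-n" depending on the shell.
    printf '%s\n%s\n' "$user" "$pass" > "$tmp" || { umask "$old_umask"; return 1; }
    chmod 600 "$tmp"
    mv "$tmp" "$file"                  # replace the old file, never append to it
    umask "$old_umask"
}

# Succeed only if the file exists and holds exactly two non-empty lines.
check_vpn_creds() {
    file=$1
    [ -r "$file" ] || return 1
    total=$(($(wc -l < "$file")))
    nonempty=$(grep -c . "$file" || true)
    [ "$total" -eq 2 ] && [ "$nonempty" -eq 2 ]
}

# In the startup commands this would replace the two echo lines:
#   write_vpn_creds /tmp/password.txt your_username your_password
```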

Step 9: Configure the OpenVPN Client

Almost there. Head to Services -> VPN and enable the OpenVPN Client.

Then, enter the following settings:

  • Server: Input your server of choice here
  • Port: 1194
  • Tunnel Device: TUN
  • Tunnel Protocol: UDP
  • Encryption Cipher: Blowfish CBC
  • Hash Algorithm: SHA1
  • Advanced Options: Enable
  • TLS Cipher: None
  • LZO Compression: DON'T TOUCH THIS, leave it at disabled
  • NAT: Enable

Now, in the Additional Config box that will pop up after you enable Advanced Options, enter this:

comp-lzo yes
auth-user-pass /tmp/password.txt
persist-key
persist-tun
tls-client
remote-cert-tls server

Finally, in the last step, enter the contents of the ca.crt file that you download from Private Internet Access into the "CA Cert" field. Save and apply the settings.

Step 10: Reboot and Wait

At this point, all of the settings have been configured -- so all that's left is to reboot the router. It may take a few minutes upon reboot for the OpenVPN client to establish the tunnel, but it should work relatively quickly. If it does not, reboot again, and possibly restart your modem or Internet connection, which may help.

If everything is working correctly, your WAN IP will still show the IP of your modem or regular connection, but if you visit an IP checking site (e.g. WhatIsMyIP.com) it will show the address of the VPN server you are using rather than your actual IP.
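Because the DD-WRT status page keeps showing the WAN address either way, the routing table is a more direct check than the GUI. The following is an added example, not part of the original article. It classifies the output of "route -n" and assumes the VPN server pushes OpenVPN's "redirect-gateway def1" option. The function name vpn_route_status and the sample tables are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the article. Reads `route -n` output on stdin and
# classifies how traffic is routed relative to the tunnel device.
# Assumption: the server pushes "redirect-gateway def1", which installs
# 0.0.0.0/1 and 128.0.0.0/1 via the tunnel; these win over the WAN default
# route (0.0.0.0/0) because they are more specific.
vpn_route_status() {
    dev=${1:-tun0}
    low=0 high=0 dflt=0 seen=0
    while read -r dest gw mask flags metric ref use iface; do
        [ "$iface" = "$dev" ] || continue      # skips headers and other devices
        seen=1
        case "$dest/$mask" in
            0.0.0.0/128.0.0.0)   low=1 ;;
            128.0.0.0/128.0.0.0) high=1 ;;
            0.0.0.0/0.0.0.0)     dflt=1 ;;
        esac
    done
    if [ "$dflt" = 1 ] || { [ "$low" = 1 ] && [ "$high" = 1 ]; }; then
        echo tunnel     # Internet-bound traffic leaves via the tunnel device
    elif [ "$seen" = 1 ]; then
        echo partial    # tunnel is up, but default traffic still uses the WAN
    else
        echo bypass     # no routes on the tunnel device: OpenVPN is not connected
    fi
}

# Constructed sample tables (private and documentation address ranges).
sample_tunnel() { cat <<'EOF'
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.8.0.5        128.0.0.0       UG    0      0        0 tun0
0.0.0.0         192.0.2.1       0.0.0.0         UG    0      0        0 vlan2
10.8.0.5        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
128.0.0.0       10.8.0.5        128.0.0.0       UG    0      0        0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
EOF
}
sample_partial() { sample_tunnel | grep -v ' 128\.0\.0\.0 '; }
sample_bypass()  { sample_tunnel | grep -v 'tun0$'; }

# On the router (telnet/SSH session): route -n | vpn_route_status tun0
```

A result of "partial" means OpenVPN connected but traffic is not being redirected, and "bypass" means the tunnel never came up.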

Conclusions

I'm very happy with this firmware, and the fact that it does indeed support OpenVPN. Discovering the correct settings was no small feat and took some sleuthing, but was worth it. Overall, the OpenVPN connection is very stable and is slightly faster than what I was able to achieve on the same service/servers with an L2TP connection (~12-13 Mbps compared to ~9-10 Mbps). While this is certainly a big step down from my full bandwidth (~35 Mbps sustained), it's a worthy tradeoff. Plus, the VPN can be easily disabled from the DD-WRT GUI.

If you try this tutorial, please post a comment and let me know how it's working for you or if you have trouble.

Additionally, I'd love to hear from our community members if they have gotten OpenVPN working on the R6300 with any other provider, and if so, how it was done!

Fuzz

I have followed every step in your article here and would appreciate one last bit of help since I am an utter newb when it comes to this. How can I "enter the contents of the ca.crt file that you download from Private Internet Access into the "CA Cert" field" - I am using OSX 10.7.5 and have zero experience doing this.

Peter Redmer

Hi Fuzz, it's really easy actually -- all you have to do is open the ca.crt file in a text editor (like TextWrangler), copy the contents, and paste them into the field :)

 

Fuzz

Hey Peter,

Thanks so much for the reply. I love the website and all its information and I am trying to self teach myself as much as possible quickly. I have now followed all your steps to a "t" and am still a failure! I just cannot get my connection to run an OpenVPN connection no matter what! Oh well back to the drawing board or possibly back to an L2TP connection.

Peter Redmer

Are you using Private Internet Access? I wrote this guide specifically for use with that VPN provider, so these instructions are not likely to work with other providers exactly as written. I gave a lot of details about my experience here in Step 1 -- I tried some other providers and didn't have any luck, and even Private Internet Access's instructions didn't work as written, so I had to experiment until I found a combination that worked.

Which provider are you using? Did you try following the provider's instructions first?

 

Fuzz

I am using Private Internet Access along with Netgear R6300 and the latest compatible dd-wrt firmware. I'm pretty sure I've followed all steps exactly but I'm guessing I've made a rookie mistake along the way. I guess I'll try a 30-30-30 and try again.

Peter Redmer

Yes, this didn't work on the first try for me. Some other things you can try are to use a different Private Internet Access server or alternate DNS provider.

Additionally, did you make sure to set the correct time on the router to match whatever server you chose? I had forgotten that in the beginning, and didn't realize how important of a step it was!

 

Fuzz

This just will not work for me for whatever reason. I am sure I am doing something wrong as the information on your site is awesome. I made sure to follow every step exactly, however, even after switching DNS servers as well as a different Private Internet Access server with correct time, I am still showing my IP address and not one from Private Internet Access. Love the site and will carry on trying to figure this out. Thanks.

Peter Redmer

Hi Fuzz -- it might actually be working, and you just don't know it!

In step 10, I mention that the DD-WRT interface will still show your regular IP address. This is the case even when the OpenVPN tunnel is on and working.

Try going to an IP address checking site (e.g., WhatIsMyIp.com, which I use but there are many out there) and see if it's linking to the VPN server.

 

Fuzz

Yeah it's still showing my local IP and not the Private Internet Access IP. I just can't for the life of me figure this out! I appreciate all your help but there is obviously something I am omitting or doing incorrectly.

Joe Ayala

This tutorial does not work. I have tried following all steps carefully twice and the VPN does not enter. I even subscribed to privateinternetaccess.

I do not recommend anyone to try it.

I will try some options and in case it works, I'll report back.

Joe Ayala

Please explain REBOOT operation in detail. Is it just to turn it off and on again?

Thanks.

Peter Redmer

Hi Joe -- when I say "reboot" I mean to power cycle the unit -- just unplug it and plug it back in.

A 30-30-30 reset is something different and should be done before and after flashing any custom firmware.

For what it's worth, I have been having some issues with certain servers with Private Internet Access right now; my preferred server seemed to be having some connectivity and ping issues. That may be part of the problem; try using some different servers.

If you still can't get OpenVPN to work, you can always use L2TP, which is much easier to configure and get running.

More info on how to set it up with L2TP:
http://www.myopenrouter.com/article/43334/How-to-Set-Up-a-VPN-on-DD-WRT-...

 

cipher

Hi Peter;

I installed the DD-WRT on my Netgear R6300 following every line and it won't work. Worse yet, it seems I can't erase the DD-WRT and get the original (Netgear Firmware) rolled back.

Do you have instructions for rolling back this thing? I've tried doing it via TFTP and it just won't do it.

Thanks!

MilkmanCDN

Hi Peter,

I followed your directions. OpenVPN client connects successfully to my VPN server (private internet access), but when I try to browse the web, I get nothing.

I'm using Kong's build 22250 of DD-WRT and perhaps OpenVPN is broken in that version.

Thoughts?

Peter Redmer

@MilkmanCDN - I would try rebooting both your modem and router and waiting a few minutes, sometimes it takes a bit of time for the tunnel to establish itself.

I have also noticed that certain servers with PIA encounter issues or downtime. Try switching to a different server just to see if it resolves the problem... in fact, I had to do this yesterday as my regularly used server was being finicky.

@cipher - So sorry for missing this post! I haven't tried recovering the R6300 via USB-TTL, but this may be what you need to do to bring things back. I will see what I can find out.

 

tommyg

Hi,

I'm kinda a noob at this kind of stuff, but no matter what I do, I can't get the enable openvpn to show up as an option. I'm using an r6300 and followed all the steps. Am I missing something?

grk

Thank you mate, this guide is fine here.
I've not used firewall part and activated LZO via frontend.
Hardware: Linksys E900
Firmware: DD-WRT v24-sp2 (05/27/13) big

Subhra

tommyg said: Hi, I'm kinda a noob at this kind of stuff, but no matter what I do, I can't get the enable openvpn to show up as an option. I'm using an r6300 and followed all the steps. Am I missing something?

First ensure that you are using the latest firmware (link given in Step 3). Then go to the "Services->VPN" tab; you will find the "OpenVPN Client" option.

manspider138

Hi Peter,

Is there any way I can remotely manage my DD-WRT router with VPN service running?

kamaaina

I have used your tutorial now to set RIA VPN up on the r7000, exactly as you described. Initial connection works fine.

I tried two other tutorials before w/ the r7000 and they worked for 2-3 days and then the connection froze, e.g. I had to restart the router as nothing would get Internet any longer. Let's hope it works stable with your tutorial now.

I had it run for a while very stable on an older E3000 as well as the RT-N66R, both with Tomato.

nblagotic

Hi there,

I have Netgear WGR614L router and I'm having issues at setting up VPN on it. I followed all of your instructions but in the end it seems not to be working. Still can't use VPN. Could you please help me and try to find what could be a mistake? I followed instructions very carefully. Cheers and thanks in advance!

Nebojsa

Subhra

Get log of openvpn client and see what is creating problem.

nblagotic

How can I get log? I'm having Super VPN Deluxe SSL Plan. Sorry, not very technical guy.

Subhra

Enable "Services->Services->System Log" to start logging facility in your router.
Telnet into router address (192.168.1.1) and view the openvpn client log.

mmmyyy

Working pretty well for me. I was wondering if there was a way for my guest wifi network traffic on br1 can be routed through the normal wan interface not the openvpn tunnel tun0.

Thanks

lbdublb

Does DD-WRT support facebook wlan on Netgear R6300? Thanks!

tigs

Thanks Peter,

This worked for me very well. I use Kong's dd-wrt with a netgear r7000. I have one question for you. How to ensure the VPN is running or there is no internet at all? and, how to stop DNS leak through iptables in firewall?

Here is a post saying he accomplished this with these firewall rules:

iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
iptables -I FORWARD -i br0 -o vlan2 -j DROP
iptables -I INPUT -i tun0 -j REJECT
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

can you comment on this?

here is the link to that post:

https://airvpn.org/index.php?option=com_kunena&func=view&catid=3&id=4287...

He is with airvpn, I gather we should be able to accomplish as well.

thanks

havoc0351

How can I get this to work with VPN Secure?

RobertL

I don't have the option to configure OpenVPN as stated in step 8. Under "Services>VPN", I only have PPTP Server and PPTP Client (ie. no "enable the OpenVPN Client")

I have installed dd-wrt.v24-K26_R6300_19-10-2012.chk.

thanks for your help,

Robert

John Zimm

I am about to buy a pre-configured PIA router from flash routers... But if I could configure it myself I could save 100 bucks... Or spend the same and get a better router. But I don't know how to set up the kill switch feature... Do you use this feature?
