Ignore WAN DNS = Checked
Note: This option was added in "DD-WRT" builds r44048 and higher.
Network Address Server Settings DHCP
Static DNS 1 = 103.86.96.100 (DNS of your choice) (Moderator: Keep your own DNS server e.g. 9.9.9.9 or 1.0.0.1 etc.)
Static DNS 2 = 103.86.99.100 (DNS of your choice) (Moderator: Keep your own DNS server e.g. 9.9.9.9 or 1.0.0.1 etc.)
Static DNS 3 = 0.0.0.0 (DNS of your choice, but 3rd DNS is not needed)
WINS = 0.0.0.0
Use DNSMasq for DNS = Checked
DHCP-Authoritative = Checked
Recursive DNS Resolving (Unbound) = Unchecked
Forced DNS Redirection = Unchecked
Path: Services>Services
Query DNS in strict order = Disable
______________________________
Path: Services>VPN
(OpenVPN Client)
Start OpenVPN Client = Enable
CVE-2019-14899 Mitigation = Enable
Server IP/Name = 0.0.0.0 https://nordvpn.com/servers/
Note: 0.0.0.0 is just an example of an IP address, and needs to be replaced with a valid IP address. Pick an actual "NordVPN" server IP address from the website URL provided above.
Port = 1194 (or 443 for the TCP protocol)
Tunnel Device = TUN
Tunnel Protocol = UDP4 (or TCP4)
Encryption Cipher = AES-256-CBC
Hash Algorithm = SHA-512
First Data Cipher = AES-256-CBC
Second Data Cipher = AES-128-GCM
Third Data Cipher = AES-256-GCM
User Pass Authentication = Enable
Username = Your NordVPN Username
Password = Your NordVPN Password
Advanced Options = Enable
TLS Cipher = None
LZO Compression = NO (No seems the right setting for Nord and not Disable (although that is the better setting))
NAT = Enable
Inbound Firewall on TUN = Checked
Killswitch = Checked (optional)
Tunnel MTU setting = 1400
Tunnel UDP MSS-Fix = Disable
Verify Server Cert = Checked
TLS Key choice = TLS Auth
Note: Data Cipher information for newer DD-WRT builds r44627 or higher.
Set a value for the Data Ciphers 1,2 and 3.
Set the First Data Cipher the same as your Encryption Cipher ("NordVPN" uses AES-256-CBC), set the Second Data Cipher at AES-128-GCM, and the Third Data Cipher at AES-256-GCM.
______________________________
Note: Paste the "TLS Key" here that is in the ovpn file downloaded from the website URLs posted below. The file can be opened in a text editor of your choice. "Notepad" works fine.
Note: The "TLS Key" and "CA Cert" do not have to change every time you change "Server IP/Name" as long as the next "Server IP/Name" selected is in the same city or country used before.
Note: You can add multiple NordVPN servers for redundancy if you enable "Multiple servers"
With multiple NordVPN servers entered and "Choose Random Server" ticked/enabled, each time the router is rebooted it will randomly pick a different server to connect to.
In the Additional Config add:
verb 4
In rare circumstances you might need to add
tun-mtu-extra 32
tun-mtu 1500
mssfix 1450
______________________________
Note: Paste the "CA Cert" below that is in the ovpn file downloaded from the website URL posted below. The file can be opened in a text editor of your choice. "Notepad" works fine.
Note: The "TLS Key" and "CA Cert" do not have to change every time you change "Server IP/Name" as long as the next "Server IP/Name" selected is in the same city or country used before.
Note: After set-up it's recommended to run a "DNS Leak Test" to make sure your DNS is not leaking. https://dnsleak.com/
Note: "WebRTC Leak Test" is just as important to pass as "DNS Leak Test". Follow the link below to start learning how to disable "WebRTC" in your web browser.
https://browserleaks.com/webrtc
Note: "Firefox" on PC, and other web browsers, offer "Enable DNS over HTTPS". This will cause your DNS to leak to the provider picked, and it is sometimes enabled by default. To disable it in "Firefox" the Path: is (Toolbar) Open Menu: Options>General>Network Settings>Settings, and then uncheck "Enable DNS over HTTPS".
Run "DNS Leak Test" to verify it's disabled.
Last edited by Justanotherbrokenrouter on Wed Aug 25, 2021 10:17; edited 32 times in total
FYI, there is no such thing as '--reject-with udp-reset'. udp is a stateless protocol, whereas tcp is stateful, and thus only tcp can be 'reset'. That iptables rule is simply erroring out. The following is sufficient.
Also, beware that 'nvram get wan_iface' is not 100% reliable. For example, when the WAN is configured w/ PPPoE, it may return nothing. That's why I prefer the following instead, which examines the actual routing table to find the relevant network interface for the WAN (based on a search for the default route (0.0.0.0/0)).
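One way to do what eibgrad describes, as an added example that is not part of this thread (the snippet eibgrad refers to is not reproduced on this page, so this is not his code, nor DD-WRT's): derive the WAN interface from the default route in the routing table instead of `nvram get wan_iface`. It assumes BusyBox-style `ip route` / `route -n` output and that the OpenVPN client uses `redirect-gateway def1`, which adds 0.0.0.0/1 and 128.0.0.0/1 via the tunnel but leaves the real 0.0.0.0/0 route on the WAN. The routing tables in the block are constructed samples, not captures from a router.

```shell
#!/bin/sh
# Added example for this thread (not eibgrad's or DD-WRT's code): find the
# WAN interface from the routing table's default route (0.0.0.0/0) rather
# than trusting `nvram get wan_iface`, which can be empty on PPPoE.
# Assumptions: BusyBox `ip route` / `route -n` output as on DD-WRT, and an
# OpenVPN client using `redirect-gateway def1`, which installs 0.0.0.0/1 and
# 128.0.0.0/1 via the tunnel and leaves the real default route on the WAN,
# so matching 0.0.0.0/0 still returns the WAN interface even with the VPN up.

# Read `ip route` output on stdin; print the interface named after "dev" on
# the "default" line. Exit 1 if there is no default route.
wan_iface_from_ip_route() {
    awk '$1 == "default" {
             for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); found = 1; exit }
         }
         END { if (!found) exit 1 }'
}

# Read `route -n` output on stdin; the default route has destination and
# genmask both 0.0.0.0 (the def1 routes have genmask 128.0.0.0), and the
# interface is the last column.
wan_iface_from_route_n() {
    awk '$1 == "0.0.0.0" && $3 == "0.0.0.0" { print $NF; found = 1; exit }
         END { if (!found) exit 1 }'
}

# On a live router: prefer `ip`, fall back to `route`.
wan_iface() {
    if command -v ip >/dev/null 2>&1; then
        ip route show | wan_iface_from_ip_route
    else
        route -n | wan_iface_from_route_n
    fi
}

# Constructed sample tables (not captured from a router): PPPoE WAN on ppp0
# with the VPN's def1 routes on tun1.
SAMPLE_IP_ROUTE='0.0.0.0/1 via 10.8.0.1 dev tun1
default dev ppp0 scope link
128.0.0.0/1 via 10.8.0.1 dev tun1
10.8.0.0/24 dev tun1 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1'

SAMPLE_ROUTE_N='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.8.0.1        128.0.0.0       UG    0      0        0 tun1
0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 ppp0
128.0.0.0       10.8.0.1        128.0.0.0       UG    0      0        0 tun1
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br0'

# Demonstration on the sample data (both print ppp0).
printf '%s\n' "$SAMPLE_IP_ROUTE" | wan_iface_from_ip_route
printf '%s\n' "$SAMPLE_ROUTE_N" | wan_iface_from_route_n
```

On the router itself, `wan_iface` is what a firewall script would call; checking its exit status (no default route at all) is the case `nvram get wan_iface` silently hides.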
If anyone has any information that can help improve this guide please comment below with directions, and I will edit as soon as possible. I obviously don't have problems doing so.
Last edited by Justanotherbrokenrouter on Fri Feb 19, 2021 5:36; edited 16 times in total.
I will try tonight to edit more information about Additional Configuration.
Posted: Fri Feb 19, 2021 16:28
persist key and persist tun are already set by DDWRT so can be removed.
DDWRT (if no fragment is set) will use "mtu-disc yes" which will normally discover the right MTU size so there usually is no need for fragment and mssfix
So try without mssfix
I am not sure about tun-mtu-extra, I thought that it is for TAP connections so also try without.
So actually do what @eibgrad frequently tells us: "do not put anything in the additional config"
[quote="egc"]persist key and persist tun are already set by DDWRT so can be removed.
DDWRT (if no fragment is set) will use "mtu-disc yes" which will normally discover the right MTU size so there usually is no need for fragment and mssfix
So try without mssfix
I am not sure about tun-mtu-extra, I thought that it is for TAP connections so also try without.
So actually do what @eibgrad frequently tells us: "do not put anything in the additional config"
Wait till he chimes in, he is our VPN expert.[/quote]
You're right, many Additional config settings are already set by DD-WRT. With that said I will remove persist key and tun. "mtu-disc yes" is very helpful, and should be added to Additional config. Mssfix and fragment can be enabled, or set in OpenVPN Client, so no real need to have those in Additional config either.
Just figured I'd ask. QOS doesn't work when OpenVPN Client is enabled. VPN works, but QOS no longer limits connection to values set until OpenVPN Client is disabled. I've tested with speed test. Yes I would like to hear from the VPN guru.
Any thoughts on QOS egc?
IIRC, QoS has *never* worked w/ the OpenVPN client. I'm pretty sure it's bound exclusively to the WAN.
The only way I know to have QoS associated w/ the OpenVPN client is indirectly. For example, suppose you use a secondary router daisy-chained to the primary (WAN to LAN respectively) that's configured w/ the OpenVPN client. You could specify the WAN ip of that router in the QoS of the primary router. From the perspective of QoS, that WAN ip is just another device on the primary router's network. Of course, *all* traffic on the secondary router, WAN or VPN bound, is treated the same by QoS. Whether that matters is up to you, but if you're not using PBR (policy based routing), everything ends up routed over the VPN anyway, so obviously it shouldn't matter.
Other than that, and AFAIK, QoS and OpenVPN on the same router doesn't work.
Exactly what I was thinking, but not in so many words. Just wanted to be sure. Thanks eibgrad.
mtu-disc yes is also set by DDWRT unless you use fragment, because fragment will stop the path MTU discovery as you set the MTU manually.
I don't use fragment. If I don't use mtu-disc yes, syslog returns the message "--mtu-disc is not supported on this OS".
I haven't contacted NordVPN about this "tun-mtu-extra 32"
Not much talk about it on the internet. Could be the reason I'm having to write mtu-disc yes in Additional Config, if it is also a DD-WRT default.
Last edited by Justanotherbrokenrouter on Mon Feb 22, 2021 15:54; edited 2 times in total
It's hard to write the Additional Config for everyone because defaults change depending on the DD-WRT build used. I'm on build DD-WRT v3.0-r44048 std (08/02/20) due to that build just being more stable.
So I guess it's best to write Additional Config for what is missing, or needed, according to your build's /tmp/openvpncl/openvpn.conf
So actually do what @eibgrad frequently tells us: "do not put anything in the additional config"
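A practical way to follow the advice above (put into Additional Config only what your build's generated config lacks), as an added example that is not code from this thread, from Justanotherbrokenrouter, egc, or DD-WRT: compare /tmp/openvpncl/openvpn.conf against the directives the guide's GUI settings correspond to. It assumes the standard OpenVPN 2.5 directive names and a mapping from the GUI fields to them (for instance "Verify Server Cert" to `remote-cert-tls server` and "Hash Algorithm SHA-512" to `auth SHA512`), which is my reading and not stated on the page; the sample config in the block is constructed, not captured from a router.

```shell
#!/bin/sh
# Added example for this thread (not Justanotherbrokenrouter's, egc's or
# DD-WRT's code): compare the client config DD-WRT generates at
# /tmp/openvpncl/openvpn.conf with the directives the guide relies on, so
# that only what a given build actually leaves out goes into Additional Config.
# Assumptions: the GUI settings map to these standard OpenVPN 2.5 directives
# ("Verify Server Cert" -> remote-cert-tls server, "Hash Algorithm SHA-512"
# -> auth SHA512, "TLS Key choice = TLS Auth" -> tls-auth, and so on); the
# sample config below is constructed, not captured from a router.

# "<directive> <expected value>"; "-" means presence is enough.
REQUIRED_DIRECTIVES='client -
dev -
remote-cert-tls server
auth SHA512
cipher AES-256-CBC
data-ciphers -
tls-auth -
persist-key -
persist-tun -
mtu-disc yes'

# Print one line per problem ("missing: <directive>" or "mismatch: ...")
# for the config file given as $1. Comment lines (# or ;) never match,
# because the directive has to be the first field of the line.
ovpn_missing() {
    conf="$1"
    printf '%s\n' "$REQUIRED_DIRECTIVES" | while read -r name want; do
        have=$(awk -v n="$name" '$1 == n { print $2; found = 1; exit }
                                 END { if (!found) exit 1 }' "$conf") || {
            echo "missing: $name"; continue; }
        if [ "$want" != "-" ] && [ "$have" != "$want" ]; then
            echo "mismatch: $name is '$have', expected '$want'"
        fi
    done
}

# Number of problems found (0 means nothing needs to go into Additional Config).
ovpn_problem_count() {
    ovpn_missing "$1" | awk 'END { print NR }'
}

# Constructed sample of a generated client config on a build that emits
# neither remote-cert-tls, nor tls-auth, nor mtu-disc.
SAMPLE_CONF='# constructed sample, not a real /tmp/openvpncl/openvpn.conf
client
dev tun1
proto udp4
remote 203.0.113.10 1194
resolv-retry infinite
nobind
auth-user-pass
auth SHA512
cipher AES-256-CBC
data-ciphers AES-256-CBC:AES-128-GCM:AES-256-GCM
persist-key
persist-tun
tun-mtu 1400
verb 4'

# Demonstration on the sample. On a router run:
#   ovpn_missing /tmp/openvpncl/openvpn.conf
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_CONF" > "$tmp"
ovpn_missing "$tmp"
rm -f "$tmp"
```

Each "missing:" line is a candidate for Additional Config on that build; a "mismatch:" line means the GUI setting did not take effect (or the build uses a different default) and should be fixed in the GUI rather than overridden. Re-run it after every firmware upgrade, since the generated file is what changes between builds.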
Yes that is indeed problematic, you cannot use the latest and greatest build without losing stability it seems.
And indeed not all things are available for you (like udp4); you can try adding in the additional config:
proto udp4, but you need some extra work indeed.
Correct! Well I think we have pulled this guide through the mud long enough. Time for me to leave well alone. Guide tested, and works.