User Tools

Site Tools


OpenVPN client


  • This how-to describes the method for setting up OpenVPN client on OpenWrt.
  • You can use it to connect to your own OpenVPN server or a commercial OpenVPN provider.
  • Follow OpenVPN basic for server setup and OpenVPN extras for additional tuning.
  • If you wish to use LuCI to configure an OpenVPN client to connect to a VPN service provider, refer to OpenVPN client with LuCi web GUI
  • The performance of different SoCs can be found here OpenVPN Performance


  • Encrypt your internet connection to enforce security and privacy.
    • Prevent data leak and traffic spoofing on the client side.
  • Bypass regional restrictions using commercial providers.
    • Escape client side content filters and internet censorship.
  • Access your LAN services remotely without port forwarding.


1. Firewall

Consider VPN network as public and assign VPN interface to WAN zone to minimize firewall setup.

# Configure firewall
uci rename firewall.@zone[0]="lan"
uci rename firewall.@zone[1]="wan"
uci rename firewall.@forwarding[0]="lan_wan"
uci del_list firewall.wan.device="tun0"
uci add_list firewall.wan.device="tun0"
uci commit firewall
/etc/init.d/firewall restart

2. Basic client

Save your client profile. Install and configure VPN client. Drop VPN service privileges and ensure VPN interface name matches firewall configuration.

# Save VPN client profile
umask u=rw,g=,o=
cat << "EOF" > /etc/openvpn/client.conf
# Install packages
opkg update
opkg install openvpn-openssl
# Configure VPN client
sed -i -e "
\$a user nobody
\$a group nogroup
\$a dev $(uci get firewall.wan.device | sed -e "s/^.*\s//")
" /etc/openvpn/client.conf
/etc/init.d/openvpn restart

3. Commercial provider

If using a commercial VPN provider, set up credentials for username/password authentication and enforce gateway redirect.

# Save username/password credentials
umask u=rw,g=,o=
cat << "EOF" > /etc/openvpn/client.auth
# Configure VPN client
sed -i -e "
\$a auth-user-pass /etc/openvpn/client.auth
\$a redirect-gateway def1 ipv6
" /etc/openvpn/client.conf
/etc/init.d/openvpn restart


Establish the VPN connection. Verify your client traffic is routed via VPN gateway.


Check your client public IP addresses.

Make sure there is no DNS leak on the client side.

Delegate a public IPv6 prefix to VPN6 network to use IPv6 by default.


Collect and analyze the following information.

# Restart the services, then try to reconnect
/etc/init.d/log restart; /etc/init.d/openvpn restart; sleep 10
# Log and status
logread -e openvpn; netstat -l -n -p | grep -e openvpn
# Runtime configuration
pgrep -f -a openvpn
ip address show; ip route show; ip rule show; iptables-save
ip -6 address show; ip -6 route show; ip -6 rule show; ip6tables-save
# Persistent configuration
uci show network; uci show firewall; uci show openvpn
head -n -0 /etc/openvpn/*.conf
This website uses cookies. By using the website, you agree with storing cookies on your computer. Also you acknowledge that you have read and understand our Privacy Policy. If you do not agree leave the website.More information about cookies
docs/guide-user/services/vpn/openvpn/client.txt · Last modified: 2020/01/14 04:13 by bill888