User Tools

Site Tools


OpenVPN Client

VPN Client Purpose

  • An OpenVPN Client on Your Router Allows You to:
    • Encrypt your connection to the internet [WAN]

    • Circumvent firewall & content filters not blocking the VPN itself:
      Bypass China's Great Firewall [GFW] for internet access

    • Spoof location-based services:
      Access region-restricted content on sites like Netflix

  • Prevents your Internet Service Provider (ISP) from:
    • Snooping through your traffic and DNS requests
    • Meddling with your DNS requests and/or traffic

File & Folder Locations

  1. Config Locations:
    • Firewall: /etc/config/firewall
    • Network: /etc/config/network
    • OpenVPN: /etc/config/openvpn

  2. Folder Locations:
    • OpenVPN: /etc/openvpn/

VPN Client Usage

  • Obtain credentials from a corresponding OpenVPN Server:
    • Private host (router/VPS) running an OpenVPN server
    • Commercial third party OpenVPN provider

  • Once Router's Configured as a Client:
    • Route certain traffic from a specific interface
    • Route all WAN traffic over the VPN

Install Packages

Opkg Wiki



Network Wiki

  • Create Network Interface:
    uci set network.vpnclient="interface"
    uci set network.vpnclient.ifname="tun0"
    uci set network.vpnclient.proto="none"
    uci commit network && service network restart


Firewall Wiki

  • Configure Default Rules & Forwarding:
    uci add firewall zone
    uci set firewall.@zone[-1].name="vpnclient"
    uci add_list firewall.@zone[-1].network="vpnclient"
    uci set firewall.@zone[-1].input="REJECT"
    uci set firewall.@zone[-1].output="ACCEPT"
    uci set firewall.@zone[-1].forward="REJECT"
    uci set firewall.@zone[-1].masq="1"
    uci set firewall.@zone[-1].mtu_fix="1"
    uci add firewall forwarding
    uci set firewall.@forwarding[-1].src="lan"
    uci set firewall.@forwarding[-1].dest="vpnclient"
    uci commit firewall && service firewall restart


OpenVPN HowTo OpenVPN Man Page

  1. Configure basic Client:
    uci set openvpn.vpnclient="openvpn"
    uci set openvpn.vpnclient.enabled="1"
    uci set openvpn.vpnclient.config="/etc/openvpn/vpnclient.ovpn"
    uci commit openvpn && service openvpn restart
  2. Additional configuration for commercial third party OpenVPN provider:
    wget --no-check-certificate -O /etc/openvpn/vpnclient.ovpn ""
    sed -r -i "
    s:^(auth-user-pass).*:\1 /etc/openvpn/vpnclient.auth\nauth-nocache:
    s:^(redirect-gateway).*:\1 def1:
    " /etc/openvpn/vpnclient.ovpn
    cat << "EOF" > /etc/openvpn/vpnclient.auth && chmod 600 /etc/openvpn/vpnclient.auth
    service openvpn restart


Managing Services

  1. Ensure OpenVPN Client service is running
    ps | grep [o]penvpn; echo && logread -e openvpn
  2. Validate Your External IP-address has Changed
    1. If It Has Not:
      1. Verify config options are correct
      2. Create a thread in the OpenWrt | OpenVPN forum, providing the information requested in Troubleshooting


  1. Verify OpenVPN successfully started:
    ps | grep [o]penvpn; echo && logread -e openvpn
  2. Change protocol to tcp and increase log verbosity:
    1. Client:
      uci set openvpn.vpnclient.verb='7'
      uci set openvpn.vpnclient.proto='tcp'
      uci commit openvpn && service openvpn restart
      ps | grep [o]penvpn; echo && logread -e openvpn
  3. If asking for help in a forum, please perform the above and include the following in your initial post:
    uci show firewall; echo && uci show network; echo && uci show openvpn; echo && logread -e openvpn


docs/guide-user/services/vpn/openvpn/client.txt · Last modified: 2018/12/29 02:10 by tmomas