OpenVPN client with LuCI web GUI


  • This guide describes how to install and operate the OpenVPN client using the LuCI OpenWrt web interface.
  • You can use it to connect to your own OpenVPN server or a commercial OpenVPN provider.
  • Follow OpenVPN basic for server setup and OpenVPN extras for additional tuning.
  • The performance of different SoCs can be found in OpenVPN Performance.


  • Encrypt your internet connection to enforce security and privacy.
    • Prevent data leaks and traffic spoofing on the client side.
  • Bypass regional restrictions using commercial providers.
    • Escape client side content filters and internet censorship.
  • Access your LAN services remotely without port forwarding.


1. Install needed packages

Install openvpn-openssl and luci-app-openvpn.

A new page should appear in the LuCI web interface.
Click on the VPN button in the bar and then on OpenVPN to open the OpenVPN config management page (provided by the luci-app-openvpn package you just installed).

2.a Write the configuration manually to create a config file

Create a new config using the “Template-based configuration” line: choose the template, enter a name and click the Add button.

It will then appear in the table, and you can click its Edit button to open the edit page for this configuration.

2.b Upload an OpenVPN config file

This is available from OpenWrt 19.07 onwards (19.07-snapshots are currently available).

All self-respecting commercial OpenVPN providers will offer self-sufficient OpenVPN config files you can load in your consumer router or network appliance to connect to their service.
You can use them in OpenWrt too.

Use the “OVPN configuration file upload” line to give a name and upload one of these config files.
It will appear in the table of available OpenVPN configurations.

If your provider requires a username and a password, click on the Edit button and, in the edit page, write your username and password in the second text box, as shown in this example.

3. Start and enable the client

Start the client by pressing the Start button in the table of available configurations. OpenVPN startup and shutdown are slow; each can take up to 10 seconds to complete.

If you want this VPN client connection to be started on boot and always active, tick the Enable checkbox on its line in the table.

4. Firewall

The firewall settings panel used in this guide is not available in OpenWrt 18.06 and 19.07. It relies on this commit in the LuCI repository.

If you don't have that panel, you will have to connect with ssh and do the first step of the OpenVPN CLI tutorial, or review the alternative guide linked at the bottom of this page which includes instructions for the 'old' firewall method.

At this point the VPN is set up and the router can use it, but devices in the LAN of your router won't be able to access the internet anymore.

We need to set the VPN network interface as public by assigning the VPN interface to the WAN zone.

Click on Network in the top bar and then on Firewall to open the firewall configuration page.

Click on the Edit button of the wan (red) zone in the Zones list at the bottom of the page.

Click on the Advanced Settings tab and select the tunX interface (tun0 in the screenshot, which is the most likely name if you have a single OpenVPN client/server running).

You can see the interface name if you click on Status in the top bar and then click on System Log.

A few lines from the system log showing the interface name of the OpenVPN client started with the configuration file “NLMiramUDP443E3”:

 Fri Aug 30 11:28:32 2019 daemon.notice openvpn(NLMiramUDP443E3)[7993]: TUN/TAP device tun0 opened
 Fri Aug 30 11:28:32 2019 daemon.notice openvpn(NLMiramUDP443E3)[7993]: TUN/TAP TX queue length set to 100
 Fri Aug 30 11:28:32 2019 daemon.notice openvpn(NLMiramUDP443E3)[7993]: /sbin/ifconfig tun0 netmask mtu 1500 broadcast
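
The check described in this step, as an added example that is not part of the original guide: it pulls the tunX name of each OpenVPN instance out of the system log and reports whether that device is covered by the wan zone. The function names, the second instance "office", the sample firewall output, and the assumption that the zone's covered devices are stored in its `device` option are illustrative.

```shell
# Added example; on a router:  logread -e openvpn | check_vpn_zone "$(uci show firewall)"

# stdin: syslog lines -> "<instance> <device>" for each "TUN/TAP device ... opened"
tun_devices() {
    sed -n 's|.*openvpn(\([^)]*\))\[[0-9]*]: TUN/TAP device \([^ ]*\) opened.*|\1 \2|p'
}

# stdin: `uci show firewall` output; $1 = zone name, $2 = device; exit 0 if covered
zone_has_device() {
    awk -v zone="$1" -v dev="$2" -v q="'" '
        /^firewall\.@zone\[[0-9]+\]\.(name|device)=/ {
            eq = index($0, "=")
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(q, "", val)                       # strip uci quoting
            sec = key; sub(/\.[a-z]+$/, "", sec)   # section id, e.g. firewall.@zone[1]
            if (key ~ /\.name$/)   name[sec] = val
            if (key ~ /\.device$/) devs[sec] = val
        }
        END {
            for (s in name) if (name[s] == zone) {
                n = split(devs[s], d, " ")         # a list option holds several devices
                for (i = 1; i <= n; i++) if (d[i] == dev) exit 0
            }
            exit 1
        }'
}

# stdin: syslog lines; $1 = text of `uci show firewall`; one status line per instance
check_vpn_zone() {
    tun_devices | sort -u | while read -r inst dev; do
        state=NOT-in-wan-zone
        printf '%s\n' "$1" | zone_has_device wan "$dev" && state=in-wan-zone
        echo "$inst $dev $state"
    done
}

# Constructed sample data (first two log lines follow the excerpt above)
sample_log() { cat <<'EOF'
Fri Aug 30 11:28:32 2019 daemon.notice openvpn(NLMiramUDP443E3)[7993]: TUN/TAP device tun0 opened
Fri Aug 30 11:28:32 2019 daemon.notice openvpn(NLMiramUDP443E3)[7993]: TUN/TAP TX queue length set to 100
Fri Aug 30 11:29:05 2019 daemon.notice openvpn(office)[8120]: TUN/TAP device tun1 opened
EOF
}
sample_fw() { cat <<'EOF'
firewall.@zone[0].name='lan'
firewall.@zone[1].name='wan'
firewall.@zone[1].device='tun0' 'tun2'
EOF
}
```

A tunnel reported as NOT-in-wan-zone is up on the router but not covered by the wan zone, so LAN clients are not forwarded through it.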

5. Test that all is working

Establish the VPN connection. Verify that your client traffic is routed via the VPN gateway.


Check your client public IP addresses.

Make sure there is no DNS leak on the client side.

Delegate a public IPv6 prefix to the VPN6 network to use IPv6 by default.


Open an SSH remote terminal connection to the router.

Collect and analyze the following information.

# Restart the services, then try to reconnect
/etc/init.d/log restart; /etc/init.d/openvpn restart; sleep 10
# Log and status
logread -e openvpn; netstat -l -n -p | grep -e openvpn
# Runtime configuration
pgrep -f -a openvpn
ip address show; ip route show; ip rule show; iptables-save
ip -6 address show; ip -6 route show; ip -6 rule show; ip6tables-save
# Persistent configuration
uci show network; uci show firewall; uci show openvpn
head -n -0 /etc/openvpn/*.conf

Alternative guide for OpenVPN client with LuCI

The link below is to a tutorial which was written with the BT Home Hub 5A and Windows users in mind, but is sufficiently generic to apply to most other OpenWrt routers with a working internet connection. It has been tested with Linksys EA6350v3, TP-Link Archer C50 v4 etc.

v1.1 guide supports LEDE 17 and OpenWrt 18. v1.2 guide is for OpenWrt 19.07 snapshot with new ovpn file upload function.

Link to

docs/guide-user/services/vpn/openvpn/client-luci.txt · Last modified: 2020/01/14 04:12 by bill888