OpenVPN client with TUN (Layer 3) device

:!: A lot of the instructions for OpenVPN are terrible. I have added this one to clear up a few things. The main issue I want to address is DNS leak resolution. This howto uses LuCI, at a minimum for starting the connection. It was tested using OpenWrt Designated Driver 50097 in a virtual machine. The configuration was done using Private Internet Access VPN.



  • luci
  • luci-app-openvpn
  • openssl-util
  • openvpn-openssl


:!: These scripts are only required to stop DNS leaking. This information was taken from You will need to be able to log in to the router using SSH and create these files.

Create ovpn-up script

cat<<'EOF' > /usr/bin/ovpn-up
#!/bin/sh
mv /tmp/ /tmp/
echo $foreign_option_1 | sed -e 's/dhcp-option DOMAIN/domain/g' -e 's/dhcp-option DNS/nameserver/g' > /tmp/
echo $foreign_option_2 | sed -e 's/dhcp-option DOMAIN/domain/g' -e 's/dhcp-option DNS/nameserver/g' >> /tmp/
echo $foreign_option_3 | sed -e 's/dhcp-option DOMAIN/domain/g' -e 's/dhcp-option DNS/nameserver/g' >> /tmp/
EOF

Create ovpn-down script

cat<<'EOF' > /usr/bin/ovpn-down
#!/bin/sh
mv /tmp/ /tmp/
EOF

Make the scripts executable

chmod 0100 /usr/bin/ovpn-up
chmod 0100 /usr/bin/ovpn-down
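
The echo lines in ovpn-up cover only foreign_option_1 to foreign_option_3 and write whatever the server pushed. The following is an added example, not part of the original page: it walks every foreign_option_N, keeps only well-formed DNS and DOMAIN values, and prints the resolv.conf lines to stdout so they can be redirected to the file the up script writes. The function names and sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page: turn the foreign_option_N
# variables OpenVPN exports to the up script into resolv.conf lines.

# Accept only dotted-quad IPv4 (assumption: the provider pushes IPv4 DNS).
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    # Split into octets; the input is digits and dots only at this point.
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Accept only hostname characters, so a pushed value cannot add extra lines.
is_domain() {
    case "$1" in
        ''|*[!A-Za-z0-9.-]*|.*|-*|*..*) return 1 ;;
    esac
}

# Walk foreign_option_1, _2, ... up to the first unset one and print a
# resolv.conf line for each valid DNS or DOMAIN option; skip everything else.
foreign_options_to_resolv() {
    i=1
    while :; do
        eval "opt=\${foreign_option_$i-}"
        [ -n "$opt" ] || break
        case "$opt" in
            "dhcp-option DNS "*) val=${opt#"dhcp-option DNS "}
                if is_ipv4 "$val"; then printf 'nameserver %s\n' "$val"; fi ;;
            "dhcp-option DOMAIN "*) val=${opt#"dhcp-option DOMAIN "}
                if is_domain "$val"; then printf 'domain %s\n' "$val"; fi ;;
        esac
        i=$((i + 1))
    done
    return 0
}

# Constructed sample values in the form OpenVPN passes pushed options.
demo() (
    foreign_option_1='dhcp-option DNS 10.0.0.1'
    foreign_option_2='dhcp-option DNS 10.0.0.999'
    foreign_option_3='dhcp-option DOMAIN vpn.example'
    foreign_options_to_resolv
)
demo
```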


You will need the .pem and .crt files supplied by your VPN provider. I placed mine under the /etc/openvpn directory. The way I do this is to download the certificates on my computer and then do the following.

cat<<'EOF' > /etc/openvpn/ovpn.crt

Open the .crt file in a text editor on your computer, copy its contents and paste them into the SSH session, followed by:

EOF

You will need to do the same for the .pem file.

cat<<'EOF' > /etc/openvpn/ovpn.pem

Paste in the contents of the .pem file, followed by:

EOF


You need to create a text file with your VPN connection's username and password. The easiest way to do this is as follows.

cat<<'EOF' > /etc/openvpn/userpass.txt

You will then enter your username, press enter, type your password, press enter, type EOF, press enter. This will create a file with your username on the first line and your password on the second. The file stores the credentials in plain text, so it should be readable by root only.

OpenVPN Configuration

Since there are a lot of problems with the OpenVPN LuCI app, it will probably be easier to modify your /etc/config/openvpn configuration file to be something similar to the one below.

config openvpn 'Private_Internet_Access'
        option float '1'
        option client '1'
        option remote_random '0'
        option proto 'udp'
        option dev 'tun0'
        option comp_lzo 'yes'
        option auth 'sha256'
        option cipher 'aes-256-cbc'
        option auth_user_pass '/etc/openvpn/userpass.txt'
        option resolv_retry 'infinite'
        option remote ' 1197'
        option crl_verify '/etc/openvpn/ovpn.pem'
        option nobind '1'
        option persist_tun '1'
        option persist_key '1'
        option tls_client '1'
        option remote_cert_tls 'server'
        option reneg_sec '0'
        option up '/usr/bin/ovpn-up'
        option down '/usr/bin/ovpn-down'
        option script_security '2'
        option down_pre '1'
        option up_restart '1'
        option up_delay '5'
        option log '/var/log/openvpn.log'
        option ca '/etc/openvpn/ovpn.crt'
        option enabled '1'

playground/vpn.client.openvpn.tun.txt · Last modified: 2017/06/11 02:08 by simplexion