Note 2016/12/07: Since this article was written PIA have updated their config. While I have not personally tested this out, some commentators have reported success by doing 2 additional steps:

  • With the new CA file, you now need to specify the port under VPN settings (1198).
  • Specify encryption (AES-128-CBC) and authentication (SHA1).

Configuring OpenVPN to work on OpenWRT is relatively easy and straightforward, just not very well documented. This is an in-depth, step-by-step guide to configure OpenVPN (VPN provider Private Internet Access – commonly called PIA) on an OpenWRT router.


  • You already have OpenWRT installed on your router
  • You know how to connect to your router via SSH and Web panel
  • Router is connecting to another device (Modem, other router, direct to ISP) that is supplying internet access

Let’s begin…

This tutorial will cover:

  • Installing and configuring OpenVPN
  • Configuring a network interface
  • Setting up some firewall rules & DNS Leak protection
  • Verify everything works


  1. First step, open an SSH connection to your router and log in as root. You should see something like Figure 1 below.

    Figure 1 – SSH Login


  2. Next we have to update packages and install some required libraries, enter the following commands in the terminal:
  3. Next, download the OpenVPN config files from PIA – somewhere to your local machine. Extract all the files from the zip file. You are only interested in 2 files (ca.crt and crl.pem, we will get back to them later). You can safely delete the *.ovpn files.
  4. Now open your browser and go to your router web panel, by default this should be:
  5. Once logged in you should notice a new menu item called Services, go to it and click the OpenVPN option, see Figure 2 below.

    Figure 2 – OpenVPN menu


  6. Time to add our new configuration. At the bottom, in the text field, enter a new name “pia_client”, select “Simple client configuration for a routed point-to-point VPN” and click the Add button (Figure 3).

    Figure 3 – Create config


  7. You will immediately be taken to the config page, click the link “Switch to advanced configuration”

    Figure 4 – Advanced Menu


  8. All settings on the Service page should be fine. Click the “Networking” link at the top.
  9. See Figure 5 below for how the settings should look. A few notes:
    • If there is a line missing, use the “Additional Field” drop down at the bottom, select the missing field and press the Add button
    • Ensure that “dev” is set to “tun” and not “tap”
    • If there is a field called “ifconfig” with an IP address, remove the address (i.e. make the field blank)

    Figure 5 – Networking configuration


  10. Click the blue Save button at the bottom.
  11. Now click on the “VPN” link to change to the VPN tab. As in Networking, some fields will be missing; use the “Additional Field” drop down at the bottom again to add them. A few notes:
    • “auth_user_pass” field value should be “/etc/openvpn/userpass.txt” (it doesn’t exist yet, but we will get back to it in a few minutes)
    • The “remote” field should be the hostname of whichever exit node you want to use – see PIA Networking page for a complete list.

      Figure 6 – VPN configuration


  12. Now click on the “Cryptography” link. As before, use the “Additional Field” drop down at the bottom to add missing fields.
    • IMPORTANT: for the “ca” field, you will need to browse to the location of the ca.crt file you downloaded in step 3.
    • The “crl_verify” path should be set to “/etc/openvpn/crl.pem”

      Figure 7 – Cryptography configuration


  13. We have the VPN configuration done now, but we still need to configure the interface as well as the Firewall.
  14. From the Menu at the top select Networking -> Interfaces.
  15. Click the “Add new interface…” button.
    • Name: “PIA_VPN” (IMPORTANT: Name must be exactly this)
    • Protocol of the new interface: Unmanaged
    • Cover the following interface: Custom Interface: tun0

      Figure 8 – Create Interface


  16. Enter in the details and click the Save button.
  17. For the final few steps, we will switch back to SSH.
  18. Next we have to create a file that will store your PIA username and password. It is just a simple text file, with your username on the first line and your password on the second line. Then we will chmod it to set correct permissions.

    Figure 9 – Create username and password file

  19. Now we have to add the crl.pem file from step 3: just open it in a text editor like Notepad and copy the contents

    Figure 10 – Create CRL file


  20. Now we need to set up some firewall rules to forward the VPN traffic
  21. Almost done!
  22. In order to protect against DNS Leaks, we need to update the DHCP server to supply the PIA DNS servers instead of your ISP’s DNS.
  23. From the main menu, go to: Network -> Interfaces -> LAN -> DHCP Server (below the “Common Configuration” section) -> Advanced Settings. In the “DHCP-Options” field enter the value: “6,,”.
  24. Click “Save & Apply”

    Figure 11 – Interfaces – > LAN


    Figure 12 – DNS settings


  25. All done! Now we can start the VPN connection.
  26. Go to: Services -> OpenVPN, check the Enabled checkbox beside our “pia_client”, then press the Start button. Your VPN should now start up.

    Fig 13 – VPN Started


Verify it works…

  • To verify your traffic is going over VPN you can use the PIA What is My IP tool

    Figure 14 – Success! VPN working

  • If it isn’t working then you may have missed a step. Try going to Status -> System Log in the main menu, it may contain useful information.
  • To verify your DNS is not leaking use something like DNS Leak site (you may have to release & renew your DHCP IP before this will work)
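
A quick audit of the finished setup, as an added shell example that is not part of the original guide: it checks the generated client config and the credentials file for the mistakes called out in the steps above and in the comments below (tap instead of tun, a leftover ifconfig, a stray secret line, a missing crl-verify, loose file permissions). Assumptions: the generated config uses the hyphenated OpenVPN directive names, the credentials file should be readable by its owner only (the guide does not state the mode), and the sample host and credentials are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original guide: audit config and credentials.

# Print the arguments of the first line in file $1 whose directive is $2.
conf_value() {
    awk -v k="$2" '$1 == k { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# Succeed only if $1 exists and group/other have no permission bits on it.
owner_only() {
    [ -f "$1" ] && [ "$(ls -ln "$1" | cut -c5-10)" = "------" ]
}

# audit_vpn CONF CREDS: print findings, count them in FINDINGS, fail if any.
audit_vpn() {
    conf=$1 creds=$2 FINDINGS=0
    note() { echo "FAIL: $*"; FINDINGS=$((FINDINGS + 1)); }
    [ -r "$conf" ] || { note "cannot read $conf"; return 1; }
    [ "$(conf_value "$conf" dev)" = tun ] || note "dev must be tun, not tap"
    [ -n "$(conf_value "$conf" remote)" ] || note "no remote exit node"
    [ -n "$(conf_value "$conf" ca)" ] || note "no ca file"
    [ -n "$(conf_value "$conf" crl-verify)" ] || note "crl-verify not set"
    [ -z "$(conf_value "$conf" ifconfig)" ] || note "ifconfig should be blank"
    [ "$(conf_value "$conf" auth-user-pass)" = "$creds" ] ||
        note "auth-user-pass does not point at $creds"
    # Static-key 'secret' conflicts with TLS client mode (error in the comments).
    [ -z "$(conf_value "$conf" secret)" ] || note "stray 'secret' line"
    owner_only "$creds" || note "$creds missing or readable by group/other"
    [ "$FINDINGS" -eq 0 ]
}

# Constructed sample in directory $1: a config with the stray 'secret' line
# and a world-readable credentials file. Host and credentials are placeholders.
write_sample() {
    printf '%s\n' 'client' 'dev tun' 'remote vpn.example.invalid 1198' \
        'ca /etc/openvpn/ca.crt' 'crl-verify /etc/openvpn/crl.pem' \
        "auth-user-pass $1/userpass.txt" 'secret shared-secret.key' \
        > "$1/client.conf"
    printf '%s\n' 'placeholder-user' 'placeholder-pass' > "$1/userpass.txt"
    chmod 644 "$1/userpass.txt"
}

# Router use: sh audit.sh /var/etc/openvpn-pia_client.conf /etc/openvpn/userpass.txt
# No arguments: audit the constructed sample instead.
if [ "$#" -eq 2 ]; then audit_vpn "$1" "$2"; else
    d=$(mktemp -d) && write_sample "$d"
    audit_vpn "$d/client.conf" "$d/userpass.txt" || true
    rm -rf "$d"
fi
```

Run against the constructed sample it reports two findings: the stray secret line and the world-readable credentials file.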

Congratulations, your VPN tunnel is now set up!

35 Comments » for Setup OpenVPN using OpenWRT
  1. Mad Squid says:

    I’m trying to follow this tutorial, but my VPN provider uses key to authenticate.

  2. Merritt says:

    The OpenWrt config can be daunting, but this tutorial was SUPER helpful. Kudos, and thank you very much!

  3. Juan Carbonell says:

    I’m so happy, it works !!!. Thanks so much. I just have a problem, I did this:
    From the main menu, go to: Network -> Interfaces -> LAN -> DHCP Server (below the “Common Configuration” section) -> Advanced Settings. In the “DHCP-Options” field enter the value: “6,,”.
    but still have dns leak when I check into this page

    • Robert says:

      For me, I had to release and renew my IP from the DHCP server for this change to take effect. You’ll probably want to flush the DNS as well.

  4. Juan Carbonell says:

    Maybe I’ve found the fix for the problem I mentioned before, I’ve checked Force DHCP on this network even if another server is detected. second option of advanced settings. Now all is ok, no dns leak.

    • Robert says:

      Great, I’m glad that you found the tutorial useful and have been able to figure out your issue.

      Just as an alternative for future readers, when I had a similar issue, releasing and renewing the IP on the client fixed a similar issue

  5. stuffie says:

    Everything is setup and works, but now i can’t access my router anymore from outside. All ports are closed. Is there a solution for this problem?

    • Robert says:

      Contact PIA about this, there could be multiple reasons for this. Your firewall rules might not allow it, the services might be bound/restricted to the internal IP rather than the external IP, etc…

  6. Lee says:

    Excellent guide! Thank you so much for sharing. I am getting better performance using openWRT with PIA vs. using the PIA-Tunnel VM appliance. Cheers!

  7. Lars says:

    Thank you very much for this description.
    I did exactly as described, and it worked. It is great to have a nice concise description that covers all you need.

    I did one thing different, and the OpenWRT router is set up as an Access Point. Usually, you will not allow an Access Point to do the DHCP, but that is necessary in this case. I limited the IP addresses that the OpenWRT router could hand out to above 192 and the router connected to the WAN to below 192.

  8. François says:


    May I ask you which router you are using? Is there any minimum requirement from your experience?


    • Robert says:

      I was using a cheap Asus router (RTAC55U I think). Just beware that the hardware (CPU and RAM) on these cheap routers is very limited and will affect your performance. The maximum transfer speed with the router was about 1.1 – 1.2 Mbits/sec. So if speed is needed (not in my case) invest in a quality router, something > €200.

  9. Matt says:

    Excellent guide. I have an existing PIA VPN setup using an older guide. Do you notice any issues with having to reboot or manually restart the VPN client every few days with your setup?

    • Robert says:

      I did occasionally have to restart the service; this usually happened when there wasn’t any traffic on the connection for a while (gone on holidays, etc…)

  10. Ricky Hotton says:

    It doesn’t work anymore since PIA changed their CA certificate and port (either 1197 or 1198).

  11. Ricky Vippi says:

    With the new CA file, you now need to specify the port under VPN settings (1198).
    I also had to specify encryption (AES-128-CBC) and authentication (SHA1).

    Hope this helps!

  12. Chad Musak says:

    Any possibility of an updated guide being released?

    • Robert says:

      My router died from a power spike, so if someone wants to buy me a new router I’ll update this guide, otherwise it will have to stay as is.

  13. Josh says:

    Excellent tutorial!

  14. asd says:

    DO NOT specify encryption under OpenWRT 15.05.1 only:
    port 1198 and auth SHA1

  15. dreo says:

    “With the new CA file, you now need to specify the port under VPN settings (1198).
    Specify encryption (AES-128-CBC) and authentication (SHA1).”

    As of 4/1/17 everything is still working with this config and PIA. You DO need to add all of the above quoted settings in addition to the original guide.

    Port is under advanced > networking then add additional field named port
    Encryption and authentication are both under advanced > cryptography then add fields. Encryption = cipher and authentication = auth.

  16. Excellent Setup Guide. Saved me hours of worry.
    I had to add VPN port setting (1198) and specify encryption (AES-128-CBC) and authentication (SHA1) as specified by dreo on April 2 2017.
    A whole heap of kudos to you both.

  17. P1ro says:

    Hi, good tutorial, but trying to start it I’ll get this error on syslog “Options error: specify only one of --tls-server, --tls-client, or --secret”
    I think I have done every step, I did recheck for it, but still no luck

  18. Adam says:

    Thank you so much for this information. I’ve followed all steps exactly and am unable to start the pia_client service. I do see this line repeated in the server log:

    Mon Nov 13 06:23:57 2017 daemon.err openvpn(pia_client)[6556]: Options error: specify only one of --tls-server, --tls-client, or --secret

  19. Adam says:

    Found a bug where a line containing “secret shared-secret.key” is being written to /var/etc/openvpn-pia_client.conf. Removing that line and then starting the openvpn service brought up tun0.

    FYI: I’m using the latest version of LEDE from

    • Adam Garibay says:

      Putting this in my scheduled tasks seems to allow me to bring up tun.

      */1 * * * * sed -i '/secret/d' /tmp/etc/openvpn-pia_client.conf
