Virtual Wireless Access Point with VPN on DD-WRT

I have received many requests for more in-depth information on the post I had on flashing DD-WRT and setting up a virtual AP whose traffic is automatically tunnelled via a VPN service such as OpenVPN. I have recently flashed an Asus RT-68U router and have recorded the exact steps taken to do so (in the likely event I end up forgetting). If you have a different router make and model, the goal would be to research how to flash DD-WRT on it and then follow Step 2 in the later part of this post.

Step 1 – Flashing DDWRT on Asus RT-68U:

– Asus RT-68U on stock “Merlin” firmware, proceed to clear NVRAM via telnet:
– Enable Telnet by going to Advanced Settings -> Administration -> System -> Enable Telnet
– telnet 192.168.1.1 (or whatever is your router’s IP)

Run commands:

mtd-erase2 nvram;
reboot;

– Flash asus_rt-ac68u-firmware_30709.trx (Brainslayer build)
– Reboot the router
– Navigate to Administration -> Commands tab and run:

erase nvram; reboot;

– Flash dd-wrt.v24-K3_AC_ARM_STD.bin (Kong build) via Administration -> Firmware Upgrade Tab (set to factory)
– Reboot the router

Step 2 – Setting up Virtual Wireless AP with VPN Tunneling on DD-WRT:

On page: Setup -> Basic tab:
– (Optional) Rename router to whatever you want
– Set local IP of router 192.168.1.x (or whatever class A IP address you defined)
– Subnet mask 255.255.255.0 (depends on your network)
– Gateway 192.168.1.1 (or whatever your bridged router’s IP is, if bridging to ISP’s router)
– Local DNS 8.8.8.8
– (Optional) Set start IP address from e.g. 190
– Enable DHCP server
– Set static DNS1 to 8.8.8.8 and static DNS2 to 8.8.4.4
– Enable “Use DNSMasq for DHCP”
– Enable DNSMasq for DNS
– Enable NTP server (e.g. asia.pool.ntp.org or whatever timezone you are in)

Navigate to Wireless -> Basic settings tab:
– Add a virtual AP (with AP name etc)
– Enable optimize multicast traffic option and bridged mode
– Save and reboot the router

Navigate to Setup -> Networking tab:
– Add bridges br0 and br1
– Reboot
– Assign br0 to eth1 interface prio 63
– Assign br1 to wl1.1 interface prio 63
– Save and reboot the router
– bridging table should show:

br0 no vlan1 eth1 eth2
br1 no wl1.1

Navigate to Setup -> Networking tab:
– Scroll down to the br1 interface
– Enable masquerade / NAT, make sure the other options are disabled
– Add a subnet ip address you want this bridge to have e.g. 10.13.37.1 with subnet mask 255.255.255.0
– Save and reboot the router

Navigate to Setup -> Networking tab:
– Scroll down to DHCPD
– Enable DHCP0 for br1, e.g. (ON, start 100, max 50, leasetime 3600)
– Save and reboot the router

Navigate to Services -> VPN tab:
– Scroll down to OpenVPN client and enable it
– Enter your OpenVPN server details (steps to setup OpenVPN server at bottom of post)
– Set tunnel device to TUN
– Set tunnel protocol to UDP
– Set encryption to Blowfish CBC
– Set hash algorithm to SHA1
– Enable user pass authentication if required and add the OpenVPN username and password
– Enable advanced options
– Set TLS ciphers to none
– Set LZO compression to yes
– Enable NAT
– Set firewall protection to disabled
– Leave IP address and subnet mask fields empty
– Set tunnel MTU setting to 1500
– Leave UDP fragment field empty
– Set UDP MSS-Fix to disabled
– Enable nsCertType verification
– Export your openvpn.ovpn profile from your OpenVPN server and open the .ovpn file in a text editor (see Step 3 near the end of this post)
– Put the TLS auth key portion in the TLS Auth Key field
– Fields: add config, policy based routing, pkcs12, static key, all set to blank
– Place your CA cert in the CA Cert field
– Place your public client cert in the Public Cert field
– Place your private client key in the Private Key field
– Save and reboot the router

Navigate to Administration -> Commands tab and add the following as a startup script:

Start up script:

sleep 220  # wait for NTP to sync the clock; OpenVPN's TLS handshake fails if the router time is wrong
# Pick the first tun interface (the OpenVPN client tunnel) and its point-to-point peer address
tun_name=$(ifconfig | sed -n 's/^\(tun[0-9]*\).*/\1/p' | head -n 1)
tun_addr=$(ifconfig "$tun_name" | sed -nr 's/.*P-t-P:([^ ]+) .*/\1/p')
# Send everything from the br1 subnet through the tunnel via a dedicated routing table
ip rule add from 10.13.37.0/24 table 200   # adjust to match your br1 subnet
ip route add default via "$tun_addr" dev "$tun_name" table 200
ip route flush cache

– Reboot and make sure NTP updates the router time; if it does not, the TLS negotiation with the OpenVPN server will fail. A workaround is to reboot the router so NTP attempts an update again.
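The startup script above silently falls back to the plain WAN if the tunnel is not up when it runs: with the `from 10.13.37.0/24` rule in place but no default route in table 200, lookups fall through to the main table and br1 traffic leaves unencrypted. The following is an added example (not from the original post) that splits the script into testable pieces: a parser for BusyBox `ifconfig` output that finds the tun interface and its P-t-P peer, a generator for the `ip` commands, and an installer that refuses to add the rule when no tunnel exists. The `ifconfig` sample is constructed for the test; table 200 and the 10.13.37.0/24 subnet are the values used above.

```shell
#!/bin/sh
# Constructed sample of BusyBox ifconfig output (not captured from a real router).
SAMPLE_IFCONFIG='br0       Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

br1       Link encap:Ethernet  HWaddr 00:11:22:33:44:56
          inet addr:10.13.37.1  Bcast:10.13.37.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

tun1      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.6  P-t-P:10.8.0.5  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
'
BR1_SUBNET=10.13.37.0/24   # subnet assigned to br1 in Setup -> Networking
VPN_TABLE=200              # policy routing table used for the tunnel

# Print the name of the first tun interface in ifconfig output read from stdin.
# Returns 1 (prints nothing) when no tunnel interface exists yet.
find_tun() {
    name=$(sed -n 's/^\(tun[0-9][0-9]*\) .*/\1/p' | head -n 1)
    [ -n "$name" ] || return 1
    printf '%s\n' "$name"
}

# Print the P-t-P (remote) address of interface $1, parsing ifconfig output on stdin.
# Only the block belonging to $1 is inspected, so other interfaces cannot match.
tun_peer() {
    awk -v ifc="$1" '
        $1 == ifc { found = 1; next }
        found && /P-t-P:/ { sub(/.*P-t-P:/, ""); sub(/ .*/, ""); print; exit }
        /^[^ ]/ { found = 0 }
    '
}

# Print the ip(8) commands that route $1 (subnet) via $3 (peer) on $2 (interface).
# Emitted as text so the result can be inspected (dry run) or piped to sh.
route_cmds() {
    subnet=$1; ifc=$2; peer=$3
    printf 'ip rule add from %s table %s\n' "$subnet" "$VPN_TABLE"
    printf 'ip route add default via %s dev %s table %s\n' "$peer" "$ifc" "$VPN_TABLE"
    printf 'ip route flush cache\n'
}

# Entry point for the router startup script. Installs nothing when no tun interface
# is up, because a rule pointing at an empty table would leak br1 traffic to the WAN.
install_policy_routing() {
    ifc_out=$(ifconfig) || return 1
    tun=$(printf '%s\n' "$ifc_out" | find_tun) || {
        echo "no tun interface up; leaving br1 routing untouched" >&2
        return 1
    }
    peer=$(printf '%s\n' "$ifc_out" | tun_peer "$tun")
    [ -n "$peer" ] || { echo "could not read P-t-P address of $tun" >&2; return 1; }
    route_cmds "$BR1_SUBNET" "$tun" "$peer" | sh
}

# Dry run against the constructed sample: show the commands without executing them.
if [ "${1:-}" = "--dry-run" ]; then
    tun=$(printf '%s\n' "$SAMPLE_IFCONFIG" | find_tun) &&
        route_cmds "$BR1_SUBNET" "$tun" "$(printf '%s\n' "$SAMPLE_IFCONFIG" | tun_peer "$tun")"
fi
```

On the router, replace the `ip rule`/`ip route` lines of the startup script with a loop that calls `install_policy_routing` until it succeeds (with a short `sleep` between attempts) instead of a fixed `sleep 220`; until it succeeds, br1 clients simply have no route rather than an unencrypted one.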

Step 3 – Setting up OpenVPN Server on VPS (such as RamNode):

– wget http://swupdate.openvpn.org/as/openvpn-as-2.0.11-Ubuntu12.i386.deb
– dpkg -i openvpn-as-2.0.11-Ubuntu12.i386.deb
– passwd openvpn
– Log in to the web interface and export the .ovpn file to be used in the steps mentioned above

That’s it!
