VPN SETUP FOR OpenWRT Chaos Calmer 15.05.1


We are going to  setup OpenWRT Chaos Calmer 15.05.1 with OpenVPN in a simple LAN and WAN environment, where WAN is connected to the internet, and LAN will be the OpenVPN connection.

We are using our Netherlands VPN as an example.

Download Certificate and Keys

Download our zip file with configs and certificates:  blackvpn_linux.zip (MD5) (SHA1)

The zip file contains various .conf files (which should NOT be used for OpenWRT) as well as a folder called “ssl”. Within that folder, there are two files we need:

ca.crt (Certification Authority certificate) and ta.key (Transport Layer Security key)

Install OpenVPN

Open your routers webinterface.

Go to System -> Software, and open the Configuration tab.

Now we need to add the luci distribution feeds for our version of OpenWRT.

“src/gz luci http://downloads.openwrt.org/chaos_calmer/15.05.1/%version%/generic/packages/luci”

Where %version% is replaced with the version of OpenWRT you are running.

In our example we are running the ar71xx version, so we add the following string into the Distribution feeds field:

src/gz luci http://downloads.openwrt.org/chaos_calmer/15.05.1/ar71xx/generic/packages/luci

For someone using the broadcom brcm47xx version, it would instead be:

src/gz luci http://downloads.openwrt.org/chaos_calmer/15.05.1/brcm47xx/generic/packages/luci

and click Submit.

Go to the Actions tab

Click Update lists.

Wait until the update is completed.

Type openvpn-openssl in the Download and install package field and click OK.

Wait until the package is installed.

Type luci-app-openvpn in the Download and install package field and click OK.

Wait until the package is installed.

Install the English localization package for the luci-app-openvpn.

Type  luci-i18n-openvpn-en in the Download and install package field and click OK.

For other languages you can search for the localization, type luci-i18n-openvpn in the Filter field and press Find Package, to get a list of available localizations.

Now OpenVPN has been installed and will appear in the Services Menu.

Setup OpenVPN

Go to  Services -> OpenVPN

Type blackVPN in the configuration name field and select “Simple client configuration for a routed point-to-point VPN” Click Add.

You will be forwarded to  OpenVPN configuration page.

Click Switch to advanced configuration.

To add any missing OpenVPN parameters in the configuration screens, select the parameter in the dropdown menu at the bottom of the page, and then click Add.

Select Configuration category -> Service.

fast_io: check

Click Save

Select Configuration category -> Networking.

Select port in the dropdown menu and click Add.

Fill in details:

port: 443

comp_lzo: adaptive

persist_tun: check

persist_key: check

Click Save

Select Configuration category -> VPN.

Click the checkbox for client, some more options will be revealed.

select proto in the dropdown menu and click Add.

select auth_user_pass in the dropdown menu and click Add.

Fill in details:

auth_user_pass: we need to create the file /etc/openvpn/userpass.txt

SSH or Telnet to your OpenWRT, as a privileged user, and enter the following:

cat <<EOF >/etc/openvpn/userpass.txt

(where username and password are replaced with your blackVPN credentials)

pull: check
remote_random: check
proto: “udp” is recommended, “tcp” when having connection problems.”
remote: Choose your server from the list below.  (vpn.blackvpn.nl, for example)

Click Save

Select Configuration category -> Cryptography.

Select auth in the dropdown menu, and click Add.
Select cipher in the dropdown menu, and click Add.
Select ca in the dropdown menu, and click Add.
Select key_method in the dropdown menu, and click Add.
Select tls_auth in the dropdown menu, and click Add.
Select ns_cert_type in the dropdown menu, and click Add.

Fill in:

secret: blank
auth:  SHA512
cipher: AES-256-CBC
tls_client: checked
ca: click Choose File and choose the previously downloaded ssl/ca.crt file.
key_method: 2
ns_cert_type: server
tls_auth: We need to copy the downloaded file ssl/ta.key to /etc/openvpn/tlsauth.key

If we have SSH, we can copy the file to the router (where x.x.x.x is the IP of your OpenWRT) with :

scp ssl/ta.key root@x.x.x.x:/etc/openvpn/tlsauth.key

On Windows you can use pscp command to copy files from Windows to OpenWRT.
pscp is included with putty, but if you dont have it, you can download it from putty.org

Open cmd in the directory with pscp.exe file
Type command pscp source_file user@host:destination_file
For example:

pscp blackvpn_linux/ssl/ta.key root@
If there is only Telnet we can create the key with the following script.
cat <<EOF >/etc/openvpn/tlsauth.key

Open the downloaded ssl/ta.key in a text editor, and copy its contents to your clipboard, then paste it in the script replacing KEY so it looks something like:

cat <<EOF >/etc/openvpn/tlsauth.key
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----

Click Save & Apply.

Add Interface

Go to Network -> Interfaces, and click Add new interface…

Enter the following data:

Name of the new interface: BLACK

Protocol of the new interface: Unmanaged

Cover the following interface: Custom Interface: tun0

Click Submit.

Go to the Advanced Settings tab.

Bring up on boot: checked

Use built-in IPv6-management: unchecked

Click Save.

Go to the Firewall Settings tab.

In the Create / Assign firewall-zone – unspecified -or- create: field, type the zone name : BLACK_FW

Click Save & Apply.


Setup Firewall


Go to Network -> Firewall

click Edit to the right of BLACK_FW

In the General Settings tab, select the following settings:

Input: reject

Output: accept

Forward: reject

Masquerading: checked

MSS clamping: checked

Covered networks: checked BLACK

In the Inter-Zone Forwarding: Check Allow forward from source zones: lan.

Click Save & Apply

Protect against DNS Leaks.

We need to update the LAN  DHCP server to supply the blackVPN DNS server,, to prevent it from leaking the router DNS.

Go to Network -> Interfaces -> LAN DHCP Server -> Advanced Settings.

In the “DHCP-Options” (below the “Common Configuration” section) field enter the value: “6,”.

Click Save & Apply


Start OpenVPN

Go to Services -> OpenVPN.

Set the checkbox Enabled for blackVPN and click Save & Apply.

Click start to the right of blackVPN.

It should take about 30 seconds to setup a connection with the VPN server.

You should now see that it says started yes

To confirm that the connection is happening in OpenWRT, go to Status > System Log

The word you’re looking for are “Initialization Sequence Completed”, and the full log should look something like this:



If no site loads, open a terminal and ping a reliable site like If you get no response.

If Services -> OpenVPN shows that the blackVPN link is up, and you can ping Internet sites, it’s probably DNS resolution that is the problem.


Reset router

If you need to do a factory reset, SSH or Telnet to your OpenWRT, and as a privileged user type the following:

mtd -r erase rootfs_data
reboot -f