[Tutorial] How to setup a NordVPN OpenVPN client with dd-wrt

fastbond
DD-WRT Novice


Joined: 26 Nov 2016
Posts: 6

Posted: Sat Nov 26, 2016 23:03
Also, there are these .ovpn files in the nordvpn download section, how can I use them?
Kusanagi78
DD-WRT Novice


Joined: 21 Nov 2016
Posts: 2

Posted: Mon Nov 28, 2016 10:12
Hi fastbond,

In your log we can see an error with your certificate. Check it; it must include "-----begin certificate-----" and "-----end certificate-----", something like this for the CA certificate and TLS auth.

You can't use the openvpn files, because in DD-WRT it is not possible to import the files, but it's not a problem: in the menu Service/vpn, configure the openvpn client with all the information you have, like in the first message of this topic. You can verify that the parameters are written correctly with a telnet connection.

Code in cmd or terminal (Windows or macOS):
telnet <IP address of the router>
cd /tmp/openvpncl
ls              # list the files
cat user.conf   # read the text in the file; your username and password must be written here

And if all is correct reboot the router and it must connect the vpn correctly
Wink

I hope I'm clear because my English is not perfect ! Embarassed
fastbond
DD-WRT Novice


Joined: 26 Nov 2016
Posts: 6

Posted: Tue Dec 06, 2016 22:58
Hi Kusanagi78, thanks for your answer.
I did everything again, but still no luck.
It's weird because it says it's connected, but no Internet.
Here is the Status page:
Client: CONNECTED SUCCESS
Local Address: 10.7.7.178
Remote Address: 10.7.7.177

Status
VPN Client Stats
TUN/TAP read bytes 19959
TUN/TAP write bytes 15290
TCP/UDP read bytes 20746
TCP/UDP write bytes 31785
Auth read bytes 15306
pre-compress bytes 10476
post-compress bytes 8358
pre-decompress bytes 5571
post-decompress bytes 8220


And the clientlog:
Clientlog:
20161206 23:43:52 I OpenVPN 2.3.12 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Oct 25 2016
20161206 23:43:52 I library versions: OpenSSL 1.0.2j 26 Sep 2016 LZO 2.09
20161206 23:43:52 W WARNING: file '/tmp/openvpncl/credentials' is group or others accessible
20161206 23:43:52 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:16
20161206 23:43:52 W WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
20161206 23:43:52 W NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
20161206 23:43:52 W WARNING: file '/tmp/openvpncl/ta.key' is group or others accessible
20161206 23:43:52 I Control Channel Authentication: using '/tmp/openvpncl/ta.key' as a OpenVPN static key file
20161206 23:43:52 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
20161206 23:43:52 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
20161206 23:43:52 Socket Buffers: R=[87380->87380] S=[16384->16384]
20161206 23:43:52 I Attempting to establish TCP connection with [AF_INET]68.235.53.84:443 [nonblock]
20161206 23:43:53 I TCP connection established with [AF_INET]68.235.53.84:443
20161206 23:43:53 I TCPv4_CLIENT link local: [undef]
20161206 23:43:53 I TCPv4_CLIENT link remote: [AF_INET]68.235.53.84:443
20161206 23:43:53 TLS: Initial packet from [AF_INET]68.235.53.84:443 sid=a39877cf 2c698556
20161206 23:43:53 W WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
20161206 23:43:57 VERIFY OK: depth=1 C=PA ST=PA L=Panama O=NordVPN OU=NordVPN CN=us101.nordvpn.com name=NordVPN emailAddress=cert@nordvpn.com
20161206 23:43:57 VERIFY OK: depth=0 C=PA ST=PA L=Panama O=NordVPN OU=NordVPN CN=us101.nordvpn.com name=NordVPN emailAddress=cert@nordvpn.com
20161206 23:43:59 W WARNING: 'link-mtu' is used inconsistently local='link-mtu 1560' remote='link-mtu 1592'
20161206 23:43:59 W WARNING: 'tun-mtu' is used inconsistently local='tun-mtu 1500' remote='tun-mtu 1532'
20161206 23:43:59 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
20161206 23:43:59 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
20161206 23:43:59 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
20161206 23:43:59 NOTE: --mute triggered...
20161206 23:43:59 2 variation(s) on previous 3 message(s) suppressed by --mute
20161206 23:43:59 I [us101.nordvpn.com] Peer Connection Initiated with [AF_INET]68.235.53.84:443
20161206 23:44:01 SENT CONTROL [us101.nordvpn.com]: 'PUSH_REQUEST' (status=1)
20161206 23:44:02 PUSH: Received control message: 'PUSH_REPLY redirect-gateway def1 dhcp-option DNS 78.46.223.24 dhcp-option DNS 162.242.211.137 route 10.7.7.1 topology net30 ping 5 ping-restart 30 ifconfig 10.7.7.178 10.7.7.177'
20161206 23:44:02 OPTIONS IMPORT: timers and/or timeouts modified
20161206 23:44:02 NOTE: --mute triggered...
20161206 23:44:02 3 variation(s) on previous 3 message(s) suppressed by --mute
20161206 23:44:02 I TUN/TAP device tun1 opened
20161206 23:44:02 TUN/TAP TX queue length set to 100
20161206 23:44:02 I do_ifconfig tt->ipv6=1 tt->did_ifconfig_ipv6_setup=0
20161206 23:44:02 I /sbin/ifconfig tun1 10.7.7.178 pointopoint 10.7.7.177 mtu 1500
20161206 23:44:02 /sbin/route add -net 68.235.53.84 netmask 255.255.255.255 gw 192.168.0.1
20161206 23:44:02 /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.7.7.177
20161206 23:44:02 /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.7.7.177
20161206 23:44:02 /sbin/route add -net 10.7.7.1 netmask 255.255.255.255 gw 10.7.7.177
20161206 23:44:02 I Initialization Sequence Completed
20161206 23:44:13 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20161206 23:44:13 D MANAGEMENT: CMD 'state'
20161206 23:44:13 MANAGEMENT: Client disconnected
20161206 23:44:13 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20161206 23:44:13 D MANAGEMENT: CMD 'state'
20161206 23:44:13 MANAGEMENT: Client disconnected
20161206 23:44:13 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20161206 23:44:13 D MANAGEMENT: CMD 'state'
20161206 23:44:13 MANAGEMENT: Client disconnected
20161206 23:44:13 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20161206 23:44:13 D MANAGEMENT: CMD 'status 2'
20161206 23:44:13 MANAGEMENT: Client disconnected
20161206 23:44:13 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20161206 23:44:13 D MANAGEMENT: CMD 'log 500'
20161206 23:44:13 MANAGEMENT: Client disconnected
20161206 23:44:32 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20161206 23:44:32 D MANAGEMENT: CMD 'state'
20161206 23:44:32 MANAGEMENT: Client disconnected
20161206 23:44:32 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20161206 23:44:32 D MANAGEMENT: CMD 'state'
20161206 23:44:32 MANAGEMENT: Client disconnected
20161206 23:44:32 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20161206 23:44:32 D MANAGEMENT: CMD 'state'
20161206 23:44:32 MANAGEMENT: Client disconnected
20161206 23:44:32 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20161206 23:44:32 D MANAGEMENT: CMD 'status 2'
20161206 23:44:32 MANAGEMENT: Client disconnected
20161206 23:44:32 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:16
20161206 23:44:32 D MANAGEMENT: CMD 'log 500'
19700101 01:00:00

ca /tmp/openvpncl/ca.crt
management 127.0.0.1 16
management-log-cache 100
verb 3
mute 3
syslog
writepid /var/run/openvpncl.pid
client
resolv-retry infinite
nobind
persist-key
persist-tun
script-security 2
dev tun1
proto tcp-client
cipher aes-256-cbc
auth sha1
auth-user-pass /tmp/openvpncl/credentials
remote us101.nordvpn.com 443
comp-lzo yes
tun-mtu 1500
mtu-disc yes
tun-ipv6
tls-auth /tmp/openvpncl/ta.key 1

Any help would be really appreciated.
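
Added example (not part of the original post, and not DD-WRT or NordVPN code): a small Python audit that picks the security warnings out of a client log like the one above, maps each to a remediation, and checks whether a given client config already contains the option that addresses it. The rule names, the `audit` function and the status labels are assumptions made for this illustration; the sample log lines and config options are copied from the post.

```python
import re
from collections import namedtuple

# Constructed sample: lines copied from the client log posted above.
SAMPLE_LOG = """\
20161206 23:43:52 W WARNING: file '/tmp/openvpncl/credentials' is group or others accessible
20161206 23:43:52 W WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
20161206 23:43:52 W WARNING: file '/tmp/openvpncl/ta.key' is group or others accessible
20161206 23:43:53 W WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
20161206 23:43:59 W WARNING: 'link-mtu' is used inconsistently local='link-mtu 1560' remote='link-mtu 1592'
20161206 23:44:02 I Initialization Sequence Completed
"""
# Constructed sample: a subset of the client config options posted above.
SAMPLE_CONFIG = "client dev tun1 proto tcp-client cipher aes-256-cbc auth sha1 nobind"

# DD-WRT log line: date, time, optional one-letter level, then the message.
LINE_RE = re.compile(r"^\d{8} \d{2}:\d{2}:\d{2} (?:[A-Z] )?(?P<msg>.*)$")

# (rule id, pattern in the warning, remediation, config options that address it)
RULES = [
    ("no-server-cert-verify",
     re.compile(r"No server certificate verification method"),
     "add 'remote-cert-tls server' to the client config",
     {"remote-cert-tls", "verify-x509-name"}),
    ("password-cached",
     re.compile(r"may cache passwords in memory"),
     "add 'auth-nocache' to the client config",
     {"auth-nocache"}),
    ("secret-file-readable",
     re.compile(r"file '([^']+)' is group or others accessible"),
     "restrict the file to its owner (chmod 600 {0})",
     set()),  # a file-permission issue; no config option addresses it
]

Finding = namedtuple("Finding", "rule subject remediation status")

def audit(log_text, config_text):
    """Map security warnings in an OpenVPN client log to remediations and mark
    each 'addressed' if the given config already carries the relevant option."""
    options = set(config_text.split())
    findings, seen = [], set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or "WARNING" not in m["msg"]:
            continue
        for rule, pattern, fix, cured_by in RULES:
            hit = pattern.search(m["msg"])
            subject = hit.group(1) if hit and hit.groups() else ""
            if hit and (rule, subject) not in seen:   # report each issue once
                seen.add((rule, subject))
                status = "addressed" if options & cured_by else "open"
                findings.append(Finding(rule, subject, fix.format(subject), status))
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG, SAMPLE_CONFIG):
        print(f"{f.status:9} {f.rule:22} {f.subject or '-':28} {f.remediation}")
```

The `link-mtu` warning is deliberately left unmapped: it is a tuning mismatch, not a gap in authentication or secret handling.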
fastbond
DD-WRT Novice


Joined: 26 Nov 2016
Posts: 6

Posted: Sat Dec 17, 2016 14:06
Anyone?
fastbond
DD-WRT Novice


Joined: 26 Nov 2016
Posts: 6

Posted: Sat Dec 17, 2016 22:05
eibgrad wrote:

I don't see any obvious errors in the log. But if it shows Connected, and it still doesn't work, it's possible you failed to NAT the tunnel (so packets get over the tunnel, but don't know how to find their way back). It's an option on the OpenVPN client GUI.


Thanks for the answer eibgrad, but NAT is enabled Sad See image attached for details.

Is there any other place I could configure to enable packet routing? Or other place to check for logs/troubleshooting?
fastbond
DD-WRT Novice


Joined: 26 Nov 2016
Posts: 6

Posted: Tue Jan 03, 2017 13:26
After trying almost everything, it worked.
My dd-wrt was sitting behind my internet provider's cable modem, and after changing this cable modem to bridge mode and letting the dd-wrt router act as gateway, it worked!

The weird thing is that any VPN started from a device behind the dd-wrt would work with this config, but not the dd-wrt itself.

Everything is fine now, thank you @eibgrad and others for the help!
jsooner02
DD-WRT Novice


Joined: 04 Mar 2017
Posts: 1

Posted: Sat Mar 04, 2017 23:44    Post subject: Policy Based Routing and DDWRT (via the UI)
Hey all, wanted to ask whether anyone had tried to configure Policy Based Routing with NordVPN and DDWRT. I am attempting to configure the routing so that a single IP range will utilize the OpenVPN configuration while others will not. I am utilizing the UI for this and I was under the impression that it was as simple as having the following under Policy Based Routing.

"10.0.1.0/32"

and then all of my other clients (10.0.0.0/32) would connect directly to the internet.

However when I check my IP address from 10.0.0.x it shows the VPN IP.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12917
Location: Netherlands

Posted: Sun Mar 05, 2017 11:41
Almost right Smile
You need to enter each IP address or a range of IP addresses using www.ipaddressguide.com/cidr

I assume that the local subnet you want to route through the VPN is 10.0.1.0 and your DHCP IP address is 10.0.1.1 (if you have one). Then you want the range 10.0.1.2 - 10.0.1.254 to route through the VPN. For that you should add:

10.0.1.2/31
10.0.1.4/30
10.0.1.8/29
10.0.1.16/28
10.0.1.32/27
10.0.1.64/26
10.0.1.128/26
10.0.1.192/27
10.0.1.224/28
10.0.1.240/29
10.0.1.248/30
10.0.1.252/31
10.0.1.254/32

to the PBR field.

/32 only routes that particular IP address

To make it simple 10.0.1.100/32 only routes that particular local address through the VPN

Oh and do not route the routers/DHCP address Smile

Hope this helps. It is working for me, but I use Private Internet Access; it could be that you use a script which bypasses these settings.

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
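
Added example (not part of the original post): a Python sketch that derives the PBR entries for a subnet while leaving out chosen addresses such as the router/DHCP address, then checks which clients the entries cover. The function names `pbr_entries` and `is_routed` are made up for this illustration, and it assumes the PBR field matches a client when its source address falls inside one of the listed CIDR blocks.

```python
import ipaddress

def pbr_entries(subnet, exclude=()):
    """CIDR blocks covering every host address in `subnet` except `exclude`."""
    net = ipaddress.ip_network(subnet)
    skip = {ipaddress.ip_address(a) for a in exclude}
    blocks, start, prev = [], None, None
    for addr in net.hosts():           # hosts() omits network and broadcast
        if addr in skip:
            if start is not None:      # close the run that ended before addr
                blocks += ipaddress.summarize_address_range(start, prev)
                start = None
            continue
        if start is None:
            start = addr
        prev = addr
    if start is not None:
        blocks += ipaddress.summarize_address_range(start, prev)
    return [str(b) for b in blocks]

def is_routed(entries, ip):
    """True if `ip` falls inside any PBR entry (so it would use the VPN)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(e) for e in entries)

# The case from the post: LAN 10.0.1.0/24, router/DHCP address 10.0.1.1 excluded.
ENTRIES = pbr_entries("10.0.1.0/24", exclude=["10.0.1.1"])

if __name__ == "__main__":
    print("\n".join(ENTRIES))
    for ip in ("10.0.1.1", "10.0.1.100", "10.0.0.5"):
        print(ip, "-> VPN" if is_routed(ENTRIES, ip) else "-> direct")
```

For 10.0.1.0/24 with 10.0.1.1 excluded this produces the same 13 entries listed in the post; excluding further addresses splits the range and the list is recomputed accordingly.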
sploit
DD-WRT User


Joined: 16 Apr 2016
Posts: 307
Location: California

Posted: Mon Mar 06, 2017 5:38    Post subject: NordVPN Secrets
Also for everyone that likes to switch servers

NordVPN requires a different cert setup for each server...

There are also a lot of other settings that need to be adjusted within ddwrt for this service.

I install these services professionally Smile

If you get frustrated and want it done right message me and I will do it for ya for $25.00 paypal.

Every VPN provider is different and has different tricks.

I know what stops the tunnel routing on each one. NordVPN is one of the trickier and all their manuals are wrong.

Just Make sure and have teamviewer installed.

_________________
My Karma ran over your Dogma
SploitWorks Custom Flashed Routers
sysnoise
DD-WRT Novice


Joined: 18 Oct 2016
Posts: 3

Posted: Thu Apr 27, 2017 0:57
Just wanted to throw this little gem in here...

I don't think this page existed when I first started trying to set this up a few months ago: https://nordvpn.com/tutorials/dd-wrt/openvpn-gui/. But I tried it again recently and it basically worked almost verbatim with the server us323 with a minor amount of tinkering (but this server, being static IP, has certain practical limitations, shall we say...)

However, when trying to get this configuration to work with other servers (e.g. us5xx+) there was one line in that page which I skimmed over but proved to be critical: note: newer NordVPN servers use SHA-512 instead. If SHA-1 does not work, select SHA-512. Once I switched to SHA512...golden.
jibthis
DD-WRT Novice


Joined: 18 Jul 2017
Posts: 3

Posted: Tue Jul 18, 2017 0:44    Post subject: killswitch reboot
I am a complete rookie at this dd-wrt setup but I currently have everything nordvpn related working on my router. However I am having trouble figuring out how to create a script to restart my router after the killswitch is engaged. I do not know where to begin and am in need of either somewhere to begin reading or a walkthrough. I tried using the keepalive from the GUI but it doesn't seem to work for me.
usershmusername
DD-WRT Novice


Joined: 27 Aug 2017
Posts: 1

Posted: Sun Aug 27, 2017 8:31
sysnoise wrote:
Just wanted to throw this little gem in here...

I don't think this page existed when I first started trying to set this up a few months ago: https://nordvpn.com/tutorials/dd-wrt/openvpn-gui/. But I tried it again recently and it basically worked almost verbatim with the server us323 with a minor amount of tinkering (but this server, being static IP, has certain practical limitations, shall we say...)

However, when trying to get this configuration to work with other servers (e.g. us5xx+) there was one line in that page which I skimmed over but proved to be critical: note: newer NordVPN servers use SHA-512 instead. If SHA-1 does not work, select SHA-512. Once I switched to SHA512...golden.


I've still had issues with disconnects using those settings.

AFAIK ping-timer-rem is server side:
https://openvpn.net/index.php/open-source/documentation/manuals/65-openvpn-20x-manpage.html
"Use this option if you are starting the daemon in listen mode"

Corroborated here:
https://openvpn.net/archive/openvpn-users/2004-09/msg00535.html
"...ping-timer-rem only makes sense on the passively listening side of a point-to-point VPN connection. It is essentially enabled by default on the server side of server mode connection. It doesn't make sense on the client side because the client side is actively trying to connect to the server, and is not passively listening."

I've been using these additional settings along with Firmware: DD-WRT v3.0-r32170M kongac (06/11/17).

tls-client
remote-cert-tls server
remote-random
nobind
tun-mtu-extra 32
persist-key
persist-tun
ping 60
ping-restart 120
reneg-sec 0

I still get the occasional drop out, so would be interested if anyone is doing it differently?

---

EDIT.

Noticed this in the logs:

"20170828 12:17:01 PUSH: Received control message: 'PUSH_REPLY redirect-gateway def1 sndbuf 524288 rcvbuf 524288 dhcp-option DNS 78.46.223.24 dhcp-option DNS 162.242.211.137 route-gateway 10.8.8.1 topology subnet ping 60 ping-restart 180 ifconfig 10.8.8.32 255.255.255.0 peer-id 55 cipher AES-256-GCM' "

Set "ping-restart" in my Additional Settings to "180". This seems to have fixed the problem.
wajirah
DD-WRT Novice


Joined: 17 Sep 2017
Posts: 14

Posted: Sun Sep 17, 2017 10:07    Post subject: Please do a dummies guide for dd-wrt nordvpn users!
@usershmusername.

You seem to be the only one online who has figured out how to configure dd-wrt version 3 for nordvpn! Congratulations on not having frequent lost connections.

Could you please, please do a dummies guide? Please post your refined full script. You will be very popular, just look at the amount of views of this thread!!

Many thanks
sploit
DD-WRT User


Joined: 16 Apr 2016
Posts: 307
Location: California

Posted: Sun Sep 17, 2017 18:59    Post subject: Problems
As I set these up professionally I figured I'd share this info for all of you going nuts on NordVPN

1) NordVPN servers get frequently taken down by DMCA mandates. (Expect that if you are using one it will die at some point)

2) Each NordVPN server requires different certs (found in the .ovpn files). This is extremely annoying and is the primary thing that pisses me off about their service. None of their servers are dynamic, and you can't simply change the server name and be good on the router.

3) Disconnects. The primary reason I built the VPN Watchdog was because of NordVPN and PureVPN disconnects. There isn't any way around them. My theory is that they are constantly updating their servers with something that requires a quick restart of the OpenVPN server.

4) As one user stated above. Inconsistent SHA1 or SHA512 usage. No standardization. Again. Annoyance.


My primary workarounds have been to use servers people are unlikely to use (like in the 800 range)

I also install my sw_watchdog script to keep the tunnel alive in less than 1 minute upon failure in combination with the firewall kill switch. This has been favored so far by my customers using it.

Preferably, I tell people to change VPN providers from Nord if they want easier router maintenance.

Also for routers, any company that forces 256bit encryption is crazy. It just slows down the connection for no reason. AES-128 is fine

_________________
My Karma ran over your Dogma
SploitWorks Custom Flashed Routers
wajirah
DD-WRT Novice


Joined: 17 Sep 2017
Posts: 14

Posted: Tue Sep 26, 2017 16:06
@sploit I can understand your frustration. However I managed to get a good 3 year deal from nordvpn, and I don't mind tinkering with the router.

I am running build 33375 (19 Sep 2017) and followed @usershmusername's advice. For days my VPN connection has been solid and there have been no dropouts.

========================================================
My advice to newbies like me is to follow the tutorial in the nordvpn website;
https://nordvpn.com/tutorials/dd-wrt/openvpn-gui/

BUT replace their additional settings with:

tls-client
remote-cert-tls server
remote-random
nobind
tun-mtu-extra 32
persist-key
persist-tun
ping 60
ping-restart 120
reneg-sec 0

========================================================

Happy tinkering!