Jump to content


Rate this topic


Recommended Posts



OK - I decided to put this up on the TorGuard Forum as I could not find a tutorial anywhere with specific step by step instructions for getting Torguard OPENVPN working with OpenWrt/ Lede. In advance, I want to thank the excellent support team at TorGuard ( especially Mike & Andy ) for assisting me with getting my Lede/Openwrt VPN router up and running.
I use davidc502 firmware which is described as  Moderately Customized LEDE Development Builds found here - https://davidc502sis.dynamic-dns.net/releases/ and here - https://davidc502sis.dynamic-dns.net/snapshots/ -- davidc502's forum found here - https://forum.lede-project.org/t/davidc502-wrt1200ac-wrt1900acx-wrt3200acm-wrt32x-builds/15839/80  - Dave's builds are for Linksys WRT1900AC v1 Linksys WRT1900AC v2 Linksys WRT1900ACS Linksys WRT3200ACM Linksys WRT1200AC models ONLY !!! One of the many benefits of using Dave's custom firmware is that it comes with many pre-installed and configured software packages - including OpenVpn and Dnscrypt - I use both in conjunction on my router. For full list of packages see Dave's configuration seed found here -   https://davidc502sis.dynamic-dns.net/releases/config.seed - However, the guide tutorial here will work on any and every OpenWrt/ Lede firmware based router. I also tested this with Lede stable firmware ( current version 17.01.4 ) found here - https://lede-project.org/downloads -

Anyway - here we go - this is Mike's detailed original answer to my inquiry concerning my request for assistance in setting up OpenVpn on OpenWrt /Lede. I have added a few edits in order to make this more comprehensible and easier to implement. This guide  will work Guaranteed if you follow instructions step by step.

Mike // Staff

Thank you, can you check if the steps below works ok for you

1) Then in Luci Gui  go to System > Software, do update first ( ssh command opkg update )
then search for openvpn and install openvpn-openssl and luci-app-openvpn. ( uci ssh command -  opkg install openvpn-openssl luci-app-openvpn )

These are necessary - Luci is GUI frontend for Openwrt - it comes pre-installed with davidc502's firmware. Also installed on Lede stable. 

2) Here you Generate OpenVpn config on https://torguard.net/tgconf.php?action=vpn-openvpnconfig choosing openwrt.

3) Login using ftp client like winscp to the router (openwrt) and the config file downloaded from the tool to be uploaded to box and renamed as /etc/config/openvpn
To make this simpler - you can copy and paste the newly generated text file to a text file on your desktop and /or download config file to your desktop. Install 

nano ( preferred text editor ) -  opkg install nano - if you need to install nano - (  if not already there / comes pre-installed in davidc502's builds )

to your router. SSH into router then type ( copy and paste ) -"  nano /etc/config/openvpn " ( without parenthesis )  - erase all contents of file ( hold Ctrl + k )  and replace ( copy and paste ) with contents of config file you copied and downloaded earlier. 

Sample of my  /etc/config/openvpn config file -  adjust yours as you see fit but stick with config from https://torguard.net/tgconf.php?action=vpn-openvpnconfig as your basic guide -

config openvpn 'TorGuard_AES256GCM_SHA256'
        option client '1'
        option dev 'tun'
        option proto 'udp'
        option resolv_retry 'infinite'
        option nobind '1'
        option persist_key '1'
        option persist_tun '1'
        option ca '/etc/openvpn/torguard/ca.crt'
        option remote_cert_tls 'server'
        option tls_auth '/etc/openvpn/torguard/ta.key 1'
        option cipher 'AES-256-GCM'
        option comp_lzo 'adaptive'         #   AS of March 2018 and OpenVpn  2.4.5  use option compress 'lzo'  otherwise you can not connect
        option verb '4'
        option fast_io '1'
        option auth_user_pass '/etc/openvpn/torguard/userpass.txt'
        option remote_random '0'
        option auth 'SHA256'
        option reneg_sec '0'
        option port '1195'
        list remote 'ny.east.usa.torguardvpnaccess.com'
        option sndbuf '393216'
        option rcvbuf '393216'
        option enabled '1'
        option keepalive '10 120'
        option auth_nocache '1'
        option tls_client '1'
        option setenv 'CLIENT_CERT 0'
        option tls_version_min '1.2'
        option tls_cipher 'TLS-DHE-RSA-WITH-AES-256-GCM-SHA384'
        option ncp_ciphers 'AES-256-GCM:AES-128-GCM'
        option tun_mtu '1500'
        option tun_mtu_extra '32'
        option ncp_disable '1'
        option engine 'dynamic'
        option mute_replay_warnings '1'
        option disable_occ '1'
        option keysize '256'
        option mssfix '1450'
        option script_security '2'
        option reneg_bytes '1073741824'
        option mute '20'
        option pull '1'
        option log '/tmp/openvpn.log'

Then hit Ctrl + o - you will be asked to write file - hit enter to save file  - then Ctrl + x to close file and go back into shell

4) create folder /etc/openvpn/torguard and add under it the ca.crt, ta.key from https://torguard.net/downloads/ta.key and https://torguard.net/downloads/ca.crt   and create new file userpass.txt where in it put on first line your vpn username and second you vpn password. 

Create /etc/openvpn/torguard folder ( in ssh session into router - type - " mkdir /etc/openvpn/torguard "  ( without parenthesis )   - in order to proceed  -   

opkg install wget ( if you need to install wget )

ssh into router use wget ( install wget if not already there / comes pre-installed in davidc502's builds ) to issue following commands in order to install necessary

files to /etc/openvpn/torguard folder which you just created : type the following commands in shell 

A - "  wget -P /etc/openvpn/torguard https://torguard.net/downloads/ta.key "  ( without parenthesis ) - copy and paste - (  ta.key is downloaded to 

/etc/openvpn/torguard folder )

B - " wget -P /etc/openvpn/torguard https://torguard.net/downloads/ca.crt "  ( without parenthesis ) - copy and paste - ( ca.crt is downloaded to 

/etc/openvpn/torguard folder )

C - type ( copy and paste ) " nano /etc/openvpn/torguard/userpass.txt "  ( without parenthesis )  - in new text  file type ( copy and paste ) in first line your 

TorGuard Vpn username and on second line your TorGuard  Vpn password  - Then hit ( Ctrl + o ) - you will be asked to write file - hit enter to save file  - then ( 

Ctrl + x ) to close file and go back into shell -   userpass.txt is now added under /etc/openvpn/torguard/ folder as well 

Now - these commands are required from my past experience - still in SSH type ( copy and paste )

chmod 0777 /etc/openvpn/torguard/ta.key     chmod 0777 /etc/openvpn/torguard/ca.crt   chmod 0400 /etc/openvpn/torguard/userpass.txt

There are two alternative methods available in order to create the necessary openvpn network interface and complimentary firewall rules. The first one I will 

feature is through the command line shell - using uci commands. 

The second is simply done through the Luci Web GUI. Personally, I use the uci command line approach as I feel the firewall rules for the vpn connection are more 

secure in nature using this method. For the sake of this tutorial, consider command line - uci - Scenario A - and Luci Web Gui method - Scenario B. Both will create 

an interface and working firewall rules and in the end - and leave you with a working TorGuard OpenVpn configuration and subsequent connection. GUARANTEED !

Remember this is either A or B - not A AND B !!! - you can not use both. It is one or the other.

Scenario A -

TorGuard OpenVpn Network Interface Creation and Setup via command line - uci 

uci set network.myvpnc=interface
uci set network.myvpnc.proto=none
uci set network.myvpnc.ifname=tun0
uci commit network

TorGuard OpenVpn Firewall Rules Setup via command line - uci

uci add firewall zone
uci set [email protected][-1]=zone
uci set [email protected][-1].name=myvpnc_fw
uci set [email protected][-1].network=myvpnc
uci set [email protected][-1].input=REJECT
uci set [email protected][-1].output=ACCEPT
uci set [email protected][-1].forward=REJECT
uci set [email protected][-1].masq=1
uci set [email protected][-1].mtu_fix=1
uci add firewall forwarding
uci set [email protected][-1]=forwarding
uci set [email protected][-1].src=lan
uci set [email protected][-1].dest=myvpnc_fw
uci commit firewall

Scenario B - 

TorGuard OpenVpn - Luci ( Web Gui ) Network Interface Creation and Setup and Firewall Rules Setup

1 ) Back on Luci ( Lede/OpenWrt Gui ). Go to Network > Interfaces and add new interface name the interface " MYVPN " - make sure the " Protocol of the new interface "  at top of page is set to  " Unmanaged " and at bottom of page select " Custom " and enter "  tun0 " ( tun number zero ) in the field next to custom radio button.

Click On Submit then Save and Save and Apply Settings

2 ) Go to Network > Firewall section, click add " new zone " and make it to " "accept " ( all three up top - accept all options )  input/output/forward/masquarde, ( check " masquerade " box under where you accepting all .
Then choose - enter check mark in box next to  interface VPN  ( Covered networks ).
Then in bottom box " Inter-Zone Forwarding " (  Allow forward to destination zones: ) = LAN and  then

( Allow forward from source zones: ) = LAN

This means click both radio buttons next to lan in last section on firewall " newzone " you just created.

Lastly, Click On Save and Save and Apply Settings -

3 ) Go to Services > Openvpn and start the VPN service.

All should be up and running after this. Support said they would post this in tutorials for Openwrt/Lede firmware. As I said, I just put this up to save folks time 

if they run TorGuard VPN. By the way, it is an excellent VPN service.  Easier setup than PIA VPN - specifically on Lede/Openwrt. Again - thanks to TorGuard Support.

Bonus Feature- For Adding DNS-Over-TLS support to OpenWRT (LEDE) with Unbound see here:
https://torguard.net/forums/index.php?/topic/1374-adding-dns-over-tls-support-to-openwrt-lede-with-unbound/ or here:

Link to comment
Share on other sites

2 hours ago, Support said:

Thanks for your input on this - much appreciated :)


Dear Mike - Thanks for the appreciation but I could not have done it without your help. Happy Holidays to You and Yours - 

Always In Peace and God's Grace,


  • Like 1
Link to comment
Share on other sites

  • 4 weeks later...

Hi, I followed your tutorial but it doesn't want to connect.  Not sure why any ideas, is there a way to see whats going wrong.   I am Using LEDE 17.01.4 any help would be appreciated.  Thanks

Link to comment
Share on other sites

  • 3 weeks later...
On 7/27/2018 at 5:12 PM, Proton said:

Hi, I followed your tutorial but it doesn't want to connect.  Not sure why any ideas, is there a way to see whats going wrong.   I am Using LEDE 17.01.4 any help would be appreciated.  Thanks

Dear Proton,

Well it is difficult for me to assist you without knowing your configurations. You should move up to  OpenWrt / Lede 18.06.0 Final found here: https://downloads.openwrt.org/releases/18.06.0/ and remember to use option comp_lzo 'adaptive'   for OpenVpn 2.45 and above. Also, try different ciphers depending on your router's hardware - it may not support TorGuard_AES256GCM_SHA256. Generally, cbc is enough - Generate OpenVpn config on https://torguard.net/tgconf.php?action=vpn-openvpnconfig choosing openwrt - These changes should get you up and running. If all else fails - contact Torguard support- Mike or Andy they are always very helpful and responsive.

Just open a support ticket.


directnupe - see official Guide here:  https://openwrt.org/docs/guide-user/services/vpn/openvpn.torguard     


Link to comment
Share on other sites

  • 3 months later...
On 12/2/2018 at 6:37 AM, Jgsieve said:

If I want to bypass specific urls from using the vpn, do I just put those in the Dnsmasq area? 

Dear Jgsieve,

Hello I am the OP of this guide. I hope that you are well. The easiest and simplest method to block url's on OpenWrt is to install  luci-app-adblock or Simple AdBlock - see here: https://openwrt.org/packages/pkgdata/luci-app-adblock or here: https://github.com/openwrt/packages/tree/master/net/simple-adblock/files

Look here for how to use - https://www.reddit.com/r/openwrt/comments/8jej3p/what_is_the_best_method_for_installing_unbound_on/ and look for my last post which is the last post on this page. In summary:

1- In Luci go to Services > Adblock > Along The Top of The Page > Go To Advanced

2 - Underneath Advanced > Click on Edit Configuration

3- Go to the end of the Standard Pre- Installed Entires

4- Skip a line and enter the following below:

config source 'stevenblack'

option adb_src 'https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts'

option adb_src_rset '\$0~/^0\.0\.0\.0[[:space:]]+([[:alnum:]_-]+\.){1,}[[:alpha:]]+([[:space:]]|$)/{print tolower(\$2)}'

option adb_src_desc 'unified blocklist, daily updates, approx. 32.000 entries'

option enabled '1'

5- Save. Next in Luci Adblock Settings for DNS Backend (DNS Directory) = dnsmasq for Download Utility = wget & Startup Trigger = wan. Then enter the following in the other settings:

A- Put check next to ( 1 ) Verbose Debug Logging ( 2 ) Force Local DNS ( 3 ) Flush DNS Cache under Extra Options and finally Max. Download Queue = 16 / Save and Apply in order to restart Adblock with new configuration which you just made.

6- References:

https://github.com/StevenBlack/hosts https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts

https://forum.turris.cz/t/adblock-doesnt-seem-to-work-on-wifi/6722/6 ( Look 1/2 way down page for Steven Black configuration for adblock ) This is for the raw hosts file with base extensions containing 60,855 entries

You may add custom url's as well. Blacklist / whitelist and so on. Excuse the slow reply. Merry Christmas and all that rot - and good luck.


Peace In All Ways,




Link to comment
Share on other sites

  • 1 month later...


I'm new to the world of OPENWRT and VPNs, but...

I followed these instructions fully, however it doesn't work, stops me from having internet. I have to stop openvpn to get my internet back.

Any suggestions?


Link to comment
Share on other sites

  • 1 year later...

I got this working on my setup on my WRT3200ACM ... is there anyway to get wireguard working instead or openvpn  ? I heard it provides better performance  as there is less overhead .

Link to comment
Share on other sites

@Boostfor wireguard there is config tool as well as full installation by script for those who say they are new to openwrt etc... . I also replied to you in that same thread where you asked, you have to copy and paste one codebox, that is all. If it is too complicated, then you might simply create wireguard config with torguard's openwrt config, install luci-app-wireguard and put manually all those values (or ask torguard support)

@directnupeGuide is from 2017 and I dont expect it to be updated as torguard already added those guides to their knowledge base, but I would like to drop few notes which might be helpful for some and maybe not for some other.

I would not encourage anybody to use some builds created by some person because openwrt can be compiled as well as there are stable versions (with gui) as well as snapshots (without gui). There is also a reason why snapshots do not have gui. For wrt3200, this is the info page: https://openwrt.org/toh/linksys/linksys_wrt3200acm

Here one can download latest stable release, and here latest snapshot, as well as the original if somebody wants to revert it.

If you really need some additional packages, then you do not have to use some third party unverified builds, you better use snapshot where you can of course configure it the way in which you can upgrade your snapshot to always latest one and it would preserve all installed packages, as I wrote it already in several guides and pointed to it, I believe there is no need to explain sysupgrade, as on openwrt it is explained very well. This is by far better option for anybody who wants to have customized firmware, be sure that it is genuine as well as ability to even daily reflash with latest snapshot which is built daily, saving a user a need to compile those daily. Stable release can be upgraded only with stable release, snapshot only with snapshot, your own only with your own having same packages etc...

For those who want actually to change the code of openwrt or include own packages or create own feeds, those have then to compile, which is also better than using some 3rd party.

But I would not encourage anybody to use images compiled by some user.

Additionally, many packages are not required for most users, your tested router might not show you any difference if you run luci, but some older will, as well as default luci uses httpd, but there is also nginx version, having those preinstalled like in release images or some third party leaves you actually with no ability to upgrade those, at least not in ROM where they reside, meaning, you can waste space for it. Then, if you add things like tor and i2p, yes, even wrt3200 would be brought to its knees, especially if they run over openvpn, in that case one would for sure see some performance gain if there is no http server at all.

Another suggestion would be also to maybe edit/remove dead links which back then were probably alive, simply because we see that your guide is still used, I just clicked on one and page does not exist: https://openwrt.org/docs/guide-user/services/vpn/openvpn.torguard

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


  • Create New...