
OK - I decided to put this up on the TorGuard Forum as I could not find a tutorial anywhere with specific step-by-step instructions for getting TorGuard OpenVPN working with OpenWrt / Lede. In advance, I want to thank the excellent support team at TorGuard (especially Mike & Andy) for assisting me with getting my Lede / OpenWrt VPN router up and running.
I use davidc502 firmware, which is described as Moderately Customized LEDE Development Builds, found here - https://davidc502sis.dynamic-dns.net/releases/ and here - https://davidc502sis.dynamic-dns.net/snapshots/ -- davidc502's forum is found here - https://forum.lede-project.org/t/davidc502-wrt1200ac-wrt1900acx-wrt3200acm-wrt32x-builds/15839/80 - Dave's builds are for Linksys WRT1900AC v1, Linksys WRT1900AC v2, Linksys WRT1900ACS, Linksys WRT3200ACM and Linksys WRT1200AC models ONLY !!! One of the many benefits of using Dave's custom firmware is that it comes with many pre-installed and configured software packages - including OpenVPN and Dnscrypt - I use both in conjunction on my router. For the full list of packages see Dave's configuration seed found here - https://davidc502sis.dynamic-dns.net/releases/config.seed - However, the guide here will work on any and every OpenWrt / Lede firmware based router. I also tested this with Lede stable firmware (current version 17.01.4) found here - https://lede-project.org/downloads

Anyway - here we go - this is Mike's detailed original answer to my inquiry concerning my request for assistance in setting up OpenVPN on OpenWrt / Lede. I have added a few edits in order to make this more comprehensible and easier to implement. This guide will work, guaranteed, if you follow the instructions step by step.

Mike // Staff

Thank you, can you check if the steps below work OK for you:

1) In the Luci GUI go to System > Software and do an update first ( ssh command - opkg update ),
then search for openvpn and install openvpn-openssl and luci-app-openvpn ( uci ssh command - opkg install openvpn-openssl luci-app-openvpn ).

These are necessary - Luci is GUI frontend for Openwrt - it comes pre-installed with davidc502's firmware. Also installed on Lede stable. 

2) Generate the OpenVPN config on https://torguard.net/tgconf.php?action=vpn-openvpnconfig choosing openwrt.

3) Log in to the router (openwrt) using an ftp client like winscp; the config file downloaded from the tool is to be uploaded to the box and renamed as /etc/config/openvpn
To make this simpler - you can copy and paste the newly generated text to a text file on your desktop and / or download the config file to your desktop. Install nano ( preferred text editor ) to your router - opkg install nano - if you need to install nano ( if not already there / comes pre-installed in davidc502's builds ). SSH into the router, then type ( copy and paste ) - " nano /etc/config/openvpn " ( without parenthesis ) - erase all contents of the file ( hold Ctrl + k ) and replace ( copy and paste ) with the contents of the config file you copied and downloaded earlier.

Sample of my  /etc/config/openvpn config file -  adjust yours as you see fit but stick with config from https://torguard.net/tgconf.php?action=vpn-openvpnconfig as your basic guide -

config openvpn 'TorGuard_AES256GCM_SHA256'
        option client '1'
        option dev 'tun'
        option proto 'udp'
        option resolv_retry 'infinite'
        option nobind '1'
        option persist_key '1'
        option persist_tun '1'
        option ca '/etc/openvpn/torguard/ca.crt'
        option remote_cert_tls 'server'
        option tls_auth '/etc/openvpn/torguard/ta.key 1'
        option cipher 'AES-256-GCM'
        option comp_lzo 'adaptive'         #   AS of March 2018 and OpenVpn  2.4.5  use option compress 'lzo'  otherwise you can not connect
        option verb '4'
        option fast_io '1'
        option auth_user_pass '/etc/openvpn/torguard/userpass.txt'
        option remote_random '0'
        option auth 'SHA256'
        option reneg_sec '0'
        option port '1195'
        list remote 'ny.east.usa.torguardvpnaccess.com'
        option sndbuf '393216'
        option rcvbuf '393216'
        option enabled '1'
        option keepalive '10 120'
        option auth_nocache '1'
        option tls_client '1'
        option setenv 'CLIENT_CERT 0'
        option tls_version_min '1.2'
        option tls_cipher 'TLS-DHE-RSA-WITH-AES-256-GCM-SHA384'
        option ncp_ciphers 'AES-256-GCM:AES-128-GCM'
        option tun_mtu '1500'
        option tun_mtu_extra '32'
        option ncp_disable '1'
        option engine 'dynamic'
        option mute_replay_warnings '1'
        option disable_occ '1'
        option keysize '256'
        option mssfix '1450'
        option script_security '2'
        option reneg_bytes '1073741824'
        option mute '20'
        option pull '1'
        option log '/tmp/openvpn.log'

Then hit Ctrl + o - you will be asked to write file - hit enter to save file  - then Ctrl + x to close file and go back into shell

4) Create the folder /etc/openvpn/torguard and add under it the ca.crt and ta.key from https://torguard.net/downloads/ta.key and https://torguard.net/downloads/ca.crt and create a new file userpass.txt, putting your VPN username on the first line and your VPN password on the second.

Create the /etc/openvpn/torguard folder ( in an ssh session on the router, type " mkdir /etc/openvpn/torguard " ( without parenthesis ) ) in order to proceed.

opkg install wget ( if you need to install wget )

SSH into the router and use wget ( install wget if not already there / comes pre-installed in davidc502's builds ) to issue the following commands in order to install the necessary files to the /etc/openvpn/torguard folder which you just created. Type the following commands in the shell:

A - " wget -P /etc/openvpn/torguard https://torguard.net/downloads/ta.key " ( without parenthesis ) - copy and paste - ( ta.key is downloaded to the /etc/openvpn/torguard folder )

B - " wget -P /etc/openvpn/torguard https://torguard.net/downloads/ca.crt " ( without parenthesis ) - copy and paste - ( ca.crt is downloaded to the /etc/openvpn/torguard folder )

C - type ( copy and paste ) " nano /etc/openvpn/torguard/userpass.txt " ( without parenthesis ) - in the new text file type ( copy and paste ) your TorGuard VPN username on the first line and your TorGuard VPN password on the second line - then hit ( Ctrl + o ) - you will be asked to write the file - hit enter to save the file - then ( Ctrl + x ) to close the file and go back into the shell - userpass.txt is now added under the /etc/openvpn/torguard/ folder as well

Now - these commands are required from my past experience - still in SSH type ( copy and paste )

chmod 0777 /etc/openvpn/torguard/ta.key
chmod 0777 /etc/openvpn/torguard/ca.crt
chmod 0400 /etc/openvpn/torguard/userpass.txt

There are two alternative methods available in order to create the necessary openvpn network interface and complementary firewall rules. The first one I will feature is through the command line shell - using uci commands.

The second is simply done through the Luci Web GUI. Personally, I use the uci command line approach as I feel the firewall rules for the vpn connection are more secure in nature using this method. For the sake of this tutorial, consider command line - uci - Scenario A - and Luci Web GUI method - Scenario B. Both will create an interface and working firewall rules and, in the end, leave you with a working TorGuard OpenVPN configuration and subsequent connection. GUARANTEED !

Remember this is either A or B - not A AND B !!! - you can not use both. It is one or the other.

Scenario A -

TorGuard OpenVpn Network Interface Creation and Setup via command line - uci 

uci set network.myvpnc=interface
uci set network.myvpnc.proto=none
uci set network.myvpnc.ifname=tun0
uci commit network

TorGuard OpenVpn Firewall Rules Setup via command line - uci

uci add firewall zone
uci set firewall.@zone[-1]=zone
uci set firewall.@zone[-1].name=myvpnc_fw
uci set firewall.@zone[-1].network=myvpnc
uci set firewall.@zone[-1].input=REJECT
uci set firewall.@zone[-1].output=ACCEPT
uci set firewall.@zone[-1].forward=REJECT
uci set firewall.@zone[-1].masq=1
uci set firewall.@zone[-1].mtu_fix=1
uci add firewall forwarding
uci set firewall.@forwarding[-1]=forwarding
uci set firewall.@forwarding[-1].src=lan
uci set firewall.@forwarding[-1].dest=myvpnc_fw
uci commit firewall

Scenario B - 

TorGuard OpenVpn - Luci ( Web Gui ) Network Interface Creation and Setup and Firewall Rules Setup

1 ) Back on Luci ( Lede/OpenWrt GUI ), go to Network > Interfaces and add a new interface. Name the interface " MYVPN " - make sure the " Protocol of the new interface " at the top of the page is set to " Unmanaged " and at the bottom of the page select " Custom " and enter " tun0 " ( tun number zero ) in the field next to the custom radio button.

Click On Submit then Save and Save and Apply Settings

2 ) Go to the Network > Firewall section, click add " new zone " and set it to " accept " ( all three up top - accept all options ) for input/output/forward, and check the " masquerade " box under where you are accepting all.
Then enter a check mark in the box next to interface VPN ( Covered networks ).
Then in the bottom box " Inter-Zone Forwarding ", set ( Allow forward to destination zones: ) = LAN and ( Allow forward from source zones: ) = LAN

This means click both radio buttons next to lan in the last section of the firewall " newzone " you just created.

Lastly, Click On Save and Save and Apply Settings -

3 ) Go to Services > Openvpn and start the VPN service.

All should be up and running after this. Support said they would post this in tutorials for OpenWrt / Lede firmware. As I said, I just put this up to save folks time if they run TorGuard VPN. By the way, it is an excellent VPN service. Easier setup than PIA VPN - specifically on Lede / OpenWrt. Again - thanks to TorGuard Support.

Bonus Feature- For Adding DNS-Over-TLS support to OpenWRT (LEDE) with Unbound see here:
https://torguard.net/forums/index.php?/topic/1374-adding-dns-over-tls-support-to-openwrt-lede-with-unbound/ or here:
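
Added example, not part of the original post or of TorGuard's instructions: a check for the firewall setup in the guide above that reads an OpenWrt firewall config and reports where the zone covering the VPN interface is looser than Scenario A. The function name `audit_vpn_zone`, the policy it enforces and the invocation shown in the last comment are this example's assumptions.

```shell
#!/bin/sh
# Added example (not from the post). Policy assumed: the zone covering the
# VPN network has input and forward set to REJECT or DROP, masq '1', and no
# forwarding section uses that zone as its source (Scenario A in the guide).

# audit_vpn_zone FILE NETWORK -> one finding per line, no output when clean
audit_vpn_zone() {
    awk -v net="$2" -v q="'" '
    function finish() {                  # close the section just read
        if (sect == "zone" && covers) {
            zone = name
            if (input != "REJECT" && input != "DROP") print name ": input=" input
            if (fwd != "REJECT" && fwd != "DROP") print name ": forward=" fwd
            if (masq != "1") print name ": masq is off"
        }
        if (sect == "forwarding") pair[++n] = src SUBSEP dest
    }
    { gsub("[" q "\"]", "") }            # strip uci quoting
    $1 == "config" {
        finish(); sect = $2; covers = 0
        name = "?"; input = fwd = "unset"; masq = "0"; src = dest = ""
        next
    }
    $1 == "option" || $1 == "list" {
        if ($2 == "name") name = $3
        else if ($2 == "input") input = $3
        else if ($2 == "forward") fwd = $3
        else if ($2 == "masq") masq = $3
        else if ($2 == "src") src = $3
        else if ($2 == "dest") dest = $3
        else if ($2 == "network") for (i = 3; i <= NF; i++) if ($i == net) covers = 1
    }
    END {
        finish()
        if (zone == "") { print "no zone covers network " net; exit }
        for (i = 1; i <= n; i++) {       # traffic that starts in the VPN zone
            split(pair[i], p, SUBSEP)
            if (p[1] == zone) print zone ": forwarding to " p[2]
        }
    }' "$1"
}

# On the router: audit_vpn_zone /etc/config/firewall myvpnc
```

A zone built as in Scenario A produces no output; a zone set to accept everything with forwarding in both directions is reported line by line.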

2 hours ago, Support said:

Thanks for your input on this - much appreciated :)


Dear Mike - Thanks for the appreciation but I could not have done it without your help. Happy Holidays to You and Yours - 

Always In Peace and God's Grace,



Hi, I followed your tutorial but it doesn't want to connect. Not sure why, any ideas? Is there a way to see what's going wrong? I am using LEDE 17.01.4. Any help would be appreciated. Thanks

On 7/27/2018 at 5:12 PM, Proton said:

Hi, I followed your tutorial but it doesn't want to connect. Not sure why, any ideas? Is there a way to see what's going wrong? I am using LEDE 17.01.4. Any help would be appreciated. Thanks

Dear Proton,

Well, it is difficult for me to assist you without knowing your configurations. You should move up to OpenWrt / Lede 18.06.0 Final found here: https://downloads.openwrt.org/releases/18.06.0/ and remember to use option comp_lzo 'adaptive' for OpenVpn 2.45 and above. Also, try different ciphers depending on your router's hardware - it may not support TorGuard_AES256GCM_SHA256. Generally, cbc is enough - generate the OpenVPN config on https://torguard.net/tgconf.php?action=vpn-openvpnconfig choosing openwrt - these changes should get you up and running. If all else fails - contact TorGuard support - Mike or Andy, they are always very helpful and responsive.

Just open a support ticket.


directnupe - see official Guide here:  https://openwrt.org/docs/guide-user/services/vpn/openvpn.torguard     


On 12/2/2018 at 6:37 AM, Jgsieve said:

If I want to bypass specific urls from using the vpn, do I just put those in the Dnsmasq area? 

Dear Jgsieve,

Hello I am the OP of this guide. I hope that you are well. The easiest and simplest method to block url's on OpenWrt is to install  luci-app-adblock or Simple AdBlock - see here: https://openwrt.org/packages/pkgdata/luci-app-adblock or here: https://github.com/openwrt/packages/tree/master/net/simple-adblock/files

Look here for how to use - https://www.reddit.com/r/openwrt/comments/8jej3p/what_is_the_best_method_for_installing_unbound_on/ and look for my last post which is the last post on this page. In summary:

1- In Luci go to Services > Adblock > Along The Top of The Page > Go To Advanced

2 - Underneath Advanced > Click on Edit Configuration

3- Go to the end of the Standard Pre-Installed Entries

4- Skip a line and enter the following below:

config source 'stevenblack'
        option adb_src 'https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts'
        option adb_src_rset '\$0~/^0\.0\.0\.0[[:space:]]+([[:alnum:]_-]+\.){1,}[[:alpha:]]+([[:space:]]|$)/{print tolower(\$2)}'
        option adb_src_desc 'unified blocklist, daily updates, approx. 32.000 entries'
        option enabled '1'

5- Save. Next in Luci Adblock Settings for DNS Backend (DNS Directory) = dnsmasq for Download Utility = wget & Startup Trigger = wan. Then enter the following in the other settings:

A- Put check next to ( 1 ) Verbose Debug Logging ( 2 ) Force Local DNS ( 3 ) Flush DNS Cache under Extra Options and finally Max. Download Queue = 16 / Save and Apply in order to restart Adblock with new configuration which you just made.

6- References:

https://github.com/StevenBlack/hosts https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts

https://forum.turris.cz/t/adblock-doesnt-seem-to-work-on-wifi/6722/6 ( Look 1/2 way down page for Steven Black configuration for adblock ) This is for the raw hosts file with base extensions containing 60,855 entries

You may add custom url's as well. Blacklist / whitelist and so on. Excuse the slow reply. Merry Christmas and all that rot - and good luck.


Peace In All Ways,






I'm new to the world of OPENWRT and VPNs, but...

I followed these instructions fully, however it doesn't work, stops me from having internet. I have to stop openvpn to get my internet back.

Any suggestions?

