Router: How to configure OpenVPN for flashed DD-WRT routers

Please note the following requirements: 

• Router with alternative DD-WRT firmware and support of OpenVPN. Older versions need to be updated.
  Info: DD-WRT Website
• A CyberGhost account
  Info: Here's how to create a CyberGhost account online
  Info: How to manage your CyberGhost account
• A CyberGhost subscription
  Info: How to purchase or upgrade a subscription
  Info (only prepaid subscribers): Enter activation key

Disclaimer: Please keep in mind that, although the technical process is as thoroughly documented as possible, you need to have at least some technical understanding. There's always a chance for an overseen mistake and/or things have changed and the article is not updated yet. 

Some general notes on routers:

• Routers are usually not equipped with state of the art hardware, meaning you will have speed losses when using a VPN connection (due to low CPU power to process encryption). Direct connections from your PC, Laptop, Tablet, etc. to the VPN network (without the router providing the VPN software) will work better for you, if speed is among your favorite desires.
• If your flashed router doesn't provide DSL functionality, your Internet connection will still need to be managed by your DSL modem. In that case your device pool will hook on your router (via cable or wireless) and the router itself will be hooked to your DSL modem. So don’t forget to configure your WLAN devices to connect to the new router, so they won’t log in to the old WLAN. Alternatively you can deactivate your modem’s WLAN completely (only if you don’t need it for unencrypted traffic).
• If you flash your router with an alternative firmware you might lose your device’s guarantee; please consult your dealers’ policies regarding this matter. Furthermore it might happen that the flash process leaves your device unusable, e.g. after a power failure while flashing. CyberGhost is not to be held responsible for any damages, does not acknowledge any liabilities and will not adopt your manufacturer’s warranty.
• Also please note that not all routers with VPN client support will be able to connect to the CyberGhost network or might loose that ability with future firmware updates.

Step 1

First thing you should do is to make sure your DD-WRT router can connect to the Internet.

Connect to your Router Management console by starting your web browser and typing the following IP in the address bar: 192.168.1.1 (this is the default router management address, yours may differ if you've manually set a different one)

Now click on 'Setup' > 'Basic Setup' - ensure the 'Automatic Configuration' of IP addresses (DHCP) is set as the connection type and give your DD-WRT router a fixed local IP address under 'Network Setup' > Local IP Address - If you set this to something other than the default, please note that the address you enter here WILL be the one you'll be using when you wish to access the router Management Console (default is 192.168.1.1).

NOTE: The default settings should do just fine once 'Automatic Configuration' is selected, only tweak this if you have specific settings provided by your ISP

Step 2

Visit your CyberGhost VPN online account and login with your Premium Username and Password

Click on 'My Devices'  > click 'Other' > choose 'Configure new device'. 

At the new screen, in the 'Server configuration' tab, the desired parameters can be configured. For the purpose of setting OpenVPN for your DD-WRT Router, choose 'OpenVPN' from the Protocol drop down menu. Your desired country and server group, as described below, need to be defined too:

• Protocol: For Router configurations, please choose OpenVPN
• Country: Since native protocol connections may only be used with exactly one server you now have to choose the country you want to surf from; the server to be used in this country will be chosen by CyberGhost automatically.
• Server group: Choose the server group and the OpenVPN protocol (UDP or TCP) you want to use:
  UDP allows higher speed than the TCP version, but can result in broken downloads in some cases. This is the default setting.
  TCP allows more stable connections than the UDP version, but is a bit slower. Choose this version, if you have recurrent connection issues such as sudden disconnections.

After setting up your preferred settings, save them with 'Save and download configuration'.

To view the OpenVPN credentials that are generated for you on the configuration dashboard, press View Configuration. 

Once the new page is opened, your connection credentials are generated for you but make note of the following information:

• Server group: This is the address of the country (server) you want to be connected with, e.g. '12345-1-ca.cg-dialup.net'. Note: This address changes with every country you have chosen in the step before. The actual single server to be used will be chosen automatically by CyberGhost.
• User name: A solely for this protocol generated user name. This is NOT your regular CyberGhost account user name, it's used only to authenticate with our servers via Manual Configurations.
• Password (you need to check the "Show Password" option in order to see it): A solely for protocol usage generated password. This is NOT your regular CyberGhost account Password, it's used only to authenticate with our servers via Manual Configurations.
• Pre-Shared Key

Please download the configuration file. For that please click on 'Download configuration' and download the config file to your computer (it's recommended that you create a special folder for the config, somewhere accessible like your Desktop and Extract/Copy the contents of the .zip file there). 

Now, the saved config is a ZIP file, which contains the following single files:

• ca.crt: This is the certificate of the certification authority
  
• client.crt: This is the user certification file 
• client.key: This is your private key file
• openvpn.ovpn: This is your OpenVPN configuration file

If you need to change the country you connect to, you must re-configure the location to use in your account management and download the new zipped config file.

Step 3

Open your router interface, as before, by starting your web browser and typing the following IP in the address bar: 192.168.1.1 (this is the default router management address, yours may differ if you've manually set a different one)

Once in the router management console, 'Services' > then 'VPN'.

Scroll down to 'OpenVPN Client' and check the 'Enable' option next to 'Start OpenVPN Client' .

Now you can quickly fill in the client's settings as shown below:

• Server IP / Name: Please enter the server address of Step 2, e. g. '10-1-ca.cg-dialup.net'. Depending on the country to connect with, fist part of each address will be changed, e.g. instead of '10-1-ca.cg-dialup.net‘ (CA meaning Canada and 10-1 being the server group), when choosing a different country, the first part would be similar to '4-1-gb.cg-dialup.net' (GB meaning Great Britain and 4-1 the server group).
• Port: 443
• Tunnel Device: TUN
• Tunnel Protocol: UDP or TCP, depending on which protocol type you have chosen in step 1
• Encryption Cipher: AES-256 CBC
  
• Hash Algorithm: SHA256
• User Pass Authentication: ENABLE
• USERNAME: The Username you have generated when adding the device in STEP 1 (this is NOT your regular CyberGhost Username)
• PASSWORD: The Password you have generated when adding the device in STEP 1 (this is NOT your regular CyberGhost Password)
• Advanced Options: Enabled
• TLS Cipher: None
  
• LZO Compression: Adaptive
• NAT: Disable
• IP Address: leave blank
• Subnet Mask: leave blank 
• Tunnel MTU setting: 1500
• Tunnel UDP Fragment: 1300
• Tunnel UDP MSS-Fix: Disable
• nsCertType verification: Leave unchecked
• TLS Auth Key: leave blank
• Additional Config: Go to the folder where you've extracted the downloaded configuration, right-click the 'openvpn.ovpn' file and open it with a TEXT editor (any text editor will do but WordPad displays the config. more clearly).

  - Once open, select the passage from 'resolv-retry infinite' to 'comp-lzo' and right-click > COPY the selected text (or use CTRL+C)

  

  - Right-click in the 'Additional Config' field and click PASTE

  

• Policy based Routing: leave blank
• PKCS12 Key: leave blank
• Static Key: leave blank
• CA Cert: In this box please copy all of the text found in the 'CA.crt' file. Just like with the .ovpn file, right-click the 'CA.crt' file and choose Open With > WordPad/Notepad > copy ALL of the text 'ca.crt' and PASTE it in this box
• Public Client Cert:  In this box please copy all of the text found in the 'client.crt' file. Just like with the .ovpn file, right-click the 'client.crt' file and choose Open With > WordPad/Notepad > copy ALL of the text 'client.crt' and PASTE it in this box
  
• Private Client Key: In this box please copy all of the text found in the 'client.key' file. Just like with the .ovpn file, right-click the 'client.key' file and choose Open With > WordPad/Notepad > copy ALL of the text 'client.key' and PASTE it in this box

Click on 'Save' and then on 'Apply Settings'.

Below is an example of a properly configured router:

 

Step 4

FInally, click on the 'Administration' tab > "Commands'.

In the 'Command Shell' field, copy and paste the following commands (from this article, select all commands beginning with 'iptables'  > right-click > copy):

 

 

iptables -I FORWARD -i br0 -o tun1 -j ACCEPT
iptables -I FORWARD -i tun1 -o br0 -j ACCEPT
iptables -I INPUT -i tun1 -j REJECT
iptables -t nat -A POSTROUTING -o tun1 -j MASQUERADE

 

Right-click in the 'Commands' box > PASTE > click on 'Save Firewall'.

NOTE: You may need to wait some time (upwards of 1 minute, depending on the router) for the settings to apply.

You can now reboot the device by going to 'Administration' > Management > scroll all the way down and click REBOOT ROUTER.

NOTE2: You WILL need to Reboot the Router each time you set a different country

Finally, restart your browser (this is extremely important as location info may be cached in the browser) and visit a website like iplocation.net to verify the change of your IP