Router: How to configure OpenVPN for flashed DD-WRT routers

Please note the following requirements: 

• Router with alternative DD-WRT firmware and support of OpenVPN. Older versions need to be updated.
  Info: DD-WRT Website
• A CyberGhost account
  Info: Here's how to create a CyberGhost account online
  Info: How to manage your CyberGhost account
• A CyberGhost subscription
  Info: How to purchase or upgrade a subscription
  Info (only prepaid subscribers): Enter activation key

Disclaimer: Please keep in mind that, although the technical process is as thoroughly documented as possible, you need to have at least some technical understanding. There's always a chance for an overseen mistake and/or things have changed and the article is not updated yet. 

Some general notes on routers:

• Routers are usually not equipped with state of the art hardware, meaning you will have speed losses when using a VPN connection (due to low CPU power to process encryption). Direct connections from your PC, Laptop, Tablet, etc. to the VPN network (without the router providing the VPN software) will work better for you, if speed is among your favorite desires.
• If your flashed router doesn't provide DSL functionality, your Internet connection will still need to be managed by your DSL modem. In that case your device pool will hook on your router (via cable or wireless) and the router itself will be hooked to your DSL modem. So don’t forget to configure your WLAN devices to connect to the new router, so they won’t log in to the old WLAN. Alternatively you can deactivate your modem’s WLAN completely (only if you don’t need it for unencrypted traffic).
• If you flash your router with an alternative firmware you might lose your device’s guarantee; please consult your dealers’ policies regarding this matter. Furthermore it might happen that the flash process leaves your device unusable, e.g. after a power failure while flashing. CyberGhost is not to be held responsible for any damages, does not acknowledge any liabilities and will not adopt your manufacturer’s warranty.
• Also please note that not all routers with VPN client support will be able to connect to the CyberGhost network or might loose that ability with future firmware updates.

Step 1

First thing you should do is to make sure your DD-WRT router can connect to the Internet, but also is in a different network class then any other router you might have. For that open your router settings, click on 'Setup' in the upper menu and on 'Basic Setup' in the lower menu, activate the automatic configuration of IP addresses (DHCP) for the WAN and give your DD-WRT router a fixed local IP address under 'Network Setup'.

Step 2

Visit your CyberGhost VPN online account.

Click on the menu entry 'My Devices' and then on button 'Add Device'.

In the list of Operating Systems you can CyberGhost use with, please click on 'Other' to be able to setup all necessary options for the OpenVPN protocol. When done the screen extends and gives way to 'Create new credentials'. Do it by clicking on the respective button.

Scroll up the page. As you see, the placeholder for a new device is now replaced by 'Linux, Router, etc.'. Click on that button:

Type a name for your new device and activate the wanted extra features, provided with each regular subscription:

Scroll down and generate the login and configuration data for the OpenVPN protocol: 

• Protocol: Choose the OpenVPN protocol you want to use:
  OpenVPN (UDP): UDP allows higher speed than the TCP version, but can result in broken downloads in some cases. This is the default setting.
  OpenVPN (TCP): TCP allows more stable connections than the UDP version, but is a bit slower. Choose this version, if you have recurrent connection issues such as sudden disconnections.
  
• Country: Since native protocol connections may only be used with exactly one server you now have to choose the country you want to surf from; the server to be used in this country will be chosen by CyberGhost automatically. (If you want or need different PPTP, L2TP or OpenVPN connections in different countries, repeat all steps for every country.)
• Server group: Depending on the chosen country as well as the availability of different server types as an attribute of your current plan you can also define a server group to use:
  Standard and Premium Server: This is the group of all paid service servers of the country chosen.
  NoSpy Server: This is the group of all exclusive NoSpy servers of the country chosen. These servers can only be accessed by those subscribers, who opt for them as an additional feature.

After setting up your connection wishes please note down the following data sets. You will need them to configure your device:

• Server: This is the address of the country (server) you want to be connected with, e.g. '1-ro.cg-dialup.net'. Note: This address changes with every country you have chosen in the step before. The actual single server to be used will be chosen automatically by CyberGhost.
• User name: A solely for protocol usage generated user name. This is NOT your regular CyberGhost account user name.
• Password: A solely for protocol usage generated password. This is NOT your regular CyberGhost account password.
  

Once done, please download the configuration file. For that please click on 'Download Configuration' and save the file on your computer. It's a ZIP file, which contains the following single configuration files:

• ca.crt: This is the certificate of the certification authority
  
• client.crt: This is the user certification file 
• client.key: This is your private key file
• openvpn.ovpn: This is your OpenVPN configuration file

If you need to change the country to surf from, you must re-configure the location to use in your account management and download the new zipped config file.

Step 3

Open your router interface and click in the upper menu on ‚Services‘ and in the lower menu on ‚VPN‘. Locate the area 'OpenVPN Client' and click right to 'Start OpenVPN Client' on 'Enable'.

Now you need to start filling in the client's settings:

• Server IP / Name: Please enter the server address of Step 2, e. g. '4-de.cg-dialup.net'. Depending on the country to connect with, the second block of each address will be exchanged, e.g. instead '4-de.cg-dialup.net‘ (for Germany with Standard Server Group) '4-ro.cg-dialup.net‘ (for Romania with Standard Server Group). When configuring location and server group, the complete and proper address will be generated automatically for you. It includes encrypted information about your plan, the country, the server group chosen and the domain name; the protocol to be used will be detected automatically when connecting to CyberGhost.
• Port: The port address is '443'.
• Tunnel Device: TUN
• Tunnel Protocol: UDP or TCP, depending on which protocol type you have chosen in step 1
• Encryption Cipher: AES
• Hash Algorithm: SHA256
• nsCertType verification: not checked
• Advanced Options: Enabled
• TLS Cipher: not checked
• LZO Compression: Adaptive
• NAT: Disable
• Bridge TAP to br0: Disable (we will do this with firewall commands)
• IP Address: leave blank
• Subnet Mask: leave blank 
• Tunnel MTU setting: 1500
• Tunnel UDP Fragment:1300
• Tunnel UDP MSS-Fix: Disable
• LS Auth Key: leave blank
• Additional Config: In this box please type in 'auth-user-pass /tmp/key.txt' and then copy from your downloaded 'openvpn.ovpn' configuration file the passage from 'resolv-retry infinite' to 'comp-lzo' into it. For that you open the file with an editor, mark the passage, copy the text with 'Control-C' and insert the text here with 'Control-V'. Afterwards the content should look similar to this sample (see also screen shot below):

auth-user-pass /tmp/key.txt
resolv-retry infinite
redirect-gateway def1
persist-key
persist-tun
nobind
cipher AES-256-CBC
auth SHA256
ping 5
ping-exit 60
ping-timer-rem
explicit-exit-notify 2 [Note: Some routers don't understand this command. In cases of doubt or if the configuration doesn't work, please remove this entry.]
script-security 2
remote-cert-tls server
route-delay 5
tun-mtu 1500
fragment 1300
mssfix
verb 4
comp-lzo

Please don’t copy the example text above and use your downloaded OpenVPN file instead, because a server configuration might have been changed after publishing this article.

Now take care of the next options:

• Policy based Routing: leave blank
• PKCS12 Key: leave blank
• Static Key: leave blank
• CA Cert: In this box please copy all text of the file 'ca.crt'. For that you open the respective file with a simple editor and copy the text like you have done before with the 'openvpn.ovpn'.
• Public Client Cert: In this box please copy all text of the file 'client.crt'.
• Private Client Key: In this box please copy all text of the file 'client.key'.

At last click on 'Save' and then on 'Apply Settings'.

Step 4

Activate the tab 'Administration' in the upper menu and 'Commands' in the lower menu. In the area 'Command Shell' you now enter the following commands:

echo 'username' > /tmp/key.txt
echo 'password' >> /tmp/key.txt

Please enter the user name created in step 1 instead 'username' and the password created in step 1 instead 'password' , e.g. 'echo johndoe12345 > /tmp/key.txt'.

DO NOT use your regular CyberGhost user name and password, which you use to login in the client and your account management!

Click on 'Save Startup'.

Now enter the following commands, again in the 'Command Shell':

iptables -I FORWARD -i br0 -o tun1 -j ACCEPT
iptables -I FORWARD -i tun1 -o br0 -j ACCEPT
iptables -I INPUT -i tun1 -j REJECT
iptables -t nat -A POSTROUTING -o tun1 -j MASQUERADE

Click on 'Save Firewall'.

You can now reboot the device and after the reboot you are connected to CyberGhost. You can check this on your router's interface under 'Status > OpenVPN'.