
Howto: Setup airvpn on DD-WRT, refreshed guide.


It's been complained about in the forum that the instructions on setting up a DD-WRT router with airvpn located at https://airvpn.org/ddwrt/?hl=ddwrt are out of date. For the DD-WRT release I use, the guide is indeed a little outdated, but comprehensible.


Still, without warranty and strictly on your own responsibility you could try my guide below. I am unable to provide any support, but this guide hopefully can help someone.


For this guide I presume you know what a kill switch is, you know how to set up all other parts of your DD-WRT router such as setting up DHCP for example, and you know how to log into your dd-wrt web interface.


In the client area of the airvpn web site, create config files, here. Select any server location and port, it doesn't need to be the one you will use, you only need the certificates & keys. Make sure to tick "Advanced Mode", and tick "Separate certs/keys from .ovpn file", then generate and download the configuration files.


Log into your DD-WRT router and ...


Step 1. Navigate to the "Services" tab then select the "VPN" tab.


Step 2. Select "Enable" under OpenVPN Client.


Step 3. Configure the first part of the screen as per screenshot below, noting comments below the screenshot.



In the "Server IP/Name" field, indicated by a red arrow, you can either

  • enter a specific server IP ( how to find a specific server IP )
  • substitute the "XX" with the ISO code of the country you wish to connect to (for example DE for Germany, NL for the Netherlands, BE for Belgium, etc.)
  • substitute the "XX" with the continent name (america, asia, earth, europe respectively)
  • leave the field completely empty IF you wish to use random servers from a selection you specify. In this case, make sure to follow step 5.

In the "IP Address" field, indicated by a green arrow, you should put the default IP of your router ("gateway"). How to find your router address is beyond this tutorial.


Step 4. To configure the second part of the screen we'll need to copy-paste from the config files you generated earlier, as per the screenshot below, noting the comments below the screenshot.



Using your favorite text editor

  • Open up "ta.key" and copy all of the contents into the "TLS Auth Key" field. (green arrow)
  • Open up the file "ca.crt" and copy all of the contents into the "CA Cert" field. (blue arrow)
  • Open up the file "user.crt" and copy only the part from "-----BEGIN CERTIFICATE-----" through "-----END CERTIFICATE-----", including both marker lines, into the "Public Client Cert" field. (brown arrow)
  • Open up "user.key" and copy all of the contents into the "Private Client Key" field. (red arrow)

Step 5. And the yellow arrow "Additional Config" field? If in Step 3 you left the "Server IP/Name" field empty because you would like to connect to airvpn servers in a relatively random fashion based on a select preset of countries and/or continents and/or specific servers, this step 5 is for you. Copy-paste and amend:



# substitute XX with country or continent as explained earlier
remote XX.vpn.airdns.org 443
remote XX.vpn.airdns.org 443
remote XX.vpn.airdns.org 443
# substitute XXX.XXX.XXX.XXX with a specific server IP
remote XXX.XXX.XXX.XXX 443
remote XXX.XXX.XXX.XXX 443
remote XXX.XXX.XXX.XXX 443
resolv-retry infinite

As an example, it should look something like:



remote AT.vpn.airdns.org 443
remote BE.vpn.airdns.org 443
remote BG.vpn.airdns.org 443

remote CA.vpn.airdns.org 443

remote asia.vpn.airdns.org 443

remote 443

remote 443

remote 443
resolv-retry infinite

Step 6. Click "Save" at the bottom of the page then "Apply Settings". It should work, but a reboot never hurts.




The Kill Switch in the original instructions may work for you. They did not work for me regardless of correct TUN. I used the below kill switch which I found to be working for me, so I share it here.


  • Go to the "Administration" tab then select the "Commands" tab.
  • Copy the following firewall rules into the command window

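# Detect the WAN interface from the default route.
WAN_IF="$(ip route | awk '/^default/{print $NF}')"
# Reject new connections from the LAN bridge (br0) that would leave directly via the WAN.
iptables -I FORWARD -i br0 -o "$WAN_IF" -m state --state NEW -j REJECT --reject-with icmp-host-prohibited
# Inserted above the previous rule: answer TCP connection attempts with a reset.
iptables -I FORWARD -i br0 -p tcp -o "$WAN_IF" -m state --state NEW -j REJECT --reject-with tcp-reset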

  • Click on "Save Firewall"




It's been said in the forums (not finding reference to link, search refuses "DNS") it is better to use the airvpn server IP as DNS server. On a DD-WRT router, this is hard to achieve if you do not connect to a specific pre-defined server (most users)., one of airvpn DNS, is the next best IP to use as DNS server. However ...


I found through trial and error - so this is only my pitiful experience - that if you do not put as primary DNS, DD-WRT will keep using your primary DNS regardless whether connected to airvpn or not. is not accessible outside the VPN, so you need a secondary VPN from another provider, such as opennic, find them here .


You will find this leads to occasional DNS fallback, leaks if you will, to the secondary/other DNS when is slow or dysfunctional. But, such a DNS leak is still through the airvpn server IP, your location should still be hidden.


So I would recommend in the DD-WRT control panel section "Setup" - "Basic Setup" - "Network Address Server Settings (DHCP)" to set the primary DNS as and the secondary and further DNS as other free DNS servers, such as those from OpenNIC.


A moat does not protect against pigeons!
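
A pre-paste check for the Step 5 "Additional Config" text, as an added example that is not part of the original post: it flags unsubstituted XX placeholders, entries where the host went missing, notes left on a `remote` line, and a missing `resolv-retry infinite`. The function names and the sample lines are constructed here, and it assumes the guide's `remote <host> <port>` form.

```shell
# Added example, not from the thread; function names and sample are constructed.

# Lint an "Additional Config" snippet (stdin) in the form the guide uses:
#   remote <host> <port>   ...   resolv-retry infinite
# Prints one finding per line and returns 1 if anything was found.
lint_additional_config() {
    awk '
        function bad(msg) { printf "line %d: %s: %s\n", NR, msg, $0; n++ }
        function valid_ip(h,   o, k, i) {      # dotted quad with octets 0..255
            k = split(h, o, ".")
            if (k != 4) return 0
            for (i = 1; i <= 4; i++) if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) return 0
            return 1
        }
        NF == 0 || $1 ~ /^[#;]/ { next }       # blank lines and comments
        $1 == "resolv-retry" && $2 == "infinite" { retry = 1 }
        $1 != "remote" { next }
        { remotes++ }
        NF < 3     { bad("expected remote <host> <port>"); next }
        $2 ~ /^XX/ { bad("placeholder not substituted"); next }
        NF > 4     { bad("extra text after the remote entry"); next }
        $2 ~ /^[0-9.]+$/ && !valid_ip($2) { bad("invalid IPv4 address"); next }
        $3 !~ /^[0-9]+$/ || $3 + 0 < 1 || $3 + 0 > 65535 { bad("invalid port"); next }
        END {
            if (!remotes) { print "no remote entries"; n++ }
            else if (!retry) { print "resolv-retry infinite is missing"; n++ }
            exit (n > 0)
        }
    '
}

sample_config() {   # constructed: one good entry and three typical paste mistakes
    printf '%s\n' 'remote AT.vpn.airdns.org 443' \
                  'remote XX.vpn.airdns.org 443' \
                  'remote 443' \
                  'remote asia.vpn.airdns.org 443 (note left in)' \
                  'resolv-retry infinite'
}

# Demo run on the constructed sample; the lint returns 1 here by design.
sample_config | lint_additional_config || true
```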


Thanks for this guide!  As a DD-WRT user, I found it especially useful.  Especially the "kill switch" firewall rules you provided.


Maybe one thing to mention.. checking 'nsCertType verification' only gives an error in the connection log.


Would it be better to put 'remote-cert-tls server' under Additional Config?


re: KillSwitch on ddwrt router.


Neither one of those 2 fw rules** added work for me 100% --- there will be an IP-Leak, when router is in-between start and fully loaded and simultaneously Windows10 is waiting for connect *  ... I don't think that happens with Eddie's fw lock, just why can't I set up the same on my router?



* for a full protocol I would have wireshark to record it ofc

** the original and yours




PS: Thank you very much for your effort
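
A check for the kill switch rules discussed in this thread, as an added example that is not part of any post: it reads a FORWARD chain listing and reports whether new br0-to-WAN connections are rejected before any ACCEPT rule, and it fails when no WAN interface could be detected. The function names and sample data are constructed, and it assumes the router's iptables build supports `-S`.

```shell
# Added example, not from the thread; names and sample data are constructed.

# WAN interface from `ip route` text on stdin. Reads the token after "dev"
# instead of the last field, so trailing fields such as a metric do not matter.
wan_if_from_routes() {
    awk '/^default/ { for (i = 1; i < NF; i++) if ($i == "dev") { print $(i+1); exit } }'
}

# stdin: `iptables -S FORWARD` text; $1 = LAN bridge, $2 = WAN interface.
# Returns 0 only if NEW LAN->WAN traffic hits a protocol-independent REJECT/DROP
# before any ACCEPT. Simplified: ignores negation, -s/-d and user-chain jumps.
check_kill_switch() {
    [ -n "$2" ] || { echo "FAIL: WAN interface is empty (no default route?)"; return 1; }
    awk -v lan="$1" -v wan="$2" '
        function opt(name,   i) {   # value that follows option name, else ""
            for (i = 1; i < NF; i++) if ($i == name) return $(i+1)
            return ""
        }
        $1 != "-A" || $2 != "FORWARD" { next }
        {
            in_if = opt("-i"); out_if = opt("-o"); target = opt("-j")
            states = opt("--state") opt("--ctstate")
            covers = (in_if == "" || in_if == lan) && (out_if == "" || out_if == wan)
            if (!covers || (states != "" && states !~ /NEW/)) next
            if (target == "ACCEPT") { print "FAIL: ACCEPT comes first: " $0; bad = 1; exit }
            if ((target == "REJECT" || target == "DROP") && opt("-p") == "") { ok = 1; exit }
        }
        END {
            if (bad) exit 1
            if (!ok) { print "FAIL: no " lan "->" wan " REJECT/DROP for NEW traffic"; exit 1 }
            print "OK: NEW " lan "->" wan " traffic is rejected"
        }
    '
}

sample_routes() {   # constructed `ip route` output
    printf '%s\n' '192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1' \
                  'default via 198.51.100.1 dev vlan2'
}
sample_rules() {    # constructed: FORWARD chain after the guide's two -I commands
    printf '%s\n' '-P FORWARD ACCEPT' \
        '-A FORWARD -i br0 -o vlan2 -p tcp -m state --state NEW -j REJECT --reject-with tcp-reset' \
        '-A FORWARD -i br0 -o vlan2 -m state --state NEW -j REJECT --reject-with icmp-host-prohibited' \
        '-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT' \
        '-A FORWARD -i br0 -j ACCEPT'
}
sample_rules | check_kill_switch br0 "$(sample_routes | wan_if_from_routes)" || true
```

On a router the same functions would be fed live data, as in `iptables -S FORWARD | check_kill_switch br0 "$(ip route | wan_if_from_routes)"`.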


Thank you for this guide. 


What would be the steps necessary to use the new IPv4 + IPv6 features with tls-crypt with DD-WRT? Is it even possible at the moment?
