My home DD-WRT configuration for privacy and security. Documenting so I can remember my preferred settings whenever I update/reset the router.
- Linksys WRT3200ACM: https://www.linksys.com/us/support-product?pid=01t340000046sOsAAI
- v3.0-r47911 std (12/23/21): https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=331086
- ProtonVPN: https://protonvpn.com/
- How to set up ProtonVPN on DD-WRT routers doc: https://protonvpn.com/support/vpn-router-ddwrt/
- How to download ProtonVPN OpenVPN configuration files doc: https://protonvpn.com/support/vpn-config-download/
- What is IKEv2/IPSec? doc: https://protonvpn.com/support/what-is-ikev2-ipsec/
Settings for configuring ProtonVPN.
Set ProtonVPN DNS addresses (UDP)
- Static DNS 1: 10.8.8.1
- Use DNSMasq for DNS: Checked
- DHCP-Authoritative: Checked
- Time Zone: America/Los_Angeles
Save and Apply Settings.
Ensure IPv6 is disabled so that no IP leaks occur.
IPv6: Disabled
Save and Apply Settings.
Set Start OpenVPN Client to Enabled. Before configuring the OpenVPN service, log into ProtonVPN, then download and open the desired *.ovpn config file to fill out the necessary fields below:
- Server IP/Name : Port:
  - Server IP/Name: [*.ovpn file server name].protonvpn.com, e.g. is-us-01.protonvpn.com
  - Port: Value behind the server IP, e.g. 1194 or 443 (Leave unchanged, default is 1194)
- Tunnel Device: TUN
- Tunnel Protocol: udp
- Encryption Cipher: AES-256-CBC
- Hash Algorithm: SHA512
- User Pass Authentication: Enabled
- Username and Password: OpenVPN IKEv2 credentials.
  - How to get OpenVPN IKEv2 credentials: Log into your ProtonVPN account and, in the navigation menu on the left, go to Account > OpenVPN / IKEv2 username.
  - Append +f2 at the end of the username to use ProtonVPN NetShield to block malware, ads, and trackers, e.g. 123456789+f2.
- Advanced Options: Enabled
- TLS Cipher: None
- Compression: No
- NAT: Enabled
- Killswitch: Checked
- Source routing (PBR): Route selected sources via VPN
  - This enables Policy based Routing, which lets only selected devices route via the VPN.
- Additional config box:
    tls-client
    remote-cert-tls server
    remote-random
    nobind
    tun-mtu 1500
    tun-mtu-extra 32
    mssfix 1450
    persist-key
    persist-tun
    ping-timer-rem
    reneg-sec 0
    #log /tmp/vpn.log
- CA Cert: Copy and paste the entire CA Cert from the *.ovpn file. Be sure to include the entire text, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.
- TLS Key: Copy and paste the entire TLS Key from the *.ovpn file. Be sure to include the entire text, including the -----BEGIN OpenVPN Static key V1----- and -----END OpenVPN Static key V1----- lines.
Save and Apply Settings.
Go to Status > OpenVPN. Under State, Client should say: CONNECTED SUCCESS
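Pulling the field values out of the downloaded *.ovpn file with a script avoids transcription mistakes and catches a CA Cert or TLS Key that is missing its BEGIN/END line. This is an added example, not part of the original notes or ProtonVPN's tooling; the sample file is constructed with a documentation address and placeholder PEM bodies, and the function names are hypothetical.

```python
import re

# Constructed sample shaped like a provider .ovpn file; address and PEM bodies are placeholders.
SAMPLE_OVPN = """dev tun
proto udp
remote 192.0.2.10 1194
cipher AES-256-CBC
auth SHA512
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDERCERTBODY
-----END CERTIFICATE-----
</ca>
<tls-auth>
# comment line that some files put above the key
-----BEGIN OpenVPN Static key V1-----
PLACEHOLDERKEYBODY
-----END OpenVPN Static key V1-----
</tls-auth>
"""

INLINE = re.compile(r"<([\w-]+)>\n(.*?)\n</\1>", re.S)  # inline <ca>, <tls-auth>, ... blocks

def parse_ovpn(text):
    """Return (single-line directives, inline <tag> blocks) from .ovpn text."""
    text = text.replace("\r\n", "\n")
    blocks = {m.group(1): m.group(2) for m in INLINE.finditer(text)}
    directives = {}
    for line in INLINE.sub("", text).splitlines():
        line = line.strip()
        if line and line[0] not in "#;":  # skip blanks and comments
            key, _, value = line.partition(" ")
            directives.setdefault(key, value.strip())  # keep the first occurrence
    return directives, blocks

def pem_section(block, label):
    """Keep only the BEGIN..END span (marker lines included); None if it is cut off."""
    m = re.search(rf"-----BEGIN {label}-----\n.*?\n-----END {label}-----", block or "", re.S)
    return m.group(0) if m else None

def ddwrt_fields(text):
    # Map the .ovpn contents onto the DD-WRT OpenVPN client fields listed above.
    d, b = parse_ovpn(text)
    host, port = (d.get("remote", "").split() + [None, None])[:2]
    return {
        "Server IP/Name": host, "Port": port, "Tunnel Protocol": d.get("proto"),
        "Encryption Cipher": d.get("cipher"), "Hash Algorithm": d.get("auth"),
        "CA Cert": pem_section(b.get("ca"), "CERTIFICATE"),
        "TLS Key": pem_section(b.get("tls-auth"), "OpenVPN Static key V1"),
    }
```

A `None` in the result means the directive or block was absent or incomplete in the file, so that field should be checked by hand before saving.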
Configure static leases for devices that were assigned dynamic IPs via DHCP for Policy based Routing.
- Go to Status > LAN > DHCP Clients to see the list of devices.
- Open a text editor, e.g. Notepad, and copy and paste the name of the devices with their respective MAC and IP addresses.
- Static Leases: Add the number of IP addresses desired to assign static leases.
- Input those devices from the text editor into the Static Leases.
Save and Apply Settings.
- Policy based Routing: Include the static IPs following the below format:
###Device name###
IP address
To stop an IP address from being routed to the VPN, comment out the IP address with three # on both sides of the IP, e.g. ###XXX.XXX.X.X###
Save and Apply Settings.