
How to set up Proton VPN on DD-WRT routers

This is a step-by-step guide to setting up Proton VPN on your DD-WRT router.

If you set up your VPN account to work on your router, you can protect the online activity of each device connected to your WiFi. Below we explain how to get Proton VPN to work on your DD-WRT router. 

You can skip this setup process by purchasing a pre-configured router from FlashRouters. FlashRouters makes it easy for anyone to have VPN security for all of the Internet-connected devices in their home, including smartphones, smart TVs, and gaming consoles. No matter what Proton VPN plan you use, you can configure your router to work with your Proton VPN account. If you buy a Proton VPN pre-configured router, you will only need to enter your Proton VPN OpenVPN credentials.

Regardless of whether you are setting your router up yourself or using a pre-configured router, you will need your OpenVPN config files.  

Learn how to download OpenVPN config files for Proton VPN

1. Basic router settings

Log in to your DD-WRT administrative interface by opening your router's IP address in a browser (by default 192.168.1.1 or similar).

Navigate to Setup → Basic Setup.

Under Network Address Server Settings (DHCP), set the DNS values to the following Proton VPN DNS addresses:
(The DNS values depend on which transport protocol you want to use, either UDP or TCP. Learn more about UDP vs. TCP.)

If you are using UDP:

Static DNS 1 = 10.8.8.1
Static DNS 2 = 0.0.0.0
Static DNS 3 = 0.0.0.0 (default)
Use DNSMasq for DHCP = Checked
Use DNSMasq for DNS = Checked
DHCP-Authoritative = Checked

NOTE: If you are a FREE user and using FREE servers to configure your router, you will have to use 10.8.0.1 for Static DNS 1

If you are using TCP:

Static DNS 1 = 10.7.7.1 
Static DNS 2 = 0.0.0.0 
Static DNS 3 = 0.0.0.0 (default) 
Use DNSMasq for DHCP = Checked 
Use DNSMasq for DNS = Checked 
DHCP-Authoritative = Checked

NOTE: If you are a FREE user and using FREE servers to configure your router, you will have to use 10.7.0.1 for Static DNS 1

Then, Save and Apply settings.

2. Disabling IPv6

Navigate to Setup > IPV6 and set IPv6 to Disable, then Save & Apply Settings. (This is a recommended step to make sure you get no IP leaks.)

3. Open the desired *.ovpn config file with a text editor, such as Notepad.

In our example, we chose de-03.protonvpn.com.udp1194.ovpn.

 

4. Configuring the OpenVPN service

Navigate to Service > VPN.

Under OpenVPN Client, set Start OpenVPN Client = Enable

Then set the necessary fields as follows:

Server IP/Name = copy the value in the line starting with 'remote', excluding the port number at the end, e.g., 123.123.123.123 or de.protonvpn.com

Port = copy the value following the server IP address. For example, 1194 or 443

Tunnel Device = TUN

Tunnel Protocol = copy the value from the proto line, e.g., UDP or TCP
Note: If you are using 10.8.8.1 or 10.8.0.1 as "Static DNS 1" in Step 1, then select UDP for Tunnel Protocol.
      If you are using 10.7.7.1 or 10.7.0.1 as "Static DNS 1" in Step 1, then select TCP for Tunnel Protocol.

Encryption Cipher = AES-256-CBC

Hash Algorithm = SHA-512

User Pass Authentication = Enable

Username, Password = Your OpenVPN credentials

If the Username and Password fields are missing, fill in the remaining fields and continue with step 4.1.

Advanced Options = Enable (this will enable additional options)

TLS Cipher = None

LZO Compression = No

NAT = Enable

Note 1: To find your OpenVPN username and password, go to your Proton Account. These are not the same as your regular Proton Account username and password.

Note 2: To use our NetShield DNS filtering feature, append the suffix +f1 to your Username to block malware, or +f2 to block malware, ads, and trackers (for example 123456789+f2).

Options not mentioned above should be kept with default values.
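
The mapping from the .ovpn file to the fields above, as an added example (not Proton VPN's own tooling): a POSIX shell helper that reads the first remote and proto lines and checks that Static DNS 1 from step 1 matches the tunnel protocol. The function names and the sample config contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: derive the DD-WRT OpenVPN Client fields from an .ovpn file.

# Print Server IP/Name, Port and Tunnel Protocol from the first "remote"
# and "proto" directives; comment lines starting with # or ; are skipped.
ovpn_fields() {
    awk '
        /^[ \t]*[#;]/ { next }
        $1 == "proto"  && !p { proto = toupper($2); sub(/-.*/, "", proto); p = 1 }
        $1 == "remote" && !r { host = $2; port = $3; r = 1 }
        END {
            if (!p || !r) exit 1
            print "Server IP/Name = " host
            print "Port = " port
            print "Tunnel Protocol = " proto
        }' "$1"
}

# Succeed only when Static DNS 1 from step 1 belongs to the protocol,
# following the note under Tunnel Protocol.
dns_matches_proto() {   # $1 = UDP or TCP, $2 = Static DNS 1
    case "$1:$2" in
        UDP:10.8.8.1|UDP:10.8.0.1) return 0 ;;
        TCP:10.7.7.1|TCP:10.7.0.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample standing in for a downloaded config file.
sample=$(mktemp)
cat > "$sample" <<'EOF'
client
dev tun
proto udp
remote 123.123.123.123 1194
remote 123.123.123.123 443
EOF

ovpn_fields "$sample"
if dns_matches_proto UDP 10.7.7.1; then
    echo "Static DNS 1 matches the tunnel protocol"
else
    echo "Mismatch: 10.7.7.1 is the TCP resolver, but proto is udp"
fi
rm -f "$sample"
```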

4.1. (Optional, depending on step 5.)

If the Username and Password fields are missing, go to Administration > Commands, and enter this code:

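# Write the OpenVPN username (line 1) and password (line 2) to the credentials file
echo "YOURUSERNAME
YOURPASSWORD" > /tmp/openvpncl/user.conf
# Restart the OpenVPN client so that it reads the new file
/usr/bin/killall openvpn
/usr/sbin/openvpn --config /tmp/openvpncl/openvpn.conf --route-up /tmp/openvpncl/route-up.sh --down-pre /tmp/openvpncl/route-down.sh --daemon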

Replace YOURUSERNAME and YOURPASSWORD with your OpenVPN username and OpenVPN password. If you do not know your OpenVPN credentials, see this article.

Click Save Startup, and return to the previous VPN tab.

5. In the Additional Config box, enter or copy and paste these options:

tls-client
remote-cert-tls server
remote-random
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ping-timer-rem
reneg-sec 0
#log /tmp/vpn.log
# Delete '#' in the line below if your router does not have credentials fields and you followed step 4.1:
# auth-user-pass /tmp/openvpncl/user.conf

6. Copy the CA Cert into the respective field.

Be sure the entire text gets pasted in, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.

7. Copy the TLS Auth Key into the respective field.

Be sure the entire text gets pasted in, including the -----BEGIN OpenVPN Static key V1----- and -----END OpenVPN Static key V1----- lines.

8. After entering all this data, Save and Apply Settings

9. To verify that the VPN is working, go to Status > OpenVPN

Under State, you should see the message: Client: CONNECTED SUCCESS.

10. To create a kill-switch:

Go into Administration > Commands, and enter this script:

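# WAN interface name as stored in NVRAM
WAN_IF=`nvram get wan_iface`
# Reject LAN (br0) traffic that would leave through the WAN interface instead of the VPN tunnel
iptables -I FORWARD -i br0 -o $WAN_IF -j REJECT --reject-with icmp-host-prohibited
iptables -I FORWARD -i br0 -p tcp -o $WAN_IF -j REJECT --reject-with tcp-reset
# REJECT has no udp-reset type; UDP is answered with ICMP port-unreachable
iptables -I FORWARD -i br0 -p udp -o $WAN_IF -j REJECT --reject-with icmp-port-unreachable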

Then select Save Firewall, go to Administration > Management, and select Reboot router.
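
A check for the kill switch above, as an added example that is not part of the original guide: it reads the FORWARD chain in iptables-save format and reports whether the REJECT rule is reached before any ACCEPT that could pass traffic from br0 to the WAN interface. The interface names vlan2 and tun1, the rule listing, and the availability of iptables-save output on your build are assumptions.

```shell
#!/bin/sh
# Added example: confirm the kill-switch REJECT is the first FORWARD rule
# that decides LAN (br0) -> WAN traffic. User-defined chains are not followed.

# Rules on stdin in "-A FORWARD ..." form; $1 = WAN interface name.
# Prints "blocked"       an unconditional REJECT/DROP for br0 -> WAN comes first
#        "leak-possible" an ACCEPT that can match br0 -> WAN comes first
#        "no-rule"       neither was found
killswitch_verdict() {
    awk -v wan="$1" '
        $1 != "-A" || $2 != "FORWARD" { next }
        {
            in_if = ""; out_if = ""; target = ""; extra = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "-i") in_if = $(++i)
                else if ($i == "-o") out_if = $(++i)
                else if ($i == "-j") target = $(++i)
                else if ($i == "--reject-with") i++
                else extra = 1      # -p, -m, -s, -d: rule is conditional
            }
            if (in_if != "" && in_if != "br0") next
            if (out_if != "" && out_if != wan) next
            if (target == "ACCEPT") { verdict = "leak-possible"; exit }
            if ((target == "REJECT" || target == "DROP") && !extra) {
                verdict = "blocked"; exit
            }
        }
        END { print (verdict == "" ? "no-rule" : verdict) }'
}

# Constructed rule listing; vlan2 (WAN) and tun1 (VPN) are sample names.
rules='-A FORWARD -i br0 -o vlan2 -p tcp -j REJECT --reject-with tcp-reset
-A FORWARD -i br0 -o vlan2 -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br0 -o tun1 -j ACCEPT'

printf '%s\n' "$rules" | killswitch_verdict vlan2
```

The check is deliberately conservative: any ACCEPT that could match the LAN-to-WAN path ahead of the REJECT is reported as leak-possible, even if it carries extra conditions.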
