Remote working due to coronavirus? Harden Your Security with OpenWrt

Remote working due to coronavirus? Harden Home Security with OpenWrt

A secure home network has become a real necessity during the coronavirus pandemic, now that a large portion of the population has to work remotely and securely from home. For this purpose, it makes sense to build a very low-cost firewall device for both indoor and outdoor use.

OpenWrt is a Linux operating system targeting embedded devices. It’s an open-source software solution that is totally free and easy to configure, even for non-geeks. If you already have a router with OpenWrt pre-installed, it will make things a lot simpler.

With an OpenWrt device, you can configure your firewall and VPN accounts, block advertisements, block external hacking and malware attacks, and much more. For SBC (single-board computer) users, it’s highly recommended to buy a cheap, low-power board based on the Allwinner SoC, such as the NanoPi R2S, which features a pair of Ethernet ports and is very compact. You can burn the FriendlyWrt (OpenWrt) image onto a microSD card and update it online or install newer images.

Buying an SBC has a lot of advantages. It can be carried in a suitcase or even a small pocket and used anywhere while traveling abroad. On top of that, it can be used as a gateway device between your desktop computer and your existing router, adding an extra layer of security when working on untrusted local networks. In this short tutorial, we will configure Ivacy’s VPN service to run OpenVPN through OpenWrt installed on a router.

Main Specifications:

  • Model Number: WR330
  • Software: OpenWrt 18.06 FW
  • Standard: IEEE 802.11 b/g/n/ac
  • Antenna: 2 x 3dBi Fixed Antenna
  • External Storage support: 1 x USB
  • Fast Ethernet: 4 Gigabit Ethernet ports.
  • CPU: MTK MT7621A 880MHz+MT7603E+MT7612E
  • Memory & Storage: DDR3 128MB, FLASH 16MB

Data rate:

  • 2.4GHz 802.11n up to 300Mbps
  • 5GHz 802.11ac up to 867Mbps
  • RJ45 for 10/100/1000/Gigabits BaseT for WAN x 1
  • RJ45 for 10/100/1000/Gigabits BaseT for LAN x 4
  • USB2.0 x 1
  • Power input x 1
  • Reset button x 1
  • WPS x 1

Method 1

Configuring Ivacy VPN Service through CLI

(Command-line Setup).

Connecting to the Router via SSH Connection

Download PuTTY from here: Click Here

Launch PuTTY and enter:

Host Name: your router’s IP ( unless you changed it)
Port: 22
Connection type: SSH

Click “Open”

login as: “root”
enter your router’s password

Updating the package repository & installing OpenVPN

opkg update
opkg install <package>

Packages to install:

  • 6in4
  • luci-proto-ipv6
  • openvpn-openssl
  • ip-full

Creating the interface configuration file

Interface configuration:

cat >> /etc/config/network << EOF
config interface 'Ivacy'
option ifname 'eth0'
option proto 'none'
EOF

Creating an Authentication Login file

Adding username & password:

cat >> /etc/openvpn/userpass.txt << EOF
YOUR_IVACY_USERNAME
YOUR_IVACY_PASSWORD
EOF

Selecting a Server

Now you can select a preferred server based on geographic location. You can also use the ping command to pick the best server based on response time, measured in milliseconds. There are two types of ports you can pick, UDP and TCP, where UDP is the best option for streaming applications. If the purpose of your connection is to unlock Netflix access, it’s highly recommended to pick a server from the following seven regions: US, France, Japan, UK, Australia, Germany & Canada.


Ivacy VPN servers list (A partial list)  

Creating an OpenVPN configuration file

cat >> /etc/config/openvpn << EOF

config openvpn 'Ivacy'
option client '1'
option dev 'tun'
option proto 'udp'
option resolv_retry 'infinite'
option nobind '1'
option persist_key '1'
option persist_tun '1'
option user 'nobody'
option ca '/etc/openvpn/ca.crt'
option cert '/etc/openvpn/client.crt'
option key '/etc/openvpn/client.key'
option compress 'lzo'
option verb '3'
# set remote to the server you selected in the previous step
list remote ''
option port '53'
option auth_user_pass '/etc/openvpn/userpass.txt'
option auth 'SHA1'
option cipher 'AES-256-CBC'
option tls_auth '/etc/openvpn/Wdc.key'
option tls_client '1'
option enabled '1'
option dev_type 'tun'
option float '1'
EOF

Creating the CA (Certificate Authority) file

cat >> /etc/openvpn/ca.crt << EOF
<paste the contents of the provider's ca.crt here>
EOF

Creating an OpenVPN static key (TLS) file

cat >> /etc/openvpn/Wdc.key << EOF
# 2048 bit OpenVPN static key
-----BEGIN OpenVPN Static key V1-----
<paste the key lines from the provider's Wdc.key here>
-----END OpenVPN Static key V1-----
EOF

Starting OpenVPN Service

service openvpn start
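
Before starting the service, it is worth checking the secret files the configuration points at: OpenVPN warns when a credentials file is accessible by group or others, and a login file saved in DOS format carries a carriage return into the credentials. The script below is an added example, not part of the original tutorial; the function name and the optional ROOT prefix (used to point it at a test tree) are assumptions.

```shell
#!/bin/sh
# Added example: audit the secret files referenced by a UCI OpenVPN config.
# Options whose value is a path to secret material (ca/cert are public).
SECRET_OPTS="key tls_auth auth_user_pass"

# audit_openvpn_secrets CONFIG [ROOT]
# ROOT is a hypothetical path prefix so the check can run on a test tree.
# Prints one finding per line; returns 1 if anything needs fixing.
audit_openvpn_secrets() {
    cfg=$1 root=${2:-} rc=0
    cr=$(printf '\r')
    while read -r kind name value; do
        [ "$kind" = option ] || continue
        case " $SECRET_OPTS " in *" $name "*) ;; *) continue ;; esac
        # Strip the single or double quotes UCI puts around values.
        value=${value#[\'\"]}; value=${value%[\'\"]}
        file=$root$value
        if [ ! -f "$file" ]; then
            echo "MISSING $name $value"; rc=1; continue
        fi
        # Any group/other bit lets other local users reach the secret.
        perms=$(ls -ld "$file" | cut -c1-10)
        case $perms in
            -???------) ;;
            *) echo "LOOSE $name $value $perms (fix: chmod 600)"; rc=1 ;;
        esac
        # A login file saved in DOS format has a CR after each line.
        if [ "$name" = auth_user_pass ] && grep -q "$cr" "$file"; then
            echo "CRLF $name $value (re-save in UNIX format)"; rc=1
        fi
    done < "$cfg"
    return $rc
}

# On the router: audit_openvpn_secrets /etc/config/openvpn
```
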

Method 2

Configuring Ivacy VPN Service through LUCI Web Interface

Installing OpenVPN Client Packages

First, connect to LUCI (the interface on your router) by going through your browser. By default, your router should have the IP address

Log in as root using your regular password for the router. Navigate to System → Software and click on Update lists.

Under Download and install package, search for the following packages:

  • 6in4
  • luci-proto-ipv6
  • openvpn-openssl
  • ip-full

Press OK on each of them to download and install them.

Downloading OpenVPN Configuration Files

From Ivacy website listed below:

If you are setting up a router / SBC, you need to download and extract the following zip file, which contains the OpenVPN configuration files:

DD-WRT / Linux / Android / iOS Click here to Download File


These are the files needed to configure Ivacy VPN:

  • ca.crt (Certificate Authority).
  • Wdc.key (Secret Key).
  • Secure-client.key -> renamed to client.key
  • Secure-client.crt -> renamed to client.crt
  • United States-Chicago-UDP (server configuration file used as reference).

Creating a login file

SSH with your ROOT account via PuTTY or other SSH clients to your router / SBC IP address:

Using “TextPad” or a similar editor, create a new text file, put your username on the first line and your password on the second line, and save it as “userpass.txt”. Make sure you choose the UNIX file format when saving!

userpass.txt file content:



Connect to the router and upload configuration files:

  1. Next, download WinSCP from here: Click Here
  2. Launch WinSCP.

Enter the following settings and information:

Hostname: your router’s IP (it’s unless you changed it)
Port number: 22
User Name: root
Password: your password to your router
Private key file: just leave it blank
File protocol: SCP

Click “Login” (Ignore the error about user groups.)

3. Using WinSCP, transfer your files to the /etc/openvpn directory of your router.

  • ca.crt
  • client.crt
  • client.key
  • userpass.txt

Configuring OpenVPN Client

Configuration category: Services

Navigate to Configuration category: Service

Type the name of the OpenVPN instance (e.g. Ivacy). Select Client configuration for a router multi-client VPN and click Add.

Finally, click on the Save button.

Click on the Edit button next to the Ivacy client name you just created.

Next, click on the dropdown that says ‘— Additional Field–‘ at the bottom and add the following options listed in the table below:

  • verb: 3
  • port: 53
  • dev_type: tun
  • nobind: should be selected
  • client: should be selected
  • ca: /etc/openvpn/ca.crt
  • cert: /etc/openvpn/client.crt
  • key: /etc/openvpn/client.key
  • proto: udp

Finally, click on the Save button.

  1. Next, click on Switch to advanced configuration. Note the new default main subcategory of menu items will be Service.
  2. Uploading OpenVPN Configuration Files: Point each file in the folder one by one where you extracted the

Make sure the settings are as follows:

  • verb: 3
  • mlock: should not be selected
  • disable_occ: should not be selected
  • passtos: should not be selected
  • suppress_timestamps: should not be selected
  • fast_io: should not be selected
  • Should not be selected
  • up_restart: should not be selected
  • client_disconnect: should not be selected

Finally, click on the Save button.

Configuration category: Networking

  • Click on the dropdown that says ‘— Additional Field–‘ at the bottom of the page and add the following settings:

  • port: 53
  • dev: tun
  • dev_type: tun
  • nobind: should be selected
  • float: should be selected
  • persist_key: should be selected
  • persist_tun: should be selected

Finally, click on the Save button.

Configuration category: VPN

  • Click on the dropdown that says ‘— Additional Field–‘ at the bottom of the page. Select ‘auth_user_pass’ and click on ‘Add’.

  • client: should be selected
  • auth_user_pass: /etc/openvpn/userpass.txt
  • remote_random: should not be selected
  • proto: udp
  • http_proxy_retry: should not be selected
  • resolv_retry: infinite

Finally, click on the Save button.

Configuration category: Cryptography

Click on the dropdown that says — Additional Field– at the bottom of the page. Make sure the settings are as follows:

  • auth: SHA1
  • cipher: AES-256-CBC
  • mute_replay_warnings: should not be selected
  • tls_client: should be selected
  • ca: /etc/openvpn/ca.crt
  • cert: /etc/openvpn/client.crt
  • key: /etc/openvpn/client.key
  • single_session: should not be selected
  • tls_exit: should not be selected
  • tls_auth: /etc/openvpn/Wdc.key
  • auth_nocache: should not be selected

Finally, click on the Save & Apply button.

Configure the interface

Navigate to Networking → Interfaces. Click on Add new interface.

Make sure the settings are as follows:

  • Name of the new interface: Ivacy
  • Protocol of the new interface: Unmanaged
  • Cover the following interface: Custom interface: tun

Finally, click Submit.

Next, navigate to Advanced Settings. Make sure the settings are as follows:

  • Bring up on boot: should be selected
  • Use builtin IPv6-management: should be selected

Click on the Save & Apply button.

Next, navigate to Firewall Settings.

In the “unspecified -or- create” field, type ovpn_fw and press the Enter key.

Finally, click on the Save & Apply button.

Configure the firewall

Navigate to Networking → Firewall. Find ovpn_fw in the list of interfaces and click on Edit.

Make sure the following settings are applied:

  • Input: reject
  • Output: accept
  • Forward: reject
  • Masquerading: should be selected
  • MSS clamping: should be selected

Click on the Save & Apply button.

Scroll down to Inter-Zone Forwarding. Select Allow forward from source zones: lan

  • Covered networks: Ivacy should be selected
  • Allow forward from source: lan
  • Forward: reject


Finally, click on the Save & Apply button.
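
Method 1 stops before the firewall step, so here is a command-line equivalent of the zone settings above, written with uci. It is an added example, not part of the original tutorial; the section names ovpn_fw and lan_to_ovpn and the function name are chosen here.

```shell
#!/bin/sh
# Added example: the LuCI firewall steps above expressed as uci commands.
# Named sections are used so that re-running overwrites instead of duplicating.
configure_vpn_zone() {
    iface=${1:-Ivacy}                         # interface created earlier

    # Zone for the tunnel: nothing may connect in from the VPN side,
    # and nothing is forwarded unless a forwarding rule allows it.
    uci set firewall.ovpn_fw=zone
    uci set firewall.ovpn_fw.name='ovpn_fw'
    uci set firewall.ovpn_fw.input='REJECT'
    uci set firewall.ovpn_fw.output='ACCEPT'
    uci set firewall.ovpn_fw.forward='REJECT'
    uci set firewall.ovpn_fw.masq='1'         # Masquerading
    uci set firewall.ovpn_fw.mtu_fix='1'      # MSS clamping

    # Covered networks: reset the list, then add the VPN interface.
    uci -q delete firewall.ovpn_fw.network || true
    uci add_list firewall.ovpn_fw.network="$iface"

    # Inter-zone forwarding: allow lan -> ovpn_fw only.
    uci set firewall.lan_to_ovpn=forwarding
    uci set firewall.lan_to_ovpn.src='lan'
    uci set firewall.lan_to_ovpn.dest='ovpn_fw'

    uci commit firewall
}

# On the router: configure_vpn_zone Ivacy && /etc/init.d/firewall restart
```
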

Connect to Ivacy

Go back to LUCI (the interface on your router) by going through your browser. Navigate to Services → OpenVPN.

Make sure Enabled is selected for the OVPN profile and then click on Save & Apply. Click Start.

After a few seconds, a connection should be established. If you successfully connected to the server, you should see the following:

Ivacy VPN Service

Ivacy VPN service offers plans with very reasonable value for the money, as well as good, intuitive software clients across all mobile devices, including browser add-ons for Chrome and Firefox. If you are searching for a low-cost VPN to access Netflix, Ivacy is one of the cheapest VPN providers out there worth considering.

Ivacy VPN Plans

  • 1 Month: Save None
  • 1 Year: Save 66%
  • 2 Years: Save 75%
  • 5 Years: Save 87%

*30-Day Money Back Guarantee
*10 Simultaneous Connections
*Unlimited High-speed Bandwidth
*Apps for All Devices
*2000+ Servers in 100+ Locations
*Military Grade 256-Bit Encryption
*Advanced IPsec & IKEV Protocols
*Dedicated Kodi App
*Browser Addons
*P2P Support
*Free sticky password manager included in the 5 Years plan!
*7 major Netflix Regions including US, FR, JP, UK, Aus, De & Ca.
