This guide explains how to configure a router using DD-WRT firmware version 3.0-r40559 with Private Internet Access (PIA) OpenVPN configuration files.
If you prefer a preconfigured setup, FlashRouters offers plug-and-play DD-WRT routers with Private Internet Access (PIA) already installed.
Before you begin, download and extract the OpenVPN configuration file you want to use. This guide uses the California file from the Default set.
Available configuration sets:
Also, decide what DNS servers fit your needs. There are four options:
- 10.0.0.241 — this can provide access to all three of the following
- 10.0.0.242 — DNS only
- 10.0.0.243 — forwards streaming domains to the parent proxy for potential access to some streaming services
- 10.0.0.244 — MACE
Important: These DNS options cannot be directly specified in DD-WRT. To avoid DNS leaks, configure DNS settings on individual devices connected to the router.
Steps
Step 1: Basic Setup (System Configuration)
- Log in to your DD-WRT router interface.
- Go to Setup > Basic Setup.
- Configure the following settings:
  - Set a base DNS server (not PIA DNS). Example used: 1.1.1.1 (Cloudflare)
  - Set a secondary DNS server. Example used: 8.8.8.8 (Google)
  - Enable NTP Client
  - Set your correct local time zone
- Click Apply Settings.
Step 2: Disable IPv6
- Go to Setup > IPv6.
- Set IPv6 to Disable.
- Click Apply Settings.
Step 3: Enable OpenVPN Client
- Go to Services > VPN.
- Under OpenVPN Client, set Start OpenVPN Client to Enable.
- Click Apply Settings.
Step 4: Configure OpenVPN Settings
- Input the Server IP/Name — you can locate this on the remote line of the OpenVPN configuration files we provide. (This guide has used us-west.privateinternetaccess.com.)
- Input the Port number that matches your chosen protocol and encryption in the dependencies table below.
| AUTH | CIPHER | CERTIFICATE | UDP PORT | TCP PORT |
|---|---|---|---|---|
| SHA1 | AES-128-CBC/GCM | ca.rsa.2048.crt | 1198 | 502 |
| SHA256 | AES-256-CBC/GCM | ca.rsa.4096.crt | 1197 | 501 |
- For Tunnel Device, select TUN. PIA VPN connections use a TUN interface.
- Tunnel Protocol will be set to UDP in this guide. In most cases UDP provides better speeds than TCP. If TCP is used, be sure to use the port shown in the dependencies table.
- Encryption Cipher is also specific to your preferences from the dependencies table.
- Hash Algorithm is another setting specific to your preferences from the dependencies table.
- User Pass Authentication must be set to Enable.
- In the Username field, input your PIA username — that is always in the format of p1234567 and cannot be replaced with any other information.
- In the Password field, enter the password for your PIA account. A password is assigned to you, but you can customize it in the client control panel.
- Set Advanced Options to Enable; this reveals additional fields that require input.
- From the drop-down menu, set TLS Cipher to None.
- In the drop-down menu, set LZO Compression to Yes.
- The Additional Config section will require multiple specific lines of text; copy and paste the following into this field:
    persist-key
    persist-tun
    tls-client
    remote-cert-tls server
    pull-filter ignore "auth-token"
- The CA Cert will need to be downloaded from the dependencies table, specific to the encryption you are using. Links for each of the three certificates can be found in the dependencies table at the beginning of the guide. Open the certificate in a text editor and copy the contents into the CA Cert field. (Note: The contents of this must include the begin and end certificate lines as well; be sure to copy the whole thing.)
- At the bottom of the page, click Apply Settings to save what you have done and set up the connection.
Your router is now set up to establish a PIA VPN connection. You can confirm the status of your connection in the Status > OpenVPN tab.
If the connection does not start after specifying and applying the settings, power down your router, wait 10 seconds, and turn it back on — that should initiate the VPN connection as the router reboots.
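The Step 4 fields only work in the combinations listed in the dependencies table, so it helps to check the extracted configuration file against that table before typing values into DD-WRT. The following is an added example, not part of the original guide or PIA's tooling; the sample file contents are constructed and the function names are hypothetical.

```python
import re

# Dependencies table from Step 4, keyed by AUTH value.
TABLE = {
    "SHA1":   {"bits": 128, "cert": "ca.rsa.2048.crt", "udp": 1198, "tcp": 502},
    "SHA256": {"bits": 256, "cert": "ca.rsa.4096.crt", "udp": 1197, "tcp": 501},
}

# Constructed sample; a real extracted .ovpn file will contain more directives.
SAMPLE = """client
dev tun
proto udp
remote us-west.privateinternetaccess.com 1198
cipher aes-128-cbc
auth sha1
"""

def parse_ovpn(text):
    """Collect the directives that map onto the Step 4 form fields."""
    cfg, inline = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("<"):              # inline <ca>...</ca> style blocks
            inline = not line.startswith("</")
            continue
        parts = line.split()
        if inline or not parts or parts[0][0] in "#;":
            continue
        if parts[0] == "remote" and len(parts) >= 3:
            cfg["server"], cfg["port"] = parts[1], int(parts[2])
        elif parts[0] in ("dev", "proto", "cipher", "auth") and len(parts) >= 2:
            cfg[parts[0]] = parts[1]
    return cfg

def check(cfg):
    """Return mismatches against the dependencies table; an empty list means consistent."""
    row = TABLE.get(cfg.get("auth", "").upper())
    if row is None:
        return [f"auth {cfg.get('auth')!r} is not in the dependencies table"]
    problems = []
    cipher = cfg.get("cipher", "").upper()
    if not re.fullmatch(rf"AES-{row['bits']}-(CBC|GCM)", cipher):
        problems.append(f"cipher {cipher or 'missing'} does not pair with {cfg['auth'].upper()}")
    proto = "tcp" if cfg.get("proto", "udp").lower().startswith("tcp") else "udp"
    if cfg.get("port") != row[proto]:
        problems.append(f"{proto.upper()} port should be {row[proto]}, got {cfg.get('port')}")
    if not cfg.get("dev", "").startswith("tun"):
        problems.append("Tunnel Device must be TUN")
    return problems

if __name__ == "__main__":
    cfg = parse_ovpn(SAMPLE)
    print(cfg, check(cfg) or "consistent; CA Cert: " + TABLE[cfg["auth"].upper()]["cert"])
```

An empty result means the server, port, cipher, hash and tunnel device agree with one row of the table, and the matching row names the certificate to paste into the CA Cert field.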