You are using an unsupported browser. Please update your browser to the latest version on or before July 31, 2020.

How do I use DD-WRT with Private Tunnel?

To use DD-WRT with your Private Tunnel account, please download your connection profile by clicking here.

Once the profile has been downloaded, open it your favorite text editor. Please note that if you are using the Windows operating system, you will need to use a text editor that understands the Unix EOL convention. Thus, text editors such as notepad will not work. In this case, use text editors such as Notepad++, Wordpad, or Microsoft Word.

** IMPORTANT: The instructions below will only work on more recent versions of DD-WRT. Generally speaking, any versions dated before late 2014 will not work (the date is displayed on the right top hand corner of the router configuration page). In other words, if you are running the stock version of DD-WRT provided on the main website, these instructions will NOT work for you. To update to the latest version, please update to the latest versions by visiting here: You should make sure that you follow all flashing instructions for your particular device, otherwise your device could be rendered inoperable. We are not be responsible for any devices that are unusable due to incompatible or bad flashes.

Before you begin, make sure your router is properly configured for a NTP server. This setting could be found under the Setup tab in your router configuration. Under Time settings, make sure the NTP Client is set to Enable and the Server IP / Name is populated with a proper time server. If you do not know what your time server is, please fill in in the text box as indicated. If an NTP server is not configured properly, your connection will fail to connect even though all the settings have been configured properly.

Afterwards, visit the Services tab, then the VPN tab. Under the section Start OpenVPN Client, click the Enable radio box. If you do not see this section, it is possible that your DD-WRT build is not OpenVPN enabled. Please consult the proper DD-WRT documentation for more information on the various DD-WRT builds.

Once you have selected that option, also check the Enable option under Advanced Options, this will allow you to define options required by Access Server and for the VPN connection to work.

The following screen should then be displayed, as depicted below. Please note that if you are not seeing the same list of options as listed above, then you are probably running an outdated DD-WRT version. Please update your firmware using the link previously to the latest version and the options should then match.

Configuration Descriptions:

Start OpenVPN Client: Enables/Disables the OpenVPN client connection.

Server IP/Name: The hostname of the VPN server you are trying to connect to. If you do not know what this is, look inside your profile for entries starting with remote. For example, the entry remote 1194 udp indicates that the hostname is (Note that this is the default server for Private Tunnel's San Jose, CA server)

Port: The port number the VPN server is listening on. Private Tunnel currently listens on UDP port 1194 and TCP port 443.

Tunnel Device: What operating mode your Access Server is operating on. Please select TUN as a tunnel device for Private Tunnel.

Tunnel Protocol: Preferably, for best performance, you should select UDP here. However, you may also elect to use TCP if you are under technical restrictions that prevent you from using UDP. When using UDP, please make sure the port is set to 1194. Likewise for TCP, the port should be set to 443.

Encryption Cipher: Private Tunnel uses BF-CBC as an encryption cipher. You may not select any other encryption ciphers in this list or the connection will fail to function.

Hash Algorithm: SHA1 is the hash algorithm used by Private Tunnel, so you should select this here.

User Pass Authentication: PrivateTunnel uses certificates to authenticate to its services. You should select Disable for this function.

Advanced Options: As described previously, this option must be Enabled for you to set the required options necessary for a successful VPN connection.

TLS Cipher: What encryption algorithm OpenVPN should use for encrypting its control channel.Selecting None will allow DD-WRT to auto-negotiate the strongest available cipher.

LZO Compression: Enables compression over VPN. This option is controlled by the server, so selecting Nois appropriate here.

NAT: Creates a NAT layer over the VPN tunnel. This should be Enabled for your connection to work successfully.

Firewall Protection: Enables the internal firewall for the VPN tunnel. PrivateTunnel by default already firewalls any external traffic before reaching your device, so this option can either be Enabled or Disabled at your discretion.

IP Address: Please leave this field blank.

Subnet Mask: Please leave this field blank.

Tunnel MTU setting: The maximum transmission unit (MTU) used over the VPN tunnel. This value should be set at 1500.

Tunnel UDP Fragment: Please leave this field blank.

Tunnel UDP MSS-Fix: Whether to limit the TCP MSS values to fit the tunnel MTU. Select Disableunless instructed by our support staff.

nsCertType verification: Checks to see if the remote server is using a valid type of certificate meant for OpenVPN connections. As this is a security feature of OpenVPN, it should be left enabled.

TLS Auth Key: The static key OpenVPN should use for generating HMAC send/receive keys. You may find this key surrounded by the <tls-auth>..</tls-auth> brackets. Copy the contents from your profile, starting from --BEGIN OpenVPN Static key V1-- until you reach --END OpenVPN Static key V1--.

Additional Config: Any additional configurations you want to define for the VPN connection. If you would like to run a split tunnel over the VPN, you can use the directive syntax below:

route <VPN server address> net_gateway
route <hostname or IP of subnet here> <subnet mask here> vpn_gateway
route <hostname 2 or IP of subnet 2 here> <subnet mask 2 here> vpn_gateway

For example, to redirect only over the us-ca-sj-001.privatetunnel.comVPN server, use the following directives:

route net_gateway
route vpn_gateway

Policy based Routing: This field should be left blank.

PKCS12 Key: This field should be left blank.

Static Key: This field should be left blank.

CA Cert: The CA certificate used by the VPN server, found between the <ca>...</ca> brackets inside the profile. Start copying from --BEGIN CERTIFICATE-- until you hit the first --END CERTIFICATE--.

Public Client Cert: The CA certificate used by the VPN client, found between the <cert>..</cert> and <extra-certs>..</extra-certs> brackets inside the profile. Start copying from --BEGIN CERTIFICATE-- until you hit --END CERTIFICATE--. Please make sure you have copied both sections from <cert> and <extra-certs> into this field.

Private Client Key: The client’s private key used by the VPN client, found between the <key>..</key> brackets inside the profile. Start copying from --BEGIN RSA PRIVATE KEY-- until you hit --END RSA PRIVATE KEY--.

To start the VPN connection, click the Apply Settings towards the bottom of the page. You may view the status of your VPN connection by visiting the Status tab, and then the OpenVPN tab.

  • 12
  • 11-Apr-2018