Meefik's Blog

Freedom and Open Source

OpenWRT with OpenVPN on TL-WR841N router

21 Apr 2018 | openwrt

The problem with the TL-WR841N router (v9 in my case) is that it has only 4MB of flash memory, and once the OpenWRT firmware is installed only about 300KB is left for personal use, which is not enough to install OpenVPN. A solution is described in the post “OpenWrt + VPNclient for a router with 4mb ROM”, but several years have passed and its scripts need changes.

I will describe step by step how to make an OpenVPN client work on this router.

1) The OpenVPN client files should be placed in the /etc/openvpn/ directory on the router. To do this, pack the files ca.crt, client.conf, client.crt, client.key and ta.key into a tar archive and copy it to the router via scp:

scp openvpn_client.tar root@

After that, log in to the router via SSH and unpack the archive into the /etc/openvpn/ directory:

mkdir /etc/openvpn
tar xf /tmp/openvpn_client.tar -C /etc/openvpn

2) Configure the OpenVPN client on the router in the file /etc/openvpn/client.conf:

dev tun
proto udp
remote 1194
resolv-retry infinite
ca /etc/openvpn/ca.crt
cert /etc/openvpn/client.crt
key /etc/openvpn/client.key
remote-cert-tls server
tls-auth /etc/openvpn/ta.key 1
cipher AES-256-CBC
verb 3

3) Install the tun module from the OpenWRT repository:

opkg update
opkg install kmod-tun

4) Create the autostart script /etc/init.d/openvpn:

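#!/bin/sh /etc/rc.common

# start late in the boot sequence; rc.common needs START for "enable"
START=99

# pick up PATH and LD_LIBRARY_PATH for the binaries unpacked into /tmp
. /etc/profile

install_pkg() {
  # install pkg: download the .ipk and unpack its payload under /tmp
  cd /tmp
  tar xzf $(opkg download $1 |grep Downloaded |cut -d\  -f4 |sed '$s/.$//')
  tar xzf data.tar.gz
  # delete unnecessary things (save space)
  rm -f *.ipk control.tar.gz data.tar.gz debian-binary
}

install() {
  command opkg update || exit 1
  install_pkg openvpn-openssl
  install_pkg libopenssl
  install_pkg liblzo
}

start () {
  # /tmp is RAM-backed, so openvpn has to be fetched again after every boot
  if [ -z "$(which openvpn)" ]
  then
    # give the network time to come up before downloading
    sleep 10
    install
  fi
  command openvpn --writepid /tmp/run/ --daemon --config /etc/openvpn/client.conf
}

stop() {
  # find the running openvpn process(es) and terminate them
  PIDOF=$(ps |egrep openvpn |egrep  -v grep |awk '{print $1}')
  kill ${PIDOF}
}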

5) Edit the PATH variable in the /etc/profile file and add LD_LIBRARY_PATH:

export PATH=/usr/sbin:/usr/bin:/sbin:/bin:/tmp/usr/sbin
export LD_LIBRARY_PATH=/tmp/usr/lib

6) Enable openvpn script autostart:

chmod +x /etc/init.d/openvpn
/etc/init.d/openvpn enable

7) Next, you need to go to the OpenWRT web interface in the “Network -> Interfaces” section and add a new interface with the “Add new interface…” button. Then specify the following parameters:

General Setup

Protocol: Unmanaged

Advanced Settings

Bring up on boot: checked
Use builtin IPv6-management: unchecked

Physical Settings

Custom Interface: tun0

Firewall Settings

Create / Assign firewall-zone -> unspecified -or- create: vpn

8) In the web interface, go to the “Network -> Firewall -> Zones” section and click the “Edit” button next to the line with the name “vpn”. On the zone editing page, specify the following parameters:

General Settings

Input: reject
Output: accept
Forward: reject
Masquerading: checked
MSS clamping: checked
Covered networks: vpn

Inter-Zone Forwarding

Allow forward from source zones: lan

9) Now you can reboot the router. The VPN should work for all clients of the local network.
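
The check below is an added example, not part of the original post: a POSIX sh function that audits the directory populated in steps 1 and 2 before the router is rebooted. The function names and finding strings are assumptions made for this example; it reports missing files, a client.key or ta.key readable by group or others, and a client.conf without remote-cert-tls server or tls-auth.

```sh
#!/bin/sh
# Added example (not from the original post): audit the client directory
# from steps 1-2. Function names and message strings are made up here.
# Call as: audit_openvpn_dir /etc/openvpn

# True when neither group nor others have any permission bit on $1.
# Parses `ls -l` because a small BusyBox build may lack `stat`.
private_only() {
  [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# True when config file $1 has a non-comment line starting with regex $2.
has_directive() {
  grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

# Prints one line per finding; returns 0 when clean, 1 otherwise.
audit_openvpn_dir() {
  dir=$1
  rc=0
  for f in ca.crt client.conf client.crt client.key ta.key; do
    [ -f "$dir/$f" ] || { echo "MISSING $f"; rc=1; }
  done
  # Secret material: the client private key and the tls-auth static key.
  for f in client.key ta.key; do
    [ -f "$dir/$f" ] || continue
    private_only "$dir/$f" || { echo "PERMS $f (chmod 600)"; rc=1; }
  done
  conf="$dir/client.conf"
  if [ -f "$conf" ]; then
    # Without this check the client accepts any certificate the CA signed,
    # including another client's certificate.
    has_directive "$conf" "remote-cert-tls[[:space:]]+server" ||
      { echo "CONF remote-cert-tls server missing"; rc=1; }
    has_directive "$conf" "tls-auth" ||
      { echo "CONF tls-auth missing"; rc=1; }
  fi
  return "$rc"
}
```

An archive packed on a workstation usually carries that machine's file modes, so a PERMS finding right after step 1 is common and is cleared by running chmod 600 on the named file.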