OpenVPN client on DD-WRT / Netgear WNDR 3800

By , last updated July 22, 2019

This will be a terse and succinct guide on how to install and setup DD-WRT client on your Netgear WNDR 3800 router / access point.

It worked for me, it’s not guaranteed it will work for you. Continue at own risk.

Oh, and use a cable into the LAN ports. It will make the process much more simpler.

Do a hard reset on the router to restore factory defaults.

The router will be flashed, and all settings will be gone anyways. It’s better to have factory defaults and have a smaller chance of bricking the device with default settings.

Press the reset pinhole with a needle or something other thin device and keep it pressed for 5 seconds, until the power light starts blinking amber / orange.

Download the firmware

Download the firmware from Netgear. It’s the last known firmware allowing flashing with a non-signed image.

Download the latest DD-WRT version

Have a look at the folder in the betas section. Go to the latest year, and then the latest month. Locate netgear-wndr3800 in the list and download wndr3800-factory.img.

Install DD-WRT

Open the management interface of your router, it should be at Default credentials are admin and password.

Open Administration -> Firmware Upgrade -> Choose file.

Select the downloaded image (wndr3800-factory.img), and install it.

After about 5 minutes the process should be completed. Do NOT power cycle the device. Doing so will probably brick it.

Configure DD-WRT

For some reason, the DD-WRT defaults to start the WiFi radio without any encryption. With the cable still connected to the LAN ports, open the management interface at At the first screen, you’re able to set the username and password you’ll use to log on later. Do not forget either the username or password. The only way to recover is to reset the device.

Under Wireless -> Basic Settings, set the access point names you’d like.

Under Wireless -> Wireless Security set the security options you prefer. WPA2 Personal with AES algorithm is a sufficient setup, until WPA3 becomes available during 2019-2020.

OpenVPN client

Usually the router will run the OpenVPN server, but in this case I was travelling and needed a safe connection. The advantage is that every device connecting through the WiFi router won’t have to have OpenVPN installed and configured. It’s only necessary to configure one client, the WiFi router.

OpenVPN client will run on the router, connecting to another OpenVPN server running on a Linux box elsewhere.

Add client to the server

For veracity, the instructions on how to add a new client to an existing OpenVPN server running on Gentoo Linux are as follows (for my system):

Service name

It is possible to run multiple OpenVPN services under Gentoo, and as such, they have their own names. To simplify, I’m using the variable $vpn for this.

$ export vpn="vpn"

Generate client certificates

$ cd /etc/openvpn/$vpn/easy-rsa
$ source vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/vpn/easy-rsa/keys
$ ./build-key routerclient

At this point, you’ll be filling out a certificate for your own use. Answer the questions.

Configure the router

Configuring OpenVPN on the router is pretty straight forward if you’ve configured any OpenVPN clients and server before.

Most of the settings are self-explainatory. It’s important the client settings are identical to the server settings.

  • Server IP/hostname and port. Config local and port.
  • Tunnel device (TUN or TAP). Config dev.
  • Protocol. UDP is really recommended with OpenVPN. Config proto.

If you’re using a static key file, most commonly called ta.key with configuration option tls-auth, the advanced settings have to be enabled and the contents of ta.key must be pasted into the field TLS Auth Key.

Config option Usual filename DD-WRT OpenVPN GUI Option Starts with
tls-auth ta.key TLS-Auth -----BEGIN OpenVPN Static key V1-----
ca ca.crt CA Cert -----BEGIN CERTIFICATE-----
cert $vpn.crt Public Client Cert -----BEGIN CERTIFICATE-----
key $vpn.key Private Client Key -----BEGIN PRIVATE KEY-----

If there are additional options not covered by the GUI, they go into Additional Config. Custom values for sndbuf and rcvbuf goes there.

One final option. NAT must be enabled if you’re going to connect to anything behind the VPN.


Press Save, and then Apply. Hopefully it will connect to your OpenVPN server.