The DD-WRT UI is constantly evolving and there are multiple variations depending on the specific build and version of the firmware. You may not see the exact same options in the same order as below.

This guide was produced using DD-WRT v39715.

  1. Navigate to the home page of your router - By default 192.168.1.1.

  2. Go to Setup > Tunnels > and click the Add Tunnel button. Choose Enable and select WireGuard from the dropdown menu.

  3. Click the Generate Key button and go to the Client Area on the IVPN website to add the generated public key to the Key Management area. Make note of the IP address we assign to your public key and add it to the IP address field and enter 255.255.255.255 in the Subnet Mask field.

    Hint: After clicking Generate Key, it may or may not be possible to copy the public key displayed on the Tunnels page. Click the Save and Apply Settings buttons, then go to Administration > Commands and enter wg in the Commands box, then click Run Commands. This will display details of the WireGuard connection including the public key, which can be easily copied.

  4. Click the Add Peer button and enter the following peer configuration (as also shown in the screen shot below):

    • Peer Tunnel IP: 0.0.0.0
    • Peer Tunnel DNS: 172.16.0.1
    • Endpoint: Enable
    • Endpoint Address: Enter an IVPN WireGuard server IP address (available via the WireGuard Server List in the Client Area) and choose a port:
      udp 2049
      udp 2050
      udp 53
      udp 30587
      udp 41893
      udp 48574
      udp 58237
    • Allowed IPs: 0.0.0.0/0
    • Persistent Keepalive: 25
    • Peer Public Key: Enter an IVPN WireGuard server public key (available via the WireGuard Server List in the Client Area)
    • Use Pre-shared Key: Disable

    Note: You are welcome to use whichever server you prefer. The Endpoint Address and Peer Public Key in the example above are specific to our server in Sweden.

  5. Click the Save button, then click the Apply Settings button.

  6. In Administration > Commands, enter the following:

    Save Startup:

    sleep 30
    echo "Update route table on startup..."
    WGSERVER=$(/usr/sbin/nvram get oet1_rem0)
    WANGW=$(/usr/sbin/nvram get wan_gateway)
    WANIF=$(/usr/sbin/nvram get wan_iface)
    route add -host $WGSERVER gw $WANGW dev $WANIF
    route del default
    route add default dev oet1
    ip route flush cache
    mkdir -p /tmp/etc/config
    ln -s /tmp/custom.sh /tmp/etc/config/wg-route-fix.wanup
    echo "... Done route table update."

    Save Firewall:

    WANIF=$(/usr/sbin/nvram get wan_iface)
    iptables -t nat -I POSTROUTING -o oet1 -j MASQUERADE
    iptables -I FORWARD -i br0 -o $WANIF -m state --state NEW -j REJECT --reject-with icmp-host-prohibited
    iptables -I FORWARD -i br0 -p tcp -o $WANIF -m state --state NEW -j REJECT --reject-with tcp-reset

    Note: The iptables commands above create a kill-switch firewall to prevent leaks. The routing table in DD-WRT is reset every time the Apply Settings button is clicked anywhere in the web interface and it takes time for the Custom Script to reapply the routing. If you prefer or do not mind leaks, please only enter

    iptables -t nat -I POSTROUTING -o oet1 -j MASQUERADE
    in the Save Firewall area.

    Save Custom Script:

    #!/bin/sh
    sleep 5
    echo "Update route table on wanup ..."
    WGSERVER=$(/usr/sbin/nvram get oet1_rem0)
    WANGW=$(/usr/sbin/nvram get wan_gateway)
    WANIF=$(/usr/sbin/nvram get wan_iface)
    route add -host $WGSERVER gw $WANGW dev $WANIF
    route del default
    route add default dev oet1
    ip route flush cache
    echo "... Done route table update."
  7. In Setup > Basic Setup, you might consider setting IVPN DNS servers in the Network Address Server Settings (DHCP) area:

    • Static DNS 1: 172.16.0.1
    • Static DNS 2: 198.245.51.147
  8. Click the Save button, then click the Apply Settings button.

  9. Reboot your router and wait for a minute or two for everything to settle, then reboot your computer system.