1. Create your PAC file, for example
function FindProxyForURL(url, host) {
  if (shExpMatch(host, "*.google.com") || host == "google.com") {
   return "PROXY wpad:8888";
  else {
    return "DIRECT";
  1. SCP the PAC file to root@openwrt:/www/wpad.dat

  2. Go to Luci -> Network -> Hostnames and add wpad as an alias for your OpenWRT router’s IP

  3. Install the autossh software package through opkg

  4. SSH to the router and edit /etc/config/autossh

config autossh
  option ssh	'-2 -N -o ServerAliveInterval=60 -L -i /root/.ssh/id_rsa user@example.com'
  option gatetime	'0'
  option monitorport	'0'
  option poll	'600'
  1. Use dropbearkey to create an SSH keypair, save the private key in /root/.ssh/id_rsa

  2. Append the newly created public key to your server’s ~/.ssh/authorized_keys

  3. Enable and start the autossh service through Luci

You can test your setup with curl:

curl wpad/wpad.dat
curl --proxy wpad:8888 google.com

This will have created an SSH tunnel from your router to your remote server, reconnecting as soon as a disconnect happens. Clients on your network will route traffic through the proxy, as determined by your logic in the PAC file. Windows clients use WPAD by default, but for OSX clients this has to be explicitly enabled in Network Settings.