How to set up a dedicated VPN router with two routers

This tutorial will teach you how to set up a dual-router configuration with a dedicated VPN router behind another router (the primary router). This will work with any VPN-enabled router firmware, including DD-WRT, ASUSWRT (including Merlin), and Tomato.

We’ll be using what’s known as LAN-to-WAN router cascading, where each router is on a separate subnet.

This is an incredibly popular home network setup because:

  • It gives you access to both VPN and non-VPN connections
  • Switch devices to/from the VPN simply by switching networks
  • Connect devices like Xbox, PS4, Fire Stick, or Chromecast to a VPN
  • Added insulation of VPN network (double NAT = greater security).

Visualizing the two-router setup

Below is a diagram of the home network structure we’re going to create. Traffic is encrypted by the VPN router, and flows through the primary router to the modem/internet. All devices connected to the #2 (VPN) router will use the VPN tunnel. All devices connected to the #1 (primary) router will use your normal internet connection.

Image showing dual router VPN layout
Here’s how your network will look once you’ve set up a 2nd VPN router

What you’ll need for this tutorial

  1. A VPN-Capable Router: You can use any router with a CPU that can handle VPN math, and has (or supports) VPN-capable router firmware like Tomato, DD-WRT, or ASUSWRT (our favorite). Here’s our guide to the best VPN routers.
  2. A 2nd router: This will be the primary router (non-VPN). It can be any mid-range router that can comfortably handle the number of devices on your network. Ideally it should support AC wireless (for faster speeds) but it doesn’t need a fast CPU like the VPN router.
  3. Reliable, Fast VPN Provider: Preferably one that supports the OpenVPN protocol. We highly recommend Private Internet Access, NordVPN or IPVanish for router usage. PIA has 128-bit configs which allow for faster speeds.
  4. Ethernet Cable: This will be used to connect your two routers, for the dual-router setup. I love these low profile ones.

Part #1: Set up the primary router

There’s only minimal setup required on the main router, because it’s not actually doing anything besides passing on the already-encrypted traffic from the VPN router. You can use virtually any router in the world as long as it supports ‘vpn-passthrough’ (which most modern routers do).

Frequently people will use the router provided by their ISP/Internet Provider as the primary router. In fact, some cable TV/internet providers (like Verizon Fios) require you to use their router (or else your TV won’t work properly).

The Steps:

  1. Check the router’s subnet/gateway
  2. Check/Enable VPN-Passthrough

1. Check what subnet your router is on

Each device (including routers) on your home network has a ‘local’ IP address that identifies its location on your home network. Usually, IP addresses will start with 192.168.x.y and your router is the gateway, which is usually located at 192.168.x.1.

‘X’ is the subnet that your router is located on.

We’re going to need to put each router on a separate subnet so they don’t hand out the same IP address to different devices. To do that, we first have to check what the IP and subnet of your primary router are. The easiest way to do that (on Windows) is:

  1. Connect to your router’s wireless network
  2. Run cmd.exe from the start menu
  3. Type ‘ipconfig’ on the command line and hit ‘enter’
  4. Look for the line that says ‘Default Gateway……..’ That’s your router’s IP
  5. The second to last set of numbers (192.168.X.1) is the subnet

Default Gateway in IPconfig
The Default Gateway is the router’s local IP address

Most consumer routers use 192.168.1.1 as the default gateway if that IP is available on your network. Don’t worry if yours isn’t, you don’t need to change it. Just remember the IP address for later.

2. Enable VPN Passthrough

Most routers have a setting to allow/block VPN traffic flowing through them. It’s usually enabled by default, but it’s worth checking. To do this, you need to log into your router’s control panel by typing its local IP address into your web browser (e.g. 192.168.1.1).

You can usually find the relevant setting under Firewall or NAT settings. Below are the VPN-passthrough settings in DD-WRT firmware:

DDWRT VPN-Passthrough

And ASUS’s ASUSWRT Firmware:

ASUSWRT VPN Passthrough
Settings > WAN > NAT Passthrough

That’s it, your primary router is now properly configured.

Part #2: Set up the VPN Router

In this section, we’ll change the subnet of the VPN router so that it doesn’t overlap with the primary router. We also need to enable DHCP so the VPN router hands out IP addresses to devices that connect to it. And finally, you’ll need to set up a VPN connection on your router if you haven’t already.

Steps:

  1. Change the router subnet
  2. Enable DHCP
  3. Specify DNS Servers
  4. Connect VPN router to Primary router
  5. Test your setup
  6. Configure VPN Connection (if you haven’t already)

1. Change VPN router’s subnet

  1. Make sure your VPN router is powered on. It doesn’t need to be connected to the internet, and should NOT be connected to your primary router via ethernet cable yet.
  2. Connect to your VPN router’s wifi network (or run an ethernet cable from your computer to the router)
  3. Log into the router’s control panel (type the router’s IP into your browser window and hit enter. If you’re not sure what it is, use ipconfig as in part #1 above).
  4. Find the router’s IP address settings (often in LAN or basic setup)
  5. Change the router to a different subnet than the primary router (so 192.168.2.1 if primary router is 192.168.1.1)

For DD-WRT:

Go to: Setup > Basic Setup > Network Setup (section) > Router IP

And if the router’s IP and subnet match those of the primary router, change it:

DDWRT Router IP address
DD-WRT’s Router IP address settings

For ASUSWRT/ASUS Routers:

Go to: Advanced Settings > LAN > LAN IP

ASUSWRT Router IP Address

 

You can make the subnet anything you want as long as it’s 255 or less. In general, pick a smaller number (2 or 3) so you can easily remember it for future router panel logins.

2-3. Enable DHCP and specify DNS

We need to enable DHCP so your router can hand out IP addresses to all your other connected devices on the same subnet. We’ll also manually specify a DNS server as a troubleshooting step just in case your VPN provider doesn’t have their own.

DHCP and DNS settings can usually be found near each other, and probably in the same screen where you just specified your router’s IP address.

Which DNS to use: If your VPN provider has its own DNS servers, you can get their IP addresses from the provider’s support/help documentation and use them in this step. Otherwise, you can use any public DNS provider like FreeDNS, GoogleDNS, or ComodoDNS. In our example we used GoogleDNS.

  • GoogleDNS: 8.8.8.8 & 8.8.4.4
  • ComodoDNS: 8.26.56.26 & 8.20.247.20
  • OpenDNS: 208.67.222.222 & 208.67.220.220

Don’t worry if your router firmware only allows one DNS server (like ASUSWRT); that should be fine.

DDWRT: 

DDWRT DHCP and DNS Settings
Turn on DHCP and Specify DNS (shown with GoogleDNS)

ASUSWRT:

ASUSWRT DHCP Server and DNS Server
Enable DHCP and specify 1 DNS server (shown with GoogleDNS)

4. Connect the VPN router to the Primary router

Now that your router settings are properly configured, we need to physically connect the two routers via an Ethernet cable. It’s important to make sure you plug each end into the correct port though!

Plug the ethernet cable into each router as follows:

  • Primary Router: Any open LAN port
  • VPN Router: WAN Port (where you’d usually connect the modem)
Two router LAN to WAN setup
Plug Ethernet cable from LAN port of primary router to WAN port of VPN router

Note: The WAN port of the primary router should be connected to your modem (or however you get internet access).

5. Test the Two-Router setup

Make sure both routers are powered on and the ethernet cables are connected to the correct ports: VPN WAN > Primary LAN and Primary WAN > Modem.

  1. Connect to the wifi network of your VPN router.
  2. Try to open any web page in your browser

If the website loads properly, congratulations! You now have a properly configured two-router setup with a dedicated VPN router. If you don’t already have a VPN connection configured on your router, continue to part #3 to learn how.

Troubleshooting:

If you don’t have internet connectivity right away, here are a couple things to try (on Windows machines):

  1. Disable the VPN on your VPN router (to make sure that’s not the issue)
  2. Double-check you have a valid DNS server configured
  3. Open CMD.exe and run IPconfig to make sure your computer has an IP assigned on the VPN router’s subnet (if not, your DHCP server isn’t working correctly).
  4. Try flushing your computer’s DNS:
    1. Open CMD.exe
    2. Type ipconfig /flushdns and press Enter
    3. Type ipconfig /registerdns and press Enter
    4. Type ipconfig /release and press Enter
    5. Type ipconfig /renew and press Enter
  5. If you still get a DNS error, manually specify a DNS server in your TCP/IP settings
  6. Reboot the router
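
The subnet rules from Part #2, step 1 and the ipconfig check from troubleshooting step 3 can be verified with a short script. This is an added example, not part of the original tutorial: the function names, the 192.168.1.2 WAN address, the DHCP pool and the ipconfig capture are constructed for illustration, and English-language ipconfig output is assumed.

```python
import ipaddress
import re

# Constructed plan using the tutorial's example subnets (assumed values).
PRIMARY_LAN = "192.168.1.1/24"   # primary router LAN IP and mask
VPN_WAN_IP = "192.168.1.2"       # address the VPN router holds on the primary LAN
VPN_LAN = "192.168.2.1/24"       # VPN router LAN IP and mask
DHCP_POOL = ("192.168.2.100", "192.168.2.150")

# Constructed `ipconfig` capture (English-language Windows output assumed).
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Wireless LAN adapter Wi-Fi:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 192.168.2.101
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.2.1

Ethernet adapter Ethernet:

   Autoconfiguration IPv4 Address. . : 169.254.23.7
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . :
"""

FIELD = re.compile(
    r"(IPv4 Address|Subnet Mask|Default Gateway)[ .]*:\s*(\d+(?:\.\d+){3})")
KEYS = {"IPv4 Address": "ipv4", "Subnet Mask": "mask", "Default Gateway": "gateway"}


def parse_ipconfig(text):
    """Return one dict per adapter that has an IPv4 address."""
    adapters, current = [], None
    for line in text.splitlines():
        if line and not line[0].isspace():
            # Unindented lines start a new section (adapter header).
            current = {"name": line.strip().rstrip(":")}
            adapters.append(current)
            continue
        match = FIELD.search(line)
        if match and current is not None:
            current[KEYS[match.group(1)]] = match.group(2)
    return [a for a in adapters if "ipv4" in a]


def check_plan(primary_lan, vpn_wan_ip, vpn_lan, dhcp_start, dhcp_end):
    """Return a list of problems in a LAN-to-WAN cascade plan (empty = consistent)."""
    problems = []
    primary = ipaddress.ip_interface(primary_lan)
    vpn = ipaddress.ip_interface(vpn_lan)
    wan = ipaddress.ip_address(vpn_wan_ip)
    start = ipaddress.ip_address(dhcp_start)
    end = ipaddress.ip_address(dhcp_end)

    if primary.network.overlaps(vpn.network):
        problems.append("VPN router LAN overlaps the primary router LAN")
    if wan not in primary.network:
        problems.append("VPN router WAN IP is not on the primary router's subnet")
    if wan == primary.ip:
        problems.append("VPN router WAN IP collides with the primary gateway")
    if start > end or start not in vpn.network or end not in vpn.network:
        problems.append("DHCP pool is not inside the VPN router LAN")
    elif start <= vpn.ip <= end:
        problems.append("DHCP pool includes the VPN router's own LAN IP")
    return problems


def classify_client(adapter, primary_lan, vpn_lan):
    """Say which router a client adapter is behind, judging by address and gateway."""
    addr = ipaddress.ip_address(adapter["ipv4"])
    if addr.is_link_local:
        # 169.254.x.x means Windows self-assigned an address: no DHCP lease.
        return "no-dhcp-lease"
    primary = ipaddress.ip_interface(primary_lan)
    vpn = ipaddress.ip_interface(vpn_lan)
    gateway = adapter.get("gateway")
    if addr in vpn.network and gateway == str(vpn.ip):
        return "vpn-router"
    if addr in primary.network and gateway == str(primary.ip):
        return "primary-router"
    return "unexpected"


if __name__ == "__main__":
    issues = check_plan(PRIMARY_LAN, VPN_WAN_IP, VPN_LAN, *DHCP_POOL)
    print("plan:", issues or "consistent")
    for adapter in parse_ipconfig(SAMPLE_IPCONFIG):
        print(adapter["name"], "->", classify_client(adapter, PRIMARY_LAN, VPN_LAN))
```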

Part #3: Set up the VPN connection

If you haven’t already done so, you need to configure your 2nd router to create a full-time VPN connection. The exact method depends on the router firmware you’re running.

Currently there are 3 main router firmwares that can connect to a VPN.

Here are the OpenVPN client setup instructions for each:

You can also use a PPTP or L2TP/IPSec VPN connection if you prefer (or if your router doesn’t support OpenVPN). Setup guides are usually available from your VPN provider’s knowledgebase.

If you don’t have a VPN yet, we recommend IPVanish or Private Internet Access. They are both fast and stable when run on a VPN-enabled router.

A few extra tips:

Static Routes: Because each router is on its own subnet, devices on separate subnets may not be able to find each other. In my experience, devices on the VPN router can connect to some devices on the primary router (a printer for example) but not vice-versa. If you need devices to talk to each other between networks, you’ll need to build static routes, where you basically build a map or a path for a device between networks. The details of this are rather complicated, but here are tutorials for asuswrt and dd-wrt to get you started.

Speed: If you’ve never run a VPN on your router before, prepare for some speed loss. This is doubly true if your router has a single-core CPU or you’re using 256-bit AES encryption. The complex math behind VPN encryption quickly overwhelms the CPU on even high-end routers, so you’ll need to learn to be happy with 15-35mbps. If you need more bandwidth, you’ll have to run the VPN on your PC instead.

That’s it! I really hope you enjoyed this tutorial! If you still have any issues or questions, please make sure to leave a comment below. And don’t forget to follow us @vpnuniversity for the latest tutorials, reviews, and VPN deals.

 

 

 

135 thoughts on “How to set up a dedicated VPN router with two routers”

  1. Hi, when I specify a DNS server in my Asus Router, the internet connection gets blocked after a while. The solution is to disable them, but then DNS leaktest shows the DNS servers from my ISP. And I just wanted to prevent that….

    Reply
    • That’s strange. What DNS server are you using? Have you tried other options? I’ve had good luck with googleDNS and comodoDNS. Also, if you install ASUSWRT-Merlin, you can choose to force strict DNS settings for your VPN. This works best with VPN providers that host their own DNS servers.

      Reply
  2. I am looking for a better way to do the lan communication between the routers. It seems to me that the port forwarding is neither simple nor is it the best answer for my network. I would like to have a torrent box, my main pc and my freenas server behind the vpn on one router, then every other device in our house on the other router, but I need samba and windows file sharing to work across both routers and networks. Is this possible without many hours of work?

    Reply
    • Short answer: yes. Long answer: Yes, but I don’t have the technical expertise to give you specific guidance.

      Your best bet is to browse the smallnet builder forums on topics relating to ‘static routes’ which are like tunnels between subnets (sounds like what you need). If you’re struggling to adapt their tips to your specific situation, just start a new thread and ask for help. They have one of the most friendly and helpful communities I’ve found.

      Reply
  3. Thanks for this guide, it’s really helpful! With this set up, will ALL traffic be slowed due to the VPN, or just traffic connected specifically to the VPN router?

    Reply
    • The VPN router goes through the main router (non-vpn). If you’re connected to the main router, you should get full speeds. The VPN router will probably be slower (especially if you have a 50mbps+ connection) because of the CPU limits of your VPN router which struggles to handle VPN encryption at high speed. Also, many VPN providers will average between 15-40mbps max depending on server location.

      Reply
  4. First off, congrats for the great tutorial! However, I do have a few questions for you:

    On the Primary Router: Did you enable DHCP server then manually enter the WAN Static IP of the VPN router? NAT disabled or enabled?

    On the VPN router: Under WAN, did you enter the Static IP (the manually entered IP in DHCP server on Primary router) or did you leave it on Automatic IP? NAT disabled or enabled?

    I am going to receive a second hand Router/Firewall Fortigate 60C in a few days….Here is how I was thinking to set everything up:

    Primary Router: WAN IP set to Automatic IP (public IP from cable modem) / LAN IP 192.168.0.1 / Subnet 255.255.255 / DHCP Server IP start 192.168.0.100 finish 192.168.0.100 (Client for this IP is the VPN Router WAN IP)

    VPN Router: WAN IP set to Static IP 192.168.0.100 / Subnet 255.255.255.0 / Gateway 192.168.0.1 / LAN IP 192.168.1.1 / DHCP Server IP from 192.168.1.100 to 192.168.1.114 (IP pool for all my client devices like PC, cellphones, etc)

    Let me know if it looks like it is going to work.

    Thank you!

    Reply
    • Yes this setup should work fine. I enable DHCP on both routers. You can automatically assign the IP address for both, or statically assign the IP for the secondary router (as you do in your proposed setup).

      Reply
  5. Does the vpn router need to have its firewall enabled? I find it’s faster disabled and I’m assuming the primary router is protecting the network with its firewall. Is this true?

    Reply
    • Correct, if you have the firewall enabled on both, that’s called double NAT and can sometimes slow speeds. If you prefer you can disable the firewall on the second router, though I usually opt to keep it enabled.

      Reply
    • You would keep the same subnet for both routers, but you either have to only enable DHCP on the primary router (hands out IP addresses to connected devices).

      Or…

      Enable DHCP on both, but set the IP range on one to be 2-128 and 129-256 on the 2nd, so you never have IP conflicts.

      Reply
      • If you disable DHCP on the second router, how would you then be able to connect to the VPN servers? NordVPN has you update the DHCP settings to connect to their servers when enabling NordVPN on routers.

        Reply
        • DHCP shouldn’t have anything to do with how your router functions with NordVPN. It only affects whether the router hands out local IP addresses (on your network) or whether the primary router should do that instead.

          Reply
      • I am just wondering… If you do this (2 DHCP on the same network), how do you set which device gets an IP from which DHCP? Otherwise you will have two DHCP servers trying to serve an IP address to the same device, won’t you?

        Reply
        • As long as each device is set to a different subnet (192.168.SUBNET.xxx) it shouldn’t be an issue. Your device is only connected to one router, not both. So if you connect to the 2nd router (192.168.2.xxx) for example, that gateway will route your traffic properly to the main router (192.168.1.xxx)

          Reply
  6. Most vpn servers will not forward port 25. I run a mailserver and would like to connect my PC to the “vpn router” but still send/receive mail through port 25 on the “primary router”, bypassing the vpn. Is this possible in any way?

    Reply
  7. I have the task of trying to link two home networks with their own internet together in order for both locations to simultaneously access a Quickbooks file located at one location. They don’t want Quickbooks online because it’s too different than the QB Desktop that they’re already used to. There’s a company that does “cloud” Quickbooks access, but what they do is basically have people RDP into a server and run QB on their machine, which is not an option.

    I’m assuming I’d need a VPN server at one location and a VPN client at the other. In the past I’ve setup an ASUS router using DDNS with VPN server enabled, and used Windows at another location to create a VPN to the server. That worked well for that situation, I was able to access Windows shares at the remote location. But that was more of a manual connection. For this task I’d like a more fixed link between the locations but still be able to use their own local internet, so I’d guess a VPN router at each location is required.

    Each location has a static IP, so no DDNS to worry about. They both use the same local ISP. They’re both even on the same property, but too far for a wifi bridge. Maybe a more powerful external wireless bridge would be best, but I’ll save that as a last resort.

    I’m not sure if I should just try to use their existing routers (not sure yet what they’re using) and just add a VPN box in the mix on both sides, or just replace both routers with a VPN router to make things simpler.

    Their internet may be around 10-20Mbit or so, which I know is fairly slow. And I know Quickbooks doesn’t work fast through WiFi connections, so I’d assume I’d get the same slow performance through the internet as well.

    But I’m wondering if I should try to get a couple ASUS RT-AC68U routers and just swap out whatever they’re using now. I’m also trying to figure out the best way to setup the IP address structure so one location can see a Windows share at the other location, maybe add a static route? That’s really all I need to do, is access a few files at the other location. I can’t use cloud storage, ie Dropbox, OneDrive, Qbox, because none of them play well with Quickbooks databases and/or allow simultaneous access.

    Any help would be much appreciated.

    Reply
  8. Thanks for the great guide. It helped me get this working after a previous 6-hour attempt fell flat, other than the last bit about the networks communicating with each other with static routes.

    We have a modem/router from our ISP. It has a desktop computer and some smart home things on it, as well as going out to the ASUS router. It’s not a big loss if this desktop can’t communicate down to the devices on the other ASUS or TP-Link sections. If we can do that, great, but if not, we’re not worried about it. This is the 192.168.1.0 subnet.

    Then we have an ASUS router which we want to be the main WiFi provider, as well as the Xbox and to the TP-Link. This is the 192.168.2.0 subnet.

    Then we have a TP-Link with DD-WRT that we want to be the VPN router. Behind it is the Roku. This is the 192.168.3.0 subnet.

    The VPN works as intended there, but they don’t communicate with each other. Practically it means that if we have our phones on the main ASUS network, we can’t use the Roku app to control the Roku. There’s also a Logitech Harmony Hub that could cause similar problems. Any ideas of how we could get around that?

    Reply
    • A number of people have run into this issue and I don’t think there’s an easy fix without doing some advanced modification of the router’s firmware (though there are tutorials on small net builder’s forums)

      I think the easiest solution is this:
      Get rid of either router #2 or router #3 and then use the selective routing capability of your VPN firmware to route specific devices inside/outside the VPN while keeping them on the same subnet. DDWRT can do this with some extra coding but it takes a bit of know-how. Here’s a tutorial. The easier option is to run the VPN on your ASUS router (if it’s a dual-core router that can handle faster VPN speeds) and install ASUSWRT-Merlin to handle the VPN and selective routing.

      Reply
  9. I have an Asus RT-AC86U router which is running Merlin on it and it connects to the VPN through this router. It then connects to the WAN through an Asus RT-AC66U. Every time I connect to the VPN it seems to work; however, if the router is rebooted my devices lose connection to the internet. I am using NordVPN. What is the way to prevent this from happening?

    Reply
    • I don’t totally understand the issue. If the Router is providing internet access for the devices and it is running the VPN, then of course they will temporarily lose access to the internet when you reboot it. If there is an issue beyond this inconvenience, please clarify a bit more and I’ll do my best to help…

      Although one hint from memory, make sure to turn on the ‘Start with WAN’ option in the Merlin firmware, which will autoconnect to the VPN every time the router powers on.

      Reply
    • Thank you so much for the guide. I am having the same problem with “March 8, 2018 at 7:12 pm

      I have an Asus RT-AC86U router which is running Merlin on it and it connects to the VPN through this router. It then connects to the WAN through an Asus RT-AC66U. Every time I connect to the VPN it seems to work; however, if the router is rebooted my devices lose connection to the internet. I am using NordVPN. What is the way to prevent this from happening?”

      I followed your instruction. I use Tp link for primary router and Asus RT- CA68U for vpn router. Since I use nordvpn and asuswrt not merlin, I also follow this link to set up the last part of your guide: https://nordvpn.com/tutorials/asuswrt/openvpn/. The first attempt all works fine but after restarting the Asus router, when you click activate the vpn, it won’t connect and just keeps circling for a long time trying to make a connection. I tried different .ovnp but still not working. Finally I restored factory settings for the Asus and redid the whole process, then it’s working. Do you have any idea why this happens? Thanks

      Reply
      • The best way to diagnose this would be to look at your router log file while the connection attempt is pending. If it’s not providing enough information, add the line ‘verb 3’ or ‘verb 4’ (without the quotes) to your config file by editing it with a text editor. This will make sure the openvpn connection sends enough info to your router log to see what’s going on. It should give you a clue as to why the connection is failing.

        Reply
  10. Thanks for the guide. It is helpful. My primary use case is to set up a VPN server to allow myself to securely connect to my home network when I am out of the country.

    My primary router provided by ISP is a non-ddwrt compatible modem/router (hitron coda4582) so I have to get a 2nd router for VPN purpose. I have flashed an old linksys e3000 router with ddwrt firmware and configured it to use PPTP VPN (the intent is to try a simpler setup for now to get all the components and accesses in order before messing around with OpenVPN). I have the VPN router serially connected to the primary router (Internet –> primary router –> 2nd VPN router –> home devices) …When connecting from the home network, I am able to establish VPN connection to the VPN router using PPTP by specifying VPN router’s WAN address (192.168.0.x) ; the problem I am facing is that the internet traffic is not able to connect through to my VPN router using the primary router IP address. I am completely new on this and it is the first time I try to setup the VPN client/server… suspect issues with my setups and configuration between the routers…Are all the steps specified in the above guide apply to my use case?…Are you able to shed some lights for me? Thanks in advance.

    Reply
  11. Dear VPNuniversity, I work in China. My internet speed is 100mb I believe. I connect through PPPoe with a user name and password. I just bought a Netgear r7000 which is compatible with ExpressVPNs firmware. My other router is a basic TP Link 450 mb.

    Previously tested internet speeds are 30mb download – 10 up w/ tp link. 120mb download – 10 up w/ Netgear r7000 Nighthawk.

    My question is, since I need a 2 router package to have a dedicated VPN line; Which router should be the main router? A more powerful one with faster internet speed ? Or both? I can get rid of my tp link and get another Netgear r7000. Then I’ll have 2. If I put a more powerful router as the VPN router and the main non vpn router is weaker, does that funnel / limit speed?

    Any feedback would be greatly appreciated it. I’m trying to build an entertainment set here but the great firewall is killing me.

    Reply
    • The VPN router should be the more powerful one, as the limiting factor on speed is almost always the CPU power of the VPN router, though with a VPN active, the r700 should exceed 30mbps (the TP link tested speed) if using 128-bit encryption. When you tested the TP Link, did you use a wired or wireless connection? I’m assuming you will be connecting the 2 routers via an ethernet cable, which should help bring the max speed up substantially (assuming the previous test was via wifi only). In other words, the TP link shouldn’t be a limiting factor if you can get the wired speeds up to around 70 mbps without the VPN.

      If you decide to upgrade the primary router, you definitely don’t need something as powerful as the r7000. Any modern ‘AC’ wifi router should be able to handle wired speeds well in excess of 100mbps.

      Reply
  12. Thanks for the excellent guide. I followed the instructions but the second router (VPN router) doesn’t connect to the internet.

    What settings should I use for the WAN connection type on the second router? I’m using an Asus RT AC68U and chose Automatic IP but that gives an error message saying Your ISP’s DHCP does not function correctly.

    If I choose Static IP instead it asks me to specify an IP address, Subnet mask and Default gateway. Not sure what to put there if that’s the right option?

    Reply
    • Automatic IP should work as long as you have DHCP enabled on the primary router. You can also use a static IP. If the gateway address of the primary router is 192.168.1.1 then you could give the secondary router an IP address of 192.168.1.2 (on the main subnet). Its LAN address should be on a different subnet (192.168.2.1) as shown in the tutorial.

      Reply
    • There might be a bit of RF interference between the two routers (slowing speeds). This can be fixed somewhat by making sure they’re on separate wifi bands.

      Reply
  13. I have an ISP that uses an RG6 cable router. I have an Asus 3100 and a Linksys Velop WHW0301 that uses ethernet connections. Do I use their router as a primary or use my router with the vpn?

    Reply
    • I have a similar setup, where the ISP provides their own router (required for TV service). So make the ISP’s router the primary, set your ASUS router to a different subnet and run the VPN on it. You’ll also want to enable DHCP on both routers so they don’t assign the same IP-address range to your devices.

      Reply
  14. Hi; Great Article & Thanks. I set up dual routers, one as a main router & the other as a VPN router. I have set up PPTP & have both the routers working. When I log on to my VPN router & use the VPN connection, it gives me the same public IP address as the main networking router. I was under the impression that if I connect through my VPN router connections, it should give me an IP address that is different from the network router. Is there an issue with the way I set up these two routers? (Both of them are Netgear routers: R7000 & Nighthawk X10.) Also to test, I put in a wrong PPTP VPN password on my VPN router but it still allows me to connect to the internet. I would have thought that it would fail connecting but it did not & still gave the same public IP address for both the routers (VPN & main network router). Any help on this is greatly appreciated by anybody. Thanks.

    Reply
    • A couple questions:

      1. Are you running the VPN on both routers? or just the secondary router?
      2. Does your public IP belong to your VPN provider? Or is it the one assigned by your ISP?

      Reply
      • Great guide – I am about to purchase a dedicated VPN router (probably from FlashRouters) but I’d like to only use hardwired Ethernet connections for the devices connected to my new VPN router and essentially disable WiFi from the 2nd dedicated VPN router. This is because all the Roku devices I wish to run through a VPN have a hardwired Ethernet connection. This approach will also eliminate any WiFi interference issues. Do you see any issues with this approach? Any thought on router selections for my second dedicated VPN router with this use-case in mind?

        Reply
        • You can certainly use hardwired connections instead of Wifi. I don’t think this will change your hardware choice much as you’ll still need adequate processing power to give decent VPN speeds. I’d say at least dual-core 800mhz processors. 2 x 1000 would be better. But don’t waste any extra money on fancy buzzword features like ‘beamforming’ or ‘tri-band wifi’. You won’t be using it anyway.

          Reply
  15. Hello,
    and thank you for this great guide that is very clear even for such a novice like me.

    I have one question though.

    So far I use only my router 1 from my internet provider (PC+printer are WI-FI connected to the router 1).
    I have a NAS, shield TV and Apple TV that are connected by Ethernet to the switch on router 1.

    If I set up a VPN router 2, to which one should I connect the NAS, shield TV and Apple TV so that they continue to communicate with each other? I admit I would like to plug everything into VPN router 2 because of the low performance of my router 1. Besides, my NAS doesn’t need to be accessible outside my local network. Is it possible?

    thank you for your help,

    cheers,

    seb

    Reply
    • I know it’s possible for devices to communicate between subnets by linking them with ‘Static Routes.’ ASUSWRT as well as DD-WRT firmware have this ability. Here’s a solid tutorial (for DDWRT firmware) but the same principles apply if you have an asus router.

      Reply
  16. Hi!

    Great tutorial. Just had one query though. Which mode should I set the second router on ? It has the following modes:

    Wireless router mode (Default)
    Repeater mode
    Access Point(AP) mode
    Media Bridge

    If I set it to Wireless router mode, it will ask me for the username and password of my internet provider but my main router is already connected to the internet. If I set it to the other three modes, it disables the firewall and vpn sections. Am I missing something here?

    Reply
    • You should set it to Wireless router mode. You may need to reconfigure your ISP/WAN settings so it doesn’t ask you to log in.

      Reply
  17. Hey guys, thanks for such a great article and with such clear instructions.
    I ran out and got the AC68U router a few days ago to set things up based on what I thought should happen but quickly realized a big problem. I am in China and the provider is China Mobile (home based service over fibre) so the only box I can use is the telecom provider fibre to Wifi router box they provide which seems to offer (as expected) no option for VPN passthrough.

    I have no issues running my VPN clients on the Macs and phones but just don’t want the constant hassle. Is there anything I can do to get past this as I feel there is no way I can swap out the fibre box with any other brand.

    I already have an Asus 68U, Xiaomi 3G, Apple Airport kicking around and an Asus RT53 which I wanted to use as the primary option for non-VPN traffic but kinda stuck due to the core China product.

    Thanks

    Reply
    • That is an interesting problem. I haven’t tested it myself, but I wonder if connecting to a TCP VPN server on port 443 might work (if your VPN supports it). Several VPN providers also have ‘VPN obfuscation’ technology on special servers but I’m not certain whether this requires use of their custom VPN software or if it can be configured manually as well. If you happen to get it working, please report back. I’d love to write an article about it!

      Reply
  18. Great article I am looking forward to setting it up.

    I have Google Wifi and an Asus Ac1300 with the VPN on the Asus. With this configuration will I still be protected if I connect my laptop to the Google wifi?

    Reply
    • Only if the Google Wifi router is behind the Asus router (connected to a LAN port on your Asus VPN-enabled router).

      Reply
  19. I setup an Asus router (latest firmware) with NordVPN on it. I followed all the directions and it works for a time, but at random times the VPN network crashes. Main network (Internet providing router) stays up.
    I either lose connection to the router, but the signal is still broadcasting. When I try to reconnect, I get either cannot connect to this network or wrong password.
    I stay connected, but lose internet. Triangle with exclamation mark. I also cannot access the router when this happens.

    Reply
    • I have periodically had issues with NordVPN installed on a router, but usually only from specific computers. For example, my Mac works fine but my PC laptop will have issues. It’s annoying, and so far unexplained by NordVPN support.

      Reply
      • I have discovered the VPN router set to Access Mode still crashes as well. What setting should I look for on the Internet Router?

        Reply
  20. Why not do it the other way? Have your “main” router that all your devices connect to set up as a vpn server, then connect that to your VPN client router, and connect that to the modem?

    Reply
    • If you set the main router up as a ‘VPN Server’, then the encrypted tunnel would only be from the 2nd router to the 1st router. It would do nothing to protect or encrypt your incoming/outgoing internet traffic.

      Reply
  21. Does that mean that when I want to connect to the router with my computer, I connect to the main router, but if I want to use the VPN access, I connect to the VPN router? Can I do that?

    Reply
    • Yes. That is how this setup works. The 1st router (main router) is not connected to the VPN. If you connect to that wifi network, your traffic won’t be encrypted. The 2nd router is connected to a VPN. To use the VPN, simply connect to the 2nd wifi network.

      Reply
  22. Hi

    I’m working off of a Mac and still can’t get internet connectivity after following the steps above to the tee (minus the troubleshooting as this section only applies to Windows OS).

    Please help me get internet connectivity.

    Primary router: Verizon FIOS Quantum Gateway
    Secondary router: ASUS RT-AC1900P; this is connected as per the picture in step 4 above.

    Thanks!

    Reply
    • I’m not completely familiar with the command line in OSX, but check your local IP address and see if it matches the IP address of the router you’re connected to. My guess is you either have a DHCP conflict or you don’t have DHCP enabled on the 2nd router, so you’re being assigned an IP address on the wrong subnet.

      Reply
  23. Can I connect to the VPN router (router 2) from outside my home? I.e., can it act as a VPN server so that I can access my home network from outside of it? Or is it hidden by router 1?

    Reply
    • ASUSWRT routers have a VPN server capability in addition to the VPN client function that we’ve used in our tutorials. If you set up a VPN server on your router, you should be able to access that network remotely (outside of your house) and possibly use that internet connection as well (again, remotely). I haven’t explored that feature myself yet, but you can probably find some tutorials on google or youtube.

      Reply
    • That’s correct. You’ll notice much faster VPN speeds on the 68U. You’ll get even better performance if you find a provider that allows you to configure 128-bit OpenVPN instead of 256-bit. Private Internet Access is one good example.

      Reply
    • That is a good question, but probably beyond my expertise. One suggestion: even if your ISP assigns an IPv6 address to your connection, I believe you can still use IPv4 for your local network.

      Reply
  24. Great tutorial!

    Can you please indicate what changes to the configuration are required to have the VPN router communicate to the primary router via WiFi? Other WiFi and hardwired device connections to the VPN router would still communicate over VPN to the primary router.

    Thanks!

    Reply
    • I think if you put the router in bridge mode like you’re describing, you lose the ability to run a VPN on the router. If you really must have a wireless connection between the two routers, then you could use a 3rd router as the VPN router, and plug that into the bridged router via ethernet.

      Reply
  25. A very useful article, a lot to gather from, to set up a VPN router with two routers, this article is the cool ever explained one could follow for the setup. Good content, keep posting with more this type of content, will help many more.

    Reply
    • A few posts up you’re saying that firewall can be disabled on the 2nd vpn router because all the internet traffic goes through the 1st router and its firewall.

      Is this still the case when using a vpn connection on the 2nd router? So does router 1 with its firewall still protect the router 2? The internet traffic goes through a vpn tunnel then right?

      Reply
  26. So this works great if connecting to each network using wifi. What if I wanted the same setup but through hardwired ethernet cables. So I’d like to be able to choose to connect to either 192.168.x.1 main router and also 192.168.x.1 VPN without physically changing any network cables or using wifi. Is this possible? I currently have 2 subnets active (192.168.x.1 and 192.168.x.1 using subnet mask 255.255.255.252) basically to be able to access the modem through the router without changing cables.

    Reply
  27. Thanks for tutorial, I’m having an issue, I have 2 RT N-12 Asus routers, I have a roku connected to my vpn router (router 2) and all other devices are connected to router 1. When I’m watching tv on my roku from vpn, I have extreme low speeds on my router 1, and suddenly the speed will increase to normal but my router 2 vpn will cut off. It’s like I can’t use the 2 routers together. Do you have any thoughts on what can be wrong?

    Thanks

    Reply
    • Do you have some sort of load balancing on the first router that limits the speeds of each individual LAN port? So perhaps the 2nd router has restricted bandwidth.

      Also important: are you running a VPN directly on the RT N-12? If so, this is why your speeds are slow. That router doesn’t have a powerful enough CPU to run a VPN. We recommend the AC-68U at a minimum, which is the cheapest dual-core CPU router that ASUS sells.

      Reply
      • Thanks for the response, my issue is that when 1 router works, the other does not. If I’m using router 2 with the vpn, my wifi laptop does not have internet on router 1. If I keep on trying, it will suddenly start working but then router 2 will stop working. I have a ‘serial link appears to be disconnected’ in the logs.

        Reply
  28. Thank you for a great tutorial. This may be a dumb question, but just so I can understand it clearly ~ with the setup you describe ~ when I actually use my pc for internet browsing (with an ethernet cable) I would stick the ethernet cable from the pc into one of the lan ports in the primary router (this should keep the connection up to maximum speed because it’s not going through the VPN?) (In this everyday scenario I am just doing general browsing ~ don’t need the security of a VPN), but then when streaming (so need to un-geo-block) I would have the Roku (or other streamer) connected via the secondary (VPN) router?
    Much thanks for a response! Paul

    Reply
  29. Outstanding, informative, and well written article. I’ve been able to connect a NordVPN Linksys router to a Netgear 1750. This setup enables me to use my Firestick devices knowing that my VPN is always on.

    Thanks

    Reply
  30. Would this way enable me to assign STATIC IP or rather fixed IP addresses to some of my devices and those devices would remain on the same IP address while I could toggle those devices between main and vpn router connections as and when required…

    Reply
  31. I have done and it works great. But my main concern is if it is possible to not connect two routers via ethernet cable and connect the VPN router to the main router through WIFI only? I understand there may be speed drops but I would like to keep each other in a distant location.

    Reply
  32. A fantastic tutorial, thank you for the effort of putting all this together. I have got my double router setup happening after following your instructions and everything appears to be working. I just have a couple of questions. One has to do with the NAT Passthrough settings. In your tutorial you mention what the settings need to be for the Primary Router but what should the setting be for the VPN router? Should they be the same for both routers? I have got them set up the same and it works but I was just wondering if this is correct?

    Reply
    • You need passthrough enabled on the primary router so that VPN packets get routed through it correctly. I don’t think you need it configured on the VPN router, but leaving it enabled is fine too. If it works, don’t mess with it.

      Reply
  33. Is it possible to accomplish the same with one router but two wireless networks? wifi-A broadcast data directly from WAN and wifi-B configured to broadcast data via configured VPN? I’d imagine it would take specialized hardware if at all possible

    Reply
    • It be possible if your router supports ‘bridge mode’ via wifi instead of an ethernet connection. Then you can configure the VPN on the bridged router.

      Reply
  34. Great tutorial. Just had one question for my setup.
    I am on a Hitron cable modem as the main router and have a Cisco RV042 VPN router as my second router. The setup is as you outlined. The problem I am facing is that the VPN router WAN address is a local address. I need it to be a public address to set up a gateway to gateway VPN connection to my office. I can achieve that by putting the ISP’s router into bridge mode but I lose TV and WiFi.
    Is there another way to get the VPN router’s WAN address to be a public one?

    Reply
    • I think maybe with static routes that create a tunnel from the subnet to the primary network? It’s beyond my expertise unfortunately, but please share if you find a solution!

      Reply
  35. Thank you for your instructions. I set this up with two ASUS RT-AC66U (1750 AC) routers. I had an original RT-AC66U (MIPS Processor version), and a newer RT-AC66U Rev B (which is a dual core identical to the RT-AC68U). I was trying to figure out what to do with the older RT-AC66U when I came across your post, as I actually searched the very concept.

    Used the lower powered MIPS router as primary and the more powerful Rev B as the VPN router (it was already set up as VPN router), I am now able to get Netflix and Prime to run without complaining about being on a VPN.

    Prior to your instructions, I had to turn off the VPN to use prime on the smart TV, or even to cast it to our Chromecast. Now, I just connect the TV with Wifi to the non vpn router and voila it works like a charm.

    BTW I connect all things like Alexa, Smart Refrig, and Google Nest thermostat on their own separate guest network behind the vpn. These things should not be on the same wifi network as your computers! The FBI even said as much….. They are spying on you….Why does my thermostat have a microphone anyhow, Google? Yeah right it is not turned on. Screw you.

    Reply
  36. thanks for the easy to understand tutorial yet I have one question:

    is there any way devices attached to the primary router to get routed thru the vpn router?

    all my devices have a static IP address.

    Reply
  37. I followed this guide and successfully set up my VPN dual router. I have the ASUS rt-ac68u as recommended by this site. I was totally happy with the connection speed and set up went smoothly.

    I have recently switched broadband suppliers and have rigged the VPN router to the new supplier router. The VPN still works, however with my previous supplier I was getting regular speeds between 24mbps to 36mbps and VPN speeds of between 16mbps to 20mbps.

    With the new supplier I am getting regular speeds of around 50mbps but a VPN speed of between 1mbps to 14mbps.

    Not sure why the VPN speed has now massively reduced. Would you recommend resetting up the VPN router again from scratch? As all I have done is check the IP address of both routers don’t clash and connected up the two routers lan to wan.

    Reply
    • Your settings shouldn’t need to change just because you have a different mobile provider. If you have a new primary router (provided by your ISP) you might want to make sure that VPN passthrough is enabled on that router.

      But to be honest this sounds like textbook throttling. Your new ISP may throttle encrypted VPN traffic. To test whether it’s your router setup or the ISP do this:

      Disable the VPN on your router, connect to your primary router and run the VPN software on your computer. If speeds are much faster, then it may be a router issue. If speeds are still bad then it’s your ISP.

      Reply
  38. I have the setup and wanted to create a true killswitch. What I did in my Asus router was not to use the redirect internet choice which is supposed to kill the internet if the tunnel goes down, but instead in my router under WAN I turn off NAT. What happens is that once the tunnel goes down, the NAT is off so the router cannot find any internet since it cannot connect to the main router.

    Let me know if it makes sense. If I turn off the VPN, the internet is dead. It only works when the VPN is running.

    Is this really a true and failsafe technique to prevent my ISP from seeing anything when the VPN tunnel goes down? The reason I did this was because Merlin in older versions had DNS leaks when you used the redirect internet traffic command. I heard it was fixed, but I just want to play it safe. I only want the internet to work when the router is accessing data over the VPN.

    Reply
    • That’s an interesting trick, thanks for sharing.

      If your devices have no internet access when the tunnel goes down then it shouldn’t be possible for your ISP to see any data (there isn’t any).

      Reply
  39. Hi – I did the exact steps, but when I connect through desktop to VPN router, the iplocation still gives me non-vpn router’s location, i.e., PPTP does not kick in. Any reason why?

    I changed the subnet on VPN router, I used google dns on vpn router, but kept the dns on primary router default.

    Reply
    • It’s hard to say for sure without seeing your setup, your router logs or knowing your VPN service. I tried enabling PPTP myself and here’s what worked:

      First I tried using ‘Auto’ in the ‘PPTP Options’ dropdown. That did not work. The VPN I used is Private Internet Access.

      The router logs confirmed the connection was failing. So I switched to ‘MPPE 128’ as the specified encryption type. Then (IMPORTANT) I restarted the router. The PPTP connection works perfectly, no issues now.
      ASUSWRT PPTP Settings

      Reply
  40. Can you add more than one additional router?

    As in

    Router 1: main, non-VPN router to local ISP
    Router 2: VPN set to UK server
    Router 3: VPN set to Canadian server

    Great tutorial BTW

    Reply
    • Sure. You would connect each router’s WAN port to a different LAN port on Router 1. Then set each Router to a different subnet. So:

      Router 1: 192.168.1.xxx
      Router 2: 192.168.2.xxx
      Router 3: 192.168.3.xxx

      Reply
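The multi-router layout in the reply above only works if every router's LAN is a distinct subnet and each VPN router's WAN address comes from the primary router's LAN. The following check is an added example, not part of the original thread; the /24 masks, the WAN addresses and the function names are assumptions made for illustration.

```python
import ipaddress

# Constructed plan based on the addressing in the reply above.
# The /24 masks and the WAN addresses (.50, .51) are assumptions.
PRIMARY_LAN = "192.168.1.0/24"
VPN_ROUTERS = {
    "router2": {"lan": "192.168.2.0/24", "wan_ip": "192.168.1.50"},
    "router3": {"lan": "192.168.3.0/24", "wan_ip": "192.168.1.51"},
}


def check_cascade(primary_lan, vpn_routers):
    """Return a list of problems found in a LAN-to-WAN cascade plan.

    primary_lan: CIDR of the primary router's LAN.
    vpn_routers: name -> {"lan": CIDR, "wan_ip": address the router
                 received on its WAN port from the primary router}.
    """
    problems = []
    primary = ipaddress.ip_network(primary_lan)
    seen = {"primary": primary}
    for name, cfg in vpn_routers.items():
        lan = ipaddress.ip_network(cfg["lan"])
        wan_ip = ipaddress.ip_address(cfg["wan_ip"])
        # Overlapping LANs make the router unable to tell "upstream"
        # from "local", which shows up as no internet on that router.
        for other_name, other in seen.items():
            if lan.overlaps(other):
                problems.append(
                    f"{name}: LAN {lan} overlaps {other_name} LAN {other}")
        # The WAN port must have a lease from the primary router.
        if wan_ip not in primary:
            problems.append(
                f"{name}: WAN address {wan_ip} is not inside primary LAN {primary}")
        seen[name] = lan
    return problems


def diagnose_client(client_ip, primary_lan, vpn_routers):
    """Say which router's LAN a client address belongs to.

    Returns the router name, "no-dhcp-lease" for a self-assigned
    169.254.x.x address, or None if the address fits no planned subnet.
    """
    ip = ipaddress.ip_address(client_ip)
    if ip.is_link_local:
        return "no-dhcp-lease"
    if ip in ipaddress.ip_network(primary_lan):
        return "primary"
    for name, cfg in vpn_routers.items():
        if ip in ipaddress.ip_network(cfg["lan"]):
            return name
    return None


if __name__ == "__main__":
    print(check_cascade(PRIMARY_LAN, VPN_ROUTERS) or "plan is consistent")
    # A device that should be on the VPN router but reports a 192.168.1.x
    # address is actually attached to the primary router (no VPN).
    for addr in ("192.168.2.23", "192.168.1.23", "169.254.10.4"):
        print(addr, "->", diagnose_client(addr, PRIMARY_LAN, VPN_ROUTERS))
```

A device that is expected to sit behind a VPN router but resolves to `primary` here is sending its traffic outside the tunnel.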
  41. Great Tutorial.
    All I’m trying to do is have everything on my set up go through VPN but ISP’s router can’t be configured to use VPN. Nor can my Mesh system which I need to keep in Bridge mode.
    Currently ISP router is sole DHCP provider with WiFi switched off so everything connects through Mesh.
    I’m proposing (after reading your tutorial) the following set up:
    1. ISP router left as is (192.168.1.#) but disable DHCP & LAN to WAN link to 2nd. router.
    2. 2nd. router (192.168.2.#)with VPN installed (DD-WRT) DHCP enabled & connected to mesh LAN to WAN.
    3. Mesh (192.168.5.#) left in Bridge mode (hence DHCP disabled). Hence all addresses issued by router 2.
    Hope that this makes sense & would appreciate any comments/advice you may have or any problems you foresee. TIA.

    Reply
    • Yep that should work. You can leave DHCP ON on the ISP router, just set it to a separate subnet than the DD-WRT router. It’s also worth checking with your ISP to see if your DD-WRT router can replace the ISP router altogether. Quite frequently it can, with the correct settings.

      Reply
  42. Fantastic article and very easy to follow. I managed to set up my network in minutes.
    I’ve used an ASUS DSL AC689U as the primary with an Archer C7 as the secondary using L2TP.
    LAN to WAN connection.

    Reply
  43. Hi
    I have an Arris modem/router from my ISP and I just bought a TP Link Archer A7. I’m trying to setup OPENVPN on the TP Link. I followed the instructions using port 1194. But when I try to connect it does not work. Is it because the vpn router is behind another router? Any suggestion would be appreciated.

    Reply
    • Check the router logs to confirm whether it’s your network configuration or an error in your VPN configuration. Also, you can try connecting the VPN router directly to the modem and see if it makes a difference.

      Reply
  44. Well my network exactly works as explained in this tutorial. My final goal is to make sure anyone on each router not to be able to communicate to each other. Currently when I am connected to router 1 (main router without vpn), I can not log into router 2 (the one with vpn) and that is what I want, but the problem is when I am connected to router 2, I can log into web page of both routers! And I don’t want that! What should I do?

    Router 1 (192.168.0.1) is a combo (modem+router) and connected through its LAN port to Router 2’s (192.168.1.1) WAN port. Router 1 has no VPN and router 2 has VPN and both are working fine. All I want to achieve is, when I am on Router 2, not to be able to communicate or access router 1’s configuration page through browser! I want both router not to see or communicate with each other and only internet access travel from router 1 to router 2.

    Reply
  45. Dear VPN Uni Team,

    my primary router does not support VPN passthrough. Can I use port forwarding to solve this? If so how do I know which port to open?
    How come the VPN client on my PC can access the VPN server through my primary router but the VPN Client on a router cannot?

    Thanks for the help!

    Alisdair

    Reply
    • VPN Pass-through is only necessary for L2TP or PPTP. If you’re using an OpenVPN connection you shouldn’t need pass-through. That’s why your VPN client on your computer works.

      Reply
  46. Dear VPN Uni Team

    I’m guessing a Huawei B310S-22 won’t do as a primary router in this set-up?
    It has VPN Pass-through, but only has one port, a wan/lan auto-switch.

    Thanks in advance

    Reply
  47. Hello.
    Thank you for the very useful instructions and the discussions, they are most helpful.
    Will your configuration work with a BT Smarthub 2 as the main router, and an Asus RT-AC68U as the dedicated VPN router, taking into account the rather limited access to settings available on the BT SH2?
    Is there a VPN that would be best suited to this arrangement, perhaps one that employs openvpn to avoid pass-through problems?
    Also, could the Asus router be used as an access point (lan to lan) to the SH2, but still run a VPN successfully, with wi-fi access on both routers?
    Thank you,
    Tom.

    Reply
    • Almost any router will work as the primary router (as long as it has LAN ports) so yes, the BTSH2 should work. I don’t think you can run the VPN in AP mode, it has to be in ‘Router’ mode.

      Reply
  48. Thank you for this very useful guide.

    I purchased an Asus RT-AC66U_B1, and followed your instructions for the installation and it all worked (remarkable given how much of a tech imbecile I am). My smart tv, apple TV, iPad and computer were all being passed through the VPN. But I then needed to send an email (and, as per the question above, the VPN tunnel did not want to allow for this). I wanted to switch my computer to the main router (frankly I would like to have it on the main router all the time). But I could not see how. In my list of wifi networks, ASUS no longer showed up, only my main ISP network. If I typed 192.168.1.1 or 192.168.2.1 into my browser they both take me to the page for my main router, and there was no way I could see to get to the ASUS router’s page (I can, by turning off my main router, but then it seems to configure it as no internet access).

    Can you offer any advice on this please. And thank you again!

    Reply
    • If your Asus router is a …2.1 and your main at 1.1 you can only access one or the other IP address. It depends which wifi network you’re connected to at the time. One thing to make sure is that neither router is set up in Access Point or Bridge mode. They both need to be in router mode. That could explain why your other wifi network isn’t visible.

      Reply
  49. Hello.

    Further to my earlier post, I thought I would provide a progress update on setting up my ASUS RT-AC68U VPN router behind the ISP supplied router.

    I have followed your instructions but encountered a problem with the VPN router not connecting to the internet, there are also suggestions in its log about using the 192.168.2.1 subnet address, but it doesn’t appear to be terminal. I used the following settings that are now working but without a running VPN:

    1. Wan Connection type: Select “Automatic IP”.

    2. Enable WAN, NAT and UPnP options.

    3. Connect to DNS Server automatically: Check “No”.

    4. DNS Server1: 8.8.8.8 .

    5. DNS Server2: 8.8.4.4 .

    6. DHCP query frequency: Select “Aggressive Mode”.

    7. Once all the settings are entered click “Apply”.

    With your suggestions and these settings both routers have access to the internet with comparable download, upload, and latency values.

    I am changing my VPN provider, so I haven’t yet set up a VPN on the ASUS router, and that is the next task.

    I’ll let you know how I get on with the final step.

    Thanks again for your help.

    Regards,

    Tom.

    Reply
  50. Hello again.

    I have now subscribed to a replacement VPN and it is running on the Asus RT-AC68U as a VPN router behind the ISP router.

    The public IP address is substituted and data flowing through both routers is encrypted.

    The connection speeds are reduced significantly but still adequate for most purposes.

    The first VPN client was unable to authenticate the connection with the configuration, but the second connected first time and a sample of the available servers all functioned, with the furthest being slower than those closer. WiFi connections were slower still, and remote servers reduced the speed over WiFi to a level that might not be sufficient for some purposes.

    Overall, the configuration is working successfully, but the choice of server and connection mode needs to be managed, with ethernet giving better results for more remote servers.

    Thank you for your help.

    Regards,

    Tom.

    Reply
  51. I am looking to set up a second router as a VPN router. The first router is a combined Modem/Router supplied by my ISP. This is at a holiday home in France; my home is in the UK. I currently have an ADSL line but this will shortly be upgraded to fibre. I am not certain what configuration will be permitted on the original modem/router but my current ADSL one is limited. (I can’t look at it as travel is not permitted). I was looking at possible routers and TP Link specify that the 1st router must be set to Modem Only Mode. I am uncertain if this is possible. I am also considering an ASUS RT-AC66U and can find no reference to use with a Modem/Router. Would this be a problem? Thanks, Peter

    Reply
    • Hi Peter,

      First off, the primary router should work in modem mode or in router mode. The situation where it doesn’t work is if set to repeater mode or access point mode or if it’s part of a mesh network.

      As for which VPN router to use, I own the AC66U and it’s just not powerful enough for regular VPN use. I max out around 11-20 Mbps depending on how strong of encryption is used. I’ve used the Asus AC68U for years and it’s been solid but still maxes around 30Mbps with 256-bit encryption.

      Depending on your budget, you may want to look at the new AX86U from Asus. Users are reporting OpenVPN speeds over 100Mbps and great latency.

      Also, the AX86U and AX88U are supported by AsusWRT Merlin, which is a 3rd-party firmware for Asus routers. It adds extra VPN functionality like split-routing, but keeps the familiar user interface.

      Reply
  52. I set this up with a TP-Link archer A7 and a VILFO VPN router.

    When the vilfo is connected separately to the router, it works.

    Once the vilfo WAN is connected to TP-link LAN, vilfo cannot connect to internet. Also cannot connect to the Vilfo admin panel but can connect to wifi. This is with VPN turned off too. IPconfig says “media disconnected”. Windows networking troubleshooting says windows cannot communicate with the device or resource (primary dns server). Early into the connection it appears to connect to the internet for a brief few seconds then disconnects.

    Subnets are changed per the article.

    Anything else I can try?

    Reply
    • I’ve never used a Vilfo router. I just checked out the website, looks like a beast of a device. The first thing I would do is make sure DHCP is enabled on both routers and you’ve got them set to separate subnets. Also specify DNS servers on both and see if that helps. Check the IP address you’re being assigned when on the Vilfo router and see if it matches what you expect.

      Beyond that, I’d contact Vilfo support. At that price-point they’ve gotta have a tech team who can help you troubleshoot. I’d love to hear back about your experience with the router and what sort of speeds you’re getting.

      Reply
  53. Hello,

    First off thanks for the guide, really well written out! I have a tp-link archer router as my primary and I flashed an old linksys router with tomato firmware on it. I followed the instructions and used protonvpn to get the certs and setup the vpn on the tomato router. I have everything working it appears and am able to get internet on the tomato router and have an ip address from that subnet, however, when I go to whatismyip it is still showing my home IP address. Have you ever run into this before? If I check the status of the VPN section in Tomato it says it is running but it says the client is not running or status could not be read on the status tab. Thank you so much for your help!

    Reply
    • My best advice would be to check the router logs to see what is happening during the initial VPN connection. Sometimes when misconfigured the router might report it’s connected, but the logs show it’s not.

      Reply
  54. Hi Team,
    I can’t get my VPN working, ipleak.net still shows my ISP’s IP address (but DNS servers are shown correctly from VPN provider).

    Here is my setup:
    LAN-to-WAN router cascading as described above
    Primary router: Cisco EPC3925 Voice Gateway EuroDOCSIS 3.0 (VPN Passthrough Enabled for IPSec and PPTP)
    VPN router: Asus RT-AC66U (newest stock FW, Ver. 3.0.0.4.382_52287)

    VPN connection configured according to my VPN provider (Surfshark) web pages, via a downloaded OVPN file. Asus shows the OpenVPN client connection as Connected.

    Any thoughts what could be wrong?
    Thank you!

    Reply
    • The first step would be to check the logfiles on the ASUS router. Sometimes you can get the green checkmark but the logs show an error.

      Also, depending on what IP-check tool you’re using, sometimes they don’t update correctly when you refresh the page. I’m not sure if it’s a browser caching issue or what. Try checking on a different device if possible.

      But in my experience, every time there’s a connection issue it shows up in the router logs.

      Reply
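Several replies above recommend reading the router log rather than trusting the "Connected" indicator. The following is an added example, not part of the original thread or any router firmware: it replays OpenVPN client log lines in order and reports the state after the last relevant message. The message strings are standard OpenVPN client output, the pattern list is a small subset rather than a complete catalogue, and the timestamps and process tag in the sample lines are constructed.

```python
import re

# OpenVPN prints this once the tunnel is fully established.
UP_MARKER = "Initialization Sequence Completed"

# A small subset of failure messages; first match on a line wins.
FAILURE_PATTERNS = [
    ("auth_failed", re.compile(r"AUTH_FAILED")),
    ("tls_failed", re.compile(
        r"TLS Error: TLS (key negotiation failed|handshake failed)")),
    ("restarting", re.compile(
        r"Inactivity timeout \(--ping-restart\)"
        r"|SIGUSR1\[[^\]]*\] received, process restarting")),
]


def tunnel_state(log_lines):
    """Return (state, evidence_line) after replaying the log in order.

    state is "up", one of the failure labels, or "unknown" when the log
    contains neither the up marker nor a known failure message.
    A failure that appears AFTER the up marker overrides it, which is
    the case where the UI can still show the client as connected.
    """
    state, evidence = "unknown", None
    for line in log_lines:
        if UP_MARKER in line:
            state, evidence = "up", line
            continue
        for label, pattern in FAILURE_PATTERNS:
            if pattern.search(line):
                state, evidence = label, line
                break
    return state, evidence


# Constructed sample logs (syslog prefix and process tag are made up).
CLEAN = [
    "Jan  5 10:02:09 ovpn-client1[901]: TLS: Initial packet from [AF_INET]203.0.113.10:1194",
    "Jan  5 10:02:11 ovpn-client1[901]: Initialization Sequence Completed",
]
DROPPED_AFTER_CONNECT = CLEAN + [
    "Jan  5 11:40:02 ovpn-client1[901]: [server] Inactivity timeout (--ping-restart), restarting",
    "Jan  5 11:40:02 ovpn-client1[901]: SIGUSR1[soft,ping-restart] received, process restarting",
]
AUTH_REJECTED = [
    "Jan  5 10:02:09 ovpn-client1[901]: TLS: Initial packet from [AF_INET]203.0.113.10:1194",
    "Jan  5 10:02:10 ovpn-client1[901]: AUTH: Received control message: AUTH_FAILED",
    "Jan  5 10:02:10 ovpn-client1[901]: SIGTERM[soft,auth-failure] received, process exiting",
]

if __name__ == "__main__":
    for name, log in (("clean", CLEAN),
                      ("dropped", DROPPED_AFTER_CONNECT),
                      ("auth", AUTH_REJECTED)):
        state, evidence = tunnel_state(log)
        print(f"{name}: {state}\n    {evidence}")
```

A state other than `up` while the public IP check still shows the ISP address points at the VPN client configuration, not the two-router cabling.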
  55. Excellent guide. Just a question if I may. On section 2-3 (Enable DHCP & Specify DNS), would the “Local DNS” number be the same as my ISP DNS number? Thanks in advance for all your help.

    Reply
  56. Great article for exactly what I’m trying to accomplish, but I have one question. My current home network consists of a Netgear cable modem, an older Netgear Orbi (RBR20) mesh system, and a 16 port switch. I’d like to use the new, secondary router, as the VPN and only use it for my ROKU/TV to bypass sports blackouts. I’d like to remove the ethernet cable to the ROKU/TV from the switch and connect it directly to the VPN router . Since the primary router (Orbi) is connected to the switch, how would the VPN be connected to the Orbi? My thought is that the WAN port of the VPN would be connected to the switch. Is that correct? The Orbi only has two ethernet ports, Internet (to cable modem) and Ethernet (to switch). Thanks for any help you can provide.

    Reply
    • If I’m understanding correctly, your network setup is: Modem > Switch > Orbi.

      So yes, you can just connect the VPN router’s WAN to the switch, and the Roku to the VPN router.

      Reply