This tutorial will teach you how to set up a dual-router configuration with a dedicated VPN router behind another router (the primary router). This will work with any vpn-enabled router firmware, including DD-WRT, ASUSWRT (including Merlin), and Tomato.
We’ll be using what’s known as LAN-to-WAN router cascading, where each router is on a separate subnet.
This is an incredibly popular home network setup because:
- It gives you access VPN and Non-VPN connections
- Switch devices to/from the VPN simply by switching networks
- Connect devices like xbox, PS4, fire stick, or chromecast to a VPN
- Added insulation of VPN network (double NAT = greater security).
Visualizing the setup two-router setup
Below is a diagram of the home network structure we’re going to create. Traffic is encrypted by the VPN router, and flows through the primary router to the modem/internet. All devices connected to the #2 (VPN) router will use the VPN tunnel. All devices connected to the #1 (primary) router will use your normal internet connection.
What you’ll need for this tutorial
- A VPN-Capable Router: You can use any router with a CPU that can handle VPN math, and has (or supports) VPN-capable router firmware like Tomato, DD-WRT, or ASUSWRT (our favorite). Here’s our guide to the best VPN routers.
- A 2nd router: This will be the primary router (non-VPN). It can be any mid-range router that can comfortably handle the number of devices on your network. Ideally it should support AC wireless (for faster speeds) but it doesn’t need a fast CPU like the VPN router.
- Reliable, Fast VPN Provider: Preferably one that supports the OpenVPN protocol. We highly recommend Private Internet Access, NordVPN or IPVanish for router usage. PIA has 128-bit configs which allow for faster speeds.
- Ethernet Cable: This will be used to connect your two routers, for the dual-router setup. I love these low profile ones.
Part #1: Setup the primary router
There’s only minimal setup required on the main router, because it’s not actually doing anything besides passing on the already-encrypted traffic from the VPN router. You can use virtually any router in the world as long as it supports ‘vpn-passthrough’ (which most modern routers do).
Frequently people will use the router provided by their ISP/Internet Provider as the primary router. In fact, some cable TV/internet providers (like Verizon Fios) require you to use their router (or else your TV won’t work properly).
- Check the router’s subnet/gateway
- Check/Enable VPN-Passthrough
1. Check what subnet your router is on
Each device (including routers) on your home network has a ‘local’ IP address that identifies it’s location on your home network. Usually, IP addresses will start with 192.168.x.y and your router is the gateway, which is usually located at 192.168.x.1.
‘X’ is the subnet that your router is located on.
We’re going to need to put each router on a separate subnet so they don’t hand out the same IP address to different devices. To do that, we first have to check what the IP and subnet of your primary router is. The easiest way to do that (on windows) is:
- Connect to your router’s wireless network
- Run cmd.exe from the start menu
- Type ‘ipconfig‘ on the command line and hit ‘enter’
- Look for the line that says ‘Default Gateway……..’ That’s your router’s IP
- The second to last set of numbers (192.168.X.1) is the subnet
Most consumer routers use 192.168.1.1 as the default gateway if that IP is available on your network. Don’t worry if yours isn’t, you don’t need to change it. Just remember the IP address for later.
2. Enable VPN Passthrough
Most routers have a setting to allow/block VPN traffic flowing though it. It’s usually enabled by default, but it’s worth checking. To do this, you need to log into your router’s control panel by typing it’s local IP address into your web browser (e.g. 192.168.1.1).
You can usually find the relevant setting under Firewall or NAT settings. Below is the VPN-passthrough settings in DD-WRT firmware:
And ASUS’s ASUSWRT Firmware:
That’s it, your primary router is now properly configured.
Part #2: Set up the VPN Router
In this section, we’ll change the subnet of the VPN router so that it doesn’t overlap with the primary router. We also need enable DHCP so the VPN router hands out IP addresses to devices that connect to it. And finally, you’ll need to set up a VPN connection on your router if you haven’t already.
- Change the router subnet
- Enable DHCP
- Specify DNS Servers
- Connect VPN router to Primary router
- Test your setup
- Configure VPN Connection (if you haven’t already)
1. Change VPN router’s subnet
- Make sure your VPN router is powered on. It doesn’t need to be connected to the internet, and should NOT be connected to your primary router via ethernet cable yet.
- Connect to your VPN router’s wifi network (orrun an ethernet cable from your computer to the router)
- Log into the router’s control panel (type the router’s IP into your browser window and hit enter. If your not sure what it is, use IPconfig as in part #1 above).
- Find the router’s IP address settings (often in LAN or basic setup)
- Change the router to a different subnet than the primary router (so 192.168.2.1 if primary router is 192.168.1.1)
Go to: Setup > Basic Setup > Network Setup (section) > Router IP
And if the router’s IP and subnet matches that of the primary router, change it:
For ASUSWRT/ASUS Routers:
Go to: Advanced Settings > LAN > LAN IP
You can make the subnet anything you want as long as it’s 255 or less. In general, pick a smaller number (2 or 3) so you can easily remember it for future router panel logins.
2-3. Enable DHCP and specify DNS
We need to enable DHCP so your router can hand out IP addresses to all your other connected devices on the same subnet. We’ll also manually specify a DNS server as a troubleshooting step just in case your VPN provider doesn’t have their own.
DHCP and DNS settings can usually be found near each other, and probably in the same screen where you just specified your router’s IP address.
Which DNS To use: If your VPN provider has it’s own DNS servers, you can get it’s IP addresses from their support/help documentation and use that in this step. Otherwise, you can use any public DNS provider like FreeDNS, GoogleDNS, or ComodoDNS. In our example we used GoogleDNS.
- GoogleDNS: 184.108.40.206 & 220.127.116.11
- ComodoDNS: 18.104.22.168 & 22.214.171.124
- OpenDNS: 126.96.36.199 & 188.8.131.52
Don’t worry if your router firmware only allows one DNS server (like ASUSWRT) that should be fine.
4. Connect the VPN router to the Primary router
Now that your router settings are properly configured, we need physically connect the two routers via and Ethernet cable. It’s important to make sure you plug each end into the correct port though!
Plug the ethernet cable into each router as follows:
- Primary Router: Any open LAN port
- VPN Router: WAN Port (where you’d usually connect the modem)
Note: The WAN port of the primary router should be connected to your modem (or however you get internet access).
5. Test the Two-Router setup
Make sure both routers are powered on and the ethernet cables or connected to the correct ports: VPN WAN > Primary LAN and Primary WAN > Modem.
- Connect wifi network of your VPN router.
- Try to open any web page in your browser
If the website loads properly, congratulations! You now have a properly configured two-router setup with a dedicated VPN router. If you don’t already have a VPN connection configured on your router, continue to part #3 to learn how.
If you don’t have internet connectivity right away, here are a couple things to try (on Windows machines):
- Disable the VPN on your VPN router (to make sure that’s not the issue)
- Doublecheck you have a valid DNS server configured
- Open CMD.exe and run IPconfig to make sure your computer has an IP assigned on the VPN router’s subnet (if not, your DHCP server isn’t working correctly).
- Try flushing your computer’s DNS:
- Open CMD.exe
- Type IPConfig/FlushDNS and press Enter
- Type IPConfig/RegisterDNS and press Enter
- Type IPConfig/release and press Enter
- Type IPConfig/Renew and press Enter
- If you still get a DNS error, manually specify a DNS server in your TCP/IP settings
- Reboot the router
Part #3: Set up the VPN connection
If you haven’t already done so, you need to configure your 2nd router to create a full-time VPN connection. The exact method depends on the router firmware you’re running.
Currently there are 3 main router firmwares that can connect to a VPN.
Here are the OpenVPN client setup instructions for each:
You can also use a PPTP or L2TP/IPSec VPN connection if you prefer (or if your router doesn’t support OpenVPN). Setup guides are usually available from your VPN provider’s knowledgebase.
A few extra tips:
Static Routes: Because each router is on it’s own subnet, devices on separate subnets may not be able to find each other. In my experience, devices on the VPN router can connect to some devices on the primary router (a printer for example) but not vice-versa. If you need devices to talk to each other between networks, you’ll need to build static routes, where you basically build a map or a path for a device between networks. The details of this are rather complicated, but here are tutorials for asuswrt and dd-wrt to get you started.
Speed: If you’ve never run a VPN on your router before, prepare for some speed loss. This is doubly true if your router has a single-core CPU or you’re using 256-bit AES encryption. The complex math behind VPN encryption quickly overwhelms the CPU on even high-end routers, so you’ll need to learn to be happy with 15-35mbps. If you need more bandwidth, you’ll have to run the VPN on your PC instead.
That’s it! I really hope you enjoyed this tutorial! If you still have any issues or questions, please make sure to leave a comment below. And don’t forget to follow us @vpnuniversity for the latest tutorials, reviews, and VPN deals.