Configuring the main router to use the VPN service

sram
Hi,

I know that it is possible to configure the main router providing internet to a house to use the VPN service the router owner subscribed to. This way, all devices connecting to the internet via the router will access the internet using the specific VPN service the user is using. Say that I only want one device (a PC, for example, or an iPad) to utilize the VPN connection, while all other devices use the normal connection with normal speed. Is there a way to configure this in a router? Meaning when the specific device connects, it connects with the VPN, and any other device connects normally.

If not by manufacturer firmware, maybe by customized firmware like DD-WRT or Tomato?

I presume it is not doable. One can only enable or disable the VPN in the router. I don't see how it can be done. But it doesn't hurt to ask.

Thanks.
 
I've been toying with this myself, but I want to do it by VLAN. I want to have a VLAN where all traffic routes through the VPN, and the only outbound traffic allowed is to the VPN server, so if any apps "leak" they won't get anywhere. I have not looked into how I'm going to accomplish this yet, though, but I presume all I need is a VM acting as a gateway; it will run the VPN client and the default gateway is just set to that instead of the router. In theory I think this should work, but I have not tried it yet, so I may be overlooking something. I think the gateway VM may also have to be what does NAT/DHCP on that VLAN for it to work.

What you would do in that case is have a Wi-Fi network that uses that VLAN, so any device you want to use the VPN you just connect to that Wi-Fi network. Or plug it into a certain jack in the wall that is set up on that VLAN.
 
Assuming your VPN uses standard protocols and you're using a real router, this is trivial using either something like standard IPsec SAs or policy routing. I've got several customers that use an SSL-based cloud web filtering service for some of their internal users, and we use policy routes for that.
 
Any decent firewall/router can do this.

How? Can you please expand? Is it what was already explained in previous posts? How should a newbie do it? I don't have the model number now, but it is a new Asus router. I'm trying to do this for a friend.


Any Netgear WNDR3700v3 owners here? I have this router, which is pretty famous, so I think if you tell me how to do it on this router, I'll grasp the concept and will be able to do it on his router. I can even try it myself. I was actually planning to buy some VPN service for one month to try several things.

Thanks to all
 
I think I now understand. I have loaded Tomato firmware onto the router. I can see the "Routing Policy" tab in the OpenVPN client configuration. When I select it, it gives me the option to choose a range of IP addresses. I presume devices using these IP addresses will get their traffic redirected through the VPN. Others will access the internet directly. But this way, I have to bind the device MAC address to one of the IP addresses in the range.

Right?
 
In general, load the VPN service, then tell the firewall to route packets going to/coming from X via interface Y (VPN).
I have no idea how you do that in Tomato as I do not use it.
 
Okay, if I want to do it the simple way, and assuming that I have two routers, I'll hook one router to the internet and have it set up normally, and have all devices connect to it to access the internet directly. I'll hook the 2nd router, running Tomato and configured to run my IPVanish account, to the 1st router. Any device that wants to use the VPN will connect to the 2nd router. That is doable, right? But how exactly? I also tried doing it, but it didn't work. I connected the two routers using LAN ports. I then connected a laptop wirelessly to the 2nd router with Tomato, but it accessed the internet directly without going through the VPN. This is when both routers have 192.168.1.1 as an IP address. I understand that both routers can't have the same IP address so that there is no conflict. I changed the IP address to 192.168.0.1, but then I wasn't able to access the internet at all via the 2nd router, which is weird!

There must be something else that I need to configure. What should I set the operating mode of the 2nd router to? It should operate more like a switch or an access point while configured to run the VPN.

Please help me with this while I'm working on the original problem. This must be easy to do for gurus like you. Please excuse my ignorance.

Many thanks.
 
Only one router is needed if you're doing this correctly. Since you lack even a basic understanding of routing, here is a poor first step, but it will leave you in a better place than you are now.

Understanding TCP/IP Networks 101

Even though it is against my better judgement I'm going to ask. What is it, exactly, that you are trying to accomplish?
 

Thanks Nick for your reply. I have my Network+ and will soon have my Security+, but yes, I'm a noob when it comes to routing. I'll read the link and come back.

What I want is very simple to understand and may not be simple to implement. In simple terms, what I want is selective routing. Say that you have a VPN service, and you configured your router to use it. My understanding is that all devices connecting to the router to gain internet will connect through the VPN, right? With a VPN, you will definitely lose some internet speed because of many factors. I don't want that. I only want several specific devices to connect through the VPN. Say that I only want my PS4 and Apple TV through the VPN so that I can have access to some content found on video streaming sites like Hulu. Other devices like my other PCs, iPads, iPhones, etc., I want them to connect directly to the internet and not through the VPN. This way, other devices will utilize the full speed of my internet service.

Clear enough, Nick? So basically I want the router configured in a way that only selected devices connect via the VPN, while others connect directly with no speed limitations.

Now, the router I have is an ASUS RT-AC3200, and I have the latest Tomato firmware installed on it. I know that it can be done with one router, but because I have a spare that I'm not using, I thought I would use it to accomplish what I want differently.

I want to keep the main router with original settings with no VPN configured. I'll connect the 2nd router (it also has Tomato) to the main router. I'll configure the 2nd router with my VPN account. Any device that I want to use the VPN will connect to the 2nd router; others will simply connect to the main router.

I hope I made it clear now.

Thanks again.
 
So set up the devices you want to go over the VPN with a static IP, then force traffic from those IPs over the VPN gateway instead of the normal WAN. You'll have to look up how to do this for your specific router, as each one is different.

And the CompTIA certs are basically a vocabulary test that looks good on an entry-level resume. Now that they changed it so they expire after a year, they are far less useful. You'd be better off focusing on any of the other certs like Cisco or MS, as they hold much more weight.
 
I'll try CCNA after I get my Security+. I think I'll go with the two-test option. This will make it easier. But it is actually practice that makes one an expert, not certificates. Actually building a workgroup and domain network is better than reading about them.

Anyway, what you explained is actually selective routing, which is what I'm ultimately trying to do. I don't really have to use static IPs, as I can bind the device MAC address to an IP address residing in the range I set.

This is the closest I got. It is blocked in my area, but I accessed it via the Tor Browser:

Selective routing for Tomato firmware - Per source IP address

Can you please contribute to the other question I raised? How do I connect two routers together?

Thanks.
 
I have my Network+ and will soon have my Security+, but yes, I'm a noob when it comes to routing.

Once again proving the utter worthlessness of those certs. If you truly want to learn basic networking, go get a CCENT or at least take the Cisco ICND class. I'm sure the Cisco classes are more expensive, but at least your money, and more so your time, will not be wasted.

My understanding is that all devices connecting to the router to gain internet will connect through the VPN, right?

This is incorrect. Please study the basic routing link I provided and feel free to use Google to find others. This is basic IP routing.


With a VPN, you will definitely lose some internet speed because of many factors.

Yes, you will lose some speed, but assuming your endpoint has sufficient bandwidth, the loss should be negligible. If your endpoint is oversubscribed, then find a new endpoint. You will certainly gain some latency due to the additional processing, and your routing will no longer be shortest path.


I know that it can be done with one router, but because I have a spare that I'm not using, I thought I would use it to accomplish what I want differently.

Don't think. Do it correctly, as you will simply cause yourself more grief otherwise. Short of a deliberate learning experience, there is never a reason to do something the wrong way. I'm not trying to be cruel here, but you are not where you need to be skill-wise to be creating problems for yourself just yet. Get this working correctly and gain skills through education. Once you have the skills, then by all means shoot yourself in the foot knowing full well you're doing so. It can be fun and rewarding, as you will learn the symptoms of the mistakes. Shooting yourself in the foot while not realizing you're doing it accomplishes nothing for you. Have a look at GNS3. It can be a great tool for learning the basics.

I want to keep the main router with original settings with no VPN configured. I'll connect the 2nd router (it also has Tomato) to the main router. I'll configure the 2nd router with my VPN account. Any device that I want to use the VPN will connect to the 2nd router; others will simply connect to the main router.

Put this idea out of your head as it will only make it more difficult for you. Use a single router with static IPs + policy routes.
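The "static IPs + policy routes" advice above, and the earlier idea of a VPN-only segment whose only way out is the tunnel, both come down to the same thing on a Linux-based router such as Tomato: a second routing table whose default route is the tunnel, a source-address rule that sends the chosen hosts to that table, and a firewall rule that stops those hosts from falling back to the WAN if the tunnel goes down. The script below is an added example written for this thread, not the Tomato GUI's own routing-policy code and not anything posted by the participants. Every interface name and address in it is an assumption for illustration (tun11 for the OpenVPN client, eth0 for the WAN, br0 for the LAN bridge, 192.168.1.0/24 for the LAN, and 192.168.1.50/.51 as the two hosts that should use the VPN); adjust them to the router you actually have.

```shell
#!/bin/sh
# Added example: source-based policy routing on a Linux router (Tomato, DD-WRT,
# OpenWrt or a plain Linux box) so that only listed LAN hosts exit through the
# VPN tunnel while everything else uses the normal WAN.
# All names and addresses below are assumptions, not values from the thread.
VPN_IF="${VPN_IF:-tun11}"            # assumed: OpenVPN client tunnel interface
WAN_IF="${WAN_IF:-eth0}"             # assumed: interface that holds the ISP address
LAN_IF="${LAN_IF:-br0}"              # assumed: LAN bridge
LAN_NET="${LAN_NET:-192.168.1.0/24}" # assumed: LAN subnet
VPN_HOSTS="${VPN_HOSTS:-192.168.1.50 192.168.1.51}" # assumed: e.g. PS4 and Apple TV
VPN_TABLE=100                        # routing table id used only by VPN-bound hosts
RULE_PRIO=1000                       # must be lower than 32766, where "main" is consulted
DRY_RUN="${DRY_RUN:-0}"              # DRY_RUN=1 prints the commands instead of running them

# Run a command, or print it when DRY_RUN=1 so the plan can be reviewed first.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

setup_vpn_policy_routing() {
    # Table 100 sends everything through the tunnel by default...
    run ip route replace default dev "$VPN_IF" table "$VPN_TABLE"
    # ...but a rule that selects table 100 does not fall back to "main" once
    # the default route matches, so the LAN route has to be copied in or the
    # VPN-bound hosts lose the printer, the router GUI and each other.
    run ip route replace "$LAN_NET" dev "$LAN_IF" table "$VPN_TABLE"

    for host in $VPN_HOSTS; do
        # Source-address rule: packets from this host consult table 100 before
        # "main". Policy routing runs before SNAT, so the LAN address is still
        # the source here even though the tunnel side is masqueraded below.
        run ip rule add from "$host" table "$VPN_TABLE" priority "$RULE_PRIO"
        # Kill switch: when the tunnel drops, the kernel removes its routes
        # from every table, the lookup falls through to the WAN default route
        # in "main", and the host would quietly go out unencrypted. Refuse that.
        run iptables -I FORWARD -s "$host" -o "$WAN_IF" -j REJECT
    done

    # NAT the tunnel exactly as the WAN is NATed, or replies never come back.
    run iptables -t nat -A POSTROUTING -o "$VPN_IF" -j MASQUERADE
}

# "show" prints the plan; "apply" needs root and a tunnel that is already up.
# Re-running "apply" adds duplicate "ip rule" entries; remove old ones with
# "ip rule del" first. "ip route replace" is safe to repeat.
case "${1:-}" in
    apply) setup_vpn_policy_routing ;;
    show)  DRY_RUN=1; setup_vpn_policy_routing ;;
esac
```

Two gaps a practitioner should close before trusting this: the REJECT rule only covers forwarded traffic, so if the VPN-bound hosts use the router itself as their DNS server, the router resolves those names over the WAN and the names leak; point those hosts at a resolver reached through the tunnel, or add a matching rule for the router's own traffic. And this is IPv4 only; if the WAN has IPv6, the hosts will use it for anything with a AAAA record unless IPv6 is disabled or given the same treatment.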
 
Juniper had a really good tutorial, but it got closed down :-/
//Danne
 
Selective routing is what you want if you don't want all internet connections to go over the VPN (which should only add a bit of latency unless you are using a crappy VPN service provider). The VPN tunnel is just another gateway to the internet that you only want certain devices to use. If you set it up based on MAC, that would be the easiest/simplest solution. Tomato is fairly widely used, so your best bet is to ask on their support forums for specifics on how to set this up with their firmware.

As for adding a second router... There is zero good reason, and it will just add complexity to the setup. It will be a pain to set up, since the router is not directly connected to the internet with a public IP, which is needed for a VPN. Plus the devices on that router will be double-NATed, which is just asking for problems.
 
How can I set up a VPN on a router? Any idea?
 