How to build a VPN router

VPNs are great for both privacy and dodging geo-blocks, but they do have limitations. For a start, not every device has a VPN client – your game console, smart TV set and media player probably don't have a VPN client app available. What's more, your VPN service provider might only accept a single connection at a time.

The solution to both these problems is setting up a dedicated VPN router. With a VPN router, any device connected to it will automatically be routed through the VPN. That includes consoles and smart TVs and anything else you connect to it. It only counts a single connection from the VPN provider's point of view, no matter how many devices you have connected to it.

Note that this is actually different from installing an out-of-the-box VPN service onto a router. We have another guide for this aptly named "How to install a VPN on your router".  

There are also providers like ExpressVPN who offer their own custom router firmware, which is arguably more user friendly than configuring OpenVPN on DD-WRT.

The plan

The best solution for most people is to put a secondary router in your home. You can leave your existing internet router in place (we'll be calling this the primary router from hereon) and connect a second router to the primary router that's dedicated to providing VPN services. We'll call this the VPN router.

When this is done any device that you connect to the primary router – either physically through a wired connection or through WiFi – will have regular internet service. Any device connected to the VPN router (again, either wirelessly or with wires) will be routed through the VPN. You can, of course, bounce devices between them as needed, just by connecting to different WiFi networks.

What do you need

To make this happen, you'll need a second broadband router, one with an Ethernet WAN port (not an ADSL or cable modem router). We'll be installing special firmware on this router that lets you set it up as a VPN client. The router needs to be supported by DD-WRT, which is the name of the firmware we'll be using.

To check if a given router is supported by DD-WRT, head to the website and click on the Router Database. Perform a search for a router model name here, and a list will come up revealing whether the router is supported or not. If it is, you're good to go.

Before you start

Before we get started on the setup, there are a couple of things you should do:

1. Make a note of your primary router's LAN IP address (that's the one you use in a browser to access the router admin console). The examples in this tutorial are going to assume it's 192.168.1.1, but depending on your router model it could be 192.168.0.1, 10.1.1.1 or really any 192.168.x.x or 10.1.x.x variation.

2. Search the Router Database for the model of router you're intending to turn into the VPN router. This is very important – each router model has unique setup instructions and a recommended DD-WRT build to download. Double click on the router model to see its page.

3. On the router page, you'll see a link to the DD-WRT Wiki page for that router. Click on it. This will take you to an instruction page for setting up the router. We'll need to keep this page open and follow its steps carefully. Give it a read through now.

4. The Wiki page should also have a link to a recommended DD-WRT build. This will be a .bin file that you need to download to your PC. This is what we'll be using to flash the router. Depending on your router, you may also need to download additional tools, like a TFTP app.

Now to plug your VPN router in. Grab an Ethernet cable and connect the WAN (internet) port on the VPN router to any LAN port on the primary router. Next, connect your PC using an Ethernet cable to a LAN port on the VPN router. And we'll start flashing.

Installing DD-WRT

The router page from the DD-WRT Wiki has the exact instructions on how to flash your router. If you're lucky, it essentially goes:

1. Perform a 30/30/30 hard reset on the router. This means, while the router is power on, press and hold the reset button for 30 seconds. Then, still holding the button, turn the power off and wait 30 more. Then (again, still holding the button) turn the power on and wait another 30.

2. Log into the router's admin page and go the firmware upgrade section (usually found under administration). Use the file option, and select the .bin file you downloaded from the DD-WRT Wiki. Click start.

3. Wait a few minutes while it updates. Then perform another hard reset.

If you're not so lucky, you may have to perform some arcane hoodoo to put the router into debug mode. Again, follow the DD-WRT Wiki instructions very carefully, or you risk ruining the router!

Setup

Hopefully the router flashed successfully. Now it's time for some basic setup tasks. The default IP address of DD-WRT is 192.168.1.1. Open your browser, and enter that IP address into the address bar. The default username is root, password admin. You should see the DD-WRT interface. 

Click on the wireless tab. You'll need to set up the wireless access point with its own unique SSIDs – just like you would a regular router. Setting up wireless allows you to quickly switch between the primary and VPN router by just changing WiFi networks.

We don't want the LAN address of the of the VPN router to conflict with that of the primary router, so we may need to change it. Under Setup->Basic setup, find the section Network Setup/Router IP. Change the IP address of the VPN router so that it doesn't conflict with the primary router.

A good way to do this is to set it so that the third of the four numbers in the IP address is different (it can be anything between 0 and 255). For example, if your primary router's IP address is 192.168.1.1, you can set the VPN router to 192.168.2.1. If the primary router is 10.1.1.5, you could set the VPN router to 10.1.2.5 and so on. Then click Save.

Setting up the router as a client

Your VPN router is plugged into a port on your primary router – which thinks it's just another device on your network. On the main Setup/Basic Setup page you can set the WAN Connection Type. The default is DHCP, which is actually fine. But if you like, you can also switch to Static IP Address, which is just like setting up a static IP address on any other device on your network:

- the WAN IP address is the local address of the VPN router (the first three numbers should be the same as your primary router, but the fourth should be different; for example, if your primary is 192.168.1.1, you could set the VPN router to to 192.168.1.20).

- the subnet mask is 255.255.255.0.

- the Gateway is the IP address of your primary router (eg. 192.168.1.1).

- The Static DNS is the DNS server addresses for your ISP.

You'll see the value of a static IP address in the final section of this article, when we talk about connecting the networks.

Whether you go static or DHCP, make a note of the WAN IP address of your VPN router. It's there at the top right of the DD-WRT interface. You may need it later.

Just to check that everything is in working order, try to access the internet while connected to the VPN router. It should work now.

Setting up the VPN

Righty, now it's time to finally set up the VPN on the VPN router.

You'll need to head to your VPN provider's home page. It will have details and guides that you'll need to set up the VPN on the router. Most will have a guide for DD-WRT setup.

Typically you can set it up using either PPTP or OpenVPN, which are similar VPN technologies. OpenVPN is a little more secure, but it's also more difficult to set up.

Setting up PPTP primarily requires a server address provided by your VPN provider, which may include a list of servers by country, and you choose the one that your wish to appear to be from. You'll also need your VPN username and password – note that for some providers, like PIA, the PPTP username/password is distinct from the general username/password.

Now head to Services->VPN in DD-WRT and enable the PPTP Client. Enter the details supplied by the VPN provider in the box.

For OpenVPN, you'll usually have to copy and paste some scripts and certificates supplied by the VPN provider. Head to the provider's support page and look for the DD-WRT/OpenVPN setup guide. You'll need to follow it closely.

Once you've done that, reboot the router. When it starts up again, if the VPN client connected correctly, your WAN IP address should have changed. It's now your VPN IP address. Congrats! You've connected your router to the VPN.

Now that you have the VPN set up on your VPN router, you can call it a day if you like. Any device connected to the VPN router – wired or wirelessly – will automatically be connected to the VPN. Geo-blockers beware.

If you're prepared to dive into the weeds a little, however, there's more you can do. This next part is optional, but can solve a serious problem on some home networks.

Getting the networks talking to each other

With this configuration one problem that you'll face is that you have what are effectively two discrete LANs. Devices connected to the primary router may not be able to talk to devices connected to the VPN router. For most devices that isn't really a problem (they still have internet access), but if you have home servers like network attached storage devices you can run into issues.

Before you do anything, first try to connect to devices attached to the other router. In theory "upstream" connections – connecting from devices attached to the VPN router to devices attached to the primary router – should just work, so servers like NAS devices should generally be connected to the primary router. (Many NASs also have multiple Ethernet ports. Here's where you can make very good use of them, connecting one port to each router, thus giving devices attached to either access to the NAS.)

It's primarily in connecting the other way, from the primary to VPN router, that you'll run into problems.

Forwarding: VPN router

A more complete solution is to configure forwarding on both the primary and VPN routers so that data goes between them properly. This can be a little mind bending, so you need to pay close attention.

Let's start with the VPN router. We need connections from a primary router IP address to make it through the firewall. Connect to the VPN router and enter the admin interface.

Click on Administration, then on the Commands tab. In the Command Shell box, enter this line:

iptables -I FORWARD -s 192.168.1.0/24 -j ACCEPT

Then click on the Save Firewall button. (For those who are interested, iptables is a Linux command controlling firewall packet filtering rules).

This is assuming you have a 192.168.1.x address for your primary router. If it has a different address, you need to change the IP in that line to that the first three numbers are the same as your primary router – but the last number will always be 0. For example, if your primary router's LAN IP address is 192.168.5.50, the line would instead be:

iptables -I FORWARD -s 192.168.5.0/24 -j ACCEPT

One other thing you should do while connected to the VPN router: go to Administration->Management and enable the radio button for Web GUI Management. This will allow you to access the DD-WRT administration interface when you're connected to the primary router (it normally won't let you for security reasons).

Forwarding: Primary router

Now for the other side. The idea here is to get all connections to a VPN router IP addresses to be sent to the VPN router. For example, say your VPN router's IP address is 192.168.2.1. Any device connected to it will have an IP of 192.168.2.x, so we want all attempts to connect to 192.168.2.x to be forwarded to the VPN router (which now has an open firewall for such connections). We do this using a router tool called static routes.

Connect to the primary router and log onto the admin interface. You'll have to find the Static Routes section – it's usually under Advanced Routing. You have to create a new rule that will make any data destined for LAN addresses on your VPN router's network to be forwarded onto the VPN router. Follow these steps:

1. Give it a name. This is simply an identifying label for the rule. It can be anything.

2. Set the destination IP address as 192.168.2.0 (this assumes that your VPN router has an IP address of 192.168.2.x – as above, if it has a different address then the first three numbers are the same as you VPN router's admin console LAN IP address – but the last number will always be 0, which is a wildcard here. For example, if your VPN router's address is 192.168.10.50, then the number entered would be 192.168.10.0).

3. Set the subnet mask to 255.255.255.0.

4. Set the gateway IP address to the WAN IP address of the VPN router. Now this is tricky: remember how we asked you to make a note of the WAN IP address of the VPN router before it was connected to the VPN? We need that number. If you didn't make a note, then connect back to the VPN router and disable the VPN service. The WAN IP number should change to be the number we need. Remember that the WAN IP address of the VPN router is actually a LAN IP address of the primary router, since the VPN router is actually connected to a LAN port on the primary router. Confused? We told you this would be mind bending! As an extra note, if you set the VPN router up with DHCP, its address might change at times, so you'll need to modify this rule if it does.

5. Save the route.

Now that's set up, you can test it. While connected to the primary router, try to access the management console of the VPN router (this won't work unless you've enabled Web GUI on DD-WRT). Then switch around: connect to the VPN router and try to access the management console of the primary router. Hopefully it should work both ways.

Even with static routing set up, you'll still likely experience some wonkiness when you try to access devices across networks. For example, network discovery scans likely won't work across routers, so you won't be able to auto-detect media servers when using DLNA or file servers using the Network browser in Windows Explorer. To connect to them you'd have to manually Map Network Drive using the IP address of the file server. Unfortunately, unless you want to get really sophisticated and use VPN client/server technology to connect the routers or bridge the LANs with an Ethernet cable and set up a complex set of static IPs and routes (which are both possible, but beyond most users) that's just something you'll have to live with.