Connect a secondary VPN DD-WRT router to a non VPN router

leaf27
DD-WRT Novice


Joined: 16 Sep 2021
Posts: 38

Posted: Thu Sep 16, 2021 20:42    Post subject: Connect a secondary VPN DD-WRT router to a non VPN router
I would like to use a Netgear R7800 router with VPN attached to a Linksys primary router. On the Netgear secondary router, I disabled DHCP, set Advanced Routing to "router", and changed the Netgear IP to 192.168.1.2 and left the Linksys at 192.168.1.1 and internet works fine on the Netgear secondary router. I would like to set up a single specific (no hopping) VPN server on the Netgear secondary. There is no VPN on the primary router. ProtonVPN has basic instructions and want a "Static DNS 1" put in. With the DHCP server disabled, I cannot put the listed DNS setting in. Are there other methods to do this with a cascaded router setup?

DD-WRT version v3.0-r34900m
d33b0_n4p41m
DD-WRT User


Joined: 10 Sep 2021
Posts: 133

Posted: Thu Sep 16, 2021 21:35
I'm sure you meant VPN client if you are trying to connect to ProtonVPN.

https://protonvpn.com/support/vpn-router-ddwrt/

Also, there are stickies in this area of the forum specifically for setting up OpenVPN...

https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327398

_________________
An old man said, “Erasers are made for those who make mistakes.” A youth replied, “Erasers are made for those who are willing to correct their mistakes!” Attitude matters! ~ Anonymous
----------
“You are always a student, never a master. You have to keep moving forward.” ~ Conrad Hall
----------
“Life is about moving on, accepting changes and looking forward to what makes you stronger and more complete.” ~ Anonymous
leaf27
DD-WRT Novice


Joined: 16 Sep 2021
Posts: 38

Posted: Thu Sep 16, 2021 22:01
Thanks for the reply. The instructions do say "Client" and I meant to say that I needed to set up the details in order to use a specific server. I did everything according to the ProtonVPN instructions, but DHCP server normally is disabled so the router can be connected to the primary router. The ability to add the "Static DNS" is then greyed out. The ProtonVPN instructions do not cover this cascade scenario. ProtonVPN told me that they had not tried this scenario and did not have any instructions to give me. I'll keep looking around the board, but if someone has a direct link to the info I need, then I'm open to it. Thanks.
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9157

Posted: Thu Sep 16, 2021 22:01
Beware, if you establish the OpenVPN client on a secondary, bridged router, it will be inaccessible to the rest of the clients on the 192.168.1.x network unless you change their default gateway to point to the LAN ip of the secondary router. While it can be done, it requires a primary router that lets you make such changes to the DHCP server for those clients. And such capabilities are rare for OEM/stock firmware. Or else you'd have to make the secondary router handle DHCP for the network.

That's why for most ppl it's a lot easier to daisy-chain the secondary router, WAN to LAN, wrt the primary router. So each router ends up managing its own local IP network. And now those behind the secondary router are automatically routed over the OpenVPN client once it's connected. Just a lot simpler.

_________________
ddwrt-ovpn-split-basic.sh (UPDATED!) * ddwrt-ovpn-split-advanced.sh (UPDATED!) * ddwrt-ovpn-client-killswitch.sh * ddwrt-ovpn-client-watchdog.sh * ddwrt-ovpn-remote-access.sh * ddwrt-ovpn-client-backup.sh * ddwrt-mount-usb-drives.sh * ddwrt-blacklist-domains.sh * ddwrt-wol-port-forward.sh * ddwrt-dns-monitor.sh (NEW!)
leaf27
DD-WRT Novice


Joined: 16 Sep 2021
Posts: 38

Posted: Thu Sep 16, 2021 22:51
Thanks eibgrad. I will remember that. This primary OEM router has to stay put and cannot be reconfigured. VPN is not wanted on the primary router. Your suggestion would have been easier.

d33b0_n4p41m: Thanks again for the links. It said in one not to use the Static DNS given but to use another trusted DNS or 9.9.9.9. I would still need DHCP enabled to do that under normal setup. I still don't see a way to do that while disabled.

I'll keep reading.

Thanks to all so far, I'm still open to new methods.
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6410
Location: UK, London, just across the river..

Posted: Thu Sep 16, 2021 23:40
The eibgrad advice is more convenient. I use my VPN routers behind the main in gateway mode, instead of WAP/switch mode... it's more secure and easy to run... as well, DNSmasq can be forced to use your DNS of choice and you can blend it inside the VPN channel with this OpenVPN command:
pull-filter ignore "dhcp-option DNS"

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

Posted: Fri Sep 17, 2021 11:47
I run a VPN client on a WAP, but it is easier in default gateway mode, as @eibgrad already said.

It is important to keep the router in gateway mode; router mode breaks things.

If you use an unbridged VAP on the WAP, it will use the VPN.

Instructions on how to set up a VPN are in my signature at the bottom.
Those include instructions for Proton.

EDIT:
I saw you were using a very old build; if you still do, then you should upgrade first (reset to defaults after upgrading and put settings in manually).
These old builds have security issues.

Forum guidelines (link also in my signature) will show you how and where to update (and lots of other useful pointers).

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
leaf27
DD-WRT Novice


Joined: 16 Sep 2021
Posts: 38

Posted: Fri Sep 17, 2021 15:22
egc: Thanks for your message. I'll begin an update of the router firmware and read the information in your links. Thanks.
leaf27
DD-WRT Novice


Joined: 16 Sep 2021
Posts: 38

Posted: Sat Sep 18, 2021 19:13
Alozaros: Thanks for your input, too. I can try that as well and see how it works for me. Thanks.
leaf27
DD-WRT Novice


Joined: 16 Sep 2021
Posts: 38

Posted: Sun Sep 19, 2021 3:24
egc: I've been going over the documentation for installing DD-WRT. On page 4, subsequent flashes, is it okay to just upgrade my existing DD-WRT installation with the stable version .bin file?
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

Posted: Sun Sep 19, 2021 7:30
leaf27 wrote:
egc: I've been going over the documentation for installing DD-WRT. On page 4, subsequent flashes, is it okay to just upgrade my existing DD-WRT installation with the stable version .bin file?


Yes, you can simply upgrade with a recent build (see the forum guidelines on how to research).

As you are coming from a really old build, a reset to defaults and setting up manually is in order.
Do not restore settings from a backup file (to a different build number, that is).

leaf27
DD-WRT Novice


Joined: 16 Sep 2021
Posts: 38

Posted: Fri Sep 24, 2021 5:03
I upgraded to DD-WRT v3.0-r47474 std (09/20/21) on my Netgear R7800 secondary router. I changed the local IP address to 192.168.1.2/24 and the start IP address is 192.168.1.100. The primary router is 192.168.1.1. The internet works fine now. All I did differently was upgrade the DD-WRT version and it worked right away.

I still cannot get the VPN going. I have tried several UDP servers and now a TCP server. I'll keep trying with the TCP servers. They are supposed to be more stable. UDP is supposed to be faster. I have used the instructions in the links here and also on ProtonVPN's website. I have set the time in the Command Box with "date YYYMMDDHHMM". I noticed in the top right corner of the DD-WRT control panel that the WAN IP is always 0.0.0.0. The DNS is 10.7.7.1 on the set up page since it is TCP and the port is 443 on the VPN set up page. The ProtonVPN DNS numbers are supposed to be secure and trusted so I have been trying them.

The log entry in the status page has a long entry. Here are the highlights.

State
Client: RECONNECTING init_instance

Network unreachable

Would it help if I pasted the entire log entry here?

I'm unable to test the secondary router directly to the internet bypassing the primary router. The primary router has been set up by the ISP to work with their internet service. Bypassing it does not work.

Thanks for any advice.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

Posted: Fri Sep 24, 2021 7:17
Sure, it helps if you post a picture of the OpenVPN setup page and OpenVPN Status page (no more than 768 pixels width, see the forum guidelines).

But first get your setup right.

I assume you did a full reset; after that, set up the WAP according to the wiki (assuming you still want a WAP setup; if you just want default gateway mode, the only thing you have to change is the router's Local IP address from 192.168.1.1 to 192.168.2.1):
https://wiki.dd-wrt.com/wiki/index.php/Wireless_access_point

One point which you should not follow is setting the router in Router mode; just leave it in Gateway mode.

So basically:
set the IP address like you did
Disable WAN
Disable DHCP (set to off)
Gateway and Local DNS should be set to the primary router (e.g. 192.168.1.1)

Then your time should work automatically.

About Proton's setup, see the OpenVPN Client setup guide.

Specifically note this sentence:
Quote:
Do not set the Static DNS servers like they (Proton's instructions) are doing just use for static DNS 1 something like 9.9.9.9 or another publicly available DNS server you trust.


(Although in this case your DNS server is the primary router, so you could actually just leave the DNS servers at default 0.0.0.0, but setting a private DNS server which can only be reached after the VPN is up will get you in a Catch-22 situation.)

If you have done a proper WAP setup (and internet and time are working) and the VPN is still not working, post the pictures as discussed.



Last edited by egc on Sun Sep 26, 2021 6:09; edited 4 times in total
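
The preconditions listed in the post above (a gateway pointing at the primary router, working time, and no DNS server that is reachable only through the tunnel), as an added example that is not part of any poster's message: a POSIX sh pre-flight check. The function names, the 2021 clock threshold and the sample route tables are assumptions constructed for illustration; on a router the inputs would come from `ip route`, the configured Static DNS and `date +%Y`.

```shell
#!/bin/sh
# Added example: pre-flight checks for an OpenVPN client on a WAP-mode router.
# Inputs are passed as text so the logic can be exercised offline.

MIN_YEAR=2021   # assumption: a clock earlier than this has not been set

# Constructed samples of `ip route` output on the secondary router (192.168.1.2).
ROUTES_BAD='192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.2'
ROUTES_GOOD='default via 192.168.1.1 dev br0
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.2'

# Succeeds if the route table has a default route through a gateway.
has_default_route() {
    printf '%s\n' "$1" | grep -Eq '^default via [0-9.]+ '
}

# Succeeds if the address is in an RFC 1918 private range.
is_private() {
    case "$1" in
        10.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# Args: DNS_IP LAN_PREFIX. Succeeds if the DNS server can be reached
# before the tunnel is up: unset, on the LAN, or a public resolver.
dns_reachable_before_vpn() {
    case "$1" in
        0.0.0.0) return 0 ;;   # unset: Local DNS (the primary router) is used
        "$2"*)   return 0 ;;   # on the LAN, e.g. the primary router itself
    esac
    ! is_private "$1"          # private and off-LAN: only reachable via VPN
}

# Args: ROUTES DNS_IP LAN_PREFIX YEAR. Prints "ok" or the failed checks.
preflight() {
    out=""
    has_default_route "$1"             || out="$out no-default-route"
    dns_reachable_before_vpn "$2" "$3" || out="$out dns-needs-vpn"
    [ "$4" -ge "$MIN_YEAR" ]           || out="$out clock-not-set"
    echo "${out:-ok}" | sed 's/^ //'
}

# Constructed failing case: no gateway, VPN-internal DNS, clock never set.
preflight "$ROUTES_BAD" 10.7.7.1 192.168.1. 1970
```
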
mwbuss8
DD-WRT Guru


Joined: 23 Feb 2015
Posts: 751

Posted: Fri Sep 24, 2021 7:17
leaf27 wrote:
I upgraded to DD-WRT v3.0-r47474 std (09/20/21) on my Netgear R7800 secondary router. I changed the local IP address to 192.168.1.2/24 and the start IP address is 192.168.1.100. The primary router is 192.168.1.1. The internet works fine now. All I did differently was upgrade the DD-WRT version and it worked right away.

I still cannot get the VPN going. I have tried several UDP servers and now a TCP server. I'll keep trying with the TCP servers. They are supposed to be more stable. UDP is supposed to be faster. I have used the instructions in the links here and also on ProtonVPN's website. I have set the time in the Command Box with "date YYYMMDDHHMM". I noticed in the top right corner of the DD-WRT control panel that the WAN IP is always 0.0.0.0. The DNS is 10.7.7.1 on the set up page since it is TCP and the port is 443 on the VPN set up page. The ProtonVPN DNS numbers are supposed to be secure and trusted so I have been trying them.

The log entry in the status page has a long entry. Here are the highlights.

State
Client: RECONNECTING init_instance

Network unreachable

Would it help if I pasted the entire log entry here?

I'm unable to test the secondary router directly to the internet bypassing the primary router. The primary router has been set up by the ISP to work with their internet service. Bypassing it does not work.

Thanks for any advice.


Did you setup your NTP client on the basic settings page?
leaf27
DD-WRT Novice


Joined: 16 Sep 2021
Posts: 38

Posted: Sat Sep 25, 2021 21:17
mwbuss8: I set up NTP, but I have to reset the time at each power up cycle. I cannot be sure it is working right with my secondary router setup, though.

egc: Thanks again. I attached three .pdf files that have the router page information. The OVPN file is on the next page in this posting. I put some added commands in the configuration box to take care of a cipher error message and some MTU comments. If you would like to see the log entry without the commands I can reconfigure and upload the results. The address 192.168.2.1 does not allow me to access the secondary router at all. I had to reset and start over.


Last edited by leaf27 on Sat Sep 25, 2021 21:21; edited 1 time in total