Posted: Sat Jul 05, 2025 20:13 Post subject: OpenVPN Server Behind ISP Gateway
I recently changed to a new ISP, with one trade off being that I now have to use their equipment.
With the previous ISP, the setup was no more complex than connecting a cable modem to a router that was running DD-WRT. This router also operated an OpenVPN Server, thanks to the fantastic guidance of @egc here via the guide that has been maintained here in the forum.
After moving to the new ISP, the cable modem and DD-WRT router are now no longer in use. The new ISP supplied their own gateway to use.
The path of least resistance seemed to be:
1) Place the new ISP's gateway into IP Passthrough mode.
2) Connect the ISP gateway via an Ethernet cable to one of the LAN ports on the DD-WRT router.
While functional, the tradeoff here is that I lose anywhere from 200-300Mbps on speed tests.
I then reverted devices back to their prior settings to approach in a different manner, staging as follows:
1) Update the DD-WRT router to disable being a DHCP Server.
2) Set the internal network address of the DD-WRT router to be 192.168.1.253, since the new ISP's gateway uses an internal address of 192.168.1.254
3) Connect the new ISP's gateway via Ethernet to one of the LAN ports on the DD-WRT router.
4) In the new ISP's gateway, add a port-forward for TCP/UDP 1194 to point to the DD-WRT router's internal address set in step 2 above.
I have a smartphone with the OpenVPN client that I had used with the original ISP, a cable modem, and the same DD-WRT router. From out in the world away from home, this is able to connect to the OpenVPN Server that is running on the DD-WRT router.
However, after connecting to the OpenVPN Server, I cannot navigate to any destinations, whether internal or external.
I also explored this approach:
1) Change the DD-WRT router's value for Connection Type. Previously it was set to "Automatic Configuration - DHCP" but now will be "Static IP." I designated it to have a WAN IP address of 192.168.1.253, and a value for Gateway of 192.168.1.254 (the IP address of the new ISP's gateway)
2) Connect the new ISP's gateway via Ethernet to the WAN port on the DD-WRT router.
3) In the new ISP's gateway, add a port-forward for TCP/UDP 1194 to point to the DD-WRT router's WAN IP address that had been set in step 1 above.
The outcome here is that I am not able to communicate with the DD-WRT router at all, whether home or away. Even having remote access to the web ui on port 8080 did not allow me to access the DD-WRT router in this setup. At this point, I had to factory reset it and restore a backup that was made from before this effort so I have a renewed start-over point.
Has anyone been down this path before with any successful outcomes? I feel like this could be one of those situations of being "too deep in the forest to see the trees," so there may very well be some easy toggle that I am simply overlooking.
Any thoughts or leads would be greatly appreciated!
If you put the ISP device in IP passthrough (bridge) mode, you use the default gateway config of your DD-WRT router, and its WAN is connected to the LAN Ethernet port of the ISP device so the WAN gets the public IP. That should've been given somewhere in the ISP's device instructions...
Thank you for reviewing the challenge at hand.
While I omitted as much on my original post, I can say that I had also tried the approach you had mentioned one of the days last week. This is when I had identified a speed reduction.
Leaving nothing to chance, since you kindly provided your feedback here, I went ahead and re-staged things as follows:
1) Restore the DD-WRT router from a backup that was made prior to the ISP change.
2) Set the new ISP's gateway device to use IP Passthrough.
3) Connect an Ethernet cable from the ISP's gateway device to the WAN port of the DD-WRT router.
4) Confirm that all devices on the home network are receiving their IP addresses via DHCP from the DD-WRT router.
As had been the case previously, subsequent speed tests vary between having around a 300Mbps reduction.
Since I previously had found that speeds were significantly lower when setting IP Passthrough to be enabled on the new ISP's gateway, and then allowing my DD-WRT router to resume being, well, my router, I want to instead pursue this outcome:
1) the new ISP's gateway device will be used as my router, going forward (this will let me retain the speed performance)
2) the DD-WRT router will be a device on the home network that does nothing else other than operate as an OpenVPN Server (this will allow me to remotely access devices on my home network when away, as I have been prior to the ISP change)
I haven't dug into why the slower speeds would be happening, or if that's something to be expected. The DD-WRT router is a Linksys WRT32x, so its ports should be able to perform at 1Gbps. I am not using WiFi at this time, just for one less facet to be any distraction.
For what it is worth, I am also using an Apple TV with the Speedtest.net app. That should hopefully reduce any concerns/considerations with things like drivers or any number of other factors that would stem from testing via a computer.
But the outcomes at present are that I will reliably have speed tests at over 900+ Mbps when testing on the Apple TV that has a hard-wired connection to the new ISP's gateway device, but the same testing drops to 600-700Mbps when introducing the DD-WRT router into the chain.
Joined: 18 Mar 2014 Posts: 13690 Location: Netherlands
Posted: Sun Jul 06, 2025 6:30 Post subject:
If you are talking about the speed measured via OpenVPN then I suggest to try WireGuard which is more performant than OpenVPN but that also is not going to give you gigabit throughput on this router.
If measured without OpenVPN then there is something wrong in your setup or in the current firmware.
Without OpenVPN/WireGuard this router should be able to have gigabit throughput, I think, but I do not have your router to check. I think @kp69 has one, so I leave this to him.
Posted: Sun Jul 06, 2025 11:08 Post subject: Re: OpenVPN Server Behind ISP Gateway
dpw95 wrote:
...
The path of least resistance seemed to be:
1) Place the new ISP's gateway into IP Passthrough mode.
2) Connect the ISP gateway via an Ethernet cable to one of the LAN ports on the DD-WRT router.
...
Re:
-1) Place your ISP modem in bridge mode. This means all the ISP modem does, except authenticating you as a legit subscriber, is passing all the routing function to your own router. It's more than just an IP passthrough.
(Consult its user guide. If not, ask your ISP for the necessary steps. Your ISP should have NO reason not to give this info. But be prepared that they will not provide any support for your own router for obvious reason).
-2) Connect to the ISP modem via your DDWRT router's WAN port. And configure it to your desire and ability. Your VPN speed is a secondary and separate issue in this instance.
To confirm the use case, this would be without anything being done with OpenVPN at this stage.
I can literally run a speed test on the Apple TV while it's wired to the new ISP's gateway device, and pull over 900Mbps.
Then I can physically swap the Apple TV over to the DD-WRT router & then connect that DD-WRT router to the new ISP's gateway. Once I see that the Apple TV is online, I can rerun the same speed test (same server) within seconds or a minute of the previous test, and only pull under 700Mbps.
If I juggle back to connecting the Apple TV to the new ISP's gateway, the next speed test jumps right back up to the 900+Mbps range.
One more item to add to my list of me being behind the times is to explore if using a router that's said to be gigabit NAT supported will ultimately be the way to go, by using one of those back with the IP Passthrough approach previously tried. The ports on this WRT32x show in the web ui of DD-WRT as being full duplex and at the 1Gbps rate, but maybe some more "umph" beyond just that needs to factor into the mix.
Posted: Sun Jul 06, 2025 14:52 Post subject: Re: OpenVPN Server Behind ISP Gateway
D.F.Cruizer wrote:
dpw95 wrote:
...
The path of least resistance seemed to be:
1) Place the new ISP's gateway into IP Passthrough mode.
2) Connect the ISP gateway via an Ethernet cable to one of the LAN ports on the DD-WRT router.
...
Re:
-1) Place your ISP modem in bridge mode. This means all the ISP modem does, except authenticating you as a legit subscriber, is passing all the routing function to your own router. It's more than just an IP passthrough.
(Consult its user guide. If not, ask your ISP for the necessary steps. Your ISP should have NO reason not to give this info. But be prepared that they will not provide any support for your own router for obvious reason).
-2) Connect to the ISP modem via your DDWRT router's WAN port. And configure it to your desire and ability. Your VPN speed is a secondary and separate issue in this instance.
Good luck.
I liked this idea that you mention about bridge mode, but a few days back, I learned that this equipment doesn't support that (grrrr).
I'll post an update if I land somewhere with this ultimately. Thank you though. It would have absolutely been a good idea to pursue.
Posted: Sun Jul 06, 2025 20:55 Post subject: Re: OpenVPN Server Behind ISP Gateway
dpw95 wrote:
...
I liked this idea that you mention about bridge mode, but a few days back, I learned that this equipment doesn't support that (grrrr)......
The ISP has no commercially justifiable reason not to allow this feature.
If I were in your shoes, I'd let them know of my needs of OpenVPN not being adequately met by their device.
Next, I'd let them know that I will not stay with them after contracted period ends as their device does not have the 'Bridge function'.
It's not rocket science. The device probably has it as a standard feature by its manufacturer. But it's likely ISP's IT staff disabled it as a quiet way to minimize ISP's support exposure. A well-known commercial practice by ISP.
Joined: 08 May 2018 Posts: 16208 Location: Texas, USA
Posted: Sun Jul 06, 2025 22:20 Post subject:
@D.F. Cruizer: it's not an ISP issue, it's a vendor / developer issue. Some ISP-provided devices' firmware call it bridge mode, others IP passthrough and the functionalities are dependent on this. There's a larger picture as well. WAN type being the key factor along with specific hardware in use. Feel free to serial dump every ISP-branded / used device and request full GPL source code and "fix" the "issue"