[Skoda Zek]

Greetings folks,

I have just purchased a WRT3200ACM on Amazon to replace my
WRT1900ACS (I know, seems like an unnecessary upgrade but
I am doing it for the better CPU to increase speed/bandwidth through my VPN provider) and I would like to flash DD-WRT instead of the ExpressVPNRouter firmware offered by ExpressVPN. Nothing Against their proprietary firmware except for the aforementioned. EVPNR locks users out of virtually all fine tuning.

Before I can flash the firmware I need to know if DD-WRT allows me to specify which devices connected to the router (ethernet & wifi) are behind the VPN and which are not. More importantly I need to know if I can set specific devices to ExpressVPN's Smart DNS service (Branded MediaStreamer) which is not behind the VPN but provides DNS / Geo Location cover.

Essentially I need to know if DD-WRT can do all the things ExpressVPNRouter firmware can do. Specify which devices are VPN or direct internet, and which devices are SmartDNS or VPN, or direct.

Thanks so very much in advance for any information provided. If DD-WRT is capable of doing all the things I need it to, ill almost certainly need some help or a guide especially if it requires fine tune tweaking. Most interface adjustable options in DD-WRT I understand and can manage but the fine tuning is alien to me.

Thanks so much in advanced. I look forward to hopefully running DD-WRT in a few days when the router arrives instead of a neutered OpenWRT Chaos Calmer w/ LuCi that EVPN provides.

[spuriousoffspring]

Yes. All the options available in the Express VPN firmware are available in DD-WRT.

The option to choose which devices use the OpenVPN tunnel is called Policy Based Routing. Very simple to use, you just enter the IP / Netmask of each device.

You can choose whatever DNS servers you want in Setup.
DD-WRT also has DNSCrypt

Take a look at the IPVanish Tutorial link in my signature. It'll give you an idea of what the setup looks like.

[AmesJainchill]

I use manually configured expressvpn with the wrt3200acm (33986 12/4/17) with no major issues (other's mileage may vary,lol). Didn't care much for evpn's custom firmware personally. Just more familiar with ddwrt from my old e4200. No problems at all getting 100mbps+ down openvpn'd on the 3200.

Policy based routing is great for specifying individual devices/nets to go through the vpn. I use firewall commands to do the inverse, that is, specifying the handful of devices I want to go around the vpn while everything else is vpn'd.

Found these example firewall commands a while ago for that which might be helpful:

echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter iptables -t mangle -F PREROUTING

ip route add default table 200 via $(nvram get wan_gateway)

ip rule add fwmark 1 table 200

ip route flush cache

iptables -t mangle -I PREROUTING -i br0 -s 192.168.0.240 -j MARK --set-mark 1

iptables -t mangle -I PREROUTING -i br0 -s 192.168.0.49 -j MARK --set-mark 1

<add additional iptables entries for more lan devices you want to bypass vpn>

[AmesJainchill]

Oh, and if your 3200 has the newer nand (I have the original version), maybe check this thread before switching..

https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=313921&highlight=

[Skoda Zek]

ended up getting WRT32X instead of the WRT3200ACM. Now trying to figure out how to setup policy based routing via ssh with stock venom firmware (Since there is no way to do it via the web interface)

Need to configure the VPN so that 5 of the dhcp clients are not behind vpn and use custom smartdns while the rest of the clients are behind vpn.

But I have 0 experience with any router functions via SSH

[pa3fat]

Think stock venom firmware config, you should ask Linksys support how to?

[Skoda Zek]

Ended up getting WRT32x which I now have latest DD-WRT running on, my ExpressVPN is working perfectly Except no matter what I do I cannot split the vpn. Policy Based Routing does not work, any ip I specify in PBR (ex 192.168.0.100/32 which is static) looses complete access to the WAN.

I have tried through IP Tables with a few methods including the one suggested earlier in this thread and still no go. No matter what I do it seems I am either forced to be 100% behind VPN or 100% direct

[spuriousoffspring]

Check out these tickets on Trac:
https://svn.dd-wrt.com/ticket/6161

https://svn.dd-wrt.com/ticket/6247

Also, make sure that SFE (Shortcut Forwarding Engine) is disabled. There was an issue with it affecting Policy Based Routing.

[Skoda Zek]

[Skoda Zek]

oh and now that PBR is working (yay!).

What should I enter in PBR box for 192.168.0.100-192.168.0.149 as VPN range?

Instead of adding literally each ip between 100-149 with a /32 on the end.