VPN help required for both WiFi and Ethernet Ports

junipergrower
DD-WRT Novice


Joined: 22 Apr 2020
Posts: 12

Posted: Wed Apr 22, 2020 2:28    Post subject: VPN help required for both WiFi and Ethernet Ports
Greetings fellow dd-wrt-ers,

I am trying to set-up dd-wrt to enable both VPN and direct connections on both WiFi and Ethernet ports.

I currently have dd-wrt installed on a Netgear R7000 4-port WiFi router.

The version of dd-wrt that I have installed is: Firmware: DD-WRT v3.0-r41813 std (12/29/19)

My final goal is to have the following set-up

Wifi:
2Gz Access Point - Direct connection
5Gz Access Point - Direct connection
5Gz Virtual Access Point - VPN Connection

Ethernet:
Port 1 - Direct connection
Port 2 - VPN connection
Port 3 - VPN connection
Port 4 - VPN connection

Currently by using the tutorial [https://medium.com/@libertylocked/dd-wrt-tricks-dedicated-wireless-virtual-access-point-for-openvpn-the-easy-way-6399fca14916] I have managed to set-up the WiFi component as documented above.

It's important to note that I am using Policy Based Routing to obtain the desired result on WiFi. I assume that I will need to do something similar to get this working on my Ethernet ports, however, I am now stuck as to how to proceed to achieve a similar set-up for the Ethernet ports.

Any thoughts or advice would be greatly appreciated.

Thanks,

junipergrower

Notes:
Edited to add dd-wrt version.


Last edited by junipergrower on Wed Apr 22, 2020 4:12; edited 1 time in total
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14208
Location: Texas, USA

Posted: Wed Apr 22, 2020 2:49
Please state which release number you have flashed.

Installation Wiki

Where Do I Download Firmware?

Firmware FAQ

https://download1.dd-wrt.com/dd-wrtv2/downloads/betas/2019/

https://download1.dd-wrt.com/dd-wrtv2/downloads/betas/2020/

Latest build release thread (Broadcom): 04/20/2020 - r42954

_________________
"Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT
Pogo - A minimal level of ability is expected and needed...
DD-WRT Releases 2023 (PolitePol)
DD-WRT Releases 2023 (RSS Everything)

----------------------
Linux User #377467 counter.li.org / linuxcounter.net
junipergrower
DD-WRT Novice


Joined: 22 Apr 2020
Posts: 12

Posted: Wed Apr 22, 2020 4:13
kernel-panic69 wrote:
Please state which release number you have flashed.

...


Thank you. I have edited the post to include these details.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12877
Location: Netherlands

Posted: Wed Apr 22, 2020 8:04
See the policy based routing guide in my signature at the bottom of this post.

If you have any questions left (I cannot imagine Wink), please ask.

For Ethernet ports via VPN you have to use VLANs: set the ports you want to use the VPN on a separate VLAN, create a bridge, attach that VLAN and the VAP to that bridge, and then place the IP range of that bridge under PBR, and Bob's your uncle Smile

But why not use IP based routing, it is easier, just hand out static leases to the clients you want to use the VPN and place that under PBR

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
junipergrower
DD-WRT Novice


Joined: 22 Apr 2020
Posts: 12

Posted: Thu Apr 23, 2020 3:37
egc wrote:
See the policy based routing guide in my signature at the bottom of this post.


Thank you for the pointers. I'll dive into the recommended file and see what I can do. Thank you for the quick reply.

egc wrote:

But why not use IP based routing, it is easier, just hand out static leases to the clients you want to use the VPN and place that under PBR


That's a good idea but won't fit my use-case, which is that I want any new and ad hoc device connecting to the network to just be able to connect with standard DHCP. It's a family network so we end up with all sorts of devices being attached Smile
junipergrower
DD-WRT Novice


Joined: 22 Apr 2020
Posts: 12

Posted: Thu Apr 23, 2020 4:09
@egc

Would it be simpler to have the entire router utilizing the VPN client and then set-up a single WiFI VAP that bypassed the VPN?

Any ideas on how I would do that?

In the meantime I'm looking into your first set of PBR suggestions. Thanks again.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12877
Location: Netherlands

Posted: Thu Apr 23, 2020 6:22
junipergrower wrote:
@egc

Would it be simpler to have the entire router utilizing the VPN client and then set-up a single WiFI VAP that bypassed the VPN?

Any ideas on how I would do that?

In the meantime I'm looking into your first set of PBR suggestions. Thanks again.


Certainly, make an unbridged VAP e.g. if your router is 192.168.1.1/24 you make an unbridged VAP on 192.168.2.1/24
In the PBR field enter: 192.168.2.1/24
and now the whole VAP is routed via the VPN

junipergrower
DD-WRT Novice


Joined: 22 Apr 2020
Posts: 12

Posted: Thu Apr 23, 2020 6:54
Thanks again. But unless I misunderstood you, I think I need to do the opposite of what you described.

I can place the entire network (WiFi and Network Ports) behind a VPN using dd-wrt's built in OpenVPN client. I then want to add a single additional WiFi VAP that would allow devices connected to it to directly access the Internet and bypass the VPN. Said another way, only the VAP would not be behind the VPN, but all other ports and WiFi points would be behind the VPN. I want the default for all access points to be behind the VPN with the single exception of the newly created WiFi VAP.

Is this possible?

Thanks again for your help and patience. I really appreciate it. While my general IT and tech skills are ok-good, my networking skills are very noobish. Wink

egc wrote:
junipergrower wrote:
@egc

Would it be simpler to have the entire router utilizing the VPN client and then set-up a single WiFI VAP that bypassed the VPN?

Any ideas on how I would do that?

In the meantime I'm looking into your first set of PBR suggestions. Thanks again.


Certainly, make an unbridged VAP e.g. if your router is 192.168.1.1/24 you make an unbridged VAP on 192.168.2.1/24
In the PBR field enter: 192.168.2.1/24
and now the whole VAP is routed via the VPN
Confused Confused Wink
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12877
Location: Netherlands

Posted: Thu Apr 23, 2020 7:31
junipergrower wrote:
Thanks again. But unless I misunderstood you, I think I need to do the opposite of what you described.

I can place the entire network (WiFi and Network Ports) behind a VPN using dd-wrt's built in OpenVPN client. I then want to add a single additional WiFi VAP that would allow devices connected to it to directly access the Internet and bypass the VPN. Said another way, only the VAP would not be behind the VPN, but all other ports and WiFi points would be behind the VPN. I want the default for all access points to be behind the VPN with the single exception of the newly created WiFi VAP.

Is this possible?

Thanks again for your help and patience. I really appreciate it. While my general IT and tech skills are ok-good, my networking skills are very noobish. Wink

egc wrote:
junipergrower wrote:
@egc

Would it be simpler to have the entire router utilizing the VPN client and then set-up a single WiFI VAP that bypassed the VPN?

Any ideas on how I would do that?

In the meantime I'm looking into your first set of PBR suggestions. Thanks again.


Certainly, make an unbridged VAP e.g. if your router is 192.168.1.1/24 you make an unbridged VAP on 192.168.2.1/24
In the PBR field enter: 192.168.2.1/24
and now the whole VAP is routed via the VPN
Confused Confused Wink


Yes, you do it the other way around: set 192.168.1.1/24 in the PBR field.

Or if you only want the DHCP clients of the router's subnet, set DHCP to start at .64 and set Maximum DHCP users to 64 and then enter 192.168.1.64/26 in the PBR field so that all DHCP users will use the VPN, and of course create an additional VAP for users to use if they do not want the VPN.

You can mix and match

junipergrower
DD-WRT Novice


Joined: 22 Apr 2020
Posts: 12

Posted: Thu Apr 23, 2020 13:24
I'm almost there. But I'm missing one item. In Summary

1) Enable VPN client which sets all APs to VPN [done]
2) Create new VAP for WiFi with IP range 192.168.22.1 and subnet mask 255.255.255.0 [done]
3) Enable PBR in VPN Client with 192.168.22.1/24 [fail]

When I get to step 3, all my connections no longer work.

If I understand PBR correctly, it is telling the VPN to only route packets that fit the PBR criteria.

If this is correct, then my problem is that I need the inverse of this i.e. route all packets via VPN except those in the range 192.168.22.1/24 (which is the IP range of the new VAP).

Thank you for hanging in there. I feel that I am so close, I just need to crack the last element which is to allow devices connecting to the VAP to bypass the VPN.

Can you please take one more go at helping a slow student Embarassed


egc wrote:

Yes, you do it the other way around: set 192.168.1.1/24 in the PBR field.

Or if you only want the DHCP clients of the router's subnet, set DHCP to start at .64 and set Maximum DHCP users to 64 and then enter 192.168.1.64/26 in the PBR field so that all DHCP users will use the VPN, and of course create an additional VAP for users to use if they do not want the VPN.

You can mix and match
Embarassed Embarassed
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12877
Location: Netherlands

Posted: Thu Apr 23, 2020 13:50
junipergrower wrote:
I'm almost there. But I'm missing one item. In Summary

1) Enable VPN client which sets all APs to VPN [done]
2) Create new VAP for WiFi with IP range 192.168.22.1 and subnet mask 255.255.255.0 [done]
3) Enable PBR in VPN Client with 192.168.22.1/24 [fail]

When I get to step 3, all my connections no longer work.

If I understand PBR correctly, it is telling the VPN to only route packets that fit the PBR criteria.

If this is correct, then my problem is that I need the inverse of this i.e. route all packets via VPN except those in the range 192.168.22.1/24 (which is the IP range of the new VAP).

Thank you for hanging in there. I feel that I am so close, I just need to crack the last element which is to allow devices connecting to the VAP to bypass the VPN.

Can you please take one more go at helping a slow student Embarassed


egc wrote:

Yes, you do it the other way around: set 192.168.1.1/24 in the PBR field.

Or if you only want the DHCP clients of the router's subnet, set DHCP to start at .64 and set Maximum DHCP users to 64 and then enter 192.168.1.64/26 in the PBR field so that all DHCP users will use the VPN, and of course create an additional VAP for users to use if they do not want the VPN.

You can mix and match
Embarassed Embarassed


You wrote that all your connections no longer work; does that mean you have no internet or that the VPN is not used?
The latter should be the case: only the IP addresses entered in the VPN/PBR will take the VPN.

So if your normal network is 192.168.1.1/24 then enter that in the VPN PBR field.
Until recently you could not enter your router's own IP address in PBR because you lock yourself out, but in recent builds you should be able to do so, so you still see a lot of people using this (which is still useful if you want your router free for connecting from the internet):
192.168.1.2/31
192.168.1.4/30
192.168.1.8/29
192.168.1.16/28
192.168.1.32/27
192.168.1.64/26
192.168.1.128/25

If you want to know how it works, google CIDR.

But always good advice: make a backup of your configuration (Administration/Backup)

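The CIDR arithmetic behind the block list and the DHCP /26 suggestion in this thread, as an added example that is not part of the original posts and is not DD-WRT code. It assumes PBR entries are matched as source prefixes with host bits masked (so 192.168.1.1/24 means 192.168.1.0/24); the function names and the sample client addresses are constructed for illustration.

```python
import ipaddress

def pbr_cover(subnet, exclude):
    """CIDR blocks covering `subnet` minus the single addresses in `exclude`."""
    remaining = [ipaddress.ip_network(subnet, strict=False)]
    for addr in exclude:
        host = ipaddress.ip_network(addr)  # a /32
        kept = []
        for block in remaining:
            if host.subnet_of(block):
                kept.extend(block.address_exclude(host))  # split around host
            else:
                kept.append(block)
        remaining = kept
    return sorted(remaining)

def pool_blocks(first, count):
    """CIDR blocks that exactly cover a DHCP pool of `count` addresses."""
    start = ipaddress.ip_address(first)
    return list(ipaddress.summarize_address_range(start, start + (count - 1)))

def uses_vpn(client, pbr_entries):
    """True if the client's source address matches any PBR entry.
    Assumption: host bits are masked, so 192.168.1.1/24 means 192.168.1.0/24."""
    ip = ipaddress.ip_address(client)
    return any(ip in ipaddress.ip_network(e, strict=False) for e in pbr_entries)

if __name__ == "__main__":
    # Router 192.168.1.1 and the network address stay out of the policy.
    for block in pbr_cover("192.168.1.1/24", ["192.168.1.0", "192.168.1.1"]):
        print(block)
    print(pool_blocks("192.168.1.64", 64))   # aligned pool: a single /26
    print(pool_blocks("192.168.1.100", 50))  # constructed unaligned pool: six entries
    pbr = ["192.168.1.64/26"]
    for client in ["192.168.1.70", "192.168.1.10", "192.168.22.50"]:  # constructed
        print(client, "VPN" if uses_vpn(client, pbr) else "direct")
```

Running the same check against static leases shows which clients sit outside the PBR range and therefore go out over the ISP link rather than the VPN.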
junipergrower
DD-WRT Novice


Joined: 22 Apr 2020
Posts: 12

Posted: Fri Apr 24, 2020 0:01
@egc

Thank you. Thank you. Thank you!! Very Happy

Your last post was the missing item I needed to get everything up and working flawlessly.

Thank you for sticking with all my questions.

Have a super weekend!

Kind regards

junipergrower
paultranemail
DD-WRT Novice


Joined: 12 Apr 2020
Posts: 13

Posted: Sat Apr 25, 2020 3:44    Post subject: Policy Routing on Ethernet
Can you do the policy routing on the Ethernet like you do in WiFi?

Like this:
Port 1 - Direct connection
Port 2 - VPN connection
Port 3 - VPN connection
Port 4 - VPN connection
student13
DD-WRT User


Joined: 17 Nov 2016
Posts: 95

Posted: Sat Apr 25, 2020 6:03
I do have a solution that does not require firmware mod.

ExpressVPN allows you to download Linux-based software "as a line code", i.e. it basically runs in the background. If you ever disconnect from the VPN server it blocks your connection.
junipergrower
DD-WRT Novice


Joined: 22 Apr 2020
Posts: 12

Posted: Sat Apr 25, 2020 6:16    Post subject: Re: Policy Routing on Ethernet
Hi, I have not tried that specific configuration. What I ended up with instead was VPN on everything (WiFi & Ethernet) that's part of the base IP range (192.168.1.1/24) and then created a separate Wireless VAP with its own IP range. That ended up sorting out my problem, but as the router currently stands, all the Ports are linked to the VPN and I can only get direct ISP access by accessing the separate WiFi VAP.

Do you mind if I ask what your use case is?

As an aside, the router seems to need around 2-4 minutes after booting before everything works. I'm not sure why this is.

However for now I am happy that I've managed to get my entire network behind a VPN but still have access to a direct Internet connection if the need arises e.g. certain apps such as Netflix or software (perhaps games) where low latency is critical.

In order to get the set-up you are looking for, I would try the following:

- Create a bridge for your new direct IP range.
- Use "Setup > Switch Config" and move your specific port to the newly created bridge.
- You will also likely have to create an additional DHCP via "Setup > Networking > DHCPD".

Hopefully these pointers propel you in the right direction. At the end of the day I dropped the need for direct ISP access via Ethernet as I was able to get what I needed done by having a WiFi VAP available.

Have a go and good luck.

As an aside, and I know that this is obvious but it took me a while to figure it out, make sure you have a backup of your working system before you start messing around. I needed to factory reset my router numerous times on my journey of discovery and being able to quickly get back to a working state was a life saver.




paultranemail wrote:
Can you do the policy routing on the Ethernet like you do in WiFi?

Like this:
Port 1 - Direct connection
Port 2 - VPN connection
Port 3 - VPN connection
Port 4 - VPN connection
All times are GMT