Wifi with VPN and without VPN

DD-WRT Forum Index -> Marvell MVEBU based Hardware (WRT1900AC etc.)
DD-WRT Novice

Joined: 13 Sep 2020
Posts: 2

Posted: Sun Sep 13, 2020 18:35    Post subject: Wifi with VPN and without VPN
I have a Linksys WRT3200ACM router with DD-WRT firmware.

I have VPN from NordVPN.
Can I make 3 wifis?

1. Wifi (3pac wifi): with VPN, access to Sonos, Chromecast, NAS server etc. (I have today)

2. Wifi (3pac wifi guest): guest wifi without access to Sonos, Chromecast etc., with VPN

3. Wifi (3pac wifi wovpn): wifi without VPN and access to Sonos etc.

Firmware: DD-WRT v3.0-r40559 (08/06/19)

Joined: 18 Mar 2014
Posts: 10056
Location: Netherlands

Posted: Wed Sep 16, 2020 16:02    Post subject:
You can do all that, but not with that build; that is an old and crappy build.

See the forum guidelines, link in my signature at the bottom of this post, where to download and other helpful pointers.

You need Policy Based Routing, link also in my signature.

Routers: Netgear R7800, R6400v1, R6400v2, Linksys EA8500, EA6900 (XvortexCFE), E2000 (converted WRT320N), WRT54GS v1.
Install guide R6400v2, R6700v3, XR300: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read): https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087

Last edited by egc on Thu Sep 17, 2020 14:13; edited 1 time in total

Joined: 04 Aug 2018
Posts: 1348
Location: Appalachian mountains, USA

Posted: Wed Sep 16, 2020 17:07    Post subject:
Since no one seems to be replying and I need something to do while I slowly build my caffeine level, let me be a complete fool and try to whip out a basic guide to get you moving. I don't claim my proofreading is perfect, and certainly there are many possible dd-wrt configurations that would require changing something from the basic setup here. But I hope this will get you started in the right direction and that others can step in and help you tailor it if needed. With that said, here is my basic how-to on getting VAPs going (I have four VAPs here) with some routed through the VPN client and some bypassing it (which I do here also). Could be that I've left out something important. Hope not.
  1. 40559 is not a great build. Ignore the router database. It is not well maintained. Get a recent build. The very latest ones are having wifi issues on the Linksys/Marvell routers (like the 3200). I'd try 44213, the last one before the iffy wifi driver changes, and if that presents serious problems, fall back to 44048, which seems to have lots of fans. See the "Cliff Notes" sticky post at the top of the Marvell forum for important details of handling flashing and setup. The Cliff Notes are your basic guide.

  2. You can easily have multiple guest networks. The topic to research is Virtual Access Points (VAPs). There is a lot of old info out there, so be careful. Here's my quick version.

    First, note that you are creating it for one wifi band. If you want both wifi bands, create two guest networks with separate SSIDs. Combining both bands into one network with a shared SSID might be tempting, but if you bridge VAP A and VAP B together, there will be no way to keep clients of A and clients of B from seeing each other and interacting. That violates the idea of a guest network. So, here's how you create one VAP.

    In the Wireless/BasicSettings page you need to Add Virtual AP, check Advanced Settings, check AP Isolation so that clients cannot see each other, check Unbridged for Network Configuration, and check Masquerade/NAT so your clients can reach the internet. If you will have only one guest network (VAP), check Net Isolation so that clients on the main and guest networks cannot see each other. If you will have more than one guest network, leave it unchecked and use the firewall tweak discussed below instead. I like checking "Forced DNS Redirection" so that clients are strongly encouraged ("forced" is not actually possible) to use dd-wrt's DNS system.

    If your router IP is (the default), try entering 192.168.X.1 as both Optional DNS Target and IP Address, with X some small number not equal to 1. Use a different X for each VAP. Don't give the VAP the same IP that your modem uses for dd-wrt's WAN connection (usually not a problem, but it can happen). Most people use X=2 for the first VAP, X=3 for the second, etc. Note the name of the virtual interface, likely ath0.1 or ath1.1, that you have created. Save and Apply.

    Move to the Wireless Security subtab and give the VAP a Security Mode of WPA, a Network Authentication type of "WPA2 Personal," and a WPA Algorithms choice of "CCMP-128 (AES)." Put the password in as WPA Shared Key, Save and Apply. At this stage you should be able to connect to the VAP wifi, but you won't yet have internet on it.

    On the Setup>BasicSettings page, at the bottom, I'm assuming you have these three checked:

    Use DNSMasq for DNS
    Forced DNS Redirection

    I'm not saying the below won't work otherwise, only that I'm too lazy to think the matter through.

    Go to Setup>Networking, scroll to the bottom to the DHCPD section, and click Add to create a new DHCP server at the bottom of the list. Use the drop-down menu to select the VAP you have created. Set Start to 128 and Max to 64 rather than use the defaults for those. This will make setting up the VPN easier later on. The other defaults are fine. Save and Apply. You should now have a functioning guest network.

  3. Note that a lot of the guides out there talk about using bridges for VAPs either because the guides are old, from before the simpler unbridged option was available in dd-wrt, or because some routers/builds had trouble with unbridged VAPs for some time. Your router and a modern build are perfectly compatible with unbridged VAPs.

  4. Old guides may also suggest various iptables rules to add to the firewall for VAPs. None of these are needed in a modern setup unless you want Net Isolation for multiple VAPs. If your main network is (the default) bridge br0 with IP and your VAPs are on interface ath0.1 with IP and interface ath0.2 with IP, achieving that Net Isolation can be accomplished by putting these three firewall commands in Administration>Commands in the Firewall box (enter in Commands box and click Save Firewall):
    for i in br0 ath0.1 ath0.2; do
        # the destination range after -d did not survive in the archived post; fill in your LAN range(s)
        iptables -I FORWARD -i $i -d <DESTINATION_RANGE> -m state --state NEW -j DROP
    done

    There are many guides to iptables online if you want to sort this out. Be sure you have a backed-up configuration before playing with the firewall, because the wrong kind of errors can lock you out of your router. And this particular firewall setup for Net Isolation is probably not universal. It works for my setup here. In the ssh/PuTTY CLI do iptables -vnL FORWARD | grep DROP to see the rules this created in the firewall (and maybe a few others as well).

  5. If you already have a working VPN setup, all you need to do is enter, in the Policy Based Routing (PBR) window in Services>VPN, the IP ranges you want on the VPN. If your VAP IP is with DHCP Start=128 and Max=64, enter You can enter multiple lines for multiple VAPs. If this notation is unfamiliar, google CIDR notation. (An IP address is four groups of 8 bits each so 32 bits total. The /26 means the first 26 bits are as given with the last 6 representing wild cards. Here 2^6 is 64.) For more on PBR, see egc's guide posted as a sticky at the top of the Advanced Networking forum.

  6. The two new builds I recommend above have an "Ignore WAN DNS" box at the top of the Setup>BasicSettings page. Check it. Those new builds also automatically use the DNS server pushed by the VPN provider.

  7. You'll likely want a VPN kill switch. Add the following to the Firewall window in Administration>Commands (click Edit in that window to copy its contents to the Commands window, add material below, click Save Firewall to move it back to the Firewall window):
    WAN_IF=$(ip route | awk '/^default/{print $NF}')
    # strip comments and blank lines from the PBR file, then one set of rules per CIDR read into $pbr
    sed -n 's/\s*#.*//;/\S/p' /tmp/openvpncl/policy_ips \
    | while read pbr; do
       iptables -I FORWARD -s $pbr -o $WAN_IF -j REJECT --reject-with icmp-host-prohibited
       iptables -I FORWARD -s $pbr -p tcp -o $WAN_IF -j REJECT --reject-with tcp-reset
       iptables -I FORWARD -s $pbr -p udp -o $WAN_IF -j REJECT
    done

    There are many different reasonable kill switches out there. The one Nord recommends, unless they've changed it recently, uses a udp-reset in the last rule. There is no such thing as a udp-reset, and if you make such an error in an iptables command, no firewall rule is created. This kill switch automatically tailors to your PBR setup by reading the internal file where the PBR configuration is stored. Use iptables -vnL FORWARD | grep REJECT in the ssh/PuTTY CLI to see these rules (and a few others) in the firewall, to check that they went in OK.

4 Linksys WRT1900ACSv2 routers on 49081, 2 on 48141: VLANs, VAPs, NAS, client mode, OpenVPN client (AirVPN), DDNS, wireguard servers and clients (AzireVPN), three DNSCrypt DNS providers (incl Quad9) via VPN clients.

Last edited by SurprisedItWorks on Thu Oct 22, 2020 20:28; edited 1 time in total
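The CIDR arithmetic from step 5 and the kill-switch loop from step 7, as an added example that is not part of SurprisedItWorks' post: POSIX sh that turns a VAP's DHCP pool (Start/Max) into the /prefix line for the PBR window, and dry-runs the kill-switch rules against a constructed policy_ips-style list, printing the iptables commands instead of running them. The WAN interface name eth0 and the policy lines are constructed stand-ins, not values from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: compute the PBR CIDR line for a VAP's DHCP
# pool (step 5) and dry-run the kill-switch rules (step 7) against a constructed
# policy_ips list. Nothing here calls iptables; it only prints the commands.

# dhcp_to_cidr ROUTER_IP START MAX -> "a.b.c.START/prefix"
# The pool is one CIDR block only if MAX is a power of two and START is a
# multiple of MAX (128/64 -> /26). Otherwise print nothing and return 1.
dhcp_to_cidr() {
    net=${1%.*}                     # a.b.c from the VAP's router IP a.b.c.1
    start=$2; max=$3
    [ "$max" -gt 0 ] && [ $((max & (max - 1))) -eq 0 ] || return 1   # power of two
    [ $((start % max)) -eq 0 ] || return 1                           # aligned start
    [ $((start + max)) -le 256 ] || return 1                         # fits the /24
    bits=0; n=$max
    while [ "$n" -gt 1 ]; do n=$((n / 2)); bits=$((bits + 1)); done
    printf '%s.%s/%s\n' "$net" "$start" $((32 - bits))
}

# Constructed stand-in for /tmp/openvpncl/policy_ips: one CIDR per line,
# blank lines and '#' comments allowed, as the sed filter in the post expects.
POLICY_IPS='# guest VAP, routed via the VPN
192.168.2.128/26

192.168.3.128/26   # second VAP
'

# killswitch_rules WAN_IF -> the three REJECT rules per PBR line, as text.
# Uses $pbr (the loop variable), not $1, which would be the function argument.
killswitch_rules() {
    wan=$1
    printf '%s' "$POLICY_IPS" \
    | sed -n 's/[[:space:]]*#.*//;/[^[:space:]]/p' \
    | while read -r pbr; do
        echo "iptables -I FORWARD -s $pbr -o $wan -j REJECT --reject-with icmp-host-prohibited"
        echo "iptables -I FORWARD -s $pbr -p tcp -o $wan -j REJECT --reject-with tcp-reset"
        echo "iptables -I FORWARD -s $pbr -p udp -o $wan -j REJECT"
    done
}

dhcp_to_cidr 192.168.2.1 128 64 || echo "pool is not one CIDR block"
dhcp_to_cidr 192.168.3.1 100 50 || echo "192.168.3.x pool 100+50 is not one CIDR block"
killswitch_rules eth0     # eth0 is a constructed WAN name; the post derives it from 'ip route'
```

A Start/Max pair that is not a power of two or not aligned (100/50) has no single CIDR line, which is why the post steers you to 128/64.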
DD-WRT Novice

Joined: 13 Sep 2020
Posts: 2

Posted: Thu Sep 17, 2020 14:06    Post subject:
I have to try, or try to downgrade the firmware to another if it is bad.

I have considered the easy solution of setting up one more router at the modem; then I also have an isolated wifi without VPN.