Posted: Thu Sep 16, 2021 20:42 Post subject: Connect a secondary VPN DD-WRT router to a non VPN router
I would like to use a Netgear R7800 router with VPN attached to a Linksys primary router. On the Netgear secondary router, I disabled DHCP, set Advanced Routing to "router", and changed the Netgear IP to 192.168.1.2 and left the Linksys at 192.168.1.1 and internet works fine on the Netgear secondary router. I would like to set up a single specific (no hopping) VPN server on the Netgear secondary. There is no VPN on the primary router. ProtonVPN has basic instructions and wants a "Static DNS 1" put in. With the DHCP server disabled, I cannot put the listed DNS setting in. Are there other methods to do this with a cascaded router setup?
Also, there are stickies in this area of the forum specifically for setting up OpenVPN...
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327398
Thanks for the reply. The instructions do say "Client" and I meant to say that I needed to set up the details in order to use a specific server. I did everything according to the ProtonVPN instructions, but DHCP server normally is disabled so the router can be connected to the primary router. The ability to add the "Static DNS" is then greyed out. The ProtonVPN instructions do not cover this cascade scenario. ProtonVPN told me that they had not tried this scenario and did not have any instructions to give me. I'll keep looking around the board, but if someone has a direct link to the info I need, then I'm open to it. Thanks.
Beware, if you establish the OpenVPN client on a secondary, bridged router, it will be inaccessible to the rest of the clients on the 192.168.1.x network unless you change their default gateway to point to the LAN IP of the secondary router. While it can be done, it requires a primary router that lets you make such changes to the DHCP server for those clients. And such capabilities are rare for OEM/stock firmware. Or else you'd have to make the secondary router handle DHCP for the network.
Thanks eibgrad. I will remember that. This primary OEM router has to stay put and cannot be reconfigured. VPN is not wanted on the primary router. Your suggestion would have been easier.
d33b0_n4p41m: Thanks again for the links. It said in one not to use the Static DNS given but to use another trusted DNS or 9.9.9.9. I would still need DHCP enabled to do that under normal setup. I still don't see a way to do that while disabled.
I'll keep reading.
Thanks to all so far, I'm still open to new methods.
Joined: 16 Nov 2015 Posts: 6447 Location: UK, London, just across the river..
Posted: Thu Sep 16, 2021 23:40 Post subject:
The eibgrad advice is more convenient; I use my VPN routers behind the main in gateway mode instead of WAP/switch mode... it's more secure and easy to run... as well, DNSmasq can be forced to use your DNS of choice and you can blend it inside the VPN channel with this OpenVPN command:
pull-filter ignore "dhcp-option DNS"
Joined: 18 Mar 2014 Posts: 12917 Location: Netherlands
Posted: Fri Sep 17, 2021 11:47 Post subject:
I run a VPN client on a WAP, but it is easier in default gateway mode, as @eibgrad already said.
It is important to keep the router in gateway mode; router mode breaks things.
If you use an unbridged VAP on the WAP, it will use the VPN.
Instructions on how to set up a VPN are in my signature at the bottom.
Those include instructions for proton.
EDIT:
I saw you were using a very old build; if you still are, then you should upgrade first (reset to defaults after upgrading and put settings in manually).
These old builds have security issues.
egc: I've been going over the documentation for installing DD-WRT. On page 4, subsequent flashes, is it okay to just upgrade my existing DD-WRT installation with the stable version .bin file?
Joined: 18 Mar 2014 Posts: 12917 Location: Netherlands
Posted: Sun Sep 19, 2021 7:30 Post subject:
leaf27 wrote:
egc: I've been going over the documentation for installing DD-WRT. On page 4, subsequent flashes, is it okay to just upgrade my existing DD-WRT installation with the stable version .bin file?
Yes, you can simply upgrade with a recent build (see the forum guidelines on how to research).
I upgraded to DD-WRT v3.0-r47474 std (09/20/21) on my Netgear R7800 secondary router. I changed the local IP address to 192.168.1.2/24 and the start IP address is 192.168.1.100. The primary router is 192.168.1.1. The internet works fine now. All I did differently was upgrade the DD-WRT version and it worked right away.
I still cannot get the VPN going. I have tried several UDP servers and now a TCP server. I'll keep trying with the TCP servers. They are supposed to be more stable. UDP is supposed to be faster. I have used the instructions in the links here and also on ProtonVPN's website. I have set the time in the Command Box with "date YYYMMDDHHMM". I noticed in the top right corner of the DD-WRT control panel that the WAN IP is always 0.0.0.0. The DNS is 10.7.7.1 on the set up page since it is TCP and the port is 443 on the VPN set up page. The ProtonVPN DNS numbers are supposed to be secure and trusted so I have been trying them.
The log entry in the status page has a long entry. Here are the highlights.
State
Client: RECONNECTING init_instance
Network unreachable
Would it help if I pasted the entire log entry here?
I'm unable to test the secondary router directly to the internet bypassing the primary router. The primary router has been set up by the ISP to work with their internet service. Bypassing it does not work.
Joined: 18 Mar 2014 Posts: 12917 Location: Netherlands
Posted: Fri Sep 24, 2021 7:17 Post subject:
Sure, it helps if you post a picture of the OpenVPN setup page and OpenVPN Status page (no more than 768 pixels width, see the forum guidelines).
But first get your setup right.
I assume you did a full reset; after that, set up the WAP according to the wiki (assuming you still want a WAP setup; if you just want default gateway mode, the only thing you have to change is the router's Local IP address from 192.168.1.1 to 192.168.2.1):
https://wiki.dd-wrt.com/wiki/index.php/Wireless_access_point
One point which you should not follow is setting the router in Router mode, just leave it in Gateway mode.
So basically:
set the IP address like you did
Disable WAN
Disable DHCP (set to off)
Gateway and Local DNS should be set to the primary router (e.g. 192.168.1.1)
Then your time should work automatically.
About Proton's setup, see the OpenVPN Client setup guide.
Specifically note this sentence:
Quote:
Do not set the Static DNS servers like they (Proton's instructions) are doing, just use for static DNS 1 something like 9.9.9.9 or another publicly available DNS server you trust.
(Although in this case your DNS server is the primary router, so you could actually just leave the DNS servers at default 0.0.0.0, but setting a private DNS server which can only be reached after the VPN is up will get you in a Catch-22 situation.)
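A pre-flight check for the two settings the post above calls out (a gateway pointing at the primary router, and a DNS server that does not depend on the tunnel), as an added example that is not part of the thread. The function names, the /24 LAN assumption and the sample routing tables are constructed for illustration; treating any private off-LAN address as tunnel-only is a heuristic.

```shell
#!/bin/sh
# Added example (not from the thread). Sample routing tables are constructed.
# On the router, pass "$(ip route)" and the values from the Basic Setup page.

# 0 if ROUTES ($1) has a default route via GATEWAY ($2)
has_default_via() {
    printf '%s\n' "$1" | awk -v gw="$2" \
        '$1 == "default" && $2 == "via" && $3 == gw { ok = 1 } END { exit !ok }'
}

# 0 if ADDR ($1) is in RFC 1918 private space
is_private() {
    case "$1" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# Classify DNS ($1) relative to the router's LAN IP ($2), assuming a /24 LAN
dns_verdict() {
    if [ "$1" = "0.0.0.0" ]; then echo "default"        # left at default, as the post allows
    elif [ "${1%.*}" = "${2%.*}" ]; then echo "lan"      # e.g. the primary router
    elif is_private "$1"; then echo "tunnel-only"        # heuristic: private and off-LAN
    else echo "public"
    fi
}

# preflight ROUTES GATEWAY LAN_IP DNS -> prints findings, returns 1 on any failure
preflight() {
    rc=0
    if ! has_default_via "$1" "$2"; then
        echo "FAIL: no default route via $2; the VPN server is unreachable"; rc=1
    fi
    if [ "$(dns_verdict "$4" "$3")" = "tunnel-only" ]; then
        echo "FAIL: DNS $4 is likely reachable only once the tunnel is up"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "OK"; fi
    return "$rc"
}

# Constructed samples: WAN disabled with no Gateway set, then with Gateway set
NO_GW='192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.2'
WITH_GW="default via 192.168.1.1 dev br0
$NO_GW"
preflight "$NO_GW" 192.168.1.1 192.168.1.2 10.7.7.1 || true
preflight "$WITH_GW" 192.168.1.1 192.168.1.2 9.9.9.9
```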
Did you set up your NTP client on the basic settings page?
mwbuss8: I set up NTP, but I have to reset the time at each power up cycle. I cannot be sure it is working right with my secondary router setup, though.
egc: Thanks again. I attached three .pdf files that have the router page information. The OVPN file is on the next page in this posting. I put some added commands in the configuration box to take care of a cipher error message and some MTU comments. If you would like to see the log entry without the commands I can reconfigure and upload the results. The address 192.168.2.1 does not allow me to access the secondary router at all. I had to reset and start over.