
2 routers with the 2nd behind having a VPN not working


Dafod

Occasional Visitor
I originally posted in the asuswrt Merlin sub-forum but I believe it was the wrong forum. Here is my problem:

1. I am trying to get around geoblocking and have a VPN I can use that removes this problem. The only issue is that I have only connected with my iPad and iPhone's clients. It works with both L2TP and PPTP. I have had it running with both protocols with the iPad w/o issue.

But, I am yet to set it up on my home network with my Apple TV as I cannot get even a basic 2 router setup working. My details are:

Router 1 = Asus N66U with asuswrt-Merlin
Router 2 = Netgear WNDR3700 with DD-wrt

I have planned to use PPTP client on Router 2.

Router 1 = 192.168.1.1
Router 2 WAN is DHCP (but static from router 1 @ 192.16.1.38)
LAN is 192.168.2.1

Even before enabling the VPN client on Router 2 I am unable to surf the net with a win 7 PC that is wired to a LAN port.

It's unclear to me what checks I need to make (probably in asuswrt on Router 1) to ensure I am not stuffing stuff up. I have even put Router 2's IP in DMZ on Router 1 with no change. In Router 2 I can see I am assigned ip 192.168.1.38 but that's it. My PC gets an ip from Router 2 but nothing passes through. I have actually also tried the VPN client on router 2 but it gets nowhere.

Any help on troubleshooting would be much appreciated.

Justin
 
You're doing it wrong. The only case where you use a VPN behind a router is if you are running a VPN server; otherwise use the main router for the VPN, for simplicity in setting up the routing part.

You don't need any sort of port forwarding or DMZ; enable VPN passthrough on router 1.

You can still use router 2 as a VPN client if you plan to connect to router 2 with the device you want to use the VPN with; the problem comes with whether you want to isolate router 2 from the LAN or not. If you do, it's a simple matter of plugging the WAN of router 2 into the LAN of router 1 and making it act as its own router, but routing everything through the VPN. Otherwise set up the VPN client on router 1 and configure the routing on what gets routed through where.

Many, if not all, consumer routers will not attempt to connect to the internet for any service via the LAN port despite routing and gateway definitions, and won't bridge between WAN and LAN. This is a major weakness for even Asus routers unless you set them up in AP mode and lose all the functionality you are trying to use.
 
Hi, I am a little bit confused and I probably didn't explain it well enough.

My setup is : Router 1 >-General LAN. Router 2 (VPN) >- Apple TV

Network setup is :

Router 1 (192.168.1.1) - Switch 1 - Switch 2 - Router 2/VPN (192.168.2.1) - Apple TV

Running off Switch 1 & Switch 2 is about 30 wireless clients through 5 wifi access points.


Under my general LAN (Router 1's sub-net) is 99.9% of everything. I only have Router 2 for the VPN and Apple TV on its sub-net. The cost and speed of the VPN means I only want it for streaming where I am geoblocked.

I have Router 1 with VPN passthrough enabled. I am only attempting to connect with a PC behind Router 2 to try and troubleshoot why the VPN client in DD-WRT is not connecting. I actually don't care if the Apple TV is totally isolated from my general LAN. I only tried DMZ as I was getting desperate.

So the WAN of router 2 is connected to LAN of router 1 but when I attempt to connect the VPN client it just doesn't connect. So, we come back to the truth of the matter is that I have spent 3-4 days and countless hours trying different configurations to allow it to connect without success.

It was unclear what you were suggesting in your post.

1. I don't want to setup the VPN client on router 1 because I don't need everything behind the VPN and in addition the client on asuswrt-Merlin doesn't work with my VPN service - tried it, and it claims (in the logs) that it's pedantic or something about wanting encryption (even when setting is off).
2. I thought I had to create another sub-net with the VPN router so I didn't double NAT.

If I am doing something wrong in my setup I am happy to change, but it's unclear (to my understanding) what you are suggesting in your post.
 
Can your Asus N66U do OpenVPN? If you don't have luck with your DD-WRT, I suggest running an OpenVPN client on your first edge router (N66U), then selectively route 192.16.1.38 to use it. Now your DD-WRT can just switch/route on its subnet. I think it's better though to run OpenVPN on your second router like you're trying to do. If your AC66U is using Trend Micro, then I believe they get a copy of everywhere you go. -err kinda defeats the VPN. You know for safety.

Correct me if I am wrong. lol (nobody has corrected me yet on my outrageous claim :confused:)

edit: nevermind- I didn't read all of your last post. New suggestion get a different vpn provider.
edit #2: I should mention that I did (before my router broke) have a vpn going through another vpn (encapsulated). Had to change the mtu a little, but worked very well. So it might be operator error or a city vpn. rofl
 
I have actually got PPTP to work on my Asus N66U, but not the DD-WRT router. Funny you mention OpenVPN, as the client does have selective routing built in. I did see a post for doing selective routing with PPTP by inserting a script in JFFS, but reading over it I haven't figured it out yet. Thinking I might set up an OpenVPN server on AWS though, as this might be easier.
 
The newer versions of RMerlin has selective routing built into the GUI (not 100% sure about your model). Just select the ip address and tell it what vpn# to use, or to use the WAN. But be careful! I believe the latest version will neuter your wifi power. Might be happier with a couple small version numbers back. That IMO is one of the best features RMerlin has added.
edit: sorry my reading comprehension skills are poor. Oh PPTP got it! :oops:
 
Thanks Cake. Actually picked up a 2nd hand AC68U to use as my primary and put the N66U as a client, running its own sub-LAN just for the Apple TV and PPTP VPN. It's working well. I was unable to get the DD-WRT VPN client to work (had too many configuration options for me).


 
If you're trying to get a device behind a VPN, it's best to use the VPN on the device itself unless it is incapable or its processing power is too weak (normally TV boxes have better CPUs than Broadcom ARM).

The approach can be done for multiple devices to share a vpn connection if you plan to route all traffic of specific devices through vpn and rest through normal internet. The router should be configured as a normal client/PC using WAN port to LAN but the IP subnets of the main LAN and your 2nd router's LAN must be different.
 
SEM, an Apple TV doesn't have a VPN client.
I put a second router with VPN with its own subnet as the PPTP client doesn't have selective routing in the GUI. Whilst I saw you could put together a script to achieve this, I made a call on time / money and went with getting a 2nd hand router. Only issue is cost of AWS VPN (even on "free tier").


 
Then just use the advice I gave. Use different LAN subnets, connect the WAN of the 2nd router to the LAN of the 1st router, and use DHCP/dynamic IP WAN with minimal settings and a default route. Then have the VPN and make sure to route all internet traffic through it. With this method you are treating the router as a server rather than a router. You can achieve better results with a PC or a flexible router like MikroTik. With a MikroTik RouterBOARD with a good CPU just plug 1 ethernet cable into your network, 1 to your TV. Don't switch the interface that connects to your LAN. Use a DHCP server on the interface with the TV, a DHCP client on the interface with your LAN (but no default DNS/route), set up the VPN using IP not domains and set it to be the default route, then set your DNS server to any you like and it will go through your VPN.

Consumer routers are restrictive in their functionality and what you can do with them. LAN and WAN ports are determined with a fixed setting and architecture, while more advanced routers like MikroTik, high-end Cisco and x86 OSes are flexible in that you can have any port as WAN and LAN, even both, and do all sorts of routing.
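
An added example, not part of the thread: a small audit of the routing plan the last post describes (different LAN subnets, VPN server reached by IP over the WAN port, default route and DNS through the tunnel). The routing table, the interface names `ppp0`/`wan`/`lan` and the documentation-range addresses 203.0.113.10 and 198.51.100.53 are constructed assumptions.

```python
import ipaddress

# Constructed routing table for the second (VPN) router. 203.0.113.10 stands in
# for the VPN server and "ppp0"/"wan"/"lan" are assumed interface names.
ROUTES = [
    ("0.0.0.0/0", "ppp0"),        # default route through the tunnel
    ("203.0.113.10/32", "wan"),   # tunnel packets themselves reach the server via router 1
    ("192.168.1.0/24", "wan"),    # router 1's LAN, directly connected on the WAN port
    ("192.168.2.0/24", "lan"),    # router 2's own LAN
]

def egress(routes, dst):
    """Longest-prefix match: interface a packet to dst leaves on, or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def audit(routes, upstream_lan, own_lan, vpn_server, dns_servers,
          tunnel="ppp0", wan="wan"):
    """Return a list of findings; an empty list means the plan is consistent."""
    findings = []
    if ipaddress.ip_network(upstream_lan).overlaps(ipaddress.ip_network(own_lan)):
        findings.append(f"LAN subnets overlap: {upstream_lan} and {own_lan}")
    if egress(routes, vpn_server) != wan:
        findings.append(f"VPN server {vpn_server} is not pinned to {wan}")
    for dns in dns_servers:
        via = egress(routes, dns)
        if via != tunnel:
            findings.append(f"DNS {dns} leaves via {via}, bypassing {tunnel}")
    return findings

if __name__ == "__main__":
    # Resolver outside both LANs: follows the default route into the tunnel.
    print(audit(ROUTES, "192.168.1.0/24", "192.168.2.0/24",
                "203.0.113.10", ["198.51.100.53"]))
    # Resolver learned from router 1's DHCP: goes out the WAN port instead.
    print(audit(ROUTES, "192.168.1.0/24", "192.168.2.0/24",
                "203.0.113.10", ["192.168.1.1"]))
```

The second call shows why the post says to take no DNS from the upstream DHCP lease: a resolver on router 1's subnet matches the connected route and never enters the tunnel.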
 
