How To Asus Dual-Router Setup with one dedicated VPN-Router 2021


Kingslayer

New Around Here
This tutorial will teach you how to set up a dual-router configuration with a dedicated VPN router behind another router (the primary router). This will work with any VPN-enabled router firmware, including DD-WRT, ASUSWRT (including Merlin), and Tomato.
We will be using what is known as LAN-to-WAN router cascading, where each router is on a separate subnet.

This is an incredibly popular home network setup because it allows you:
  • to access VPN and Non-VPN connections,
  • to switch devices to/from the VPN simply by switching networks,
  • to connect devices like an Xbox, a PS4, a fire stick, or a Chromecast to a VPN, and
  • to add more insulation to the VPN network (double NAT = greater security).
Visualizing the two-router setup

Below is a diagram of the home network structure we are going to create. Traffic is encrypted by the VPN router and flows through the primary router to the modem/internet. All devices connected to the #2 (VPN) Router will use the VPN tunnel.
All devices connected to the #1 (primary) Router will use your normal internet connection.
Floatchart.png


Part 1: Setup the Primary Router

There is only minimal setup required on the main router because it is not actually doing anything besides passing on the already-encrypted traffic from the VPN router.
You can use virtually any router in the world if it supports “VPN-Passthrough” (which most modern routers do).
In my setup there are 2 routers: an Asus RT-AC68U White (Router #1) and a second Asus RT-AC68U Black (Router #2). Both run the asuswrt-merlin firmware, and BOTH are configured as routers.

Asuswrt-Merlin Link: https://www.asuswrt-merlin.net/

Log into your first router (for Asus users 192.168.1.1) and enable VPN-Passthrough. On Asus this may vary between firmware versions: click on "WAN", then "NAT Passthrough" and enable these options. (Picture 1)

The primary router is 192.168.1.1 for simplicity. The second router can be given the IP of 192.168.1.2 as a static manual assignment. This will show up as the WAN IP on the second router as well.
Go to LAN, then DHCP-Server, and set a manually assigned IP for your Router #2. (Picture 2)

The second router will then be given its own built-in IPs from a pool of IPs; let us call this 192.168.2.1. The only downside to this is that all devices on 192.168.2.1 will be able to communicate with 192.168.1.1,
but none of the devices on 192.168.1.1 will be able to talk to devices on 192.168.2.1. You can resolve this issue with a static route on Router #1. For this, go to LAN, then Route, and enter your route (it depends on which subnets you use). (Picture 3)
Router#1.png

This is all the setup you need to do on Router #1. Now, off to Router #2.

Part 2: Setup the Secondary Router

In this section, we will change the subnet of the VPN router, so that it does not overlap with the primary router. We also need to enable DHCP,
so the VPN router hands out IP addresses to devices that connect to it. Go to LAN and then LAN IP and set the IP of the router. (Picture 4)

After that, click on DHCP Server and set the IP-Range that the Secondary Router gives. (Picture 5)

After that, you need to configure the DNS server, and this varies with the VPN provider you use. Just check their website - I really recommend AirVPN. Their DNS is "10.4.0.1". The secondary does not matter; just use OpenDNS or something. (Picture 6)

Almost done. Now we just need to set up the VPN. You need a .ovpn profile. Here I am using the AirVPN config generator, and I turned IPv6 off because I have disabled it on my router.
The last step is just uploading the .ovpn to your Router #2. I did not enable any options, just upload and turn on. (Picture 7)

Router#2.png


Cable setup is very easy: just connect LAN* on Router #1 with WAN of Router #2 and select "Automatic IP" for the WAN type of Router #2.
Routers.png


Proof: I am not in Germany nor the Netherlands and I can ping devices from Subnet 192.168.1.xxx

Proof.png


I hope this helps and I'm sorry if there is any ****ty English. :)
 

vpnwifi

New Around Here
Nice tutorial Kingslayer. I hope you don't mind if I ask some questions.

- I don't have a modem and 2 routers but instead I have my ISP's default modemrouter + an Asus RT-AC66U as a VPN router. I would use the ISP's modemrouter wifi as regular wifi and the Asus router wifi as VPN wifi. Should this set-up be able to work?
- My ISP's modemrouter (zte h369a) doesn't have VPN passthrough settings anywhere in the menu. Does this mean this set-up will not work?
- Is port forwarding required to be set-up for using the second router as a VPN client (not a VPN server)?

The reason I am asking this is I tried to follow your tutorial with my ISP's default modemrouter + an Asus RT-AC66U as a VPN router. I do have a working connection through both (modem) router 1 and (vpn) router 2, but using VPN router wifi I still get my home IP address and 90Mbps speedtest, indicating no VPN is used instead of ~20Mbps.
 

Kingslayer

New Around Here
Hello well thanks. :)

If your main router doesn't support VPN passthrough, this setup will not work, because it's a double-NAT environment.
If you use my setup there is no port forwarding needed.

Yeah, because the VPN just can't connect, sadly. Maybe there is some workaround with hacking your main modem and running OpenWrt or something, but I would recommend buying a used Asus that runs RMerlin. You can get that for like 30-50€ here in Austria. Other than that I sadly can't help you.
 

vpnwifi

New Around Here
Thanks again for your post. This forum post implies that if the ISP modem has static routes ability, it should be able to work.

But anyway, you'd say my set-up would work if I would buy another Asus RT-AC66U?

Lastly, did you put your ISP modem in bridge mode? And if my ISP would have that option restricted (can't check right now because I don't have access to the modem now), would it work if I would point DMZ and DHCP to router 1?

Thanks for your help.
 

Kingslayer

New Around Here
Yeah, I think you could get it working but I can't help you with it.

Yes it would work.

Yeah, I did put the router from my ISP (some Huawei **** device) in Single-User Mode (you can find lots of tutorials on how to do this online) and configured my main Asus router to use PPPoE with the user and password that you get from your ISP.

For my router, shipped by "A1", an Austrian telecom company,
I need to log in with the master user, which I found on some forum. (This will be different for every router and every telecom company; you will need to search for yours.)

User: Telek0m
Password: Austria&Eur0

After that you just go to Management and put it in Single-User Mode.
I hope this helps.
 

vpnwifi

New Around Here
Unfortunately my ISP's master user credentials are not public since the ISP is quite new and not widely used.

On the bright side... I can borrow a Sitecom WLR8100 from my parents, which I could use as a 1st router since it supports VPN passthrough. Although I don't fully understand all the tutorials online that are related to this, I do see a lot of people pointing DHCP and DMZ on their ISP modem to their 1st router as an alternative to using bridge mode. I hope this will suffice, will try it tonight.
 

eibgrad

Very Senior Member
Thanks for the tutorial. Very nice. However, I still don't see the need for VPN passthrough on the *primary* router. As you yourself stated, the primary router is simply passing through encrypted traffic. It doesn't know VPN traffic from any other kind of traffic. Its transparency is what makes the two-router configuration so appealing; it works with virtually *any* primary router, OEM/stock or third-party firmware. If what you say was true, then presumably the OpenVPN client on my primary router would require my *ISP* support VPN passthrough on his router. Or else I'm misunderstanding what *you* mean by VPN passthrough.
 

Kingslayer

New Around Here
I don't think it works like that; as you see, user vpnwifi has a problem with the primary ISP router. But I will try tomorrow and let you know.
 

eibgrad

Very Senior Member
My networking knowledge is very little so there's a big chance I did something else wrong along the way. I did read a lot of tutorials on this matter (second router for openvpn) and multiple posts indicated that static routing is necessary when using an ISP modemrouter with an OpenVPN router (for example this post https://www.snbforums.com/threads/vpn-router-behind-isp-router.43196/)

Static routing is an entirely different issue from VPN passthrough. When using a second "VPN" router w/ Merlin (or most any other third-party firmware), you have the option to either keep NAT enabled over the WAN of that router (which makes adding static routes to the primary router unnecessary), or disabling NAT (which then *requires* static routes on the primary router). In most instances, esp. when combining devices from your ISP w/ your own, you're better off using NAT since many times the ISP's modem+router does NOT support static routes! Granted, the latter creates a double-NAT situation for clients of the VPN router, but imo the negative consequences of that are often overblown, and regardless, you may have no other option.
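
Added example (not part of any post in this thread): a small Python check of the addressing plan discussed above, which confirms the two routers sit on non-overlapping subnets and that Router #2's WAN address lies inside the primary LAN, then produces the static-route entry for Router #1. The function name `plan_cascade` and the `required` flag are assumptions made for this illustration; the NAT rule encoded in that flag follows the reply above.

```python
import ipaddress


def plan_cascade(primary_lan, vpn_lan, vpn_wan_ip, nat_on_vpn_router=True):
    """Check a LAN-to-WAN cascade plan; return (problems, static_route)."""
    # strict=False lets the caller pass a router address such as 192.168.2.1/24.
    primary = ipaddress.ip_network(primary_lan, strict=False)
    vpn = ipaddress.ip_network(vpn_lan, strict=False)
    wan = ipaddress.ip_address(vpn_wan_ip)
    problems = []

    # Each router needs its own subnet, otherwise Router #2 cannot tell
    # its WAN side from its LAN side.
    if primary.overlaps(vpn):
        problems.append(f"{vpn} overlaps primary LAN {primary}")

    # Router #2's WAN address is assigned by Router #1, so it must be a
    # usable host address inside the primary LAN.
    if wan not in primary:
        problems.append(f"{wan} is not inside primary LAN {primary}")
    elif wan in (primary.network_address, primary.broadcast_address):
        problems.append(f"{wan} is not a usable host address")

    # Static route to enter on Router #1 (LAN -> Route in the tutorial).
    # Per the reply above: required when NAT is disabled on Router #2,
    # not required when NAT stays enabled (the tutorial adds it anyway so
    # that primary-LAN devices can reach the VPN subnet).
    route = {
        "destination": str(vpn.network_address),
        "netmask": str(vpn.netmask),
        "gateway": str(wan),
        "required": not nat_on_vpn_router,
    }
    return problems, (None if problems else route)


if __name__ == "__main__":
    # Addresses used in the tutorial.
    print(plan_cascade("192.168.1.1/24", "192.168.2.1/24", "192.168.1.2"))
    # Constructed mistake: Router #2 left on the primary router's subnet.
    print(plan_cascade("192.168.1.1/24", "192.168.1.1/24", "192.168.1.2"))
```
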
 
