Hardware VPN - please help me understand...

Discussion in 'VPN' started by ChrisB1, Feb 1, 2013.

  1. ChrisB1

    ChrisB1 New Around Here

    Jan 29, 2013
    Hi everyone, I'm hoping you can help me out with a query I have with regard to getting a VPN set up at home.

    I currently have a number of wired and wireless machines at home, all linked to a Netgear R6300. This is then plugged into a modem through the WAN port. I have a dynamic IP address, and I've not yet set up a DDNS, but I shall. I'm really very happy with the whole set-up, and it does everything I want... apart from having a VPN.

    Now, is it possible to add a VPN endpoint to this set-up without buying a whole new router? I'm not interested in setting up a software VPN - I want a hardware box which can be left on at all times. I want to be able to connect to this remotely using my laptop, Android phone and iPad (not at the same time) and simply get an internal IP address which I can use to initiate an RDP to my file server, or just navigate files on my NAS using Samba. Essentially, it will only be a VPN endpoint, and I would tunnel to it only. No need for site-to-site, no need for SSL, no need for any advanced features, no need for any UTM, spam filters, firewall. No need for wireless. No need for any silly apps (like Cisco QuickVPN) to connect. No need for anything apart from a standard VPN endpoint.

    So, how on earth do I go about doing this??? I have read and read and read until my eyes are about to explode, and I still don't understand how I can set this up easily :-(
    Ultimately, what I'd like is to have a VPN box *inside* the network (ie. a client attached to the router via LAN), but I just can't see any products which do this. I must be either missing something or alternatively it cannot be done.

    As far as I can see, all of the products on offer are essentially routers, with multiple LAN ports and 1 or more WAN ports for a modem. This isn't really what I'm after, as I don't want to replace my router - I want to augment it with VPN! The routing functions are good. The firewall is good. Everything is set up just how I want it.

    Can anyone help?

    Last edited: Feb 1, 2013
  2. ChrisB1

    ChrisB1 New Around Here

    Jan 29, 2013
    I'm stabbing in the dark here, but I'm guessing that I'm probably going to have to:
    1. Disable the DHCP on my router
    2. Disable all of the router functions and somehow switch it to some sort of 'access point' mode
    3. Add a VPN gateway/router into the mix, and make that the router
    4. Plug all my hardware into the VPN gateway instead of the wireless router
    5. Run a cable from the gateway to the wireless router, so that my wireless devices can connect

    This is sort of defeating the whole point of having such a nice router in the first place, as I'll only be using it as an access point :-(

    Not only that, but as far as I can see, if I replace the router with a VPN gateway/router, throughput will drop through the floor (and that includes standard IP traffic as well as VPN traffic). My broadband is 100Mb/s and I do use bittorrent, so speed and connection restrictions would be completely unacceptable.

    I just don't understand why I can't have a VPN inside the LAN?? Software VPNs work this way, why don't hardware VPNs?
    Last edited: Feb 1, 2013
  3. thiggins

    thiggins Mr. Easy Staff Member

    May 18, 2008
    Software VPNs run on each client that you want to terminate or originate a VPN tunnel to/from. You want to terminate your tunnel at the network gateway so that you don't have to install software clients.

    As you have found out, the best way to do this is with a VPN-enabled router. The TP-LINK TL-ER6020 will handle your WAN throughput just fine and provide high VPN throughput, too. Convert your R6300 to an AP and you'll be all set.
  4. ChrisB1

    ChrisB1 New Around Here

    Jan 29, 2013
    Mr Higgins, you are a scholar and a gentleman! Thanks for your response - much appreciated.

    It does seem like a bit of a shame to disable my router, but if that's what needs to be done, then fair enough. It does also seem to be increasing the number of boxes I have (modem, router, access point instead of just modem, router/access point).

    One alternative I suppose is maybe to sell my Netgear and purchase a wireless router with VPN built-in. I could maybe purchase an Asus RT-N66U (in the hope that the firmware is in a better state than when it was originally reviewed...).

    Ultimately, I think I'll probably go with your suggestion though.

    Thanks again
  5. Pain

    Pain Occasional Visitor

    Mar 26, 2013
    OP, If you are still watching this thread, be advised that the TP-ER6020 has some issues with client vpns. It will not currently allow you to use the same subnet for your vpn clients as the LAN, making it sort of useless.

    There are other inexpensive hardware vpns, and I'm currently working my way through them to find some that are reliable, yet cheap. Seems those 2 things are mutually exclusive :)

    I don't think your netgear will support DD-WRT [third party firmware]. You could get a Linksys router like an E4200 [or other router supported by DD-WRT] and that will give you a hardware vpn solution that works great. That Linksys router is also fast enough for your internet connection. I have one and if I could have gotten it to work with a site-to-site vpn I would have used it, but I need both site-to-site and client-to-site.

    It would take some time to figure out DD-WRT though, so there will be a time investment.
  6. Samir

    Samir Very Senior Member

    Apr 1, 2013
    1. yep
    2. yep, it can't be the gateway
    3. yep, because it needs to know all the routes to route traffic properly
    4. not necessarily. You can just run a single wire from the new vpn router to the current switch/router being used as a switch
    5. not necessary if you're plugging into the existing network in step 4.

    The reason you can't have it inside the lan is that it needs a direct connection to your internet to create the tunnel.

    One way around this is to get another IP address from your service provider. And then you'd have to turn off DHCP and statically assign a LAN IP to the VPN router on the same subnet as your main router, which may not work. So then you'd have to switch the new router to do the DHCP and statically assign a LAN IP to your old router.
