
How To Build a Dual Router VPN Client Solution?


Darf Nader

Occasional Visitor
I know there have been many permutations of questions regarding two-router setups in order to provide a router-based VPN tunnel that have already been posted, but I have not found a succinct guide on a holistic approach that explains the concepts as well as the general steps which would provide an over-arching solution. I was thinking of two possible approaches that would suit my needs: either by configuring the two devices as routers/gateways where one is "behind" the other, or by having one as a standard gateway and the other as a bridge, a.k.a. access point.

Current Config
I presently have my router serving as a gateway/firewall between the WAN (internet) and my private LAN and I have the secondary router behind that gateway with its WAN address that's a static IP on the "primary" LAN's subnet. This secondary router serves as the VPN Client endpoint which has what I call the "secondary" LAN which would be the LAN that would have its internet traffic tunnel through a VPN client on the secondary router. Presently, when the VPN tunnel is up on the secondary, hosts on the LAN of the secondary router can route through the tunnel to the internet, but nothing can route from the secondary LAN to the primary LAN and vice-versa. The same is true when the VPN tunnel is down, but now there is no route to the internet as well. Also, if I ssh to the secondary router, I can ping hosts in the primary LAN, but I cannot ping anything WAN-side of the primary, as in anything in the internet. Clearly there are some routing issues (as in that routes are missing or not working as expected) and there are probably problems brought about by double-NAT.

My goal is to have a private LAN where one of the devices serves as the VPN Client. I don't necessarily need separate private subnets if I don't need them. I am vaguely envisioning two approaches which may or may not be pipe dreams:

(a) two private subnets where the second router lies in between, and where hosts on both sides of the secondary router can connect to hosts on the other side whether the VPN tunnel is up or down on the secondary router OR

(b) have the entire private network on a single subnet but the secondary router is not a router at all but a bridge allowing traffic between the VLANs between the LAN ports and WAN port, but when the VPN tunnel is up on the secondary, all internet-bound traffic is routed through the VPN tunnel, but local traffic on the other side of the VLAN

My Setup
I presently have two wireless routers. Presently, my primary wireless LAN router is an Asus RT-AC87U running ASUSWRT-Merlin 380.68_4 and its WAN port connects to an Arris cable modem which provides the DHCP-assigned public address from my ISP. (I attempted various versions of DD-WRT on the RT-AC87U and I couldn't get the download speed to be anything but awful either on wired or wireless, and after much trial and error I gave up and just went with Merlin 380.68_4 which has proven to be the only firmware that has decent speeds and function.)

The secondary LAN router which presently is the VPN tunnel (client) endpoint is an Asus RT-AC68P/U B1 running Tomato 1.28 build 138. I chose this firmware solely because my VPN provider is VyprVPN and they have a native VyprVPN client that runs on top of Tomato, but surprisingly the performance is so godawful (even when it is connected directly to the cable modem the speeds are intolerable compared to using a VPN software client or the generic OpenVPN client).

As I said, I presently have both in "gateway" mode, but this is so far not working out with routing traffic between the two LANs, because I cannot get traffic to route from the secondary LAN to the primary. I have attempted to set up static routes to explicitly route traffic between the secondary LAN to the primary, not to mention internet traffic, but I have not had any success. Only when VPN Client is engaged will any traffic route from the secondary LAN to the internet over the VPN tunnel.

Therefore, I am considering the alternative of having the second router function as a bridge instead, so that I only am dealing with a single subnet and VPN is provided when hosts connect to the SSID of the second router's (now a bridge's) wireless network or the wired LAN ports which are bridged to that same VLAN. My thought is perhaps to bring the VLANs of the WAN and LAN side of the secondary in a way that traffic routes between the two LANs (being that they are on the same subnet), but hosts on the VLAN that is the secondary's LAN can only get to the internet when the VPN tunnel is established. My knowledge of working with VLANs is even more scant than my knowledge of static routes, so I am not even sure what I am proposing is possible.

If what I am describing above, either with my existing setup or my proposed ideas, is too murky as described and requires a diagram, please let me know and I will try to put one together. This is my first post here and I realize my description is probably a dog's breakfast, so I am open to suggestions on how to make it more coherent. Thank you!

Hi, after getting no responses, I have to assume that my question was either too long, too incomprehensible, or missing key info to get a legit response. Or, maybe I didn't wait long enough. Either way, I haven't made a post like that before so if anyone has any suggestions on how I might make a better post that will draw more input, please lay some truth on me.

Some additional info:

My primary, the Asus RT-AC87U Merlin (Primary Router), is as follows:
WAN APP: <Public, DHCP Assigned by ISP>
Bridge IP:
LAN info (DHCP provided by primary router)
Net: LAN is
I also added the static route:
This seemed to make all the difference... or so it seemed at first!

My Secondary Router, the Asus RT-AC68P/U B1 with Tomato, has the following:
WAN: (on primary LAN, obv)
Bridge IP:
LAN info (DHCP provided by secondary router)
Net: LAN is 192.168.10.0/24

Now get this:
Using an iOS device while on the secondary LAN, VPN up or down, I can route to the primary LAN and the WAN just fine, however a macOS machine that is on the same LAN cannot! I have tried two Macs that don't work, and two iOS devices that do. I have no idea why this is the case! Why would the same net hosts have different routes based on OS? Anyone?
