Bitácora Técnica de Tux&Cía., Santa Cruz de la Sierra, BO

Thursday, September 27, 2012

Dedicated Router for VPN behind another router

Dedicated Router for VPN, repeat & print behind other router 
Basically I would like to have the following:
- main DSL modem-Router - provided by my broadband provider
- a second router that I will install dd-wrt on.
The second router would serve the function to:
- be a VPN server
- use the USB port to connect and network a printer
- also use it as a repeater (optional)
- need the two routers to be connected over air (they need to be at least a floor apart)
- did look at having it all in one router but have discounted due to cost (I do not want to flash an expensive router - also looking to do this at very low cost)
- I live in a multi-story house and the BB router from provider is on ground and my office is on second.
- I am not using a PC to do it as the power from a router is much lower than an old PC for equal functionality
- my primary reason for the VPN server is to be able to watch BBC iPlayer when abroad (I travel a fair amount) as well as some protection when I am on public wifi & using my tablet PC

I think we are looking for the same answer(s) @wrt-noob. Simply, I would like to;
(i) keep my existing expensive Linksys simultaneous dual-N gigabit router with its native firmware (and warranty) and
(ii) have its network input VPNed with a separate feature-filled reasonably-priced network device.
So that the setup would be: The Internet line -> the new router running DD-WRT -> the cable transferring VPNed Internet -> the existing dual-band N router -> go wireless for 'home entertainment' (incl. P2P) purposes.
I love Linksys, although there are some points where they suck (such as the malfunctioning Linksys feature), and it looks to me like the options I have are:
- WRT54GL (all times favorite Linux-ready router with 16Mb RAM and 8Mb flash)
- WRT160NL (w. 32 RAM, 8 flash)
- E2100L (w. 64 RAM, 8 flash)
- E900 (w. 32 RAM, 8 flash)
I do not actually care about the additional device's wi-fi capabilities, since it will be wired to my dual N router. However, among the above-cited four alternatives, I feel like I will go either for WRT160NL (the "Former") or for E2100L (the "Latter".)
I understand that the 'L' letter means 'Linux-ready', i.e., having a native Linux-based OS running already, which means that it would be much easier to install the third party DD-WRT software.
Both devices use the same processor and the latter replaced the former. The Former has 32Mb. RAM, while the Latter has 64. (Q1: Does higher RAM really mean anything?)

To answer your question about whether or not RAM matters, the short answer is YES. You want as large an NVRAM chip in there as you can get. With an 8 meg flash chip you will be quite limited as to what you can put on it.
I use this:
It's got tons of RAM and I can load the largest builds available on the device.
There are extensive explanations on the web for the Former's upgrade to DD-WRT. For the Latter, there is an experimental build. (Q2: Does that mean that the Latter's version might not be a stable one?)
If higher RAM does not mean anything at all, maybe I should go with a well-recognised & cheaper model, namely WRT54GL, since it must have the most stable DD-WRT build.

You want simply.. your normal modem/router connected to the internet...
And another router running dd-wrt to funnel all traffic through your normal router?
Am I reading this correctly? This doesn't seem complicated, at all, and it doesn't surprise me that you haven't found anything in the forums about it. All you got to do is connect the second router's (modified with DD-WRT) WAN port... to one of the first router's switch ports.
Connect all your devices to the router running dd-wrt, and set up dd-wrt to host the services that you want from it.

But the solution that I am looking for is;
- to have all my devices to keep connected to my existing router, and
- to have an additional router solely for the VPN connection.
I will use my new VPN-specialist router solely wired and for establishing the VPN connection.
All you would have to do to achieve that configuration would be to connect the secondary router's WAN port to your primary router's switch... and then set up the second router to run dd-wrt and a VPN client. Everything will connect through just like normal.. and you would simply connect the computers you wanted to be on the VPN to your second router.
As far as hardware suggestions go... I'm kind of a snob for ASUS. I myself do not like Linksys at all.. I've had nothing but trouble with them.
Do keep in mind if you don't want wireless, you could just simply disable it and remove the antennas...

I want my broadband provider provided router to just route traffic and then the cheapo one to be upstairs as VPN server & print server.

@Vespian - I think I get what you are saying. My extra questions would be:
- I cannot connect the two routers via cable. I need to do it over wifi. Is it still possible?
- do I set up the DDNS on router 1, as this is the one connected to the internet?
- how do I do port forwarding over wifi from router 1 to router 2 if router 2 is actually running the service?
I suggest you familiarize yourself with the wiki. It's all in there, but...

It is possible to connect the two devices together with only Wifi, this is called a client bridge and more information can be found on it, here:
If you follow the directions properly, you shouldn't have to worry about doing anything special with DNS. The routers will handle that. The second router will use the first router as its DNS server... and the first router will get its DNS information from your ISP. It will be transparent to you, just like directly connecting two routers together via a cable.
As far as the port forwarding rules go, I'd have to do a little digging into that to find out. The second router is connected as a client, but whether it is bridged or not depends upon your configuration.  

With a bridge, no port forwarding rules should be necessary on the second router.
You should only have to define them like normal on the first. The second router will connect to the first just like any other client, and have an IP and MAC address.
I still have a fundamental question in my mind.
My idea was to use;
- Router No. 1 for 'plain Internet-to-VPNed Internet' conversion and
- my existing Router No. 2 as it is currently serving to 10+ devices.
@wrt-noob, I think that the above set-up is the opposite of what you had suggested the other day. It must have been helpful for @Vestian though.
The thing is that I have a reasonably complicated home entertainment system including an Apple TV, an AV Receiver, a satellite receiver, a number of media players, two personal computers, network storages, tablets and other handheld devices with A/V player & remote controlling software installed on them.
So, basically, I would like to keep the existing set-up, since they are all connected to the Internet and communicating among each other through the existing network, wired and wireless, quite well. Wireless MAC filters, DHCP reservations, DNS and port forwardings are all set on my Linksys WRT610N (namely, Router No. 2). This is a simultaneously two-band running 802.11n router with 64MB RAM, 8MB Flash and Gigabit switches. It also has the 2.4 Ghz. / 5 Ghz. options, which I use to avoid/reduce any interference, etc.
In addition to the above, I also use P2P quite heavily and really care about the network's stability. Because my wife, who hates dealing with network problems, resetting the router, etc., uses the home network as well.
Router No. 1 (LAN switch out) will be wired to Router No. 2 (Internet in) and I will not use Router No. 1's wi-fi capabilities. The wired devices will all be plugged in to Router No. 2.
Router No. 1 will be set, while Router No. 2 will be set, and all other devices will take their reserved addresses starting from
The technical capabilities and specs of Asus RT-N16 are really impressive with such a competitive price (i.e., under $100.) However, although it still is an affordable option for me, for the time being, I do not want to make such an investment, if there is no return on it. Because my intention is to use it, as Router No. 1, as a pass-through (i.e., intermediary) device. I will use none of its advanced features, other than establishing PPTP, L2TP or OpenVPN-based connections with my VPN service provider.
If I need to upgrade in the future, I can buy the best at that time.
I might consider installing DD-WRT to my existing router (No. 2); however, having an intermediary device will also help me to have a more flexible network. For example, with an additional router in-between, I may have the flexibility to cancel VPN physically (i.e., simply by unplugging) or create a password-protected guest network (i.e., on 192.168.0...) without having people on my home network (i.e., on 192.168.1...)
Considering the above, does it still make sense not having an 'all times favorite' $50 router, such as WRT54GL for the intended intermediating purposes? In other words, I thought that my network's routing capabilities will be limited to those of the router immediately facing my home network (WRT610N, No. 2). Am I correct?
Or do you think that a highly capable intermediary device will increase my network's ultimate routing capabilities?
Maybe I can simply reword the main question as: "which router (i.e., either the intermediating one used for establishing the VPN connection, or the main one serving the devices on my home network) is O.K. to be the weakest (say the 'comparatively weak') link?" 


Simply put:
Unless your current router supports the setup of a client bridge... You need dd-wrt to do it.
The smallest version of dd-wrt that supports VPN services is Mini-VPN which requires a router with a 6 meg flash chip. You need to buy a router that has enough flash memory, and that means you can't get the cheapest thing you can find.
As far as VPN setup on the router.. It's pretty straightforward with the GUI. Just make sure redirect-gateway def1 is set... And all traffic will be redirected through the tunnel.
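
An added example, not part of the original thread: OpenVPN's redirect-gateway def1 does not delete the default route, it adds the two more-specific routes 0.0.0.0/1 and 128.0.0.0/1 through the tunnel, so a routing table can be checked for them to confirm that traffic is not bypassing the VPN. The interface names (tun0, vlan2), the addresses and the function names are assumptions made for this sketch, and the routing tables are constructed samples in the format printed by `ip route show`.

```shell
#!/bin/sh
# Classify a routing table by whether both def1 routes point at the tunnel.

# Constructed sample: tunnel up, both /1 routes present. 203.0.113.10 stands
# in for the VPN server, which stays reachable through the plain gateway.
SAMPLE_UP='0.0.0.0/1 via 10.8.0.5 dev tun0
default via 192.168.1.1 dev vlan2
10.8.0.5 dev tun0 proto kernel scope link src 10.8.0.6
128.0.0.0/1 via 10.8.0.5 dev tun0
192.168.1.0/24 dev vlan2 proto kernel scope link src 192.168.1.2
203.0.113.10 via 192.168.1.1 dev vlan2'

# Constructed sample: only the lower half of the address space is redirected.
SAMPLE_HALF='0.0.0.0/1 via 10.8.0.5 dev tun0
default via 192.168.1.1 dev vlan2'

# Constructed sample: no tunnel routes at all.
SAMPLE_DOWN='default via 192.168.1.1 dev vlan2
192.168.1.0/24 dev vlan2 proto kernel scope link src 192.168.1.2'

# route_dev TABLE PREFIX -> prints the "dev" of the route for PREFIX, or nothing.
route_dev() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $1 == p { for (i = 2; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# vpn_route_status TABLE TUN_IF -> prints tunneled | partial | bypass
vpn_route_status() {
    low=$(route_dev "$1" "0.0.0.0/1")
    high=$(route_dev "$1" "128.0.0.0/1")
    if [ "$low" = "$2" ] && [ "$high" = "$2" ]; then
        echo tunneled      # both /1 routes override the default route
    elif [ "$low" = "$2" ] || [ "$high" = "$2" ]; then
        echo partial       # half of the address space still leaves unencrypted
    else
        echo bypass        # traffic follows the plain default route
    fi
}

# Demo over the constructed samples; on a router, pass "$(ip route show)" instead.
for t in "$SAMPLE_UP" "$SAMPLE_HALF" "$SAMPLE_DOWN"; do
    vpn_route_status "$t" tun0
done
```

Anything other than "tunneled" after the VPN client reports a connection means some or all client traffic is still leaving through the ISP router unencrypted.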


Sandy Shaw said...

Nice Article! Thanks for sharing with us.

Alan Wade said...

If you've got multiple computers or numerous devices connected to your network, and want for them to be routed through your VPN servers, you will opt to setup a VPN affiliation on your actual router. By doing therefore there ought no to tack together each device severally, as your router can mechanically connect all devices to our service. This can be particularly helpful for connecting devices with no inbuilt VPN support.
