The FWA router is from the Internet provider, without OpenVPN.
The Asus RT-AC66U_B1 is intended as the VPN router (according to specialist retailers).
Questions:
1. In WEB mode (standard) OpenVPN can be configured, but then the Asus modem has no Internet connection.
2. In AP mode (according to the right scheme), but then the VPN setting is missing.
How must the FWA router be set up, and which mode must be selected on the Asus?
[Attachment 61652: network diagram]
While the title of your post says VPN server, your diagram makes me wonder if you really want to run a VPN client on your ASUS router so all your attached devices can connect using a commercial VPN client. If that is the case you need to run your ASUS router in a double NAT setup, which is easy. I have pasted some instructions below.
If you really mean a VPN server then you are going to have to do port forwards on your FWA router to your ASUS router.
How to double NAT two routers:
Why would you want to do this?
* Increased security.
* The second router is behind the first, connected from a LAN port on the first router to the WAN port on the second router. This means that devices on the LAN of the second router can access devices on the first router but not vice versa.
* If you connect both wireless and wired IoT devices to the first router and they are compromised, they can’t access your more secure devices which you have connected to the second router.
* Same goes if you need to segregate personal and business uses of an Internet connection. Put the less secure use/devices on the first router and what you want to keep more secure on the second router.
* Having two routers gives you more Wi-Fi radios to divide up traffic. (Having an AP will accomplish the same thing but just not with the security.)
* Your ISP/Modem router can’t be put in a bridge mode.
Why would you not want to do this?
* If you have the ability to create VLANs you would not need two routers to segregate traffic. It is more complicated if you want to segregate both wireless and wired clients using VLANs. VLANs are not possible using the ASUS standard or Merlin’s modified OS through the GUI. It is fairly easy to create VLANs through the GUI on ASUS routers if you flash them with Tomato.
* Double NATing makes port forwarding more complicated, as the port first has to be forwarded from the first router to the second router and then to the device on the second router’s LAN.
* Setting up DNS to work on the second router will be difficult if not impossible, depending on the second router’s OS.
* Setting up a VPN server will probably be impossible on the second router. However, you can with no problem run one or more VPN clients on the second router if that is something you want to do.
Myths about double NAT:
* It slows your connection down. If both routers have gigabit LAN & WAN ports I doubt you will see a measurable difference in speeds.
* You need to put the second router in the first router’s DMZ. Not necessary.
* Double NATing is bad because that is what everybody says. Try it and see for yourself. If some of the advantages are beneficial to your network’s security and functionality then go for it. If you are proficient at writing scripts and modifying iptables on your router, do that instead.
How to double NAT a router:
* On the first router (router 1) nothing needs to be changed unless you want to. This is the router where you want to connect your less secure devices, either wired or wireless. I would suggest that on your first router you set up one or more guest networks and restrict them to Internet access only (Block Intranet). The advantage of having one or more guest networks is that if a device connected by Wi-Fi gets hacked it can’t easily affect other devices on this router’s LAN. For the purpose of this example assume router 1’s LAN IP is 192.168.1.1 and the DHCP pool it assigns IPs from is 192.168.1.100 – 192.168.1.150.
* Plug one end of an Ethernet cable into any LAN port on router 1. For now leave the other end unplugged.
* On router 2 plug a second Ethernet cable into a LAN port, go to the administrative screens and make the following changes:
  o BACK UP THE SETTINGS ON ROUTER 2 in case you want to revert it to the setup you had before double NATing the router.
  o On the WAN setup tell the router to get its WAN IP using automatic or DHCP. It will then be assigned a WAN IP by the first router in the range 192.168.1.100 – 150.
  o On the LAN setup pick another subnet for this router to use. For this example I picked the subnet 192.168.75.0/24. Give router 2 the LAN IP of 192.168.75.1 and set the DHCP range to 192.168.75.100 – 192.168.75.150.
  o While you are in settings be sure to use different radio channels than router 1.
  o Change the SSID and passwords for the radios on router 2.
  o Save all the changes.
* Unplug the power to router 2.
* Connect the cable from the LAN port on router 1 to the WAN port on router 2.
* Power up router 2 and after it reboots run ipconfig on the computer connected to router 2; it should have an IP in the DHCP range of router 2. If it doesn’t, reboot the computer connected to router 2 to force it to get a new IP.
* If it still doesn’t have an IP in the correct range then the simplest course of action is to do a factory reset on router 2 and repeat the setup steps listed above, in case there was some weird setting interfering with changing the subnet.
* Once you have router 2 up and running as a router double NATed behind router 1 you can fiddle with any of the other settings, such as static IPs, VPN clients, QoS, etc., because now router 2 is fully functional and the only difference between it and router 1 is that router 2 has a private IP instead of a public IPv4 or IPv6 address.
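To sanity-check the addressing plan from the steps above before touching either router, and to spell out the one-forward-per-NAT-layer chain the reply mentions for the VPN server case, here is an added Python example (not from the post or its author). The subnets and DHCP pools are the post's example values; the VPN port 1194/udp and the sample WAN lease 192.168.1.101 are assumptions.

```python
import ipaddress

# Constructed plan using the post's example values: router1 on 192.168.1.0/24,
# router2 on 192.168.75.0/24, each handing out .100-.150 via DHCP.
ROUTER1 = {"lan": "192.168.1.0/24", "gw": "192.168.1.1",
           "pool": ("192.168.1.100", "192.168.1.150")}
ROUTER2 = {"lan": "192.168.75.0/24", "gw": "192.168.75.1",
           "pool": ("192.168.75.100", "192.168.75.150")}


def _parse(r):
    lan = ipaddress.ip_network(r["lan"])
    gw = ipaddress.ip_address(r["gw"])
    lo, hi = (ipaddress.ip_address(a) for a in r["pool"])
    return lan, gw, lo, hi


def check_plan(r1, r2):
    """Return a list of problems with a double-NAT addressing plan ([] means OK)."""
    problems = []
    lan1, *_ = _parse(r1)
    lan2, *_ = _parse(r2)
    # The "pick another subnet" step: router2's WAN side lives in lan1, so its LAN
    # must not overlap it or router2 cannot tell which interface a destination is on.
    if lan1.overlaps(lan2):
        problems.append(f"router2 LAN {lan2} overlaps router1 LAN {lan1}")
    for name, r in (("router1", r1), ("router2", r2)):
        lan, gw, lo, hi = _parse(r)
        if gw not in lan:
            problems.append(f"{name} gateway {gw} is outside {lan}")
        if lo not in lan or hi not in lan or lo > hi:
            problems.append(f"{name} DHCP pool {lo}-{hi} is not a range inside {lan}")
        elif lo <= gw <= hi:
            problems.append(f"{name} DHCP pool {lo}-{hi} contains the gateway {gw}")
    return problems


def router2_wan_ok(wan_ip, r1=ROUTER1):
    """The 'run ipconfig' check applied to router2's WAN side: its address must be
    a lease from router1's pool, which proves the LAN(router1)->WAN(router2) cabling."""
    _, _, lo, hi = _parse(r1)
    return lo <= ipaddress.ip_address(wan_ip) <= hi


def vpn_server_forwards(router2_wan_ip, lan_host=None, port=1194, proto="udp"):
    """Forwards needed to reach a VPN server behind router1 (the FWA box, which owns
    the public IP): one hop per NAT layer. Port and protocol are assumptions."""
    second = f"{lan_host}:{port}" if lan_host else "router2 itself (firewall accept)"
    return [("router1 (FWA)", f"WAN:{port}/{proto}", f"{router2_wan_ip}:{port}"),
            ("router2 (Asus)", f"WAN:{port}/{proto}", second)]
```

Because router2's WAN address is a DHCP lease from router1, the first forward only stays valid while that lease does not change.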