Tutorial Asus Dual-Router Setup with one dedicated VPN-Router 2021

[Kingslayer]

This tutorial will teach you how to set up a dual-router configuration with a dedicated VPN router behind another router (the primary router). This will work with any VPN-enabled router firmware, including DD-WRT, ASUSWRT (including Merlin), and Tomato.
We will be using what is known as LAN-to-WAN router cascading, where each router is on a separate subnet.

This is an incredibly popular home network setup because it allows you:

• to access VPN and Non-VPN connections,
• to switch devices to/from the VPN simply by switching networks,
• to connect devices like an Xbox, a PS4, a fire stick, or a Chromecast to a VPN, and
• to apply/add more insulation of VPN network (double NAT = greater security).

Visualizing the setup two-router setup

Below is a diagram of the home network structure we are going to create. Traffic is encrypted by the VPN router and flows through the primary router to the modem/internet. All devices connected to the #2 (VPN) Router will use the VPN tunnel.
All devices connected to the #1 (primary) Router will use your normal internet connection.

Part 1: Setup the Primary Router

There is only minimal setup required on the main router because it is not actually doing anything besides passing on the already-encrypted traffic from the VPN router.
You can use virtually any router in the world if it supports “VPN-Passthrough” (which most modern routers do).
In my setup there are 2 routers an Asus RT-AC68U White (Router #1) and a second Asus RT-AC68U Black (Router #2). Both run the asuswrt-merlin firmware. And BOTH are configured as Routers.

Asuswrt-Merlin Link: https://www.asuswrt-merlin.net/

Log into your first Router (for Asus users 192.168.1.1) and Enable VPN-Passthrough. On Asus may vary between different firmware’s: Click on „WAN“, then „NAT Passthrough“ and enable these options. (Picture 1)

The primary router 192.168.1.1 for simplicity. The second router can be given the IP of 192.168.1.2 on your static manual assignment. This will show up as the WAN IP on the second router as well.
Go to LAN then DHCP-Server and set a manually assigned Ip for your Router #2. (Picture 2)

The second router will then be given its own built in IP's from a pool of IP's let us call this 192.168.2.1 The only downside to this is that all devices on 192.168.2.1 will be able to communicate to 192.168.1.1,
but none of the devices on 192.168.1.1 will be able to talk to devices on 192.168.2.1. You can resolve this issue with static route on router 1. For this, go to LAN then Route and enter your Route (Depends which Subnets you use). (Picture 3)

This was all the Setup you need to do on Router #1. Now, of too Router #2.

Part 2: Setup the Secondary Router

In this section, we will change the subnet of the VPN router, so that it does not overlap with the primary router. We also need to enable DHCP,
so the VPN router hands out IP addresses to devices that connect to it. Go to LAN and then LAN IP and set the IP of the router. (Picture 4)

After that, click on DHCP Server and set the IP-Range that the Secondary Router gives. (Picture 5)

After that, you need to configure the DNS-Server, and this varies for the VPN-Provider you use. Just check their website - I really recommend AirVPN. Their DNS is “10.4.0.1” Secondary does not matter just use OpenDNS or something. (Picture 6)

Almost done. Now we just need to setup the VPN. You need a .opvn Profile. I am here using AirVPN config generator. And I turned IPV6 off because I have disabled it on my router.
The Last step is just uploading the .opvn to your Router #2. I did not enable any options just upload and turn on. (Picture 7)

Cable Setup is very easy just connect LAN* on Router #1 with WAN of Router #2 and select "Automatic IP" for the WAN-type of Router #2.

Proof: I am not in Germany nor the Netherlands and I can ping devices from Subnet 192.168.1.xxx

I hope this helps and I'am sorry if there is any ****ty english.

 

[vpnwifi]

Nice tutorial Kingslayer. I hope you don't mind if I ask some questions.

- I don't have a modem and 2 routers but instead I have my ISP's default modemrouter + an Asus RT-AC66U as a VPN router. I would use the ISP's modemrouter wifi as regular wifi and the Asus router wifi as VPN wifi. Should this set-up be able to work?
- My ISP's modemrouter (zte h369a) doesn't have VPN passthrough settings anywhere in the menu. Does this mean this set-up will not work?
- Is port forwarding required to be set-up for using the second router as a VPN client (not a VPN server)?

The reason I am asking this is I tried to follow your tutorial with my ISP's default modemrouter + a Asus RT-AC66U as a VPN router. I do have a working connection through both (modem) router 1 and (vpn) router 2, but using VPN router wifi I still get my home IP address and 90Mbps speedtest, indicating no VPN is used instead of ~20Mbps.

 

[Kingslayer]

Nice tutorial Kingslayer. I hope you don't mind if I ask some questions.

- I don't have a modem and 2 routers but instead I have my ISP's default modemrouter + an Asus RT-AC66U as a VPN router. I would use the ISP's modemrouter wifi as regular wifi and the Asus router wifi as VPN wifi. Should this set-up be able to work?
- My ISP's modemrouter (zte h369a) doesn't have VPN passthrough settings anywhere in the menu. Does this mean this set-up will not work?
- Is port forwarding required to be set-up for using the second router as a VPN client (not a VPN server)?

The reason I am asking this is I tried to follow your tutorial with my ISP's default modemrouter + a Asus RT-AC66U as a VPN router. I do have a working connection through both (modem) router 1 and (vpn) router 2, but using VPN router wifi I still get my home IP address and 90Mbps speedtest, indicating no VPN is used instead of ~20Mbps.

Hello well thanks.

If your Main Router doesn't support VPN passthrough this setup will not work. Because its a double-NAT environment.
If you use my Setup there is no Port-forwarding needet.

Yeah because the VPN just can't connect sadly. Maybe there is some workaround with hacking your main modem and run OPEN-WRT or smth. but i would recommend buy a used Asus that runs Rmerlin. you can get that for like 30-50€ here in Austria. Other than that i sadly cant help you.

 

[vpnwifi]

Thanks again for your post. This forum post implies that if the ISP modem has static routes ability, it should be able to work.

But anyway, you'd say my set-up would work if I would buy another Asus RT-AC66U?

Lastly, did you put your ISP modem in bridge mode? And if my ISP would have that option restricted (can't check right now because I don't have access to the modem now), would it work if I would point DMZ and DHCP to router 1?

Thanks for your help.

 

[Kingslayer]

Thanks again for your post. This forum post implies that if the ISP modem has static routes ability, it should be able to work.

But anyway, you'd say my set-up would work if I would buy another Asus RT-AC66U?

Lastly, did you put your ISP modem in bridge mode? And if my ISP would have that option restricted (can't check right now because I don't have access to the modem now), would it work if I would point DMZ and DHCP to router 1?

Thanks for your help.

Yeah i think you could get it working but i can't help you with it.

Yes it would work.

Yeah i did put my Router from my ISP some Huawei **** device in Single-User Mode you find lots of tutorials on how to do this online and configured my Main-Asus Router to use PPPOE and give them my User and Password that you get from your ISP.

For My Router shipped from "A1" a Austrian Telecom Company.
I need to login with Master-User found it on some Forum. (This will be different for every Router and every Telecom Company) you will need to search for yours.

User: Telek0m
Password: Austria&Eur0

After that you just go to Management and put it in Single-User Mode.
I hope this helps.

 

[vpnwifi]

Unfortunately my ISP's master user credentials are not public since the ISP is quite new and not widely used.

On the bright side... I can borrow a Sitecom WLR8100 from my parents, which I could use as a 1st router since it supports VPN passthrough. Although I don't fully understand all the tutorials online that are related to this, I do see a lot of people using pointing DHCP and DMZ on their ISP modem to their 1st router as an alternative to using bridge mode. I hope this will suffice, will try it tonight

 

[eibgrad]

Thanks for the tutorial. Very nice. However, I still don't see the need for VPN passthrough on the *primary* router. As you yourself stated, the primary router is simply passing through encrypted traffic. It doesn't know VPN traffic from any other kind of traffic. It's transparency is what makes the two-router configuration so appealing; it works with virtually *any* primary router, OEM/stock or third-party firmware. If what you say was true, then presumably the OpenVPN client on my primary router would require my *ISP* support VPN passthrough on his router. Or else I'm misunderstanding what *you* mean by VPN passthrough.

 

[Kingslayer]

Thanks for the tutorial. Very nice. However, I still don't see the need for VPN passthrough on the *primary* router. As you yourself stated, the primary router is simply passing through encrypted traffic. It doesn't know VPN traffic from any other kind of traffic. It's transparency is what makes the two-router configuration so appealing; it works with virtually *any* primary router, OEM/stock or third-party firmware. If what you say was true, then presumably the OpenVPN client on my primary router would require my *ISP* support VPN passthrough on his router. Or else I'm misunderstanding what *you* mean by VPN passthrough.

I don't think it works like that as you see user vpnwifi has a problem with primary ISP-Router. But I will try tommorw and let you know.

 

[vpnwifi]

My networking knowledge is very little so there's a big chance I did something else wrong along the way. I did read a lot of tutorials on this matter (second router for openvpn) and multiple posts indicated that static routing is necessary when using an ISP modemrouter with an OpenVPN router (for example this post https://www.snbforums.com/threads/vpn-router-behind-isp-router.43196/)

 

[eibgrad]

My networking knowledge is very little so there's a big chance I did something else wrong along the way. I did read a lot of tutorials on this matter (second router for openvpn) and multiple posts indicated that static routing is necessary when using an ISP modemrouter with an OpenVPN router (for example this post https://www.snbforums.com/threads/vpn-router-behind-isp-router.43196/)

Static routing is an entirely different issue from VPN passthrough. When using a second "VPN" router w/ Merlin (or most any other third-party firmware), you have the option to either keep NAT enabled over the WAN of that router (which makes adding static routes to the primary router unnecessary), or disabling NAT (which then *requires* static routes on the primary router). In most instances, esp. when combining devices from your ISP w/ your own, you're better off using NAT since many times the ISP's modem+router does NOT support static routes! Granted, the latter creates a double-NAT situation for clients of the VPN router, but imo the negative consequences of that are often overblown, and regardless, you may have no other option.

 

[Agossi]

I have done the setup described in this guide.

My Setup is:

INTERNET <-> CABLE - FritzBox 6340 - LAN <-> WAN - ASUS Ax86U - LAN2 (VPN Policy for Tenda) <-> WAN - Tenda AC8 (VPN dedicated) - LAN (Clients)

The issue I have is that my speeds are only 30-40 Mbit/s connected to the Tenda (wired). It is also slow even if the VPN is completely deactivated and the Tenda runs either in AP or Router mode.

If the Tenda is directly connected to the FritzBox I get my 100Mbits as expected.

Is there something I am missing to get also the full speeds for the (third router Tenda).

If I connect to the ASUS directly and activate VPN there I also get full 100 Mbits, so the ASUS performance is not the issue.


Please help and give some advice were I can look to improve the speeds.

 

[eibgrad]

I have done the setup described in this guide.

My Setup is:

INTERNET <-> CABLE - FritzBox 6340 - LAN <-> WAN - ASUS Ax86U - LAN2 (VPN Policy for Tenda) <-> WAN - Tenda AC8 (VPN dedicated) - LAN (Clients)

The issue I have is that my speeds are only 30-40 Mbit/s connected to the Tenda (wired). It is also slow even if the VPN is completely deactivated and the Tenda runs either in AP or Router mode.

If the Tenda is directly connected to the FritzBox I get my 100Mbits as expected.

Is there something I am missing to get also the full speeds for the (third router Tenda).

If I connect to the ASUS directly and activate VPN there I also get full 100 Mbits, so the ASUS performance is not the issue.


Please help and give some advice were I can look to improve the speeds.

What happens if you connect the Tenda to the ASUS, LAN to LAN? Does the performance return? I know this is NOT your intention, and will place the clients on the private network, but I want to verify that the issue is limited to the WAN of the Tenda, and not just the switch in general.

P.S. Be sure to disable the Tenda's DHCP server when you test LAN to LAN!

 

[Agossi]

Hi,

I have tried it with the tenda configured as access point so it acts like lan to lan. Same bad performance is returned.

If I connect the tenda either in WAN or AP mode directly to the Fritzbox it has full performance.

Any further steps I can try?

Many thanks in advance

 

[eibgrad]

Is there a way to tell whether the Tenda is connected @ 1000Mbps (Gigabit) vs. the older 100Mbps (Fast Ethernet)? Either visually on the ports, or in its GUI. I'm asking because no one gets 100% efficiency w/ either, so 100Mbps or anything very close to it would likely require a Gigabit connection. But that assumes the devices actually connected at that speed. Sometimes that doesn't happen. Then again, I'd expect better than 30-40Mbps even for Fast Ethernet.

 

[Agossi]

The tenda was connected with cat6 lan kabel to the gigabit ports.

I had my old glinet Crete AR750 around and just tried it out what this little thing could achieve with it's 100mbit ports.


There I can get speeds around 50-70 Mbit so it's for sure the crappy tenda.

I will check how it goes with the AR750 until I pay again for a next router.


I will keep you updated

 

[Trebor]

My isp uses Pppoe. When I passthrough on the first router (currently can’t manually do this due to isp router firmware so changing router) should I be using pppoe in the VPN router also?

Currently it is working but my VPN router is on DCHP and no idea if isp router is passing through?

(Also VPN router uses the VPN’s own firmware as it just makes changing server/smart DNS easier for now)

Thanks

 

[GDavid]

Is the OP the Author of the VPNuni article posted in 2017?

 

[abir1909]

How do I point main router devices (Unifi 192.168.50.x ) to my ASUS VPN router (192.168.1.x)?
I was only able to get vpn on the devices connected to the ASUS router.
my ASUS is behind the Unifi pro router.
Thanks

 

[abir1909]

Static routing is an entirely different issue from VPN passthrough. When using a second "VPN" router w/ Merlin (or most any other third-party firmware), you have the option to either keep NAT enabled over the WAN of that router (which makes adding static routes to the primary router unnecessary), or disabling NAT (which then *requires* static routes on the primary router). In most instances, esp. when combining devices from your ISP w/ your own, you're better off using NAT since many times the ISP's modem+router does NOT support static routes! Granted, the latter creates a double-NAT situation for clients of the VPN router, but imo the negative consequences of that are often overblown, and regardless, you may have no other option.

Hi, I am a little confused! I have main router UDM and “vpn router” AX86U. Is it better to keep NAT enabled or disable? Both routers has static route configuration. Thanks

 

[L&LD]

@eibgrad hasn't been seen on the forums here since September 21, 2022.

Maybe somebody else can answer.