
Other broadband queries

How can I set my primary Vodafone router to allow connection to a secondary VPN router

asturchisum
3: Seeker

I would like to access a private VPN service from a secondary router. I got the secondary router configured but it is not able to establish the private connection. I believe I might need to configure the primary Vodafone router to allow it (i.e. passthrough). I have not been able to find out setups in the Vodafone router or tutorials about how to do it. HELP

asturchisum
3: Seeker

Just in case it helps, the way I am trying to set up the VPN router is by establishing a VPN client using OpenVPN in combination with tcp/udp files

KeithAlger
16: Advanced member

The setup that you are looking for does not exist.  You might be able to find a working example by searching for "double NAT and vpn".

There are ways it may be possible, but not optimally!

asturchisum
3: Seeker

I hear what you are saying but I believe that brings us to the same point: how/where do I find Vodafone primary router setups to allow a pass through / router bridge?

Cynric
9: Established

@asturchisum This is very basic, but perhaps it may help.

On Vodafone THG3000

Internet -> Firewall
Allow Ping to WAN interface : OFF
Firewall : ON

Internet -> DNS & DDNS

DNS Configuration "Manually"
Domain Name Server (DNS) Address : 192.168.0.x (or whatever your local DNS may be)
Secondary DNS Address (optional) : 1.0.0.1 (I use an external here as safety net if the other hardware fails)
DDNS : OFF

Wi-Fi -> General

Wi-Fi Network : OFF
Enable Wi-Fi On/Off button on Vodafone Wi-Fi Hub : OFF

Settings -> Public Subnet

Enable : OFF

Settings -> Local Network
IPv4 Address of Vodafone Wi-Fi Hub : 192.168.1.1
DHCPv4 Server : OFF
IPv6 : OFF

IPv4 Address of Vodafone Wi-Fi Hub : 192.168.5.1
DHCPv4 Server : OFF
IPv6 : OFF

On secondary router/switch

Tell it not to require a login to the ISP (THG3000 does this for you)

Internet: Use STATIC address
IP Address : 192.168.1.2 (this is the address of this device)
IP Subnet Mask : 255.255.255.0
Gateway IP Address : 192.168.1.1 (the address of the THG3000 box)

Domain Name Server (DNS) Address : Manually set
Primary DNS : 192.168.0.2 (this can be the IP of the secondary box, I have a separate DNS provider on my LAN)
Secondary DNS : 1.0.0.1
Third DNS : 1.1.1.1

Wi-Fi : Set up as best suits your requirements
asturchisum
3: Seeker

Hi Cynric,

I have tried your setup in my Vodafone Huawei router hhg 2500 and it has just disabled internet in the Vodafone router in the middle of the process. Now, I have lost Wi-Fi in the Vodafone primary network, which was never the intention. I had created a backup router config file but I do not seem to have access to the Vodafone router, even with an Ethernet LAN cable and 192.168.1.1... HELP first to restore Vodafone router config
asturchisum
3: Seeker

Hi, I have been able to solve the Vodafone internet by pressing router reset. Now back to the main topic. I want to keep 2 routers, to be able to connect to the primary Vodafone router as normal and then create a secondary VPN router.

Cynric, your previously suggested setups seem to disable the Vodafone router Wi-Fi...
Cynric
9: Established

Disable Wi-Fi, yes that is what I do on my LAN because the 2nd device provides the Wi-Fi rather than the THG3000. I am glad to hear that you were not totally stuck.

asturchisum
3: Seeker

That is not exactly what I was looking for.

1- I would like to have the two routers, Vodafone router to connect to work servers and Asus VPN router for private activities. Would that be possible?

2- Chatting with Nord people, they are asking me to config Settings / IPv4 / DHCP server enabled / Address Pool Start IP and End IP... but these fields are greyed out. Any thoughts about how to edit these IPs?
Jayach
16: Advanced member

It sounds like you have the second router configured as an AP (access point). It would need to be working as a router IF you are to get it working.

What router are you using?

asturchisum
3: Seeker

My primary vodafone router is Huawei hhg2500 and the secondary that I want to use for my VPN router is the asus rt-ac51u

I got it set with automatic IP to allow DHCP

Jayach
16: Advanced member

@asturchisum wrote:

1- I would like to have the two routers, vodafone router to connect to work servers and asus VPN router for private activities. Would that be possible?


I'm a little confused. How are you connecting the Vodafone router to work servers? Surely it would need a VPN client to do that, and it doesn't have one.  Most people use a browser to connect to their work services or have client software supplied by their employer, but it would run on the device not the router.

Forgive me if I'm missing something here, I'm no great expert on VPNs.
KeithAlger
16: Advanced member

I can see what is trying to be done, and how it's trying to be done. This is never going to be optimal in several different ways. Again the best bet is to search on "Double NAT and VPN". It's going to involve using port forwarding to punch through the internet-facing router, and probably also reducing MTU on packets in the double-NATed router.

*I could jump to conclusions more on the why, but if I were right, then the added delay and possible fragmentation may make the whole exercise moot!  If this is just one device that you really want to have access via the VPN, then I'd either be running a client on that specific device or setting up a device as a gateway the individual device could be connected to (yes I've been criticized for this approach previously but it would work!).

Jayach
16: Advanced member

@asturchisum

If you could give us a little more detail about why you want to do this we may be able to suggest better ways of achieving it. For instance if you only have one device and wish to keep private browsing separate from work then you could use one browser for work and a second one with a VPN extension for personal use.

The router you are trying to use is probably a bit underpowered to run a VPN successfully.

asturchisum
3: Seeker

Hi Keith,

Thanks for your answer. It would be to connect one or two devices to the VPN router. If having two devices connected at the same time would be problematic it could be just one device at a time... is this possible?

Keith, you mentioned that if this is just one device that you really want to have access via the VPN, then I'd either be:

- running a client on that specific device
- or setting up a device as a gateway the individual device could be connected to

.... one of these devices has a special operating system that does not allow installing NordVPN directly on its software, therefore it is being recommended to connect through the secondary Asus VPN router. Then, I could get other devices connected to the VPN router from time to time, although only one device connected at a time to avoid some of the mentioned problems. How could I get this done?
Jayach
16: Advanced member

After reading your posts I thought I'd do a little experiment. I'm not using the Vodafone router but I am using a Technicolor which is the same hardware. I don't have an Asus router but I do have a GL-MT300N-V2 which can run a VPN client.

I connected a LAN output from the main router to the WAN input of the secondary and allowed it to get its WAN IP from the main by DHCP.

The secondary has to have its LAN on a different subnet, the GL defaults to 192.168.8.x so that is O.K. It is therefore double NATing but it doesn't seem to matter.

Then following the instructions on the Nord website I configured the OpenVPN client.

My instructions were here: https://support.nordvpn.com/Connectivity/Router/1047409122/GL-iNet-setup-with-NordVPN.htm

Yours I think will be here: https://support.nordvpn.com/Connectivity/Router/1047410562/How-to-configure-your-Asus-router-running...

or here if using Merlin: https://support.nordvpn.com/Connectivity/Router/1047410642/AsusWRT-Merlin-setup-with-NordVPN.htm

And that was it, if I connect to the GL-MT300N-V2 I go out via the VPN, if I connect to the Technicolor I go out without it.

The speed over the VPN is drastically reduced but that is, I believe, because the GL-MT300N-V2 is far too low powered to run a VPN properly.

I didn't need to port forward and there is no fragmentation with an MTU of 1500.

So I think you should be able to do what you want, it may just need a little "trial and error".

Note: I originally bought the GL-MT300N-V2 with the intention of running the VPN, but all the reviews said it was too underpowered to be of any real use so I never tried. Your query convinced me to have a go and I'm glad I did.

So thank you.
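Added example, not part of any poster's reply: a small Python check of the addressing rules described in the post above (secondary WAN address taken from the primary router's LAN, secondary LAN on a different subnet). The function name and the sample plans are assumptions constructed from address ranges mentioned in the thread.

```python
import ipaddress


def check_double_nat_plan(primary_lan, wan_ip, wan_gateway, secondary_lan):
    """Return a list of problems in a router-behind-router addressing plan.

    primary_lan   -- LAN network of the ISP router, e.g. "192.168.1.0/24"
    wan_ip        -- address the secondary router holds on its WAN port
    wan_gateway   -- gateway configured on the secondary router's WAN side
    secondary_lan -- LAN network the secondary router serves to its clients
    """
    outer = ipaddress.ip_network(primary_lan, strict=False)
    inner = ipaddress.ip_network(secondary_lan, strict=False)
    wan = ipaddress.ip_address(wan_ip)
    gateway = ipaddress.ip_address(wan_gateway)
    problems = []

    if wan not in outer:
        problems.append(f"WAN address {wan} is outside the primary LAN {outer}")
    elif wan in (outer.network_address, outer.broadcast_address):
        problems.append(f"WAN address {wan} is not a usable host in {outer}")
    if gateway not in outer:
        problems.append(f"gateway {gateway} is outside the primary LAN {outer}")
    if wan == gateway:
        problems.append(f"WAN address and gateway are both {wan}")
    # With the same network on both its WAN and LAN sides, the secondary
    # router cannot route between them.
    if inner.overlaps(outer):
        problems.append(f"secondary LAN {inner} overlaps primary LAN {outer}")
    return problems


if __name__ == "__main__":
    # Constructed plans using address ranges mentioned in the thread.
    plans = {
        "separate subnets": ("192.168.1.0/24", "192.168.1.2",
                             "192.168.1.1", "192.168.8.0/24"),
        "same subnet on both": ("192.168.1.0/24", "192.168.1.2",
                                "192.168.1.1", "192.168.1.0/24"),
    }
    for name, plan in plans.items():
        issues = check_double_nat_plan(*plan)
        print(name, "->", "OK" if not issues else "; ".join(issues))
```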
asturchisum
3: Seeker

Hi, I was aware of these setups and I have tried many times.

3 unsuccessful weekends, therefore I have decided to document my setups to try to create a manual that might be helpful for others... if we manage to make it work

I would be pleased to hear from the experts where the problem could be. See attached Word file with screenshots for both the primary Vodafone router (Huawei hhg2500) and the secondary VPN router Asus RT AC51U
KeithAlger
16: Advanced member

I'd love to be able to point you to a nice straightforward page that describes the problems with Double NAT, but I can't really find that page.

In part, it comes down to the fact that NAT is a bodge from the outset. NAT allows multiple local IPs to sit behind a single Internet IP address. A significant part of the NAT uses the "identification" field of the packet header to figure out where to route packets. But when you Double NAT, the identification field is initially set by the secondary router, and that data is discarded and replaced by the primary router before the packet is shot out onto the internet. When the data flows back, the primary router knows to send that data to the secondary router, but that original "identification" field has been lost, and so the secondary router will not always route the packet to the correct recipient!

**There is FAR MORE to it, and I'm sure someone will poke holes in this - please if you can do better please just do it!

asturchisum
3: Seeker

Hi,

I am hearing from Nord that the firmware of the Asus router AC51U is not good enough to support OpenVPN current requirements, as it requires to be above 2.4.x and this Asus is just 2.3.x ... I will try to get a better one like an Asus AC66UB1 and see how it goes
Jayach
16: Advanced member

I will state that I am no VPN expert and up until my earlier experiment I had never tried to add VPN to a router and had just used VPN clients on individual devices.

Still, before I saw your last comment I had added some thoughts to your document, so will add it here.

I'm not an ASUS router expert either but can you not just update the firmware on your current router? (Although as I said earlier I think it will struggle to run a VPN successfully.)