cancel
Showing results for 
Search instead for 
Did you mean: 
1

Ask

2

Reply

3

Solution

how can I set my primary vodafone router to allow connection to a secondary VPN router

asturchisum
3: Seeker
3: Seeker

I would like to access a private VPN service from a secondary router. I got the secondary router configured but it is not capable to establish the private connection. I believe I might require to configure primary vodafone router to allow it (i.e.  passthrough). I have not been able to findout setups in the vodafone router or tutorials about how to do it. HELP

24 REPLIES 24

My primary vodafone router is Huawei hhg2500 and the secondary that I want to use for my VPN router is the asus rt-ac51u

I got it set with automatic IP to allow DHCP

Jayach
16: Advanced member
16: Advanced member

@asturchisum

If you could give us a little more details about why you want to do this we may be able to suggest better ways of achieving it. For instance if you only have one device and wish to keep private browsing separate from work then you could use one browser for work and a second one with a  VPN extension for personal use.

The router you are trying to use is probably a bit underpowered to run a VPN successfully.

Jayach
16: Advanced member
16: Advanced member

@asturchisum wrote:

1- I would like to have the two routers, vodafone router to connect to work servers and asus VPN router for private activities. Would that be possible?


I'm a little confused. How are you connecting the Vodafone router to work servers? Surely it would need a VPN client to do that, and it doesn't have one.  Most people use a browser to connect to their work services or have client software supplied by their employer, but it would run on the device not the router.

Forgive me if I'm missing something here, I'm no great expert on VPN's.

Anonymous
Not applicable

I can see what it trying to be done, and how it's trying to be done.  This is never going to be optimal in several different ways.  Again the best bet is to search on "Double NAT and VPN".  It's going to involve using port forwarding to punch through the internet-facing router, and probably also reducing MTU on packets in the double-NATed router.

 

*I could jump to conclusions more on the why, but if I were right, then the added delay and possible fragmentation may make the whole exercise moot!  If this is just one device that you really want to have access via the VPN, then I'd either be running a client on that specific device or setting up a device as a gateway the individual device could be connected to (yes I've been criticized for this approach previously but it would work!).

Hi Keith,

thanks for your answer, it would be to connect one or two devices to the VPN router. If having two devices connected at the same time would be problematic it could be just one device at a time... is this possible?

 

Keith you mentioned if this is just one device that you really want to have access via the VPN, then I'd either be: -running a client on that specific device

-or setting up a device as a gateway the individual device could be connected to

 

.... one of this deices have a special operative system that do not allow to install the NordVPN directly on its software therefore it is being recommended to connect through the secondary asus VPN router. Then, I could get other devices connected to the VPN router from time to time although only one device connected at the time to avoid some of the mentioned problems. How could I get this done ?

Jayach
16: Advanced member
16: Advanced member

After reading your posts I thought I'd do a little experiment. I'm not using the Vodafone router but I am using a Technicolor which is the same hardware. I don't have an Asus router but I do have a GL-MT300N-V2 which can run a VPN client.

I connected a LAN output from the main router to the WAN input of the secondary and allowed it to get its WAN IP from the main by DHCP.

The secondary has to have its LAN on a different subnet, the GL defaults to 192.168.8.x so that is O.K. It is therefore double NATing but it doesn't seem to matter.

Then following the instructions on the Nord website I configured the OpenVPN client.

My instructions were here: https://support.nordvpn.com/Connectivity/Router/1047409122/GL-iNet-setup-with-NordVPN.htm

Yours I think will be here: https://support.nordvpn.com/Connectivity/Router/1047410562/How-to-configure-your-Asus-router-running...

or here if using Merlin: https://support.nordvpn.com/Connectivity/Router/1047410642/AsusWRT-Merlin-setup-with-NordVPN.htm

And that was it, if I connect to the GL-MT300N-V2 I go out via the VPN, if I connect to the Technicolor I go out without it.

The speed over the VPN is drastically reduced but that is, I believe, because the GL-MT300N-V2 is far too low powered to run a VPN properly.

I didn't need to port forward and there is no fragmentation with an MTU of 1500.

So I think you should be able to do what you want, it may just need a little "trial and error".

Note: I originally bought the GL-MT300N-V2 with the intention of running the VPN, but all the reviews said it was too under powered to be of any real use so I never tried. Your query convinced me to have a go and I'm glad I did

So thank you.

 

Hi, I was aware of these setups and I have tried many times.

3 unsuccessful weekends therefore I have decided to document my setups to try to create a manual that might be helpful for others... if we manage to make it work

 

I would be pleased to hear from the experts where could it be the problem. See attached word file with screenshots for both primary vodafone router (huawai hhg2500) and secondary VPNrouter asus RT AC51U

Anonymous
Not applicable

I'd love to be able to point you to a nice straight forward page that describes the problems with Double NAT, but I can't really find that page.

 

In part, it comes down to the fact that NAT is a bodge from the outset.  NAT allows multiple local IPs to sit behind a single Internet IP address.  A significant part of the NAT uses the "identification" field of the packet header to figure out where to route packets.  But when you Double NAT, the identification field is initially set by the secondary router, and that data is discarded and replaced by the primary router before the packet is shot out onto the internet.  When the data flows back, the primary router knows to send that data to the secondary router, but that original "identification" field has been lost, and so the secondary router will not always route the packet to the correct recipient!  

 

**There is FAR MORE to it, and I'm sure someone will poke holes in this - please if you can do better please just do it!

Hi,

I am hearing by Nord that the firmware of the Asus router AC51U is not good enough for support OpenVPN current requirements as it requires to be above 2.4.x and this asus is just 2.3.x ... I will try to get a better one like an asus AC66UB1 and see how it goes

Jayach
16: Advanced member
16: Advanced member

I will state that I am no VPN expert and up until my earlier experiment I had never tried to add VPN to a router and had just used VPN clients on individual devices.

Sill before I saw your last comment I had added some thoughts to your document so will add it here.

I'm not an ASUS router expert either but can you not just update the firmware on your current router? (Although as I said earlier I think it will struggle to run a VPN successfully.)