[SOLVED] Setting up VPN with 2 routers

Feb 8, 2020
Hi all!

A search didn't bring up quite my situation, but I need some advice on getting a VPN set up for my internet. A couple of details that might be important: I use ExpressVPN and live outside the US.

Currently our internet is cable, so we have the cable modem (which is broadcasting wifi) upstairs and a second router (TPLink) in bridge mode downstairs, also broadcasting wifi.

I checked out the cable modem and it doesn't seem to have any ability to set up a VPN. What is my best solution going to be, and is there one that doesn't involve having to buy a new router or cable modem?

A couple of must haves: there must be a wifi signal broadcasting downstairs and one upstairs. There is simply no way to place a single router to service the whole house.

Alternatively: my main goal is wanting to block the Google DNS from my Chromecast. Is there a way to do that if I use my laptop as a mobile hotspot?

Any help would be greatly appreciated. Thank you!
 
Solution
Just for blocking a DNS, the ISP router may have a feature. That is likely in firewall or parental controls if it has it.

You could brute-force block all traffic from your Chromecast going to port 53. This would block all DNS. You could, if you identify it, block Google DNS, but you would have to see if you can just block 8.8.8.8 or if it is smarter and uses other IPs.

Your problem with using a VPN on a different box than the main router is how the traffic knows it is supposed to go to the VPN box rather than the main router. You would have to configure routes in the end device to make certain traffic go via a different IP. Although on PC-type devices it is pretty trivial to put in routes, on most other things it is impossible.

So you end up having to place a device in the path of all traffic. Pretty much you need to replace your main router even if you just stick another device in front. Since it looks like you are talking about outbound-only VPN and are likely going to use OpenVPN, it should be pretty easy to just put a router or VPN PC before your ISP router. It is much harder if you need incoming VPN or if you are running something like IPsec.

Be aware VPNs put quite a load on a router; many will cap out at 30 Mbps. It helps to configure traffic to bypass the VPN if it does not actually need to go to the VPN. There are routers that have hardware VPN assist, but those too cap out at maybe 150-200 Mbps. You need an actual PC-type CPU to get a large VPN connection. OpenVPN is very CPU intensive.
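The reply above says you would "have to see if you can just block 8.8.8.8 or if it is smarter and uses other IPs". That check is worth doing before choosing a rule, and the script below is an added example of how to do it; it is not code from any post in this thread. It parses constructed tcpdump-style lines of the shape you would get from `tcpdump -n -i br-lan port 53` on a Linux router (the interface name, the addresses, and the idea that 192.168.1.50 is the Chromecast and 192.168.1.1 the router's own resolver are all assumptions), tallies every resolver the client actually sent queries to, and then says whether a per-address block of 8.8.8.8/8.8.4.4 is enough or whether only a blanket port-53 block covers what was seen.

```python
"""Which DNS servers does a LAN client actually send queries to?

Added example for this thread, not code from any of the posts. Parses
constructed tcpdump-style output (`tcpdump -n -i br-lan port 53` on a
hypothetical Linux router) and decides between the two approaches the
thread discusses: block the Google resolver addresses, or block port 53.
"""
import re
from collections import Counter

GOOGLE_DNS = {"8.8.8.8", "8.8.4.4"}

# Constructed sample capture (hypothetical addresses): 192.168.1.50 is the
# Chromecast, 192.168.1.20 a laptop, 192.168.1.1 the router's own resolver.
SAMPLE_CAPTURE = """\
12:00:01.100 IP 192.168.1.50.49152 > 8.8.8.8.53: 12345+ A? www.google.com. (32)
12:00:01.150 IP 8.8.8.8.53 > 192.168.1.50.49152: 12345 1/0/0 A 142.250.74.36 (48)
12:00:02.200 IP 192.168.1.50.49153 > 8.8.4.4.53: 12346+ A? clients3.google.com. (37)
12:00:03.300 IP 192.168.1.20.53001 > 192.168.1.1.53: 555+ A? example.com. (29)
12:00:04.400 IP 192.168.1.50.49154 > 1.1.1.1.53: 12347+ A? example.net. (29)
12:00:05.500 IP 192.168.1.50.49155 > 8.8.8.8.53: Flags [S], seq 1, win 64240, length 0
12:00:06.600 IP 192.168.1.50.49156 > 192.168.1.1.53: 12348+ A? router.lan. (28)
"""

# "IP <src>.<sport> > <dst>.<dport>:" has the same shape for UDP and TCP lines.
FLOW_RE = re.compile(
    r"\bIP (\d{1,3}(?:\.\d{1,3}){3})\.(\d+) > (\d{1,3}(?:\.\d{1,3}){3})\.(\d+):"
)


def dns_servers_used(capture: str, client: str) -> Counter:
    """Count, per destination address, the packets `client` sent to port 53."""
    servers = Counter()
    for line in capture.splitlines():
        m = FLOW_RE.search(line)
        if not m:
            continue  # not a flow line we understand
        src, _sport, dst, dport = m.groups()
        if src == client and dport == "53":
            servers[dst] += 1
    return servers


def blocking_plan(servers, router: str) -> str:
    """Pick the approach from the thread that covers what was observed.

    Queries to the router's own resolver are the ones we want, so they are
    ignored; anything else is an external resolver the client went to directly.
    """
    external = set(servers) - {router}
    if not external:
        return "nothing_to_block"
    if external <= GOOGLE_DNS:
        return "block_google_ips"  # only 8.8.8.8 / 8.8.4.4 seen: per-IP block works
    return "block_port_53"  # other resolvers too: block port 53 outright


if __name__ == "__main__":
    used = dns_servers_used(SAMPLE_CAPTURE, "192.168.1.50")
    for server, count in used.most_common():
        print(f"{server:>15}  {count} packets")
    print("plan:", blocking_plan(used, "192.168.1.1"))
```

In the constructed capture the Chromecast also reaches 1.1.1.1, so the script reports `block_port_53`; a device that only ever contacted 8.8.8.8 and 8.8.4.4 would get `block_google_ips`. Run the real capture for a while across a reboot of the device, since fallback resolvers often only show up when the first choice is unreachable.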
 
Feb 8, 2020
Would there be a way to use my PC as a mobile hotspot with the VPN turned on, block the Google DNS on the laptop and have the Chromecast on the hotspot?
 
Depends what you mean by "use my PC as a hotspot". You of course could load one of the many Linux images on it and make it into a router. Windows has very limited options. You can use stuff like ICS, but that is extremely limited; I don't think you can filter traffic. You also have to be very careful what you run on the PC when you have ICS up.

It will be much simpler to find a used router for $10 that has the ability to filter traffic.
 
You are likely going to have to use the second "bridge" as a router.

First, it must have the ability to do the filtering. Second, you must ensure that the Chromecast connects to that device rather than the main router. And last, it will cause some issues with file sharing because you now have 2 different networks.
 
Feb 8, 2020
Maybe I'm confusing terms. The first router, the cable modem, is broadcasting a signal upstairs. The second router that I've termed a bridge is broadcasting its own unique SSID, but without DHCP enabled. Everything including the Chromecast is connected to the second router as is. Will that be sufficient, or would there be something else that I need to do?
 
Feb 8, 2020
So just to make sure I understand properly, since you said it must pass LAN-WAN, then, assuming you mean upstream, the second router (the one downstairs) should be plugged into the WAN port of the cable modem, correct?
 
Feb 8, 2020
So to get it to work, I had to re-enable DHCP on the second router. The first router is plugged into the WAN port of the second. I set a static route for 8.8.8.8 and 8.8.4.4, using the gateway that is shown to me in the system tab of the router interface. It worked once, and then I pinged the DNS again and now it doesn't seem to be blocking the DNS servers. I don't know what I'm doing wrong!
 
Feb 8, 2020
From what I understood, I had to add those two DNS servers into the static route list in order to block them. That's what a Google search had told me. 😅

How then do I block those particular DNS servers?
 
It would be simpler to put in a firewall rule that blocks all traffic to TCP and UDP port 53. That will block all DNS no matter the IP.

Static routes on a consumer router are really strange; they can get removed if the router thinks the next hop is not available. Not sure, it is very inconsistent. The way you would do it on a commercial device is to point to the loopback IP or to Null0. These concepts do not exist on a consumer router. You might be able to get it to work, but you would likely have to route the IP to some PC-like device that is actually active.
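The "block all traffic to TCP and UDP port 53" rule from the reply above (the same brute-force block suggested in the accepted answer) looks like this on a Linux-based router such as the PC-turned-router mentioned earlier in the thread. This is an added example, not a ruleset from any post, and it does not apply to the TP-Link in the thread, which has no nftables. Every concrete value is an assumption: the LAN interface is `br-lan`, the router is 192.168.1.1 and runs its own resolver, and the Chromecast is 192.168.1.50.

```nft
#!/usr/sbin/nft -f
# Added example, not from the thread. Assumptions: Linux router running
# nftables, LAN interface br-lan, router at 192.168.1.1 running its own
# resolver, Chromecast at 192.168.1.50 (all hypothetical).

table inet dnsguard {
    # Add any other device you want to pin to the router's resolver here.
    set dns_clients {
        type ipv4_addr
        elements = { 192.168.1.50 }
    }

    # LAN packets being routed out to the internet pass the forward hook.
    # DNS sent to the router's own resolver is delivered locally through the
    # input hook instead, so it never matches here and keeps working; every
    # other port-53 destination, 8.8.8.8 or anything else, is dropped.
    chain forward {
        type filter hook forward priority filter; policy accept;

        iifname "br-lan" ip saddr @dns_clients udp dport 53 counter drop
        iifname "br-lan" ip saddr @dns_clients tcp dport 53 counter drop
    }
}
```

Load it with `nft -f` and watch the `counter` values in `nft list table inet dnsguard` to confirm the Chromecast is actually hitting the rule. Two caveats a practitioner would want: this only catches plain DNS on port 53, so DNS over TLS (port 853) or DNS over HTTPS (port 443) would need their own rules; and the Linux equivalent of the Null0 route mentioned above is `ip route add blackhole 8.8.8.8/32`, which has no next hop that can go missing and, since forwarded packets use the router's routing table too, drops routed traffic to that address, but it still covers only the addresses you list.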