wireless router as hotspot and VPN security

[travistee]

I want to use a TP-Link TL-WR940N wireless router as a hotspot for other devices to connect to. I am told it can connect to my cell phone hotspot as an initial source, and then also be a hotspot itself.

My question is about security. If I were to connect it to a public wifi and then use it as a hotspot with a different password would someone on the public wifi be able to access this device's hotspot. In other words, do I need a VPN with this if they can't get into the same hotspot from this device?

If I use my cell phone hotspot as a source I would expect this device to have the same level of security as my phone hotspot.
If I use a public wifi as a source I don't know if someone on the public wifi will be able to know that this device is on the same wifi, or access this device's hotspot

 

[anotherdrew]

I want to use a TP-Link TL-WR940N wireless router as a hotspot for other devices to connect to. I am told it can connect to my cell phone hotspot as an initial source, and then also be a hotspot itself.

My question is about security. If I were to connect it to a public wifi and then use it as a hotspot with a different password would someone on the public wifi be able to access this device's hotspot. In other words, do I need a VPN with this if they can't get into the same hotspot from this device?

If I use my cell phone hotspot as a source I would expect this device to have the same level of security as my phone hotspot.
If I use a public wifi as a source I don't know if someone on the public wifi will be able to know that this device is on the same wifi, or access this device's hotspot

What your talking about is setting up this router as a repeater (range extender). In that case, the router does not do any of the security. It just repeats the signal it receives (think of it like a dumb box). If you extended an open, unencrypted network, then the traffic will be unencrypted and passwords will not be required to connect.

How I think you want to use the router is as an access point. From looking at the manual, access point mode is only available if the router is connected to an Ethernet network.

 

[travistee]

I had another TP-Link range extender and it did have a password capability. It was an old 850RE. I believe this one does also work as a repeater.
If its on a public wifi can someone still see the traffic on it before it gets to the repeater if I have a password set for it?
TP-Link told me it can use a wireless source, including a cell phone hotspot. It is then supposed to be able to act as it's own hotspot separate from the wireless hotspot it is connecting to. IF it works in the second method as a wireless access point and the source is from a public wifi, can the traffic connected to device hotspot be seen on the original wifi? I assume that if the source is the cell phone hotspot it will have the same security as the cell phone hotspot.

I talked to TP-Link.. They say it can use a cell phone hotspot as a source but it is not recommended, may not be reliable. They say to use an ethernet connection because it is the right way to do it. But it will work as an access point or repeater under those conditions

 

[anotherdrew]

If its on a public wifi can someone still see the traffic on it before it gets to the repeater if I have a password set for it?

Yes, the data between your device and the router would be encrypted (they can see it, but not understand it), but the data between the router and access point providing the open (no password required) network would not be encrypted and easy to read.

TP-Link told me it can use a wireless source, including a cell phone hotspot. It is then supposed to be able to act as it's own hotspot separate from the wireless hotspot it is connecting to. IF it works in the second method as a wireless access point and the source is from a public wifi, can the traffic connected to device hotspot be seen on the original wifi? I assume that if the source is the cell phone hotspot it will have the same security as the cell phone hotspot.

If the router worked as an access point connected to a public WiFi (from the manual I'm not sure it will), then you can hide the devices behind the router, but not the traffic between the router and the public WiFi (everything going out to the internet).

 

[travistee]

Like I said. TP-Link will not say that it will work without a wired source. But that is CYA. It will work but they don't want responsibility for it.
So , on a public WIFI it doesn't give you any security.
On a cell phone hotspot, it has the same security as the cell phone hotspot.
If it works that's good. I think it will because I tried it on one of their other routers even though they told me it would not. The manual is based on their position that they will not take responsibility for saying it will work with a wireless source. So if it works thats good and if it doesn't so at least it may work sometimes.
I want it to be able to connect to the public wifi for a device that doesn't need security, and to the cell phone hotspot for things that do need security. So no guarantees from TP-Link since their official position is that it does not do that.

 

[bill001g]

It is all going to depend if you are using the same radio to connect to the wifi source as the end clients. When you use the same radio it will use the same security/encryption as the wifi source. The main issue you find running a repeater that functions this way is that the main source must support a function called WDS. This feature is considered a security exposure by some so many devices do not enable it. So if the main router does not support WDS you can not use a repeater with it. Many mobile broadband hotspots do not have this feature....lot of discussion as why but it is something many phone based hotspot do not have.

The other form of repeater which I doubt your router supports is where different radios are used. In most cases one radio is hooked virtually to the wan port and the other acts as LAN as normal. This gets around the single mac address restriction when you can not use WDS.

Now if you can load third party firmware like dd-wrt to your router it does have the mode to run a radio on the wan port.

You now adding you want to connect to both sources at the same time for different traffic is a huge addition problem. Lets say you did it by putting 2 wifi nics in your machine so we can ignore the repeater issue. How does your computer know what traffic needs "security". To tell it you are going to have to key in large lists of ip addresses telling which connection to use. Even if you had a router doing this it is the same issue to get that list somehow.

 

[travistee]

This is a TP-Link example of a router that does have WDS.

https://www.youtube.com/watch?v=TbldEEVXTFg

I don't know what the one I ordered has. I'll find out when I get it. It's hard to get the info I need from them.
So I'll post what I find out when it gets delivered. I think there is a way to do what I want but I'm not sure which device I need yet.

The device I have that doesn't need security has to have an ethernet connection.

 

[bill001g]

That is only half the problem and is the easy part. It is the devices you have no real control over. If they do not use WDS then it does not matter if your router has the feature. The cellphone may or may not have the feature and most you can do nothing unless you are willing to root the phone and replace the OS.

It likely doesn't matter because it seems what you are really trying to do is connect to multiple radio sources at the same time. You are not going to accomplish that with any standard router. It is more of a hardware restriction that you need different radio chips to talk to different sources. You would need some device with more radio chips than the common routers have to even think to start this project.

 

[travistee]

After looking into this more I can see that the cell phone hotspot as a source for the repeater or access point is not a good idea. Some repeaters can see the cell phone as a wifi source and some don't even recognize it as a choice in the available networks.

So now the problem has changed.
If I have to have a ethernet connection to the wifi source that will not work for me. I need a wireless solution to this.

Some repeaters don't allow a password different than the source wifi password. This will not work for me either.

Now I'm looking for a repeater or access point that does not require any ethernet connection and can have a different SSID and password than the source wifi.

 

[bill001g]

Most of the third party firmwares have that option BUT you will in effect lose a radio. A radio must be dedicated to the main connection and the second radio used to provide lan services. So if you can say use the 2.4g to connect to the source and the 5g to your end devices it will work.

 

[anotherdrew]

I have seen some expensive boxes that can do this. If you are looking to do on the cheap, maybe try a 2 box solution ...
https://www.amazon.com/TP-Link-Wireless-Portable-Travel-Router/dp/B00TQEX8BO/ref=pd_lpo_vtph_147_tr_t_2?_encoding=UTF8&psc=1&refRID=E7P7GFW2ER9APH51SA7Z in client mode, Ethernet cable connects to WAN port of https://www.amazon.com/TP-Link-N300-Wireless-Wi-Fi-Router-TL-WR841N/dp/B001FWYGJS/ref=sr_1_10?s=pc&ie=UTF8&qid=1535655866&sr=1-10&keywords=wifi+router

I grabbed the 2 boxes at random ... you would want to pick ones that had the features you want.

 

[travistee]

I didn't think of that solution.
I could get two of the N300 travel router.
The first one connects to the wifi as a repeater.
The second one connects to the first on by ethernet as an access point.

Then the only problem I have would be to find a router/repeater that can have a SSID and password different than the original source.

Anybody know of a router than can solve the SSID and password problem.

 

[anotherdrew]

I would actually set the 2nd N300 as a router rather than as a access point.