In this article, we offer you a guide for setting up a dual-router configuration that consists of a dedicated VPN router which is set up behind a primary router.
These instructions will work for any VPN-enabled router firmware, including Tomato, ASUSWRT, and DD-WRT. We’ll be making use of a configuration referred to as LAN-to-WAN cascading, in which each router is on a separate subnet.
This setup is popular with home networks for a number of reasons, including:
- It allows users to switch devices to or from the VPN simply by switching networks
- It offers access to both VPN and non-VPN connections
- It provides the added security of a VPN (double NAT)
- It connects non-VPN-supported devices such as Chromecast, Fire Stick, PS4 and Xbox
- A VPN router. Any router with a processor that handles VPN computations will do. The router should also support VPN firmware such as ASUSWRT, DD-WRT or Tomato. For more information on the best VPN routers, read our reviews on the same.
- A second router. This will serve as the non-VPN (primary) router. A mid-range router that can cover all devices in your home will do. For good speeds, it should ideally support AC wireless. However, the CPU need not be as fast as that of VPN routers.
- Powerful, reliable VPN provider. Should support OpenVPN protocol. Our top recommendations include ExpressVPN, NordVPN, Private Internet Access, and IPVanish.
- Ethernet cable. This will connect the two routers for the dual-router configuration.
Part 1: Configuring the primary router
The setup process for the main router is minimal because the only thing that this router does is transmit encrypted traffic from the VPN router. Therefore, any VPN that supports ‘VPN pass-through’ will do.
In most cases, people prefer to use the router that their ISP offers. In fact, some ISPs and cable TV providers, such as Verizon Fios) require their users to install only their routers, otherwise the service will not function properly.
Step 1: Check the router’s gateway/subnet
All devices, including the routers, on your home network have local IP addresses that are linked to their location on the network. IP addresses typically start with 192.168…, with your router serving as the gateway, typically located at 192.168.a.1. ‘a’ in this case is the subnet of your router.
It is imperative that we assign a different subnet to each router so that they in turn do not assign identical IP addresses to the devices on your home network. Start by determining the subnet of your primary router using the following steps.
- Connect to the Internet using the router
- Open the Start menu and run exe
- Type ‘ipconfig’ and hit Enter
- Identify the line saying ‘Default Gateway…….’ This is your router’s IP address
- The second last set of numbers, ‘a’, is the subnet (192.168.a.1)
‘Default Gateway’ refers to the router’s local IP address. In most consumer routers, the default gateway is 192.168.1.1. However, there’s no reason to worry if yours isn’t. The most important thing is to make note of the IP address.
Step 2: Enable VPN pass-through
Most routers have a setting for allowing or blocking VPN traffic. It’s usually on by default but check anyway by logging into the router’s control panel by typing its local IP address into the browser address bar. Here, you’ll find all the required settings under the NAT or Firewall settings.
Once you’re here, enable VPN pass-through.
Part 2: Configuring the VPN router
The purpose of this section is to change the subnet of the VPN routers so that it doesn’t conflict with that of the primary router. Additionally, we need to enable DHCP in order for the VPN router to assign IP addresses to devices in its network. Lastly, you’ll need to set up the VPN connection, if you haven’t already done so.
Therefore, the steps are as follows:
- Change VPN router subnet
- Enable DCHP
- Specify DNS servers
- Link primary and VPN routers
- Test the setup
- Set up the VPN connection
Step 1: Change VPN router subnet
- Power on the VPN router. It need not be connected to the Internet and should NOT be connected to the primary router through the Ethernet cable.
- Connect to the Wi-Fi network of your VPN or connect to your computer via Ethernet.
- Log into you’re the routers control panel by typing its local IP addresses into the browser’s address bar. (Use the ‘ipconfig’ cmd command above to determine the IP address)
- Go to the routers IP address settings and change the subnet to make it different from that of the primary router. For example, if the primary router’s subnet was 192.168.1.1, make the VPN router’s subnet to be 192.168.2.1.
- For ASUS/ASUSWRT routers, go to Advanced Settings > LAN > LAN IP. The subnet number can be any number between 1 and 255.
- For DD-WRT routers, go to Setup > Basic Setup > Network Setup (section) > Router IP.
Step 2 and 3: Enable DHCP and specify DNS
We enable DHCP so that the VPN router assigns IP addresses to devices in its subnet. We specify a DNS just in case one is not provided by the VPN provider. DHCP and DNS settings are typically near each other, often in the same screen as the IP address settings.
If your VPN provider has its own DNS servers, the IP addresses for them will usually be listed on their website’s support pages. Otherwise you can use Google DNS (126.96.36.199 & 188.8.131.52), OpenDNS (184.108.40.206 & 220.127.116.11) or ComodoDNS (18.104.22.168 & 22.214.171.124).
Step 4: Link primary and VPN routers
Connect the routers using an Ethernet cable, making sure that you’ve plugged into the correct ports. For the primary router, any open LAN ports should do whereas the WAN port is used for the VPN router.
Step 5: Test the setup
Check to ensure that both routers are powered on and the Ethernet cable connection is made using the correct ports, i.e. VPN WAN > Primary LAN and Primary WAN > Modem. Connect to the Wi-Fi network of your VPN router and open any website. If it loads, congratulations. You have successfully setup a dual-router connection.
In case the website fails to load, try the following troubleshooting tips:
- Disable the VPN on your VPN router
- Double-check the DNS server configuration
- Double-check the router subnets
- Try flushing the DNS on your computer
- Open cmd.exe
- Type ipconfig/flushdnsand press Enter
- Type ipconfig/registerdnsand press Enter
- Type ipconfig/releaseand press Enter
- Type ipconfig/renewand press Enter
- Manually specify the DNS server
- Restart the router
Part 3: Setup the DNS connection
The exact instruction depends on the firmware that your router is running. Here are the OpenVPN client configuration instructions for Tomato, DDWRT and ASUSWRT-Merlin/ASUSWRT.
Alternatively, you can use an L2TP/IPSec or PPTP VPN protocol. If you haven’t yet identified a VPN provider, read our reviews for the best providers.