If your router isn’t compatible, or you don’t have an extra router at all, you can get a Linksys WRT54G for about $25 off eBay – almost every hardware revision of this model is compatible with DD-WRT… just double-check before you hit the Buy It Now button.
Benefits of a VPN
If you don’t already know, a VPN will let a remote computer act like it is on your home or corporate network. You’ll be able to access network resources, get files off your desktop, remotely control computers, etc. It is also a nice way to share files with someone… just create a temporary username and password for them and let them connect to your VPN.
Just as a side note, I’d like to say that this tutorial is about adding a VPN router as an additional device in your network, not replacing your existing router. The device that your Internet Service Provider gave you (be it a modem or router) is staying put the way it is. Although it is a slightly more direct option to flash this device with DD-WRT instead of adding another router, this will often void warranties, support contracts, and in the case of Verizon FiOS users who also subscribe to FiOS TV/Phone, interfere with some of the available options.
Choosing and Obtaining the Appropriate Firmware
There are several versions of DD-WRT. Which one do you choose? You can see a chart of available features and which build includes them here.
Most builds contain the PPTP VPN option, including Standard. The VPN version also includes OpenVPN support, which you may find useful in the future if you decide you enjoy VPN access. I recommend either Standard or VPN, but your build availability is also going to be determined by what router you have.
After deciding on a build, the next step is to obtain it from the DD-WRT website. There is no registration: you just type in your router model, view the compatible builds, and download the one you want. I recommend getting a STABLE version, not one of the experimental or beta builds. The file you download is the same kind of file you’d have if you downloaded an official firmware from the manufacturer, and you load it the same way.
Plug in your router and connect it to your computer in such a way that you can access the configuration page from a web browser. Make sure you are using a wired connection, as any wireless dropout while loading firmware could brick your router. Always remember that in almost every case you can go back to your original firmware if you choose to in the future, but honestly DD-WRT is probably better. The simplest way to do this is to do a hard reset (use a paperclip or pen to hold the reset button for about 30 seconds) back to its factory defaults and then take an Ethernet cable from one of the LAN ports and connect it directly to the network card in your computer. By default, most routers are set as DHCP servers and will give you an IP address. This will also help ensure you know the IP of your router and aren’t connecting to a different device by mistake.
Once connected, open up a browser and navigate to the router’s configuration page. Most routers default to either 192.168.1.1 or 192.168.0.1 after being reset. If you are confused, you can always check your IP settings for the default gateway. It will ask you for a username and password. On many routers, including many Linksys models, leave the username blank and type “admin” without quotes as the password. Other common variations are admin/password, administrator/password, admin/password1, etc. If all else fails, check your router’s manual or online documentation.
After logging in, you’re going to have to find the firmware update page. On a Linksys it is usually under Administration and Firmware Update, but you’re on your own here because every router is different. Again, if you are confused, consult the manual. When you find it, there is usually a “Browse” button that will let you navigate through your folders to find where you downloaded the DD-WRT firmware. Select the appropriate file, then click on the “Upgrade” button or whatever else is applicable to you. Using an incorrect file or a firmware version not meant for your router is one of the worst things you can do at this point, so be certain before you click.
Now, wait until the firmware has been completely upgraded.
Logging in to DD-WRT for the First Time
Once your firmware has been successfully installed, you can access your new configuration page at the same address as before. The login has probably been changed to root/admin or root/(previous password) so be sure to remember that.
Take a little time and explore your new interface. Many things may have moved around under different headings and there may be several new options available to you. You may need to come back to some of these pages in the future, so try to get a little familiar with the layout.
Placing the DD-WRT Router on a Different Subnet
In this configuration, the router providing VPN access has to be on a different subnet than your main router that connects to the internet. Subnetting can get quite complicated, but for our purposes we just need to change one of the octets in the IP addressing scheme. That sounds harder than it actually is.
If your main router’s address is 192.168.1.1 (or 192.168.1.x, where x is any number between 1 and 255), then we will use the address of 192.168.2.1 for our VPN router. Click the Setup tab and look under Network Setup. Change the value of Local IP Address to reflect our new subnet, and leave the Subnet Mask as 255.255.255.0. You may or may not need to enter values for Gateway or Local DNS, but on my setup I left them blank. Click Apply Settings.
You’ve just changed the IP address of your router, so you’ll need to reconnect to it at this new address. Type it into the address bar and use the same username and password that you did before. You may have to repair or refresh your network connection to get a new address on the new subnet… if that doesn’t work and you still can’t connect, assign yourself a static IP under the .2 subnet.
Once you reconnect, go back to the Setup tab and ensure that DHCP Server is enabled and that it is assigning appropriate addresses. Also I suggest taking this opportunity to change the WAN Connection Type to Static IP as this will make port forwarding easier in the long run. Remember, the WAN side is going to be on the same subnet as your main router, so assign it a 192.168.1.x address, a 255.255.255.0 subnet mask, and you can fill in your main router’s IP as the Gateway and DNS address. Click Apply Settings just like before.
Enabling the PPTP VPN Server
Now navigate to the Services tab and VPN subheading. Under PPTP Server, click the radio button next to Enable. A few other options are going to pop up. Ensure they are all set to Enable as well.
In the Server IP box, type the LAN address of your VPN router, which in our examples is 192.168.2.1. In the Client IP(s) box, you need to type a range of DHCP addresses to assign for clients connecting to the VPN. It should be a range that does not overlap with the regular DHCP range that you just saw on the Setup page. Personally, I have mine set to 192.168.2.20-29 and that is exactly how you need to type yours.
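The addressing rules from the last few steps (separate subnets, WAN address on the main router's subnet, PPTP client range clear of the DHCP pool) can be checked before you type them in. This is an added example, not part of the original tutorial or of DD-WRT; the function names and the DHCP pool values (start .100, 50 addresses) are constructed.

```python
import ipaddress

def parse_range(text):
    """Expand a client range typed as 'a.b.c.START-END' into a list of addresses."""
    base, _, end = text.partition("-")
    first = ipaddress.IPv4Address(base.strip())
    if not end:
        return [first]
    start_octet, last_octet = int(first) & 0xFF, int(end)
    if not start_octet <= last_octet <= 254:
        raise ValueError(f"bad client range: {text!r}")
    return [first + i for i in range(last_octet - start_octet + 1)]

def check_plan(main_lan, vpn_lan, vpn_wan, dhcp_start, dhcp_count, client_range):
    """Return a list of problems with the two-router plan; an empty list means OK."""
    problems = []
    main_if = ipaddress.ip_interface(main_lan)
    vpn_if = ipaddress.ip_interface(vpn_lan)
    if main_if.network.overlaps(vpn_if.network):
        problems.append(f"VPN LAN {vpn_if.network} overlaps main LAN {main_if.network}")
    wan = ipaddress.IPv4Address(vpn_wan)
    if wan not in main_if.network:
        problems.append(f"VPN router WAN {wan} is not on main LAN {main_if.network}")
    if wan == main_if.ip:
        problems.append("VPN router WAN address collides with the main router")
    start = ipaddress.IPv4Address(dhcp_start)
    dhcp_pool = {start + i for i in range(dhcp_count)}
    for addr in parse_range(client_range):
        if addr not in vpn_if.network:
            problems.append(f"PPTP client {addr} is outside {vpn_if.network}")
        elif addr in dhcp_pool:
            problems.append(f"PPTP client {addr} overlaps the DHCP pool")
        elif addr == vpn_if.ip:
            problems.append(f"PPTP client {addr} is the Server IP")
    return problems

if __name__ == "__main__":
    # Values from the tutorial, plus a constructed DHCP pool of .100-.149
    issues = check_plan("192.168.1.1/24", "192.168.2.1/24", "192.168.1.2",
                        "192.168.2.100", 50, "192.168.2.20-29")
    print(issues or "addressing plan is consistent")
```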
The CHAP-Secrets is where you create your usernames and passwords. You can put as many as you want, but they all have to be on different lines and they have to follow this exact syntax:
That’s right, an asterisk goes at the end too or it won’t properly authenticate you. You don’t need to worry about PPTP Client unless you’re connecting TWO VPN routers together, which is handy if you want to tie two locations together across the internet. The rest of the settings don’t matter unless you’re using OpenVPN, which we aren’t in this example. Click Apply Settings.
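A lint for the CHAP-Secrets box, as an added example that is not from the original tutorial or the DD-WRT project. It assumes the four-field `username * password *` layout of pptpd's chap-secrets file, which matches the trailing-asterisk requirement described above; the function name, the 12-character minimum and the sample entries are constructed.

```python
def lint_chap_secrets(text, min_len=12):
    """Return (line_number, message) findings; an empty list means the box is clean."""
    findings, seen = [], set()
    for no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()
        if not fields:
            continue  # blank lines are ignored
        # Assumed layout: username, "*", password, "*" (whitespace separated)
        if len(fields) != 4 or fields[1] != "*" or fields[3] != "*":
            findings.append((no, "not in 'username * password *' form"))
            continue
        user, _, secret, _ = fields
        if user in seen:
            findings.append((no, f"duplicate username {user!r}"))
        seen.add(user)
        # The password is the only thing protecting a PPTP login, so flag
        # short secrets and ones that embed the username.
        if len(secret) < min_len:
            findings.append((no, f"password for {user!r} is shorter than {min_len} characters"))
        if user.lower() in secret.lower():
            findings.append((no, f"password for {user!r} contains the username"))
    return findings

# Constructed sample entries, one account per line
SAMPLE = """\
alice * correct-horse-battery-staple *
guest * guest123
bob * Tr0ub4dor *
alice * another-long-passphrase-here *
"""

if __name__ == "__main__":
    for line_no, message in lint_chap_secrets(SAMPLE):
        print(f"line {line_no}: {message}")
```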
Testing Locally, Hooking Up Both Routers, and Configuring Port Forwarding
Go to Control Panel, Network Connections, and create a new connection. Tell the wizard that you’re connecting through a VPN. You should be able to leave all the settings at their defaults, but for IP address you need to use the LAN address of your VPN router, which is 192.168.2.1, and for username and password you need to use what you configured above. If it connects, it is time to hook everything up.
Take an Ethernet cable from a LAN port on your main router and attach it to the WAN port of your VPN router. Wait a minute, then restart your VPN router, then refresh your computer’s IP address. At this point you should be able to connect to the internet through the PC attached to your VPN router. See if you can access your main router’s configuration page. If you can’t, or you later find that you can’t see the 192.168.2.0 subnet from the 192.168.1.0 subnet, you’ll need to set up static routes between the routers and I will cover that at the end.
Access your main router’s configuration page. I can’t tell you where to go to set up port forwarding because every router is different. Consult your manual for how to do it and for the username/password if you don’t know that. You need to forward the following ports to the WAN address of your VPN router (the 192.168.1.x address):
If your router won’t pass GRE traffic, port forwarding doesn’t work, or just as an alternative, you can set the VPN router as a DMZ host, which passes all inbound traffic through to it, not just the VPN ports.
Configuring Static Routes
A Static Route tells the router where to look for certain addresses that it doesn’t already know about. If your VPN already works perfectly at this point, you really don’t need to do this. From your main router, configure a static route like this:
Destination: 192.168.2.0
Gateway: 192.168.1.x (WAN address of your VPN router)
Netmask: 255.255.255.0
Metric: 0
Those should work and your router should have options sort of similar to that. Remember, NetBIOS names probably aren’t going to pass over subnets, so if you want to VPN in and control your computer through remote desktop, you’ll have to access it by the IP address and not the computer name. That’s just how things work unless you configure a WINS Server on one of your subnets and have your DHCP Servers assign it. It actually isn’t that hard to do and makes things a little more simple, but is beyond the scope of this tutorial.
Well, that’s it. You’re done! All you need now is to test it from a remote location. If you don’t know your internet IP address, go to www.whatismyip.com and remember what it says. Also, you can set up a free dynamic DNS name to redirect a web address to your IP address – it’s easier to remember. If you have a dynamic IP address that changes every day or every few days, you can use the client at www.no-ip.org to automatically update it for you. To complete testing, either go to a remote location yourself, or give a friend a temporary username and password. This time when you create the VPN connection, you’ll need to use your internet IP to connect. This should connect to your main router, which will forward the VPN traffic to your VPN router.