DD-WRT tricks: dedicated wireless virtual Access Point for OpenVPN, the easy way

All traffic on the AP goes through VPN. Privacy for everyone.

Use cases for an AP dedicated for VPN

You may know how to set up a VPN client on your phone, your tablet, or your desktop. But you have to share WiFi with your roommates, and you don’t want to get a DMCA notice when they torrent movies. Or maybe there’s once you forgot to put on VPN, and now Facebook knows your IP address, and that IP is permanently attached to your online profile for eternity.

But you don’t want to set up VPN on your entire WiFi either. Sometimes you need your real IP for stuff like online banking, and to work with DRM systems like the one used by Netflix. (whether proxy detection in DRM hurts honest consumers is a whole different discussion)

The goal

With DD-WRT, we want to create a virtual access point (VAP) so that:

• The main APs (2.4 GHz and 5 GHz) are not routed through VPN. You get the IP address assigned by your ISP.
• The VAP runs on OpenVPN. All traffic on the VAP goes through the VPN.

My router is running DD-WRT v3.0-r35030M kongac (02/19/18)

Setting up OpenVPN Client

This step is easy. Go to Services -> VPN, and turn on OpenVPN Client. I won’t go into details here because most VPN providers provide tutorials. Just make sure you use TUN instead of TAP.

Once you get it set up, try getting your IP address from http://whatismyipaddress.com and see if your WiFi is going through VPN.

Setting up VAP and DHCP

Go to Wireless -> Basic Settings.

Typically the 2.4 Ghz physical interface is wl0 and the 5 Ghz one is wl1. Pick whatever physical interface you want to add a VAP from.

Below are my settings. I set up this VAP from 5 Ghz interface. It’s really up to you whether you want AP isolation or net isolation. Feel free to change the IP address as well. But make sure you do not bridge this VAP, and Masquerade / NAT is turned on.

Wireless -> Basic Settings

Before we set up DHCP server for the VAP, there’s a few settings you might want to check.

Go to Setup -> Basic Setup and check your DHCP settings. Here just make sure you check Use DNSMasq for DHCP, Use DNSMasq for DNS, and DHCP Authoritative. Feel free to tweak everything else.

Setup -> Basic Setup

Once this is done, go to Setup -> Networking. Scroll to bottom to see DHCP settings. Add a DHCP server for the VAP you just created. It should be either wl1.1 or wl0.1.

Here I put 128 as start, with max 50 (You can certainly put in more than 50. the actual max can be 128 if you want, so it goes from 192.168.22.128 all the way to 192.168.22.255). This way all the addresses assigned by DHCP are covered under 192.168.22.128/25, which is what we are going to use for routing policy later.

Setup -> Networking

Restart your router

Restart your router. Once it boots up, you should be able to connect to both your physical APs and your VAPs. They should all be going through VPN.

Setting up routing policy for OpenVPN client

The last step is to set up policy based routing, to force IP addresses assigned by the VAP to use your VPN as default gateway.

Go to Services -> VPN, look under OpenVPN Client. You should see Policy based Routing. Here we can simply use 192.168.22.128/25 as it covers all the IP addresses assigned by the DHCP server on our VAP wl1.1.

Services -> VPN -> OpenVPN Client

Once you apply settings and reboot your router, your main physical APs should no longer be VPN’d.

Bonus: Kill switch to disable WAN access when VPN disconnects

In case VPN drops, you’d like to disable WAN access for all clients on the VPN VAP. You can do this by going to Administration -> Commands, and put in the following

iptables -I FORWARD -s 192.168.22.128/25 -o $(nvram get wan_iface) -j DROP

Then click Save Firewall.

You can test this out by disabling your OpenVPN client, then check if your device on that VAP still has access to Internet.