Configuring DD-WRT on the Linksys WRT1900ACS for Multiple WiFi SSID and VPN Setup

14 Jan 2017 by rayheffer

For as long as I can remember I have never really had what you would call a ‘typical’ home network. Back in the early 2000s I had a Cisco home lab which included two Cisco 2610 routers that a friend gave me. I ended up using these to create a home DMZ for my WiFi network, which was still WEP in those days so I was a little paranoid about security. While this was great for my study, I was also able to use it for real world purposes. One application was my car. That’s right, in 2004 I had a WiFi connected car. This was before I had kids, so I decided to install a Shuttle XPC in the back of my Honda Accord Type-R], with a touch screen in the front console with full-screen Winamp for my MP3 collection. I won a few trophies at the UK sound-off competitions back then. All good fun.

For the past few years I have been using a Draytek Vigor 2925n. My original intent for purchasing this when I lived in England, was to do something about my slow internet speed. I wasn’t able to get cable, so my internet was limited to VDSL2 technology (BT Infinity in my case). Due to the distance from the cabinet (DSLAM) being over 1.1 kilometers, I was lucky to get 11Mbps download speed and 1.5Mbps upload. Using the 2925n I was able to load-balance across these connections to double my speed. Kind of. It’s not true bonded DSL, so each connection can only use one of the DSL lines, but it still helped a lot. It was also useful for bypassing certain geo-restrictions (ahem, Netflix), since it was easy enough to create another SSID which was tied to a VPN service.

Home networking has already come far, even for the average family home, and the number of connected devices for a typical home is now exceeding a dozen devices all connected at once. My kids have an iPad each, then there is the Xbox One, Smart TV, two phones, Chromecast, Amazon Fire TV, Echo Dot, Philips Hue Smart Hub and TP-Link smart plugs all over the house.

I have since moved to America, and the number of devices connected to my WiFi as I write this is 19. I still use a separate WiFi SSID that is connected to a UK VPN (my needs are now reversed), but I found the Draytek was starting to suffer. While it supported 5Ghz WiFi, my wife kept complaining that her iPhone’s internet connection dropped at times or the Xbox One would suddenly lose connectivity while she was watching a TV show. I noticed the CPU load of the Draytek 2925n was getting high, and it just wasn’t able to cope with this new onslaught of connectivity madness and multiple client VPN connections.

Today I received a new box from Amazon to solve these problems. A Linksys WRT1900ACS V2. Out of the box the administration interface is very basic, and the features don’t even meet my needs. More on that in a moment. However, I didn’t make the purchase for the basic Linksys firmware. The hardware specifications are far better able to cope with my requirements, with a Marvell Armada 1.6Ghz dual-core embedded CPU, 512MB RAM, and excellent wireless networking capabilities including four antennas.

Having used Tomato firmware in the past, I decided to try something similar and use DD-WRT. For reference, I’m using DD-WRT v3.0-r30796 std (10/25/16) and in very little time I have 2.4Ghz and 5Ghz wireless networking, a separate SSID for my UK VPN and more importantly it isn’t even breaking a sweat.

If you want to do something similar then I hope my guide here is useful.

Configuring the Linksys WRT1900ACS From Scratch

Before going gung-ho and installing the DD-WRT firmware, I recommend you setup the router and test its basic functionality first. At least you can be certain it is working and there are no hardware issues. After doing a Speedtest I was blown away with the performance on 5Ghz with no noticeable difference compared to my wired (CAT5e) connections.

Step 1: Installing the DD-WRT Firmware

  1. Navigate to the DD-WRT website and go to the Router Database.
  2. Type in your model number, in my case it’s WRT1900ACS and select the appropriate version.
  3. Download the factory-to-ddwrt.bin file.
  4. Navigate to the Linksys administration UI (http://192.168.1.1) and perform a firmware upgrade using the new downloaded firmware.

Once the firmware installation is complete, you can connect to the router using the default SSID ‘dd-wrt’. It has no wireless security, so don’t leave it like this for long.

Step 2: Basic Setup

The first step is to get the basic setup completed so you can connect via WiFi and access the internet. Navigate to http://192.168.1.1 and you’ll be prompted to change the default username and password. Click on Setup.

WAN Setup

Your configuration may differ to what I have, but in my case I’m connecting to my cable provider router using Ethernet. My cable router/modem has DHCP and WiFi disabled, and uses the default IP address of 192.168.1.1.

WAN Connection Type
Setting Value
WAN IP Address 192.168.1.10 (This is the client IP your router will use)
Subnet Mask 255.255.255.0
Gateway 192.168.1.1 (IP address of your cable provider router)
Static DNS 1 8.8.8.8 (Google DNS 1)
Static DNS 2 8.8.4.4 (Google DNS 2)

Network Setup

This is self explanatory. In my example here I have disabled DHCP as I already have another DHCP server in my home network. If you don’t have a DHCP server then leave this enabled.

Router IP
Setting Value
Local IP Address 192.168.4.1 (This is the IP of the Linksys router, which will become your default gateway)
Subnet Mask 255.255.255.0
Network Address Server Settings (DHCP)
Setting Value
DHCP Server Disabled (See note)
Time Settings
Setting Value
NTP Client Enable
Time Zone US/Eastern
Server IP/Name pool.ntp.org

Click Apply Changes.

Note: You may now connect to the router using Ethernet. This is optional, but it does make it a little easier in the next step.

Wireless Setup

The basic wireless settings give you two default interfaces, ath0 (5Ghz) and ath1 (2.4Ghz). We’ll add a virtual interface later, for now lets just get WiFi working.

Physical Interface ath0 (5Ghz)
Setting Value
Wireless Mode AP
Wireless Network Mode Mixed
Channel Width Full (20 Mhz)
Wireless Channel Auto
Wireless Network Name (SSID) MAIN (or whatever SSID you wish)
Physical Interface ath1 (2.4Ghz)
Setting Value
Wireless Mode AP
Wireless Network Mode Mixed
Channel Width Full (20 Mhz)
Wireless Channel Auto
Wireless Network Name (SSID) MAIN5 (or whatever SSID you wish)

Click Apply Changes.

**Note: ** If you are connected using wireless and not Ethernet, you will get disconnected. Just reconnect using the new SSID.

Wireless Security

For each of the wireless interfaces (ath0 and ath1) configure your wireless security. The configuration below may differ depending on your preferences.

Wireless Security ath0
Setting Value
Security Mode WPA2 Personal
WPA Algorithms AES
WPA Shared Key (Put something needlessly long and complicated here!)
Wireless Security ath1
Setting Value
Security Mode WPA2 Personal
WPA Algorithms AES
WPA Shared Key (Put something needlessly long and complicated here!)

Click Apply Changes.

Note: You should now have wireless and internet connectivity.

Step 3: Creating Secondary Subnet and SSID for VPN

Now for the exciting part. We will create a separate SSID that uses a new subnet and connects to our VPN provider. Any devices that connect to this SSID, such as Chromecast, mobile phone or tablet computer, will receive an IP address (E.g. 192.168.2.112) and use the VPN connection. Wireless Setup, Virtual Interface

Navigate to Wireless > Basic Settings and now we will add our new SSID or virtual interface. You can choose whether the virtual interface will use ath0 (5Ghz) or ath1 (2.4Ghz) depending on your preference. I prefer 2.4Ghz since it works better with my Chromecast and has better range.

1) Click ‘Add’ virtual interface under either ath0 or ath1.

Virtual Interfaces ath1.1
Setting Value
Wireless Mode AP
Wireless Network Name (SSID) UKVPN (or whatever SSID you wish)
Wireless SSID Broadcast Enable
Check ‘Advanced Settings’
Setting Value
Network Configuration Unbridged

Click Apply Changes.

Wireless Security – Virtual Interface

Virtual Interfaces ath1.1
Setting Value
Security Mode WPA2 Personal
WPA Algorithms AES
WPA Shared Key (Put something needlessly long and complicated here!)

Click Apply Changes.

Networking Setup

Click on Setup > Networking. Our first step is to create a bridge. You will already have the default br0 and STP (Spanning Tree Protocol) is off.

Bridging

  1. Click ‘Add’ to add a new bridge and name it ‘br1’.
  2. Turn off STP.

Click Apply Changes.

  1. Under ‘Assign to Bridge’ click ‘Add’, choose ‘br1’ and select the new virtual wireless interface form the drop-down (ath1.1).
  2. Scroll down to ‘Network Configuration br1’ and enter the following.
Setting Value
Label VPN Network (Choose anything you like here)
IP Address 192.168.2.1 (Default gateway for new subnet)
Subnet Mask 255.255.255.0

Note: You shouldn’t need to change any of the other settings.

Click Apply Settings.

Your bridging table should be as follows:

br0 no eth1 ath0 ath1
br1 no ath1.1

DHCPD

  1. Click ‘Add’, choose ‘br1 – VPN Network’ and set the start range at 129.

Note: This is optional, just my preference to use a small DHCP scope. Set the DHCP range to start at .129 then it will use a 192.168.2.128/28 which provides a usable network range of 192.168.2.129 to – 192.168.2.142 (not including host & broadcast address).

Click Apply Settings.

Note: You should now have wireless and internet connectivity from the new SSID (no VPN yet) and receive an IP address in the 192.168.4.128/28 range. If you can’t connect or still get an IP address from your primary network then double check these settings.

Your bridging table should look like this:

Bridge Name STP enabled Interface
br0 no eth1 ath1
br1 no ath1.1
none no ath0
OpenVPN Setup

My VPN provider allows me to use the OpenVPN, so we will configure the OpenVPN Client and then setup policy based routing so we can route traffic coming from the new subnet to VPN, and ignore everything else so it uses our primary internet connection.

OpenVPN Client

  1. Click on Services > VPN
Setting Value
Start OpenVPN Client Enable
Server IP/Name (Obtain this from your VPN provider)
Port (Obtain this from your VPN provider)
Tunnel Device TUN
Tunnel Protocol UDP
Encryption Cipher AES-128 CBC
Hash Algorithm SHA1 (Depending on VPN provider)
User Pass Authentication Enable
Username (Obtain this from your VPN provider)
Password (Obtain this from your VPN provider)
Advanced Options Enable
TLS Cipher None (Depending on VPN provider)
LZO Compression Yes (Depending on VPN provider)
NAT Enable
Firewall Protection Enable

Your VPN provider may provide you with additional configuration.

Additional Config
persist-key
persist-tun
tls-client
remote-cert-tls server

Policy based Routing

192.168.2.128/28

Note: Add either an IP address or subnet per line in ‘Policy based Routing’. Do NOT include the IP address of the router (192.168.2.1) otherwise you will lose connectivity.

CA Cert

You will need to obtain this from your VPN provider. This will include:

—–BEGIN CERTIFICATE—–

—–END CERTIFICATE—–

Conclusion

I will be honest, the default firmware on the Linksys WRT1900ACS leaves a lot to be desired. For me it is too basic, but with the DD-WRT firmware coupled with its powerful hardware specification, makes it one of the best advanced home routers for under $200. At the time of writing this, it is selling on Amazon for $174.99 in the US and £127.99 in the UK.

By following this guide carefully, you should now be able to connect your devices to the new wireless network SSID and will be using your preferred VPN provider. I have intentionally not recommended a VPN provider in this article since a Google search will yield many results.

There are other guides out there that talk about similar configurations, but I found some of them to be out of date or just too damn complicated. Thankfully DD-WRT has improved and features like ‘policy based routing’ eliminates the need for configuring iptables or route-up / route-down scripts.

Comments are closed for this post.