Custom VPN question

Freefaller · 11 Aug 2022 at 14:20

Hi all,

I'm trying to set up a VPN (so that the TV can access foreign content, or content in another language).

I have a NordVPN account and currently have it permanently on the kid's tablets. So when they access youtube kids or look for things it brings back French results which is great as they then listen to more French content which is the key here.

What I'd like to do is to allow the main lounge TV to access the same.

I'm not a guru on this stuff so please forgive me.

I've got a draytek router and have been able to set it up so that it does connect, but it's "always on" and means that the whole house gets it, which is ok, but for work purposes it's not ideal and actually causes problems as I can't access systems.

What I was hoping to do is either set up a second router (asuswrt) or a raspberry pi with a permanent vpn connection and a separate WiFi network that the TV would connect to that would then have access to the other wifi network which has the vpn enabled. This would also mean I wouldn't have to have the nord accounts permanently "on" on the tablets.

Things I've tried:

Asuswrt - can connect to the VPN, but it returns my virgin media IP, and doesn't seem to route the vpn to the devices. I think the reason is, that the router is plugged into the draytek and it's just bypassing the vpn and routing from the draytek's WAN (Virgin) rather than routing the traffic via the VPN. I think it could be a routing rule, but again I'm not enough of an expert to work it out.
Raspverry pi - managed to share the internet connection via wifi (I'm not a linux expert), but as soon as I connect to the vpn it loses the routing information, and I'm not exactly sure what the iptables command I need to fix it.

It's not an android tv so can't really launch a vpn directly from the TV (it's an LG tv - quite old now) but perhaps there's an easier way to do this? After all the tablets are already connected to the vpn via my account, but it would be "smarter" to have a second wifi network which is purely set up for the french vpn.

Perhaps I'm over-complicating it and there's any easier way of doing this?

visibleman · 11 Aug 2022 at 15:36

Freefaller said:
Perhaps I'm over-complicating it and there's any easier way of doing this?

You can use PBR (policy based routing) on the Draytek and route a device, or a range, to the VPN tunnel - So w.w.w.w to x.x.x.x use WAN(1/2/3/4), y.y.y.y to z.z.z.z use VPN. These links may help - https://www.draytek.co.uk/information/our-technology/policy-routing#how-it-works, https://www.draytek.co.uk/information/our-technology/policy-routing.

You could also setup a separate subnet + WiFi/SSID and route the entire subnet to the tunnel. That way, if a device needs VPN access, even temporary, you just connect to the "VPN" WiFi network.

Edit - You've already got a tunnel setup on the Draytek so you know what to expect but if you want line-speeds then you'll need dedicated hardware, most likely x84/64-based.

Caged · 11 Aug 2022 at 15:40

If your TV is close to the router I've found it works quite well to have the cabled interface be on your normal network and the Wi-Fi interface using the VPN, so switching between them is a case of either plugging the ethernet cable in or removing it, rather than going through the menu to change Wi-Fi networks. Of course this only works if your TV defaults to using the wired LAN without having to dig through the menus. The alternative is to grab a Fire Stick and use that only for VPN, and have your TV using the built-in apps on the non-VPN connection.

Freefaller · 11 Aug 2022 at 16:19

visibleman said:
You can use PBR (policy based routing) on the Draytek and route a device, or a range, to the VPN tunnel - So w.w.w.w to x.x.x.x use WAN(1/2/3/4), y.y.y.y to z.z.z.z use VPN. These links may help - https://www.draytek.co.uk/information/our-technology/policy-routing#how-it-works, https://www.draytek.co.uk/information/our-technology/policy-routing.

You could also setup a separate subnet + WiFi/SSID and route the entire subnet to the tunnel. That way,= if a device needs VPN access, even temporary, you just connect to the "VPN" WiFi network.

Edit - You've already got a tunnel setup on the Draytek so you know what to expect but if you want line-speeds then you'll need dedicated hardware, most likely x84/64-based.

Thanks for that - I'll take a read of it. I certainly was able to get the vpn running on the drayetk but just need to tweak it a little as you suggested. I think the policy based routing will be ideal - as I should be able to get the tv to trigger (it has a static IP (MAC binding from the draytek router)) the use of the vpn.

Caged said:
If your TV is close to the router I've found it works quite well to have the cabled interface be on your normal network and the Wi-Fi interface using the VPN, so switching between them is a case of either plugging the ethernet cable in or removing it, rather than going through the menu to change Wi-Fi networks. Of course this only works if your TV defaults to using the wired LAN without having to dig through the menus. The alternative is to grab a Fire Stick and use that only for VPN, and have your TV using the built-in apps on the non-VPN connection.

Thanks great idea (the tv is at the other end of the house, the router is in my makeshift "IT rack"

- but the firestick could be an idea as well.

Freefaller · 11 Aug 2022 at 16:31

PBR worked beautifully. @visibleman thanks a lot! Just need a few tweaks but that's a neat solution.

Firegod · 13 Aug 2022 at 08:16

Would Nord's Meshnet not help in this situation?

Freefaller · 13 Aug 2022 at 08:48

Firegod said:
Would Nord's Meshnet not help in this situation?

That's a good question. I've yet to give it a go. I'll look into it. However the policy based routing is now working beautifully on the devices that I have allocated to go out via the VPN. Meshnet does look smart though.