Using VPN on a Range of IP Addresses with DD-WRT


Using VPN and Non-VPN Devices on the Same Network

In Canada, it can sometimes be difficult to access all the content that is automatically available in other countries. Services like Unblock US are great, but can often be more expensive and offer less functionality than a good VPN. However, one of the problems with a VPN is figuring out how to get it set up on all the devices in the house. It can get even more complicated when trying to set most devices in the house up on the VPN, while letting certain others access the internet directly. Here is one way to work around that problem.

Router Background

For the past year, I've been using DD-WRT on a Netgear R7000. The best part about the router is its ability to encrypt data at a half-decent rate, which allows for running a VPN directly on the router. Installation and configuration of the router was pretty straightforward, but it took a little bit of configuration to get Private Internet Access (PIA) up and running on it.

Using PIA on DD-WRT

It looks like PIA has recently updated their client support area to include detailed instructions on how to get it running with DD-WRT. I used a different set of instructions to set it up, but the "official" PIA instructions look fairly similar.

Using VPN Only for Certain Devices on the Network

One cool thing with DD-WRT is the ability to set "Policy-Based Routing" for the VPN, which allows you to select an IP address (or a range of addresses) which should go over the VPN. In this case, I have several devices that I don't want running on the VPN because either (a) they need to be able to transfer data at full bandwidth or (b) I want to keep them on a Canadian IP address.

My objective was to have any new device on the network automatically assigned an IP address that goes through the VPN, but to have a range of addresses for devices I didn't want on the VPN, for which I could assign a static IP through the router or the device itself. I ended up choosing to have everything from 192.168.X.100 to 192.168.X.199 go over VPN, and anything else to have direct internet access.

DHCP Setup

Under Setup -> Basic Setup, I set the DHCP to automatically start at 192.168.X.100, and the maximum number of users to 100. Any new clients on the network automatically get assigned addresses in this range.


Policy-Based Routing

This option is found on the same page as the VPN settings, Services -> VPN. You need to enable the OpenVPN client to see the option. If you followed one of the above guides for setting up PIA on DD-WRT, then this option is already enabled. There are two ways to approach policy-based routing: either by adding in each and every IP address, or by using a range of IP addresses. Rather than type in the IP addresses individually (192.168.X.100, 192.168.X.101, 192.168.X.102, ...), I wanted to save time and just put in the range.

Unfortunately, DD-WRT doesn't accept just putting in "192.168.X.100 - 192.168.X.199". Fortunately, brighter minds than mine came up with a system for converting a range of IP addresses into something shorter. There are a bunch of good subnet calculators available. This one does exactly what we need to do. I put in my IP range, and it converted the range to a CIDR.
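
The range-to-CIDR conversion described above, as an added example that is not from the original post or from DD-WRT: it computes the blocks for the .100 to .199 pool, then audits a CIDR list against the DHCP pool, reporting pool addresses that would bypass the VPN and non-pool addresses that would be pulled onto it. X = 1, the /24 LAN, the shortcut list, and all function names are assumptions made for the example.

```python
import ipaddress

def range_to_cidrs(first, last):
    """Smallest list of CIDR blocks covering exactly first..last inclusive."""
    nets = ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    return [str(n) for n in nets]

def dhcp_pool(start, max_users):
    """Pool as configured on the page: start address plus maximum users."""
    first = ipaddress.IPv4Address(start)
    return first, first + (max_users - 1)

def audit_policy(cidrs, pool, lan):
    """Compare a policy CIDR list with the DHCP pool on one LAN.

    Returns (uncovered, overreach): pool addresses the policy misses, which
    would reach the internet directly, and non-pool addresses it includes,
    which would be routed over the VPN unintentionally.
    """
    nets = [ipaddress.ip_network(c) for c in cidrs]
    first, last = pool
    uncovered, overreach = [], []
    for host in ipaddress.ip_network(lan).hosts():
        in_pool = first <= host <= last
        in_policy = any(host in n for n in nets)
        if in_pool and not in_policy:
            uncovered.append(str(host))
        elif in_policy and not in_pool:
            overreach.append(str(host))
    return uncovered, overreach

# Constructed values: X = 1 and a /24 LAN are assumptions, not from the post.
LAN = "192.168.1.0/24"
POOL = dhcp_pool("192.168.1.100", 100)          # .100 through .199
EXACT = range_to_cidrs("192.168.1.100", "192.168.1.199")
# A tempting shorter list that does not match the pool.
SHORTCUT = ["192.168.1.96/27", "192.168.1.128/26"]

if __name__ == "__main__":
    print("\n".join(EXACT))
    for name, cidrs in (("exact", EXACT), ("shortcut", SHORTCUT)):
        missed, extra = audit_policy(cidrs, POOL, LAN)
        print(f"{name}: {len(missed)} pool addresses bypass the VPN, "
              f"{len(extra)} non-pool addresses forced onto it")
```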


Assigning Static Leases

Finally, I assigned static leases to two devices that I wanted permanently off VPN: a server and a PS4. I didn't bother doing it for any of the other devices in the house, since they can all easily grab their own static IP. The server itself was already grabbing that static IP address; I just didn't want another device trying to grab that address.