You need to connect to a VPN, but you cannot install a VPN client. How can you solve this problem?
In software engineering, adding just another layer of indirection is always the answer. Instead of making the VPN connection on the device, you can make it on the router and share it over WiFi, which gives you a private internet connection.
Sounds easy enough, but what do you need to make it happen?
- Router needs to use WiFi as its WAN interface. In other words, we can connect to any WiFi network and use it as an internet source. Why? We do not always have physical access to the access point, where we could plug in an RJ-45 cable.
- Router must be able to talk the OpenVPN or WireGuard protocols. Most VPN providers don’t allow L2TP/PPTP for security reasons.
- We cannot change anything on the Access Point WiFi as we don’t have admin rights.
Architecture of the solution looks like this:
Internet <----> Access Point (AP) <--WiFi--> VPN Router (VP) <--VPN-enabled WiFi--> Any Device
Picking a router
What I did is a somewhat exotic solution, and doing this on stock firmware is not possible according to my 30-minute research. I needed a router that can be flashed with OpenWRT, preferably for under $100. I live in Poland and needed it ASAP, so I browsed through the websites of local electronics stores. I sorted by price, went one by one and checked OpenWRT compatibility. The lucky winner is: Asus RT-AX53U, which I bought here for roughly $60.
Just to be double sure, I tried to make this work on stock firmware once I got the router. As a base case I plugged the device into my home router via the WAN port and tried to configure the VPN, skipping the WiFi connection entirely. This was disqualified because it required setting up port forwarding on the root AP and, as per the third requirement above, we assume we do not have access to configure the root AP.
Configuring VPN on an access point network (OpenWRT)
- Connecting to client Wi-Fi network
- How to use Wi-Fi as WAN connection
- How to set up Proton VPN on OpenWRT routers
- OpenWRT firmware version: OpenWrt 22.03.3 r20028-43d71ad93e
- Router using an existing WiFi (2.4GHz) network as internet provider (wireless WAN)
- Exposing a new WiFi (5GHz) network with transparent VPN connection (clients do not know that it is using VPN)
- Connecting to the ProtonVPN via OpenVPN on the router
Router configuration starts from the OpenWRT factory defaults.
My router is connected to the computer on the LAN1 port via cable. The default OpenWRT configuration does not have WiFi enabled.
- Log into the router (http://192.168.1.1) with username: root, and an empty password.
- Set the root password in System -> Administration -> Router Password
note: It is used to change the configuration of the router, set it wisely.
- Change the default network from Network -> Interfaces.
note: Most default router networks are 192.168.1.0/24, and this router may receive WAN access from such a network. We change it to avoid IP address conflicts. It can be changed to whatever you prefer, just make it kind of non-default.
- Change IPv4 address to
Save & Apply and Apply with revert after connectivity loss.
After saving, you’ll need to connect to the web interface on 192.168.169.1 again and re-login to double confirm your changes. If you fail to do that, router will revert configuration back to
Connecting to the Internet (via 2.4GHz interface)
- Go to Network -> Wireless and remove the 2.4 GHz network; it is the one under MediaTek MT7915E 802.11axbgn. We will use it as a WWAN.
- Click Scan on the 2.4GHz interface (radio0) and connect to your provider network (
- Enter network password in WPA passphrase field, leave everything else as default and click
- You will be presented with a confirmation screen. In the Network field. It will connect WAN and LAN, so you will also have VPN on LAN ports.
- Go to Advanced Settings and set the appropriate Country Code to be compliant with local regulations.
- Save, there should be around 20 UNSAVED CHANGES. Click Save & Apply and wait.
- Your router is now connected to the WiFi and exposes Internet via LAN!
Exposing a new WiFi (via 5GHz interface)
- Go to Network -> Wireless. Click
- After a while, the router will expose the 5GHz network, but it's not secure. Click Edit and change its name (I changed it to Pizza), then go to Wireless Security and set the encryption to WPA2-PSK and set a good password (key) for your new WiFi network.
- Save and Apply.
- Your router now exposes a secure 5GHz WiFi!
Connecting to ProtonVPN
- Install OpenWRT OpenVPN extensions. Go to System -> Software and click Update lists. After updating lists install 2 packages:
- Go to the homepage of OpenWrt web configuration. There is a new tab (VPN). Go to VPN -> OpenVPN.
- Log in to your Proton VPN account and download OpenVPN configurations for your desired country.
- Upload your configuration in the OVPN configuration file upload section by selecting a conf file, setting the instance name and clicking
- After uploading a new OpenVPN instance will show up (in my case it is
- Find line auth-user-pass and set it accordingly (e.g. /etc/openvpn/Poland.auth). In the field below specify your ProtonVPN username and password (ProtonVPN -> Account -> OpenVPN / IKEv2 Username).
- Save and go back to VPN -> OpenVPN. Click Enabled to yes, then Save & Apply and
- At this point, the VPN is set up and your router can use it. However, the devices in the LAN of your router won’t be able to access the Internet anymore. To restore access, you need to set the VPN network interface as public by assigning the VPN interface to the WAN zone.
- Go to Network -> Firewall and select wan => reject section.
- Advanced Settings, then in the Covered devices field, select
Save & Apply and wait.
- Voila! You now have a WiFi and LAN ports secured by VPN. You can test it on a site like ipleak.net.
- How do I start over the configuration?
- Factory reset OpenWRT by going into System -> Backup / Flash Firmware -> Perform reset.
- OR Turn off the router; turn it on; press Reset button for 10 seconds and wait for a few minutes.
- How can I change my Access Point network?
- Repeat the steps from the "Connecting to the Internet" section, without step 0.
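
A router-side complement to the ipleak.net check, as an added example that is not part of the original post: it classifies the router's IPv4 routing table to tell whether internet-bound traffic leaves through the tunnel or through the plain WiFi uplink. This matters because once the tunnel device sits in the wan zone next to the uplink, LAN traffic is still forwarded over the uplink's default route when OpenVPN is down. Assumptions: the OpenVPN device is named tun0, the uplink is wlan0, and the two routing tables are constructed samples.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: the OpenVPN device
# is named tun* (tun0 here) and the WiFi uplink is wlan0.

# egress_dev: read `ip -4 route show` output on stdin, print the device that
# carries internet-bound traffic. OpenVPN's "redirect-gateway def1" installs
# 0.0.0.0/1 and 128.0.0.0/1, which beat "default" by prefix length, so each
# half of the address space is resolved separately.
egress_dev() {
    awk '
    function after(key,   i) {
        for (i = 1; i < NF; i++) if ($i == key) return $(i + 1)
        return ""
    }
    $1 == "0.0.0.0/1"   { lo = after("dev") }
    $1 == "128.0.0.0/1" { hi = after("dev") }
    $1 == "default" {
        m = after("metric") + 0            # missing metric counts as 0
        if (def == "" || m < best) { def = after("dev"); best = m }
    }
    END {
        low  = (lo != "") ? lo : def
        high = (hi != "") ? hi : def
        if (low == "" || high == "") print "none"
        else if (low == high)        print low
        else                         print "split"
    }'
}

# vpn_status: vpn:<dev> when everything leaves via the tunnel, LEAK:<dev>
# when some or all of it leaves elsewhere, offline when there is no route.
vpn_status() {
    dev=$(egress_dev)
    case "$dev" in
        tun*) echo "vpn:$dev" ;;
        none) echo "offline" ;;
        *)    echo "LEAK:$dev" ;;
    esac
}

# Constructed routing tables (tunnel up / tunnel down), not captured output.
ROUTES_DOWN='default via 192.168.1.1 dev wlan0 proto static src 192.168.1.57
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.57
192.168.169.0/24 dev br-lan proto kernel scope link src 192.168.169.1'
ROUTES_UP="0.0.0.0/1 via 10.96.0.1 dev tun0
128.0.0.0/1 via 10.96.0.1 dev tun0
10.96.0.0/16 dev tun0 proto kernel scope link src 10.96.0.8
$ROUTES_DOWN"

printf '%s\n' "$ROUTES_UP"   | vpn_status    # vpn:tun0
printf '%s\n' "$ROUTES_DOWN" | vpn_status    # LEAK:wlan0
# On the router itself: ip -4 route show | vpn_status
```

Run it once with the OpenVPN instance started and once with it stopped; a LEAK result in the second run means clients keep internet access without the tunnel.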