Setup Express VPN on a DrayTek Vigor 2860 router

After many hours of trial and error, I have successfully configured my DrayTek Vigor 2860 router to connect to Express VPN, allowing me to tunnel either all of my internet traffic, or just individual physical ports on the router, over Express VPN.

This guide is unique as the setup also passes the ‘DNS Leak Test’. Other manual router configurations that I have found fail the ‘DNS Leak Test’ which means that although your downloaded content may be encrypted and hidden from your Internet Service Provider (ISP), your DNS requests (the initial webpage lookup requests) are not, meaning that your ISP is still able to see what webpage lookups you are performing.

ExpressVPN DNS Leak Test

Full Disclosure

  • I am not sponsored, paid by, endorsing, or otherwise encouraged by the vendors to use their products.
  • If you find this guide useful and intend to use ExpressVPN, please consider using this referral link as we will both get 30 days free added to our subscriptions. ExpressVPN Refer a Friend
  • The VPN protocol used is PPTP. It is one of the least secure VPN protocols, but despite many evenings I’ve been unable to get L2TP with IPSec to work. OpenVPN would be the preferred option but unfortunately DrayTek does not support it.

Let’s get started

Getting your ExpressVPN config options

Log into your ExpressVPN account and navigate to the set up section. Click on the “Manual Config” icon I’ve highlighted in orange and then the “PPTP & L2TP-IPSec” button I’ve highlighted in green.

ExpressVPN Manual Config

Make a note of your:

  • Username – highlighted in red.
  • Password – highlighted in blue.
  • The VPN server you wish to connect to – highlighted in purple. In this example I’ll be using the one located in Amsterdam, Netherlands –

Configuring your DrayTek Vigor Router

The firmware used is 3.8.5_BT, Build Date/Time Aug 11 2017 17:38:40

This tutorial assumes that your DrayTek router is already configured to connect to your ISP and working without issue.

VPN and Remote Access – Remote Access Control
  1. Log into your router and select the “VPN and Remote Access” menu.
  2. Select the “Remote Access Control” sub-menu.
  3. Ensure “Enable PPTP VPN Service” is ticked.
DrayTek Remote Access Control
VPN and Remote Access – LAN to LAN
  1. Select the “VPN and Remote Access” menu.
  2. Select the “LAN to LAN” sub-menu.
  3. Click on an empty Profile, i.e. index 1 and this will take you through to the config screen you can see below. Name your VPN profile. I called mine ExpressVPN.
DrayTek LAN to LAN Configuration
  4. Tick “Enable this profile”.
  5. Select the DrayTek port that is connected to your ISP, i.e. if using an ADSL/VDSL service such as ‘BT Infinity(UK)’ then this is likely to be WAN1. If using a modem in passthrough mode connected via ethernet cable to your DrayTek (for example Virgin Media UK) then this is likely to be WAN2. If using a mobile/cell phone dongle connected to the USB port, then it’s likely to be WAN3 or WAN4.
  6. Call Direction – Select “Dial-Out”.
  7. Tick “Always on”.
  8. Select “PPTP”.
  9. Enter the VPN server you wish to connect to. You will have gotten this from the ExpressVPN Manual Config screen. This example uses
  10. Enter your Username that you got from the ExpressVPN Manual Config screen.
  11. Enter your password that you got from the ExpressVPN Manual Config screen.
  12. VJ Compression – Select “On”.
  13. Assuming that your home network is not on 10.x.x.x (My home network is on 192.168.x.x.), then enter as the remote network IP. This is to fix the DNS leak issue.
  14. Enter a remote network mask of
  15. Select “NAT” for “From first subnet to remote network, you have to do”.
  16. If you wish for ALL your internet traffic to be routed over the VPN then tick the “Change default route to this VPN tunnel” box. If you only want to route individual physical ports over the VPN then leave this unchecked (I’ll cover that scenario later in this tutorial).
Configure your LAN to prevent DNS leakage

Click on the “LAN” menu and then the “General Setup” sub-menu.
Click on “Details Page” for the LAN that you’re configuring to use the VPN. In this example it is LAN 1 [].

DrayTek LAN General Setup

Within the details page, enter a Primary IP Address for the DNS server (highlighted in red) of

DrayTek LAN General Setup Details Page

Your router will probably want to reboot itself at this point. If not, it might be a good idea to reboot it anyway.
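
The reasoning behind the remote network and DNS server settings above can be checked before rebooting. The following is an added example, not part of the original guide and not DrayTek or ExpressVPN code: it flags a home LAN on 10.x.x.x and any DNS server handed to clients that falls outside the remote network of the VPN profile, and goes slightly beyond the steps above by also covering a secondary DNS server. The function name and all addresses in it are constructed placeholders, not the values used in this guide.

```python
import ipaddress

TEN_NET = ipaddress.ip_network("10.0.0.0/8")  # range the guide says to keep the home LAN out of

def audit_vpn_lan(lan_subnet, remote_network, dns_servers):
    """Audit one LAN that is meant to resolve DNS through the tunnel.

    lan_subnet     -- the LAN's own subnet, e.g. "192.168.1.0/24"
    remote_network -- remote network IP/mask from the LAN to LAN profile
    dns_servers    -- DNS server IPs set on the LAN details page
    Returns a list of (kind, detail) findings; an empty list means no issue found.
    """
    lan = ipaddress.ip_network(lan_subnet, strict=False)
    remote = ipaddress.ip_network(remote_network, strict=False)
    findings = []

    # The guide assumes the home LAN is not on 10.x.x.x, so a LAN in
    # that range is reported as a clash.
    if lan.overlaps(TEN_NET):
        findings.append(("clash", f"LAN {lan} is inside {TEN_NET}"))
    # Overlapping LAN and remote network make the route to the tunnel ambiguous.
    if lan.overlaps(remote):
        findings.append(("clash", f"LAN {lan} overlaps remote network {remote}"))

    # Every DNS server handed to clients must sit inside the remote network,
    # otherwise lookups are answered by a resolver other than the VPN's.
    for server in dns_servers:
        if ipaddress.ip_address(server) not in remote:
            findings.append(("leak", f"DNS server {server} is outside {remote}"))
    return findings


if __name__ == "__main__":
    # Constructed sample values, NOT the addresses from the guide.
    remote = "10.99.0.0/16"
    cases = {
        "primary only": ("192.168.1.0/24", remote, ["10.99.0.1"]),
        "public secondary": ("192.168.1.0/24", remote, ["10.99.0.1", "8.8.8.8"]),
        "LAN on 10.x": ("10.0.0.0/24", remote, ["10.99.0.1"]),
    }
    for name, args in cases.items():
        print(name, "->", audit_vpn_lan(*args) or "ok")
```
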

Check it is working

Once your router has rebooted, log back in and check the VPN status. It should look something like this:

DrayTek LAN to LAN Status

DrayTek LAN to LAN Connection Management

Then lastly, check that you are indeed using the Public IP address of the VPN and that you don’t have any DNS leakage issues:

Your browser screens should look something like this:

ExpressVPN what is my ip

ExpressVPN DNS Leak Test

Configuring the VPN to only be active on specified physical ports on your DrayTek router.

If you don’t want to tunnel all your internet traffic through the VPN, then you may wish to set up the VPN on just one physical port. In this example I configure LAN 3 (192.168.3.x) to be the network that uses the VPN and have this active on port 3, whilst all other ports (1, 2, 4, 5 & 6) are configured to use LAN 1 (192.168.1.x) and will NOT use the VPN but instead go out through my ISP.

Enable LAN 3 to be on physical port 3
  • Select the “LAN” menu
  • Select the “VLAN” sub-menu
  • Tick “Enable”
  • Un-tick P3 for VLAN0
  • Tick P3 for VLAN3
  • Select “LAN 3” in the drop down box for the row titled VLAN3
  • Click the OK button to save the settings
Configure LAN 3

DrayTek LAN General Setup LAN3

Enable the configuration and enter as the primary IP Address for the DNS Server IP (As highlighted in the diagram below)
DrayTek LAN General Setup Details Page LAN3

Edit LAN 1 to remove the VPN DNS as this LAN is no longer going out via the VPN

Remove the entry that we previously entered – highlighted in red.
****** NOTE ****** This is LAN 1 which was configured in the early part of this guide, and NOT LAN 3 which was configured in the image directly above.

DrayTek LAN General Setup Details Page LAN1 Defaults

VPN and Remote Access – LAN to LAN
  • Untick the “Change default route to this VPN tunnel ( Only active if one single WAN is up )” which we previously ticked in step 16 when the VPN was first configured above. Highlighted in YELLOW.
  • Change the “Local Network IP” to – highlighted in YELLOW
DrayTek LAN to LAN
Configure the Routing Policy for LAN 3
  • Select the “Load-Balance/Route Policy” menu.
  • Select the “General Setup” sub-menu
  • Click on an empty rule – in this example, index 1
  • Tick the “Enable” box
  • Give the policy a comment, in this example “LAN3 routed over VPN”
  • Criteria – Change Source to “IP Range” and enter the IP range of the network you want routed over the VPN – in this example it is to
  • Send via if Criteria Matched – Select Interface, “VPN” and failover to “VPN”
  • Click the OK button to save the policy
DrayTek LAN3 Routing

Your router will probably want to reboot itself at this point. If not, it might be a good idea to reboot it anyway as it never hurts to ensure you’ve got a fresh config!

As before, test the VPN is operational and that you don’t have any DNS leakage by plugging a device into port 3 and checking the VPN is operational, and then plugging a device into any of the other ports to ensure they go out through your ISP and not the VPN tunnel.

9 thoughts on “Setup Express VPN on a DrayTek Vigor 2860 router”

  1. Thank you very much for documenting this. I haven’t tested it yet but absolutely will when I’ve set up an account with Express VPN. I have a question about the first scenario. Changing the DNS server for LAN1 will also mean that DHCP clients will receive it as their DNS server. I’m trying to understand how that will affect the client side. Will it still be possible to add a secondary DNS server (for example those from google) under LAN1 for DHCP clients or for fixed clients or will that mean another DNS leakage? Must all DNS traffic flow through in your scenario and have that as the only configured DNS server for LAN clients.

    1. Within the DrayTek configuration, specifying as the DNS Primary IP Address results in the DrayTek telling any DHCP client to use the DNS IP address of That will subsequently be routed to the ExpressVPN DNS server for resolution.

      There is no need to specify a DNS Secondary IP Address. If you do, i.e. (Google’s DNS service) and for whatever reason the Primary DNS (ExpressVPN) isn’t available, then any DNS lookup will subsequently be routed to Google for resolution – resulting in DNS Leakage. It is therefore up to you. I’d personally not specify a DNS Secondary IP address so that if for whatever reason ExpressVPN fails, then at least my DNS lookup will not be routed to Google without my knowledge.

      If a client is manually configured to use a Fixed IP Address (i.e. it is configured locally and not allocated by DHCP) then it will use whichever DNS service you specify in that configuration. I’ve checked it on my home network and can confirm that a PC configured with a fixed IP can successfully use either a public DNS service such as Google on, or ExpressVPN on

  2. Created an Express account today and configured scenario 1 on my vigor 2525 but it isn’t working. I have the same issue as with other VPN providers I tried in the past. Once the tunnel is active, clients cannot browse the web, DNS doesn’t function. My setup deviates from the guide on two points. I use a different router and use as my LAN. I therefore configured in step 13/14 a different remote network namely and used as the DNS server as opposed to in the guide. I’ve tried a different remote network as well ( but results in the same thing, DNS isn’t working once the VPN tunnel is active. I have to disable step 16 for DNS to work but that means leakage. I’m not sure what’s going wrong. I can see my DHCP clients get as their DNS server and have configured even both primary and secondary DNS server fields under LAN1 to Having both DNS server fields occupied is done intentionally because the 2925 will automatically add a secondary DNS server to DHCP clients when only the primary DNS server field is configured under LAN1. It will then automatically add to DHCP clients for the secondary DNS server (According to Draytek support this behavior is as designed) Anyway, I’m starting to think it’s something with the 2925 software firmware. Any help is very much appreciated.

    1. After investigating with John and replicating his scenario, it appears that if the home network (LAN) is configured on 10.x.x.x then whilst the VPN tunnel can be established, the DNS leakage issue cannot be fixed. Either the DrayTek router or ExpressVPN is using 10.x.x.x/16 for internal routing and as such it clashes with the home LAN configuration resulting in DNS lookups failing. When John changed his home network to 192.168.1.x/24 everything worked as intended on the Vigor 2925.

  3. there is another issue with long names servers step 9 Server Ip / Hostname.
    in the latest version of firmware for 2925AC model it does not allow me to fill in the full server address.

    1. Thanks for the observation. The Vigor 2860 (firmware allows 41 characters to be entered. How many characters does your 2925AC allow?

      I have tested two workarounds which both work:

      Workaround 1 – Register your own, shorter domain name. Delete all the A-records, MX records, etc. Create just one CNAME record with host value of vpn and point it at the ExpressVPN URL i.e.
      I have tried this with a spare domain of mine,, and now when I do a nslookup on it returns the ExpressVPN IP address. The advantage of this approach is that if ExpressVPN change the IP address their URL points to, then your router will follow the change.

      Workaround 2 – Type the IP address of the VPN server into your router rather than the URL. You can look up the IP address by typing in one of these commands at a command line on your PC. ‘ping’ or ‘nslookup’. Currently the hostname resolves to and this IP address can be entered instead. It isn’t ideal because if ExpressVPN change the IP address of the server then your VPN will fail to connect and you’ll need to look up and enter the new IP address – but from my experience, it doesn’t appear that ExpressVPN change the IP addresses of their VPN servers too often. If you choose this option, then I’d also suggest you set up an email alert to warn you if the VPN disconnects so that you can investigate if you need to update the IP address. [ (1) Object Setting -> Notification Object and set up a notification profile for VPN tunnel disconnect. (2) System Maintenance -> SysLog/Mail Alert. Configure your SMTP server here. {Obviously the email will be sent out via your ISP and not over the encrypted VPN tunnel} ]

  4. Hi there,

    Hope you all can help.

    I am wanting to add a second router to my network so I can set up Express VPN via PPTP.

    My primary router is some Generic Sky ER115 thing.

    My second router (the one that supports PPTP) is a Draytek Vigor 2110.

    – Putting them both on the same subnet and connecting LAN to LAN I can get the internet working through connecting to the second router. The problem is with this, I can’t get the VPN to work, as I believe the VPN settings only allow for LAN to WAN setting.

    – So, now I connect a cable from the LAN on router 1 to the WAN port on router 2. And I make sure they are on DIFFERENT subsets (Router 1 on 192.168.0.x Router to 192.168.1.x) With DHCP enabled on both.

    The problem is now the internet will not work when I connect to router 2. I’m probably doing something silly, but most guides seem to stop there and not ask for any other steps.

    Does anyone have an idea what I am doing wrong? Is there some sort of rule I need to allow for traffic to pass between the two?

    Many thanks in advance!

    1. Hi Alex,
      You should be able to get this set-up working fine.
      – Is the WAN port on your Draytek a DSL connector (i.e. it wants to be directly connected to the micro-filter and phone line)? Or is it an RJ45 that will accept an Ethernet cable for onward connection to a modem?

      If it is a DSL connector, then the only option you have is to completely remove the Sky E115 modem and use the Draytek as the modem. This is because the Draytek 2110 is a ROUTER (as well as a switch and Wireless Access Point), and you need to allow the router element to route, and as you said, the VPN is designed to be routed from the LAN port out onto the WAN port.

      If the Draytek WAN port is an RJ45 Ethernet connector, then you can use both devices, but you’ll need to connect the WAN port of the Draytek to one of the Ethernet ports on the E115. You’ll then likely have firewall issues as the Sky ER115 will have its own firewall and may try and block the VPN tunnel the Draytek is attempting to establish. I’d therefore recommend you place the Draytek in the DMZ of the ER115. The Draytek has as good (if not better) firewall as the ER115 so you will not be compromising your security – and you’ll be giving the Draytek a clear view of the internet. The Draytek will attempt to get an IP address for its WAN port from your E115. Ensure that you configure this in the E115 to be ‘Binded’ to its MAC address to ensure the Draytek is ALWAYS allocated the same IP address. Then ensure that the Draytek IP address is placed in the E115 DMZ. This will then forward all unsolicited traffic (including your solicited VPN traffic) to the Draytek without interference from the E115 firewall. Also, for the Draytek to route, its WAN and LAN ports will need to be on different subnets, i.e. have the E115 dishing out IP addresses on 192.168.0.x / and the LAN side of the draytek dishing out 192.168.10.x / (Avoid 10.x.x.x if you can as the Drayteks seem to use this for internal routing and it can screw with the resolution of DNS over the VPN)

      Let us know how you get on. Good luck!
