After many hours of trial and error, I have successfully configured my DrayTek Vigor 2860 router to connect to ExpressVPN, allowing me to tunnel either all of my internet traffic, or just individual physical ports on the router, over ExpressVPN.
This guide is unique in that the setup also passes the ‘DNS Leak Test’. Other manual router configurations that I have found fail the ‘DNS Leak Test’, which means that although your downloaded content may be encrypted and hidden from your Internet Service Provider (ISP), your DNS requests (the initial lookups that turn a website name into an IP address) are not, so your ISP can still see which websites you are looking up.
- I am not sponsored, paid by, endorsing, or otherwise encouraged by the vendors to use their products.
- If you find this guide useful and intend to use ExpressVPN, please consider using this referral link, as we will both get 30 days free added to our subscriptions. ExpressVPN Refer a Friend
- The VPN protocol used is PPTP. It is one of the least secure VPN protocols, but despite many evenings of trying I have been unable to get L2TP with IPsec to work. OpenVPN would be the preferred option, but unfortunately DrayTek does not support it.
Let's get started
Getting your ExpressVPN config options
Log into your ExpressVPN account and navigate to the setup section: https://www.expressvpn.com/setup. Click on the “Manual Config” icon I’ve highlighted in orange and then the “PPTP & L2TP-IPSec” button I’ve highlighted in green.
Make a note of your:
- Username – highlighted in red.
- Password – highlighted in blue.
- The VPN server you wish to connect to – highlighted in purple. In this example I’ll be using the one located in Amsterdam, Netherlands – nl1-ubuntu-l2tp.expressprovider.com
Configuring your DrayTek Vigor Router
The firmware used is 3.8.5_BT, Build Date/Time Aug 11 2017 17:38:40
This tutorial assumes that your DrayTek router is already configured to connect to your ISP and is working without issue.
VPN and Remote Access – Remote Access Control
- Log into your router and select the “VPN and Remote Access” menu.
- Select the “Remote Access Control” sub-menu.
- Ensure “Enable PPTP VPN Service” is ticked.
VPN and Remote Access – LAN to LAN
- Select the “VPN and Remote Access” menu.
- Select the “LAN to LAN” sub-menu.
- Click on an empty profile (e.g. index 1); this takes you to the config screen you can see below. Name your VPN profile. I called mine ExpressVPN.
- Tick “Enable this profile”.
- Select the DrayTek port that is connected to your ISP. If you are using an ADSL/VDSL service such as ‘BT Infinity (UK)’ then this is likely to be WAN1. If you are using a modem in passthrough mode connected via an ethernet cable to your DrayTek (for example Virgin Media UK) then this is likely to be WAN2. If you are using a mobile/cell phone dongle connected to the USB port, then it’s likely to be WAN3 or WAN4.
- Call Direction – Select “Dial-Out”.
- Tick “Always on”.
- Select “PPTP”.
- Enter the VPN server you wish to connect to. You noted this down from the ExpressVPN Manual Config screen. This example uses nl1-ubuntu-l2tp.expressprovider.com
- Enter your Username that you got from the ExpressVPN Manual Config screen.
- Enter your password that you got from the ExpressVPN Manual Config screen.
- VJ Compression – Select “On”.
- Assuming that your home network is not on 10.x.x.x (my home network is on 192.168.x.x), enter 10.0.0.0 as the remote network IP. This is what fixes the DNS leak: the DNS server you will configure later (10.0.0.1) sits inside this remote network, so DNS requests to it are routed through the VPN tunnel rather than out to your ISP.
- Enter a remote network mask of 255.0.0.0.
- Select “NAT” for “From first subnet to remote network, you have to do”.
- If you want ALL your internet traffic to be routed over the VPN, tick the “Change default route to this VPN tunnel” box. If you only want to route individual physical ports over the VPN, leave it unticked (I’ll cover that scenario later in this tutorial).
Configure your LAN to prevent DNS leakage
Click on the “LAN” menu and then the “General Setup” sub-menu.
Click on “Details Page” for the LAN that you’re configuring to use the VPN. In this example it is LAN 1 [192.168.1.1].
Within the details page, enter a Primary IP Address for the DNS server (highlighted in red) of 10.0.0.1.
Your router will probably want to reboot itself at this point. If not, it might be a good idea to reboot it anyway.
Check it is working
Once your router has rebooted, log back in and check the VPN status. It should look something like this:
Then lastly, check that you are indeed using the Public IP address of the VPN and that you don’t have any DNS leakage issues:
Your browser screens should look something like this:
Configuring the VPN to only be active on specified physical ports on your DrayTek router
If you don’t want to tunnel all your internet traffic through the VPN, then you may wish to set up the VPN on just one physical port. In this example I configure LAN 3 (192.168.3.x) to be the network that uses the VPN and make it active on port 3, whilst all other ports (1, 2, 4, 5 & 6) are configured to use LAN 1 (192.168.1.x) and will NOT use the VPN but instead go out through my ISP.
Enable LAN 3 to be on physical port 3
- Select the “LAN” menu
- Select the “VLAN” sub-menu
- Tick “Enable”
- Un-tick P3 for VLAN0
- Tick P3 for VLAN3
- Select “LAN 3” in the drop down box for the row titled VLAN3
- Click the OK button to save the settings
Configure LAN 3
Enable the configuration and enter 10.0.0.1 as the primary IP address for the DNS server (as highlighted in the diagram below).
Edit LAN 1 to remove the VPN DNS as this LAN is no longer going out via the VPN
Remove the entry that we previously entered – highlighted in red.
****** NOTE ****** This is LAN 1, which was configured in the early part of this guide, and NOT LAN 3, which was configured in the image directly above.
VPN and Remote Access – LAN to LAN
- Untick the “Change default route to this VPN tunnel ( Only active if one single WAN is up )” box which we previously ticked in step 16 when the VPN was first configured above. Highlighted in YELLOW.
- Change the “Local Network IP” to 192.168.3.1 – highlighted in YELLOW
Configure the Routing Policy for LAN 3
- Select the “Load-Balance/Route Policy” menu.
- Select the “General Setup” sub-menu
- Click on an empty rule – in this example, index 1
- Tick the “Enable” box
- Give the policy a comment, in this example “LAN3 routed over VPN”
- Criteria – Change Source to “IP Range” and enter the IP range of the network you want routed over the VPN – in this example it is 192.168.3.0 to 192.168.3.255
- Send via if Criteria Matched – Select Interface, “VPN” and failover to “VPN”
- Click the OK button to save the policy
Your router will probably want to reboot itself at this point. If not, it might be a good idea to reboot it anyway, as it never hurts to ensure you’ve got a fresh config!
As before, test that the VPN is operational and that you don’t have any DNS leakage: plug a device into port 3 and check that it is using the VPN, then plug a device into any of the other ports and check that it goes out through your ISP and not the VPN tunnel.
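To make the routing and DNS decisions behind this guide explicit, here is an offline model of the router configuration (an added example, not DrayTek or ExpressVPN code). It uses the guide’s own addresses (remote network 10.0.0.0/255.0.0.0, VPN DNS 10.0.0.1, LAN 1 on 192.168.1.0/24, LAN 3 on 192.168.3.0/24 and the “LAN3 routed over VPN” policy); the public destination and ISP resolver are constructed TEST-NET placeholders. The router model is a simplification: a route-policy rule wins first, then the static route that the LAN-to-LAN profile adds for the remote network, then the default route. It reproduces the leak described at the top of the guide (full tunnel, LAN DNS left on the default), the fixed full-tunnel setup, the split-tunnel setup, and the mistake the NOTE above warns about (leaving 10.0.0.1 on LAN 1), and it also checks the assumption that no LAN overlaps 10.x.x.x.

```python
"""Offline model of the DrayTek routing/DNS behaviour set up in this guide.

Added example, not DrayTek or ExpressVPN code. Addresses are the guide's own;
PUBLIC_DST and ISP_RESOLVER are constructed TEST-NET values. The "router"
is a simplification: policy rule first, then the static route for the VPN
remote network, then the default route.
"""
from ipaddress import ip_address, ip_network

VPN_REMOTE_NET = ip_network("10.0.0.0/255.0.0.0")  # LAN-to-LAN remote network/mask
VPN_DNS = ip_address("10.0.0.1")                    # DNS handed to VPN-using LANs
PUBLIC_DST = ip_address("203.0.113.10")             # constructed: some website
ISP_RESOLVER = ip_address("203.0.113.53")           # constructed: ISP DNS on WAN1

LAN1 = ip_network("192.168.1.0/24")
LAN3 = ip_network("192.168.3.0/24")
BAD_LAN = ip_network("10.1.0.0/24")                  # a LAN that breaks the guide's assumption

# Load-Balance/Route Policy rule from the guide: source range -> interface
LAN3_POLICY = [{"comment": "LAN3 routed over VPN",
                "src_start": ip_address("192.168.3.0"),
                "src_end": ip_address("192.168.3.255"),
                "interface": "VPN"}]


def select_interface(src, dst, policy, default_route_via_vpn):
    """Egress interface for a packet from src to dst under this config."""
    for rule in policy:
        if rule["src_start"] <= src <= rule["src_end"]:
            return rule["interface"]
    if dst in VPN_REMOTE_NET:
        return "VPN"                      # static route from the LAN-to-LAN profile
    return "VPN" if default_route_via_vpn else "WAN"


def check_address_plan(lans):
    """Problems with the addressing: DNS outside the tunnel, or a LAN on 10.x.x.x."""
    problems = []
    if VPN_DNS not in VPN_REMOTE_NET:
        problems.append("VPN DNS %s is outside remote network %s" % (VPN_DNS, VPN_REMOTE_NET))
    for name, (subnet, _dns) in lans.items():
        if subnet.overlaps(VPN_REMOTE_NET):
            problems.append("%s (%s) overlaps the VPN remote network" % (name, subnet))
    return problems


def evaluate(lans, policy, default_route_via_vpn):
    """lans: {name: (subnet, primary DNS or None)}. DNS None means the LAN uses
    the router's default DNS, which the router proxies out of the WAN itself
    (assumption matching the leak the guide describes)."""
    report = {}
    for name, (subnet, dns) in lans.items():
        host = subnet[10]                              # a representative client
        web = select_interface(host, PUBLIC_DST, policy, default_route_via_vpn)
        if dns is None:
            dns_if = "WAN"                             # router -> ISP_RESOLVER via WAN
        else:
            dns_if = select_interface(host, dns, policy, default_route_via_vpn)
        report[name] = {"web": web, "dns": dns_if,
                        "dns_leak": web == "VPN" and dns_if == "WAN",
                        "mismatch": web != dns_if}
    return report


def run_scenarios():
    return {
        # full tunnel, LAN DNS left on the default: the leak other guides have
        "full_tunnel_default_dns": evaluate({"LAN1": (LAN1, None)}, [], True),
        # full tunnel with 10.0.0.1 as LAN DNS: the first part of this guide
        "full_tunnel_vpn_dns": evaluate({"LAN1": (LAN1, VPN_DNS)}, [], True),
        # split tunnel: LAN3 via policy, LAN1 back on the ISP with VPN DNS removed
        "split": evaluate({"LAN1": (LAN1, None), "LAN3": (LAN3, VPN_DNS)},
                          LAN3_POLICY, False),
        # split tunnel but LAN1 still pointed at 10.0.0.1 (what the NOTE warns about)
        "split_lan1_dns_not_removed": evaluate({"LAN1": (LAN1, VPN_DNS), "LAN3": (LAN3, VPN_DNS)},
                                               LAN3_POLICY, False),
    }


if __name__ == "__main__":
    for scenario, rep in run_scenarios().items():
        print(scenario)
        for lan, r in rep.items():
            flag = "  <-- DNS LEAK" if r["dns_leak"] else ("  <-- mismatch" if r["mismatch"] else "")
            print("  %s: web via %s, DNS via %s%s" % (lan, r["web"], r["dns"], flag))
    for p in check_address_plan({"LAN1": (LAN1, None), "LANX": (BAD_LAN, None)}):
        print("address plan problem:", p)
```

Running it prints one line per LAN and scenario; the first scenario is flagged as a DNS leak (web via VPN, DNS via WAN), the split scenario shows LAN 3 fully on the VPN and LAN 1 fully on the ISP, and the last scenario shows the inconsistency you get if the 10.0.0.1 entry is left on LAN 1.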