Setup Express VPN on a DrayTek Vigor 2860 router

After many hours of trial and error, I have successfully configured my DrayTek Vigor 2860 router to connect to Express VPN, allowing me to tunnel either all of my internet traffic, or just individual physical ports on the router, over Express VPN.

This guide is unique as the setup also passes the ‘DNS Leak Test’. Other manual router configurations that I have found fail the ‘DNS Leak Test’ which means that although your downloaded content may be encrypted and hidden from your Internet Service Provider (ISP), your DNS requests (the initial webpage lookup requests) are not, meaning that your ISP is still able to see what webpage lookups you are performing.

[Image: ExpressVPN DNS Leak Test]
https://www.expressvpn.com/dns-leak-test

Full Disclosure

  • I am not sponsored, paid by, endorsing, or otherwise encouraged by the vendors to use their products.
  • If you find this guide useful and intend to use ExpressVPN, please consider using this referral link, as we will both get 30 days free added to our subscriptions. ExpressVPN Refer a Friend
  • The VPN protocol used is PPTP. It is one of the least secure VPN protocols, but despite many evenings I’ve been unable to get L2TP with IPSec to work. OpenVPN would be the preferred option but unfortunately DrayTek does not support it.

Let's get started

Getting your ExpressVPN config options

Log into your ExpressVPN account and navigate to the setup section (https://www.expressvpn.com/setup). Click on the “Manual Config” icon I’ve highlighted in orange and then the “PPTP & L2TP-IPSec” button I’ve highlighted in green.

[Image: ExpressVPN Manual Config]

Make a note of your:

  • Username – highlighted in red.
  • Password – highlighted in blue.
  • The VPN server you wish to connect to – highlighted in purple. In this example I’ll be using the one located in Amsterdam, Netherlands – nl1-ubuntu-l2tp.expressprovider.com

Configuring your DrayTek Vigor Router

The firmware used is 3.8.5_BT, Build Date/Time Aug 11 2017 17:38:40

This tutorial assumes that your DrayTek router is already configured to connect to your ISP and is working without issue.

VPN and Remote Access – Remote Access Control
  1. Log into your router and select the “VPN and Remote Access” menu.
  2. Select the “Remote Access Control” sub-menu.
  3. Ensure “Enable PPTP VPN Service” is ticked.
[Image: DrayTek Remote Access Control]
VPN and Remote Access – LAN to LAN
  1. Select the “VPN and Remote Access” menu.
  2. Select the “LAN to LAN” sub-menu.
  3. Click on an empty profile (e.g. index 1); this will take you through to the config screen you can see below. Name your VPN profile. I called mine ExpressVPN.
[Image: DrayTek LAN to LAN Configuration]
  4. Tick “Enable this profile”.
  5. Select the DrayTek port that is connected to your ISP. If using an ADSL/VDSL service such as ‘BT Infinity (UK)’ then this is likely to be WAN1. If using a modem in passthrough mode connected via ethernet cable to your DrayTek (for example Virgin Media UK) then this is likely to be WAN2. If using a mobile/cell phone dongle connected to the USB port, then it’s likely to be WAN3 or WAN4.
  6. Call Direction – Select “Dial-Out”.
  7. Tick “Always on”.
  8. Select “PPTP”.
  9. Enter the VPN server you wish to connect to. You noted this on the ExpressVPN Manual Config screen. This example uses nl1-ubuntu-l2tp.expressprovider.com
  10. Enter your Username from the ExpressVPN Manual Config screen.
  11. Enter your Password from the ExpressVPN Manual Config screen.
  12. VJ Compression – Select “On”.
  13. Assuming that your home network is not on 10.x.x.x (my home network is on 192.168.x.x), enter 10.0.0.0 as the remote network IP. This is to fix the DNS leak issue: it is the route that sends traffic for the VPN DNS address (configured later) into the tunnel.
  14. Enter a remote network mask of 255.0.0.0.
  15. Select “NAT” for “From first subnet to remote network, you have to do”.
  16. If you wish for ALL your internet traffic to be routed over the VPN then tick “Change default route to this VPN tunnel (Only active if one single WAN is up)”. If you only want to route individual physical ports over the VPN then leave this unchecked (I’ll cover that scenario later in this tutorial).
Configure your LAN to prevent DNS leakage

Click on the “LAN” menu and then the “General Setup” sub-menu.
Click on “Details Page” for the LAN that you’re configuring to use the VPN. In this example it is LAN 1 [192.168.1.1].

[Image: DrayTek LAN General Setup]

Within the details page, enter a Primary IP Address for the DNS server (highlighted in red) of 10.0.0.1.

[Image: DrayTek LAN General Setup Details Page]

Your router will probably want to reboot itself at this point. If not, it might be a good idea to reboot it anyway.

Check it is working

Once your router has rebooted, log back in and check the VPN status. It should look something like this:

[Image: DrayTek LAN to LAN Status]

[Image: DrayTek LAN to LAN Connection Management]

Lastly, check that you are indeed using the public IP address of the VPN and that you don’t have any DNS leakage issues:

Your browser screens should look something like this:

[Image: ExpressVPN what is my ip]
https://www.expressvpn.com/what-is-my-ip

[Image: ExpressVPN DNS Leak Test]
https://www.expressvpn.com/dns-leak-test

Configuring the VPN to only be active on specified physical ports on your DrayTek router

If you don’t want to tunnel all your internet traffic through the VPN, then you may wish to set up the VPN on just one physical port. In this example I configure LAN 3 (192.168.3.x) to be the network that uses the VPN and have this active on port 3, whilst all other ports (1, 2, 4, 5 & 6) are configured to use LAN 1 (192.168.1.x) and will NOT use the VPN but instead go out through my ISP.

Enable LAN 3 to be on physical port 3
  • Select the “LAN” menu
  • Select the “VLAN” sub-menu
  • Tick “Enable”
  • Un-tick P3 for VLAN0
  • Tick P3 for VLAN3
  • Select “LAN 3” in the drop down box for the row titled VLAN3
  • Click the OK button to save the settings
[Image: DrayTek LAN VLAN]
Configure LAN 3

[Image: DrayTek LAN General Setup LAN3]

Enable the configuration and enter 10.0.0.1 as the primary IP Address for the DNS Server IP (as highlighted in the diagram below).
[Image: DrayTek LAN General Setup Details Page LAN3]

Edit LAN 1 to remove the VPN DNS as this LAN is no longer going out via the VPN

Remove the entry that we previously entered – highlighted in red.
****** NOTE ****** This is LAN 1, which was configured in the early part of this guide, and NOT LAN 3, which was configured in the image directly above.

[Image: DrayTek LAN General Setup Details Page LAN1 Defaults]

VPN and Remote Access – LAN to LAN
  • Untick the “Change default route to this VPN tunnel ( Only active if one single WAN is up )” which we previously ticked in step 16 when the VPN was first configured above. Highlighted in YELLOW.
  • Change the “Local Network IP” to 192.168.3.1 – highlighted in YELLOW
[Image: DrayTek LAN to LAN]
Configure the Routing Policy for LAN 3
  • Select the “Load-Balance/Route Policy” menu.
  • Select the “General Setup” sub-menu
  • Click on an empty rule – in this example, index 1
  • Tick the “Enable” box
  • Give the policy a comment, in this example “LAN3 routed over VPN”
  • Criteria – Change Source to “IP Range” and enter the IP range of the network you want routed over the VPN – in this example it is 192.168.3.0 to 192.168.3.255
  • Send via if Criteria Matched – Select Interface, “VPN” and failover to “VPN”
  • Click the OK button to save the policy
[Image: DrayTek LAN3 Routing]

Your router will probably want to reboot itself at this point. If not, it might be a good idea to reboot it anyway as it never hurts to ensure you’ve got a fresh config!

As before, test the VPN is operational and that you don’t have any DNS leakage by plugging a device into port 3 and checking the VPN is operational, and then plugging a device into any of the other ports to ensure they go out through your ISP and not the VPN tunnel.
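The three settings this guide ties together (the 10.0.0.0/8 remote network, the 10.0.0.1 DNS address handed to DHCP clients, and the route policy that sends LAN 3 via the VPN) are easy to get subtly wrong, and the comments below show the failure mode when the home LAN itself sits inside 10.x.x.x. The following is an added example, not code from the original post, from DrayTek or from ExpressVPN: a small Python model of those settings that checks the design for the two mistakes discussed on this page and works out which interface a client’s DNS queries would leave through. The routing model (remote-network route first, then source-range policy, then default route), the treatment of 10.0.0.0/8 as reserved for the tunnel, and every class and function name are my own simplifying assumptions, not DrayTek’s actual routing logic; the subnet and address values are the ones used in the guide and in the comment thread.

```python
"""Consistency checks for the split-tunnel / DNS-leak design in the guide.

Added example, not code from the original post, DrayTek or ExpressVPN.
The routing model and all names here are my own simplification.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

# The author's finding in the comments: a LAN inside 10.x.x.x cannot be made
# leak-free with this setup, whatever remote network is configured (assumption).
TUNNEL_RESERVED = ipaddress.ip_network("10.0.0.0/8")


@dataclass
class RoutePolicy:
    """One 'Load-Balance/Route Policy' rule with an 'IP Range' source criterion."""
    comment: str
    source_first: str   # first address of the source range
    source_last: str    # last address of the source range
    interface: str      # 'VPN' or 'WAN'


@dataclass
class RouterDesign:
    remote_network: str                  # LAN-to-LAN 'Remote Network IP' + mask (CIDR)
    vpn_dns: str                         # DNS Primary IP on the VPN-routed LAN(s)
    lans: dict[str, str]                 # LAN name -> subnet in CIDR form
    policies: list[RoutePolicy] = field(default_factory=list)
    default_route_via_vpn: bool = False  # 'Change default route to this VPN tunnel'


def check_design(design: RouterDesign) -> list[str]:
    """Return the problems found; an empty list means the design is consistent."""
    problems = []
    remote = ipaddress.ip_network(design.remote_network, strict=False)
    dns = ipaddress.ip_address(design.vpn_dns)
    # The DNS address must sit inside the remote network: that route is what
    # pushes DNS queries into the tunnel instead of out to the ISP resolver.
    if dns not in remote:
        problems.append(f"DNS {dns} is outside remote network {remote}: queries would leak")
    for name, cidr in design.lans.items():
        lan = ipaddress.ip_network(cidr, strict=False)
        # Failure mode from the comments: a LAN colliding with the tunnel range
        # brings the tunnel up, but DNS never resolves.
        if lan.overlaps(remote) or lan.overlaps(TUNNEL_RESERVED):
            problems.append(f"{name} {lan} overlaps {remote} or {TUNNEL_RESERVED}: renumber the LAN")
    return problems


def select_interface(design: RouterDesign, src_ip: str, dst_ip: str) -> str:
    """Decide whether a packet leaves via 'VPN' or 'WAN' under the simplified model."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    remote = ipaddress.ip_network(design.remote_network, strict=False)
    # 1. The LAN-to-LAN profile installs a route for the remote network.
    if dst in remote:
        return "VPN"
    # 2. 'Send via if Criteria Matched': first matching source-range policy wins.
    for policy in design.policies:
        first = ipaddress.ip_address(policy.source_first)
        last = ipaddress.ip_address(policy.source_last)
        if first <= src <= last:
            return policy.interface
    # 3. Otherwise the default route applies.
    return "VPN" if design.default_route_via_vpn else "WAN"


def leaking_dns_servers(design: RouterDesign, src_ip: str, dns_servers: list[str]) -> list[str]:
    """DNS servers that a client on src_ip would reach outside the tunnel."""
    return [s for s in dns_servers if select_interface(design, src_ip, s) == "WAN"]


# The split-tunnel scenario from the guide: LAN 3 via the VPN, LAN 1 via the ISP.
GUIDE_DESIGN = RouterDesign(
    remote_network="10.0.0.0/8",
    vpn_dns="10.0.0.1",
    lans={"LAN1": "192.168.1.0/24", "LAN3": "192.168.3.0/24"},
    policies=[RoutePolicy("LAN3 routed over VPN", "192.168.3.0", "192.168.3.255", "VPN")],
)

# The scenario from the comment thread: home LAN on 10.0.0.0/24, remote
# network 172.0.0.0/8 and DNS 172.0.0.1, with the default route via the VPN.
CLASHING_DESIGN = RouterDesign(
    remote_network="172.0.0.0/8",
    vpn_dns="172.0.0.1",
    lans={"LAN1": "10.0.0.0/24"},
    default_route_via_vpn=True,
)

if __name__ == "__main__":
    print("guide design problems:", check_design(GUIDE_DESIGN))
    print("clashing design problems:", check_design(CLASHING_DESIGN))
    for client in ("192.168.3.20", "192.168.1.20"):
        print(client, "-> 8.8.8.8 via", select_interface(GUIDE_DESIGN, client, "8.8.8.8"),
              "; resolvers reached outside the tunnel:",
              leaking_dns_servers(GUIDE_DESIGN, client, ["10.0.0.1", "8.8.8.8"]))
```

Running the script reports no problems for the guide’s own design, flags the 10.0.0.0/24 home LAN from the comments, and shows that a LAN 1 client using 8.8.8.8 as a secondary resolver reaches it via the ISP while a LAN 3 client’s queries all stay inside the tunnel, which is the reason the reply below advises against configuring a secondary DNS server.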

5 thoughts on “Setup Express VPN on a DrayTek Vigor 2860 router”

  1. Thank you very much for documenting this. I haven’t tested it yet but absolutely will when I’ve set up an account with Express VPN. I have a question about the first scenario. Changing the DNS server for LAN1 will also mean that DHCP clients will receive it as their DNS server. I’m trying to understand how that will affect the client side. Will it still be possible to add a secondary DNS server (for example those from Google) under LAN1 for DHCP clients or for fixed clients, or will that mean another DNS leakage? Must all DNS traffic flow through 10.0.0.1 in your scenario and have that as the only configured DNS server for LAN clients?

    1. Within the DrayTek configuration, specifying 10.0.0.1 as the DNS Primary IP Address results in the DrayTek telling any DHCP client to use the DNS IP address of 10.0.0.1. That will subsequently be routed to the ExpressVPN DNS server for resolution.

      There is no need to specify a DNS Secondary IP Address. If you do, i.e. 8.8.8.8 (Google’s DNS service), and for whatever reason the Primary DNS (ExpressVPN) isn’t available, then any DNS lookup will subsequently be routed to Google for resolution – resulting in DNS Leakage. It is therefore up to you. I’d personally not specify a DNS Secondary IP address so that if for whatever reason ExpressVPN fails, then at least my DNS lookup will not be routed to Google without my knowledge.

      If a client is manually configured to use a Fixed IP Address (i.e. it is configured locally and not allocated by DHCP) then it will use whichever DNS service you specify in that configuration. I’ve checked it on my home network and can confirm that a PC configured with a fixed IP can successfully use either a public DNS service such as Google on 8.8.8.8, or ExpressVPN on 10.0.0.1.

  2. Created an Express account today and configured scenario 1 on my vigor 2525 but it isn’t working. I have the same issue as with other VPN providers I tried in the past. Once the tunnel is active, clients cannot browse the web, DNS doesn’t function. My setup deviates from the guide on two points. I use a different router and use 10.0.0.0/24 as my LAN. I therefore configured in step 13/14 a different remote network, namely 172.0.0.0/8, and used 172.0.0.1 as the DNS server as opposed to 10.0.0.1 in the guide. I’ve tried a different remote network as well (192.168.1.0/24) but it results in the same thing, DNS isn’t working once the VPN tunnel is active. I have to disable step 16 for DNS to work but that means leakage. I’m not sure what’s going wrong. I can see my DHCP clients get 172.0.0.1 as their DNS server and have configured even both primary and secondary DNS server fields under LAN1 to 172.0.0.1. Having both DNS server fields occupied is done intentionally because the 2925 will automatically add a secondary DNS server to DHCP clients when only the primary DNS server field is configured under LAN1. It will then automatically add 194.109.6.66/9.99 to DHCP clients for the secondary DNS server (according to Draytek support this behavior is as designed). Anyway, I’m starting to think it’s something with the 2925 software firmware. Any help is very much appreciated.

    1. After investigating with John and replicating his scenario, it appears that if the home network (LAN) is configured on 10.x.x.x then whilst the VPN tunnel can be established, the DNS leakage issue cannot be fixed. Either the DrayTek router or ExpressVPN is using 10.x.x.x/16 for internal routing and as such it clashes with the home LAN configuration resulting in DNS lookups failing. When John changed his home network to 192.168.1.x/24 everything worked as intended on the Vigor 2925.
