How to make a VPN Wifi via DD-WRT


Are you aware of your security while browsing the web? If not, you should be.
I want to show you how to secure a whole wifi network by tunneling the complete traffic of all connected devices through a VPN (virtual private network) of your choice.


First, I recommend checking whether your router supports DD-WRT at all.
Check their download page: https://download1.dd-wrt.com/dd-wrtv2/downloads/betas/
If it is available, download, install and configure DD-WRT on your router (not shown here).
Normally your router's IP address is set to 192.168.1.1, but I recommend changing it to 192.168.2.1 or something else, because if you also have a provider router in between, it is most likely using that IP address.

As a VPN provider I prefer Mullvad: they have many good servers for little money and offer good security. You can also pay with bitcoins or other cryptos on their website.
Link: https://mullvad.net/

So let's start:

First, decide whether you want to secure your normal daily-use wifi or whether you want to test and play around a little by creating a so-called "virtual interface" of your wifi.
You could also use your 5 GHz wifi for the VPN and the 2.4 GHz wifi for the rest. Many options and combinations are possible.

To add a virtual interface on DD-WRT routers, go to tab "Wireless > Basic Settings" and under "Virtual Interface" click on "Add". Leave "Wireless Mode" at AP, define a new "SSID" like MyOwnVpnWifi and leave SSID broadcast enabled.

Click the "Apply Settings" button at the end of the page.

After that you should see the ID of your interface, like ath0 or ath0.1 and so on. Note it down.

Next we need to set up a new bridge to create a separate subnet.
Go to tab "Setup > Networking" and under "Bridging" add a new bridge.
Default values should be fine. Name it "br1" and assign this new bridge to your interface ID. (Don't forget to click on "Add" after the assignment and check that it shows up in the "Current Bridging Table".)

Now that the bridge is set up, we need to assign it a subnet.
For that, scroll to the section "Port Setup" and to the box "br1".
Set the IP Address to "192.168.3.1" if you used "192.168.2.1" for your normal network (router) as described at the top.
Set the subnet mask to "255.255.255.0".

For more security I also recommend setting the "Optional DNS Target" to a DNS server provided by your VPN.
For Mullvad VPN use: "10.8.0.1"
The reason is to avoid DNS leaks. (More info: https://en.wikipedia.org/wiki/DNS_leak)

Now go to the section "DHCPD" and add a DHCP server assigned to "br1" with Start 100, max 50 and a lease time of 1440. You can also change these values to your needs.

At the bottom of the page you should see a button "Apply Settings". Press that button now.

For some VPN providers, such as Mullvad, you may also have to enable IPv6.
To do that, go to "Setup > IPV6" and enable it. (Don't forget about "Apply Settings"!)

Now to the most important part: setting up the VPN access :D
Switch to tab "Services > VPN" and go to the section "OpenVPN Client".
Enable the "OpenVPN Client".

Now configure it the way your VPN provider tells you. For Mullvad VPN check the picture below:
(WARNING: Don't forget to add the CA cert of Mullvad, it's not shown in the picture.)
Check this page for the Mullvad cert: https://mullvad.net/en/guides/dd-wrt-routers-and-mullvad-vpn/

Also add the following content to "Policy based Routing" to make sure your new subnet is assigned to the VPN:
192.168.3.100/30
192.168.3.104/29
192.168.3.112/28
192.168.3.128/28
192.168.3.144/30
192.168.3.148/31
192.168.3.150/32

After that, click "Apply Settings" again and you should be ready to use your VPN wifi :D
As a last check, go to tab "Status > OpenVPN" and verify that you get the status "Client: CONNECTED SUCCESS".
If you have trouble setting it up, also check tab "Status > Syslog" and look for errors there.
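
The "Policy based Routing" entries above are CIDR blocks that together cover the DHCP pool on br1, so they have to be recalculated whenever you change the DHCP start or maximum. The following Python script is an added example, not part of the original post: it derives the blocks for a given pool and audits an existing list against it, assuming the pool runs from the start offset for "max" consecutive addresses (the function names are made up for this example).

```python
import ipaddress

# Policy based Routing entries exactly as listed in the tutorial above.
PAGE_POLICY = ["192.168.3.100/30", "192.168.3.104/29", "192.168.3.112/28",
               "192.168.3.128/28", "192.168.3.144/30", "192.168.3.148/31",
               "192.168.3.150/32"]

def dhcp_pool(bridge_ip, netmask, start, max_leases):
    """Return (first, last) address of the DHCP pool on the bridge subnet.
    Assumption: the pool runs from offset `start` for `max_leases` addresses."""
    net = ipaddress.ip_network(f"{bridge_ip}/{netmask}", strict=False)
    first = net.network_address + start
    last = first + max_leases - 1
    if first not in net or last not in net or last == net.broadcast_address:
        raise ValueError("DHCP pool does not fit into the bridge subnet")
    if first <= ipaddress.ip_address(bridge_ip) <= last:
        raise ValueError("DHCP pool contains the bridge address itself")
    return first, last

def policy_for_pool(first, last):
    """Smallest list of CIDR blocks that covers exactly first..last."""
    return [str(n) for n in ipaddress.summarize_address_range(first, last)]

def audit_policy(entries, first, last):
    """Return (uncovered, extra): pool addresses no entry matches, and
    addresses the entries match that lie outside the pool."""
    covered = set()
    for entry in entries:
        # strict=True rejects entries with host bits set, e.g. a typo like .101/30
        covered.update(ipaddress.ip_network(entry.strip(), strict=True))
    pool = {first + i for i in range(int(last) - int(first) + 1)}
    return sorted(pool - covered), sorted(covered - pool)

if __name__ == "__main__":
    # Values from the tutorial: br1 = 192.168.3.1/255.255.255.0, start 100, max 50.
    first, last = dhcp_pool("192.168.3.1", "255.255.255.0", 100, 50)
    print("pool:", first, "-", last)
    print("policy:", *policy_for_pool(first, last), sep="\n  ")
    uncovered, extra = audit_policy(PAGE_POLICY, first, last)
    print("pool addresses not in policy:", [str(a) for a in uncovered])
    print("policy addresses outside pool:", [str(a) for a in extra])
```

An empty "not in policy" list is the result to look for: any pool address that no entry matches belongs to a client whose traffic is not assigned to the VPN by this setting.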

Hope I could help as many people as possible to get the best out of their Wifi routers ;)

If I could help you please like and share. Please also let me know if I should continue with this topic or not.

Thanks