How to: Set Up a VPN on an Apple Airport Extreme
If you’re a Mac user or just fancy Apple hardware, then you may currently be using an Apple Airport Extreme or Time Capsule as your router of choice. The Airport Extreme is a powerful all-in-one box that makes setting up a network, especially with Mac and iOS devices, a breezy, enjoyable process.
But what if you wanted to add a VPN service to your Airport? Maybe you want to secure your browsing, access geo-restricted services like Netflix, or have some other reason. This is where the simplicity of the Airport’s design and software falls short. It does not provide the platform required to configure popular VPN services so that all data flowing across the router is encrypted. Although there is a VPN tab in the GUI, it only allows you to connect to a single private network point, such as a business network for work, as opposed to popular VPN encryption services. Additionally, you’re limited to the insecure PPTP/L2TP protocols, with no option to add OpenVPN.
Luckily, there’s still a way to do it, with a dual-router configuration. Simply put, you need to run a second, third-party router dedicated to VPN side by side with the Airport Extreme, since it’s impossible to easily set it up on Apple’s firmware.
Wait, what? Set up a VPN on my router, but why?
New VPN users, Airport Extreme owners or not, often get confused by all the possible options and configurations. Since VPN services are most often used over OpenVPN, or through the provider’s own software when available, setting up a VPN connection directly on the network router can be something new. If this is not new to you, skip to the next section.
There are mostly big advantages, and some disadvantages to watch out for:
The good thing is that you can encrypt traffic from ALL your devices at once, with one single VPN connection and account, by configuring it on your router. It will encrypt both wired LAN and Wi-Fi connection data, giving them all a single IP and country of your choice. This is a cost-effective approach for users who have a large number of devices. Many networks also gain management benefits from this type of setup, and it’s easy to ensure everything is encrypted at all times.
The main drawback is that you can no longer select a different IP and country for each device. Since all the traffic passes through that VPN encryption, there’s no way around it for any device connected to the network. But there is a simple solution that just so happens to be perfect for Airport Extreme and Time Capsule users: set up a secondary router to handle all VPN connections, and let the Airport remain the open access point. This dual-router setup negates pretty much every con, and in turn makes your home or office network a powerhouse with possibilities you didn’t know existed.
The last negative that should be mentioned is the possible loss of speed across the whole network. Many VPN connections can take some bandwidth away from your total speed, but luckily, many top providers offer blazing fast servers and shorter routes than the conventional ones used by internet service providers, helping speed up the connection in some areas and applications, or at least keeping it on par with minimal speed loss. But, once again, a dual-router configuration allows the best of both worlds.
How to Use a VPN Router with Apple Airport Extreme
First, let me explain that even regular home-grade branded Wi-Fi routers are mostly incapable of running popular VPN services out of the box. Users often get around this limitation by replacing the firmware with one of the much better open-source options available. However, before I delve any further into that topic, let’s be clear that it is not possible to do this on an Apple device. They operate strictly on Apple software and firmware, so this is once again where the dual-router setup comes in.
As mentioned above, it’s not possible to flash an Airport or Time Capsule, and trying would not only void your expensive Apple warranty, but also remove all the Apple-compatible quirks offered with their software. Instead, using a second VPN-capable network router behind or in parallel with the Apple Airport is the way to go.
The Airport has native support for “bridging”, which allows you to turn the router portion off from the Network tab, turning the device into a switch. This is one way of connecting the Airport to a second router while bypassing Apple’s firewall, but it negates all the networking capabilities of your router.
Instead, I highly suggest you place a switch between your broadband ISP modem and your two routers. The topology goes like this:
Internet Modem –> Ethernet Switch –> Switch Port 1 –> Airport Extreme
Internet Modem –> Ethernet Switch –> Switch Port 2 –> VPN Router
With a little bit of luck, your internet provider might have updated modems with multiple LAN ports, negating the need to add a switch hub to the mix.
Connecting a second router creates two separate networks for you to utilize effectively, which adds a multitude of benefits.
Two Simultaneous Network Connections
Having two network routers virtually provides you with two separate connections: your Airport keeps running directly on your home ISP service, and the second router serves as a dedicated secure VPN gateway. This is great for both home and business use. You can have the encrypted side unlocking various online services while securing your data, and have the Apple Airport or Time Capsule on an open connection for everyday tasks. Or you can use the VPN router as a secure home or small-office business network. The applications are endless, but the value is that you’re not stuck having to constantly reconnect to VPN servers, instead quickly switching from one connection to another.
Extend Wireless Coverage
When Wi-Fi is a need, poor performance quickly becomes a problem. Instead of adding wireless repeaters and extenders, this secondary router can be placed in a different location to immediately add coverage to the areas and rooms of the house or office that need it. You’re also taking advantage of two different access points, reducing the load on each individual router, and facilitating setups for guest Wi-Fi connections.
Router Requirements for VPN
In order to run a VPN connection through any consumer-grade router, you’re most likely going to need to “flash” the firmware to one of the following options: DD-WRT and variant builds, or Tomato. Both are very popular options, not only to open up VPN capabilities for client/server connections, but also to revamp and supercharge your router’s capabilities and performance. Flashing firmware is not very hard, but it’s not exactly easy either. It does come with a learning curve, and a fair share of research to ensure your selected device is compatible with a given firmware. First, let’s list the most popular VPN-capable firmwares available, to better assess our options:
DD-WRT: Most popular and feature rich third-party firmware.
- Can be flashed manually on a long list of compatible devices.
- Can be purchased pre-configured from Buffalo routers.
- Can be purchased pre-configured from specialized shops: Flashrouters or Routersource.
ASUSWRT: Latest native Asus GUI firmware based off DD-WRT – stripped down for performance.
- Includes VPN service capabilities – no changes needed.
- Can be purchased on any of the latest best Asus Routers.
- Can still be flashed to improved Asuswrt-merlin or DD-WRT.
TOMATO: Second most used after DD-WRT. Just as good if not better – balanced features and performance.
- Can be flashed manually on a sizable list of compatible devices.
- Can be purchased pre-configured from specialized shops: Flashrouters or Routersource.
Manually Flash Firmware
“Flashing” the firmware is the term used for replacing the native firmware and its GUI with another one of your choice. It sounds more complicated than it really is, but it still remains a bit more advanced than just downloading software and installing it, and if done wrong, it can cause irreparable damage to the device. It should also be known that flashing a brand new router will usually be against warranty agreements and void claims. But overall, I don’t want to stress over that stuff; this isn’t an expensive iPhone, and your router can do so much more with the right software running it!
For anyone who is totally new to this, I would first suggest reading more on the different third-party open-source firmware options available, such as DD-WRT and Tomato. Either makes a great choice for any home-grade router, instantly turning it into a secure, high-grade customizable router, comparable to commercial-grade firewalls that cost hundreds to thousands of dollars. Manually flashing your device brings many benefits: advanced controls, easily improved Wi-Fi quality and extended reach, better bandwidth control and, of course, a VPN service directly on the router. This router can now be used in conjunction with your Airport Extreme or Time Capsule, in order to provide an open and a secure network simultaneously.
In the end, this may prove to be too technical for some users, but where there is a need, there’s always help and solutions around the corner. So, if technology, routers, networks and setting up advanced computer parameters are not your thing, what do you do?
Purchase a Pre-Configured Router
Flashrouters.com offers the convenient option of a professionally pre-configured device of your choice, on either DD-WRT or Tomato, and even goes as far as letting you purchase VPN integration from a few different providers along with the router itself, so that even the VPN part comes pre-configured. Now you can have the best of both worlds: routers with enhanced software can act in a dual-router setup, so you can use your Airport for traditional use and the flashrouter for more advanced things such as VPN. While this option does involve the extra step of buying certain hardware, it assures you that you’ll have hardware that is already configured with the custom software you need.
It may seem like a big step in price, but you’re paying for peace of mind that you’re getting the best pre-configured wireless router on the market, specifically programmed to work in conjunction with your Airport or Time Capsule, with seamless integration that allows you to switch between networks at the touch of a button. They even cover the dual-router Airport setup thoroughly. The team at Flashrouters also goes above and beyond in providing stellar support over the phone, to help you with every difficulty you may face when connecting everything up at home. So if you’re not very techy, and don’t know any network technicians willing to help you out, this is by far your cheapest, yet most valuable option. If you’re feeling adventurous, I highly suggest checking out more on DD-WRT or Tomato, finding a compatible model, and going at it yourself. Either way, it’s time to get more out of your home network setup, and this is a great first step.
An alternative choice is Routersource.com. Just like Flashrouters, they offer pre-configured flashed models and specialized networking services, but instead of having DD-WRT and Tomato options, they have DD-WRT and Sabai OS. What is Sabai? Well, it’s a firmware developed specifically for VPN setups, and it performs well under heavy loads. The whole firmware is designed to make OpenVPN protocol connections easy, as either client or server, and to provide the best possible speeds and stability on encrypted data.
If those options are not the right ones for you, you can always opt for one of Buffalo’s 3 latest DD-WRT routers. That’s right, Buffalo now provides DD-WRT firmware right out of the box on 3 of their most popular models. With 3 different entry-level units, there should be a model to please just about every need and budget. Over the past year, Buffalo has revised these models, and the second-gen routers perform better than ever.
Lastly, you can opt for an ASUS powered network using Asuswrt, or flash to DD-WRT firmware on your own – find the best models for either of these options on our best network routers for DD-WRT page.
Do Apple routers support VPN?
No AirPort routers support VPN. AirPort base stations can be used as VPN-passthrough devices but you would need a dedicated VPN server/router on your local network that can be accessed from a VPN client app on the remote device.
Can you please go through step by step on how to set up a flash router. Current set up is Airport extreme and internet provider router. Do I hook up the flash router in one of the LAN ports on the internet provider’s router, or directly to the AE?
Many thanks in advance
Hi, I want to make every device connected to wifi to be encrypted by my VPN, but I don’t want two separate networks. Couldn’t I make the connection as: Modem into WAN port of VPN router. VPN router LAN port out in to the WAN port of the Airport Extreme? Wouldn’t this make all data on the apple network encrypted? I have many other apple routers in my setup to extend the network. I don’t see the point of having two separate networks; One encrypted and one not. Why would I want to use an unencrypted network? Thanks.
What if I put the 2nd VPN router in bridge mode and connected it to the AirPort Extreme. Wouldn’t I be able to have two networks that way?
What would be the need to use the open connection (standard time capsule) if a new router was purchased for VPN wouldn’t I just use that for everything negating the need for the time capsule and switch at all? What use would the non VPN network be used for?
The reasons vary, but the basic idea is to have an un-encrypted connection that would not be slowed down by a VPN. Local results and location services also require you to use an open connection. Someone that may want to be watching international sports could use the VPN router connection, while keeping an open connection for everyday work. It all depends on the individual’s needs.
Appreciate the article, as I have an ATC and finding myself needing to disconnect VPN to access the ATC or any related network activities.
Need full access to the home network, while AT THE SAME TIME, have VPN connected for internet usage.
“The applications are endless, but the value is that you’re not stuck having to constantly reconnect to VPN servers, instead quickly switching from one connection to another.”
We have here “instead quickly switching from one connection to another.” Is this referencing a manual switch between both networks, or the two running concurrently and the computer/software understands which networks to use as default (so TimeMachine and internal network are always using ATC, while any online activities always using the other router?). So no need for any manual switching.
Had two routers in the past. ISP router and ATC (on a few different providers as well). The ATC insists on being the router to manage the IP, often resulting in the double NAT errors and such. Caused lots of issues and many hours w/Apple and/or ISP for bridging (virtual pseudo bridges) and such…. and even when things were running at their smoothest there were frequent hiccups, hardware reboots needed and nothing running smoothly.
Currently ATC is the ONLY router in place…the only hardware between ISP and network (no isn hardware etc). It runs well – but lacks the VPN protection.
So if exploring the concept of adding in another piece of hardware, want to avoid the headaches and hours the past experiments imposed.
Thanks for the feedback. The ATC – ISP provided modem you speak of is what is often referred to as a ‘Gateway’, which is a modem and router in one. Gateways can sometimes be truly bridged, thus disabling all network routing and firewall functions and leaving a bypassed modem functioning, but this totally depends on what your ISP decided to make available with its firmware. Just like you have experienced, most ISPs choose to refuse to give the subscriber the option to solely use their own router.
This is a common problem with consumer based home internet services, but you might have options with your ISP. Ask if they offer dedicated modems instead of the gateway model. These modems are usually made available for static IP plans, and might be reserved for business accounts. In summary, ISPs suck big time.
I am following your directions – but I can only get internet through one router at a time.
Both routers are hooked to the switch as you describe, but I am trying to learn how the modem can provide two IP’s.
Even if I stagger the router boot – no go.
What am I missing please?
Hi Craig, sorry for the trouble you are running into. Some ISPs do not provide more than one IP. Technically speaking, by connecting the modem to the switch, and two routers behind the switch, both routers would get a separate IP from your ISP.
With this said, some ISPs provide only 1 IP for their own reasons, at times this can also be a static IP by default, or when requested by the subscriber at extra cost. If you are unable to get a second IP, be it to a router or computer since you can literally connect any internet capable device behind the switch, I would suggest to contact your service provider to see if that would be a possible upgrade or request they can add to your resolution service.
If you only use one IP, being that you connect modem to router and then another router with the VPN connection, it will cause what is called a double IP resolution, where your first router is providing an internal private IP to the second router. At times both routers may try to give out the same IP unless configured manually. Additionally, problems can arise where your IP behind the VPN router will not be properly protected, leaking your real IP and DNS, rendering the VPN useless.
I am interested to know if I can set up the VPN connection as described but connect to it from a remote location. For example, I have a router at work connected to a network that has an Intranet. I must be connected to the Intranet to run certain programs or visit certain services. Can I connect from my home to the network via the router at work using the VPN connection or would I also need a computer acting as a server connected to the router at work to make this a reality?
It sounds like what you want to do may be restricted in the first place, but to explain if I understood correctly. You wish to connect from work to your home computer’s network which is using a VPN server on the router at home. You would need to setup a site-to-site VPN to be able to connect to your home network as a first step. Or, alternatively you would be able to use a remote desktop application, allowing you to run your computer remotely, but obviously that has its display caveats. Additionally, your upload speed would be a determining factor of the performance of any of these types of remote setups.
However, your work firewall and router would have to allow for this. It may be restricted for you to use the office network in this manner, and would be very easy for the administrator to detect the activity if well monitored. Therefore, I would suggest to avoid it, if you are trying to do so to bypass office network restrictions, as it may very well cost you your employment.
Hi, I am having problems connecting a DD-WRT Netgear router to my Time Machine following your solution of an extra router and switch between the modem – router. Are you saying that you need two switches, 1 between the modem and Airport and then another switch netgear N300 the Airport and DD-wrt router? At the moment I am unable to get the Airport to allocate a WAN IP address. Any advice or diagram would be appreciated.
Sorry for the late reply. No you only need one switch. The modem connects to the switch, and two network cables come out of the switch into your router and time machine separately.
Is a two port switch connected to a modem any different than the typical ethernet switches on the market? Where can we purchase the two port switch you refer to?
Many thanks Mike,
It’s just a regular ethernet switch, not a 2 port, and I don’t think those even exist. Typically start at 4 or 5 ports for the smaller switches. The topology is laid out as using port #1 and #2 but you can essentially use any available ports, and use the extra ones for additional networks if needed.
Interesting article, thanks!
My situation is as follows. I am living in China and it’s no secret Internet is heavily regulated here, to a point whereby I often must use VPN to even connect to Apple for instance, update my PS4 and so on.
In other words, a continuous VPN would be a life saver for me.
What I’m not clear on is the following. My Airport Extreme connects to the building network via LAN thru which it then sets up a PPPoE connection.
How do I set up a VPN router in this case?
I think you need to first find out if you get a public or private IP from your building’s ethernet connection. If there is an external router, this can cause issues down the line. Due to your router getting a private IP, this can cause double NAT issues where VPN servers do not properly tunnel, or services are not accessible online. You can learn more about double NAT issues online, but first you would need to verify if the Airport’s IP is private. If not, all you need to use is a switch, connect a secondary non-Apple flashed or VPN compatible router and set up the VPN server directly on it.
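The check suggested in the reply above (is the router’s WAN address private?), together with the single-IP situation discussed earlier in the comments, can be scripted. The following is an added example, not part of the original article or its comments; the function names are hypothetical, the sample addresses are constructed from documentation ranges, and it assumes IPv4 WAN addresses read off each router’s status page.

```python
import ipaddress

# WAN-side ranges that are not publicly routable (IPv4 only in this sketch).
NON_PUBLIC = {
    "private (RFC 1918)": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "carrier-grade NAT (RFC 6598)": ["100.64.0.0/10"],
    "link-local (RFC 3927)": ["169.254.0.0/16"],
}


def classify_wan(addr):
    """Return 'none', 'public', or the label of the non-public range."""
    if not addr or addr == "0.0.0.0":
        return "none"  # router never obtained a WAN address
    ip = ipaddress.ip_address(addr)
    for label, nets in NON_PUBLIC.items():
        if any(ip in ipaddress.ip_network(n) for n in nets):
            return label
    return "public"


def diagnose(wan_by_router):
    """Map each router name to a finding about its WAN side.

    wan_by_router: {"airport": "203.0.113.10", "vpn_router": None, ...}
    """
    kinds = {name: classify_wan(a) for name, a in wan_by_router.items()}
    someone_has_public = "public" in kinds.values()
    findings = {}
    for name, kind in kinds.items():
        if kind == "public":
            findings[name] = "ok: public WAN address, single NAT"
        elif kind == "none" or kind.startswith("link-local"):
            # Self-assigned or missing address: DHCP gave this router nothing.
            if someone_has_public:
                findings[name] = "no lease: ISP may hand out only one IP"
            else:
                findings[name] = "no lease: check cabling or modem"
        else:
            # An upstream device is already doing NAT for this router.
            findings[name] = "double NAT: WAN address is " + kind
    return findings


if __name__ == "__main__":
    # Constructed sample readings (documentation-range addresses).
    scenarios = {
        "two routers behind a switch, ISP gives one IP":
            {"airport": "203.0.113.10", "vpn_router": "169.254.12.9"},
        "VPN router plugged into the Airport's LAN":
            {"airport": "203.0.113.10", "vpn_router": "192.168.1.2"},
        "building network in front of the Airport":
            {"airport": "10.20.30.40"},
    }
    for title, readings in scenarios.items():
        print(title)
        for router, finding in diagnose(readings).items():
            print("  %-11s %s" % (router, finding))
```

A “double NAT” or “no lease” finding means the topology should be sorted out before relying on the VPN router, since the reply above and the earlier one on single-IP ISPs both tie those states to tunnels that fail or leak.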
Thanks for the guide!
What about replacing both switch and VPN router with a VPN capable switch? And then just connect your Apple router in the VPN switch.
Hello! Exactly!! My point precisely. Why add another router, when a VPN switch or device hardware could be added?
Modem >>> VPN Switch/Device >>> Time Capsule/Airport Extreme. Done.