How To: Free Private VPN On Home Router

Being able to appear as if you're in a different country online is a common issue for expats. Several services such as Netflix, Amazon, and Hulu have region locked content, while some websites completely block access from some foreign countries. Most people pay a VPN provider to help with this issue, but that is not always ideal. This guide is designed to walk you through setting up a free private VPN on a common consumer router that will be placed in the other country.

Pros	Cons
Free No usage caps Extremely customizable setup Nearly impossible to be blocked by a content provider	Only one location No technical support Internet traffic is not anonymous Speed is limited by the upload bandwidth of the host

---

UPDATE (February 2019): Although all the instructions on this page will still work, I have found that using a Raspberry Pi for the VPN server is usually a better option. Instructions on how to use a Pi have been added below under VPN Server on Raspberry Pi.

---

The following steps are to setup SoftEther VPN running on a Linksys EA6700 with an AdvancedTomato GUI.

Table of Contents

• Router Details
• Configuration
• Flash AdvancedTomato
• Install SoftEther
• Setup VPN Server
• Connect VPN Router to Host Router
• Setup VPN Client
• Optional Configurations
• Separate Local Network
• Separate Guest Network
• VPN Server on Raspberry Pi
• Additional Resources

Router Details

Linksys EA6700 - Amazon

• Wireless AC
• CPU: 2x 800MHz
• RAM: 256MB
• Flash: 128MB

Configuration

Flash AdvancedTomato

1. Download the necessary files - https://drive.google.com/drive/folders/15Rf7KnH-kBqjTqcJ4eX0DXuKj7EYjRYS
2. Disconnect or disable internet connection(s) on computer
3. Set a static IP for the ethernet connection on the computer
• IP address = 192.168.1.100
• Subnet mask = 255.255.255.0
• Default gateway = 192.168.1.1
4. Run tftp.exe and fill in fields:
• Server = 192.168.1.1
• Password = admin
• File = FW_EA6700_1.1.40.166281_prod.img
5. Connect computer to router’s Ethernet 1 port
6. Open a PowerShell/Terminal window

ping -t 192.168.1.1

7. Plug in router power
8. Wait until the TTL from the ping command is 100
9. Click Upgrade (if there is an error, try again)
10. Click OK
11. Click Close
12. Wait until the TTL from the ping command is 64
13. Navigate browser to 192.168.1.1
14. Select both checkboxes and click Next
15. Click Login
16. Default password = admin
17. Click Sign In
18. Click Troubleshooting
19. Click Diagnostics
20. Click Restore previous firmware
21. Click Yes
22. After the router restarts, sign in again
23. Click Connectivity
24. Click Choose File and select linksys-ea6700-webflash.bin
25. Click Start
26. Click Yes
27. Click Ok
28. Wait until the TTL from the ping command is 64
29. Navigate browser to 192.168.1.1
30. All three fields = admin
31. Click Change Password
32. Services > Secure Shell > Enable
33. Click Apply Settings
34. Navigate browser to http://192.168.1.1/backup/cfe.bin and save the file in case of necessary recovery
35. Run cfe_edit.exe and open cfe.bin
36. Click on Advanced Mode and edit the values for the specific router
• et0macaddr = MAC address from the bottom of the router
• 0:macaddr = MAC address + 2
• 1:macaddr = MAC address + 4
• secret_code = WPS code on the bottom of the router below the MAC address (no hyphen)
37. Save the file
38. Open a PowerShell/Terminal window on computer

cd <the downloaded directory>
scp .\cfe.bin root@192.168.1.1:~
ssh root@192.168.1.1 "mtd -f write cfe.bin /dev/mtd0"

39. Unplug the router, hold the blue WPS button, plug in the router, and release the button when the Linksys logo starts flashing quickly
40. Repeat the last step, but press the reset button immediately after releasing the WPS button, and hold it until the TTL from the ping command is 100
41. Navigate browser to 192.168.1.1
42. Click Restore default NVRAM values.
43. Click Continue
44. Click Choose File and select tomato-EA6700-AT-ARM-3.5-140-AIO-64K.trx
45. Click Upload
46. Wait until the TTL from the ping command is 64
47. Click Continue
48. Administration > Configuration > Restore Default Configuration > Erase all data in NVRAM memory (thorough) > OK > OK
49. Wait until the TTL from the ping command is 64
50. Navigate browser to 192.168.1.1
51. Administration > Admin Access > Authorization Settings
1. Enter a unique password
2. Click Save
52. Connect ISP connection to Internet port
53. Set the ethernet connection on the computer to obtain an IP address automatically

Install SoftEther

1. Login to router
2. Administration > JFFS
1. JFFS Partition > Enable > Enable
2. JFFS Partition > Format / Erase…
3. Click Ok
4. Click Save
3. Open a PowerShell/Terminal window on computer

cd <the downloaded directory>
ssh root@192.168.1.1 "mkdir -p /jffs/etc/softether"
scp .\<vpnserver or vpnbridge> .\hamcore.se2 root@192.168.1.1:/jffs/etc/softether
ssh root@192.168.1.1 "chmod 700 /jffs/etc/softether/*"

Setup VPN Server

1. Administration > Scripts
1. Init =

modprobe tun
openvpn --mktun --dev tap_soft

2. Firewall =

iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 992 -j ACCEPT
iptables -A INPUT -p tcp --dport 1194 -j ACCEPT
iptables -A INPUT -p tcp --dport 5555 -j ACCEPT
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 1194 -j ACCEPT
iptables -A INPUT -p udp --dport 1701 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT

3. WAN Up =

brctl addif br0 tap_soft
/jffs/etc/softether/vpnserver start

4. Click Save
2. Basic Settings > Network
1. WAN Settings > DNS Server = Manual
2. WAN Settings > DNS 1 = 8.8.8.8
3. WAN Settings > DNS 2 = 1.1.1.1
4. LAN > br0 > IP Address = 192.168.###.1 (### is a random number 2-255)
5. LAN > br0 > IP Range = 192.168.###.101-199 (### to match the IP Address)
6. Click OK
7. Wireless (2.4 GHz / eth1) > Enable Wireless > Disable
8. Wireless (5 GHz / eth2) > Enable Wireless > Disable
9. Click Save
3. Reboot router
4. Download SoftEther VPN Server Manager - http://www.softether-download.com
5. Run SoftEther VPN Server Manager
6. Click New Setting
1. Host Name = Router IP
2. Click OK
7. Click Connect
8. Enter a new password
9. Click Remote Access VPN Server
10. Click Next
11. Click Yes
12. Click OK
13. Enter a unique Dynamic DNS Hostname
14. Click Exit
15. Click Enable L2TP Server Function (L2TP over IPSec)
16. Click OK
17. Click Disable VPN Azure
18. Click OK
19. Click Create Users
20. Create a user for the client router
1. User Name = EA6700
2. Auth Type = Individual Certificate Authentication
3. Click Create Certificate
4. Click OK
5. Click OK
6. Save the file
7. Click OK
21. Click OK
22. Create as many users as wanted with User Name, Full Name, and Password
23. Click Exit
24. Click Close
25. Click Local Bridge Setting
26. Click the Virtual Hub from the dropdown
27. Click Bridge with New Tap Device
28. New Tap Device Name = soft
29. Click Create Local Bridge
30. Click OK
31. Click Exit
32. Click Exit
33. Click Exit SoftEther VPN Server Manager

Connect VPN Router to Host Router

1. Connect Internet port on VPN router to Ethernet port on host router
2. Connect computer to host router
3. Login to host router
4. Set reserved IP for VPN router in DHCP settings
5. Forward following ports to VPN router
• TCP: 443, 992, 1194, 5555
• UDP: 500, 1194, 1701, 4500

Setup VPN Client

1. Administration > Scripts
1. WAN Up =

/jffs/etc/softether/vpnbridge start

2. Click Save
2. Basic Settings > Network
1. WAN Settings > DNS Server = Manual
2. WAN Settings > DNS 1 = 8.8.8.8
3. WAN Settings > DNS 2 = 1.1.1.1
4. LAN > br0 > IP Address = 192.168.###.1 (### is a random number 2-255)
5. LAN > br0 > DHCP = Disabled
6. OK
7. Wireless (2.4 GHz / eth1) & Wireless (5 GHz / eth2)
• SSID = Any name
• Channel = Auto
• Security = WPA2 Personal
• Shared Key = Choose a password
8. Click Save
3. Reboot router
4. Download SoftEther VPN Server Manager - http://www.softether-download.com
5. Run SoftEther VPN Server Manager
6. Click New Setting
1. Host Name = Router IP
2. OK
7. Click Connect
8. Enter a new password
9. Click Next
10. Click Yes
11. Click Configure Connection Setting
1. Setting Name = VPN
2. Host Name = Dynamic DNS Hostname
3. Virtual Hub Name = VPN
4. Auth Type = Client Certificate Authentication
5. User Name = EA6700
6. Click Specify Client Certificate
7. Select the file saved when creating the user
8. Click OK
12. Click Exit
13. Click br0 under Set Local Bridge
14. Click Close
15. Click Exit
16. Click Exit SoftEther VPN Server Manager

Optional Configurations

Separate Local Network

1. Basic Settings > Network > LAN
1. Bridge = 1 (or any other unused available bridge)
2. IP Address = 192.168.###.1 (### is a random number 2-255, different than existing bridges)
3. Netmask = 255.255.255.0
4. DHCP = Enabled
5. IP Range = 192.168.###.101-199 (### to match the IP Address)
6. Click Add
7. Click Save
2. Advanced Settings > Virtual Wireless > Virtual Wireless Interfaces
1. Interface = wl0.1 (or any other unused available interface)
2. Enabled = yes
3. SSID = Name that will show up on devices
4. Bridge = LAN1 (br1) (to match bridge that was just created)
5. Click Add
6. Security = WPA2 Personal
7. Shared Key = new wireless password
8. Click Save
9. Repeat the above steps for wl1.1 interface with the exact same SSID and Shared Key
10. Click Save
3. Advanced Settings > VLAN > VLAN Setting
1. VLAN = 11 (or any other unused available VLAN)
2. VID = 11 (match VLAN)
3. Port 1-4 = Yes (for the ports that should not use the VPN; must be unselected for other VLAN)
4. Bridge = LAN1 (br1) (to match bridge that was just created)
5. Click Add
6. Click Save

Separate Guest Network

1. Basic Settings > Network > LAN
1. Bridge = 2 (or any other unused available bridge)
2. IP Address = 192.168.###.1 (### is a random number 2-255, different than existing bridges)
3. Netmask = 255.255.255.0
4. DHCP = Enabled
5. IP Range = 192.168.###.101-199 (### to match the IP Address)
6. Click Add
7. Click Save
2. Advanced Settings > Virtual Wireless > Virtual Wireless Interfaces
1. Interface = wl0.2 (or any other unused available interface)
2. Enabled = yes
3. SSID = Name that will show up on devices
4. Bridge = LAN2 (br2) (to match bridge that was just created)
5. Click Add
6. Security = WPA2 Personal
7. Shared Key = new wireless password
8. Click Save
9. Repeat the above steps for wl1.2 interface with the exact same SSID and Shared Key
10. Click Save
3. Advanced Settings > VLAN > VLAN Setting
1. VLAN = 12 (or any other unused available VLAN)
2. VID = 12 (match VLAN)
3. Bridge = LAN2 (br2) (to match bridge that was just created)
4. Click Add
5. Click Save

VPN Server on Raspberry Pi

Using a Raspberry Pi as the VPN server hardware provides more benefits (e.g. better hardware for similar cost, remote access, smaller footprint, etc.), but it is slightly more technical than using a router. The below steps are meant to replace the steps above under Flash AdvancedTomato and Install SoftEther. These steps are designed for a headless setup (no display needed), and include TeamViewer for remote access. Although most Raspberry Pi models can be used, I recommend the Pi 4, as it includes a true gigabit ethernet port. Here is one possible kit that includes all the parts you would need to create a complete Raspberry Pi setup - CanaKit

1. Download and install NOOBS to the SD card (Some SD cards come pre-installed with NOOBS) - https://www.raspberrypi.org/downloads/noobs
2. Edit the recovery.cmdline file and add silentinstall

sed -i '$s/$/ silentinstall/' recovery.cmdline

3. Add a file named ssh to the root of the SD card (the contents do not matter)
4. Insert SD card into the Pi
5. Connect an ethernet cable between the Pi and router
6. Connect the power cable to the Pi
7. The Pi will now take up to half an hour to install the operating system
8. Get the IP of the Pi from router once it is available
9. Open a PowerShell/Terminal window on computer

ssh pi@<IP of the Pi> #password = raspberry
sudo raspi-config nonint do_change_locale en_US.UTF-8
sudo raspi-config nonint do_change_timezone America/New_York
sudo raspi-config nonint do_configure_keyboard us
sudo raspi-config nonint do_wifi_country US
sudo apt update -y
sudo apt full-upgrade -y
sudo apt autoremove -y
wget https://download.teamviewer.com/download/linux/teamviewer-host_armhf.deb
sudo apt install ./teamviewer-host_armhf.deb -y
sudo teamviewer setup
curl -s https://api.github.com/repos/SoftEtherVPN/SoftEtherVPN_Stable/releases/latest |
grep "browser_download_url.*vpnserver.*linux-arm_eabi-32bit.tar.gz" |
cut -d : -f 2,3 | tr -d \" | wget -O vpnserver.tar.gz -i -
tar zxvf vpnserver.tar.gz
cd vpnserver
make
1
1
1
cd ..
sudo mv vpnserver /usr/local/
cd /usr/local/vpnserver/
sudo chmod 600 *
sudo chmod 700 vpncmd vpnserver

10. Create /etc/init.d/vpnserver with the below content

#!/bin/sh
### BEGIN INIT INFO
# Provides:          vpnserver
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: SoftEther VPN Server
# Description:       SoftEther VPN Server
### END INIT INFO
DAEMON=/usr/local/vpnserver/vpnserver
LOCK=/var/lock/subsys/vpnserver
test -x $DAEMON || exit 0
case "$1" in
start)
$DAEMON start
touch $LOCK
;;
stop)
$DAEMON stop
rm $LOCK
;;
restart)
$DAEMON stop
sleep 3
$DAEMON start
;;
*)
echo "Usage: $0 {start|stop|restart}"
exit 1
esac
exit 0

11. Set the VPN server to start automatically

sudo chmod 755 /etc/init.d/vpnserver
sudo /etc/init.d/vpnserver start
sudo update-rc.d vpnserver defaults

12. Continue from step 4 under Setup VPN Server above, but skip steps 27 and 28

---

Additional Resources

• AdvancedTomato on the Linksys EA6700
• EA6700 NVRAM issue
• AdvancedTomato on EA6900
• SoftetherVPN server on Tomato router
• Softether on Raspberry Pi