The Apple TV2 doesn't support VPN. One solution is to use a router with VPN support. Our small router, bought for less than 20 €, doesn't support OpenVPN because of its 4 MB of flash memory, but it does support the PPTP protocol. It is not the best protocol in terms of security, but it is faster because encryption uses less CPU.
Installation overview
What I want to do is connect the ATV to the WR703N over Wi-Fi. The WR703N will be attached to the main router by Ethernet cable to get internet access, and it will be configured with a VPN service.
Zone Configuration for the WR703N
I don't know if my approach is the correct one, but it works. In addition to the existing zones (Lan and Wan), I have configured a new zone called Vpn. These zones do not communicate with each other; I will allow traffic between them with the OpenWRT firewall.
The Wan zone will receive an interface with a static address and no DHCP, attached to the main router via Ethernet cable. The Vpn zone will host the PPTP interface. To the Lan zone we will assign a static interface and a wireless interface, both bridged (the ATV will communicate over Wi-Fi).
At the beginning of my tests, I left DHCP distribution enabled on the Lan static interface. It works, but the router and the VPN tunnel were unstable. I suspect the main router's DHCP sometimes conflicts with this one.
Installation of the pptp package.
Two methods:
By LuCI
Go to the "Software" tab in the "System" menu
Click on update
Once updated, look up
ppp-mod-pptp
and click on "install"
By ssh
Enter these two lines one after the other, each followed by Enter:
opkg update
opkg install ppp-mod-pptp
Three zones configuration and their interfaces
In the "Physical Settings" tab, check that the adapter is eth0 and disable the bridge between interfaces.
Vpn Zone
Add a PPTP interface in the Vpn zone.
In "General Setup" fill out the vpn parameters from your supplier.
Go to the "Firewall Setting" tab to assign this interface to the Vpn zone.
I did my tests with a free VPN service. Once the configuration was working, I switched to a paid service to benefit from a quality VPN tunnel.
If the server details and password are correct, you will see RX and TX data counters increasing. The firewall is not yet configured, so do not expect any internet traffic.
Lan Zone
Create a static interface (optionally with DHCP distribution). I called it "virt". This access point will be outside the main network, so assign it a static address in a range outside the main router's, e.g. 192.168.2.1. The netmask should be 255.255.255.0.
I started with DHCP distribution. After some tests I checked the checkbox that disables it and assigned a static IP to my ATV. The connection is much more stable now.
In the "Physical Settings" tab, check "create a bridge..." to ensure direct communication between the "virt" interface and the Wi-Fi.
Go to Wifi and assign this interface to Lan zone.
Once finished, click on Network; you should have something like this:
Firewall configuration
In General Settings set Input, Output and Forward to "Reject" (so by default no traffic goes into or out of the router, and no traffic passes between zones).
Now we can configure each zone:
We have to set the Lan zone to communicate only with the Vpn zone, and the Vpn zone only with the Wan zone. That way all the Wi-Fi traffic is forced through the VPN tunnel.
For security reasons, I set traffic from Wan to the other zones to "reject".
I left Wan input set to "accept" in order to reach the router from the Ethernet port.
Really important: check Masquerading and MSS clamping. Without these, no packets will go out and reach the main router.
In Traffic Rules tab verify that the existing rules are correctly declared.
Default setting is set to receive traffic from Lan and to send it to the Wan zone. Leave it as it is.
For both the Lan and Vpn zones, open port 53 for TCP and UDP and ports 67-68 for UDP.
Also do not forget to open port 1723 for PPTP. I have done nothing for the GRE protocol.
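The firewall rules above are the whole "kill switch" of this setup: one extra forwarding (for example Lan to Wan) would let the ATV reach the internet without the tunnel. The following script is an added example, not part of the original post, that checks a copy of the router's /etc/config/firewall for exactly the policy described above (defaults reject, only Lan to Vpn and Vpn to Wan forwardings, Wan forward reject, masquerading and MSS clamping on the zone carrying the tunnel). The embedded sample config is constructed; the option names (masq, mtu_fix, src, dest) are the real UCI keys LuCI writes, but applying masquerading and MSS clamping to the Vpn zone is my assumption, since the post does not say which zone it ticked them on.

```python
"""Audit an OpenWrt /etc/config/firewall for the isolation policy described above:
lan forwards only to vpn, vpn forwards only to wan, nothing is forwarded from wan,
the global defaults reject, and the tunnel zone masquerades with MSS clamping."""
import re

# Constructed sample mirroring the guide's three zones. The keys (masq, mtu_fix,
# src, dest) are the real UCI option names LuCI writes for "Masquerading",
# "MSS clamping" and inter-zone forwarding; zone/interface names follow the post.
SAMPLE_FIREWALL = """
config defaults
    option input 'REJECT'
    option output 'REJECT'
    option forward 'REJECT'

config zone
    option name 'lan'
    list network 'virt'
    option input 'ACCEPT'
    option forward 'REJECT'

config zone
    option name 'wan'
    list network 'wan'
    option input 'ACCEPT'
    option forward 'REJECT'

config zone
    option name 'vpn'
    list network 'vpn'
    option input 'REJECT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'

config forwarding
    option src 'lan'
    option dest 'vpn'

config forwarding
    option src 'vpn'
    option dest 'wan'
"""

# The only two inter-zone paths the guide allows.
EXPECTED_FORWARDING = {("lan", "vpn"), ("vpn", "wan")}


def parse_uci(text):
    """Return [(section_type, {key: value or [values]})] from UCI config text."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(config|option|list)\s+(\S+)(?:\s+(.+))?$", line)
        if not m:
            raise ValueError(f"unparsed UCI line: {line!r}")
        kind, key, val = m.groups()
        val = val.strip("'\"") if val is not None else None
        if kind == "config":
            sections.append((key, {}))
        elif kind == "option":
            sections[-1][1][key] = val
        else:  # 'list' entries repeat, so collect them
            sections[-1][1].setdefault(key, []).append(val)
    return sections


def audit_firewall(text, tunnel_zone="vpn"):
    """Return a list of policy violations; an empty list means the policy holds."""
    sections = parse_uci(text)
    problems = []
    defaults = next((o for t, o in sections if t == "defaults"), {})
    for chain in ("input", "output", "forward"):
        if defaults.get(chain) != "REJECT":
            problems.append(f"defaults {chain} is {defaults.get(chain)!r}, expected REJECT")
    zones = {o.get("name"): o for t, o in sections if t == "zone"}
    for name in ("lan", "wan", tunnel_zone):
        if name not in zones:
            problems.append(f"zone {name!r} is missing")
    if zones.get("wan", {}).get("forward") != "REJECT":
        problems.append("zone 'wan' forward is not REJECT")
    # Any forwarding beyond lan->vpn and vpn->wan lets Wi-Fi clients bypass the tunnel.
    forwards = {(o.get("src"), o.get("dest")) for t, o in sections if t == "forwarding"}
    for src, dest in sorted(forwards - EXPECTED_FORWARDING):
        problems.append(f"unexpected forwarding {src} -> {dest}")
    for src, dest in sorted(EXPECTED_FORWARDING - forwards):
        problems.append(f"missing forwarding {src} -> {dest}")
    tz = zones.get(tunnel_zone, {})
    if tz.get("masq") != "1":
        problems.append(f"zone {tunnel_zone!r}: masquerading is off, lan packets will not leave via the tunnel")
    if tz.get("mtu_fix") != "1":
        problems.append(f"zone {tunnel_zone!r}: MSS clamping is off, large TCP transfers may stall")
    return problems
```

To use it on the real router, copy the file off with scp (for example scp root@192.168.2.1:/etc/config/firewall .) and call audit_firewall() on its contents; an empty list means the Wi-Fi side can only reach the internet through the tunnel. The check is deliberately strict about forwardings rather than only looking for known-bad ones, because a later LuCI edit that adds a Lan to Wan forwarding is exactly the mistake that silently exposes the ATV.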
Troubleshooting
- The WR703N reboots randomly. With a 1A power supply the issue has gone.
- Each time I make changes in LuCI and save them, the WR703N reboots. With DHCP disabled on the WR703N and the 1A power supply, the router is more stable.
Comments
Thank you for sharing this
Thank you for sharing this guide, finally I successfully connected my router to ExpressVPN.