DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

2927 VPN; "Change default route to this tunnel" not working?

03 Jan 2021 15:01 #1 by oviano
I am trying to set up my router to a third party VPN provider (ExpressVPN).

I have it connected, but it's messing with my default route when I don't want it to. It appears that the option "Change default route to this tunnel" does not work and it behaves as if it is always selected.

The result is I cannot selectively route certain devices through the VPN and also, the router/my WAN IP no longer becomes reachable from outside the location.

I followed the instructions on ExpressVPN website to set up the VPN, and it asked me to put 0.0.0.0/0 for the Remote IP. Maybe that is confusing the DrayTek router? Although, I'm pretty sure I did the same on an earlier Draytek router with a different VPN provider.

My WAN IP is 185.XXX.XXX.225 below.

Routing table when VPN not connected

* 0.0.0.0/ 0.0.0.0 via 185.XXX.XXX.225 WAN1
C 185.XXX.XXX.224/ 255.255.255.248 directly connected WAN1
C~ 192.168.1.0/ 255.255.255.0 directly connected LAN1

Routing table when VPN connected
(Change default route to this tunnel not selected)

S 0.0.0.0/ 0.0.0.0 via 10.222.0.1 VPN-1
C 10.222.0.1/ 255.255.255.255 directly connected VPN-1
C 185.XXX.XXX.224/ 255.255.255.248 directly connected WAN1
* 104.194.220.225/ 255.255.255.255 via 185.XXX.XXX.225 WAN1
C~ 192.168.1.0/ 255.255.255.0 directly connected LAN1

Routing table when VPN connected
(Change default route to this tunnel selected)

S 0.0.0.0/ 0.0.0.0 via 10.222.0.1 VPN-1
C 10.222.0.1/ 255.255.255.255 directly connected VPN-1
C 185.XXX.XXX.224/ 255.255.255.248 directly connected WAN1
* 104.194.220.231/ 255.255.255.255 via 185.XXX.XXX.225 WAN1
C~ 192.168.1.0/ 255.255.255.0 directly connected LAN1

04 Jan 2021 09:20 #2 by johngalt
Putting 0.0.0.0/0 for the Remote IP already means this is the "default route", and the router will send all traffic via this route whether the default route checkbox is enabled or not.

To send only certain devices through the VPN, don't use the default route. Instead you can try choosing the mode as "NAT" instead of Routing in the VPN Profile "TCP/IP Network Settings", and then go to Route Policy to create a rule in which you specify your selected LAN devices to go via the VPN.

04 Jan 2021 15:06 #3 by oviano
Right, I see thank you.

Well I already have it set as NAT, because my understanding was that this is how you are supposed to connect to third-party VPNs so that the provider doesn't have access to your own network.

So I have it with remote IP/mask as 0.0.0.0/0 and mode NAT, with "Change default route to this tunnel" *not* selected and it creates a default route for 0.0.0.0/0 that goes via the VPN.

Did you mean I should change it to Route?

04 Jan 2021 15:34 #4 by hornbyp

oviano wrote:
I followed the instructions on ExpressVPN website to set up the VPN, and it asked me to put 0.0.0.0/0 for the Remote IP. Maybe that is confusing the DrayTek router? Although, I'm pretty sure I did the same on an earlier Draytek router with a different VPN provider.



Maybe they assume you'll want to send all your traffic via them? (Why would you?, you hardly know them :wink: )

I think I've seen some similar instructions on Draytek's site - which confused me (so I ignored 'em :wink: )

This is how I set up my outbound LAN-to-LAN connection (on a 2860n to a remote 2830n, so both under my control) :-

and this is the resulting routing table (abbreviated for clarity) :-
Code:
Vigor> ip route stat
Codes: C - connected, S - static, R - RIP, * - default, ~ - private, B - BGP
* 0.0.0.0/ 0.0.0.0 via 51.148.72.23, WAN1
C~ 192.168.100.0/ 255.255.255.0 is directly connected, LAN1
* 51.148.72.23/ 255.255.255.255 via 51.148.72.23, WAN1
S 82.x.y.z/ 255.255.255.255 via 82.w.x.z, WAN1
C~ 192.168.200.254/ 255.255.255.255 is directly connected, VPN-2
S~ 192.168.200.0/ 255.255.255.0 via 192.168.200.254, VPN-2
Vigor>


(51.148.72.23 is the ISP's Default Gateway)

Dunno if this helps at all.

05 Jan 2021 02:29 #5 by johngalt
So I have it with remote IP/mask as 0.0.0.0/0 and mode NAT, with "Change default route to this tunnel" *not* selected and it creates a default route for 0.0.0.0/0 that goes via the VPN.

Did you mean I should change it to Route?

=> don't use the 0.0.0.0/0 in the remote IP/mask and also don't tick the default route if you don't want to send everything to the VPN. I think their note is a bit misleading.

Since you will control the traffic with route policy, you can simply put any IP/mask which is irrelevant to your daily business in the remote IP/mask here in the VPN profile. (And yes, keep it with NAT mode).

For example, if your LAN is 192.168.1.1/24, and 192.168.10.1/24 is totally irrelevant to you and you probably won't use it, you can put it in the remote network/mask. You could also make the mask smaller so it will have less effect in the routing table (e.g., 192.168.10.1/30). And then, go to route policy to specify which LAN clients should go via the VPN tunnel.

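An added example, not from the thread and not DrayTek code: a small parser for the Vigor "ip route stat" tables posted above, with checks that make johngalt's points in #2 and #5 concrete. It flags the symptom from #1 (0.0.0.0/0 via a VPN-n interface whenever the profile's remote network is 0.0.0.0/0) and shows that a throwaway /30 remote network leaves the default on WAN1 and attracts only that one prefix. Both sample tables are constructed (RFC 5737 addresses, not the posters').

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Covers both spellings seen in the thread: "via 10.222.0.1 VPN-1" and "is directly connected, LAN1"
ROUTE_RE = re.compile(
    r"^(?P<code>[CSRB*]~?)\s+(?P<net>[\d.]+)/\s*(?P<mask>[\d.]+)\s+"
    r"(?:via\s+(?P<gw>[\d.]+),?|(?:is\s+)?directly connected,?)\s+(?P<iface>\S+)$"
)

@dataclass
class Route:
    code: str
    prefix: ipaddress.IPv4Network
    gateway: Optional[str]
    iface: str

def parse_route_stat(text: str) -> List[Route]:
    """Parse the route lines; the Vigor> prompt and the Codes: legend are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            prefix = ipaddress.IPv4Network((m["net"], m["mask"]), strict=False)
            routes.append(Route(m["code"], prefix, m["gw"], m["iface"]))
    return routes

def default_route_iface(routes: List[Route]) -> Optional[str]:
    """Interface carrying 0.0.0.0/0, or None if the table has no default route."""
    return next((r.iface for r in routes if r.prefix.prefixlen == 0), None)

def default_hijacked_by_vpn(routes: List[Route]) -> bool:
    """The symptom from post #1: the default route points into a VPN-n interface."""
    return (default_route_iface(routes) or "").startswith("VPN")

def vpn_prefixes(routes: List[Route]) -> List[str]:
    """Specific prefixes the tunnel attracts; with a /30 remote network this stays tiny."""
    return sorted(str(r.prefix) for r in routes
                  if r.iface.startswith("VPN") and r.prefix.prefixlen > 0)

# Constructed tables (RFC 5737 addresses, not the posters'). First: remote network 0.0.0.0/0
# as in post #1; second: a throwaway 192.168.10.0/30 as johngalt suggests in post #5.
TABLE_REMOTE_ANY = """Vigor> ip route stat
S 0.0.0.0/ 0.0.0.0 via 10.222.0.1 VPN-1
C 10.222.0.1/ 255.255.255.255 directly connected VPN-1
* 198.51.100.225/ 255.255.255.255 via 203.0.113.225, WAN1
C~ 192.168.1.0/ 255.255.255.0 directly connected LAN1"""
TABLE_REMOTE_SMALL = """* 0.0.0.0/ 0.0.0.0 via 203.0.113.225 WAN1
S 192.168.10.0/ 255.255.255.252 via 10.222.0.1 VPN-1
C~ 192.168.1.0/ 255.255.255.0 directly connected LAN1"""
```

Paste your own "ip route stat" output into parse_route_stat() after changing the profile; if default_hijacked_by_vpn() still returns True with the checkbox clear, the remote network in the profile is what is pulling the default, not the checkbox.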

30 Mar 2021 19:18 #6 by mgillespie2
Did you ever get this working? I think I have the same problem.

https://forum.draytek.co.uk/viewtopic.php?f=14&t=24137

I'm thinking there is either a missing part of the puzzle, or it's a straight firmware bug.
