ExpressVPN and Omada?

I had ExpressVPN for a while and it worked great, and I had it built into one of my routers so everything off of that essentially allowed me access to my location-limited subscriptions.

Is there a way for me to incorporate this similarly in my OMADA system? Because I have three EAPs and a couple switches, this would give me a great range of access if there is a way. Even if it’s its own SSID would be fine.

If avoidable, I’m not really interested in having my ExpressVPN router as a branch off my OMADA network (could have done that anytime) as it means physically changing their connections (my Smart TVs are direct connected)… but maybe that’s the only way and I turn off DHCP.

I’m not smart enough to know if I could place my ExpressVPN credentials into a port or switch and make that such a network.

Get a PoE smart switch. E.g. TL-SG2008P

Plug all your EAPs into it and an uplink to your regular router.

Set up a VLAN for the ExpressVPN router. Use ID 2 or whatever.

Configure one of the ports on the PoE smart switch to only have your new VLAN on it instead of “all”.

Configure your uplink port to only have the regular LAN port profile / VLAN.

Plug your ExpressVPN router into the new VLAN port.

Set up another SSID / wireless network that has the VLAN set to 2 or whatever you used above. Now any device on the new SSID will only see the ExpressVPN router.

The ExpressVPN router could use any regular LAN port as a WAN connection.

That all said, I personally use SmartDNSProxy so I only have to change DNS servers.

Okay, I took a stab at this, and this is my third edit, because it wasn’t so clear for a Newbie… but I would have never gotten close to anything without that help. So hopefully this additional info helps others…

NOTE that I already had a prior Router (Linksys WRT3200ACM) that I had used in the past that was configured with ExpressVPN Firmware for that router, which I recommend as it always worked great.

I’d love to learn how to incorporate ExpressVPN without the need of that router, but I haven’t found that yet.

I numbered the points from the reply above and respond after each:

1- Get a PoE smart switch. E.g. TL-SG2008P

I had the SG2210P, worked fine.

2- Plug all your EAPs into it and an uplink to your regular router.

I do have the following: ISP - ER605 - SG2210P - (3) EAP615. OC200 is plugged into switch.

The uplink port (P1) on my Switch goes to my router WAN/LAN1 port (i.e. next to the WAN Port on the ER605).

So 1&2 are done, and worked fine in the end.

3- Setup a VLAN for the ExpressVPN router. Use ID 2 or whatever.

This is done under the “Organization: YourControllerName” section in the Cloud UI, where you then go to Settings (gear in bottom left), and then Wired Networks \ LAN (which then has three ‘tabs’ at the top, but should land on “Networks” tab by default).

This is where I then created a VLAN “Interface”, and I used ID 8 (and named it ExpressVPN-VLAN8 to make it easy for future times when I see it).

It needed me to select one of the Router Port “LAN Interface” boxes, so I checked the box for LAN2 (important note for later, but it’s weird). LAN2 on ER605 is basically the last Port furthest from the WAN.

I suspect this next part might not be important (???), but I set the Gateway/Subnet as 192.168.8.1/27 (which provided me a range to use later if needed), and I chose “8” to keep my VLAN “8” theme consistent (no relation mind you). I also enabled DHCP Server, which translated to a range from 192.168.8.1 - .30

Hit SAVE

I then went to that upper Tab on the same page and selected “Profile” tab, and clicked on the Eyeball for my ExpressVPN VLAN that shows there. This allowed me to select Native Network, and I chose the ExpressVPN-VLAN8 (which I’d just created). I left “Tagged Networks” as is (no selections). I really wish I could have added Images inserted here to help the explanation but don’t see a spot on this Chrome interface to do so on the Reddit site.

Now… the next Tab at the top on this same page is “Switch Settings” and you’ll proceed to next item. Simple enough, but no physical connection yet.

4- Configure one of the ports on the PoE smart switch to only have your new VLAN on that instead of “ALL”

Under that “Switch Settings” tab, you’ll see your Switch listed, and on the far right, you’ll see the Edit Pencil under “Switch Port Settings”. You need to decide which Port on the Switch you will be plugging your ExpressVPN Router into (for me it was P5 which was free), so I edited that Port, and selected the Profile: ExpressVPN-VLAN8, and renamed that port for ease of recognition in the future (P5: ExpressVPN).

5- Configure your uplink port to only have the regular LAN port profile / VLAN.

While in there, find the Port that is your UPLINK (i.e. is fed from your Router). For me that was P1, so I edited that Port’s name as well. I originally left it as ALL, but the advisement above was to select your regular management LAN (typically VLAN1 out of the box). I did change it to that, but it all still worked when I’d accidentally left it as ALL. Would like to understand what the diff is.

6- Plug your ExpressVPN router into the new VLAN port.

So… this is where it got weird for me, but it works.

I ran two cables, both from the LANs of the Linksys WRT3200ACM router.

One went to that Router “LAN2” I mentioned and selected earlier in step 3. Now the weird part is, if I don’t run the cable from the LAN of my Linksys ExpressVPN Router to the ER605, it thinks I’m not in the “other country” pointed to by my ExpressVPN Router, but it seems to have not made a difference if it was in the LAN2 of the ER605, or another port (I tried LAN1 for example). So I’m not sure what that LAN2 selected checkbox did at all.

The other LAN cable went to the Switch Port5 which I’d designated for that VLAN8 in Step 4 above. Now that one is important, or you will not get the signal at all to the EAPs, which you’ll need to set up a wifi channel just for that tunneled VPN (next step).

7- Setup another SSID / wireless network that has the VLAN set to 2 or whatever you used above. Now any device on the new SSID will only see the ExpressVPN router.

Under Wireless Networks / WAN menu in the controller, add a new SSID, and give it a name that makes sense. Give it a Security password (if you want).

Then under the Advanced Settings, select if you want to broadcast that or not, and under VLAN, put in the one you used (8 in my case). I made no other changes below that, but I did choose to use WPA3 under WPA.

Note that I disabled WIFI in my Linksys ExpressVPN Router just so I could rely entirely on my three EAP615s for much better coverage.

8- The ExpressVPN router could use any regular LAN port as a WAN connection.

This is what I covered in Step 6 above.
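
Step 5 in the post above asks what changes when the uplink port is left on “All” instead of the LAN-only profile. As an added example (not from the thread or from TP-Link), this small model of the switch's port profiles shows where a VLAN 8 broadcast from the VPN SSID ends up in each case; the port names, the single EAP port, and the assumption that “All” means native LAN plus every other network tagged are constructed for illustration.

```python
# Constructed model of the thread's SG2210P port profiles (not Omada code).
# A profile is (native VLAN for untagged frames, set of VLANs carried tagged).
LAN, VPN = 1, 8  # VLAN 1 = default LAN, VLAN 8 = ExpressVPN-VLAN8 from the post

def profile_all():
    # Assumption: the default "All" profile = native LAN, other networks tagged.
    return (LAN, {VPN})

def profile_lan_only():
    # Native LAN, nothing tagged.
    return (LAN, set())

def profile_vpn_access():
    # The ExpressVPN-VLAN8 profile from step 3: native 8, no tagged networks.
    return (VPN, set())

def build_switch(uplink_profile):
    # Hypothetical port names; only the uplink profile varies between runs.
    return {
        "P1-uplink-ER605": uplink_profile,
        "P2-EAP": profile_all(),          # EAP needs VLAN 8 tagged for the VPN SSID
        "P5-ExpressVPN": profile_vpn_access(),
    }

def egress(switch, ingress_port, vlan):
    """Ports a broadcast in `vlan` leaves by, and whether it leaves tagged."""
    out = {}
    for port, (native, tagged) in switch.items():
        if port == ingress_port:
            continue                      # never sent back out the ingress port
        if vlan == native:
            out[port] = "untagged"
        elif vlan in tagged:
            out[port] = "tagged"
    return out

def vpn_ssid_broadcast(uplink_profile):
    # A client on the VLAN 8 SSID broadcasts (e.g. a DHCP discover);
    # the EAP hands the frame to the switch tagged with VLAN 8.
    return egress(build_switch(uplink_profile), "P2-EAP", VPN)

if __name__ == "__main__":
    print("uplink = All      ->", vpn_ssid_broadcast(profile_all()))
    print("uplink = LAN only ->", vpn_ssid_broadcast(profile_lan_only()))
```

With the uplink on “All”, VLAN 8 frames are also delivered to the ER605, which in the post has its own VLAN 8 interface with DHCP enabled; with the LAN-only profile they only reach the ExpressVPN port.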

Hi, I’m trying to do the same here, but with a Netgear R7000 with the ExpressVPN firmware. One thing I don’t understand is if you aren’t supplying your ExpressVPN router with something to the WAN port, how is it getting connected to ExpressVPN? - As soon as I remove its WAN connection to a LAN from my Omada switch, it loses connection? Or am I missing something obvious here?

I have it working to some extent, but cannot access anything connected to the VPN VLAN from other vLANS, which with no ACL should work.

Also, one more thing please. What have you got as your ExpressVPN router’s IP address? - for eg: to get mine working I’ve had to set it to 192.168.1.2 - which is also what I’ve set the gateway to be on the vLAN - otherwise if I used 192.168.1.1 there’d be a conflict with the Omada, stopping the VPN working. This in turn stops Omada from ‘controlling’ the attached devices as they are only seen by the ExpressVPN router and not the omada vLANs… if that makes any sense?

Also, I’m trying this set up as I had successfully connected my ER605 via openVPN to ExpressVPN, which seems to be pretty stable, but it’s sooo slow, with a speed test of around 10Mb/s max, whereas with the Netgear R7000 with ExpressVPN firmware I am getting at least 5 times that. Now maybe 10Mb/s is fast enough, but I’d love to try and get the Netgear working seamlessly with the Omada setup.

Cheers

Sorry I was slow to respond, and I might not fully answer here due to time, but in hindsight I wasn’t as clear so perhaps I should edit the above… my ExpressVPN router’s WAN is actually plugged into my ER605 router’s LAN2, (so it’s got access to the world like my regular network), and that Port PVID was set to 8… and then the LAN of the ExpressVPN router feeds that SG2210P switch port which was configured as I’d mentioned above.

I’m really a newbie just plowing through things trying to learn from great folks like this forum.

The IP address that seems to be assigned to the ExpressVPN router is 192.168.132.1, though I’m not savvy enough to understand why… my devices all have the 192.168.4.xxx address, except for anything on the client side of my ExpressVPN router which is 192.168.8.xxx … would you know why the ExpressVPN router would show 192.168.132.1 ??