Hi. I think likely I have set up the router wrong, but here's the situation:

1) I set up a VPN client connection to PIA using their guide (https://www.privateinternetaccess.com/pages/client-support/tomato-vpn)

2) I know the connection works. If I ssh into the router while the VPN client has started, I can run:

    wget -qO- http://ipecho.net/plain ; echo

This gets my external IP address, and it's not the one provided by my ISP. So from the router, the VPN client is working. (If I stop the client and re-run the wget command, I get a different IP address.)

3) I connect to the router over wifi on my tablet.

4) My external IP on the tablet is still my ISP-provided one.

I conclude from this that although the *router* is operating over the VPN, anything connected to it is not routing through the VPN client.

Some notable settings:

Running Toastman Tomato Firmware v1.28.7483 MIPSR2-Toastman-RT K26 VPN [it's an older version, but it's small enough to fit on the router I'm using]

This router is actually acting like a switch, I think. My ISP-provided modem/router combo is running the DHCP server. That device is at 192.168.2.1, so my Tomato router is running at 192.168.2.3.

Under Basic > WAN I have it set to 'Disabled', and 'Use WAN Port for LAN' is enabled.

Other than that, in the LAN section:

Router IP Address: 192.168.2.3
Default Gateway: 192.168.2.1
DNS servers: 220.127.116.11 / 18.104.22.168

My suspicion is I haven't configured my Tomato router as a switch/repeater correctly, so connections coming into it actually immediately route to my ISP's modem/router.

I actually have always set up routers this way, which always felt strange. I am trying to avoid double-NAT, which is why I'm letting the ISP router do DHCP, but I may not know what I'm doing. I have always thought that I need to keep the ISP router as the "main" router since it's the one connecting to the internet, but I may be totally wrong on that.

Thanks for reading.