2 Wireless CH's. One w/ VPN One W/O VPN

Hi All,

First time user of LEDE and slowly getting my head around how it works.
First question:

Is there a way to have one wireless channel, say a 2.4ghz network strictly filter all activity through a VPN and another wireless channel, say the 5.0ghz network handle traffic in a normal manner, with no vpn.

The plan is to have 2.4 have a US based VPN or smart DNS so we can watch US Netflix from our Apple TV etc where we live in Australia, and the 5.0 just handle traffic as usual.

My thought is to create another LAN interface and link the VPN/DNS into that which then is transmitted over a 2.4 network, however with my limited info on LEDE i'm not keen on breaking the modem and having to reset and config it all again.

Thank you

  • Edit have Open VPN package installed *

Can't you change the DNS on the ATV itself ?

Yes this is not too complicated.

First configure OpenVPN to connect to your service. It is highly recommended to not use the UCI or LuCI configuration methods especially if the VPN service provides a suggested .ovpn configuration file. Instead copy that file to your router and set /etc/config/openvpn to load it.

Create two new networks, for example call them vpnuser and vpntun. The user network will be bridged to the wifi and / or wired interfaces that you want VPN users to connect to. The tunnel network is the entrance to OpenVPN.

vpnuser should have a static IP and a DHCP server. vpntun will get its IP from the VPN provider. You then need two firewall zones, can also be called vpnuser and vpntun, to forward and NAT from vpnuser to vpntun.

Finally create a wifi AP and link it to vpnuser. You can have two APs on the same band with different names if you want.

All of this will co-exist alongside the standard lan to wan non-VPN routing, which will continue working as before. Of course your vpnusers must have a separate IP range than anything else that is on the router.


Absolutely, however the issue occurs when we would like to watch something not available on US Netflix for arguments sake. That would mean changing the DNS every time, where just changing the wi-fi connection would be easier and more versatile :grinning:

1 Like


Great! I'll give it a go and reach out if I get stuck on the way

  • Add firewall rule to mark traffic by source network.
  • Add custom routing table.
  • Add network rule to use custom routing table for specific source network.
  • Add network route in the custom routing table to use specific default gateway.

EDIT - Disregard, I figured it out :slight_smile:

@nicho1s did you get this working? I'm in AU and looking to do the same thing, a bit of a networking noob though so I was hoping you could point me on the right track to set it up.

My setup differs in that I'm using WireGuard instead of OpenVPN cause I get way better throughput with it.


Use vgaetera's recipy or use policy-based routing.

1 Like

All good I did use vgaetera's advice from another forum, and thanked him for it. Setup policy routing (vpn-policy-routing package) which is working fine.

This might be a coincidence but I noticed after I set it up that the WLAN that has the policy to route via the WAN rather than the default VPN (Wireguard) is slower than the VPN WLAN. Any idea why that would be, is there just some overhead associated with the policy routing perhaps?