Configuring a single SSID from a Dumb AP to route through OpenVPN

Howdy folks, tearing my hair out here, hopefully someone can help.

I have a situation where an ISP router cannot be replaced (even if it was, Wi-Fi wouldn't reach to where I need it), and I have a TP-Link Archer C7 on OpenWRT 19.07.7 running as a dumb AP without issues on my LAN (, my gateway is I was also able to configure NordVPN without issues but of course my devices will just go through the LAN without doing anything here. If I temporarily configure my Archer C7 back into a router (by plugging my LAN cable into the WAN port and re-enabling DHCP), then my traffic goes through the VPN, no issues.

The hard part here is configuring the following:

Access Point 1 ("Main Wi-Fi") = Normal LAN access, no VPN.
Access Point 2 ("VPN Wi-Fi") = All traffic tunneled via NordVPN.

I've followed countless guides and my head is spinning, and I can't seem to get anything to work properly. Having a dual-NAT situation works, but I still need to access my LAN so this isn't going to work for me.

What do I need to do get this to work? I was going to try to run an ethernet cable from my LAN port to the WAN port and maybe setup a guest network that goes through the WAN only, but even then I am not sure if this is the right way to go about things. Any advice would be appreciated.

Simplest thing would be to keep routing like you are, and change the wan network to be a bridge (go to Physical Settings and check the "bridge" box). That makes it possible to attach a "main" AP to the wan so it bypasses any VPN or routing. Those users will go directly out the WAN port to your main router's LAN in the usual dumb AP way.

1 Like

Thank you, this actually worked! The general premise to get this to work is as follows:

  1. If your OpenWrt router is currently configured as an AP, you will need to reconfigure it to be a router, at least temporarily. It will need to exist on a different subnet for things to work (eg., where LAN is, and your WAN port needs to be connected to your LAN.

  2. Ensure your router is configured correctly to tunnel via your VPN.

  3. Create your Wi-Fi SSIDs as desired. When you get around to configuring your Wi-Fi SSID for standard LAN access, set "wan" as the interface, rather than "lan" and save your config.

  4. We now need to configure the firewall to enable WAN bridging to function.

  5. Go to Network -> Firewall

  6. Go to Advanced Settings.

  7. Under the “Covered Devices” section, ensure that your WLAN interface (eg. “wlan1” is selected.

  8. Save and apply changes.

  9. You will now probably want to make changes to be able to remotely manage your router. To do this:

  10. Go to Network -> Firewall -> Port Forwards

  11. Port forward port 80 and port 22 to your router’s IP address.

  12. Done! You should now be able to manage your router via the WAN interface’s IP address.

  13. Your WAN interface’s IP address may change periodically. It is recommended that your primary router assign a static lease so that remote management is easier.

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.