as i heard that openwrt is a good OS for routers, especially as VPN client.
eg for AP or even for AP+sta
i was thinking, due to the tons of online services now backlisting "anonymous services providers", as most and most of commercial EU services.
i was thinking a new feature : a way to the user/device/LanIP to get either through direct internet, or through VPN, without going to ssh/admin on the router.
here is the thing : the goal is that IP N.N.1.23 device, as a linux laptop, android or ios device, behind a owrt router, might be able, regarding how owrt is configured, to choose going to the vpn or directly to the internet, depending on a specific protocol?
i was thinking :
case1: attribute each IP to a owrt's router linux username
then allow a specific SSH's user environnment to enable or disable going to router's vpn or DC
case2: or most pratcical and simple : router's webpage detects the LAN IP, and with a simple button permits to enable or disable the computer going through the vpn.
in fact, the first case would be to low space storage router (eg 4MB) to avoid getting a webserver just for this. But for correct sized, using a kind of web page for each IP might be good.
the feature is, Mr&Mrs Martin have their four children
in holidays, they use the internet connection of their neightbors
because of legal issues, they have their own router. But it's not their internet connection : they're enjoying AP+STA mode.
means the sta connect to another router they're allowed to (eg airbnb, cousin address, public shop's wifi access)
the thing is :
they dont know what their teenagers do online.
for safer reasons, they know they are not on their internet access
so the father took the initiative of putting a VPN client into his openwrt's router.
it works well.
all traffic goes through a dedicated connection, to be sure in case of a problem with maybe lawsuit issues, the original owner/subscriber of the internet connection will not be concerned.
that's the first thing.
but there it is :
by default all lan devices (computers/phone/tab/etc) goes through the VPN for reasons explained previously. But. There is a but, if no, no topic But, most and most commercial websites asks to avoid anonymous services. Eg mother's favourite online's sales websites blocks VPN incoming connections ; same for her bank's, asking by text to "use national connection, not anonymous services" by blocking login access.
That means, at a moment, without having to ssh into the router each time, to get by exception, traffic of a lan ip going temporarly, for few minutes only, direcrly on the internet, without going to the VPN, meanwhile all others (or few others) lan ip still goes only through VPN.
that is the main idea : using a webpage to temporarly disable the VPN direct access for that lan ip only, or using an android app to configure it...
With PBR I route all DHCP acquired leases via the WAN (start 64 for 64 address, PBR 192.168.x.64/26
Everything else thus goes via the VPN.
On my laptop (when using ethernet) I have a windows utility (there are several e.g. NetSetMan or Free IP switcher) to switch my IP address and thus switch from WAN to VPN very easily.
For Wireless clients I have a guest wifi with SSID VPN which is routed via the VPN and normal wifi via the WAN, easy to switch wifi on your laptop/phone by switching wifi.
But, most and most commercial websites asks to avoid anonymous services. Eg mother's favourite online's sales websites blocks VPN incoming connections ; same for her bank's, asking by text to "use national connection, not anonymous services" by blocking login access.