How to route WLAN to VPN while keeping LAN routed straight to WAN

Hi everyone,

I have OpenWrt 18.06.0 running on a Netgear DGND3700v1 and can quite happily have it connect to my OpenVPN (streisand) server with all traffic routed via the VPN on tun0. However, due to the router's limited processing power, speeds are pretty slow when using this method, so I'd like to have all LAN traffic bypass the VPN and go straight out of the WAN interface. This way everything connected wirelessly gets VPN by default and everything hooked up with a cable gets full speed and can run a VPN client themselves if required.

However, I have had zero luck in getting this working. I can have everything routed via VPN, everything routed via WAN without VPN, but never a combination of the two. I've followed guides concerning setting up a second routing table, I've tried WAN and LAN bridged and I've tried using the vpnbypass service, nothing has worked.

The setup I would like is to have WAN, LAN, WLAN and VPN interfaces, with WAN getting its connection via DHCP, LAN using, WLAN using and routing configured between LAN and WLAN (no bridging). I should then be able to use vpnbypass to specify as the address range to bypass the VPN. I don't need to support IPv6 in this environment, so I don't mind if it's present or not.

When I last got close to this setup everything worked except the bypass; entering an address or address range would result in clients on the range losing WAN connectivity completely.

I've definitely spent too many hours on this already, so if somebody with more experience is able to advise, I would really appreciate the help. Most tantalising are the instructions on the Streisand GitHub page for OpenWrt where it says "TODO: Add necessary code to have one WiFi Network with VPN and other without (in a few days)...". Ah, well.



Start with a basic router configuration. You want the pre-defined LAN and WAN networks to exist as if there is no VPN.

Install openvpn and configure to connect to your vpn server and create a tun0 vpn tunnel. This connection goes through LAN and forwards to WAN like any internal Internet use does.

Then create a new network and two new firewall zones.
Network: vpnuser (bridge mode. Static address and DHCP server. IP network must not overlap any of your other IPs)
Firewall zone vpnuser (attach to network vpnuser)
Firewall zone vpntun (attach to tun0. Enable masq and mtu_fix)
Set up a forwarding rule from vpnuser to vpntun
Connect wifi AP to vpnuser

Bonus: Set up switch VLANs so some of the Ethernet ports go to vpnuser while others continue go through LAN.


Thank you for your help; I've followed your advice as best as I can manage, but it's not working yet... I got the system to the point where everything worked without OpenVPN installed; both LAN and WLAN with and ranges respectively could both access the internet and communicate with one another.

After installing OpenVPN using the GitHub instructions, the WLAN connection could no longer see the internet at all and the LAN connection was automatically routed through the VPN. No matter how much tinkering this evening, I didn't manage to get the LAN to bypass the VPN, nor could I get the WLAN to access anything at all.

I've uploaded the current DHCP, firewall, network and 'streisand' config files here on GitHub's gist-it.

All suggestions gratefully received!



Okay, so I've updated the gists on GitHub with something less obviously cobbled together late at night, but I still have had no luck in getting this to work. I've basically reverted them to my vanilla no-VPN configuration - which is working perfectly right now. LAN and WLAN can ping one another, both get internet access through WAN, nothing goes through tun0.

I've also used the 'pull-filter ignore "redirect-gateway"' option in the streisand.conf which allows me to bring up and take down the tun0 interface without interfering with anything else.

@mk24 I've tried your suggestions, but I can't spot how to attach the 'vpntun' firewall rule to the tun0 interface - should I have another network configured in order to do this? I've tried doing so, but again, no traffic flows.

If someone could have a look at my config files and figure out from them how I would route the WLAN to the VPN, it'd be a massive help, because I'm going around in very slow circles with this.

Config Files on GitHub

I did try to post all the links in a nice neat list, but as a newbie I'm only allowed two links per post, so apologies!

Thanks, everyone.

Hi Andy, did you achieve this in the end? I'm looking for something similar.
I want to acchieve
Wifi-Normal -> Internet
HideMe-Wifi -> VPN
LAN -> Internet

with openvpn, using the last openwrt-19.07

Thanks in advance.

1 Like

No, I gave up and opted for a different solution.

I was able to have everything go via VPN or not, controlled simply by turning VPN on or off and changing the colour of the Internet LED as an indicator, but never managed to split WLAN through VPN and LAN direct to Internet.

In the end I opted to use the 'connect on demand' feature of .mobileconfig files under iOS to keep a VPN connection alive on my wireless devices straight to my VPN server. The bonus being that I could have an always-on VPN with no slowdowns on any network, not just via the DGND3700v1.

I also switched from Streisand to Algo as I didn't require the plethora of features provided by the former.

Sorry not to have more positive news on the OpenWrt side of things, but at least the router has been solid all this time. I'm using it right now. Not even sure it's been rebooted since my last post. :slight_smile:

Hi I exactly would to do thar
Wifi-Normal -> Internet
HideMe-Wifi -> VPN
LAN -> Internet

Did you try Sharing my VPN client router recipe
I can't do it works. let me know if you do.

this one works for me
but do not talk about dnsleaks

This type of thing is accomplished by using policy routing and the iproute2 utilty "ip" and it's associated commands ip route and ip rule along with tables defined in /etc/iproute2/rt_tables. I currently use it to route some traffic through a vpn. I do this based on destination network, but I've previously used it to bond two links together and routed through each link based on source address, which is what the OP was looking to do.

@stangri released a vpn policy routing package which is available in the packages. I've not installed it and looked at it, but it may do what you want

1 Like

can help

In such cases you need to do Policy Based Routing and you have 3 options:

  1. mwan3 package
  2. pbr package
  3. a set of rules/routes for each internet connection.

I would advise to use pbr package as the easiest.