How to use OpenWrt, SQM, and VPN on multiple connected routers?

Hi All,

I'm new to OpenWrt and planning to set up a network at my home with two routers. Here are some of the constraints on the network and some questions I have. I would really appreciate it if you could answer my questions.

  1. I'm planning to run VPN on one of the routers all the time (let's call it the VPN router) and have no VPN on the other (let's call this one the no-VPN router).
  • The no-VPN router allows me to log in to my bank account and other websites that don't allow VPNs.

  • Based on this constraint, I assume the no-VPN router should be connected directly to the modem while the WAN port of the VPN router should be connected to the LAN port of the first router. Is this assumption correct? Is it the only way to achieve 1.?

  1. I think the VPN router will perform more computations because of the VPN encryption/decryption so this router should be preferably stronger than the other. Is this conclusion valid?

  2. Which router should run SQM? I know that SQM should be deployed on the router that has a global view of all communications. Therefore, it looks like the no-VPN router should run SQM.

  • Is this assumption true?

  • If yes, how strong should this router be? Is SQM compute-intensive?

  • In this case, the users of VPN router are no longer fairly serviced, right? (Because the no-VPN router only sees one incoming/outgoing stream of data and is not able to differentiate different users)

  • If I plan to use the no-VPN router rarely, does it make more sense to set up SQM on the VPN router? Would the no-VPN router suffer from bufferbloat?

  • If yes, is it straight-forward to have both SQM and VPN on the same router? (I use Linux and terminal on a daily basis but I'm not very familiar with networking)

Thank you in advance!

This can be achieved on the same router. If that's your only reason to have 2 routers you don't really need 2.


Thank you. I have searched a little bit about that but I couldn't find an easy way of achieving it without opening the GUI or SSHing to the router. I want to make sure it's easy for all family members, young and old :smiley:

If there's anything I have missed, I would really appreciate it if you could give me a few pointers to look at.

I just found your vpnbypass and vpn-policy-routing. But I wouldn't be able to install it in the next few days. Kudos on developing such a useful package.

I have also seen people suggesting creating multiple interfaces and using VPN on one but not the other.

As I mentioned earlier, I'm a novice OpenWrt user and it takes some time for me to digest those suggestions.

Yes, to control WAN side bufferboat that is the best solution.

Note that if you use wireguard you probably should consolidate everything into one router, wireguard running on the same host as cake can tell cake about the true flow identity of each packet, allowing cake to treat tunneled packets as if they come from individual flows instead of treating the complete tunnel with all its content as a single flow.
If you stick to the dual router set-up, I would recommend to configure the primary router's SQM at least for per-IP-fairness (to guarantee at least some level of service for the tunnel traffic).


Thank you, this is very helpful.

Great, I'm in the process of installing WireGuard and SQM. Is there any configuration I should set for cake to be able to achieve what you explained?

Additionally, because I haven't found an easy solution for having and not having VPN on the same router, I was thinking of enabling WG on one band, e.g. 5.0GHZ, and disabling it on the other. Would your proposed solution still work in this case?

I believe that this is a no configuration required thing, maybe @tohojo could give a more authoritative response? Toke, could I ask, does wireguard on an openwrt router need any tweaks or configuration to transmit the packet hash to cake?

Not the most automatic solution, but clearly a simple solution (that allows disambiguation by just naming the SSIDs appropriately). I actually like that a lot.

Yes, SQM on wan should still work, and also the passing of the packet hash. BUT I have no first-hand experience in this, so I could well be "out to lunch" here.


Depending on your needs you may not even need a separate package, @vgaetera and @trendy seem to be ones of the most helpful/knowledgeable networking/vpn experts on the forum, they may provide better advise than my suggestion to use vpn-policy-routing package. Definitely easier to use VPR if you want selective routing based on domain names, but if you only want to have a single computer on the network to be behind VPN you don't really need a separate package for that.

Welcome to the forum and good luck!


Thank you all for your replies.

Yes, especially in countries with all kinds of firewalls and restrictions, it's a lot more important to get the configurations right. The VPN adds a lot to the latency and I'm hoping SQM would ameliorate the issue to some extent.
In such situations, almost all devices are behind the VPN most of the time but need to disconnect from it from time to time.

SQM cannot do miracles; if you decide to use vpn, then you are adding some more hops between your router and the server you connect to. Consequently you increase the latency in a way that SQM, or anything else, is unable to help.

My advice is that for a handful of devices always connected to vpn, a set of rules/routes for each internet connection is enough. Otherwise for more complicated scenarios and easier on/off toggle, vpn-pbr is the way.


Thank you all for your comments. They've kept me thinking, reading, and learning.

Based on your suggestions, I've decided to use a single router. Now, the solution that seems to be easily implementable for me is:

  1. Pass all default LAN traffic to a WireGuard zone
  2. Create guest SSIDs and pass their traffic to the WAN zone

What I initially had in mind for this was to follow Mullvad's tutorial for setting up WG on the router to achieve 1. Then, I could create the guest SSIDs according to this and pass their traffic to the WAN zone.
However, it looks like this solution requires Masquerading and MSS Clamping to be turned on for both zones. After doing that, I completely lose my internet connection.

There seems to be a relatively recent tutorial that achieves similar goals (i.e. VPN on the guest network instead of the main network). However, it defines a custom guest network routing (and routing table?), which I'm neither familiar with nor can get to work on my router even when I follow all the steps.

Is this custom network routing necessary?
Can I somehow enable Masquerading and MSS Clamping on both WAN and VPN WAN?

Yes, it is. You want to have two different gateways depending on the source.

They are enabled by default.


They are enabled by default.

Thank you. Can they be enabled on both WAN and the VPN WAN?

Sure, you can either add the vpn interface to the wan firewall zone, which has them already. Or create a new zone in firewall for the vpn and enable masquerade and mss clamping.


You need to disable NAT mode and host modes. So when configuring use flows nonat and make sure you don't have any of dual-srchost/dual-dsthost/triple-isolate.


Thanks! One more question, will this also work for incoming packets? I would guess not, since they will be queued/marked/dropped before being decrypted and hence before and identifier becomes available?

1 Like

moeller0 via OpenWrt Forum writes:

Thanks! One more question, will this also work for incoming packets? I
would guess not, since they will be queued/marked/dropped before being
decrypted and hence before and identifier becomes available?

Yup, exactly :slight_smile:


@maximusc that would indicate that things are slightly less rosy than I painted them....

1 Like

Thank you all for your helpful responses. Here is a summary of some of the responses, what I have done so far, and what is still left. I will share my experience here in case someone is interested in having two connections, one with a VPN and another one without a VPN.

  1. You don't necessarily need to have two routers to set up a with-VPN and a no-VPN connection (thanks to stangri for bringing this to my attention). You can simply set up something like the guest network explained here to have both options on the same router (there are other ways of achieving this goal but I found the one I shared the most understandable and easy to implement). In my case, I used the 2.4GHz radio for the no-VPN connection and the 5.0GHz radio for the with-VPN connection.

  2. You can use SQM even when you have set up a VPN connection, e.g. one based on WireGuard (according to moeller0 and tohojo's responses). I assume you can do that by

but I haven't done that yet. If you use WireGuard, you probably need to add 60 to the per packet overhead according to this post.

  1. Because you now have a with-VPN and a no-VPN connection, you probably need to have something like two SQM instances. This is something I'm still struggling with but this post and this post seem to have some good pointers on how this can be handled. Although I'm not sure if the solutions explained in these posts are compatible with tohojo's configurations summarized in 2.