Implementing VPN cascading with 2 OpenWrt devices

Hi there all!
I've already broken my brain over how to implement such a scheme. Maybe it is not possible at all. Anyway, I would very much appreciate any help.

Well, I have:

  1. two OpenVPN servers on two different VPS (fully accessible to me).
  2. two OpenWrt routers

What I'm trying to achieve is to connect these two OpenWrt routers in the following way:

  • Router#1 connects to the VPS1 OpenVPN server and uses this tunnel to provide an internet connection to Router#2, which is in Router#1's LAN subnet.
  • Router#2 uses Router#1 as WAN (default gateway). Router#2 also connects to the VPS2 OpenVPN server and uses this tunnel to provide an internet connection to Router#2 LAN clients.

I would like to understand whether it is really possible to implement VPN cascading. All that I have achieved is that when I check my current external IP from the Router#2 terminal, for example with curl, I see that I'm using the correct IP of the VPS OpenVPN server#2. I can also ping, e.g., from Router#2. But when I try, for example, to run something like opkg update, nothing works; I see only errors like "unable to download packages" or "check you internet connection". When I try to connect to the internet from a Router#2 LAN client, I can neither browse nor do anything else; I can only ping the default gateway of the client (which is Router#2).

I've tried VPN policy routing on Router#1 to route only the LAN subnet traffic (where Router#2 sits) through the VPN#1 tunnel, but with no success. The result is the same. Is it worth continuing to try to implement such a scheme? If yes, could somebody tell me where the issue is? I suppose it is with routing, but I have no idea which routes should be added and where. I thought that it would be enough to use VPN policy-based routing to achieve what I want, but... Help please! I've lost all hope of making the scheme work over the last 2 weeks. Thank you in advance.

When you see this kind of message, check from OpenWrt:


If there's an error, post the error message.


Hi vgaetera, thank you for the reply.

Find below the output of traceroute (from router#2 command line):

traceroute to (, 30 hops max, 38 byte packets
1 ( 153.524 ms 157.782 ms 159.454 ms
2 (xxx.yyy.zzz.1) 159.473 ms 158.293 ms 158.692 ms
3 (xxx2.yyy2.zzz2.1) 159.359 ms 157.734 ms 159.458 ms
4 (xxx3.yyy3.zzz3.5) 159.471 ms (xxx3.yyy3.zzz3.1) 157.921 ms 157.998 ms
5 (xxx4.yyy4.zzz4.245) 159.790 ms 157.874 ms (xxx4.yyy4.zzz4.21) 159.751 ms
6 ( 158.053 ms ( 98.887 ms ( 116.417 ms
7 * * *
8 ( 173.547 ms ( 193.550 ms 98.677 ms

traceroute to (, 30 hops max, 38 byte packets
1 ( 95.867 ms 129.067 ms 159.710 ms
2 (xxx.yyy.zzz.1) 103.422 ms 134.198 ms 159.654 ms
3 (xxx2.yyy2.zzz2.1) 159.814 ms 157.971 ms 159.581 m
4 (xxx3.yyy3.zzz3.5) 160.843 ms (xxx3.yyy3.zzz3.1) 156.983 ms 157.990 ms
5 (xxx4.yyy4.zzz4.245) 159.660 ms 143.293 ms (xxx4.yyy4.zzz4.21) 159.775 ms
6 ( 156.448 ms 156.467 ms 159.407 ms
7 * * *
8 * * *
9 * * *
10 ( 196.399 ms 153.904 ms 159.785 ms

I've replaced some IPs related to my VPS with xxx...xxx4, yyy...yyy4, zzz...zzz5 (I think this is not important. The 2nd hop - (xxx.yyy.zzz.1) - is my VPS2 server gateway, and it is exactly the same as what I see at ip link of my VPS2 server).


Please folks, somebody help! I've been trying to achieve this for about a month with no results :sleepy: I really have no clue where the issue is... Please, help! :sleepy: :sleepy: