Making a Non-VPN connection aside a guest-VPN wifi


I have a router on OpenWRT 19.07.
Il configured an OpenVPN client using the 4.1-b of this tutorial :

All works well but all the trafic goes to the VPN.
I would like to have a non-VPN connection with 2 ethernet ports and a wireless network in parallel with a guest network (two ethernet ports and a dedicated wireless network).

The problem is that using the tutorial, I don't see how to disosiate wan from VPN ?

Does someone have an idea on how to ?

Sorry if I'm not clear, I'm a beginner and English is not my main language.
Thanks in advance for your help,

You would need to isolate those two ports from the rest of the lan in a new vlan. Then create a new network interface for that new vlan. Then with a little help from pbr package you can select which source will use which connection.


Thanks a lot,

I started creating VLANS and it seems to work.
pbr is exactely wat I was looking for ! I searched for days the parameter to assign the VPN to an interface...
pbr i not trivial but at least I know where to look for. Id you have a tutorial, I'm interested^^


In its readme there are a lot of examples and analytical instructions.



I read it but i can't find the VPN in the interfaces, I only have WAN and WAN6.
Do I have to rename it to tun ?
Where should I do that ?

  • in the ovpn file ? I already have a dev tun file
  • somewhere else ?

Thanks in advance,

Tun* and tap* interfaces are supported by default.
What is the output of ip -4 addr; uci export vpn-policy-routing ?



Here is the result :
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
inet scope host lo
valid_lft forever preferred_lft forever
6: br-VPN: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet brd scope global br-VPN
valid_lft forever preferred_lft forever
8: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet brd scope global br-lan
valid_lft forever preferred_lft forever
10: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet brd scope global eth0.2
valid_lft forever preferred_lft forever
36: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
inet peer scope global tun0
valid_lft forever preferred_lft forever
package vpn-policy-routing

config vpn-policy-routing 'config'
option verbosity '2'
option strict_enforcement '1'
option src_ipset '0'
option dest_ipset 'dnsmasq.ipset'
option ipv6_enabled '0'
list ignored_interface 'vpnserver wgserver'
option boot_timeout '30'
option iptables_rule_option 'append'
option iprule_enabled '0'
option webui_chain_column '0'
option webui_sorting '1'
list webui_supported_protocol 'tcp'
list webui_supported_protocol 'udp'
list webui_supported_protocol 'tcp udp'
list webui_supported_protocol 'icmp'
list webui_supported_protocol 'all'
option enabled '1'
option webui_enable_column '1'
option webui_protocol_column '1'
list supported_interface 'UVPN_FR_TORRENT'

config include
option path '/etc/'
option enabled '0'

config include
option path '/etc/'
option enabled '0'

config policy
option interface 'wan'
option src_addr ''
option src_port '0-6535'
option dest_addr ''
option dest_port '0-6535'
option name 'UVPN_FR_TORRENT'

What is this interface?

Not sure if it is a typo when you were masking the IPs but br-lan and eth0.2 seem to have the IP in the same subnet.



I made br-vpn same as there is br-lan and attached it to the VLAN linking the port I want to pass through the VPN.

Should I remove it or do it diferently ?


For sure it won't work with a tun interface. You'd need a tap interface for bridging.

This doesn't look right to route the VPN network to the WAN.

1 Like