Multi-tunnel VPN WiFi in OpenWrt

I have some questions about some networking stuff.
Here is my situation:

ISP-A provides 5Mbps Internet Speed along with 100Mbps IX (Local Bandwidth)
ISP-B provides 50Mbps Internet Speed along with 100Mbps IX (Local Bandwidth)
ISP-C provides 100Mbps Internet Speed.

Here ISP A & B are in the same region. In that region, the government blocked most of the sites. ISP C is hosted in another country where there are no internet restrictions.

The issue is, ISP-A is my primary internet connection. I use it to connect to ISP-B, so I can get higher bandwidth using VPN. The problem is both ISPs blocked most of the sites. So I need to connect to ISP-C from ISP-A. If I use this, my connection speed is capped to 5Mbps. But if I set up ISP-B as a VPN WiFi router and connect my Android as a client, then I can connect to ISP-C. This way I get everything: I can get the maximum internet speed that ISP-B allows, along with no restrictions.

Now my question is, how can I set up this thing in OpenWrt? I set up a VPN server at each end (ISP-B & ISP-C). I installed the SoftEther VPN and ShadowsocksR. SoftEther provides L2TP, IPSec, OpenVPN, SSTP, MS-SSTP.

Right now, I'm using a Raspberry Pi as hostapd with the SoftEther VPN Client. I bridged both interfaces so it can work like a DHCP router.

It would be great if I were able to set it up in OpenWrt.

I'm not sure I understand. Is this a hypothetical scenario or an actual case?

Unless this is a community or a house with a very big number of users, I would just settle for 50 Mbps and keep things simple enough. (Or I would actually just change my ISP subscription from A to B.)

What router do you have? You are going to need considerable CPU power.

1 Like

You can try to balance the load between VPN-interfaces:

1 Like

This is a real case.
In my country internet cost is so versatile depending on the place. Like if you stay in the city you will get 5Mbps internet for 6$/Month, also 12Mbps for 12$/Month. On the other side, people living in the village have to pay 12$ for 512Kbps/Month !!!

But both users are getting a good amount of local speed, so I am able to make a bypass to the high-speed server. For example, a village user rents an internet connection for 12$ (512Kbps Global, and 30Mbps Local); meanwhile he purchases a VPN from an ISP in the city for 12$ (12Mbps Global, 100Mbps Local). So that's a win situation. Because the ISP in the village is not allowing the city ISP to provide internet access through wire, they got huge corrupted syndication.

I have made a research paper about this, and I am working to make an upgrade of my current project. This project might help people in Asia and Africa a lot.

For my use case, I have a GL-MT300N v1. I can use any high-end OpenWrt router. Right now I'm trying to build the prototype.

1 Like

No, it's not about a load balancer, I guess. If you check my post, if I pass my traffic to the ISP-C VPN I will not get good speed. But if I am able to make ISP-A > ISP-B > ISP-C, in that case I will get maximum internet speed. In other words, I have to pass internet using ISP-B.

Well, I can't answer your specific question, as I haven't played enough with VPN myself, but I still suggest that you make do with ISP A --> ISP B for your case. 50 Mbps is already good enough, and probably the extra speed is not worth complicating things.

That looks like a routing issue.
Disable automatic routes and add them manually.

Are you saying that he only needs VPN at his end point (i.e. global VPN subscription), then force his routing to go through ISP-A (naturally), ISP-B and ISP-C before it makes its way to the VPN server?

@Hegabo, this statement makes me believe that @amanjuman has a routing issue:

Running 2 VPN instances with automatic routing makes it impossible to use nested routing and will definitely result in a race condition.

If I properly understand what he said, he was connecting from a device at Location A on ISP-A to a device at Location B on ISP-B (via VPN provided by ISP-B, to unblock blocked sites), and then at the same Location B he is making another VPN tunnel to Location C.

And he wants to use OpenWrt at location B, where there is a VPN tunnel to the downstream, going to Location A, and another to the upstream going to Location C.

What I don't understand, however, is what kind of connection is provided by ISP-B. Because if we are talking about VDSL, then the upload bandwidth (which would effectively be the download bandwidth of Location A) would be limited.

1 Like

Basically I have a home internet connection, aka ISP-A, where I use a Raspberry Pi to connect to ISP-B, aka a datacenter VPS.

So if I use hostapd on the RPi, I can use ISP-B internet with 50Mbps speed. Now that I have ISP-B internet on my Android, I can use any VPN app on Android to connect to any outside VPN outside my region. Which means I used (ISP-A > ISP-B) > WiFi > ISP-C (VPN).

My question is: I'm sitting at home, and I'd like to make a WiFi or LAN where I will be connected to ISP-C. The ISP-C connection will be passed through ISP-B, and ISP-B will be initiated from ISP-A.

Ah, so a tunnel in tunnel not a tunnel after tunnel!

The first tunnel will bypass the bandwidth restriction.
The second tunnel will bypass the firewall restriction.
Which means you can browse all sites with good internet speed.

Did you look into what @vgaetera said about routing?

I think this is not what I'm looking for. He was talking about a load balancer.

No, starting from here.

1 Like

How do I do that? Actually, it would be great if I were able to get some tutorial.
I'm not enough of a pro to work on advanced stuff in OpenWrt.

Set up a VPN from OpenWrt to the VPS/B.
In VPS/B, set up another VPN to VPS/C.
In OpenWrt at home, force all traffic via the tunnel with VPS/B.
In VPS/B, forward all traffic from one tunnel to the other.
In VPS/C, masquerade and forward to the Internet.
You'll need static routes everywhere. That means that VPS/C needs to know that the network you have at home is reachable via VPS/B. The same for VPS/B.

1 Like
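
The five steps above as a dry-run script, added here as an example and not taken from any post in the thread: it only prints the commands for each host. It assumes Linux on both VPSes with routed (layer-3) tunnels and an OpenWrt firewall that already allows forwarding from the LAN into the tunnel; every address and interface name (`wan`, `tun0`, `tun1`, `eth0`) is a constructed placeholder.

```shell
#!/bin/sh
# Added example: prints (does not execute) the routing and firewall commands
# for each hop. All addresses and interface names are constructed placeholders.
HOME_LAN=192.168.8.0/24   # LAN behind the home OpenWrt router
ISP_GW=192.168.1.1        # ISP-A gateway as seen from OpenWrt
B_PUBLIC=198.51.100.20    # public address of VPS/B
T1_HOME=10.10.0.2         # tunnel 1 (OpenWrt <-> VPS/B), OpenWrt end
T1_B=10.10.0.1            # tunnel 1, VPS/B end
T2_B=10.20.0.2            # tunnel 2 (VPS/B <-> VPS/C), VPS/B end
T2_C=10.20.0.1            # tunnel 2, VPS/C end

plan_openwrt() {
    # Pin the carrier of tunnel 1 to the ISP-A path, then cover the whole
    # IPv4 space with two /1 routes that outrank the existing default route.
    echo "ip route add $B_PUBLIC/32 via $ISP_GW dev wan"
    echo "ip route add 0.0.0.0/1 via $T1_B dev tun0"
    echo "ip route add 128.0.0.0/1 via $T1_B dev tun0"
}

plan_vps_b() {   # here tun0 is tunnel 1 and tun1 is tunnel 2
    echo "sysctl -w net.ipv4.ip_forward=1"
    # Return path: the home LAN is reachable through tunnel 1.
    echo "ip route add $HOME_LAN via $T1_HOME dev tun0"
    # Only traffic sourced from the home LAN is sent on into tunnel 2; the
    # main default route, which carries tunnel 2 itself, stays untouched.
    echo "ip rule add from $HOME_LAN lookup 100"
    echo "ip route add default via $T2_C dev tun1 table 100"
    echo "iptables -A FORWARD -i tun0 -o tun1 -j ACCEPT"
    echo "iptables -A FORWARD -i tun1 -o tun0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

plan_vps_c() {   # here tun0 is tunnel 2 and eth0 is the public interface
    echo "sysctl -w net.ipv4.ip_forward=1"
    # Return path: the home LAN is reachable through VPS/B over tunnel 2.
    echo "ip route add $HOME_LAN via $T2_B dev tun0"
    echo "iptables -A FORWARD -i tun0 -o eth0 -s $HOME_LAN -j ACCEPT"
    echo "iptables -A FORWARD -i eth0 -o tun0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Last hop: rewrite the home LAN source address to VPS/C's public one.
    echo "iptables -t nat -A POSTROUTING -s $HOME_LAN -o eth0 -j MASQUERADE"
}

for host in openwrt vps_b vps_c; do
    echo "# --- $host ---"
    "plan_$host"
done
```

Only VPS/C masquerades; the other two hops rely on the static routes, which is why both VPSes need the return route to the home LAN.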


  • Parent connection - provides the medium for the child connection.
  • Child connection - depends on the parent connection medium, but becomes a parent for every new child connection.

So, every child connection should:

  • Provide a route to its own remote gateway via the parent connection gateway and interface.
  • Override/remove default route of the parent connection.

Considering you have a 3-generation tree and assuming that the 2nd connection behaves according to the logic described above, you likely need to fix only the 3rd connection's behavior.
But, I'm afraid, there's no guide and the implementation depends on the VPN type you use, so it will likely require some scripting and debugging skills.
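
A check for the two child-connection rules above, for the case where both tunnels run on one router. It is an added example, not from any post in the thread: `check_child` is a hypothetical helper that reads `ip route show` output and reports whether a tunnel's remote endpoint is pinned to its parent interface and whether the default route is overridden; both sample tables are constructed.

```shell
#!/bin/sh
# check_child ENDPOINT PARENT_IF TUN_IF   (routing table on stdin, in the
# format printed by `ip route show`). Prints ok, no-endpoint-route or
# default-not-overridden, and returns 0 only for ok.
check_child() {
    awk -v ep="$1" -v pif="$2" -v tif="$3" '
        function dev(   i) {              # interface named after "dev"
            for (i = 1; i < NF; i++) if ($i == "dev") return $(i + 1)
            return ""
        }
        ($1 == ep || $1 == (ep "/32")) && dev() == pif { pinned = 1 }
        $1 == "0.0.0.0/1"   && dev() == tif { low = 1 }
        $1 == "128.0.0.0/1" && dev() == tif { high = 1 }
        $1 == "default" && dev() == tif { tdef = 1 }
        $1 == "default" && dev() != tif { odef = 1 }
        END {
            # Rule 1: the route to the remote gateway uses the parent.
            if (!pinned) { print "no-endpoint-route"; exit 1 }
            # Rule 2: the parent default is replaced or shadowed by /1s.
            if (!((low && high) || (tdef && !odef))) {
                print "default-not-overridden"; exit 1
            }
            print "ok"
        }'
}

# Constructed table: wan -> tun0 (to VPS/B) -> tun1 (to VPS/C), nested.
GOOD_TABLE='198.51.100.20 via 192.168.1.1 dev wan
203.0.113.30 via 10.10.0.1 dev tun0
default via 10.10.0.1 dev tun0
0.0.0.0/1 via 10.20.0.1 dev tun1
128.0.0.0/1 via 10.20.0.1 dev tun1
192.168.1.0/24 dev wan scope link'

# Constructed table: the third connection pinned its endpoint to the wan
# gateway, so it bypasses tunnel 1 instead of running inside it.
BAD_TABLE='198.51.100.20 via 192.168.1.1 dev wan
203.0.113.30 via 192.168.1.1 dev wan
default via 10.10.0.1 dev tun0
0.0.0.0/1 via 10.20.0.1 dev tun1
128.0.0.0/1 via 10.20.0.1 dev tun1'

printf '%s\n' "$GOOD_TABLE" | check_child 203.0.113.30 tun0 tun1 || true
printf '%s\n' "$BAD_TABLE"  | check_child 203.0.113.30 tun0 tun1 || true
```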


I was able to do only this one:
Set up a VPN from OpenWrt to the VPS/B.
Now I don't know how to do the rest. If you can help, it would be really good for me.