OpenVPN in Dumb AP


I very new to openwrt and so far i love the all functionality it provides. I recently got my router OpenWRT as a Dumb AP, because i can't ditch the ISP router. I have a paid VPN and i follow the guide for instalation ( [OpenWrt Wiki] OpenVPN client using LuCI. I did everything but my IP is showing... I have some difficult doing the firewall since in point 5 it says to undo what we have done in the firewall and make some changes... Can someone help me? My dumb AP as a Static IP with gateway adress and dns adress same as ISP.

The problem here is that your devices are all using the ISP router as the gateway to the internet, which means that they aren't going to be tunneled through the VPN. You need to tell your client devices to use the OpenWrt device as the gateway in order to have the traffic go through the tunnel.

You can see if your setup generally works by setting a client device with manual/static IP information... you need to populate the IP, subnet mask, dns, and router/gateway. To do this properly, you will want to set the IP to an address within your network, but outside the DHCP pool to avoid conflicts. Subnet mask will be the same as you see currently. Gateway/router will be the IP of the OpenWrt device, and the DNS could be the same OpenWrt address, a public DNS like, or a DNS server from the VPN service.

Give that a shot as a test. If it works, you know the OpenWrt side of things is working, and you just have to make some other modifications to how your network operates with respect to the DHCP server.

1 Like

So, if I understand it correctly I need to ser static ip for my decides connected to the Openwrt device. Use the subnet the same as the router from isp. And use the gateway of my openwrt device. DNS of a public like Google or from the vpn provider.

Im going to try.

Correct. If that works, there are ways to do this without static IP, but it depends on the ISP router's capabilities in terms of user configuration options.

It would probably make more sense to switch the OpenWrt device from dumb-AP to non-NAT router, meaning all devices apart from phone/ TV(?) connected behind the OpenWrt router and configuring a static route to the OpenWrt device.

1 Like

I think so too. But the problem is that I cant find any tutorial to do that (yup, im not a programmer) ... So I had to take the easy route and choose the dumb ap...

I would turn off the DHCP server in the home router and let OpenWrt serve DHCP. With default settings, OpenWrt will advertise itself as the gateway to the Internet*, so your endpoint devices on the LAN will go via VPN by default.

Another approach would be to install routes in the home router so that access to the Internet bounces back to the OpenWrt box**. This would be a set of routes just like OpenVPN sets up in the OpenWrt box, including the very important exception that the VPN server machine is to be reached directly on the "real" Internet.

* something that would break the network if it were running on a plain dumb AP, but now it is exactly what you do want.

** An advantage here is that it is impossible for an endpoint to intentionally or unintentionally avoid the VPN by configuring itself with a different gateway.

I agree with all of these things, but I suggested testing with the static IP method (on a client system) first so that the VPN functionality can be validated first.

The ability to disable the ISP router's DHCP server and/or set static routes entirely depends on what features are exposed to the user.

When you VPN the whole house, NAT isn't an issue, so you could just use the ISP router as a source of Internet. Even if you can't configure it at all, go ahead and double-NAT to OpenWrt and like @psherman said, put all users on the LAN side of OpenWrt running as a regular router.

So today i did that. I used Static Leases to set static IP adresses for my devices. The only thing here is that they use the IP adress given by the ISP router and not what i assigned to them...

This was not what I was suggesting (and it won't work at the moment for a reason I'll explain in a moment).

The place for you to set a static IP (for the purpose of testing that the VPN is working properly) would be on a computer directly in the network settings. There is an option for the settings > network configuration to use DHCP or configure a static/manually assigned IP address. You want to enter the information in when you change it to static/manually assigned on a computer or mobile device on your network.

Getting back to this... it won't work because one of the key parts of using a dumb AP is to disable the DHCP server on your OpenWrt router. This means that it isn't going to issue any DHCP leases to any of your devices... your ISP router is handling this function. You can re-enable the DHCP server on your OpenWrt device, but you must disable the one in the ISP's router -- you can only have a single DHCP server on your network, otherwise you'll have all sorts of issues.

1 Like

Already set static ip on my devices and it's working now. Thank you very much pssherman!!

On last question, is it possible without have to assign static ip? Because some devices dont have that option namely the Firestick.

Yes, but this gets a bit more complex in terms of how you want to manage your network.

The easiest way to handle this would be to simply have the DHCP server advertise the OpenWrt device as the gateway (and possibly also DNS). To achieve this, you can either:

  • change the gateway that is advertised from the ISP router's DHCP server -- this may or many not be possible.
  • disable the DHCP server on the ISP router and then enable it on the OpenWrt router (you would have previously disabled the DHCP server on the dumb AP, but now you will re-enable it). By default, it should advertise itself as the gateway and DNS server when it issues DHCP leases. This assumes that your ISP router's DHCP server can be disabled.