OpenWrt as a VPN HotSpot


I'm going around in circles here and I find so many posts on the matter that either conflict with each other or have images of a GUI version very different to the current latest. Having spent about 2 days on this already I have admitted I need some advice.

So I have a mesh in my house, and have bought a Homehub-5 OpenWrt router to complement it as a "VPN AP Hotspot".

The Homehub is connected to my existing WiFi for internet access on the 5ghz band. I have followed this guide and set the 2ghz for client use.
So I now have a working 'repeater' but one which has its own IP range and broadcasts on its own (appended _VPN) SSID.
Clients connecting to this AP get an IP address in the new range, they have internet access using this new SSID AP. All good so far.

However. What I want is to have OpenVPN to manage a VPN connection to surfshark. I want all clients using this AP to only be able to access 'internet' via the VPN tunnel.
As it stands, while I have installed the VPN requirements and have an active connection using my surfshark config, my clients are still routing out via the core network and exposing my actual external IP.

I seem to need to replace the routes or rules somehow to ensure that routing to the internet from this new AP is ONLY possible via the VPN connection. But as I said, having tried a few similar guides I find myself unable to get this to work properly.

I would very much appreciate any guidance.

Thank you in advance!

Appreciate this may be a tiresome topic. But if anyone has a working method to follow that isn't based on an old gui I would very much appreciate it.

This is pretty much how things work out of the box with most provider client configs. No route or rule required (redirect gateway + OpenVPN on the AP).

@anon50098793 Thanks for the reply.
My clients are all routing out via my standard ISP and not via the VPN. I can't figure out why.

Set up the router as a regular wifi client of your main network. You don't need a relay configuration. Remove the ethernet or dsl from the wan network physical setting and substitute a wifi client.

To see if OpenVPN has set up routes, check the routing table. Network-->Routes or run route on the CLI.


Hey Mike, thanks for the reply. I'll give this a go, but will this leak to the core network ISP if the VPN goes down? I'm looking to make the VPN hotspot stop external traffic when the tunnel drops.


Rather than let the VPN take over the router entirely, I prefer to set up a separate network and firewall zone for the VPN users, and another zone for the VPN tunnel, and directly forward users into that tunnel. If the VPN is down they won't get any Internet at all.
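
The zone layout described in the post above (hotspot users forwarded only into the tunnel zone) can be checked mechanically. This is an added example, not part of the original thread: a shell function that reads `uci show firewall` output and flags any forwarding that would let hotspot clients reach a zone other than the tunnel. The zone names `hotspot`, `vpn` and `wan` and both sample dumps are constructed assumptions.

```shell
#!/bin/sh
# Added example: audit a `uci show firewall` dump for a VPN kill switch.
# Zone names hotspot/vpn/wan are assumptions; both dumps below are constructed.
sample_good() {   # hotspot clients may only be forwarded into the vpn zone
  cat <<'EOF'
firewall.@zone[0]=zone
firewall.@zone[0].name='hotspot'
firewall.@zone[0].network='hotspot'
firewall.@zone[1]=zone
firewall.@zone[1].name='vpn'
firewall.@zone[1].network='vpn'
firewall.@zone[1].masq='1'
firewall.@zone[2]=zone
firewall.@zone[2].name='wan'
firewall.@zone[2].network='wwan'
firewall.@zone[2].masq='1'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='hotspot'
firewall.@forwarding[0].dest='vpn'
EOF
}

sample_leaky() {  # same, plus a forwarding that bypasses the tunnel
  sample_good
  cat <<'EOF'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].src='hotspot'
firewall.@forwarding[1].dest='wan'
EOF
}

# audit_killswitch USER_ZONE VPN_ZONE  (dump on stdin)
# Returns 0 only if USER_ZONE is forwarded to VPN_ZONE and to no other zone.
audit_killswitch() {
  awk -v user="$1" -v vpn="$2" -v q="'" '
    { gsub(q, ""); n = split($0, a, "[.=]")   # strip quotes, split the key path
      if (n == 3 && a[3] == "forwarding") fwd[a[2]] = 1
      else if (n == 4 && (a[3] == "src" || a[3] == "dest")) val[a[2], a[3]] = a[4] }
    END {
      for (s in fwd) {
        if (val[s, "src"] != user) continue
        if (val[s, "dest"] == vpn) ok = 1
        else { print "LEAK: " user " -> " val[s, "dest"]; leak = 1 }
      }
      if (!ok) print "MISSING: " user " -> " vpn
      exit (leak || !ok)
    }'
}
# On the router: uci show firewall | audit_killswitch hotspot vpn
```

The check covers forwarding sections only; it does not inspect individual firewall rules or the routing table.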

I don't mind so much since the router will only be used for VPN use. I'm setting it up as a secure router, so anything that connects to it will be connecting over the tunnel.

That said, I have no issues with how this is achieved. Would it be easier to set up zones for this purpose?

FYI I have now reset my router config. I'm connected as a client to my core WiFi mesh. I have the 2.4ghz radio broadcasting as a new SSID (WiFiName_VPN).

I have just set up the VPN again, but as of now if I start the VPN tunnel, I get no internet from the wwlan. If I stop it again, I get out via my core ISP.

I'm assuming I need to tweak something.

Appreciate the help, I've been trying to self learn on this router but I'm admitting to needing a bit of direction!

fwiw, did you review this openvpn setup guide for HH5A?


Bill, you are a legend! Not only does this guide show me how to configure everything I need, it has screenshots of a LuCI that is not an old version!

Thank you so much. Having followed about 8 guides on this topic, this guide was the exact one I needed.

