So you're saying that the devices connected via wifi are not using the tunnel, but the ethernet-connected ones are?
I'm not seeing any reason for that behavior, but I can suggest the following:
- Move the VPN into a separate zone. Remove it from the wan zone, create a new zone. Remove lan > wan forwarding (this won't be obvious, but it is removed from the config below) and enable lan > vpn forwarding. Your config should look like this:
config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config zone
	option name 'vpn'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	list device 'tun0'

config forwarding
	option src 'lan'
	option dest 'vpn'
With this, your config will only allow the lan clients to egress via the VPN tunnel... they will not be able to egress via the wan.
- Check to make sure that your SSID is unique and that your devices only have a single active connection to the network we're talking about here (the secondary router)... any other connections (wifi or wired, like to your main upstream network) could obviously have the effect of accidentally bypassing the VPN.
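A way to check a router's firewall config for the leak paths discussed in this reply (added example, not the poster's code; the sample config is constructed, and the tunnel device name tun0 is taken from the reply):

```python
# Added example (not the poster's): lint an OpenWrt /etc/config/firewall for the lan-only-via-tunnel invariants above.
import re

# Constructed sample: the suggested wan/vpn zones plus a leftover lan -> wan
# forwarding, which is the bypass path the reply says to remove.
SAMPLE = """
config zone
	option name 'wan'
	list network 'wan'
config zone
	option name 'vpn'
	option masq '1'
	list device 'tun0'
config forwarding
	option src 'lan'
	option dest 'wan'
config forwarding
	option src 'lan'
	option dest 'vpn'
"""

def parse_uci(text):
    """Return [(section_type, {key: str or [str]})] for UCI-style config text."""
    sections = []
    for line in text.splitlines():
        m = re.match(r"\s*config\s+(\w+)", line)
        if m:
            sections.append((m.group(1), {}))
            continue
        m = re.match(r"\s*(option|list)\s+(\w+)\s+'([^']*)'", line)
        if m and sections:
            kind, key, val = m.groups()
            opts = sections[-1][1]
            opts[key] = val if kind == "option" else opts.get(key, []) + [val]
    return sections

def vpn_leak_findings(text, tunnel="tun0"):
    """List config problems that would let lan clients bypass the tunnel."""
    sections = parse_uci(text)
    zones = {o.get("name"): o for t, o in sections if t == "zone"}
    fwd = {(o.get("src"), o.get("dest")) for t, o in sections if t == "forwarding"}
    vpn, wan = zones.get("vpn", {}), zones.get("wan", {})
    checks = [
        (("lan", "wan") in fwd, "lan -> wan forwarding present: clients can bypass the VPN"),
        (("lan", "vpn") not in fwd, "no lan -> vpn forwarding: clients cannot use the tunnel"),
        (tunnel not in vpn.get("device", []), f"{tunnel} is not a device of the vpn zone"),
        (vpn.get("masq") != "1", "vpn zone does not masquerade"),
        (tunnel in wan.get("device", []), f"{tunnel} is still in the wan zone"),
    ]
    return [msg for bad, msg in checks if bad]
```

Run it against a copy of /etc/config/firewall pulled from the secondary router; an empty list means the lan zone can only egress through the tunnel.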