OpenWrt as VPN Gateway

I thought this should be pretty straightforward, but after hours and hours of tinkering and reading online, I can't seem to get it to work. Here's what I want to accomplish:

Main Router handles DHCP and has the IP of
OpenWrt Router has a static IP of with DHCP off and connected to the Main Router via a LAN port.

The goal is to allow all clients connected to OpenWrt by default to use the Main Router's internet, but clients that set the OpenWrt Router as the gateway should have their traffic routed through the VPN client running on the OpenWrt Router.

So far I've managed to set up the OpenWrt Router as a VPN Client. The LAN interface is br-lan and I can't seem to get the traffic routed from the LAN through the VPN. Internet works for OpenWrt Router clients, as traffic seems to go through the main router.

I added an interface for tun0 but read somewhere that it may not be required.

Any suggestions of how I can get this working? Any additional information you need to know?


Trying to do similar wg setup from one router instead of two. One interface for internet to ebay, credit cards, etc. Is it possible to have separate wifi radios for internet and vpn?

How do you know ip for clearnet site is "clear" without exposing vpn?

Trying to create another lan interface for internet only with owrt vpn wg client always on. Any tips appreciated.

Well, it seems like posting is an important step to finding the solution, even if no answers are posted in reply! I managed to get this working using ChatGPT 4 to help explain things to me while I tinkered with the settings. The problem is that I can't fully explain why it works, so if someone is interested in writing that up here for future users, that may still be helpful.

Very strange differentiation.

@ulmwind why do you say so?

I want clients to be able to choose whether they use the vpn or not and I want all clients to be able to share the same network resources such as printer etc. so I figured by letting the client choose its gateway with everything being on the same subnet accomplishes that.

Would you set it up differently?

It is impossible in current configuration, see Forwarding from VPN Clients not working - #9 by ulmwind

Maybe it's me always thinking in the same categories. If there's easier ways here, feel free to correct me.

  • I'd create different networks for "with vpn" and "without vpn".
  • Both networks get individual IP ranges.
  • Both networks get individual Wifi SSIDs.
  • The password for both Wifi SSIDs can be the same.
  • The firewall zone for both networks can be the same.
  • Create a rule that routes traffic from one network through the VPN.
  • Clients can pick just by selecting one SSID or the other.

This obviously will utilize CPU for routing between your two networks on traffic that otherwise could just easily be handled by the bridge and bypass the CPU, but if your hardware is powerful enough to handle VPN it is certainly powerful enough to handle local routing.


You can use the same subnet and gateway for all clients with PBR.
Just create a routing policy for specific source IPs or MACs.
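The policy-based routing suggested above, written out as an added example (this is not code from the thread or from OpenWrt's own packages): one routing table whose default route is the tunnel, one `ip rule` per chosen client, a firewall zone so the tunnel traffic is NATed, and an `unreachable` fallback so those clients fail closed instead of leaking through the main router when the tunnel is down. Assumed and not stated in the thread: the tunnel device is `tun0`, both routers share `192.168.1.0/24`, table `100` is unused, `ip-full` is installed, and the client addresses are constructed.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenWrt's own code:
# policy-based routing (PBR) by source address on the OpenWrt router, so
# that only the listed LAN clients go out through the VPN tunnel while
# everyone else keeps using the main router as before.
# Assumptions not stated in the thread: the tunnel device is tun0, both
# routers share 192.168.1.0/24, routing table 100 is unused, the ip-full
# package is installed, and the client addresses below are constructed.
set -e

VPN_IF="${VPN_IF:-tun0}"
VPN_TABLE="${VPN_TABLE:-100}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
RULE_PRIO="${RULE_PRIO:-1000}"
# Clients to send through the VPN: IPv4 addresses or CIDR prefixes (constructed).
VPN_CLIENTS="${VPN_CLIENTS:-192.168.1.50 192.168.1.51}"

# run: execute the command, or only print it when DRY_RUN is set so the
# plan can be reviewed before touching a live router.
run() {
    if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# fw_apply: make tun0 a firewall zone with NAT and allow lan -> vpn forwarding.
fw_apply() {
    run uci set network.vpn=interface
    run uci set network.vpn.proto=none
    run uci set network.vpn.device="$VPN_IF"
    run uci set firewall.vpn=zone
    run uci set firewall.vpn.name=vpn
    run uci set firewall.vpn.network=vpn
    run uci set firewall.vpn.input=REJECT
    run uci set firewall.vpn.output=ACCEPT
    run uci set firewall.vpn.forward=REJECT
    run uci set firewall.vpn.masq=1
    run uci set firewall.vpn.mtu_fix=1
    run uci set firewall.lan_vpn=forwarding
    run uci set firewall.lan_vpn.src=lan
    run uci set firewall.lan_vpn.dest=vpn
    run uci commit network
    run uci commit firewall
}

# pbr_apply: VPN routing table plus one selector rule per client.
pbr_apply() {
    # Table 100: default via the tunnel. The unreachable route (worse metric)
    # is the kill switch: when tun0 goes away its route vanishes and VPN
    # clients get "network unreachable" instead of leaking via the main router.
    run ip route replace default dev "$VPN_IF" table "$VPN_TABLE"
    run ip route replace unreachable default metric 1000 table "$VPN_TABLE"
    # Keep LAN-to-LAN traffic (printer etc.) in the main table first.
    run ip rule add to "$LAN_NET" lookup main priority "$((RULE_PRIO - 1))"
    for client in $VPN_CLIENTS; do
        run ip rule add from "$client" lookup "$VPN_TABLE" priority "$RULE_PRIO"
    done
}

# pbr_remove: undo pbr_apply.
pbr_remove() {
    for client in $VPN_CLIENTS; do
        run ip rule del from "$client" lookup "$VPN_TABLE" priority "$RULE_PRIO" 2>/dev/null || true
    done
    run ip rule del to "$LAN_NET" lookup main priority "$((RULE_PRIO - 1))" 2>/dev/null || true
    run ip route flush table "$VPN_TABLE"
}

case "${1:-}" in
    fw)     fw_apply ;;
    apply)  pbr_apply ;;
    remove) pbr_remove ;;
    *)      ;;
esac
```

Run it once with `DRY_RUN=1 sh pbr.sh apply` to see the plan, then `sh pbr.sh fw` followed by `/etc/init.d/firewall restart` and `sh pbr.sh apply`. The `ip rule` entries do not survive a reboot, so they belong in `/etc/rc.local` or a hotplug script; selecting clients by MAC rather than IP needs a firewall mark (nftables `meta mark`) plus `ip rule ... fwmark`, which is what the OpenWrt `pbr` package automates.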

Thanks for this suggestion @golialive. In my case some clients are wired only, so there is no option to select a different SSID. Having the client specify its gateway was meant to accomplish the same effect where the client makes a choice that changes the routing. How would you accomplish your suggestion without any wifi?

Thanks, @vgaetera, I guess your proposed solution is to have the router know about the rules instead of the client. My goal was the opposite, i.e. to have the client choose whether its traffic goes through the VPN or not. I guess if I am the client it may be just as easy for me to login to the router and update the routing should I need to make a change, so this is something I will keep in mind.

Those individual networks I suggested are technically vlans.

Default vlan numbering of OpenWRT is: vlan ID 1 is for LAN, vlan ID 2 is for WAN. So you can, e.g. use vlan ID 5 for your secondary, VPN routing LAN (let's call it LAN2).

Hardware LAN ports of your OpenWRT box are configured as "vlan ID 1 untagged" by default, which means only vlan ID 1 travels through that port and on their way out packages are stripped of the vlan tag so that clients only see raw IP packages but no vlan. (Just for completeness, by default, the WAN port of your hardware is configured almost as I explained the LAN ports but use vlan ID 2 untagged instead of vlan ID 1 untagged.)

You can of course:

  • Reconfigure a physical LAN port so that it no longer uses vlan ID 1 untagged but e.g. vlan ID 5 untagged. This makes it connected to your LAN2, not the previous LAN network.
  • Reconfigure a physical LAN port so that it no longer uses vlan ID 1 untagged but e.g. vlan ID 1 tagged + vlan ID 5 tagged. This allows you to connect additional managed switches that, in turn, split vlan ID 1 and vlan ID 5 into individual untagged ports.

Both are ways to accomplish the same thing: Your users get two different cables to manually plug in and out which one they want. You can even color-code them, use e.g. green ones for your LAN and blue ones for your LAN2 network.

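The two-network layout from the earlier list (separate IP range, separate SSID, same firewall zone, one routing rule) and the VLAN port options in this post, as an added example that is not code from the thread or from OpenWrt itself. It targets a DSA-based OpenWrt (21.02 or newer, where the switch ports are members of `br-lan`); devices still on swconfig use `switch_vlan` sections instead. Assumed and not stated in the thread: ports `lan1`-`lan4` exist, `lan4` becomes the untagged LAN2 port (the blue cable), `lan3` carries VLAN 1 and VLAN 5 tagged for a downstream managed switch, LAN2 is `192.168.5.0/24`, the original LAN is `192.168.1.0/24`, `radio0` is the Wi-Fi device, routing table `100` already has the tunnel as its default route, and SSID and key are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenWrt's own code: create the
# second, VPN-routed LAN ("LAN2", VLAN 5) on a DSA-based OpenWrt.
# Assumptions not stated in the thread: ports lan1-lan4 exist, lan4 becomes
# the untagged LAN2 port, lan3 carries VLAN 1 and VLAN 5 tagged for a managed
# switch, LAN2 is 192.168.5.0/24, the original LAN is 192.168.1.0/24, radio0
# is the Wi-Fi device, and routing table 100 already routes via the tunnel.
set -e

LAN2_VLAN="${LAN2_VLAN:-5}"
LAN2_NET="${LAN2_NET:-192.168.5.0/24}"
LAN2_ADDR="${LAN2_ADDR:-192.168.5.1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
VPN_TABLE="${VPN_TABLE:-100}"
SSID="${SSID:-MyNet-VPN}"          # placeholder
PSK="${PSK:-change-me-please}"     # placeholder, replace before use

# run: execute the command, or only print it when DRY_RUN is set.
run() { if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# lan2_network: VLAN filtering on br-lan, the new interface and its DHCP pool.
lan2_network() {
    # VLAN 1 keeps the existing LAN: lan1/lan2 untagged, lan3 tagged.
    run uci add network bridge-vlan
    run uci set "network.@bridge-vlan[-1].device=br-lan"
    run uci set "network.@bridge-vlan[-1].vlan=1"
    run uci add_list "network.@bridge-vlan[-1].ports=lan1:u*"
    run uci add_list "network.@bridge-vlan[-1].ports=lan2:u*"
    run uci add_list "network.@bridge-vlan[-1].ports=lan3:t"
    run uci set network.lan.device=br-lan.1
    # VLAN 5: lan4 untagged (plain cable into LAN2), lan3 tagged (managed switch).
    run uci add network bridge-vlan
    run uci set "network.@bridge-vlan[-1].device=br-lan"
    run uci set "network.@bridge-vlan[-1].vlan=$LAN2_VLAN"
    run uci add_list "network.@bridge-vlan[-1].ports=lan4:u*"
    run uci add_list "network.@bridge-vlan[-1].ports=lan3:t"
    # LAN2 gets its own subnet and DHCP pool.
    run uci set network.lan2=interface
    run uci set network.lan2.device="br-lan.$LAN2_VLAN"
    run uci set network.lan2.proto=static
    run uci set network.lan2.ipaddr="$LAN2_ADDR"
    run uci set network.lan2.netmask=255.255.255.0
    run uci set dhcp.lan2=dhcp
    run uci set dhcp.lan2.interface=lan2
    run uci set dhcp.lan2.start=100
    run uci set dhcp.lan2.limit=150
    run uci set dhcp.lan2.leasetime=12h
}

# lan2_wifi: second SSID on the same radio (same password is fine), bound to lan2.
lan2_wifi() {
    run uci set wireless.lan2_ap=wifi-iface
    run uci set wireless.lan2_ap.device=radio0
    run uci set wireless.lan2_ap.mode=ap
    run uci set wireless.lan2_ap.network=lan2
    run uci set wireless.lan2_ap.ssid="$SSID"
    run uci set wireless.lan2_ap.encryption=psk2
    run uci set wireless.lan2_ap.key="$PSK"
}

# lan2_firewall_and_route: same zone as lan (shared printers etc.), then the
# rule that sends everything sourced from LAN2 through the VPN table, with
# LAN-bound traffic kept in the main table so local resources stay reachable.
lan2_firewall_and_route() {
    run uci add_list "firewall.@zone[0].network=lan2"   # zone[0] is 'lan' on a default config
    run uci commit network
    run uci commit dhcp
    run uci commit wireless
    run uci commit firewall
    run ip rule add to "$LAN_NET" lookup main priority 999
    run ip rule add from "$LAN2_NET" lookup "$VPN_TABLE" priority 1000
}

case "${1:-}" in
    all) lan2_network; lan2_wifi; lan2_firewall_and_route ;;
    *)   ;;
esac
```

Preview with `DRY_RUN=1 sh lan2.sh all`, apply with `sh lan2.sh all` followed by `/etc/init.d/network restart`, `wifi reload` and `/etc/init.d/firewall restart`. Do the VLAN change from a port that stays in VLAN 1 (or over Wi-Fi) so you are not cut off, and put the two `ip rule` lines in `/etc/rc.local` or a hotplug script since they are not persistent.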
