Route AP or specific devices through VPN server? pbr / policy based routing?

I have some devices I only want to reach the internet via VPN (e.g. Mullvad). I can run software on those devices to put them onto a VPN, but it’s cumbersome. It depends on the quality of the client to ensure traffic doesn’t go over my plain Internet connection.

Can I have an AP that routes all traffic it gets through the VPN?

Preferably, my topology would be:

[ISP modem] - [router] - [switch] - [normal AP]
................................. \ [VPN AP + sub-router]

I want a clean design where the client devices don’t have to care about the VPN. The wifi AP / sub-router should enforce VPN and just not connect if the VPN is unreachable.

I found pbr / policy based routing. Is that the best way to do this? Is OpenWrt a good tool for the job? I’ve been running OpenWrt for about 6 years.

If you want to run WireGuard on the AP and not on your main router, then it could be done in the following way:

Set up WireGuard on the AP and make a Guest wifi on the AP. All clients connected to the Guest wifi on this AP will automatically use WireGuard; clients connected to the regular wifi will not use WireGuard.

So you do not need PBR to do that.

See:
for setting up a guest wifi on a bridged AP

For setting up a WireGuard client, this is how I do it:
WireGuard Client Setup Guide

There is a paragraph with special settings for running WireGuard on a Bridged AP
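A worked version of the reply's design in OpenWrt UCI syntax, added here as an example and not taken from the post or the linked guides: the tunnel gets its own routing table, a policy rule sends only guest-interface traffic into it, and the firewall gives the guest zone no path except the tunnel, so guest clients lose internet (rather than falling back to the ISP) when WireGuard is down. Keys, addresses and the endpoint are placeholders; the names `wg0`, `guest`, `vpn` and table number 100 are my choices; the guest SSID (`option network 'guest'` on its `wifi-iface`) and its `config dhcp 'guest'` section follow the guide linked above.

```uci
# /etc/config/network  (tunnel in its own routing table, plus the guest subnet)
config interface 'wg0'
	option proto 'wireguard'
	option private_key 'REPLACE_WITH_AP_PRIVATE_KEY'      # placeholder
	list addresses '10.66.0.2/32'                         # address issued by the VPN provider (placeholder)
	option ip4table '100'                                 # keeps VPN routes out of the AP's main table

config wireguard_wg0
	option public_key 'REPLACE_WITH_SERVER_PUBLIC_KEY'    # placeholder
	option endpoint_host 'vpn.example.net'                # placeholder
	option endpoint_port '51820'
	option persistent_keepalive '25'
	option route_allowed_ips '1'                          # installs 0.0.0.0/0 into table 100 only
	list allowed_ips '0.0.0.0/0'

config interface 'guest'
	option proto 'static'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'

config rule 'guest_via_vpn'
	option in 'guest'                                     # packets arriving from guest clients...
	option lookup '100'                                   # ...are routed by the VPN-only table

# /etc/config/firewall  (guest may only leave through the tunnel)
config zone 'guest'
	option name 'guest'
	list network 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone 'vpn'
	option name 'vpn'
	list network 'wg0'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'guest'
	option dest 'vpn'     # no guest->wan or guest->lan forwarding exists: tunnel down means no internet

config rule
	option name 'guest-dhcp-dns'                          # let guest clients reach the AP's dnsmasq
	option src 'guest'
	option dest_port '53 67 68'
	option proto 'tcp udp'
	option target 'ACCEPT'
```

Queries that dnsmasq itself sends upstream still leave via the AP's main table (the plain ISP path); if that matters, hand guest clients the provider's in-tunnel resolver directly with `list dhcp_option '6,<resolver address>'` in the guest `config dhcp` section.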