Setting OpenVPN on different wlans

Can OpenVPN be set on a specific wlan?

My router has two WLANs; one is 2.4 GHz, the other is 5 GHz. Is it possible to set OpenVPN on just the 2.4 GHz WLAN?

If so, how should I configure it?

What would you like to do? To bypass the VPN?

  • Make a new Interface (bridge)
  • Make a 2.4 SSID and add to this interface
  • Set up this new interface/network to use the VPN (there are tutorials and forum threads on this step) via Policy Based Routing

In fact, I have changed the requirement to this:

I need a guest network, which runs over a vpn client.
The main network will run without a vpn client.
And also, I need to set different firewall rules on these networks.

I think this could be done, but my network and OpenWrt knowledge is not enough to configure it. :frowning:

It is not so difficult. Does your router use a switch or DSA to bridge ports?

I think it uses DSA; there is no switch section.

You have to modify br-lan and create a new VLAN under Network > Interfaces > Devices:

  • Assign a VLAN ID and set all ports to off, then save.
  • Click "Add device configuration" and add a new device as a bridge; give it a name and, under bridge ports, select the VLAN created previously.
  • Move to the Interfaces menu and create a new interface with a static address. Assign an address to the new interface (e.g. 192.168.10.1) and a subnet mask, and under Device set the bridge created before.
  • In the firewall tab, set a new firewall zone or assign that of the lan/vpn (you can fix it later).
  • In the DHCP tab, assign the range of IP addresses you want. Save everything and apply the changes.
  • Move to the Wireless menu and create the new guest network with the parameters you prefer; under Network set the interface created before. Save and apply.

If you have done everything right you will have the new guest network working, but it will always be connected to the VPN. To bypass the VPN you have to install vpn-policy-routing and luci-app-vpn-policy-routing. Once done, under the VPN menu you will find VPN Policy Routing, and among the policies you have to set the IP address of the network you want to exclude (e.g. 192.168.10.100/24); leave the rest as it is. Save and apply and you should be done; check whether the guest Wi-Fi network goes outside the VPN. Sorry if I forgot something.
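The same guest network written as /etc/config fragments, as an added example that is not part of the original post. It assumes the subnet from the post (192.168.10.0/24), that radio0 is the 2.4 GHz radio, and placeholder SSID and key. Because the guest network is wireless-only, the bridge-vlan on br-lan is skipped and the guest bridge has no wired ports; add a `config bridge-vlan` on br-lan and list `br-lan.<id>` under `ports` only if a wired port should join the guest network.

```uci
# /etc/config/network  (added example; DSA device, guest is wireless-only)
config device
        option name 'br-guest'
        option type 'bridge'
        # bridge_empty lets netifd bring the bridge up before the
        # first wireless client attaches; there are no wired ports
        option bridge_empty '1'

config interface 'guest'
        option proto 'static'
        option device 'br-guest'
        option ipaddr '192.168.10.1'
        option netmask '255.255.255.0'

# /etc/config/dhcp  (added example)
config dhcp 'guest'
        option interface 'guest'
        option start '100'
        option limit '150'
        option leasetime '12h'

# /etc/config/wireless  (added example; radio0 assumed to be 2.4 GHz)
config wifi-iface 'guest_radio0'
        option device 'radio0'
        option mode 'ap'
        option network 'guest'
        option ssid 'Guest'              # placeholder
        option encryption 'psk2'
        option key 'change-this-key'     # placeholder
        # client isolation: guests cannot talk to each other over the AP
        option isolate '1'
```

Apply with `/etc/init.d/network reload; /etc/init.d/dnsmasq reload; wifi reload`. Until the guest interface is placed in its own firewall zone, it is either unreachable (no zone) or, if dropped into the lan zone, has full access to the main LAN, so set the zone before handing out the Wi-Fi key.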

Thank you very much for this guidance.

I didn't understand the firewall section. I think I need to select the "allow forward" options. But in the drop-down list, wan and tun0 stay together. Don't I need a different wan which could be selected alone?

This image is what I see:

You need to separate the wan interface and the tun0 interface like this:


After that, forward the old LAN interface to wan and vpn, and the new guest LAN only to wan.
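The zone layout this post describes, as an added example rather than the poster's own configuration: tun0 moved out of the wan zone into its own vpn zone, a guest zone that only forwards to wan, and the lan zone forwarding to both. It assumes a guest interface named `guest` on 192.168.10.0/24 and that an OpenWrt interface named `tun0` (proto none, device tun0) exists, as the thread says it was auto-created. The defaults section and the stock Allow-* rules of the existing file stay unchanged.

```uci
# /etc/config/firewall  (added example; only the zone/forwarding part is shown)

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

# plain uplink: only the wan interface now
config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'

# VPN tunnel in its own zone, so forwardings can address it separately
config zone
        option name 'vpn'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'tun0'

# guest zone: no access to the router except DHCP/DNS, no access to lan
config zone
        option name 'guest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'guest'

config forwarding
        option src 'lan'
        option dest 'wan'

config forwarding
        option src 'lan'
        option dest 'vpn'

config forwarding
        option src 'guest'
        option dest 'wan'

# guests still need a lease and name resolution from the router
config rule
        option name 'Guest-DHCP'
        option src 'guest'
        option proto 'udp'
        option dest_port '67'
        option target 'ACCEPT'

config rule
        option name 'Guest-DNS'
        option src 'guest'
        option proto 'tcp udp'
        option dest_port '53'
        option target 'ACCEPT'
```

Two caveats. Zones only filter; which uplink a packet actually takes is decided by the routing table (or policy routing), so lan traffic reaches wan or vpn depending on the current default route. That also means `lan -> wan` doubles as a leak path: if tun0 goes down and the default route falls back to wan, main-LAN clients silently continue over the plain uplink. Drop the `lan -> wan` forwarding if the main network must never bypass the VPN.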

IMO I'm doing something wrong:

When I try to add a firewall zone, the allow-forward selection has the option of wan and tun0 stuck together :frowning:

Set it like this:


Leave input accept

I'm so sorry, but I'm not successful at this :frowning:

Maybe PBR is easier. It seems it routes specific IPs to wan or tun0. But I need to set iptables commands for these separately. Is this possible?

OK, let's start from the beginning. Which VPN provider do you use, and what guide did you follow to configure the router?

I couldn't find the guide, but I have installed OpenVPN and made the configs in LuCI. The tun0 interface was auto-created and I have uploaded my .ovpn file; the OpenVPN client connection is successful.

I have set rules for all outgoing packets in the iptables mangle table. This is OK too.

Now I need to separate wan from tun0, as I need a connection without the VPN too, but I also need to add custom firewall commands on it.

Maybe I should draw a diagram :slight_smile:

Please post your /etc/config/firewall

root@OpenWrt:/etc/config# cat firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'tun0'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled 'false'

config include
        option path '/etc/firewall.user'

This configuration sounds strange to me. I have never configured the firewall using the mangle chain, nor by bridging the wan and tun interfaces. At this point I don't know how to help you. The only thing I can do is post my network.conf and firewall.conf files so you can see if they help you.

Thank you for all your help.
I have tried PBR and it worked :slight_smile:
I set static IPs for some clients and selected wan for them. Now these use wan without the VPN. :+1:
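The policy-routing setup the thread settled on, as an added example (not the poster's file). It uses the vpn-policy-routing package named earlier in the thread; the option names follow that package's README and should be checked against `/etc/config/vpn-policy-routing` on the device, since the newer `pbr` package uses a different section name. The client address, MAC and main-LAN subnet (192.168.1.0/24) are assumptions.

```uci
# /etc/config/vpn-policy-routing  (added example)
config vpn-policy-routing 'config'
        option enabled '1'
        # keep a policy in force even when its gateway is down, so traffic
        # does not quietly fall back to whatever the default route is
        option strict_enforcement '1'

# whole guest subnet leaves via the plain uplink, never via tun0
config policy
        option name 'Guest network via WAN'
        option src_addr '192.168.10.0/24'
        option interface 'wan'

# one main-LAN client pinned to the plain uplink (the approach above)
config policy
        option name 'Printer via WAN'
        option src_addr '192.168.1.50'      # assumed address
        option interface 'wan'

# /etc/config/dhcp  (added example): the static lease that keeps
# 192.168.1.50 stable, otherwise the policy matches the wrong host later
config host
        option name 'printer'
        option mac 'aa:bb:cc:dd:ee:ff'      # assumed MAC
        option ip '192.168.1.50'
```

Apply with `/etc/init.d/vpn-policy-routing restart` and verify from a guest client that `curl -4 ifconfig.me` (or any "what is my IP" site) returns the ISP address, not the VPN exit. vpn-policy-routing implements the policies with fwmarks set in the mangle table; hand-written mangle rules that also set marks can overwrite its mark and silently undo a policy, so either drop them or check `iptables -t mangle -L -n -v` after a reload to see which rule wins.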