Setting up VPN client using OpenWrt as a client device

Another 2 steps forward.... I figured out that the only place the VLAN wifi wasn't working is the room with the Netgear managed switch - it was working fine on the APs connected to the unmanaged switches. I think the point that things broke is when I turned on the VLAN option and set the ports on the Netgear. I've now turned that back off off and installed the Unifi flex mini in front of it. All wifi now working again.

Problem now is that I can't see the C7 which is directly connected to the UDM - even when connected to the VPN wifi network. I have not yet set up the DHCP gateway on the UDM VLAN, so I have normal internet on the VLAN as expected. Just can't see C7 (which has a static IP of and gateway set at

Can you connect properly to the C7 when you are connected to VLAN2 (i.e. on the network)?

Cracked it.... Set the UDM port that the C7 is connected to to VLAN rather than All/Trunk and we're back in business. Dam this stuff will trip you up.

Yup... all in the details. Trunk is absolutely a workable means of connecting, but you'd have to set the C7 to expect tagged frames. Making it untagged, for your config, is probably the easiest option.

Well I'm connecting to the VLAN.
Getting served the gateway by DHCP.
Getting internet.....but not going over the VPN.
Seems like it's a firewall problem at this point? Which is weird because it was working before.
Might be time to call it a night.

do a traceroute from a client to some site on the internet (maybe or and let's see what happens.

Also verify that your VPN is up on the C7.

1 * * *
2 ( 4.894 ms 5.533 ms 4.728 ms
3 * * *
4 My ISP

So not going through after all.

Force renew the DHCP lease on the client. It probably hasn't yet picked up the new gateway assignment.

The gateway is set to so DHCP seems to work.
When I renew the lease it goes back to for about a second then changes to

Traceroute does now look better though:

  • ( 4.941 ms *
    2 ( 4.708 ms 4.717 ms 4.990 ms
    3 * * * ISP

But still not going through VPN.

Calling it a night. Thanks again for all your help. Tantalizingly close now!

You're really close now. It is hopefully now just the last bit of the config on the OpenWrt side.

When you resume, check the status of the VPN -- make sure the tunnel is up. If things are not working, please post your latest config files from the OpenWrt side (firewall and network).

Cracked it - disabled IPv6 on the C7 interfaces.

Phew! Too tired to understand what was happening but I think I'm there! Time will tell.

What a ride.


You're welcome. This was a fun one!

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.

Just remembered... I still have to have a crack at the PBR.... Tomorrow!!

So right now, the VPN side of things are working perfectly. If I connect to my VLAN I go out over the VPN with no DNS leaks and a working kill switch. :clap:

What's not working is any communication between the two subnets. I can't even see the C7 admin panel if I'm connected to the default subnet. So is that going to be a PBR setting, or a firewall tweak, or both, or something else?

traceroute to (, 64 hops max, 52 byte packets
1 ( 10.776 ms 3.736 ms 3.995 ms
2 * * *
3 * * *

I see there is a (default) firewall setting on the UDM to allow local traffic between subnets. I'm wondering if I need the same on the C7 but I'm not sure how to implement it (and maybe I'm wrong).

This could be both PBR and firewall, depending on the current state of your config.

I'm not the right person to advise on PBR settings, but broadly speaking you want to make sure that all traffic to does not go through the tunnel and instead uses the gateway.

WRT the firewall, make sure that all LAN traffic ( can reach I can review the firewall file for this, if you'd like.

On the C7 I have one LAN interface set to a static IP of with a gateway of to access the VLAN.

Should I create a second LAN interface for the network?

No. The OpenWrt router will send all of the traffic bound for to the defined gateway (, and then the UDM will route between the networks.

The key thing is to make sure you haven't prohibited that traffic flow via the OpenWrt (or UDM) firewalls and that you are setting PBR such that traffic for that subnet bypasses the tunnel. (unless you changed anything on the UDM between yesterday and today, you should be fine on that side).

I'm going round in circles with this and don't even know where to begin on the next (and hopefully final) step.

Here's where I'm at (as I see it):

  • Problem 1: When connected to the default network (192.168.1.x)...
    • I can ping and
    • I cannot ping
  • Problem 2: When connected to the VLAN (192.168.2.x)...
    • I can ping and
    • I cannot ping

The LAN firewall settings on UDM look like this:

That seems to make sense - allowing traffic in both directions between subnets.

The firewall settings on the C7 look like this:

Works perfectly for the VPN - but zero mention of the other subnet.

Finally, the options for adding a rule in PBR looks like this (note - I didn't save or enable this setting):

My assumptions:
Problem 1 requires a firewall adjustment on the C7 to solve.
Problem 2 requires a PBR adjustment on the C7 to solve.

My questions:
Do my assumptions sound right?
What adjustment should I make to the C7 firewall?
Does the sample PBR I created above look right?
Finally, should I create a new forum thread/topic for this problem?

This probably makes sense when the VPN is running. If you disable the VPN, you should be able to access

And this makes sense for sure if the VPN is active. In this situation, any device on the network will be sending traffic to the OpenWrt router which will then send it through the tunnel. This is where VPN PBR comes in to play.

Maybe, but probably not. Lets see your /etc/config/firewall file

So I'm not really an expert here on VPN PBR, but that rule looks generally good. I think you may want to add the local addresses to that rule.

Nope - still can't.

That rule works like a charm even without your modification! And it doesn't matter if the VPN is running or not. Either way, with the rule active I can ping and with it inactive I cannot.

One down one to go.

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config include
	option path '/etc/firewall.user'

config zone
	option name 'nordlynx'
	option output 'ACCEPT'
	option forward 'REJECT'
	option input 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wg0'

config forwarding
	option src 'lan'
	option dest 'nordlynx'