Ssh with openvpn/nordvpn service running - how to setup?

I am using openvpn/nordvpn on my router. Now I want to be able to ssh from over the internet into my router and a server connected to it. I did port-forwarding for both to the router and to the server. If I disable openvpn on the router, this works fine. But with openvpn enabled, I can't ssh into router or server. I understand that this is because packets are being sent over the vpn, but don't know how to configure so I can leave the openvpn enabled and at the same time ssh into my router and server from over the internet.

fr61,

Hello and welcome to this forum.
Did you also do the port forwarding in your modem, from WAN to inside your LAN? Which port from internet goes to ssh of your router?
Are OpenVPN and nordvpn not two different VPNs? Can they work together?

I don't use 'any' vpn, so setup etc. I don't know, but there's a lot of info in the wikis:

DG.

Hi DG,
thanks for your response.
My modem is in bridge mode to my openwrt router (asus).

I have openvpn package installed on openwrt router and from within openvpn connected to my nordvpn account. So all traffic from my router will be tunneled to the vpn server of nordvpn.

However this creates issues when ssh-ing from wan into my openwrt-router or the server behind the openwrt-router. What I think happens is that traffic/packets being sent back (from openwrt-router/server) to my ssh connection are being sent to/via the vpn server of nordvpn and not straight to the ip my ssh-connection is coming from. This causes the error, I think.
So for ssh connections from wan to my openwrt router and/or the server behind it, I want traffic/packets to NOT go through the vpn-tunnel. Not sure what the best way to do this is; how to configure it.

Again thanks for your reply and links to the wikis. It hasn't helped me any further though.

FR61

You can use a combination of ip rule and ip route to get ssh access to the router when the vpn service is active.
Then from the router you could ssh into the server.
It's not perfect, but it's better than nothing.

wan_IP="123.123.123.123"
wan_gw="123.123.123.1"

ip rule add from "$wan_IP/32" table 101 prio 1
ip route add default via "$wan_gw" table 101

If the wan IP address is dynamic, you need to find a way to update the ip rule/route when the settings change (a script could do the job).
If the address is static, you can create the rules using uci.

uci add network rule
uci set network.@rule[-1].lookup='101'
# double quotes, so the shell actually expands $wan_IP (single quotes would store the literal text)
uci set network.@rule[-1].src="$wan_IP/32"

uci add network route
uci set network.@route[-1].target='0.0.0.0/0'
uci set network.@route[-1].table='101'
uci set network.@route[-1].interface='wan'
uci set network.@route[-1].gateway="$wan_gw"
uci commit network
/etc/init.d/network restart

pavelgl,
thanks for your response. I am trying your solution, but haven't been able to make it work. I assume your "/32" refers to the ssh port the router is listening on, no?

no, it's the netmask for the WAN IP.

Okay, I tried with the /32 netmask. I can ssh into my router, but now ALL traffic is bypassing the vpn-service on my router. If I look up my ip in a browser it shows my isp wan ip and not the one of the vpn I am using. Even though the vpn service is running on my router.
I still want my vpn service fully functional/working for all traffic except for the ssh connection.
Maybe I am blind to something very obvious, but enlighten me :wink:

These rules only affect incoming connections to the router itself (via the wan interface) so that the reply is returned via the same interface.

There should be no impact on outgoing traffic through the vpn service.

Please run this and test again.

/etc/init.d/network restart; sleep 5 ;\
wan_IP=$(ifstatus wan | grep \"address\"\: | awk '{ print $2 }' | sed 's/[",]//g'); \
wan_gw=$(ifstatus wan | grep \"nexthop\"\: | awk '{ print $2 }' | sed 's/[",]//g'); \
ip rule add from "$wan_IP/32" table 101 prio 1; \
ip route add default via "$wan_gw" table 101
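Added example, not pavelgl's code and not part of the thread: the same rule and route wrapped in an OpenWrt hotplug script, so a dynamic WAN address is refreshed on every ifup instead of needing a manual re-run. It uses the network_get_ipaddr/network_get_gateway helpers from /lib/functions/network.sh rather than grepping ifstatus, and refuses to call ip(8) on an empty or malformed value (the failure mode behind the errors quoted further down); the file name and the function names are my own choices.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenWrt: re-create the
# "reply via WAN" rule and route (table 101) every time the wan interface
# comes up, so a dynamic WAN address never leaves a stale entry behind.
# Assumes OpenWrt's /lib/functions/network.sh and an interface named 'wan';
# the file name /etc/hotplug.d/iface/99-ssh-via-wan is a suggestion of mine.

TABLE=101
PRIO=1

# Accept only a plausible dotted-quad IPv4 address. An empty or malformed
# value is exactly what produces errors like "any valid prefix is expected",
# so refuse to run ip(8) on it.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    oldIFS=$IFS; IFS=.
    set -- $1
    IFS=$oldIFS
    for o in "$1" "$2" "$3" "$4"; do
        [ "$o" -le 255 ] || return 1
    done
}

# Print (do not run) the ip(8) commands for a given WAN address and gateway.
# Old rules pointing at table 101 are removed first, whatever address they
# carried, so repeated ifup events do not stack duplicates.
build_cmds() {
    is_ipv4 "$1" && is_ipv4 "$2" || return 1
    echo "while ip rule del table $TABLE 2>/dev/null; do :; done"
    echo "ip route flush table $TABLE"
    echo "ip rule add from $1/32 table $TABLE prio $PRIO"
    echo "ip route add default via $2 table $TABLE"
}

# Hotplug entry point: netifd sets ACTION and INTERFACE when it calls us.
if [ "$ACTION" = "ifup" ] && [ "$INTERFACE" = "wan" ]; then
    . /lib/functions/network.sh
    network_get_ipaddr wan_ip wan
    network_get_gateway wan_gw wan
    build_cmds "$wan_ip" "$wan_gw" | sh
fi
```

Afterwards `ip rule show` and `ip route show table 101` should list exactly one rule and one default route; outgoing LAN traffic is untouched because the rule only matches packets sourced from the WAN address itself.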

hey pavelgl,
thanks for the quick response again.

So first the result of your last suggestion:

Error: any valid prefix is expected rather than "/23".
Error: any valid address is expected rather than "".

(As you can see I changed the netmask from your /32 to my /23 as per the info on my router)

So here is what happens:

When I configured the router like you suggested in your first response to my question here, I can ssh into my router from wan (hotspot from phone on mobile internet). This works ok.

However, if I then use another device on my (home) network served by the openwrt router, and check my ip in my browser, it gives the ip address assigned by my isp; not the ip belonging to the vpn service I am running on that router.

This stays like this even if I disable the ip rule and ip route. Only when I delete them and reboot the router does the vpn service start working again as it is supposed to.

Just a quick update.

The above kept giving issues. After some more researching, and thanks to a tip from pavelgl, I stumbled upon a service/package for openwrt called "pbr" (policy based routing). I followed this link for instructions: https://docs.openwrt.melmac.net/pbr/#how-to-install

After I installed it I had hoped to just make one policy rule sending the ssh traffic from/to router & server (behind the router) over the ISP gateway instead of the default gateway (vpn tunnel). Unfortunately this didn't seem to work.
I had to create a little workaround.
I first changed the default gateway to the ISP gateway instead of the vpn-tunnel gateway. After that I made policy rule(s) in which I send all traffic from my local network(s) through the vpn-tunnel gateway. It did require making several policy rules.
I made a policy rule for the whole xx.xx.xx.0/24 network to be prerouted to the vpn-tunnel gateway. This works fine. Surprisingly, my router, which is in this network, can be accessed from wan by ssh without issues. So the vpn tunnel doesn't give issues here.

Now the ssh works as I would like... partly. I can now ssh from wan into my router, while I keep my vpn for connected devices working.
Unfortunately, ssh-ing into my server behind the router doesn't work from wan. At least not directly. I can, however, ssh into my router and from there ssh into my server.

Satisfied for now, but...

Still curious about a few things though. Wondering why it doesn't work when the default gateway is the vpn tunnel?

Final update. It all works as I want it to work. Let me share with whomever it interests or has the same challenge.

My ISP IP: 111.222.333.44
lan network: 192.168.8.0/24
On lan network:
wifi
server on 192.168.8.250 (static) on lan1 physical port openwrt router.
Installed on router: openvpn

So the suggestions made above by Pavelgl unfortunately didn't work for my router. So after some searching, and a tip also from Pavelgl, I stumbled upon policy based routing; a third-party package for openwrt. With this I managed to get it working exactly how I wanted. Now I can ssh from wan into my router AND also ssh from wan directly into my server (on .8.250). At the same time all other devices attached to the 192.168.8.* network have their traffic going through the vpn tunnel configured on the openwrt.

Here is how I accomplished that:

First I installed openvpn (and configured it for nordvpn) by following these instructions:

This got my vpn working on my router; the result is that the vpn tunnel is now the default gateway (and not the gw from the ISP; 111.222.333.1)

Next, I installed pbr on my openwrt router by following this set of instructions:

(NOTE: you will need to add a custom repo to your router following the instructions on GitHub/jsDelivr first before you can install the pbr package, as described in the above link)

After I installed the package I was hoping I could make 1 pbr-rule by having only my server's traffic (.8.250) sent over the ISP GW (111.222.333.1), but this didn't do the trick.

By reading https://docs.openwrt.melmac.net/pbr/#a-word-about-default-routing I decided to change the default gw to the isp gw 111.222.333.1

After that I made a pbr-rule:
Name: LanthroughTun
Local addresses/devices: 192.168.8.0/25
Chain: prerouting
Interface: nordvpntun

(NOTE: I use .0/25 and not .0/24; I'll explain below why)

This pbr-rule now sends all of my traffic from the .8.* network through the vpntunnel-gw.

At this moment I am able to ssh from wan into my router (.8.1) without any issues.

In the pbr-rule I put in .0/25 instead of /24; this results in the following situation:
ip's from within the range 192.168.8.0 - 192.168.8.128 will be sent over the vpntunnel-gw. Ip's in the range from .8.129-.8.256 will have their traffic go through the isp-gw 111.222.333.1. So traffic from 192.168.8.250 (my server) will go through isp-gw 111.222.333.1.

My server already had a static ip, so no issues there in case of a reconnect. For the dhcp server of my lan network I made a small adjustment:
I edited the lan interface by going to the dhcp tab and changed the following:
Start: 4
Limit: 120

This will take care of new devices that are connecting through my wifi to the 192.168.8.* network. They now will be assigned an ip in the range of 192.168.8.4-192.168.8.124, which is safely within the 192.168.8.0/25 range and hence traffic from these devices will be sent through the vpntunnel-gw.

The result is now that not only can I ssh from wan into my router (.8.1), but I can also directly ssh into my server (.8.250). At the same time all other attached devices send their traffic through the vpn tunnel.

I think the above is a clean solution for what I was aiming for, but maybe I am overlooking something very important; security-wise or otherwise. If so, please let me know.

Hope this solution can be of use to someone else.
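An added check, not part of the post above, in plain POSIX sh: it predicts which gateway a LAN host gets under the 192.168.8.0/25 policy rule described there, shows the exact last address the rule covers, and confirms that the DHCP pool (start 4, limit 120) stays inside that prefix. Function names are mine; the prefix and pool values are the ones from the post.

```shell
#!/bin/sh
# Added example, not from the thread: predict which gateway a LAN host gets
# under the /25 policy rule (VPN for 192.168.8.0/25, ISP gateway for the
# rest) and check that the DHCP pool stays inside the VPN half. Pure POSIX
# sh arithmetic, so it runs anywhere, not only on the router.

# Dotted quad -> 32-bit integer.
ip_to_int() {
    oldIFS=$IFS; IFS=.
    set -- $1
    IFS=$oldIFS
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad.
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Return 0 if address $1 lies inside prefix $2 (a.b.c.d/len form).
cidr_contains() {
    addr=$(ip_to_int "$1")
    net=$(ip_to_int "${2%/*}")
    len=${2#*/}
    mask=$(( (4294967295 << (32 - len)) & 4294967295 ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# Under the poster's setup: /25 members go out via the VPN tunnel, everything
# else (the server on .250 included) via the ISP gateway.
gateway_for() {
    if cidr_contains "$1" 192.168.8.0/25; then echo vpn; else echo isp; fi
}

# Highest address still inside the prefix, i.e. the exact policy boundary.
last_in_prefix() {
    net=$(ip_to_int "${1%/*}"); len=${1#*/}
    int_to_ip $(( net | ((1 << (32 - len)) - 1) ))
}

# OpenWrt DHCP 'start' is an offset from the network address and 'limit' the
# pool size; return 0 if the whole pool (start .. start+limit-1) is in prefix $3.
dhcp_pool_ok() {
    net=$(ip_to_int "${3%/*}")
    first=$(int_to_ip $(( net + $1 )))
    last=$(int_to_ip $(( net + $1 + $2 - 1 )))
    cidr_contains "$first" "$3" && cidr_contains "$last" "$3"
}
```

On the router itself, `ip route get 1.1.1.1 from 192.168.8.250 iif br-lan` is the live equivalent of gateway_for and should name the ISP gateway, while the same query from a .0/25 address should name the tunnel.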

should probably leave out/mask your public IP.

thanks frollic for your concern, but all IPs are redacted. ISP IP, not my public IP.

