STATIC ROUTE: vpn, dmz and intranet

Dear all,

I've a router running openwrt. I have a local network and a dmz with a webserver. I'm away from home and I'm stadying new features for when I return

I thought to start using a VPN.

My idea (I can't consider my self IT expert but I try to be intuitive) is to:

  • use the VPN connection as the default gateway of the intranet, router address
  • use the wlan GW only for the DMZ (I use DDNS and I think it won't works over vpn connections) router address

the routing howto shows how to route via VPN a single IP. What about routing a subnet?

IS it possible?
Does it make sense?
Any VPN service to suggest?


while your desired setup is not clear to me, i'm sure the vpn-pbr package and openvpn will satisfy your requirements.

what seems to trip people up, is the fundamentals around wlan and choosing the right underlying config for the policies to sit on top of.

basically, if you want to pbr "wlan" it needs to be isolated on L3. providing this exists, then try it and can come back with any specific issues you may have...

"DMZ" is ambiguous in the consumer router world because it has two meanings. The traditional "locked down subnet with specific one to one nat entries" and the simplified "NAT everything to somewhere"...


Thanks wulfy23 for ur time.

In the DMZ as I said I have we server and a Nas to work as cloud. This is an isolated network where I basically NAT port HTTP, HTTPS and SSH

For the intranet the concept is to bridge/route all the subnet via the VPN.

I'll take a look at the vpn-pbr how-to

Thanks a lot

I'll revert as soon as I'll have the chance of putting my hands around the router


1 Like

Apologies, if I had to clarify... and I am clear and understand your use of the formal definitions of DMZ and intranet.

The only real challenge ( vpn-pbr aside ) comes is when internal/remote-internal hosts attempt to access the dmz hosts over normal wan ( via dns )...

Someone implementing this for the first time will find that the traffic gets pumped into the VPN, which breaks things.

Depending on your desired traffic flows, this can be handled at a dns level and/or ip policy / mark level.

ciao @anon50098793,

I'm finally home and I'm already stack by the VPN setups.

At the moment my intention is to have 2 VPN

  1. VPN, tun with external server to be used by the LAN
  2. VPN, Tap to internal server

I'm going over this 2 tutorials:
OpenVPN basic
OpenVPN client

but not successfully. Do you have any hint? so far I've created 2 directories under /etc/openvpn where to store all relative files....

I've created 2 virtual interfaces to relate to the services

I keep digging around and work on these and help welcome. After this I'll be able to work on routing


I managed to setup the commercial VPN.
I'm now confused how to setup the firewall.

My first choice based on a guess is to forward the intranet traffic over VPN in input and output but in one post I've seen:
Out via VPN
In via Wan

Which is correct or most appropriate?

After the intranet will b surfing tunnelled via VPN I'll move on about DMZ settings


To minimize firewall setup, consider the VPN network as public and assign the VPN interface to WAN zone, otherwise perform the following:

ciao @vgaetera,

I created a firewall zone called VPN but still not really succesfull.
If I use the following config
LAN, -dest WAN&VPN, all accepted no masq no mss
WAN, -source LAN, input reject, output accept, forward reject, masq and mss
VPN, -source LAN, all accept, masq no mss

the intranet has internet and if I do traceroute to the first hop is always the PPPOE address and not the VPN IP

if I change LAN -dest VPN (remove dest wan) the router has internet but not the intranet

can't get my head around this issue...
Is it a problem or pre/postrouting? of Static route? NIC metric?

If I can support with the copy of some files please advise


To start the the reason why I hadn't internet after connecting to VPN it was just matter of latency from connection and new routing table.

The solution is VPN POLICY ROUTING. There is a dedicated thread.
After the packages are installed it is really straight forward to set rules.

Thank you all for helps

1 Like