VPN Connectivity Issues

Hi, here is a brief description of my system as it now stands (with thanks to the support I got from this forum).

LAN 10.0.0.0/24 managed by my Openwrt server

WAN_SFR is a 4G router from SFR on 192.168.0.0/24 (WAN port)
WAN_FREE is a 4G router from free on 192.168.1.0/24 (Converted LAN 4 port)
WAN_FBX is an ADSL router from free on 192.168.2.0/24 (Converted LAN 3 port. Future fibre connection)

Using mwan3 I am sharing the internet connections from all three supplies to my LAN connections. In addition there are a couple of direct connections to the routers (IP telephones on 192.168.1.65, freePop [TV] box on 192.168.2.80 as it needs IPv6 and I have not got that under control yet).

Everything is working fine and from my LAN I can access all four of the networks 10.0.0.0/24, 192.169.0.0/24, 192.168.1.0/24 and 192.168.2.0/24 to manage the various router settings.

The Openwrt server then runs an OpenVPN interface which is managed by mwan3 so that specific items on the network are forced to the VPN then shared across the three incoming internet connections. The VPN is a personal VPN on my VPS hosted in the cloud. It is managed via a webmin (and virtualmin) web interface on xxx.xxx.xxx.xxx:10000. Again this is all working fine with one exception.

If my main machine (iMac on 10.0.0.40) is not routed through the VPN I can access everything including my VPS and webmin interface.

If my main machine is routed (via mwan3) to run over the VPN I can access everything except my VPS and webmin interface.

It is not a DNS issue as it does not respond to either the domain name or the IP address.

I assume it is a routing issue and also that it is something to do with the VPN configuration (so this post may be best applied to the OpenVPN forum, but I thought I would start here).

Can anyone advise or suggest what I should do to get this last piece of the puzzle fitted?

TIA

Geoff

Have you tried to connect to VPS using tun IP?

Thanks ulmwind.

10.8.0.6 takes me to the luci interface on the LAN

10.8.0.1 takes me to a default apache server on my VPS

10.8.0.1:10000 takes me to webmin

So at least now I can see them when the VPN is running. However, it would be nicer to just be able to use my bookmarks based on domain names for the websites I have on that server. How do I set the VPN to allow this please?

For example I run a blog on a subdomain of the server and I cannot access that to work on. Even if I use 10.8.0.1/home/domain-directory it does not work.

Geoff

I do not think it is possible. OpenVPN modifies the routing table, so you would have to configure routes additionally, but in this case you can lose the benefits of the OpenVPN connection. It is much simpler to use private IP addresses.

Sorry ulmwind, I did not understand your reference to private IP addresses.

There must be a way to allow me to access the server on which the VPN server is running when using the VPN. I am sure I used to do it and I cannot believe that serious users of VPNs come out of the VPN in order to manage the server!

I assume I need to add a static route but do not know enough about it to know how to do it.

Can anyone else offer a suggestion?

Geoff

That will require three instances of the OpenVPN client, each bound to one of the ISPs. The VPN server would accept multiple incoming connections and issue them unique tunnel IPs within 10.8.0.X. Then use mwan3 to treat the VPN tunnels as WANs. Don't run mwan3 on the ISPs directly.

Any VPN tunnel should then have access to 10.8.0.1.

Hi mk24,

That does not appear to be the case for me. When I set it up I forced the TV to use the VPN and watched a programme. I then shut down all but one interface. The programme continued. I then added one and shut off the one I was using and the programme still continued. Every one of the interfaces, as I isolated them, simply picked up the VPN connection and ran with it.

Geoff

As mwan3 changed to drop the ISP that was down, OpenVPN client was able to re-link on a different ISP. The TV provider did not care about that, since it is linked to the VPS's IP which did not change.

When there is only one OpenVPN instance, all VPN traffic is going to go through one connection on the one ISP it is presently connected through, there is no load balancing.

Why not just work around the problem by creating two mwan3 rules?

config rule 'iMac_VPS'
        option use_policy 'wan_wan2_wan3'
        option src_ip '10.0.0.40'
        option dest_ip '1.2.3.4' #VPS IP address
        ...

config rule 'iMac_default'
        option use_policy 'vpn_only'
        option src_ip '10.0.0.40'
        option dest_ip '0.0.0.0/0'
        ...
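mwan3 evaluates its rules top to bottom and the first match wins, which is why the narrow VPS rule above has to sit before the catch-all default. The following script is an added example (not code from the thread or from mwan3 itself) that parses a UCI-style rule fragment, answers "which policy would this src/dest pair hit?", and flags rules that an earlier, broader rule makes unreachable. The sample text reuses pavelgl's two rules; the `proto 'all'` lines and the `1.2.3.4` VPS address are placeholders, and the matcher only implements src_ip/dest_ip/proto, not every option mwan3 supports.

```python
"""Evaluate mwan3-style rules in order (first match wins) for a given flow."""
import ipaddress
import re

# Constructed sample: the two rules suggested in the thread, with the
# elided options filled by a hypothetical 'proto all' so the block is complete.
SAMPLE_MWAN3_RULES = """
config rule 'iMac_VPS'
        option use_policy 'wan_wan2_wan3'
        option src_ip '10.0.0.40'
        option dest_ip '1.2.3.4'
        option proto 'all'

config rule 'iMac_default'
        option use_policy 'vpn_only'
        option src_ip '10.0.0.40'
        option dest_ip '0.0.0.0/0'
        option proto 'all'
"""

_SECTION = re.compile(r"^config\s+rule\s+'([^']+)'")
_OPTION = re.compile(r"^\s*option\s+(\w+)\s+'([^']*)'")


def parse_rules(text):
    """Parse 'config rule' sections into an ordered list of option dicts."""
    rules = []
    for line in text.splitlines():
        m = _SECTION.match(line)
        if m:
            rules.append({"name": m.group(1)})
            continue
        m = _OPTION.match(line)
        if m and rules:
            rules[-1][m.group(1)] = m.group(2)
    return rules


def _as_net(spec):
    """Turn a host or CIDR spec into a network; a missing spec matches all IPv4."""
    return ipaddress.ip_network(spec or "0.0.0.0/0", strict=False)


def select_policy(rules, src_ip, dest_ip, proto="tcp"):
    """Return (rule name, use_policy) of the first matching rule, else None."""
    for r in rules:
        rule_proto = r.get("proto", "all")
        if rule_proto not in ("all", proto):
            continue
        if (ipaddress.ip_address(src_ip) in _as_net(r.get("src_ip"))
                and ipaddress.ip_address(dest_ip) in _as_net(r.get("dest_ip"))):
            return r["name"], r["use_policy"]
    return None


def shadowed_rules(rules):
    """Names of rules that can never match because an earlier rule covers them.

    A later rule is shadowed when an earlier rule matches every protocol and its
    src/dest networks are supersets of the later rule's networks.
    """
    shadowed = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.get("proto", "all") != "all":
                continue
            if (_as_net(later.get("src_ip")).subnet_of(_as_net(earlier.get("src_ip")))
                    and _as_net(later.get("dest_ip")).subnet_of(_as_net(earlier.get("dest_ip")))):
                shadowed.append(later["name"])
                break
    return shadowed


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_MWAN3_RULES)
    print(select_policy(rules, "10.0.0.40", "1.2.3.4"))        # VPS goes out the ISPs
    print(select_policy(rules, "10.0.0.40", "93.184.216.34"))  # everything else via VPN
    print(shadowed_rules(list(reversed(rules))))               # reversed order hides iMac_VPS
```

Run it as-is to see the two lookups, then swap the two rule blocks in `SAMPLE_MWAN3_RULES`: `shadowed_rules` reports `iMac_VPS`, which is exactly the misconfiguration that would send the VPS traffic into the tunnel and reproduce the original symptom.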

Thanks mk24 (for both your responses), that makes sense for the VPN access to TV. So sharing the VPN needs a lot more work yet. Just to confirm, in response to your second post, the VPS is running Linux and is listening correctly (I can access the server via the 10.8.0.1 interface even when the VPN is running, but I cannot then access other sites).

However the issue at the moment for me is how to access my main server to administer it whether or not I am on the VPN.

Thanks for the rule suggestion pavelgl, but I am not sure how to apply it. I am not sure how or where to enter the rules, how to use them, or even if they solve my issue. I am usually not using the VPN on this main machine, but from time to time I do, if only to confirm everything is working OK. I either use mwan3 rules to force the iMac over the VPN or use an OVPN client on the machine itself. The results I get are different and as follows:

Rule Ping 10.0.0.1 Ping 192.168.0.1 Ping 192.168.1.1 Ping 192.168.2.1 Domain by IP Domain by Name
Mwan3 Load Balancing :heavy_check_mark: :heavy_check_mark: :heavy_check_mark: :heavy_check_mark: :heavy_check_mark:
Mwan3 VPN :heavy_check_mark: :heavy_check_mark: :heavy_check_mark:
Mwan3 Load Balancing plus Client VPN :heavy_check_mark: :heavy_check_mark: :heavy_check_mark:

I think the 192.168.2.1 issue is that I have not set up static routes for it whereas I have for the 192.168.0.1 and 192.168.1.1 so I think I can resolve that.

The problem is that I can either see the local gateways but not the domain on which the VPN is running OR I can see the domain on which the VPN is running but then cannot see the local gateways (except for the default LAN 10.0.0.1).

The admin interfaces of the VPS need to be listening on its wireguard interface 10.8.0.1, and if it has a firewall, those ports need to be allowed into it.

You never said what OS the VPS is running; obviously, if it is not OpenWrt that is outside the scope of this forum.