VPN on Dumb Access Point

Hey all, need to ask a question re. VPN on dumb access point, not sure if what I want to do is actually ok/possible…

I have a network already of 3 Linksys WRT3200ACM routers all with OpenWRT…

The first router is connected to my ISP modem, and I have VPNs from ExpressVPN installed on it that work great.

The other 2 routers are Dumb Access Points connect via Ethernet in a chain (so 1 connected via Ethernet to the first router, and then the third is connected via Ethernet to the second router.

I have just added yesterday a new Linksys WRT3200ACM as a fourth dumb access point, connected via Ethernet to the third router.

I want to have a different VPN connection on this fourth router, that would be different from the connection on the first router connected to the modem. I.e. I would like the first router to connect to the USA and the fourth one connected to UK.

I have now installed OpenVPN and configured an OVPN from express vpn on the fourth router.

However no matter what I do, the VPN from the first router connected to the modem, is overriding the VPN I setup on the fourth one. The internet continues to work just fine on it, just it still says I am in New York (what the first router is connected to right now) no matter what I change on the settings on the fourth router.

Is it even possible to do what I want to do with different vpn connections? And if so, what am I doing wrong? Hope this made sense/didn’t ramble…not sure how to explain it well :slight_smile:

you need to use pbr to exclude the ip of the 4th router from the first routers tunnel... (or something like that... assuming the clients are getting the right gateways downstream from the 4th router... you say it's a dumb ap so they typically don't run dhcp... which means they would be typically pointed towards the first router... where do clients get their gateway/dns from downstream from the 4th router? what are they set to?)


With a dumbAP you don't have any control over the traffic of the clients. Everything goes to the default gateway, which, in your case, is the 1st router. All traffic manipulations should be configured there.


Thanks for your help! Ok i added a policy to vpn policy routing, but it doesn’t seem to have made a difference…wondering if i configured it wrong? I’ve pasted below the config file for VPN PBR, the router i am trying to exclude is IP

config policy
	option name 'Plex Local Server'
	option interface 'wan'
	option src_port '32400'

config policy
	option name 'VPN Router'
	option src_addr ''
	option interface 'tun0'

config policy
	option name 'Plex Remote Servers'
	option interface 'wan'
	option dest_addr 'plex.tv my.plexapp.com'

config vpn-policy-routing 'config'
	option verbosity '2'
	option src_ipset '0'
	option ipv6_enabled '0'
	list supported_interface ''
	list ignored_interface 'vpnserver wgserver'
	option boot_timeout '30'
	option iptables_rule_option 'append'
	option iprule_enabled '0'
	option webui_chain_column '0'
	option webui_sorting '1'
	list webui_supported_protocol 'tcp'
	list webui_supported_protocol 'udp'
	list webui_supported_protocol 'tcp udp'
	list webui_supported_protocol 'icmp'
	list webui_supported_protocol 'all'
	option webui_enable_column '1'
	option dest_ipset '0'
	option webui_show_ignore_target '0'
	option enabled '1'
	option resolver_ipset 'dnsmasq.ipset'
	option webui_protocol_column '1'
	option strict_enforcement '1'

config include
	option path '/etc/vpn-policy-routing.netflix.user'
	option enabled '0'

config include
	option path '/etc/vpn-policy-routing.aws.user'
	option enabled '0'
1 Like

we will need to see a network map/diagram and be given a detailed explanation of what subnetworks and ip ranges are given to clients...


Forgive the awful pencil drawing but this is the map of what I have right now…and what I want to do:

  • Router no 1 connected to modem to have a vpn in USA

  • access points 3 & 4 ( & 94) to have vpn in UK

1 Like

cheers... 1 subnet...

do you want the VPN(uk) for routerAP's 3 and 4 to;

  • be started at the edge (router1) or
  • from a separate client within the network? or on those clients themselves?

  • most people will initiate multiple vpns at the edge router
  • assuming it has enough horsepower, this is the most flexible option as you can change things from a central place

  • it's also possible to have the vpn's (uk) on those clients themselves or via a separate internal host... ( which is what I assumed you were trying to do when I read the top post )

Thanks so much for your help! So if possible I would like to start the UK VPN on Access point 3, but it’s also ok if I have to start it from the first router…access points 3 and 4 are in a different part of our building, so it would be nice to keep it separated a bit but no problem if it can only be done from router 1…as long as the router 1 and access point 2 can have a different VPN from access points 3 and 4…

You either have to use routed AP or use vlans to separate the traffic from each dumbAP back on the main router.