VPN on second router and routes

Hi there,
I have configured a router with openvpn client, to connect to vpn at work, but it is not the main router.
The main router has mwan3 configured, its something like...


I want part of the network to be able to use the vpn router, but part of the network has to use the main router. This is possible? Or I have to create a second lan, behind the vpn router, so I can do this?

I can configure the vpn to run on the main router (both are openwrt), but I use a client certificate to connect to the vpn, and I think it's dangerous to leave my certificate on the router connected to the internet. If there is a safe option to use my certificate in the main router, I could use that instead.

Any ideas?


as you already have WAN#1 and WAN#2, you are familiar with routing decision, maybe PBR or similar
Maybe the best way is to make separate network for VPN router, this way, all of your LAN devices could have GW pointing on main OWRT and from there you will allow/deny passing traffic to VPN

Sorry, my english is poor, I didn't understand.

A separate network for VPN router, but my lan devices pointing to main OWRT?

At the moment I have static routes configured on main router, so my devices can see the vpn, but I don't want ALL devices to see it.