WiFi6 Always on VPN with Bridge/DHCP Help Needed

I have flashed OpenWrt 21.02-rc2 on my new Ubiquiti Unifi 6 Lite Access Point and have a few questions on perhaps an impossible setup.

I would like to plug my OpenWrt AP into my home ISP router to one of the Ethernet ports on the LAN side that uses DHCP and have all Wifi connections on the Unifi AP only use the VPN via OpenVPN to connect to my VPN provider. What I am trying to setup is a secure VPN only wireless access point that routes via the dirty home ISP router.

A couple questions for the experts:

  1. Do I need to bridge the Unifi AP running OpenWrt to the ISP router? This makes it easy to connect to the same network ( and removes a routing hop, but it seems I cannot use DHCP (must disable dnsmask in OpenWrt). Is it even possible to bridge and use DHCP when you plug in the AP to auto get the network info from the ISP home router?

  2. How do I force VPN only - with no leaks - on the AP? I have read several setup instructions but each one is a bit different or out of sync with the latest OpenWrt release. OpenVPN client is up and running fine with OpenWrt and it always creates a good tun0 on boot. When I ssh in and run a traceroute the connection is using the ISP gateway address and not the VPN connection.

  3. Off topic -- I am using an Intel AX210 WiFi 6E NIC in my laptop connecting to the new Unifi 6 Lite AP using WPA3 which works fine, but it always connects as a Wifi 5 connection (802.11ac) and never as WiFi 6 which both radios support. I should get a WiFi 6 link in OpenWrt 21.02-rc2 correct? Anything special needed for this to work?


  1. "Bridge" is transparent connection, so you should have single DHCP in one subnetwork.
  2. Do you want to SEPARATELY route traffic from AP into tun0, or to route ALL traffic from LAN? However for bridge configuration first one is not possible.
  3. I do not know.

I want to route ALL traffic from OpenWrt AP over tun0 VPN. Anything that connects to the OpenWrt WiFi should only go over tun0 no leaks. Transparent bridge makes anything connecting on the AP WiFi get an address/gateway from the ISP router's DHCP server. When I connect to the AP I want to get an IP/gateway from the VPN to have a direct pipe over VPN only.

You need to switch the OpenWrt to routed mode, not bridged.

Reset to defaults. Install openvpn and setup the tunnel. Make sure that default gateway is via the tunnel. Make sure you are using the vpn dns to prevent dns leaks.

1 Like

Why routed mode? Bridge exactly suffices.

OK, got it. Maybe he wants to run OpenVPN on AP.

OK, you should just configure OpenVPN on ISP router. See my manual on AirVPN site, and configure similarly: https://airvpn.org/forums/topic/20303-airvpn-configuration-on-openwrt-preventing-traffic-leakage-outside-tunnel/

Do your want to run OpenVPN on AP, or on ISP router?

If you look at the picture on the first post, under the OpenWrt 21.02 it mentions OpenVPN client.

1 Like

Yes correct I am running OpenVPN and works great always setting up my tun0. It seems that OpenWrt 21.02 when installed on the Unifi 6 Lite is automatically setup as a bridged-lan on install. I assume it is detecting the single LAN on the AP and no WAN port so it goes into bridged mode for the AP. I would need to undo auto br-lan mode and configure the AP as a router making my single Ethernet LAN port a WAN port to the AP WiFi radios and then routing all WiFi connections over tun0.

Seems like I am trying to bang a round AP into a square router here... (since the Unifi 6 is round :wink:) My goal was simply to keep my home ISP router with its dirty open internet access for my Netflix TV, and setup the extra AP as a pure/clean/safe VPN route for work.

That is correct, this is the default on single port devices.