OpenWrt Forum Archive

Topic: Create VPN specific WIFI network

The content of this topic has been archived on 22 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hi

I have a working OpenVPN connection configured with OpenWrt and I would like to only route traffic from a new WIFI SSID through the VPN tunnel and to have all traffic originating from the LAN and existing WIFI SSIDs routed through the already configured WAN network.

Is anyone able to help me understand how to write the FW rules?

I can see a lot of guides showing how to route all WAN traffic through the VPN tunnel, however I just want to selectively route traffic from one particular WIFI SSID and I can't get my head around how to do it!

Thanks
razorhazor

Using VPN as an alternative to the WAN makes it a dual WAN setup, and you may want to have a look at mwan3.

But mwan3 may not be necessary since OpenWrt supports IP rules. I currently use neither mwan3 nor plain IP rules, but I know it's easy to lock yourself out with IP rules, requiring a restart in failsafe mode. Therefore make sure that failsafe mode is working and that you have a backup of the config.

https://wiki.openwrt.org/doc/uci/network#ip_rules

Hey there.

I don't think "multiwan" is the path you want to follow, since you don't want to pass "general traffic" (originating from any device of your network and maybe even the router itself) through the VPN tunnel and apply failover or load balancing to it. Unless you want to do something in that area, multiwan is just too huge a monster to configure.

But "ip rules" using a secondary routing table is the way to go, just as mikma suggested.

https://forum.openwrt.org/viewtopic.php … 42#p244242
That's what I did a couple of years ago. My example doesn't create a secondary wifi for VPN traffic but only forces a single IP (that I configured statically in my DHCP server) of my default range. But it's enough for an example. Of course it's perfectly fine for you to set up a dedicated VLAN with its own IP range and a distinct wifi SSID on top of that.

The first code section (dealing with "ip route" and "ip rule") is necessarily created on a command line level (startup script). At least I don't know about a UCI way of doing this.

The second code section (with the "iptables") is pretty much the same as the link mikma gave you. So you can skip the command line section and add it to UCI instead, just as the link tells you.

Regards,
Stephan.
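As an added example (not code from this thread or from the linked post), here is what the two sections Stephan describes look like as a single OpenWrt startup script: the "ip route"/"ip rule" part that sends the VPN SSID's subnet into a secondary routing table, and the "iptables" part that NATs it onto the tunnel. The subnet 192.168.50.0/24, the interface names tun0 and eth0.2, and table id 100 are assumptions; adjust them to your setup.

```shell
#!/bin/sh
# Added example: policy routing for a VPN-only subnet on OpenWrt.
# Assumptions (not from the thread): the VPN SSID sits on its own subnet
# 192.168.50.0/24, the OpenVPN interface is tun0, the WAN interface is eth0.2,
# and routing table 100 is unused. Run as a startup script (e.g. from /etc/rc.local).
VPN_SUBNET="${VPN_SUBNET:-192.168.50.0/24}"
VPN_IF="${VPN_IF:-tun0}"
WAN_IF="${WAN_IF:-eth0.2}"
VPN_TABLE="${VPN_TABLE:-100}"   # secondary routing table id
DRY_RUN="${DRY_RUN:-0}"         # DRY_RUN=1 prints the commands instead of running them

run() {
    if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

# Remove any earlier copies of the rule so re-running the script stays idempotent.
clear_stale_rules() {
    while ip rule del from "$VPN_SUBNET" table "$VPN_TABLE" 2>/dev/null; do :; done
}

# The "ip route"/"ip rule" part: a secondary table whose only default route is
# the tunnel, selected for packets whose source is the VPN subnet. The main
# table (and therefore the LAN and the other SSIDs) keeps the WAN default route.
setup_policy_routing() {
    [ "$DRY_RUN" = "1" ] || clear_stale_rules
    run ip route flush table "$VPN_TABLE"
    run ip route add default dev "$VPN_IF" table "$VPN_TABLE"
    # Fallback entry with a worse metric: when tun0 goes down its route
    # disappears and VPN clients get "unreachable" instead of leaking via WAN.
    run ip route add unreachable default table "$VPN_TABLE" metric 1000
    run ip rule add from "$VPN_SUBNET" table "$VPN_TABLE" priority 1000
    run ip route flush cache
}

# The iptables part: NAT the VPN subnet onto the tunnel and refuse to forward it
# straight to the WAN, so a routing mistake cannot bypass the tunnel.
setup_firewall() {
    run iptables -t nat -A POSTROUTING -s "$VPN_SUBNET" -o "$VPN_IF" -j MASQUERADE
    run iptables -A FORWARD -s "$VPN_SUBNET" -o "$VPN_IF" -j ACCEPT
    run iptables -A FORWARD -s "$VPN_SUBNET" -o "$WAN_IF" -j REJECT
}

# Apply only when invoked with "apply"; sourcing the file just defines the functions.
case "${1:-}" in
    apply) setup_policy_routing && setup_firewall ;;
esac
```

Check the result with `ip rule show` and `ip route show table 100`, and test from a client on the VPN SSID that its public address is the VPN exit, not the WAN address.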

The discussion might have continued from here.