Routing through OpenVPN

texhead
DD-WRT Novice


Joined: 21 Sep 2017
Posts: 5

Posted: Thu Nov 16, 2017 0:01    Post subject: Routing through OpenVPN
Firstly I would love to learn how DD-WRT handles the networking and the associations between Ethernet, wireless and a VPN.



My setup:

R1. Wireless Modem Router issuing DHCP in 192.168.0.* range connected to cable network.

R2. DD-WRT on ASUS RT-AC68U (Wan to LAN on R1) with OpenVPN configured for ExpressVPN as client and this works for Ethernet and default wireless. DHCP issuing IPs in 192.168.1.* range.





My request:

1. Create second virtual wireless interface that does not go through OpenVPN.

2. Configure 1 or more Eth ports to not go through OpenVPN.



My reasons:

I want all of my network connected through the ASUS router R2 for sharing purposes.

The Hardware in the ASUS is better, especially the wireless.

I have devices that must go through the VPN and I have devices that need to bypass the OpenVPN. Both wireless and Ethernet connected devices.



Your thoughts would be appreciated, if you have any questions please ask.



Thanks
texhead
DD-WRT Novice


Joined: 21 Sep 2017
Posts: 5

Posted: Thu Nov 16, 2017 0:07
Sorry realised this should be in the Advanced Networking section.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12923
Location: Netherlands

Posted: Thu Nov 16, 2017 9:25
Yes it should be in the Advanced networking forum and perhaps one of the moderators wants to move it.

In the meantime, first create an unbridged VAP on your Asus.
See the attached document, in that document there are also references to @mrjcd's excellent guide and to Kong's

If you got that working, progress to the next step, which is Policy Based Routing.
With PBR you route clients through the OpenVPN by their IP addresses. For that, fill in the IP addresses in the PBR field of the OpenVPN GUI.
Use CIDR notation: https://www.ipaddressguide.com/cidr
E.g. if you want to route the single client 192.168.1.89 through the VPN, just fill in 192.168.1.89/32 in the PBR field.

Oh and disable SFE or use the patched SFE from @Quarksys

Check for IP, DNS and WebRTC leaks at www.ipleak.net



Attachment: DDWRT Virtual Access Point Public.doc (249 KB)


_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
texhead
DD-WRT Novice


Joined: 21 Sep 2017
Posts: 5

Posted: Thu Nov 16, 2017 22:12
Thanks egc,
Yes I have looked at this but I have a couple of questions.
I am not worried about internal security, every device should be able to share files between them.

1. Wouldn't this separate my devices so they wouldn't be able to communicate between them?

2. Is there a way to just use PBR to route packets from existing devices on the original wireless AP?

I want to keep it as simple as possible but it sounds like I have to have a separate subnet to route through the VPN.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12923
Location: Netherlands

Posted: Fri Nov 17, 2017 12:59
You must only use a separate subnet if you want the whole subnet routed through the VPN, this can be useful if you have one WIFI through the WAN and then the VAP through the VPN so when you switch wifi, you switch WAN c.q VPN.

But indeed clients can not see each other on different subnets (there are workarounds but not easy ones)

So if you do not want that, then do not use unbridged VAPs.
But give the clients you want to route through the VPN a static lease on the Services/Services tab and enter that IP address in the PBR field of the VPN client.
This is the easiest method.

And disable SFE otherwise PBR does not work (it is a bug, unfortunately the devs have not found the time to repair it although a patch is available)

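Added example, not part of any post in this thread and not DD-WRT code: an offline check of the "static lease plus PBR entry" method described above, flagging PBR entries that are malformed, outside the LAN, not pinned by a static lease, or that overlap the dynamic DHCP pool (where a device can end up on the wrong side of the VPN). The pool start and size, the host names and the whitespace-separated field format are assumptions; only 192.168.1.89/32 and the 192.168.1.* LAN come from the thread.

```python
import ipaddress

def audit_pbr(lan, pool_start, pool_size, static_leases, pbr_field):
    """Check a PBR list against static leases. All inputs are copied by hand
    from the router GUI; static_leases maps host name -> leased IP."""
    lan_net = ipaddress.ip_network(lan)
    first = ipaddress.ip_address(pool_start)
    pool = [first + i for i in range(pool_size)]        # dynamic DHCP range
    leases = {ipaddress.ip_address(ip): h for h, ip in static_leases.items()}
    nets, warnings = [], []
    for entry in pbr_field.split():
        try:
            # strict=True rejects host bits set, e.g. 192.168.1.20/24
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError:
            warnings.append(f"{entry}: not a valid CIDR block")
            continue
        if net.version != lan_net.version or not net.subnet_of(lan_net):
            warnings.append(f"{net}: outside LAN {lan_net}")
            continue
        nets.append(net)
        if not any(ip in net for ip in leases):
            warnings.append(f"{net}: no static lease pins a client to this block")
        # Pool addresses in the block go via VPN for whichever device gets them.
        loose = sum(1 for ip in pool if ip in net and ip not in leases)
        if loose:
            warnings.append(f"{net}: {loose} dynamic-pool address(es) included")
    via_vpn = sorted(h for ip, h in leases.items() if any(ip in n for n in nets))
    via_wan = sorted(set(leases.values()) - set(via_vpn))
    return {"via_vpn": via_vpn, "via_wan": via_wan, "warnings": warnings}

# Constructed sample data (hypothetical hosts, pool and extra PBR entries).
SAMPLE = audit_pbr(
    lan="192.168.1.0/24",
    pool_start="192.168.1.100", pool_size=50,
    static_leases={"mediabox": "192.168.1.89", "laptop": "192.168.1.20"},
    pbr_field="192.168.1.89/32 192.168.1.128/28 192.168.1.20/24",
)

if __name__ == "__main__":
    print("via VPN:", SAMPLE["via_vpn"])
    print("via WAN:", SAMPLE["via_wan"])
    for w in SAMPLE["warnings"]:
        print("WARN:", w)
```

A clean result here only says the list is consistent with the leases; the leak test at www.ipleak.net from each client is still the check of what the router actually does.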
All times are GMT
