User Tools

Site Tools


OpenVPN Client & Server (Simultaneously)

This article provides instructions on overcoming routing issues when running OpenVPN server and OpenVPN client on the router at the same time.

Why would you want an OpenVPN Server on your router?

The OpenVPN server running on your router can provide a secure connection to your home network while you're away. If you need to access the router itself or any of your home network devices from afar, the OpenVPN server is a great solution. More information on setting up an OpenVPN server is available in the following article: OpenVPN Server Setup.

Why would you want a OpenVPN client on your router?

You may want to run an OpenVPN client on your router to encrypt your connection to the internet and prevent your Internet Service Provider (ISP) from snooping on your traffic and DNS requests (which in some countries is now legal for ISPs to monetize) as well as meddling with DNS requests or HTTP traffic. In order to use an OpenVPN client on your router, you would need to obtain credentials to a corresponding OpenVPN server. Your connection to the OpenVPN server is encrypted, preventing your ISP from snooping/meddling on your traffic. A wide variety of commercial OpenVPN providers exist. Once you install/run an OpenVPN client on your router, it's best to route all your traffic via an OpenVPN tunnel.

What is the issue with running both OpenVPN Server and OpenVPN Client at the same time?

If you use the OpenVPN client on your router which sends all traffic by default over OpenVPN tunnel, you might have a problem setting up the OpenVPN server on the same router (because the OpenVPN server will receive the traffic on WAN gateway, but will send it out via OpenVPN tunnel which your remote device wouldn't expect). This article helps you overcome this issue.


  1. Follow the OpenVPN Server setup article here to set up an OpenVPN Server.
  2. Make sure that OpenVPN client on your router is configured with nobind='1' option.
  3. Install VPN Policy Routing package (and optionally luci-app-vpn-policy-routing). Enable the vpn-policy-service service from Web UI or uci command/config file.
  4. Run the following in the command line:
    uci set openvpn.vpnserver.proto='tcp'
    uci commit openvpn
    if [ -s /etc/config/vpn-policy-routing ]; then
      uci set vpn-policy-routing.config.output_chain_enabled='1'
      uci add_list vpn-policy-routing.config.ignored_interface='vpnserver'
      uci add vpn-policy-routing policy
      uci set vpn-policy-routing.@policy[-1]=policy
      uci set vpn-policy-routing.@policy[-1].comment='OpenVPN Server'
      uci set vpn-policy-routing.@policy[-1].interface='wan'
      uci set vpn-policy-routing.@policy[-1].local_ports='1194'
      uci commit vpn-policy-routing
  5. Create another firewall forwarding (in the code below replace the vpnclient with the firewall zone for your VPN Client, refer to the tail of /etc/config/firewall):
    uci add firewall forwarding
    uci set firewall.@forwarding[-1].src='vpnserver'
    uci set firewall.@forwarding[-1].dest='vpnclient'
    uci commit firewall
  6. Restart/reload the services:
    /etc/init.d/openvpn restart
    /etc/init.d/vpn-policy-routing reload
docs/guide-user/services/vpn/openvpn/serverandclient.txt · Last modified: 2018/06/26 16:52 by jw0914