User Tools

Site Tools


VPN Client & Server Simultaneously

This article provides instructions on overcoming routing issues when running VPN server and client on the router at the same time.

Why would you want a VPN server on your router?

The VPN server running on your router can provide a secure connection to your home network while you're away. If you need to access the router itself or any of your home network devices from afar, the VPN server is a great solution.

Why would you want a VPN client on your router?

You may want to run a VPN client on your router to encrypt your connection to the internet and prevent your ISP from snooping on your traffic and DNS requests (which in some countries is now legal for ISPs to monetize) as well as meddling with DNS requests or HTTP traffic. In order to use a VPN client on your router, you would need to obtain credentials to a corresponding VPN server. Your connection to the VPN server is encrypted, preventing your ISP from snooping/meddling on your traffic. A wide variety of commercial VPN providers exist. Once you install/run a VPN client on your router, it's best to route all your traffic via a VPN tunnel.

What is the issue with running both VPN server and client at the same time?

If you use the VPN client on your router which sends all traffic by default over VPN tunnel, you might have a problem setting up the VPN server on the same router (because the VPN server will receive the traffic on WAN gateway, but will send it out via VPN tunnel which your remote device wouldn't expect). This article helps you overcome this issue.


  1. Install VPN Policy Routing package (and optionally luci-app-vpn-policy-routing). Enable the vpn-policy-service service from Web UI or uci command/config file.
  2. Run the following in the command line:
    if [ -s /etc/config/vpn-policy-routing ]; then
      uci set vpn-policy-routing.config.output_chain_enabled='1'
      uci add_list vpn-policy-routing.config.ignored_interface='vpnserver'
      uci add vpn-policy-routing policy
      uci set vpn-policy-routing.@policy[-1]=policy
      uci set vpn-policy-routing.@policy[-1].comment='VPN Server'
      uci set vpn-policy-routing.@policy[-1].interface='wan'
      uci set vpn-policy-routing.@policy[-1].local_ports='<port_for_incoming_connections_to_your_VPN_server>'
      uci commit vpn-policy-routing
  3. Create another firewall forwarding (in the code below replace the vpnclient with the firewall zone for your VPN client, refer to the tail of /etc/config/firewall):
    uci add firewall forwarding
    uci set firewall.@forwarding[-1].src='vpnserver'
    uci set firewall.@forwarding[-1].dest='vpnclient'
    uci commit firewall
  4. Restart/reload the service:
    service vpn-policy-routing reload
This website uses cookies. By using the website, you agree with storing cookies on your computer. Also you acknowledge that you have read and understand our Privacy Policy. If you do not agree leave the website.More information about cookies
docs/guide-user/services/vpn/server_client.txt · Last modified: 2019/08/26 15:21 by vgaetera