Posted: Tue Nov 18, 2025 3:11 Post subject: OpenVPN from "Station Bridge" mode connecting but
My LAN setup involves two DD-wrt routers. The main router is a netgear r6700. The second router, the one I'm trying to run openvpn from, is set to Station Bridge on the 2.4ghz channel. It is effectively a wireless client for a VOIP phone and nothing more.
I have run with this setup for YEARS with no real issues. Today I decided I wanted to set up an openvpn client on the secondary router so my VOIP phone can tunnel straight to the service I use.
The openvpn server is self administered and successfully works with several clients, both windows and linux, including NAT'ed VMs. I know the server is not the issue.
OK back to the dd-wrt router. The client connects successfully. I can see the logs both server side and client side showing successful cipher negotiation, route pushing, MTU setting, etc. From the logs, you'd think everything was great.
As you can see I'm adding the following additional config:
verify-x509-name xxx name
redirect-gateway def1
verb 5
ip stuff
# ip rule show
0: from all lookup local
32762: from all iif br0 lookup 16802
32763: from all iif wlan0 lookup 16801
32764: from all iif lo lookup 16800
32765: from all iif lo lookup 16800
32766: from all lookup main
32767: from all lookup default
# ip route show
0.0.0.0/1 via 10.7.1.1 dev tun1
default via 192.168.1.1 dev br0
1.1.1.1 via 10.7.1.1 dev tun1
9.9.9.9 via 10.7.1.1 dev tun1
10.7.1.0/24 dev tun1 scope link src 10.7.1.2
10.7.7.0/24 via 10.7.1.1 dev tun1
10.7.11.0/24 via 10.7.1.1 dev tun1
10.9.1.1 via 10.7.1.1 dev tun1
10.10.2.1 via 10.7.1.1 dev tun1
127.0.0.0/8 dev lo scope link
128.0.0.0/1 via 10.7.1.1 dev tun1
185.xx.xx.xx via 192.168.1.1 dev br0
192.168.1.0/24 dev br0 scope link src 192.168.1.254
To be clear, the main home router is 192.168.1.1 and this station bridged router is 192.168.1.254.
I cannot reach anything on the 10.x.x.x routes, neither ping nor any other way. I can ping and reach the rest of the internet, but none of that is actually routing through the vpn as it should be. Even 1.1.1.1 and 9.9.9.9 are not routing over the vpn, which is odd. I would have expected those would fail to ping since there are explicit routes for them through the vpn.
It feels like maybe a metric issue where the real gw is getting precedence over the vpn.
Just for laughs, here's the old-fashioned route command output:
The fact that there are two entries for 0.0.0.0 and both have the same metric feels wrong to me, but I'm not certain.
Is this all because I'm using Station Bridged mode? If so, how can I set this router up to just act like a client on my LAN but also be a working openvpn client for the VOIP phone?[/b]
Joined: 18 Mar 2014 Posts: 13880 Location: Netherlands
Posted: Tue Nov 18, 2025 14:22 Post subject:
First of all I have never done this on a Station bridge connected router, I do anything to avoid that and use a cable or MoCA or powerline adapters.
That said I did set this up on a Wireless Access Point which is similar but connected by a cable and there are instructions for that in the OpenVPN Client setup guide which might point in the right direction.
The main problem is that everything connect to this router is just bypassing the router on its way to the main router.
The easiest solution is to add an unbridged interface with lan ports/wifi, everything connected to this unbridged interface will then go through the router and thus go through the VPN.
But just setting the gateway on your phone pointing to this router should also do the trick, all described in the guide.
OpenVPN guides are a sticky (first few sticky threads) in this forum
Thanks, egc. I did download the openvpn setup guide pdf, but did not see what you're referring to.
Anyway I had a hunch it was something like that. I was surprised that even ssh'd into the router, I could not route anything from the command line either.
I'll look for what you are describing in the guides though.
So I tried to follow your guide, but I was confused by several things.
• Disable WAN (already done)
• Set Local IP Address inside scope of primary router e.g. if primary router is 192.168.1.1 set WAP as 192.168.1.2 / 24 (I'm using .254 but same thing)
• Set Gateway and Local DNS to the primary router (already done)
• DHCP server Disabled (=off and NOT set as Forwarder!) (already done)
• Leave DNSMasq on (why? Not using DNS caching or DHCP here)
• Router kept in the default Gateway mode (the wiki says Router mode but do not do that, either it does not matter (this case) or break things) (not sure where this setting is located)
• Connect LAN <> LAN (do not use the WAN port unless you really need that extra port, for most routers traffic still must use the CPU so performance is lacklustre )
Is this a setting or just talking about cabling to a LAN port?
• I do not change the Firewall settings although you do not want a firewall, the Firewall is automatically disabled as there is no WAN, but it does not hurt to follow the wiki and Disable the Firewall anyway. (already had it disabled)
I told the VOIP phone to use 192.168.1.254 as a gateway and just assigned it an unused IP in the non-DHCP range (192.168.1.10) with sub mask 255.255.255.0.
With all that, the phone is online but still not using the VPN. I then tried to use 10.7.1.2 as a GW (the VPN IP assigned to the station bridged router) and gave the phone an IP of 10.7.1.100 with sub mask of 255.0.0.0. That knocked it completely offline.
I have no idea what to try now. Obviously the issue is the routing. What must I do? Something on the Advanced Routing page?
Joined: 18 Mar 2014 Posts: 13880 Location: Netherlands
Posted: Wed Nov 19, 2025 6:53 Post subject:
retry wrote:
So I tried to follow your guide, but I was confused by several things.
• Disable WAN (already done)
• Set Local IP Address inside scope of primary router e.g. if primary router is 192.168.1.1 set WAP as 192.168.1.2 / 24 (I'm using .254 but same thing)
• Set Gateway and Local DNS to the primary router (already done)
• DHCP server Disabled (=off and NOT set as Forwarder!) (already done)
• Leave DNSMasq on (why? Not using DNS caching or DHCP here)
• Router kept in the default Gateway mode (the wiki says Router mode but do not do that, either it does not matter (this case) or break things) (not sure where this setting is located)
• Connect LAN <> LAN (do not use the WAN port unless you really need that extra port, for most routers traffic still must use the CPU so performance is lacklustre )
Is this a setting or just talking about cabling to a LAN port?
• I do not change the Firewall settings although you do not want a firewall, the Firewall is automatically disabled as there is no WAN, but it does not hurt to follow the wiki and Disable the Firewall anyway. (already had it disabled)
I told the VOIP phone to use 192.168.1.254 as a gateway and just assigned it an unused IP in the non-DHCP range (192.168.1.10) with sub mask 255.255.255.0.
With all that, the phone is online but still not using the VPN. I then tried to use 10.7.1.2 as a GW (the VPN IP assigned to the station bridged router) and gave the phone an IP of 10.7.1.100 with sub mask of 255.0.0.0. That knocked it completely offline.
I have no idea what to try now. Obviously the issue is the routing. What must I do? Something on the Advanced Routing page?
Those instructions are for a wired router not for Station bridge.
A said I will never use Station bridge so have no experience with it, but there are analogies with a wired WAP, I would try to add the the firewall rules and see if that helps. But not sure this can/will ever work on a station bridge.
alright I might take another crack at it later this week...
Meanwhile I decided to set up openvpn on my main router and have it default to not send all traffic through. Then I added a few IP/CIDR entries to the PBR box.
Oddly this didn't work right. The internal servers became accessible via the pushed routes from the openvpn server, including to local PCs. But the custom routes from the PBR box were nowhere to be found. So I added the routes manually with ip add route x.x.x.x dev tun1 . Once I did that, it started working for my local PCs too.
And yet the VOIP phone on the station bridged router did not use the vpn at all. I saw it provisioning itself with my ISP IP (the provisioning server is one of the PBR routes I ended up manually adding with ip add route). And then after that, it failed to register at the SIP server domain and was thus unusable.
So that's weird too. That station bridged router is pure voodoo.
Is there another way I can use the 2nd wifi router to wirelessly connect my phone to the internet? If I were to use the Station mode (unbridged), and have the whole thing exist on a separate LAN subnet, how does one then route it to the main router for internet access? Then there's the WDS question. The main router is a broadcom chipset, and the secondary is atheros. It seems like WDS is out of the question or at least very risky.
I really just want the least steps possible to get the phone using openvpn, ideally not forcing my entire LAN to use it. I just want syntax and steps, not theory and abstract notions.
Funny you guys mention that, because I tried it earlier tonight but failed somehow. I didn't even get around to openvpn set up. I set the secondary to Station mode (not bridged). I changed its IP to 192.162.2.1 and created a DHCP range from 192.168.2.100 -- gateway set to 192.168.1.1 .
The wifi only has the SSID to go by. It never seemed to connect properly to the main router. I also added the static route to the main router but never got it to ping. I could see the routers connected on the wlan tab.
I must have messed up a setting somewhere. Where's the guide for this? I'm frustrated with all the guesswork. While this is technically 'advanced' routing, it's also fairly standard and vanilla for using this particular mode on a secondary wifi router.
In the end I had to cable in to the secondary router to restore station bridge setup to get the phone back online.
Joined: 13 Aug 2013 Posts: 7115 Location: Romerike, Norway
Posted: Wed Nov 19, 2025 13:34 Post subject:
Your Gateway address is wrong. It must be the same sub-net as the Interface. As you have no other router connected, leave it at 0.0.0.0. The wifi connecting to the main router will have an ip 192.168.1.x and gateway 192.168.1.1.
Your Gateway address is wrong. It must be the same sub-net as the Interface. As you have no other router connected, leave it at 0.0.0.0. The wifi connecting to the main router will have an ip 192.168.1.x and gateway 192.168.1.1.
From the Station setup instructions in the wiki:
Go to Setup->Basic Setup: if needed, change Connection Type to Static IP from "Automatic Configuration - DHCP"
Static IP allows easier access remote GUI, SSH, or telnet access is enabled under Administration
If the station router requires external management, go to Setup->Basic Setup, set the WAN port protocol as needed and enter info provided by your ISP. This is the setting that is bonded to the wireless interface.
In Network Setup set the Local IP Address to a different subnet from the primary host router (e.g. 192.168.2.1)
Set the Gateway address to the primary host router gateway or internet will not work (e.g. 192.168.1.1)
The device should be in GATEWAY Advanced Routing mode, not ROUTER, or Masquerade/NAT does not happen. (hmm maybe this is the part I got wrong?)
Tried it again with the advanced routing set to Gateway. Still didn't work. There's just no assignment of any route to/from 192.168.2.x/24 happening. If it's up to me to set up static routes on both routers, the instructions are totally unclear about it.
Alright finally success. I figured out everything that was wrong. There were several factors:
1) I did have to change Advanced routing to Gateway on the Station router
2) I also had to reenable the WAN interface on the basic setup, which was disabled under Station Bridged. That made everything so clear. 192.168.1.254 there and then 192.168.2.1 on the Local Network side.
3) I added a static route on the main router so I could reach resources on 192.168.2.x (like the phone's web UI)
4) I also had to allow remote access to ssh and the web UI on the secondary router (restricted to 192.168.1.x clients) to make everything finally accessible.
I set up openvpn again and now everything is working near perfectly.
There is ONE caveat, that maybe you guys can still help me with. The phone's provisioning server is on a subdomain with the same IP as the openvpn server. So when I go there, it goes outside the vpn. Is there a way I can make it use the vpn for everything but the actual establishment of the vpn itself (i.e. all traffic that isn't 1194 udp)?
