Can I setup a VPN on one wifi band only?

I have the Slate Plus (GL-A1300) travel router.

Can I setup a VPN (Open VPN Client) on one wifi band only?

For example, the 2.4Ghz band is normal internet and the 5GHz band routes traffic through the VPN.

I want to do this because I need the VPN on 90% of the time but other times I need internet access without the VPN. But going into the router settings each time to turn off the VPN is a pain. So I was hoping I could just have one band with VPN and one without, then switch between them as needed.

You might elaborate a bit on your use case.

It is common with a travel router that in some places (airports, Starbucks), you want all traffic to go down the tunnel. At secure places, like home or an Airbnb, you might want most traffic to out directly, and traffic to your office or home network to go over the tunnel. That is called split tunnelling. You can do that with two client configurations, turning on the one you want.

I believe you want the setup 2 networks within the GL-A1300. Most APs can do multiple SSID at the same time (think about normal SSID and guest network SSID). From that point of view, it is very much possible to setup 1 SSID without VPN and 1 SSID with VPN.

Stock OpenWRT can do that (as I do that on a much old AR-300M), but it requires a pretty amount of configuration. You need to setup another bridge-interface, configure DHCP on that bridge-interface, adjust firewall, adjust MWAN3’s rules/policies/routing, possibly reconfigure switch config (in case you want lan 2 to also be VPN only) and add another wlan-ap interface to both 2.4Ghz and 5GHz radio attached to the earlier.

On GL-inet’s firmware I have not tried to setup such a config recently; I do not believe GL-inet’s interface would not mangle such config sooner or later…

1 Like

@elorimer I travel while working and I use the router in my hotel and serviced apartments. Most of the time I am connected to WiFi and that is running internet through the VPN for security and to avoid traffic shaping. But sometimes I need a direct connection for better speeds or some other edge reason. That is why I wanted the second band (either 2.4GHz or 5GHz) to run without VPN and the other with the VPN. Or maybe I can emit a second WiFi signal altogether that does not run the VPN. Not sure what other details I can share about the use case, please let me know if you have more questions!

@groentjuh That does sound like a good solution. But I’m not sure how to set it up on GL-inet’s firmware. I tried enabling the guest 5GHz Guest WiFi but I’m not sure how to turn on/off the VPN just for that SSID. Doesn’t seem possible with the GL-inet settings interface but I could be wrong. The other option is to use the Stock OpenWRT as you describe but that sounds way too complex for me to figure out.

The devices in the guest wifi have a different IP-range. You can setup VPNs to only route specific IPs into the VPN connection. I would suggest you try to do that!

Solution #1: create two vpn client configurations, one with a pull-filter ignore redirect-gateway command. When you want to run direct, use that configuration; when you want everything to go through the tunnel, use the other.

Solution #2: as @groentjuh said, with 4.2.1 software, use VPN policies and either devices or subnets, so the guest wifi subnet does/does not go through the tunnel, and the other wifi does/does not go through the gateway (I’ve stuck with #1, haven’t tried #2.

Honest answer? Use 2 separate travel routers, one for VPN, one for regular network. Trying to do both on one is technically possible, but it’s not easy to configure, and there are a lot of possibilities for leaks and problems in configuration. It’s a lot easier to just have a separate VPN device. You can piggy-back them if you like but separate physical devices for the two SSIDs and configurations.