Error bypassing VPN on Flint 2 and Velica

(see image for diagram of current network setup)

I need specific devices on the Velica wireless network to bypass the VPN on the Flint 2 for specific websites. Ideally they would still use the custom DNS.

This would mean only certain devices on the network should be allowed to bypass the VPN for specific websites.

In this case, let’s say a phone, laptop, and TV need to connect to Netflix using a specific IP address assigned by ISP 2. The desktop would still use the VPN.

I tried doing this with ‘VPN Policy Base on the Target Domain or IP’ on the
Flint 2, but each device still reported using the IP address of the VPN. Clearing DNS cache and restarting all devices didn’t work. ‘Block Non-VPN Traffic’ is turned off.

The clients in the Velica network are not displayed in Flint 2, of course. Not sure if there’s any way to change that (but would be useful to).

Flint 2 is on firmware v4.5.4
Velica is on firmware v3.216

Help would very much be appreciated - I’ve been trying to figure this out for hours!


This does not work. For using VPN policies based on domain they have to use the DNS server on the Flint2.

Will the Velica run as a bridge or as a router (so new network for the Wi-Fi connected devices)?

Thank you, that’s very helpful to know. I’ve made the modifications.

As far as I know, it’s only possible to use Velica as a router. That’s how it’s currently set up. Connected by DHCP to the Flint 2.

All I need from the Flint 2 is its ability to run a high-speed VPN connection, create policies based on that (meaning it would have to see all clients connected to Velica), and to utilise both ISP connections. The rest can be handled by the main Velica hub.

If that’s the case this could be difficult. At least it would explain why you don’t see clients on the Flint2, guess NAT is active on the Velica.

In that case client based VPN will not work since the MAC address will never reach the Flint2.

Unfortunately I don’t know much about the Velica, so I am not aware what you could modify to get it work. If there is some access point mode instead of routing, this would be worth a try.

As @alzhao said:

Without being more specific, I’m assuming that means there are no other ‘modes’ to choose from. Nothing indicates Velica can be used as anything other than a router, and I have all sorts of errors when I assign Flint2 and Velica the same LAN address.

What do you think my options are for all devices being able to bypass VPN for specific websites?

I’m not sure what the issue here is. I don’t understand why the websites are still reporting I’m using a VPN. I’m using custom DNS on Velica instead of Flint2 now, but it wasn’t working when custom DNS was on Flint2 either.

Can’t the Velica just be run as a bridge/AP/Mesh-mode & let the Flint v2 do all the heavy lifting? Off the cuff I’d think it’d be along the lines of ensuring only the Flint v2 handles DHCP & DNS.

NVM; bridging not GL supported. Ouch.

That would’ve been ideal, but you’re right, it’s not supported. I think I’m going to try flashing one of the BL2200 Velica routers with OpenWrt and see if I can turn on AP mode with fast roaming. Then link them all together manually.

Always open to suggestions, and I’d definitely like to hear other ideas.

I got nuffin ATM but please let us know how flashing vanilla OWRT goes; be aware there may be some hit to preformace depending on how deep the Velica uses closed source SDKs.

update -

No success with flashing vanilla OWRT. I tried several methods, but bricked the device each time.