Multiple VPNs on one router - possible?

I just purchased a Slate AXT1800 device. I plan to use it mainly as a repeater with VPN for geo-unblocking streaming video content. My streaming devices are set up so that they are region specific, i.e., I have one for watching US content, another for UK content, and so on.

I wondered if, instead of needing to switch between VPNs when I switch between my streaming devices, if the Slate AX can handle running more than one VPN at a time? If so, is there any way to specify that a certain device should be connected to a particular VPN? I have multiple VPN subscriptions from different providers.

Thank you in advance for any suggestions on this topic!

I don’t know if option 2. Policy Mode, would do the job. But it may be limited to only one VPN. You would need to investigate this further.

Thanks for that very helpful suggestion! I looked at 2. Policy Mode but I see that it specifies that “Only one VPN client instance can be activated.”

I wonder about 3. Route Mode. Under Customize routing rules, it says “You can manually configure routing rules for each VPN client instance.” Sounds maybe possible, but I have no idea what would be involved!

How ‘bad’ do you want this ability? It can be done but it’ll require ripping out the GL GUI firmware & have a performance hit against the GL advertised 550 Mbps WG max speed… but it can be done. I have a router running ‘pure’ OpenWrt 23.05.x w/ 4 simultaneous/active WG endpoints, domain name dependant.

GL doesn’t support this capability out of the box. You’ll be going ‘out of support’ but you could always re-flash the official firmware if you so desire to revert to stock.

1 Like

@somerset_m Here is a post on the OpenWrt forum on this exact topic.

“VPN Policy-Based Routing” is superseded by stangri’s Policy Based Routing (PBR). VPN PBR is unsupported now. Regardless it’ll end up causing massive firewall/routing conflicts if you mix it in to the GL GUI & its backend… which is why I state the need for vanilla OWRT.

Stangri also states OWRT 23.05 is required to have full compatibility w/ the package.

Thank you both for those comments! I’ll need to do some more research on this. I had hoped that maybe this capability was available through Luci or similar (I see the VPN Policy-Based Routing article mentions luci-app-vpn-policy-routing).

I’m not sure about changing the firmware to OpenWrt. I bricked a good router some years ago trying to do something similar and learned my lesson!

Unfortunately since GL uses their own private vpn software you might get into conflict with the wireguard software for vanilla OpenWrt (luci-proto-wireguard) if you plan using wireguard.

Though maybe it can be done by completely removing any setting to GL for vpn and then using the luci-proto-wireguard to set it up.

You can use stangris pbr package even if you would like to use it with GL wireguard and policy routing, for that you have to change the vpn policies in GL UI to manual routing so PBR can replace it, this is how i run it at the moment but it can also break unexpectedly :+1:, this however for your use case with multiple servers is not possible.

But for vanilla openwrts vpn, GL UI is out of the window for the vpn so are the GL vpn policies.

Edit

I wrote about servers but this also count alot about clients too :+1:

They do? I doubt it.

On the base, it’s still a normal wireguard application. You can even run it manually via SSH.
They just created an overlay for easier management.

2 Likes

If you check the configuration its different than vanilla, but the protocol is also set to unmanaged.

In vanilla openwrt wireguard peers and data are inside the network config, but in gl its in a different configuration.

The main wireguard is the same, but scripting around it as implementation is different.

1 Like

Exactly. Peer configuration isn’t quite as ‘seemless’ compared to using vanilla OpenWrt.

It’s really all Peer to Peer in WG; Client/Server is just easier for people to grasp so that convention carried over.

@somerset_m

You’re already running OpenWrt… just with the addition of a closed source SDK & a custom interface. OWRT’s LuCI interface is already running on it (GL GUI → System → Advanced Settings).

So again it’s a question of how bad do you want it?

1 Like

You make a really good point. The answer is: badly enough to do some research and tinkering but not badly enough to spend whole weekends experimenting with settings. It has occurred to me that I could achieve the same result by simply buying another couple of the entry-level canary routers and dedicating each to a different VPN.

Thanks for the wonderful responses! I’ll look into these suggestions and see if I can figure out a way forward.

2 Likes

Well now… I’d hate to see you give away more of the sweat of your brow in this wretched economy! So hear me out…

Good man; that’s all I need to hear. Why not test PBR before committing it to your Slate AX? Here’s the HOW-TO I followed to get OpenWrt virtualized into Orcale VIrtualBox. The guide mentions OWRT 19.07 but the steps apply for the current release, 23.05, too. 23.05 is required for proper PBR use.

(FYI: As of v23.05 the default firewall/routing engine changed from iptables to nftables. PBR manages the routing tables for you via its GUI… & nftables is the recommended engine for proper feature support.)

A nice thing about Vbox is the ‘snapshot’ feature… so if something goes seriously sideways it’s a couple clicks to revert it.

Then decide if you want to replicate everything ‘on the metal’ using’s @solidus1983 's vanilla build for the Slate AX.

ps/ I can tell you PBR works as expected w/ eight (8) active WG client connections. :wink: