2 wifi network with VPN configuration

Hello everyone, I have a small problem and I hope someone can help me.
I have a TD-W8970 with OpenWrt 18.06. I would like to create 2 Wi-Fi networks:
wifi1 -> for browsing without VPN
wifi2 -> for browsing with VPN

I have OpenVPN correctly installed, and with wifi2 I can browse the internet. The problem is with wifi1: with my current configuration I can't browse at all.

Here is my configuration. Can someone tell me where I went wrong?
Network


# /etc/config/network as first posted (OpenWrt 18.06 UCI syntax).
config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd6d:2980:e639::/48'

# ADSL: a bridged ATM PVC 8/35 exposed as dsl0; PPPoE runs on top of it (see 'wan').
config atm-bridge 'atm'
        option payload 'bridged'
        option nameprefix 'dsl'
        option vci '35'
        option vpi '8'
        option encaps 'vc'

config dsl 'dsl'
        option annex 'a'
        option tone 'av'
        option ds_snr_offset '0'

# WAN uplink. peerdns '0' discards the resolvers the ISP pushes over PPPoE; the two
# 'list dns' entries are used instead. The same two addresses are also configured as
# dnsmasq upstream servers in /etc/config/dhcp below. PPPoE credentials are placeholders.
config interface 'wan'
        option ifname 'dsl0'
        option proto 'pppoe'
        option username 'username'
        option password 'password'
        option ipv6 '1'
        option peerdns '0'
        list dns '103.86.96.100'
        list dns '103.86.99.100'

config device 'wan_dev'
        option name 'dsl0'
        option macaddr 'e8:94:f6:5e:0d:8d'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

# VLAN 1 is tagged towards the CPU (port 6t), but no interface in this revision uses
# eth0.1: neither LAN below has an 'ifname', so only wireless clients reach them and the
# wired ports are not attached to any network.
config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 2 4 5 6t'

# "Protected" LAN: clients on 192.168.1.0/24 are intended to leave through the VPN
# (the firewall only forwards zone 'lan_prot' to 'ovpnfw').
config interface 'lan_prot'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'

# tun0 is created and addressed by the OpenVPN client, not by netifd; 'proto none'
# only registers the device so the firewall can place it in a zone.
config interface 'ovpn'
        option proto 'none'
        option ifname 'tun0'

# "Unprotected" LAN: clients on 192.168.2.0/24 are intended to use the plain WAN.
config interface 'lan_unprot'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'

Firewall


# /etc/config/firewall as first posted.
# Zones defined in this file: wan, lan_prot, lan_unp, ovpnfw. The stock Allow-IPSec-ESP
# and Allow-ISAKMP rules further down still refer to a zone named 'lan', which is not
# defined here.
config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
# Router INPUT defaults to ACCEPT (the 'wan' zone overrides it to REJECT); forwarding
# between zones is denied unless a 'config forwarding' entry allows it.

# WAN zone: NAT enabled, nothing may reach the router or be forwarded unless a rule
# below explicitly allows it. 'wan6' is not a named interface in the network config;
# presumably it is the IPv6 alias that 'option ipv6 1' on 'wan' creates -- confirm.
config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6'

# Stock OpenWrt 18.06 rules for the wan zone.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# NOTE(review): 'dest lan' names a zone that does not exist in this file (the LAN zones
# are 'lan_prot' and 'lan_unp'). fw3 should warn about and skip a rule whose zone is
# undefined, so these two stock rules are expected to have no effect -- confirm in the
# firewall log. If inbound IPsec is not needed, dropping them is the cleaner option.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# Custom iptables rules from /etc/firewall.user are not shown in this post.
config include
        option path '/etc/firewall.user'

# Zone for the protected LAN. The router accepts its traffic (input ACCEPT); forwarding is
# governed by the 'config forwarding' entries at the end of the file.
config zone
        option forward 'REJECT'
        option output 'ACCEPT'
        option name 'lan_prot'
        option input 'ACCEPT'
        option network 'lan_prot'

# Zone 'lan_unp' covers network 'lan_unprot'. Rules and forwardings must use the zone name
# ('lan_unp'), not the network name -- see the forwarding entries at the end.
config zone
        option output 'ACCEPT'
        option name 'lan_unp'
        option input 'ACCEPT'
        option network 'lan_unprot'
        option forward 'REJECT'

# VPN zone on tun0: traffic leaving through the tunnel is NATed (masq '1') and nothing
# arriving from the tunnel side may reach the router itself (input REJECT).
config zone 'openvpn'
        option forward 'REJECT'
        option network 'ovpn'
        option output 'ACCEPT'
        option name 'ovpnfw'
        option masq '1'
        option mtu_fix '1'
        option input 'REJECT'

# DNS and DHCP towards the router from the protected LAN. With input ACCEPT on that zone
# these are already allowed; the rules are harmless but redundant.
config rule
        option enabled '1'
        option target 'ACCEPT'
        option proto 'tcp udp'
        option dest_port '53'
        option name 'LanProt-DNS'
        option src 'lan_prot'

config rule
        option enabled '1'
        option target 'ACCEPT'
        option proto 'udp'
        option dest_port '67-68'
        option name 'LanProt-DHCP'
        option src 'lan_prot'

# NOTE(review): the next two rules have no 'src' (and the first has no 'name'). A rule
# with neither src nor dest is applied by fw3 to the router's own OUTPUT chain, not to
# traffic from the unprotected LAN; presumably "option src 'lan_unp'" was intended, as in
# the LanProt-* rules above.
config rule
        option enabled '1'
        option target 'ACCEPT'
        option proto 'tcp udp'
        option dest_port '53'

config rule
        option enabled '1'
        option target 'ACCEPT'
        option proto 'udp'
        option dest_port '67-68'
        option name 'LanUnProt-DHCP'

# Forwarding tunnel -> WAN: lets packets that arrive from the VPN side be forwarded out
# the WAN (and NATed). For a client-only tunnel this is not normally required; if nothing
# on the provider side is meant to reach the WAN through this router, it can be removed.
config forwarding
        option dest 'wan'
        option src 'ovpnfw'

# The only forwarding from lan_prot is into the tunnel zone, so protected clients have no
# path to the WAN while the tunnel is down (default forward policy is REJECT).
config forwarding
        option dest 'ovpnfw'
        option src 'lan_prot'

# NOTE(review): 'lan_unprot' is the network name, not a zone name; this entry does not
# match any zone and should have no effect. The entry that actually allows the
# unprotected LAN out to the WAN is the next one (src 'lan_unp').
config forwarding
        option dest 'wan'
        option src 'lan_unprot'

config forwarding
        option dest 'wan'
        option src 'lan_unp'

dhcp


# /etc/config/dhcp. One dnsmasq instance serves both LANs and forwards upstream to the
# two 'list server' entries; because noresolv is '0', resolvers collected in
# /tmp/resolv.conf.auto (the WAN 'dns' list) are used as well. rebind_protection '1'
# rejects upstream answers that point into private ranges and localservice '1' answers
# only hosts on directly attached subnets.
config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option noresolv '0'
        list server '103.86.96.100'
        list server '103.86.99.100'

# No DHCP service on the WAN side.
config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

# DHCP pools for the two LANs (.100-.249, 12h leases). Neither pool carries a
# 'dhcp_option' 6 override, so clients presumably receive the router's own address as
# their resolver (OpenWrt default) and all client DNS goes through the dnsmasq above --
# confirm with a lease on a client.
config dhcp 'lan_prot'
        option start '100'
        option leasetime '12h'
        option limit '150'
        option interface 'lan_prot'

config dhcp 'lan_unprot'
        option start '100'
        option leasetime '12h'
        option limit '150'
        option interface 'lan_unprot'

Wireless

# /etc/config/wireless: one 2.4 GHz radio carrying two SSIDs, one per LAN.
config wifi-device 'radio0'
        option type 'mac80211'
        option channel '11'
        option hwmode '11g'
        option path 'pci0000:00/0000:00:00.0/0000:01:00.0'
        option htmode 'HT20'
        option country 'US'
        option legacy_rates '1'

# Both SSIDs below use the same PSK and 'psk-mixed' (WPA-PSK/WPA2-PSK mixed mode, which
# also admits WPA1/TKIP clients). With a single shared key the "protected" and
# "unprotected" segments are separated only by which SSID a client picks, not by
# credential; giving each SSID its own key (and 'psk2' where the clients support it)
# keeps the two segments genuinely apart.
config wifi-iface 'default_radio0'
        option device 'radio0'
        option mode 'ap'
        option encryption 'psk-mixed'
        option key '1234678912345678'
        option ssid 'GiGaNet_Prot'
        option network 'lan_prot'

# Second AP (anonymous section, no section name) attached to the unprotected LAN.
config wifi-iface
        option device 'radio0'
        option mode 'ap'
        option encryption 'psk-mixed'
        option key '1234678912345678'
        option ssid 'GiGaNet_Unp'
        option network 'lan_unprot'

There is only one "default" route in a standard Linux routing table and routing is primarily done by destination address. You need to be able to specify the desired route by topology (which interface the packet came in) or source address. In the OpenWrt community, this is often called "policy-based routing"

https://forum.openwrt.org/search?q=policy-based%20routing

Some technical details at https://openwrt.org/docs/guide-user/network/ip_rules


Vpn client on seperate wifi network, no vpn on the other - #6 by vgaetera


Thanks for the advice. I used "VPN Policy-Based Routing" and this is my configuration:

Everything seems to work, but I have a strange problem and I haven't found the solution.
With both networks I can browse, but if I choose the network without VPN, I can't open some sites. An example is Netflix: I have access from the VPN network and no access from the network without VPN.

I tried a ping and a traceroute:

ping netflix.com

Esecuzione di Ping netflix.com [192.145.127.194] con 32 byte di dati:
Risposta da 192.145.127.194: byte=32 durata=60ms TTL=52
Risposta da 192.145.127.194: byte=32 durata=52ms TTL=52
Risposta da 192.145.127.194: byte=32 durata=51ms TTL=52

Statistiche Ping per 192.145.127.194:
    Pacchetti: Trasmessi = 3, Ricevuti = 3,
    Persi = 0 (0% persi),
Tempo approssimativo percorsi andata/ritorno in millisecondi:
    Minimo = 51ms, Massimo =  60ms, Medio =  54ms
tracert netflix.com

Traccia instradamento verso netflix.com [192.145.127.194]
su un massimo di 30 punti di passaggio:

  1     1 ms     1 ms     1 ms  OpenWrt.lan [192.168.2.1]
  2     *        *        *     Richiesta scaduta.
  3    24 ms    24 ms    24 ms  172.17.152.122
  4    27 ms    27 ms    27 ms  172.17.154.0
  5    33 ms    33 ms    34 ms  172.19.184.124
  6    38 ms    36 ms    38 ms  172.19.177.48
  7    55 ms    51 ms    52 ms  172.19.177.4
  8    48 ms    49 ms    49 ms  etrunk49.milano50.mil.seabone.net [195.22.205.116]
  9    47 ms    47 ms    49 ms  ae10.milano58.mil.seabone.net [195.22.208.117]
 10    53 ms    60 ms    56 ms  no-description-configured.milano58.mil.seabone.net [93.186.128.99]
 11    84 ms    89 ms    75 ms  xe-0-0-44-0.agg2.mil1.it.m247.com [77.243.185.143]
 12    55 ms    53 ms    54 ms  vlan2906.as06.mil1.it.m247.com [212.103.51.9]
 13    52 ms    52 ms    55 ms  192.145.127.194

But in the browser I don't receive any data. What can I check?

Did you have access to this site without the VPN configuration?

Yes. Without the VPN configuration and the VPN Policy-Based Routing configuration I have access. Also with the VPN configuration I have access to Netflix (Netflix is only a real-world example).
Only if I connect the PC to the "unprotected" network (I mean "lan_unprot", the interface without VPN) do I not have access.

Maybe I found the problem, but not the solution. The problem seems to be in DNS: if I set the DNS on the devices themselves, everything works fine. I have some wrong configuration but I can't find the mistake. Can someone help me? My current configuration:

Network

# /etc/config/network, second revision (after adding VPN Policy-Based Routing).
config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd6d:2980:e639::/48'

# ADSL: a bridged ATM PVC 8/35 exposed as dsl0; PPPoE runs on top of it (see 'wan').
config atm-bridge 'atm'
        option payload 'bridged'
        option nameprefix 'dsl'
        option vci '35'
        option vpi '8'
        option encaps 'vc'

config dsl 'dsl'
        option annex 'a'
        option tone 'av'
        option ds_snr_offset '0'

# WAN uplink. peerdns '0' discards ISP-pushed resolvers; the WAN now uses Google DNS
# instead of the two 103.86.x.x servers of the first revision. Credentials are placeholders.
config interface 'wan'
        option ifname 'dsl0'
        option proto 'pppoe'
        option username 'username'
        option password 'password'
        option ipv6 '1'
        option peerdns '0'
        option dns '8.8.8.8 8.8.4.4'

config device 'wan_dev'
        option name 'dsl0'
        option macaddr 'e8:94:f6:5e:0d:8d'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 2 4 5 6t'

# Protected LAN, now a bridge over eth0.1: the wired switch ports join the VPN-routed
# segment, wireless joins via /etc/config/wireless.
# NOTE(review): 'option dns' on a static LAN interface only adds those resolvers to the
# router's own list (/tmp/resolv.conf.auto); it does not, by itself, change what DHCP
# hands to clients. Clients of both LANs apparently still query the router's dnsmasq,
# which picks freely from the combined list (103.86.x.x here, 8.8.x.x from 'wan' and
# 'lan_unprot'). That is consistent with the reported symptom that setting DNS directly
# on the PC works -- confirm with `cat /tmp/resolv.conf.auto` on the router.
config interface 'lan_prot'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option type 'bridge'
        option ifname 'eth0.1'
        option dns '103.86.96.100 103.86.99.100'

# tun0 is created and addressed by the OpenVPN client; 'proto none' only registers it
# so the firewall and the policy-routing package can refer to it.
config interface 'ovpn'
        option proto 'none'
        option ifname 'tun0'

# Unprotected LAN (wireless only: no 'ifname'), routed to the plain WAN by policy.
config interface 'lan_unprot'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        option dns '8.8.8.8 8.8.4.4'

Firewall

# /etc/config/firewall, second revision. Zones defined here: wan, lan_prot, lan_unp,
# ovpnfw. Compared with the first revision the LanUnProt-* rules now carry a 'src' and
# the 'lan_unp' zone has intra-zone forward set to ACCEPT.
config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
# Router INPUT defaults to ACCEPT (the 'wan' zone overrides it to REJECT); forwarding
# between zones is denied unless a 'config forwarding' entry allows it.

# WAN zone: NAT enabled, nothing may reach the router or be forwarded unless a rule
# below explicitly allows it.
config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6'

# Stock OpenWrt 18.06 rules for the wan zone.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# NOTE(review): 'dest lan' names a zone that does not exist in this file (the LAN zones
# are 'lan_prot' and 'lan_unp'); fw3 should skip such a rule with a warning, so these
# two stock rules are expected to have no effect. Remove them if inbound IPsec is not
# needed.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# Custom iptables rules from /etc/firewall.user are not shown in this post.
config include
        option path '/etc/firewall.user'

config zone
        option forward 'REJECT'
        option output 'ACCEPT'
        option name 'lan_prot'
        option input 'ACCEPT'
        option network 'lan_prot'

# Zone 'lan_unp' covers network 'lan_unprot'. 'forward ACCEPT' here only governs
# forwarding between networks inside this zone; with a single network in it the setting
# currently has no effect (REJECT, as on the other zones, is the tighter choice).
config zone
        option output 'ACCEPT'
        option name 'lan_unp'
        option input 'ACCEPT'
        option network 'lan_unprot'
        option forward 'ACCEPT'

# VPN zone on tun0: traffic leaving through the tunnel is NATed (masq '1') and nothing
# arriving from the tunnel side may reach the router itself (input REJECT).
config zone 'openvpn'
        option forward 'REJECT'
        option network 'ovpn'
        option output 'ACCEPT'
        option name 'ovpnfw'
        option masq '1'
        option mtu_fix '1'
        option input 'REJECT'

# DNS/DHCP towards the router from each LAN. Both LAN zones already have input ACCEPT,
# so these rules are redundant but harmless.
config rule
        option enabled '1'
        option target 'ACCEPT'
        option proto 'tcp udp'
        option dest_port '53'
        option name 'LanProt-DNS'
        option src 'lan_prot'

config rule
        option enabled '1'
        option target 'ACCEPT'
        option proto 'udp'
        option dest_port '67-68'
        option name 'LanProt-DHCP'
        option src 'lan_prot'

config rule
        option enabled '1'
        option target 'ACCEPT'
        option proto 'tcp udp'
        option dest_port '53'
        option name 'LanUnProt-DNS'
        option src 'lan_unp'

config rule
        option enabled '1'
        option target 'ACCEPT'
        option proto 'udp'
        option dest_port '67-68'
        option name 'LanUnProt-DHCP'
        option src 'lan_unp'

# Forwarding tunnel -> WAN lets packets arriving from the VPN side be forwarded out the
# WAN. A client-only tunnel does not normally need this; drop it unless something on the
# provider side is meant to reach the WAN through this router.
config forwarding
        option dest 'wan'
        option src 'ovpnfw'

# The only forwarding from lan_prot is into the tunnel zone, so protected clients have no
# path to the WAN while the tunnel is down (default forward policy is REJECT).
config forwarding
        option dest 'ovpnfw'
        option src 'lan_prot'

# NOTE(review): 'lan_unprot' is the network name, not a zone name; this entry matches no
# zone and should have no effect. The next entry (src 'lan_unp') is the one that lets the
# unprotected LAN out to the WAN.
config forwarding
        option dest 'wan'
        option src 'lan_unprot'

config forwarding
        option dest 'wan'
        option src 'lan_unp'

vpn-policy-routing

# /etc/config/vpn-policy-routing. Two source-address policies: 192.168.2.0/24 -> wan,
# 192.168.1.0/24 -> ovpn. strict_enforcement '1' should make the package drop a policy's
# traffic while its interface is down rather than let it fall back to the default route.
# NOTE(review): only the two client subnets are covered. Traffic the router itself
# originates -- including dnsmasq's upstream DNS queries on behalf of clients -- matches
# neither policy and follows the main routing table, presumably the tunnel if the OpenVPN
# client installed a default route. That would explain why the unprotected LAN only works
# once clients bypass the router's resolver; confirm with `ip route` on the router.
# 'ignored_interface vpnserver' names an interface that does not exist in the network
# config, and the empty 'list supported_interface' entry looks like a leftover.
config vpn-policy-routing 'config'
        option enabled '1'
        option verbosity '2'
        option strict_enforcement '1'
        option src_ipset '0'
        option ipv6_enabled '0'
        list supported_interface ''
        list ignored_interface 'vpnserver'
        option boot_timeout '30'
        option iptables_rule_option 'append'
        option iprule_enabled '0'
        option webui_enable_column '0'
        option webui_protocol_column '0'
        option webui_chain_column '0'
        option webui_sorting '1'
        list webui_supported_protocol 'tcp'
        list webui_supported_protocol 'udp'
        list webui_supported_protocol 'tcp udp'
        list webui_supported_protocol 'icmp'
        list webui_supported_protocol 'all'

# Unprotected LAN goes straight out the WAN.
config policy
        option comment 'lan_unprotect'
        option src_addr '192.168.2.0/24'
        option interface 'wan'

# Protected LAN goes through the tunnel.
config policy
        option comment 'lan_protect'
        option interface 'ovpn'
        option src_addr '192.168.1.0/24'

How do you want to specify DNS?

  1. DNS could be specified in WAN settings, you can also push DNS from VPN-provider.
  2. DNS could be specified in DHCP settings.
  3. Universal approach is to use public DNS, e.g. Google's one.
  4. You can also add specific route for your ISP's DNS.

Thank you very much for helping. I tried:
Google DNS in WAN settings -> doesn't work
Google DNS in the interface -> doesn't work
Google DNS on the devices (PC for example) -> works fine

I don't know what else to check.

I know this is an old thread. The following website might be helpful for others who want to set up two Wi-Fi signals. It worked for me.

https://www.underthereign.com/index.php/it-related-information/openwrt-openvpn-one-router-two-signals

Cheers!