2 x OpenWrt with VPN

I have been running OpenWrt installed on an old BT Home Hub which was routed through my stock Plusnet Home Hub. In order to make it work I had to add the OpenWrt router to the DMZ zone within the firewall settings of the stock Plusnet firewall.

Recently I flashed the stock Plusnet main router with OpenWrt, connected directly to my ISP, and all works fine. However, when I connect to the BT OpenWrt to use as a VPN I am no longer able to browse the net.

Do I need to add a firewall rule to enable traffic?

Also, to confirm: I have a network cable plugged into the red WAN port on the OpenWrt/BT router running to a yellow LAN port on the main ISP router. That is correct, isn't it?

Thanks in advance.

... An update: on the router running OpenVPN, under diagnostics, when I run the ping test I see 5 packets transmitted and 5 received, 0% packet loss, and the traceroute looks.

So it looks like the router is able to reach the WAN of my main ISP router. But any clients connected to the router cannot resolve any web pages.

Can you describe what you are trying to do with each router? It sounds like you're trying to set up a VPN between the two, is that correct? There is no functional benefit to this type of configuration if the devices are directly connected to each other (except the educational value), unless there is some way that a hostile/untrusted party could gain access to the network between the two devices.

EDIT: If you're setting up a road-warrior type VPN and need to test locally before you try using the VPN remotely, that makes sense.

In short, I want to set up a wireless access point that uses the VPN as and when I need it; for educational purposes I'd like to use the two modems.

As mentioned, I had this working previously when my ISP router was running stock Plusnet firmware (albeit with a DMZ-enabled zone for OpenWrt).

Just recently I replaced the ISP modem with another of the same type and flashed it to run OpenWrt. But since doing so I can no longer connect to the network when connected to the OpenWrt/OpenVPN access point.

I've just switched the ISP router out for the previously working stock router, but this setup is no longer working. I'm beginning to wonder if the issue is not with my VPN provider.

Try adding the following line to /etc/firewall.user:

iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE

10.0.0.0/24 - replace with the OpenVPN internal server address (the same address as in the OpenVPN config file)
-o eth0 - replace with the outgoing WAN interface

Then do

/etc/init.d/firewall reload

Thanks - that should be added to the firewall rules of the access point, right? Not the ISP router.

I added:

iptables -t nat -A POSTROUTING -s 10.0.0.2 -o eth0.2 -j MASQUERADE

also tried:

iptables -t nat -A POSTROUTING -s 10.0.0.2/24 -o eth0.2 -j MASQUERADE

Neither worked unfortunately. I've tried another VPN and the problem persists, under diagnostics the ping and traceroute work.

Do you have a separate SSID for the wifi that should route through the VPN?

Please copy the output of the following commands and post it here using the "Preformatted text </>" button.
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Yes, I have a separate SSID for the wifi and the LAN is on a separate subnet mask. Details as requested:

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdf1:fc79:bf15::/48'

config atm-bridge 'atm'
        option vpi '1'
        option vci '32'
        option encaps 'llc'
        option payload 'bridged'
        option nameprefix 'dsl'

config dsl 'dsl'
        option annex 'a'
        option tone 'av'
        option ds_snr_offset '0'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        list dns '8.8.8.8'
        list dns '8.8.4.4'

config device 'lan_eth0_1_dev'
        option name 'eth0.1'
        option macaddr '********'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'

config device 'wan_dsl0_dev'
        option name 'dsl0'
        option macaddr '********'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 4 6t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '5 6t'

config interface 'tun0'
        option ifname 'tun0'
        option proto 'none'

root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option channel '36'
        option hwmode '11a'
        option path 'pci0000:01/0000:01:00.0/0000:02:00.0'
        option htmode 'VHT80'
        option cell_density '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid '*****'
        option encryption 'psk2'
        option key '*****'
        option wpa_disable_eapol_key_retries '1'

config wifi-device 'radio1'
        option type 'mac80211'
        option channel '11'
        option hwmode '11g'
        option path 'pci0000:00/0000:00:0e.0'
        option htmode 'HT20'
        option cell_density '0'
        option disabled '1'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid '*****'
        option encryption 'psk2'
        option key '*******'
        option wpa_disable_eapol_key_retries '1'
        option disabled '1'

root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv6 'server'
        option ra 'server'
        option ra_management '1'
        list dhcp_option '6,8.8.8.8,8.8.4.4'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config zone
        option network 'tun0'
        option name 'vpn_zone'
        option mtu_fix '1'
        option masq '1'
        option output 'ACCEPT'
        option input 'REJECT'
        option forward 'REJECT'

config forwarding
        option dest 'vpn_zone'
        option src 'lan'

It's official, I am an idiot: my VPN password had failed, which is why my connection was not working.

Strange that within openvpn the service said it had started and there isn't anything to indicate in the UI that the auth failed, the behaviour is exactly the same as a successful connection. It was only the logs which revealed the issue.

Problem solved.
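The failure mode above (the init script reports OpenVPN as running while the server has rejected the credentials, so the tunnel never comes up) is only visible in the log. The script below is an added example, not code from the thread or from the OpenWrt project: it classifies the client's state from OpenVPN log lines, using constructed sample lines so it runs offline; on a router you would feed it the output of `logread -e openvpn`.

```shell
#!/bin/sh
# Added example: decide whether an OpenVPN client actually connected by looking
# at the log, since "service running" does not mean "tunnel up".

# Constructed sample log (not a real capture): the server rejected the login,
# after which OpenVPN restarts and retries without the UI showing any error.
SAMPLE_AUTH_FAIL='daemon.notice openvpn(client)[1234]: TCP/UDP: Preserving recently used remote address: [AF_INET]203.0.113.10:1194
daemon.err openvpn(client)[1234]: AUTH: Received control message: AUTH_FAILED
daemon.notice openvpn(client)[1234]: SIGUSR1[soft,auth-failure] received, process restarting'

# Constructed sample log: a session that really came up.
SAMPLE_OK='daemon.notice openvpn(client)[1234]: TUN/TAP device tun0 opened
daemon.notice openvpn(client)[1234]: Initialization Sequence Completed'

# Constructed sample log: daemon started but never got as far as either message.
SAMPLE_PENDING='daemon.notice openvpn(client)[1234]: UDP link local: (not bound)'

# openvpn_state LOGTEXT
# Prints one of: auth-failed, connected, not-connected.
# Only the most recent decisive line counts, so an old AUTH_FAILED followed by a
# later successful reconnect is reported as connected.
openvpn_state() {
    last=$(printf '%s\n' "$1" \
        | grep -E 'AUTH_FAILED|Initialization Sequence Completed' \
        | tail -n 1)
    case "$last" in
        *AUTH_FAILED*)                           echo auth-failed ;;
        *"Initialization Sequence Completed"*)   echo connected ;;
        *)                                       echo not-connected ;;
    esac
}

# Live check on an OpenWrt box (logread is the syslog reader there); skipped
# elsewhere so the script also runs on a workstation against the samples.
if command -v logread >/dev/null 2>&1; then
    echo "live openvpn state: $(openvpn_state "$(logread -e openvpn)")"
fi
echo "sample (auth failure): $(openvpn_state "$SAMPLE_AUTH_FAIL")"
echo "sample (connected):    $(openvpn_state "$SAMPLE_OK")"
```

A non-zero "auth-failed" here, while `ping` and `traceroute` from the router itself still succeed, is exactly the symptom the thread describes: the router's own WAN works, but LAN clients are forwarded into a tunnel that never came up.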
