Adding OpenVPN server to "pure" switch configuration...close but no cigar

Hi! First a bit of context:
I have an openwrt router configured to act as a simple ethernet switch connected to the ISP router in a different room via an ethernet cable. On top of ipv4 and ipv6 there is a non-routable protocol running on the lan for music studio apps (no sub-nets). The ISP router cannot be flashed with openwrt nor can it be bridged since we would lose the home phone service. The ISP provides a /64 ipv6 prefix with SLAAC.
The current working configuration has no interface defined except for the management backdoor using a low-powered wifi access dedicated just for that purpose. Here is the working "base" config (only pertinent stuff):


dhcp.admin=dhcp
dhcp.admin.interface='admin'
dhcp.admin.start='10'
dhcp.admin.limit='20'
dhcp.admin.leasetime='12h'

firewall.@zone[0]=zone
firewall.@zone[0].name='admin'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='REJECT'
firewall.@zone[0].network='admin'

network.globals=globals
network.globals.ula_prefix='fddd:aaaa:bbbb::/48'

network.@device[0]=device
network.@device[0].name='br-lan'
network.@device[0].type='bridge'
network.@device[0].ports='eth0.1'

network.@switch[0]=switch
network.@switch[0].name='switch0'
network.@switch[0].reset='1'
network.@switch[0].enable_vlan='1'

network.@device[1]=device
network.@device[1].name='eth0'
network.@device[1].ipv6='1'
network.@device[2]=device

network.@switch_vlan[0]=switch_vlan
network.@switch_vlan[0].device='switch0'
network.@switch_vlan[0].vlan='2'
network.@switch_vlan[0].ports='0t 3 2 1'
network.@switch_vlan[0].vid='1'

network.admin=interface
network.admin.proto='static'
network.admin.device='phy0-ap0'
network.admin.ipaddr='192.168.111.1'
network.admin.netmask='255.255.255.0'
network.admin.defaultroute='0'
network.admin.delegate='0'
network.admin.type='bridge'

My goal is to add an openvpn server to access local resources as well as the internet. The server itself would use ipv4 to connect but would transmit ipv4 and ipv6 inside the tunnel.

I made an experimental configuration but so far I am only able to connect to the server and ping only "self" and the openvpn server (in ipv4). I used this openvpn server guide to install but I modified the firewall and a few other directives obviously. Here are the new configurations I added:

dhcp.lan6=dhcp
dhcp.lan6.interface='lan6'
dhcp.lan6.ignore='1'
dhcp.lan6.ra='relay'
dhcp.lan6.dhcpv6='relay'
dhcp.lan6.ndp='relay'
dhcp.lan6.ndproxy_slave='1'

firewall.@zone[0]=zone
firewall.@zone[0].name='admin'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='REJECT'
firewall.@zone[0].network='admin'

firewall.@zone[1]=zone
firewall.@zone[1].name='lan'
firewall.@zone[1].input='ACCEPT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='ACCEPT'
firewall.@zone[1].network='lan' 'lan6'

firewall.@zone[2]=zone
firewall.@zone[2].name='ovpn'
firewall.@zone[2].input='ACCEPT'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].forward='ACCEPT'
firewall.@zone[2].network='ovpn'
firewall.@zone[2].masq='1'
firewall.@zone[2].masq6='1'

firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='ovpn'
firewall.@forwarding[0].dest='lan'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].src='lan'
firewall.@forwarding[1].dest='ovpn'

network.globals=globals
network.globals.ula_prefix='fddd:aaaa:bbbb::/48'

network.@device[2]=device
network.@device[2].name='tun0'
network.@device[2].macaddr='EE:95:6E:4A:6A:6A'
network.@device[2].ipv6='1'

network.lan=interface
network.lan.proto='dhcp'
network.lan.device='br-lan'

network.lan6=interface
network.lan6.proto='dhcpv6'
network.lan6.device='@lan'
network.lan6.reqaddress='try'
network.lan6.reqprefix='auto'
network.lan6.force_link='1'

network.ovpn=interface
network.ovpn.proto='none'
network.ovpn.device='tun0'

[server.conf]
user nobody
group nogroup
dev tun
port 1194
proto udp
server 192.168.9.0 255.255.255.0
server-ipv6 fddd:aaaa:bbbb:1111::/64
topology subnet
client-to-client
keepalive 10 60
persist-tun
persist-key
push "dhcp-option DNS 192.168.37.1"
push "dhcp-option DOMAIN vpn"
push "redirect-gateway def1 ipv6"
push "persist-tun"
push "persist-key"
...


I then have two questions:

  1. What am I missing in this configuration?
  2. Is there an even better way to do it knowing I want to keep the switch functionality the way it is?

Thanks in advance for your insights.

I am closing this thread because the subject is too narrow and I found more than one solution in the context of the original thread. Please refer to the original one.