I have an ISP ADSL modem/router (wifi turned off, on the 192.168.1.0 network) connected via ETH cable to the main Deco M5, which is providing Gateway / DHCP / LAN and wifi to the house on the 192.168.2.0 network.
I want to use openwrt VPN somehow to make all devices go through this VPN (to NordVPN servers) to internet.
I was thinking could I put some sort of openwrt VPN bridge/proxy between main DECO M5 and modem/router to allow this?
I do not believe the DECO M5 allows any VPN client itself, and if it does, it is only the pptp /l2tp that can be configured in the M5.
I am thinking maybe I can use a raspberry pi, or the plusnet hub one old router(if I can modify it).
You can use any OpenWrt capable device, regardless of having one or more ports to act as a VPN endpoint and use it as a gateway for the lan hosts that need to go through the VPN.
The details of the setup depend on your preference. Is it going to be all lan hosts using VPN or a subset of them? In the first case you can advertise the OpenWrt as a default gateway. In the second you can selectively advertise it as default gateway to only the necessary lan hosts with option 3 in DHCP.
I got OpenWrt on the old Plusnet Hub One, and could apparently put OpenWrt on the Deco M5, but I have no idea yet how to configure OpenWrt as a gateway/bridge/AP, or which of these is the proper config to use.
Thanks.
If it is a gateway, it is more or less a default setup.
If it is a bridge, you don't use the wan interface, adapt the lan IP, and disable DHCP server on the OpenWrt or the ISP router.
The dotted line is what I want to put in between the ADSL modem and the DECO M5.
Apologies if you have already told me, but I am as dumb as a bunch of rocks.
The OpenWRT something will have NORDVPN wireguard openwrt package installed, and hopefully will allow me exceptions where certain websites like the UK National lottery do not go through the VPN.
Maybe I can experiment and test by leaving the current setup in place and doing the bit at the top right of the diagram. It's just figuring out how to configure OpenWrt to let me do this.
Got the router working as a gateway using the wan port as the upstream, via the switch to the Deco on the 192.168.2.1 network. My laptop is connected on lan port 1 at 192.168.3.135 (DHCP client) and the OpenWrt is 192.168.3.1.
I can get to the internet now and am loading/reading wireguard client docs now.
Thanks for your help.
Typical that I have further issues.
I got the OpenVPN tunnel working, but PBR is not. NationalLottery still tells me I am outside the UK.
I have tried forward/wan/lan as the option in the PBR config in the PIC.
I am not at all sure what that service error is about either, in the 3rd pic.
The PBR configuration is more or less fine; the worrying part is the one with the PBR service error. If you are sure that National Lottery uses only one IPv4 address, then it is fine. Otherwise you can use the domain name as destination and look if there are other addresses involved, e.g. inside the page code, CSS etc.
Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have.
ubus call system board; \
uci export network; uci export pbr; \
uci export dhcp; uci export firewall; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
ip -6 addr ; ip -6 ro li tab all ; ip -6 ru; \
ls -l /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
Thank you for helping me.
Slight adjustment to PBR local network.
login as: root
BusyBox v1.35.0 (2023-04-27 20:28:15 UTC) built-in shell (ash)
OpenWrt 22.03.5, r20134-5f15225c1e
-----------------------------------------------------
=== WARNING! =====================================
There is no root password defined on this device!
Use the "passwd" command to set up a new password
in order to prevent unauthorized SSH logins.
--------------------------------------------------
root@OpenWrt:~# ubus call system board; \
> uci export network; uci export pbr; \
> uci export dhcp; uci export firewall; \
> ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
> ip -6 addr ; ip -6 ro li tab all ; ip -6 ru; \
> ls -l /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
{
"kernel": "5.10.176",
"hostname": "OpenWrt",
"system": "xRX200 rev 1.2",
"model": "BT Home Hub 5A",
"board_name": "bt,homehub-v5a",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "22.03.5",
"revision": "r20134-5f15225c1e",
"target": "lantiq/xrx200",
"description": "OpenWrt 22.03.5 r20134-5f15225c1e"
}
}
package network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd59:6415:f4d6::/48'
config atm-bridge 'atm'
option vpi '1'
option vci '32'
option encaps 'llc'
option payload 'bridged'
option nameprefix 'dsl'
config dsl 'dsl'
option annex 'a'
option tone 'av'
option ds_snr_offset '0'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
config device
option name 'lan1'
option macaddr '--:--:--:--:--:--'
config device
option name 'lan2'
option macaddr '--:--:--:--:--:--'
config device
option name 'lan3'
option macaddr '--:--:--:--:--:--'
config device
option name 'lan4'
option macaddr '--:--:--:--:--:--'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.3.1'
option gateway '192.168.2.1'
config device
option name 'dsl0'
option macaddr '--:--:--:--:--:--'
config interface 'wan'
option proto 'dhcp'
option device 'wan'
config interface 'wan6'
option device '@wan'
option proto 'dhcpv6'
config interface 'nordvpntun'
option proto 'none'
option device 'tun0'
package pbr
config pbr 'config'
option verbosity '2'
option strict_enforcement '1'
option resolver_set 'none'
option ipv6_enabled '0'
list ignored_interface 'vpnserver'
list ignored_interface 'wgserver'
option boot_timeout '30'
option rule_create_option 'add'
option procd_reload_delay '1'
option webui_show_ignore_target '0'
list webui_supported_protocol 'all'
list webui_supported_protocol 'tcp'
list webui_supported_protocol 'udp'
list webui_supported_protocol 'tcp udp'
list webui_supported_protocol 'icmp'
option enabled '1'
config include
option path '/usr/share/pbr/pbr.user.aws'
option enabled '0'
config include
option path '/usr/share/pbr/pbr.user.netflix'
option enabled '0'
config policy
option name 'Plex/Emby Local Server'
option interface 'wan'
option src_port '8096 8920 32400'
option enabled '0'
config policy
option name 'Plex/Emby Remote Servers'
option interface 'wan'
option dest_addr 'plex.tv my.plexapp.com emby.media app.emby.media tv.emby.media'
option enabled '0'
config policy
option name 'NationaLotteryByPassVPN'
option dest_addr '194.246.78.128'
option src_addr '192.168.3.0/24'
option interface 'wan'
package dhcp
config dnsmasq
option domainneeded '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option localservice '1'
option ednspacket_max '1232'
list server '103.86.96.100'
list server '103.86.99.100'
option noresolv '1'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option dhcpv6 'server'
option ra 'server'
list ra_flags 'managed-config'
list ra_flags 'other-config'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
package firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config zone
option name 'vpnfirewall'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'nordvpntun'
config forwarding
option src 'lan'
option dest 'vpnfirewall'
config include 'pbr'
option fw4_compatible '1'
option type 'script'
option path '/usr/share/pbr/pbr.firewall.include'
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
7: wan@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet 192.168.2.211/24 brd 192.168.2.255 scope global wan
valid_lft forever preferred_lft forever
10: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet 192.168.3.1/24 brd 192.168.3.255 scope global br-lan
valid_lft forever preferred_lft forever
17: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
inet 10.7.0.2/24 scope global tun0
valid_lft forever preferred_lft forever
192.168.3.0/24 dev br-lan table pbr_lan proto kernel scope link src 192.168.3.1
default via 192.168.2.1 dev wan table pbr_wan
192.168.3.0/24 dev br-lan table pbr_wan proto kernel scope link src 192.168.3.1
default via 10.7.0.2 dev tun0 table pbr_nordvpntun
192.168.3.0/24 dev br-lan table pbr_nordvpntun proto kernel scope link src 192.168.3.1
0.0.0.0/1 via 10.7.0.1 dev tun0
default via 192.168.2.1 dev wan proto static src 192.168.2.211
10.7.0.0/24 dev tun0 proto kernel scope link src 10.7.0.2
87.249.139.14 via 192.168.2.1 dev wan
128.0.0.0/1 via 10.7.0.1 dev tun0
192.168.2.0/24 dev wan proto kernel scope link src 192.168.2.211
192.168.3.0/24 dev br-lan proto kernel scope link src 192.168.3.1
broadcast 10.7.0.0 dev tun0 table local proto kernel scope link src 10.7.0.2
local 10.7.0.2 dev tun0 table local proto kernel scope host src 10.7.0.2
broadcast 10.7.0.255 dev tun0 table local proto kernel scope link src 10.7.0.2
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.2.0 dev wan table local proto kernel scope link src 192.168.2.211
local 192.168.2.211 dev wan table local proto kernel scope host src 192.168.2.211
broadcast 192.168.2.255 dev wan table local proto kernel scope link src 192.168.2.211
broadcast 192.168.3.0 dev br-lan table local proto kernel scope link src 192.168.3.1
local 192.168.3.1 dev br-lan table local proto kernel scope host src 192.168.3.1
broadcast 192.168.3.255 dev br-lan table local proto kernel scope link src 192.168.3.1
0: from all lookup local
30000: from all fwmark 0x10000/0xff0000 lookup pbr_lan
30001: from all fwmark 0x20000/0xff0000 lookup pbr_wan
30002: from all fwmark 0x30000/0xff0000 lookup pbr_nordvpntun
32766: from all lookup main
32767: from all lookup default
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1508 state UNKNOWN qlen 1000
inet6 fe80::419:4aff:fe36:5061/64 scope link
valid_lft forever preferred_lft forever
7: wan@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
inet6 fe80::419:4aff:fe36:5061/64 scope link
valid_lft forever preferred_lft forever
10: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
inet6 fd59:6415:f4d6::1/60 scope global noprefixroute
valid_lft forever preferred_lft forever
inet6 fe80::7a65:59ff:febb:d358/64 scope link
valid_lft forever preferred_lft forever
17: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 state UNKNOWN qlen 500
inet6 fe80::f089:b127:1526:e18/64 scope link stable-privacy
valid_lft forever preferred_lft forever
fd59:6415:f4d6::/64 dev br-lan proto static metric 1024 pref medium
unreachable fd59:6415:f4d6::/48 dev lo proto static metric 2147483647 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
fe80::/64 dev wan proto kernel metric 256 pref medium
fe80::/64 dev tun0 proto kernel metric 256 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
anycast fd59:6415:f4d6:: dev br-lan table local proto kernel metric 0 pref medium
local fd59:6415:f4d6::1 dev br-lan table local proto kernel metric 0 pref medium
anycast fe80:: dev eth0 table local proto kernel metric 0 pref medium
anycast fe80:: dev wan table local proto kernel metric 0 pref medium
anycast fe80:: dev br-lan table local proto kernel metric 0 pref medium
anycast fe80:: dev tun0 table local proto kernel metric 0 pref medium
local fe80::419:4aff:fe36:5061 dev eth0 table local proto kernel metric 0 pref medium
local fe80::419:4aff:fe36:5061 dev wan table local proto kernel metric 0 pref medium
local fe80::7a65:59ff:febb:d358 dev br-lan table local proto kernel metric 0 pref medium
local fe80::f089:b127:1526:e18 dev tun0 table local proto kernel metric 0 pref medium
multicast ff00::/8 dev eth0 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev br-lan table local proto kernel metric 256 pref medium
multicast ff00::/8 dev wan table local proto kernel metric 256 pref medium
multicast ff00::/8 dev tun0 table local proto kernel metric 256 pref medium
0: from all lookup local
32766: from all lookup main
lrwxrwxrwx 1 root root 16 Apr 27 2023 /etc/resolv.conf -> /tmp/resolv.conf
lrwxrwxrwx 1 root root 35 Jan 5 13:02 /tmp/resolv.conf -> /tmp/resolv.conf.d/resolv.conf.auto
-rw-r--r-- 1 root root 0 Jan 5 14:18 /tmp/resolv.conf.d/resolv.conf.auto
/tmp/resolv.conf.d:
-rw-r--r-- 1 root root 0 Jan 5 14:18 resolv.conf.auto
==> /etc/resolv.conf <==
==> /tmp/resolv.conf <==
==> /tmp/resolv.conf.d <==
head: /tmp/resolv.conf.d: I/O error
==> /tmp/resolv.conf.d/resolv.conf.auto <==
root@OpenWrt:~#
It's never easy.
root@OpenWrt:/tmp# opkg install dnsmasq-full --cache /tmp/
Installing dnsmasq-full (2.86-16) to root...
Copying /tmp//dnsmasq-full_2.86-16_mips_24kc.ipk.
Configuring dnsmasq-full.
uci: Entry not found
udhcpc: started, v1.35.0
udhcpc: broadcasting discover
udhcpc: no lease, failing
Collected errors:
* resolve_conffiles: Existing conffile /etc/config/dhcp is different from the conffile in the new package. The new conffile will be placed at /etc/config/dhcp-opkg.
root@OpenWrt:/tmp# rm -f /tmp/dnsmasq-full*.ipk
Today, I modified the .Turkey ovpn file with this line.
Section 10.1.2
Restarted everything.
Deleted existing PBRs
Testing:
Added new PBR for dnsleaktest to go via Turkey TUN, and it does.
Everything else now seems to go via WAN.
Now to see if I can make it do the complete inverse of that: everything goes through TUN except for anything I stipulate in the PBR.
I still don't know what dnsmasq does, but one time earlier this morning I had a new tab across the top for ipset. I cannot get that tab to come back, even if I make the resolver in PBR dnsmasq ipset.
So I have tested dnsleaktest and whatismyipaddress in PBR going through the TUN, and National-Lottery.co.uk goes through the WAN, and it seems to work, but I have to make sure that the TUN is enabled and started or I don't get to either site at all.
So instead of trying to make everything by default go through the TUN other than what I say in the PBR, which was my original plan, if only there was some way that OpenWrt recognised the requested destination domain and then enabled and started one of the OpenVPN policies automatically, one that I preselected to be started for that respective destination domain. Although I can see that this would make the opening of that domain's website quite slow, because it would have to stop that OpenVPN policy before starting up another one for a different website.
Trendy, since I can get single domains via the VPN, I'm going to leave it at that. I really only wanted to experiment and maybe get a device in front of my smart TV so that apps on my TV go through certain domains via VPN.
Thanks for all your help. I might come back to this in future if I feel like I miss the frustration trying to make it work.
dnsmasq support for pbr does exactly what you want: it resolves the domains you added in the pbr and adds them to the ipset to be treated accordingly.
I am not sure what doesn't work for you now, could you explain it in detail?
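The two points raised above (a single-IP destination is fragile for a site that may use several addresses, and a domain destination only works once a dnsmasq resolver set is enabled) can be checked mechanically against the `uci export` output that was pasted. The following is an added example, not code from the pbr package or from anyone in this thread; it assumes a constructed excerpt mirroring the pasted exports and a hypothetical second policy using a domain name, and treats any `resolver_set` other than `none` as a working resolver.

```python
"""Sanity-check pbr policies from 'uci export' output (added example)."""
import ipaddress
import re

# Constructed excerpt in the same format as the exports pasted above.
UCI_EXPORT = """
package network
config interface 'wan'
	option proto 'dhcp'
	option device 'wan'
config interface 'nordvpntun'
	option proto 'none'
	option device 'tun0'
package pbr
config pbr 'config'
	option resolver_set 'none'
	option enabled '1'
config policy
	option name 'NationaLotteryByPassVPN'
	option dest_addr '194.246.78.128'
	option src_addr '192.168.3.0/24'
	option interface 'wan'
config policy
	option name 'dnsleaktest via VPN'
	option dest_addr 'dnsleaktest.com'
	option interface 'nordvpntun'
"""

def parse_uci(text):
    """Return {package: [(section_type, section_name, {key: value})]}."""
    pkgs, cur_pkg, cur_sec = {}, None, None
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"package (\S+)", line):
            cur_pkg = pkgs.setdefault(m.group(1), [])
        elif m := re.match(r"config (\S+)(?: '([^']*)')?", line):
            cur_sec = (m.group(1), m.group(2), {})
            cur_pkg.append(cur_sec)
        elif m := re.match(r"(option|list) (\S+) '([^']*)'", line):
            kind, key, val = m.groups()
            if kind == "list":
                cur_sec[2].setdefault(key, []).append(val)
            else:
                cur_sec[2][key] = val
    return pkgs

def is_ip_target(s):
    """True for a literal IPv4/IPv6 address or CIDR, False for a hostname."""
    try:
        ipaddress.ip_network(s, strict=False)
        return True
    except ValueError:
        return False

def check_policies(text):
    """Return (policy name, problem) pairs for enabled pbr policies."""
    pkgs = parse_uci(text)
    ifaces = {n for t, n, _ in pkgs.get("network", []) if t == "interface"}
    cfg = [o for t, _, o in pkgs.get("pbr", []) if t == "pbr"]
    resolver = cfg[0].get("resolver_set", "none") if cfg else "none"
    findings = []
    for typ, _, opts in pkgs.get("pbr", []):
        if typ != "policy" or opts.get("enabled", "1") == "0":
            continue
        name = opts.get("name", "?")
        if opts.get("interface") not in ifaces:
            findings.append((name, "unknown interface"))
        targets = opts.get("dest_addr", "").split()
        if any(not is_ip_target(t) for t in targets) and resolver == "none":
            findings.append((name, "domain target needs resolver_set"))
        if len(targets) == 1 and is_ip_target(targets[0]) and "/" not in targets[0]:
            findings.append((name, "single IP target"))  # site may use more addresses
    return findings
```

Run `check_policies` over the real `uci export network; uci export pbr` output to get the same two warnings the thread arrived at by hand.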