Bridged OpenVPN: access devices connected to OpenWrt router vpn client

Hello!
I want to set up bridged OpenVPN on an OpenWRT router (TP-Link Archer C7 v5) client to be able to access devices connected to this router from another OpenVPN client, as in this schema:

For now, the OpenVPN server is working well, my PC client and router client can see each other, but I am having trouble configuring the router so that I will be able to access devices connected to it from my PC client. Now I am testing with another PC, but eventually I want to access a Siemens PLC connected to that router.

I tried creating bridges from the tap interface to LAN on my router but it didn't help unfortunately, maybe I was setting them up wrong as well... I also tried to assign separate LAN ports to the tap bridge as in this one tutorial https://coderazzi.net/howto/openwrt/tl841n/openvpn-bridge.htm but it didn't work.

I am new to OpenWRT/VPN/networking stuff, so it is kind of hard for me to understand what steps I should take, as there are not so many tutorials on this one case. I even tried to assign the OpenWRT router LAN IP to the same subnet 192.168.8.X as the OpenVPN server; that didn't help either (got more problems with that one). Tried to play with firewall settings as well. Please don't be angry at me if I say something stupid, because I am still a noob trying to get it.

My configurations (PS: I set up routed OpenVPN previously on this OpenWRT router, so it may have leftover configuration for the tun interface as well):

Server config
port 1194
proto udp
dev tap0
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
ifconfig-pool-persist ipp.txt
server-bridge 192.168.8.4 255.255.255.0 192.168.8.50 192.168.8.100
client-to-client
keepalive 10 120
tls-auth ta.key 0 # This file is secret
key-direction 0
cipher AES-256-CBC # AES
auth SHA256
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
OpenWRT router client config
client
dev tap0
proto udp
remote (server ip) 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
remote-cert-tls server
dhcp-option DNS (server ip)
comp-lzo
verb 3
cipher AES-256-CBC
auth SHA256
key-direction 1
(keys here)

Will be grateful for any help!

router /etc/config/network
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdd2:90c8:5cc7::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

config interface 'lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option device 'br-lan'
        option ipaddr '192.168.1.1'

config device
        option name 'eth0.2'
        option macaddr 'e8:48:b8:7f:6f:61'

config interface 'wan'
        option device 'eth0.2'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '2 3 4 5 0t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '1 0t'

config interface 'OVPN'
        option proto 'none'
        option device 'tap0'

config device
        option name 'br0'
        option type 'bridge'
        list ports 'eth0.1'
        list ports 'tap0'
Router: ip address show; ip route show table all
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether e8:48:b8:7f:6f:60 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::ea48:b8ff:fe7f:6f60/64 scope link
       valid_lft forever preferred_lft forever
6: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether e8:48:b8:7f:6f:60 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 fdd2:90c8:5cc7::1/60 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::ea48:b8ff:fe7f:6f60/64 scope link
       valid_lft forever preferred_lft forever
7: eth0.1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP group default qlen 1000
    link/ether e8:48:b8:7f:6f:60 brd ff:ff:ff:ff:ff:ff
8: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether e8:48:b8:7f:6f:61 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.131/24 brd 192.168.0.255 scope global eth0.2
       valid_lft forever preferred_lft forever
    inet6 fe80::ea48:b8ff:fe7f:6f61/64 scope link
       valid_lft forever preferred_lft forever
9: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether e8:48:b8:7f:6f:60 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::ea48:b8ff:fe7f:6f60/64 scope link
       valid_lft forever preferred_lft forever
10: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether e8:48:b8:7f:6f:5f brd ff:ff:ff:ff:ff:ff
    inet6 fe80::ea48:b8ff:fe7f:6f5f/64 scope link
       valid_lft forever preferred_lft forever
11: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
    link/ether 26:91:6f:08:93:df brd ff:ff:ff:ff:ff:ff
    inet6 fe80::2491:6fff:fe08:93df/64 scope link
       valid_lft forever preferred_lft forever
12: tap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 1000
    link/ether 76:0b:17:3a:58:9d brd ff:ff:ff:ff:ff:ff
    inet 192.168.8.52/24 scope global tap0
       valid_lft forever preferred_lft forever
    inet6 fe80::740b:17ff:fe3a:589d/64 scope link
       valid_lft forever preferred_lft forever
default via 192.168.0.1 dev eth0.2 proto static src 192.168.0.131
192.168.0.0/24 dev eth0.2 proto kernel scope link src 192.168.0.131
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
192.168.8.0/24 dev tap0 proto kernel scope link src 192.168.8.52
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.0.0 dev eth0.2 table local proto kernel scope link src 192.168.0.131
local 192.168.0.131 dev eth0.2 table local proto kernel scope host src 192.168.0.131
broadcast 192.168.0.255 dev eth0.2 table local proto kernel scope link src 192.168.0.131
broadcast 192.168.1.0 dev br-lan table local proto kernel scope link src 192.168.1.1
local 192.168.1.1 dev br-lan table local proto kernel scope host src 192.168.1.1
broadcast 192.168.1.255 dev br-lan table local proto kernel scope link src 192.168.1.1
broadcast 192.168.8.0 dev tap0 table local proto kernel scope link src 192.168.8.52
local 192.168.8.52 dev tap0 table local proto kernel scope host src 192.168.8.52
broadcast 192.168.8.255 dev tap0 table local proto kernel scope link src 192.168.8.52
fdd2:90c8:5cc7::/64 dev br-lan proto static metric 1024 pref medium
unreachable fdd2:90c8:5cc7::/48 dev lo proto static metric 2147483647 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev eth0.2 proto kernel metric 256 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
fe80::/64 dev wlan1 proto kernel metric 256 pref medium
fe80::/64 dev wlan0 proto kernel metric 256 pref medium
fe80::/64 dev br0 proto kernel metric 256 pref medium
fe80::/64 dev tap0 proto kernel metric 256 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
anycast fdd2:90c8:5cc7:: dev br-lan table local proto kernel metric 0 pref medium
local fdd2:90c8:5cc7::1 dev br-lan table local proto kernel metric 0 pref medium
anycast fe80:: dev eth0.2 table local proto kernel metric 0 pref medium
anycast fe80:: dev eth0 table local proto kernel metric 0 pref medium
anycast fe80:: dev br-lan table local proto kernel metric 0 pref medium
anycast fe80:: dev wlan1 table local proto kernel metric 0 pref medium
anycast fe80:: dev wlan0 table local proto kernel metric 0 pref medium
anycast fe80:: dev br0 table local proto kernel metric 0 pref medium
anycast fe80:: dev tap0 table local proto kernel metric 0 pref medium
local fe80::2491:6fff:fe08:93df dev br0 table local proto kernel metric 0 pref medium
local fe80::740b:17ff:fe3a:589d dev tap0 table local proto kernel metric 0 pref medium
local fe80::ea48:b8ff:fe7f:6f5f dev wlan0 table local proto kernel metric 0 pref medium
local fe80::ea48:b8ff:fe7f:6f60 dev eth0 table local proto kernel metric 0 pref medium
local fe80::ea48:b8ff:fe7f:6f60 dev br-lan table local proto kernel metric 0 pref medium
local fe80::ea48:b8ff:fe7f:6f60 dev wlan1 table local proto kernel metric 0 pref medium
local fe80::ea48:b8ff:fe7f:6f61 dev eth0.2 table local proto kernel metric 0 pref medium
multicast ff00::/8 dev eth0 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev br-lan table local proto kernel metric 256 pref medium
multicast ff00::/8 dev eth0.2 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev wlan1 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev wlan0 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev br0 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev tap0 table local proto kernel metric 256 pref medium
Router: ip rule show; iptables-save -c
*nat
:PREROUTING ACCEPT [249:62028]
:INPUT ACCEPT [3:328]
:OUTPUT ACCEPT [36:2736]
:POSTROUTING ACCEPT [0:0]
:postrouting_VPN_FW_rule - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_VPN_FW_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_VPN_FW_postrouting - [0:0]
:zone_VPN_FW_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[249:62028] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[0:0] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[235:59296] -A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
[14:2732] -A PREROUTING -i tap0 -m comment --comment "!fw3" -j zone_VPN_FW_prerouting
[36:2736] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[0:0] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[36:2736] -A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A POSTROUTING -o tap0 -m comment --comment "!fw3" -j zone_VPN_FW_postrouting
[0:0] -A zone_VPN_FW_postrouting -m comment --comment "!fw3: Custom VPN_FW postrouting rule chain" -j postrouting_VPN_FW_rule
[0:0] -A zone_VPN_FW_postrouting -m comment --comment "!fw3" -j MASQUERADE
[14:2732] -A zone_VPN_FW_prerouting -m comment --comment "!fw3: Custom VPN_FW prerouting rule chain" -j prerouting_VPN_FW_rule
[0:0] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[0:0] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[36:2736] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[36:2736] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[235:59296] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT

*mangle
:PREROUTING ACCEPT [624:110712]
:INPUT ACCEPT [412:54694]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [516:97404]
:POSTROUTING ACCEPT [516:97404]
[0:0] -A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A FORWARD -i eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A FORWARD -o tap0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone VPN_FW MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A FORWARD -i tap0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone VPN_FW MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT

*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_VPN_FW_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_VPN_FW_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_VPN_FW_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_VPN_FW_dest_ACCEPT - [0:0]
:zone_VPN_FW_forward - [0:0]
:zone_VPN_FW_input - [0:0]
:zone_VPN_FW_output - [0:0]
:zone_VPN_FW_src_ACCEPT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[0:0] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[418:55237] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[380:49195] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[1:52] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[0:0] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[36:5746] -A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
[2:296] -A INPUT -i tap0 -m comment --comment "!fw3" -j zone_VPN_FW_input
[0:0] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[0:0] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i tap0 -m comment --comment "!fw3" -j zone_VPN_FW_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[0:0] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[533:102354] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[497:99618] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[36:2736] -A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A OUTPUT -o tap0 -m comment --comment "!fw3" -j zone_VPN_FW_output
[0:0] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[34:5682] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[1:52] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[0:0] -A zone_VPN_FW_dest_ACCEPT -o tap0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[0:0] -A zone_VPN_FW_dest_ACCEPT -o tap0 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_VPN_FW_forward -m comment --comment "!fw3: Custom VPN_FW forwarding rule chain" -j forwarding_VPN_FW_rule
[0:0] -A zone_VPN_FW_forward -p udp -m comment --comment "!fw3: Test" -j zone_lan_dest_ACCEPT
[0:0] -A zone_VPN_FW_forward -m comment --comment "!fw3: Zone VPN_FW to lan forwarding policy" -j zone_lan_dest_ACCEPT
[0:0] -A zone_VPN_FW_forward -m comment --comment "!fw3: Zone VPN_FW to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_VPN_FW_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_VPN_FW_forward -m comment --comment "!fw3" -j zone_VPN_FW_dest_ACCEPT
[2:296] -A zone_VPN_FW_input -m comment --comment "!fw3: Custom VPN_FW input rule chain" -j input_VPN_FW_rule
[1:244] -A zone_VPN_FW_input -p udp -m comment --comment "!fw3: Allow-Luci-from-VPN" -j ACCEPT
[0:0] -A zone_VPN_FW_input -p udp -m udp --dport 22 -m comment --comment "!fw3: Allow-SSH-from-VPN" -j ACCEPT
[0:0] -A zone_VPN_FW_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[1:52] -A zone_VPN_FW_input -m comment --comment "!fw3" -j zone_VPN_FW_src_ACCEPT
[0:0] -A zone_VPN_FW_output -m comment --comment "!fw3: Custom VPN_FW output rule chain" -j output_VPN_FW_rule
[0:0] -A zone_VPN_FW_output -m comment --comment "!fw3" -j zone_VPN_FW_dest_ACCEPT
[1:52] -A zone_VPN_FW_src_ACCEPT -i tap0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to VPN_FW forwarding policy" -j zone_VPN_FW_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[0:0] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[0:0] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[0:0] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[0:0] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[36:2736] -A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[36:5746] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[2:64] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[34:5682] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[36:2736] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[36:2736] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[34:5682] -A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject

PS: deleted all the @ because it didn't let me post with them

Router: uci show network; uci show firewall; uci show openvpn

network.loopback=interface
network.loopback.device='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fdd2:90c8:5cc7::/48'
network.device[0]=device
network.device[0].name='br-lan'
network.device[0].type='bridge'
network.device[0].ports='eth0.1'
network.lan=interface
network.lan.proto='static'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan.device='br-lan'
network.lan.ipaddr='192.168.1.1'
network.device[1]=device
network.device[1].name='eth0.2'
network.device[1].macaddr='e8:48:b8:7f:6f:61'
network.wan=interface
network.wan.device='eth0.2'
network.wan.proto='dhcp'
network.wan6=interface
network.wan6.device='eth0.2'
network.wan6.proto='dhcpv6'
network.switch[0]=switch
network.switch[0].name='switch0'
network.switch[0].reset='1'
network.switch[0].enable_vlan='1'
network.switch_vlan[0]=switch_vlan
network.switch_vlan[0].device='switch0'
network.switch_vlan[0].vlan='1'
network.switch_vlan[0].ports='2 3 4 5 0t'
network.switch_vlan[1]=switch_vlan
network.switch_vlan[1].device='switch0'
network.switch_vlan[1].vlan='2'
network.switch_vlan[1].ports='1 0t'
network.OVPN=interface
network.OVPN.proto='none'
network.OVPN.device='tap0'
network.device[2]=device
network.device[2].name='br0'
network.device[2].type='bridge'
network.device[2].ports='eth0.1' 'tap0'

firewall.defaults[0]=defaults
firewall.defaults[0].input='ACCEPT'
firewall.defaults[0].output='ACCEPT'
firewall.defaults[0].forward='REJECT'
firewall.defaults[0].synflood_protect='1'
firewall.lan=zone
firewall.lan.name='lan'
firewall.lan.input='ACCEPT'
firewall.lan.output='ACCEPT'
firewall.lan.forward='ACCEPT'
firewall.lan.network='lan'
firewall.wan=zone
firewall.wan.name='wan'
firewall.wan.input='REJECT'
firewall.wan.output='ACCEPT'
firewall.wan.forward='REJECT'
firewall.wan.masq='1'
firewall.wan.mtu_fix='1'
firewall.wan.network='wan' 'wan6'
firewall.forwarding[0]=forwarding
firewall.forwarding[0].src='lan'
firewall.forwarding[0].dest='wan'
firewall.rule[0]=rule
firewall.rule[0].name='Allow-DHCP-Renew'
firewall.rule[0].src='wan'
firewall.rule[0].proto='udp'
firewall.rule[0].dest_port='68'
firewall.rule[0].target='ACCEPT'
firewall.rule[0].family='ipv4'
firewall.rule[1]=rule
firewall.rule[1].name='Allow-Ping'
firewall.rule[1].src='wan'
firewall.rule[1].proto='icmp'
firewall.rule[1].icmp_type='echo-request'
firewall.rule[1].family='ipv4'
firewall.rule[1].target='ACCEPT'
firewall.rule[2]=rule
firewall.rule[2].name='Allow-IGMP'
firewall.rule[2].src='wan'
firewall.rule[2].proto='igmp'
firewall.rule[2].family='ipv4'
firewall.rule[2].target='ACCEPT'
firewall.rule[3]=rule
firewall.rule[3].name='Allow-DHCPv6'
firewall.rule[3].src='wan'
firewall.rule[3].proto='udp'
firewall.rule[3].src_ip='fc00::/6'
firewall.rule[3].dest_ip='fc00::/6'
firewall.rule[3].dest_port='546'
firewall.rule[3].family='ipv6'
firewall.rule[3].target='ACCEPT'
firewall.rule[4]=rule
firewall.rule[4].name='Allow-MLD'
firewall.rule[4].src='wan'
firewall.rule[4].proto='icmp'
firewall.rule[4].src_ip='fe80::/10'
firewall.rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.rule[4].family='ipv6'
firewall.rule[4].target='ACCEPT'
firewall.rule[5]=rule
firewall.rule[5].name='Allow-ICMPv6-Input'
firewall.rule[5].src='wan'
firewall.rule[5].proto='icmp'
firewall.rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.rule[5].limit='1000/sec'
firewall.rule[5].family='ipv6'
firewall.rule[5].target='ACCEPT'
firewall.rule[6]=rule
firewall.rule[6].name='Allow-ICMPv6-Forward'
firewall.rule[6].src='wan'
firewall.rule[6].dest='*'
firewall.rule[6].proto='icmp'
firewall.rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.rule[6].limit='1000/sec'
firewall.rule[6].family='ipv6'
firewall.rule[6].target='ACCEPT'
firewall.rule[7]=rule
firewall.rule[7].name='Allow-IPSec-ESP'
firewall.rule[7].src='wan'
firewall.rule[7].dest='lan'
firewall.rule[7].proto='esp'
firewall.rule[7].target='ACCEPT'
firewall.rule[8]=rule
firewall.rule[8].name='Allow-ISAKMP'
firewall.rule[8].src='wan'
firewall.rule[8].dest='lan'
firewall.rule[8].dest_port='500'
firewall.rule[8].proto='udp'
firewall.rule[8].target='ACCEPT'
firewall.rule[9]=rule
firewall.rule[9].name='Support-UDP-Traceroute'
firewall.rule[9].src='wan'
firewall.rule[9].dest_port='33434:33689'
firewall.rule[9].proto='udp'
firewall.rule[9].family='ipv4'
firewall.rule[9].target='REJECT'
firewall.rule[9].enabled='0'
firewall.include[0]=include
firewall.include[0].path='/etc/firewall.user'
firewall.zone[2]=zone
firewall.zone[2].name='VPN_FW'
firewall.zone[2].output='ACCEPT'
firewall.zone[2].masq='1'
firewall.zone[2].mtu_fix='1'
firewall.zone[2].input='ACCEPT'
firewall.zone[2].forward='ACCEPT'
firewall.zone[2].network='OVPN'
firewall.forwarding[1]=forwarding
firewall.forwarding[1].src='VPN_FW'
firewall.forwarding[1].dest='lan'
firewall.forwarding[2]=forwarding
firewall.forwarding[2].src='VPN_FW'
firewall.forwarding[2].dest='wan'
firewall.forwarding[3]=forwarding
firewall.forwarding[3].src='lan'
firewall.forwarding[3].dest='VPN_FW'
firewall.rule[10]=rule
firewall.rule[10].name='Allow-Luci-from-VPN'
firewall.rule[10].proto='udp'
firewall.rule[10].src='VPN_FW'
firewall.rule[10].target='ACCEPT'
firewall.rule[11]=rule
firewall.rule[11].name='Allow-SSH-from-VPN'
firewall.rule[11].proto='udp'
firewall.rule[11].src='VPN_FW'
firewall.rule[11].dest_port='22'
firewall.rule[11].target='ACCEPT'
firewall.rule[12]=rule
firewall.rule[12].name='Test'
firewall.rule[12].proto='udp'
firewall.rule[12].src='VPN_FW'
firewall.rule[12].dest='lan'
firewall.rule[12].target='ACCEPT'

Please use the "Preformatted text </>" button for logs, scripts, configs and general console output.
Please edit your post accordingly. Thank you! :slight_smile:


However, you cannot bridge these two networks, since they are using different IP addresses.

Thank you, I formatted my posts :slightly_smiling_face:

You mean that I cannot bridge networks with IP 192.168.8.52 and 192.168.1.1, right? Does it mean that if I change my router LAN IP to 192.168.8.X it may work?

Right, and it is a necessary step to take before it will be able to work. I have not checked if the rest of the configuration is all correct.

I changed my router LAN IP to 192.168.8.101, but I can't access it from OpenVPN now :slightly_frowning_face: Before that I could see all my devices that are connected to OpenVPN in the router's ARP table; now it has only the tap IP and the IP of the PC connected to it (which is 192.168.8.150 now).

OpenWrt already has an IP in the 192.168.8.X subnet on the tap interface. The OpenVPN server doesn't know about the .101 which you assigned to the lan interface. So, you'll have to use that IP on the bridge interface. Also you'll need to fix the DHCP server to allocate addresses which are not offered by the OpenVPN server. Maybe the OpenVPN server will need to be informed about the existence of the lan hosts in case they are not reachable.

OpenWrt already has an IP in 192.168.8.X subnet in tap interface. OpenVPN server doesn't know about the .101 which you assigned to the lan interface. So, you'll have to use that IP on the bridge interface.

Sorry, I don't really get this one. Let me double check please:
My OpenWrt router LAN has to be 192.168.8.X, right? So I assigned it to 192.168.8.101.
It also has a tap interface at 192.168.8.52; I can access my router from another OpenVPN client by this address.
And I need a bridge between LAN 192.168.8.101 and tap 192.168.8.52, am I right? And after that I need to configure my server and let it know about the LAN hosts of this router, like 192.168.8.150, right?

But after I changed my LAN to 192.168.8.101, my other VPN client cannot get access to the router by 192.168.8.52, and I don't understand the reason why, or what I should do about it. Is there possibly some conflict between LAN and tap being in the same subnet?

Also you'll need to fix the DHCP server to allocate addresses which are not offered by OpenVPN server.

I didn't understand this one :slightly_frowning_face: You mean allocate addresses of my router hosts or of my new router LAN? Sorry if my questions are stupid... :slightly_frowning_face: I am very new to networking...

You cannot have two interfaces with IP addresses in the same network. What you can do is to bridge them (you have already done that, from what I see in br0) and then use a single IP from 192.168.8.X on the br0 interface.
Although it would be easier if you omitted the br0 configuration part and added the tap0 here:

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'
        list ports 'tap0'

after all, this is what you want to achieve. This way you can configure the IP on the br-lan directly, as you did.

Both the router and the OpenVPN server are allocating IPs to the clients. Just make sure that they don't overlap. By default the DHCP pool of the lan interface is from .100 to .249. If the OpenVPN server doesn't allocate in there, you're good.

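The two constraints in the reply above (no two router interfaces with addresses in one subnet; the OpenWrt DHCP pool must not overlap the OpenVPN server-bridge pool) as an offline checker. This is an added example, not code from the thread or from OpenWrt/OpenVPN; it assumes the OpenWrt default pool of start=100, limit=150, and its sample input is constructed from the values posted in this thread.

```python
"""Offline sanity checks for a bridged tap0 / br-lan OpenWrt client.

Added example (not code from the thread, OpenWrt or OpenVPN). Two checks:
  1. no two router interfaces may hold IPv4 addresses in the same subnet
     (the tap0 192.168.8.52 vs lan 192.168.8.101 situation from the thread);
  2. the OpenWrt DHCP pool (dhcp.lan.start/limit) must not overlap the
     OpenVPN `server-bridge` pool.
"""
import ipaddress
import re

# Constructed sample: router addresses after the LAN was moved to 192.168.8.101
# while tap0 still holds the address handed out by the OpenVPN server.
IP_ADDR_SHOW = """\
6: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
    inet 192.168.8.101/24 brd 192.168.8.255 scope global br-lan
8: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
    inet 192.168.0.131/24 brd 192.168.0.255 scope global eth0.2
12: tap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN
    inet 192.168.8.52/24 scope global tap0
"""
# The server-bridge line from the server config posted in the thread.
SERVER_BRIDGE = "server-bridge 192.168.8.4 255.255.255.0 192.168.8.50 192.168.8.100"
# Assumed OpenWrt defaults for dhcp.lan: start=100, limit=150 -> .100 to .249
LAN_DHCP_START, LAN_DHCP_LIMIT = 100, 150


def parse_ip_addr(text):
    """Return [(ifname, IPv4Interface)] from `ip address show` output."""
    addrs, ifname = [], None
    for line in text.splitlines():
        m = re.match(r"^\d+:\s+([^:@]+)(?:@\S+)?:", line)  # 'eth0.2@eth0' -> eth0.2
        if m:
            ifname = m.group(1)
            continue
        m = re.match(r"^\s+inet\s+(\S+)", line)  # 'inet6' lines do not match
        if m and ifname:
            addrs.append((ifname, ipaddress.ip_interface(m.group(1))))
    return addrs


def subnet_conflicts(addrs):
    """Interface pairs whose addresses lie in the same IPv4 subnet."""
    return [(a, b) for i, (a, ia) in enumerate(addrs)
            for b, ib in addrs[i + 1:] if ia.network == ib.network]


def server_bridge_pool(line):
    """Parse 'server-bridge GW NETMASK POOL_START POOL_END' -> (first, last)."""
    parts = line.split()
    if len(parts) != 5 or parts[0] != "server-bridge":
        raise ValueError("expected: server-bridge GW NETMASK START END")
    return ipaddress.ip_address(parts[3]), ipaddress.ip_address(parts[4])


def openwrt_dhcp_pool(network, start, limit):
    """OpenWrt dnsmasq pool: network+start .. network+start+limit-1 (inclusive)."""
    first = ipaddress.ip_network(network).network_address + start
    return first, first + limit - 1


def pool_overlap(a, b):
    """Inclusive intersection of two (first, last) ranges as strings, or None."""
    lo, hi = max(a[0], b[0]), min(a[1], b[1])
    return (str(lo), str(hi)) if lo <= hi else None


def report(ip_addr_text, server_bridge_line, dhcp_start, dhcp_limit):
    """Collect findings; an empty list means both checks pass."""
    findings = []
    addrs = parse_ip_addr(ip_addr_text)
    for a, b in subnet_conflicts(addrs):
        findings.append(f"{a} and {b} share a subnet: bridge tap0 into br-lan "
                        f"and keep a single address on the bridge")
    ovpn = server_bridge_pool(server_bridge_line)
    lan_net = next(ia.network for name, ia in addrs if name == "br-lan")
    clash = pool_overlap(ovpn, openwrt_dhcp_pool(str(lan_net), dhcp_start, dhcp_limit))
    if clash:
        findings.append(f"DHCP pools overlap on {clash[0]}-{clash[1]}: move "
                        f"dhcp.lan.start above {ovpn[1]} or shrink the server pool")
    return findings


if __name__ == "__main__":
    for line in report(IP_ADDR_SHOW, SERVER_BRIDGE, LAN_DHCP_START, LAN_DHCP_LIMIT):
        print("WARN:", line)
```

Run against the thread's values it reports both problems: br-lan and tap0 share 192.168.8.0/24, and the server-bridge pool .50-.100 overlaps the default OpenWrt pool at exactly .100.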

Thank you very much! Now I think I understood :smile: I will try this out and come back later with the results.


Thank you so much!!! Now it's working! :smile:
