I want to set up a bridged OpenVPN client on an OpenWRT router (TP-Link Archer C7 v5) so that I can access devices connected to this router from another OpenVPN client, as in this schema:
For now, the OpenVPN server is working well, and my PC client and the router client can see each other, but I am having trouble configuring the router so that I can access devices connected to it from my PC client. Right now I am testing with another PC, but eventually I want to access a Siemens PLC connected to that router.
I tried creating bridges from the tap interface to the LAN on my router, but unfortunately it didn't help; maybe I was setting them up wrong as well... I also tried to assign separate LAN ports to the tap bridge as in this tutorial https://coderazzi.net/howto/openwrt/tl841n/openvpn-bridge.htm, but it didn't work.
I am new to OpenWRT/VPN/networking stuff, so it is kind of hard for me to understand what steps I should take, as there are not many tutorials on this particular case. I even tried to assign the OpenWRT router LAN IP to the same subnet 192.168.8.X as the OpenVPN server, which didn't help either (I got more problems with that one). I tried playing with the firewall settings as well. Please don't be angry at me if I say something stupid, because I am still a noob trying to get it.
My configurations: (PS: I set up routed OpenVPN previously on this OpenWRT router, so it may have leftover configuration for the tun interface as well)
server-bridge 192.168.8.4 255.255.255.0 192.168.8.50 192.168.8.100
keepalive 10 120
tls-auth ta.key 0 # This file is secret
cipher AES-256-CBC # AES
OpenWRT router client config
remote (server ip) 1194
dhcp-option DNS (server ip)
Will be grateful for any help!
PS: I deleted all the @ because it didn't let me post with them.
Router: uci show network; uci show firewall; uci show openvpn
network.switch_vlan.ports='2 3 4 5 0t'
firewall.rule.icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.rule.icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.rule.icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
Please use the "Preformatted text </>" button for logs, scripts, configs and general console output.
Please edit your post accordingly. Thank you!
However you cannot bridge these 2 networks since they are using different IP addresses.
Thank you, I formatted my posts.
You mean that I cannot bridge networks with IP 192.168.8.52 and 192.168.1.1, right? Does that mean that if I change my router LAN IP to 192.168.8.X it may work?
Right, and it is a necessary step to take before it will be able to work. I have not checked whether the rest of the configuration is all correct.
I changed my router LAN IP to 192.168.8.101, but I can't access it from OpenVPN now. Before that I could see all my devices that are connected to OpenVPN in the router's ARP table; now it has only the tap IP and the IP of the PC connected to it (which is 192.168.8.150 now).
OpenWrt already has an IP in the 192.168.8.X subnet on the tap interface. The OpenVPN server doesn't know about the .101 which you assigned to the lan interface. So, you'll have to use that IP on the bridge interface. Also, you'll need to fix the DHCP server to allocate addresses which are not offered by the OpenVPN server. Maybe the OpenVPN server will need to be informed about the existence of the lan hosts in case they are not reachable.
OpenWrt already has an IP in 192.168.8.X subnet in tap interface. OpenVPN server doesn't know about the .101 which you assigned to the lan interface. So, you'll have to use that IP on the bridge interface.
Sorry, I don't really get this one. Let me double check, please.
My OpenWrt router LAN has to be 192.168.8.X, right? So I assigned it 192.168.8.101.
It also has a tap interface at 192.168.8.52; I can access my router from another OpenVPN client by this address.
And I need a bridge between LAN 192.168.8.101 and tap 192.168.8.52, am I right? And after that I need to configure my server and let it know about the LAN hosts of this router, like 192.168.8.150, right?
But after I changed my LAN to 192.168.8.101, my other VPN client cannot access the router at 192.168.8.52, and I don't understand why, or what I should do about it. Is there possibly some conflict between lan and tap being in the same subnet?
Also you'll need to fix the DHCP server to allocate addresses which are not offered by OpenVPN server.
I didn't understand this one. Do you mean allocating addresses for my router's hosts or for my new router LAN? Sorry if my questions are stupid... I am very new to networking...
You cannot have 2 interfaces having IP addresses in the same network. What you can do is to bridge them (you have already done that from what I see in br0) and then use a single IP from 192.168.8.X on the br0 interface.
Although it would be easier if you omitted the br0 configuration part and added the tap0 here:
option name 'br-lan'
option type 'bridge'
list ports 'eth0.1'
list ports 'tap0'
After all, this is what you want to achieve. This way you can configure the IP on the br-lan directly, as you did.
Both the router and the OpenVPN server are allocating IPs to the clients. Just make sure that they don't overlap. By default the DHCP pool of the lan interface is from .100 to .249. If the OpenVPN server doesn't allocate in there, you're good.
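A worked version of that suggestion, added here as an example and not taken from the thread: tap0 joins br-lan as a plain port, br-lan carries the single 192.168.8.x address, and the router's DHCP pool is moved clear of the server-bridge pool (192.168.8.50-100). The `dev tap0` and `ifconfig-noexec` client lines, the .150-.199 pool and the lease time are my assumptions, not values from the thread.

```uci
# /etc/config/network  (relevant sections only)
# eth0.1 is the switch-side port already in br-lan; tap0 is the OpenVPN
# tap device. netifd adds tap0 to the bridge when OpenVPN creates it.
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'
	list ports 'tap0'

# The only IP in 192.168.8.0/24 on the router lives on br-lan, so tap0
# and the LAN ports no longer hold separate addresses in the same subnet.
config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.8.101'
	option netmask '255.255.255.0'

# /etc/config/dhcp  (lan pool only)
# Default pool is .100-.249, which touches the server-bridge pool ending
# at .100. Assumed range here: .150-.199 (start 150, 50 leases), so the
# two DHCP servers on the bridged segment never hand out the same address.
config dhcp 'lan'
	option interface 'lan'
	option start '150'
	option limit '50'
	option leasetime '12h'

# Additions to the OpenWrt OpenVPN client config (assumed lines):
#   dev tap0            # pin the interface name referenced by br-lan above
#   ifconfig-noexec     # keep the server-assigned .52 off tap0; br-lan is
#                       # the bridge's single address instead
```

After `/etc/init.d/network restart` and an OpenVPN reconnect, `brctl show br-lan` (or `bridge link`) should list both eth0.1 and tap0, and the PC at 192.168.8.150 should be reachable from the other VPN client without any extra routes on the server.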
Thank you very much! Now I think I understand. I will try this out and come back later with the results.
Thank you so much!!! Now it's working!