Bridged OpenWRT, route traffic through OpenVPN for specific devices / all devices on a separate SSID

Hello Community, I am sure this topic has been discussed over and over but I couldn't find any answers that match my situation...any help would be greatly appreciated.

My ultimate goal is to have specific devices' traffic route through OpenVPN.

My current setup:

  • 1 main 5G CPE router, handling firewall, DNS and DHCP, also AP
  • 1 OpenWRT router bridged to the main router acting as AP and switch (i.e. nothing on the WAN port)

I have a Proxmox hypervisor running, I can spin up another OpenWRT instance if that helps, no wireless though.

Limitations/Concerns:

  • I really don't want to install additional network devices/routers/AP, I can totally understand that it will work in 5 minutes if I have something like a GL-iNET box connected but I really don't want to...
  • Main router stays untouched
  • All devices should still be able to talk to each other; for the OpenVPN-routed devices this is optional. Great if they could talk to other devices, but it's optional.
  • 5GHz SSID remains bridged to LAN without VPN

What I envision would be the ideal outcome:

  • The 2.4GHz SSID becomes the "VPN Wifi", anything connected to it will be routed through VPN, or
  • Devices are VPN-enabled by MAC address (on PBR maybe?)

I am completely lost right now, I am open to any solutions that don't exceed my limitations. Most tutorials, if I understand correctly, assume there are firewall rules that forward traffic from LAN to WAN, but in my setup the OpenWRT installation is just bridged and essentially just a switch + AP. This would be really simple if I made my main router a modem and let OpenWRT handle everything else, but then I would have to get another AP for Wifi coverage.

Anyhow, I really don't want to touch the main router; it acts as a fallback if the OpenWRT fails, so everyone in my house can still connect to the internet and I won't be yelled at. Realistically I am the only one connected to the OpenWRT router.

I have some ideas in my mind but no idea how that is done on a single OpenWRT instance, like having a separate network and DHCP on OpenWRT that is only accessible via the 2.4GHz SSID, on it the traffic goes through the VPN.

Any help would be greatly appreciated!!

Create a dedicated interface in a different IP subnet, assign it to the lan firewall zone and enable the DHCP server.
Attach the newly created interface to the 2.4 SSID.
Add list device 'tun+' to the wan firewall zone in order to masquerade the outbound traffic.
Note that the OpenWrt device itself will also use the vpn to access the internet.

1 Like

Hi Pavelgl, thanks for your help. I am not by the device so I can't test now but can I ask -

Add list device 'tun+' to the wan firewall zone in order to masquerade the outbound traffic.

Did you mean add to the LAN firewall zone? I don't think I have a WAN firewall zone as this router is a dumb ap, everything is just bridged together.

Note that the OpenWrt device itself will also use the vpn to access the internet.

By that do you mean only the internal traffic from OpenWRT will go through VPN, or anything connected to this AP?

Thanks a lot for your help!

To elaborate on @pavelgl's advice: set up the 2.4 GHz according to the guest wifi on a dumb AP guide: https://openwrt.org/docs/guide-user/network/wifi/guestwifi/guestwifi_dumbap

Next, set up the VPN. I would use WireGuard instead of OpenVPN; it is easier to set up and much faster.

All clients of your guest wifi will automatically use the VPN.

You can place the VPN interface in the LAN zone as that is your way out (as it is bridged, I assume there is no WAN). Be sure to enable Masquerade on the LAN zone.

1 Like
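The two suggestions above (a dedicated firewall zone holding the tunnel device with masquerading, as pavelgl described, or the tunnel device added to the existing LAN zone with masquerade on, as egc described) expressed as uci batch commands. This is an added example, not code from either poster or from the OpenWrt project; the zone name "vpn", the REJECT input/forward policy and the mtu_fix setting are my choices, and "guest" is the zone name the guest-wifi-on-dumb-AP guide creates.

```shell
#!/bin/sh
# Added example (not from the thread). Each function prints a uci batch;
# apply it on the router with:  <function> | uci batch && uci commit firewall
# followed by /etc/init.d/firewall restart.

# Variant 1 (pavelgl): dedicated zone for the tunnel device. 'tun+' is a
# wildcard, so tun0, tun1, ... all fall into the zone. Guest clients on the
# VPN SSID are allowed to forward into it; everything entering from the
# tunnel side is rejected (assumed policy, mirrors a typical wan zone).
vpn_zone_batch() {
    zone="${1:-vpn}"     # new zone name (assumption)
    guest="${2:-guest}"  # zone of the 2.4 GHz guest network
    dev="${3:-tun+}"     # OpenVPN tunnel device pattern
    cat <<EOF
add firewall zone
set firewall.@zone[-1].name='$zone'
set firewall.@zone[-1].input='REJECT'
set firewall.@zone[-1].output='ACCEPT'
set firewall.@zone[-1].forward='REJECT'
set firewall.@zone[-1].masq='1'
set firewall.@zone[-1].mtu_fix='1'
add_list firewall.@zone[-1].device='$dev'
add firewall forwarding
set firewall.@forwarding[-1].src='$guest'
set firewall.@forwarding[-1].dest='$zone'
EOF
}

# Variant 2 (egc): put the tunnel device into the existing lan zone and make
# sure masquerading is on. The lan zone is the first zone section in the
# dumb-AP configuration, hence index 0; pass another index if yours differs.
# The guest->lan forwarding from the guide then already covers the tunnel.
tun_into_lan_batch() {
    dev="${1:-tun+}"
    idx="${2:-0}"
    cat <<EOF
add_list firewall.@zone[$idx].device='$dev'
set firewall.@zone[$idx].masq='1'
EOF
}

# Running the script stand-alone prints variant 1 with the default names.
vpn_zone_batch
```

Pick one variant, not both, or the tunnel device would belong to two zones.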

Thank you egc for your elaboration. I got the Guest Wifi set up and it's working as intended, with separate DHCP. However, I am not clear on the next steps.

On VPN, the VPN I am trying to connect to is a private gaming network; all I've got is an OVPN profile, which I have no idea how to configure with WireGuard even after some Googling... Since the traffic will be rather minimal, and there will not be any internet access going through the VPN (there will only be a small amount of "local" traffic), speed is not a concern.

I have the VPN interface created (Unmanaged interface with device tun0), but I am not quite sure which firewall zone to put it into and how (the accept/reject policy, device covered, etc.). I have 1 firewall zone pre-configured, which is LAN->(empty), and another one according to the guide (guest->lan).

I tried to add the VPN interface to the lan fw rule (lan->vpn); it didn't work.
I tried adding a separate rule "vpn->lan" and changed the guest rule to "guest->vpn"; it did not work either.

Could you enlighten me on what I'm missing here? Thanks a lot in advance.

With only an OVPN profile you have to use OpenVPN.

Please connect to your OpenWRT device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:

Remember to redact keys, passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
ip route show
for ovpn in $(ls /etc/openvpn/*.ovpn);do echo $ovpn; cat $ovpn; echo;done
logread | grep openvpn

I fiddled with this a bit more this evening and had to factory reset everything... rough evening.
Anyway, I followed the dumbap and guest wifi on dumbap guide again and here are the commands' outputs:

ubus call system board

{
        "kernel": "5.10.201",
        "hostname": "OpenWrt",
        "system": "ARMv7 Processor rev 5 (v7l)",
        "model": "Linksys EA6350v3",
        "board_name": "linksys,ea6350v3",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "22.03.6",
                "revision": "r20265-f85a79bcb4",
                "target": "ipq40xx/generic",
                "description": "OpenWrt 22.03.6 r20265-f85a79bcb4"
        }
}

cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd16:0883:fa5a::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config device
        option name 'eth0'
        option macaddr '60:38:e0:9b:8c:e7'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.0.2'
        option gateway '192.168.0.1'
        list dns '192.168.0.1'

config device
        option name 'eth1'
        option macaddr '60:38:e0:9b:8c:e6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 4 0'

config device
        option type 'bridge'
        option name 'br-guest'
        option bridge_empty '1'

config interface 'guest'
        option proto 'static'
        option device 'br-guest'
        option ipaddr '192.168.57.1'
        option netmask '255.255.255.0'

config interface 'ifvpn'
        option proto 'none'
        option device 'tun0'

cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/soc/a000000.wifi'
        option band '2g'
        option htmode 'HT20'
        option channel '12'
        option cell_density '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option mode 'ap'
        option ssid 'dd-wrt-guest'
        option encryption 'psk2'
        option key 'KEY_REDACTED'
        option network 'guest'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/soc/a800000.wifi'
        option channel '36'
        option band '5g'
        option htmode 'VHT80'
        option cell_density '0'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'dd-wrt5'
        option encryption 'psk2'
        option key 'KEY_REDACTED'

config wifi-iface 'wifinet2'
        option device 'radio0'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'

cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'guest'
        option interface 'guest'
        option start '100'
        option limit '150'
        option leasetime '12h'

cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        list network 'lan'

config zone
        option name 'guest'
        option output 'ACCEPT'
        option forward 'REJECT'
        option input 'REJECT'
        list network 'guest'

config forwarding
        option src 'guest'
        option dest 'lan'

config rule
        option name 'Guest_DHCP'
        list proto 'udp'
        option src 'guest'
        option dest_port '67-68'
        option target 'ACCEPT'

config rule
        option name 'Guest_DNS'
        option src 'guest'
        option dest_port '53'
        option target 'ACCEPT'

ip route show

default via 192.168.0.1 dev br-lan
192.168.0.0/24 dev br-lan scope link  src 192.168.0.2
192.168.57.0/24 dev br-guest scope link  src 192.168.57.1

for ovpn in $(ls /etc/openvpn/*.ovpn);do echo $ovpn; cat $ovpn; echo;done

/etc/openvpn/vpngame.ovpn
dev tun
persist-tun
persist-key
auth-nocache
cipher AES-256-CBC
data-ciphers AES-256-CBC
auth SHA256
tls-client
client
resolv-retry infinite
remote IP_REDACTED 1194 udp4
nobind
verify-x509-name "servercert" name
remote-cert-tls server
explicit-exit-notify


<ca>
-----BEGIN CERTIFICATE-----
REDACTED
-----END CERTIFICATE-----
</ca>

<cert>
-----BEGIN CERTIFICATE-----
REDACTED
-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN PRIVATE KEY-----
REDACTED
-----END PRIVATE KEY-----
</key>

logread | grep openvpn

Fri May 24 17:30:01 2024 daemon.notice openvpn(vpngame)[7544]: OpenVPN 2.5.8 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Fri May 24 17:30:01 2024 daemon.notice openvpn(vpngame)[7544]: library versions: OpenSSL 1.1.1w  11 Sep 2023, LZO 2.10
Fri May 24 17:30:01 2024 daemon.warn openvpn(vpngame)[7544]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Fri May 24 17:30:01 2024 daemon.notice openvpn(vpngame)[7544]: TCP/UDP: Preserving recently used remote address: [AF_INET]IP_REDACTED:1194
Fri May 24 17:30:01 2024 daemon.notice openvpn(vpngame)[7544]: UDPv4 link local: (not bound)
Fri May 24 17:30:01 2024 daemon.notice openvpn(vpngame)[7544]: UDPv4 link remote: [AF_INET]IP_REDACTED:1194
Fri May 24 17:30:01 2024 daemon.notice openvpn(vpngame)[7544]: [servercert] Peer Connection Initiated with [AF_INET]IP_REDACTED:1194
Fri May 24 17:30:02 2024 daemon.err openvpn(vpngame)[7544]: Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:6: register-dns (2.5.8)
Fri May 24 17:30:02 2024 daemon.notice openvpn(vpngame)[7544]: TUN/TAP device tun0 opened
Fri May 24 17:30:02 2024 daemon.notice openvpn(vpngame)[7544]: net_iface_mtu_set: mtu 1500 for tun0
Fri May 24 17:30:02 2024 daemon.notice openvpn(vpngame)[7544]: net_iface_up: set tun0 up
Fri May 24 17:30:02 2024 daemon.notice openvpn(vpngame)[7544]: net_addr_v4_add: LOCAL_IP_REDACTED/24 dev tun0
Fri May 24 17:30:02 2024 daemon.notice openvpn(vpngame)[7544]: /usr/libexec/openvpn-hotplug up vpngame tun0 1500 1624 LOCAL_IP_REDACTED 255.255.255.0 init
Fri May 24 17:30:02 2024 daemon.notice openvpn(vpngame)[7544]: Initialization Sequence Completed

On first glance your setup looks good.

Problem is the VPN

Try this: add to the openvpn config:

verb 5
pull-filter ignore "register-dns"

Reboot and show the openvpn log again, and ip route show.