Hello Community, I am sure this topic has been discussed over and over but I couldn't find any answers that match my situation... any help would be greatly appreciated.
My ultimate goal is to have specific devices' traffic route through OpenVPN.
My current setup:
1 main 5G CPE router, handling firewall, DNS and DHCP, also AP
1 OpenWRT router bridged to the main router acting as AP and switch (i.e. nothing on the WAN port)
I have a Proxmox hypervisor running, I can spin up another OpenWRT instance if that helps, no wireless though.
Limitations/Concerns:
I really don't want to install additional network devices/routers/AP, I can totally understand that it will work in 5 minutes if I have something like a GL-iNET box connected but I really don't want to...
Main router stays untouched
All devices should still be able to talk to each other, the OpenVPN-routed devices are optional. Great if they could talk to other devices, but it's optional.
5GHz SSID remains bridged to LAN without VPN
What I envision would be the ideal outcome:
The 2.4GHz SSID becomes the "VPN Wifi", anything connected to it will be routed through VPN, or
Devices are VPN-enabled by MAC address (on PBR maybe?)
I am completely lost right now, I am open to any solutions that don't exceed my limitations. Most tutorials, if I understand correctly, assume there are firewall rules that forward traffic from LAN to WAN but in my setup, the OpenWRT installation is just bridged and essentially just a switch + AP. This would be really simple if I made my main router a modem and let OpenWRT handle everything else, but then I would have to get another AP for Wifi coverage.
Anyhow, I really don't want to touch the main router, it acts as a fallback if the OpenWRT fails and everyone in my house can still connect to the internet and I won't be yelled at. Realistically I am the only one connected to the OpenWRT router.
I have some ideas in my mind but no idea how that is done on a single OpenWRT instance, like having a separate network and DHCP on OpenWRT that is only accessible via the 2.4GHz SSID, on it the traffic goes through the VPN.
Create a dedicated interface in a different IP subnet, assign it to the lan firewall zone and enable the DHCP server.
Attach the newly created interface to the 2.4 SSID.
Add list device 'tun+' to the wan firewall zone in order to masquerade the outbound traffic.
Note that the OpenWrt device itself will also use the vpn to access the internet.
Next set up the VPN. I would use WireGuard instead of OpenVPN; it is easier to set up and much faster.
All clients of your guest wifi will automatically use the VPN.
You can place the VPN interface in the LAN zone as that is your way out (as it is bridged, I assume there is no WAN). Be sure to enable Masquerade on the LAN zone.
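As an added example (not from any poster in this thread or from the guide it references), the steps above written out as UCI config excerpts, following the "tun+ in the wan zone" variant; the interface name guest, the 192.168.3.0/24 subnet, radio0 as the 2.4 GHz radio, the SSID and the passphrase are assumptions. Putting tun+ in the wan zone means that zone's REJECT input policy also applies to traffic arriving from the tunnel, and the guest zone can reach the AP itself only for DHCP and DNS.

```uci
# /etc/config/network (excerpt): the new interface on its own subnet.
# "guest" and 192.168.3.0/24 are assumed names; use a subnet the main router does not.
config device 'guest_dev'
	option type 'bridge'
	option name 'br-guest'

config interface 'guest'
	option proto 'static'
	option device 'br-guest'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'

# /etc/config/wireless (excerpt): 'radio0' is assumed to be the 2.4 GHz radio.
config wifi-iface 'guest_2g'
	option device 'radio0'
	option mode 'ap'
	option network 'guest'
	option ssid 'VPN-WiFi'          # constructed SSID
	option encryption 'sae-mixed'
	option key 'CHANGE-ME'          # placeholder passphrase

# /etc/config/firewall (excerpt): guest zone, tun+ in the wan zone, guest -> wan.
config zone 'guest'
	option name 'guest'
	list network 'guest'
	option input 'REJECT'   # clients only reach the AP through the rule below
	option output 'ACCEPT'
	option forward 'REJECT'

config zone 'wan'
	option name 'wan'
	list network 'wan'
	list device 'tun+'      # any tunX device counts as an uplink and is masqueraded
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'guest'
	option dest 'wan'

config rule                 # guest clients still need DHCP and DNS from the AP
	option name 'Allow-Guest-DHCP-DNS'
	option src 'guest'
	option dest_port '53 67 68'
	option proto 'tcp udp'
	option target 'ACCEPT'
```

The DHCP server for the guest interface is enabled separately in /etc/config/dhcp (a `config dhcp 'guest'` section with `option interface 'guest'`), as the thread's OP already did.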
Thank you egc for your elaboration. I got the Guest Wifi set up and it's working as intended, with separate DHCP. However, I am not clear on the next steps.
On VPN, the VPN I am trying to connect to is a private gaming network, all I've got is an OVPN profile, which I have no idea how to configure with WireGuard even after some Googling... Since the traffic will be rather minimal, and there will not be any internet access going through the VPN, there will only be a small amount of "local" traffic, so speed is not a concern.
I have the VPN interface created (Unmanaged interface with device tun0), but I am not quite sure which firewall zone and how (the accept/reject policy, device covered, etc.) to put it into. I have 1 firewall zone pre-configured which is LAN->(empty), and another one according to the guide (guest->lan).
I tried to add the VPN interface to the lan fw rule (lan->vpn), it didn't work.
I tried adding a separate rule "vpn->lan" and changed the guest rule to "guest->vpn", it did not work either.
Could you enlighten me on what I'm missing here? Thanks a lot in advance.
With only an OVPN profile you have to use OpenVPN.
Please connect to your OpenWRT device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact keys, passwords, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
ip route show
for ovpn in $(ls /etc/openvpn/*.ovpn);do echo $ovpn; cat $ovpn; echo;done
logread | grep openvpn
I fiddled with this a bit more this evening and had to factory reset everything... rough evening
Anyway, I followed the dumbap and guest wifi on dumbap guide again and here are the commands' outputs: