BT Home Hub 5A as dumb access point: is it possible to use Openvpn?

Hi guys!

I have BT Home Hub 5A running OpenWrt 19.07.4 r11208-ce6496d796, configured as dumb access point.

I have a Mullvad account and I'm trying to use it on this BT, but:

• if I "script-security 2" and "up /etc/openvpn/update-resolv-conf", "down /etc/openvpn/update-resolv-conf" commands, openvpn gives me in system log:"WARNING: Failed running command (--up/--down): could not execute external program";

• if I remove these commands, it starts correctly, but I have always the main IP, even after following the guide from Openwrt: https://openwrt.org/docs/guide-user/services/vpn/openvpn/client-luci

Can you please help me?

Thanks in advance for the reply!

Most likely the script named update-resolv-conf does not exist (it is not in a default OpenWrt install) or the file is not marked executable.

A dumb AP has only one network, the LAN, and it is a layer 2 bridge, meaning it doesn't route anything. So the VPN can't redirect the routing.

Create a separate new network for the VPN users then route that into the VPN tunnel.

I copied it to /etc/openvpn/ and used chmod +x on it, but it doesn't work.

I've fixed resolv-conf issue in this way: DNS leak with OpenVPN

Can you please help me to create a separate network for VPN? I can't do it by myself.

Roll back to the routing mode and repeat the client how-to.

Thanks. I'll try it, but I have to avoid this: BT Home Hub 5A as client over Ethernet

Done.

Openvpn status is:"Initialization Sequence Completed", but still can't obtain Openvpn to hide my IP.

Post the output:

uci show network; uci show firewall; uci show dhcp

uci show network

network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fd14:467e:3add::/48'
network.atm=atm-bridge
network.atm.vpi='1'
network.atm.vci='32'
network.atm.encaps='llc'
network.atm.payload='bridged'
network.atm.nameprefix='dsl'
network.dsl=dsl
network.dsl.annex='a'
network.dsl.tone='av'
network.dsl.ds_snr_offset='0'
network.lan=interface
network.lan.type='bridge'
network.lan.ifname='eth0.1'
network.lan.proto='static'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan.ipaddr='192.168.1.99'
network.lan.gateway='192.168.1.1'
network.lan.dns='192.168.1.1'
network.lan_eth0_1_dev=device
network.lan_eth0_1_dev.name='eth0.1'
network.lan_eth0_1_dev.macaddr=''
network.wan=interface
network.wan.ifname='dsl0'
network.wan.proto='pppoe'
network.wan.username='username'
network.wan.password='password'
network.wan.ipv6='1'
network.wan_dsl0_dev=device
network.wan_dsl0_dev.name='dsl0'
network.wan_dsl0_dev.macaddr=''
network.wan6=interface
network.wan6.ifname='@wan'
network.wan6.proto='dhcpv6'
network.@switch[0]=switch
network.@switch[0].name='switch0'
network.@switch[0].reset='1'
network.@switch[0].enable_vlan='1'
network.@switch_vlan[0]=switch_vlan
network.@switch_vlan[0].device='switch0'
network.@switch_vlan[0].vlan='1'
network.@switch_vlan[0].ports='0 1 2 4 6t'
network.@switch_vlan[1]=switch_vlan
network.@switch_vlan[1].device='switch0'
network.@switch_vlan[1].vlan='2'
network.@switch_vlan[1].ports='5 6t'
network.tun0=interface
network.tun0.ifname='tun0'
network.tun0.proto='none'
network.tun0.auto='0'

uci show firewall

firewall.@defaults[0]=defaults
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@defaults[0].synflood_protect='1'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[0].network='lan'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[1].network='wan wan6 tun0'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'

uci show dhcp

dhcp.@dnsmasq[0]=dnsmasq
dhcp.@dnsmasq[0].domainneeded='1'
dhcp.@dnsmasq[0].boguspriv='1'
dhcp.@dnsmasq[0].filterwin2k='0'
dhcp.@dnsmasq[0].localise_queries='1'
dhcp.@dnsmasq[0].rebind_protection='1'
dhcp.@dnsmasq[0].rebind_localhost='1'
dhcp.@dnsmasq[0].local='/lan/'
dhcp.@dnsmasq[0].domain='lan'
dhcp.@dnsmasq[0].expandhosts='1'
dhcp.@dnsmasq[0].nonegcache='0'
dhcp.@dnsmasq[0].authoritative='1'
dhcp.@dnsmasq[0].readethers='1'
dhcp.@dnsmasq[0].leasefile='/tmp/dhcp.leases'
dhcp.@dnsmasq[0].resolvfile='/tmp/resolv.conf.auto'
dhcp.@dnsmasq[0].nonwildcard='1'
dhcp.@dnsmasq[0].localservice='1'
dhcp.lan=dhcp
dhcp.lan.interface='lan'
dhcp.lan.start='100'
dhcp.lan.limit='150'
dhcp.lan.leasetime='12h'
dhcp.lan.dhcpv6='server'
dhcp.lan.ra='server'
dhcp.lan.ra_management='1'
dhcp.wan=dhcp
dhcp.wan.interface='wan'
dhcp.wan.ignore='1'
dhcp.odhcpd=odhcpd
dhcp.odhcpd.maindhcp='0'
dhcp.odhcpd.leasefile='/tmp/hosts/odhcpd'
dhcp.odhcpd.leasetrigger='/usr/sbin/odhcpd-update'
dhcp.odhcpd.loglevel='4'

Looks line.

Then check the log, status and runtime config:

/etc/init.d/log restart; /etc/init.d/openvpn restart; sleep 10; \
logread -e openvpn; netstat -l -n -p | grep -e openvpn; pgrep -f -a openvpn; \
ip address show; ip route show table all type unicast; \
ip rule show; iptables-save; head -n -0 /etc/resolv.* /tmp/resolv.*

You can copy-paste it altogether.

Tue Sep 29 01:21:53 2020 daemon.err openvpn(mullvad)[4312]: event_wait : Interrupted system call (code=4)
Tue Sep 29 01:21:53 2020 daemon.notice openvpn(mullvad)[4312]: /sbin/route del -net 185.213.155.137 netmask 255.255.255.255
Tue Sep 29 01:21:53 2020 daemon.notice openvpn(mullvad)[4312]: /sbin/route del -net 0.0.0.0 netmask 128.0.0.0
Tue Sep 29 01:21:53 2020 daemon.notice openvpn(mullvad)[4312]: /sbin/route del -net 128.0.0.0 netmask 128.0.0.0
Tue Sep 29 01:21:53 2020 daemon.notice openvpn(mullvad)[4312]: delete_route_ipv6(::/2)
Tue Sep 29 01:21:53 2020 daemon.notice openvpn(mullvad)[4312]: /sbin/route -A inet6 del ::/2 dev tun0
Tue Sep 29 01:21:53 2020 daemon.notice openvpn(mullvad)[4312]: delete_route_ipv6(4000::/2)
Tue Sep 29 01:21:53 2020 daemon.notice openvpn(mullvad)[4312]: /sbin/route -A inet6 del 4000::/2 dev tun0
Tue Sep 29 01:21:53 2020 daemon.notice openvpn(mullvad)[4312]: delete_route_ipv6(8000::/2)
Tue Sep 29 01:21:53 2020 daemon.notice openvpn(mullvad)[4312]: /sbin/route -A inet6 del 8000::/2 dev tun0
Tue Sep 29 01:21:53 2020 daemon.notice openvpn(mullvad)[4312]: delete_route_ipv6(c000::/2)
Tue Sep 29 01:21:53 2020 daemon.notice openvpn(mullvad)[4312]: /sbin/route -A inet6 del c000::/2 dev tun0
Tue Sep 29 01:21:53 2020 daemon.notice openvpn(mullvad)[4312]: Closing TUN/TAP interface
Tue Sep 29 01:21:53 2020 daemon.notice openvpn(mullvad)[4312]: /sbin/ifconfig tun0 0.0.0.0
Tue Sep 29 01:21:54 2020 daemon.notice openvpn(mullvad)[4312]: /sbin/ifconfig tun0 del fdda:d0d0:cafe:1195::1000/64
Tue Sep 29 01:21:54 2020 daemon.notice openvpn(mullvad)[4312]: /etc/openvpn/downdns tun0 1500 1552 10.9.0.2 255.255.0.0 init
Tue Sep 29 01:21:54 2020 daemon.notice openvpn(mullvad)[4312]: SIGTERM[hard,] received, process exiting
Tue Sep 29 01:21:54 2020 daemon.warn openvpn(mullvad)[4497]: Note: option tun-ipv6 is ignored because modern operating systems do not need special IPv6 tun handling anymore.
Tue Sep 29 01:21:54 2020 daemon.notice openvpn(mullvad)[4497]: OpenVPN 2.4.7 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Tue Sep 29 01:21:54 2020 daemon.notice openvpn(mullvad)[4497]: library versions: OpenSSL 1.1.1g  21 Apr 2020, LZO 2.10
Tue Sep 29 01:21:54 2020 daemon.warn openvpn(mullvad)[4497]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Tue Sep 29 01:21:54 2020 daemon.notice openvpn(mullvad)[4497]: TCP/UDP: Preserving recently used remote address: [AF_INET]185.213.155.137:1195
Tue Sep 29 01:21:54 2020 daemon.notice openvpn(mullvad)[4497]: Socket Buffers: R=[163840->327680] S=[163840->327680]
Tue Sep 29 01:21:54 2020 daemon.notice openvpn(mullvad)[4497]: UDP link local: (not bound)
Tue Sep 29 01:21:54 2020 daemon.notice openvpn(mullvad)[4497]: UDP link remote: [AF_INET]185.213.155.137:1195
Tue Sep 29 01:21:54 2020 daemon.notice openvpn(mullvad)[4497]: TLS: Initial packet from [AF_INET]185.213.155.137:1195, sid=4de6aa64 467205f8
Tue Sep 29 01:21:54 2020 daemon.warn openvpn(mullvad)[4497]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Tue Sep 29 01:21:54 2020 daemon.notice openvpn(mullvad)[4497]: VERIFY OK: depth=2, C=SE, ST=Gotaland, L=Gothenburg, O=Amagicom AB, OU=Mullvad, CN=Mullvad Root CA v2, emailAddress=security@mullvad.net
Tue Sep 29 01:21:54 2020 daemon.notice openvpn(mullvad)[4497]: VERIFY OK: depth=1, C=SE, ST=Gotaland, O=Amagicom AB, OU=Mullvad, CN=Mullvad Intermediate CA v3, emailAddress=security@mullvad.net
Tue Sep 29 01:21:54 2020 daemon.notice openvpn(mullvad)[4497]: VERIFY KU OK
Tue Sep 29 01:21:54 2020 daemon.notice openvpn(mullvad)[4497]: Validating certificate extended key usage
Tue Sep 29 01:21:54 2020 daemon.notice openvpn(mullvad)[4497]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Tue Sep 29 01:21:54 2020 daemon.notice openvpn(mullvad)[4497]: VERIFY EKU OK
Tue Sep 29 01:21:54 2020 daemon.notice openvpn(mullvad)[4497]: VERIFY OK: depth=0, C=SE, ST=Gotaland, O=Amagicom AB, OU=Mullvad, CN=de-fra-007.mullvad.net, emailAddress=security@mullvad.net
Tue Sep 29 01:21:54 2020 daemon.warn openvpn(mullvad)[4497]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1557', remote='link-mtu 1558'
Tue Sep 29 01:21:54 2020 daemon.warn openvpn(mullvad)[4497]: WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
Tue Sep 29 01:21:54 2020 daemon.notice openvpn(mullvad)[4497]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, 4096 bit RSA
Tue Sep 29 01:21:54 2020 daemon.notice openvpn(mullvad)[4497]: [de-fra-007.mullvad.net] Peer Connection Initiated with [AF_INET]185.213.155.137:1195
Tue Sep 29 01:21:55 2020 daemon.notice openvpn(mullvad)[4497]: SENT CONTROL [de-fra-007.mullvad.net]: 'PUSH_REQUEST' (status=1)
Tue Sep 29 01:22:00 2020 daemon.notice openvpn(mullvad)[4497]: SENT CONTROL [de-fra-007.mullvad.net]: 'PUSH_REQUEST' (status=1)
Tue Sep 29 01:22:00 2020 daemon.notice openvpn(mullvad)[4497]: PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 10.9.0.1,redirect-gateway def1 bypass-dhcp,route-ipv6 0000::/2,route-ipv6 4000::/2,route-ipv6 8000::/2,route-ipv6 C000::/2,comp-lzo no,route-gateway 10.9.0.1,topology subnet,socket-flags TCP_NODELAY,ifconfig-ipv6 fdda:d0d0:cafe:1195::1004/64 fdda:d0d0:cafe:1195::,ifconfig 10.9.0.6 255.255.0.0,peer-id 4,cipher AES-256-GCM'
Tue Sep 29 01:22:00 2020 daemon.notice openvpn(mullvad)[4497]: OPTIONS IMPORT: compression parms modified
Tue Sep 29 01:22:00 2020 daemon.notice openvpn(mullvad)[4497]: OPTIONS IMPORT: --socket-flags option modified
Tue Sep 29 01:22:00 2020 daemon.warn openvpn(mullvad)[4497]: NOTE: setsockopt TCP_NODELAY=1 failed
Tue Sep 29 01:22:00 2020 daemon.notice openvpn(mullvad)[4497]: OPTIONS IMPORT: --ifconfig/up options modified
Tue Sep 29 01:22:00 2020 daemon.notice openvpn(mullvad)[4497]: OPTIONS IMPORT: route options modified
Tue Sep 29 01:22:00 2020 daemon.notice openvpn(mullvad)[4497]: OPTIONS IMPORT: route-related options modified
Tue Sep 29 01:22:00 2020 daemon.notice openvpn(mullvad)[4497]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Tue Sep 29 01:22:00 2020 daemon.notice openvpn(mullvad)[4497]: OPTIONS IMPORT: peer-id set
Tue Sep 29 01:22:00 2020 daemon.notice openvpn(mullvad)[4497]: OPTIONS IMPORT: adjusting link_mtu to 1624
Tue Sep 29 01:22:00 2020 daemon.notice openvpn(mullvad)[4497]: OPTIONS IMPORT: data channel crypto options modified
Tue Sep 29 01:22:00 2020 daemon.notice openvpn(mullvad)[4497]: Data Channel: using negotiated cipher 'AES-256-GCM'
Tue Sep 29 01:22:00 2020 daemon.notice openvpn(mullvad)[4497]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Sep 29 01:22:00 2020 daemon.notice openvpn(mullvad)[4497]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Sep 29 01:22:00 2020 daemon.notice openvpn(mullvad)[4497]: GDG6: remote_host_ipv6=n/a
Tue Sep 29 01:22:00 2020 daemon.warn openvpn(mullvad)[4497]: GDG6: NLMSG_ERROR: error Permission denied
Tue Sep 29 01:22:00 2020 daemon.notice openvpn(mullvad)[4497]: TUN/TAP device tun0 opened
Tue Sep 29 01:22:00 2020 daemon.notice openvpn(mullvad)[4497]: TUN/TAP TX queue length set to 100
Tue Sep 29 01:22:00 2020 daemon.notice openvpn(mullvad)[4497]: /sbin/ifconfig tun0 10.9.0.6 netmask 255.255.0.0 mtu 1500 broadcast 10.9.255.255
Tue Sep 29 01:22:00 2020 daemon.notice openvpn(mullvad)[4497]: /sbin/ifconfig tun0 add fdda:d0d0:cafe:1195::1004/64
Tue Sep 29 01:22:00 2020 daemon.notice openvpn(mullvad)[4497]: /etc/openvpn/updns tun0 1500 1552 10.9.0.6 255.255.0.0 init
Tue Sep 29 01:22:00 2020 daemon.notice openvpn(mullvad)[4497]: /sbin/route add -net 185.213.155.137 netmask 255.255.255.255 gw 192.168.1.1
Tue Sep 29 01:22:00 2020 daemon.notice openvpn(mullvad)[4497]: /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.9.0.1
Tue Sep 29 01:22:00 2020 daemon.notice openvpn(mullvad)[4497]: /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.9.0.1
Tue Sep 29 01:22:00 2020 daemon.notice openvpn(mullvad)[4497]: add_route_ipv6(::/2 -> fdda:d0d0:cafe:1195:: metric -1) dev tun0
Tue Sep 29 01:22:00 2020 daemon.notice openvpn(mullvad)[4497]: /sbin/route -A inet6 add ::/2 dev tun0
Tue Sep 29 01:22:00 2020 daemon.notice openvpn(mullvad)[4497]: add_route_ipv6(4000::/2 -> fdda:d0d0:cafe:1195:: metric -1) dev tun0
Tue Sep 29 01:22:00 2020 daemon.notice openvpn(mullvad)[4497]: /sbin/route -A inet6 add 4000::/2 dev tun0
Tue Sep 29 01:22:00 2020 daemon.notice openvpn(mullvad)[4497]: add_route_ipv6(8000::/2 -> fdda:d0d0:cafe:1195:: metric -1) dev tun0
Tue Sep 29 01:22:00 2020 daemon.notice openvpn(mullvad)[4497]: /sbin/route -A inet6 add 8000::/2 dev tun0
Tue Sep 29 01:22:01 2020 daemon.notice openvpn(mullvad)[4497]: add_route_ipv6(c000::/2 -> fdda:d0d0:cafe:1195:: metric -1) dev tun0
Tue Sep 29 01:22:01 2020 daemon.notice openvpn(mullvad)[4497]: /sbin/route -A inet6 add c000::/2 dev tun0
Tue Sep 29 01:22:01 2020 daemon.notice openvpn(mullvad)[4497]: Initialization Sequence Completed
udp        0      0 0.0.0.0:57164           0.0.0.0:*                           4497/openvpn
4497 /usr/sbin/openvpn --syslog openvpn(mullvad) --status /var/run/openvpn.mullvad.status --cd /etc/openvpn --config /etc/openvpn/mullvad.ovpn
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP qlen 1000
    link/ether 22:0d:8e:d0:66:70 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::200d:8eff:fed0:6670/64 scope link
       valid_lft forever preferred_lft forever
5: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether c8:91:f9:16:bf:a2 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.99/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 fd14:467e:3add::1/60 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::ca91:f9ff:fe16:bfa2/64 scope link
       valid_lft forever preferred_lft forever
6: eth0.1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether c8:91:f9:16:bf:a2 brd ff:ff:ff:ff:ff:ff
11: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether c8:91:f9:16:bf:a5 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::ca91:f9ff:fe16:bfa5/64 scope link
       valid_lft forever preferred_lft forever
12: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether c8:91:f9:16:bf:a4 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::ca91:f9ff:fe16:bfa4/64 scope link
       valid_lft forever preferred_lft forever
14: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 100
    link/[65534]
    inet 10.9.0.6/16 brd 10.9.255.255 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fdda:d0d0:cafe:1195::1004/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::8483:f76c:d768:5ea6/64 scope link
       valid_lft forever preferred_lft forever
default via 192.168.1.1 dev br-lan
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
# Generated by iptables-save v1.8.3 on Tue Sep 29 01:22:04 2020
*nat
:PREROUTING ACCEPT [993:278545]
:INPUT ACCEPT [135:10936]
:OUTPUT ACCEPT [245:21090]
:POSTROUTING ACCEPT [157:14693]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
-A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i dsl0 -m comment --comment "!fw3" -j zone_wan_prerouting
-A PREROUTING -i tun0 -m comment --comment "!fw3" -j zone_wan_prerouting
-A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
-A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o dsl0 -m comment --comment "!fw3" -j zone_wan_postrouting
-A POSTROUTING -o tun0 -m comment --comment "!fw3" -j zone_wan_postrouting
-A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
-A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
-A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Tue Sep 29 01:22:04 2020
# Generated by iptables-save v1.8.3 on Tue Sep 29 01:22:04 2020
*mangle
:PREROUTING ACCEPT [12566:7100645]
:INPUT ACCEPT [7006:3785523]
:FORWARD ACCEPT [4769:3058782]
:OUTPUT ACCEPT [6608:2206956]
:POSTROUTING ACCEPT [11134:5252933]
-A FORWARD -o dsl0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i dsl0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o tun0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i tun0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Tue Sep 29 01:22:04 2020
# Generated by iptables-save v1.8.3 on Tue Sep 29 01:22:04 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i dsl0 -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i tun0 -m comment --comment "!fw3" -j zone_wan_input
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i dsl0 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i tun0 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -m comment --comment "!fw3" -j reject
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o dsl0 -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o tun0 -m comment --comment "!fw3" -j zone_wan_output
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o dsl0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o dsl0 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o tun0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o tun0 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_REJECT -o dsl0 -m comment --comment "!fw3" -j reject
-A zone_wan_dest_REJECT -o tun0 -m comment --comment "!fw3" -j reject
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
-A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_src_REJECT -i dsl0 -m comment --comment "!fw3" -j reject
-A zone_wan_src_REJECT -i tun0 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Tue Sep 29 01:22:04 2020
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf.auto <==
nameserver 10.9.0.1



==> /tmp/resolv.conf.auto.hold <==
# Interface lan
nameserver 192.168.1.1

This should change it to the routed mode:

uci set firewall.@zone[1].input="ACCEPT"
uci commit firewall
/etc/init.d/firewall restart
uci -q delete network.lan.dns
uci -q delete network.lan.gateway
uci -q delete network.lan.ifname
uci set network.lan.ipaddr="192.168.0.1"
uci rename network.wan="wan_dsl"
uci rename network.wan6="wan6_dsl"
uci -q delete network.wan
uci set network.wan="interface"
uci set network.wan.ifname="eth0.1"
uci set network.wan.proto="dhcp"
uci -q delete network.wan6
uci set network.wan6=interface
uci set network.wan6.ifname="eth0.1"
uci set network.wan6.proto="dhcpv6"
uci commit network
/etc/init.d/network restart

With these mods, I can't access to router webif anymore and still can't get the IP masked.

Also, some machines connected via ethernet to BT can't solve IP anymore.

The wired WAN interface should obtain a dynamic IP from the upstream router, and the wireless LAN interface should be accessible via 192.168.0.1.

Check the uHTTPd config/status and the current runtime config:

uci show uhttpd; logread -e uhttpd; \
netstat -l -n -p | grep -e uhttpd; pgrep -f -a uhttpd; \
ip address show; ip route show table all type unicast

Tomorrow I'll try again your last modifies (here now it's 2.26am) and see if something changes.

In the meantime, I thank you a lot for the help!

fwiw, I don't believe anyone has succeeded in configuring openvpn client on openwrt router configured as a dumb Access Point. Other users have 'tried' and 'failed' using other router models based on posts in this forum.

To get openvpn client working, it basically has to be in regular router mode, not dumb AP.

See also my openvpn client setup guide for HH5A. There is a link to it from the bottom of the original owrt wiki page you studied.
https://openwrt.ebilan.co.uk/viewtopic.php?f=7&t=279

https://www.dropbox.com/sh/c8cqmpc6cacs5n8/AAA2f8htk1uMitBckDW8Jq88a?dl=0

Maximum openvpn speed is 9 mbps via ethernet btw on HH5A.

I've done a factory reset and then followed your guide, but unfortunately I have always the same problem: Openvpn works fine, but the devices connected via LAN have the ISP IP, so I believe Openvpn doesn't affect the connected machines.

Is it possible that this happens because I have gateway and DNS set to 192.168.1.1 (main ISP router)?

My configuration is:

Main ISP router with fiber connection (DGA4132); 192.168.1.1

A DGA4132 ethernet port goes into a switch and a cable from the switch goes thru walls into BT Home Hub 5A; 192.168.1.99

BT Home Hub 5A has DNS and Gateway set to 192.168.1.1.

Yes, you need to switch off the dhcp server of the ISP router and switch on the OpenWrt dhcp server.

Ok, I performed a factory reset, changed the cable management and connections on BT and followed your guide.

Now I can use Openvpn (with Mullvad) with no issues on BT. As you say in your guide, the speed is limited to 8-9 Mbps in upload and download (while Openvpn on Ubuntu on pc is 80Mbps). But I've seen that with Wireguard protocol it seems to be way faster.

Is there a guide for Wireguard?

Which router can be used to have speed around 70-80Mbps?

Try Wireguard instead of OpenVPN. It may not get you 70-80Mbps, but it should be a decent bit higher than OpenVPN.

Is there any guide for LUCI to configure Wireguard?