BT Home Hub 5A as dumb access point: is it possible to use Openvpn?

Have you studied Mullvad's guide?
https://mullvad.net/en/help/running-wireguard-router/

Make sure the OpenWrt router LAN IP is not on the same subnet as your ISP-facing router, e.g. use 192.168.111.1.

FWIW, I've measured 36-40 Mbps with WireGuard on the HH5A with my 55/10 Mb connection with my VPN provider.

WireGuard is also time-sensitive. Check the bottom of the OpenWrt WireGuard wiki page if you discover you cannot pass data through the VPN tunnel.
https://openwrt.org/docs/guide-user/services/vpn/wireguard/client

1 Like

I'm studying it, thanks for the link!

I've followed the guide for Wireguard that @bill888 linked.

Now I have around 20 Mbps in upload and download. Not bad. Do I need to try one peer at a time to test different peers' speeds?

Were you connected to a UK peer?

1 Like

I'm connected to a DE peer. The strange thing is that every PC connected to the BT via LAN has a different download speed... obviously I'm not testing them all together :smiley: Some PCs have 20 Mbps, some 36...

Ok, I'll try to check one at a time. But it's possible to add more peers in the WireGuard panel. I don't think that I can add more peers and test one at a time. Maybe I need to use only one peer in that panel to check the effective speed of that specific peer.

Nope, you can define multiple peers within one wireguard interface. Although if you are using a single VPN provider I can't vouch for how well it'd work if you just selected 'Route allowed IPs' on all of them. You'd probably need to do your own routing, either manually or with something like VPN policy routing.

2 Likes

Now I have two PCs connected via LAN to the BT, running WireGuard.

One PC has an NL IP, while the other one has a DE IP. I only have the NL peer in the BT right now.

It won't. For sure something like mwan3 will be needed there.

The results will not be accurate like this. The PC is more powerful in encrypting/decrypting packets than the router.

1 Like

When I said that I have two PCs connected via LAN to the BT, it was to specify that I have two different public IPs showing. It seems strange to me, because I was thinking that the IP should be the same for the two computers.

Are they both using the BT as gateway?

They are both connected to the BT's switch, one with DHCP and the other one with a manual IP.

Maybe I did something wrong with the settings, I'll try to check for it.

EDIT: I used DHCP on both computers to check the speed. The one (Ubuntu 20.04) connected directly via Ethernet to the BT has 20 Mbps of speed, while the other one (with Win 10) connected through 200 Mbps powerlines (with a 100 Mbps Ethernet port) has 37 Mbps of speed!

BTW, could I use 2.4 GHz WiFi with VPN and 5 GHz without? Is it possible?

It doesn't matter so much where they are connected, but which gateway they are using. If they are using the BT, then they will use the VPN; if they use the ISP router, they will use the ISP.

Yes, it is possible. You'll need to create a new interface for the 2.4 GHz, enable dhcp/dns, assign it to a new zone, and allow traffic from this zone to the vpn zone.

2 Likes

Do I need to create the new interface for the WiFi I want to connect with or without VPN?

There is possibly a simpler solution but it may depend on how your firewall zones are configured.

If the WAN port of the HH5A is wired to a LAN port of your ISP router, perhaps you could just bridge a wireless interface (e.g. 5 GHz) to the WAN interface instead of the default LAN interface?
If you don't wish a WiFi device to use the VPN, then connect it to this 5 GHz WiFi network in this example.

I know the above works if you followed my OpenVPN client guide for the HH5A.

1 Like

It worked!

Thanks a lot for the help!

The strange fact is that now they are using the same gateway (I left everything on automatic), so it's really strange that there is this difference between the two machines!

For further troubleshooting we'll need to have a look at the configuration.
Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have.

uci export network; uci export wireless; \
uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
ls -l  /etc/resolv.* /tmp/resolv.*; head -n -0 /etc/resolv.* /tmp/resolv.*
2 Likes

package network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd3d:8077:50f7::/48'

config atm-bridge 'atm'
        option vpi '1'
        option vci '32'
        option encaps 'llc'
        option payload 'bridged'
        option nameprefix 'dsl'

config dsl 'dsl'
        option annex 'a'
        option tone 'av'
        option ds_snr_offset '0'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option ip6assign '60'
        list ipaddr '192.168.2.1/24'

config device 'lan_eth0_1_dev'
        option name 'eth0.1'
        option macaddr 'XXXXXXXX'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.1.99'
        option gateway '192.168.1.1'
        option macaddr 'XXXXXXXX'
        list dns '1.1.1.1'
        list dns '1.0.0.1'
        option type 'bridge'

config device 'wan_dsl0_dev'
        option name 'dsl0'
        option macaddr 'XXXXXXXX'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 4 6t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '5 6t'

config interface 'VPNtun0'
        option ifname 'tun0'
        option proto 'none'

config interface 'WireVPN'
        option proto 'wireguard'
        option listen_port '3886'
        option force_link '1'
        option private_key 'XXXXXXXX'
        list addresses 'XXXXXXXX'
        list addresses 'XXXXXXXX'

config wireguard_WireVPN
        option public_key 'XXXXXXXX'
        option description 'nl1'
        option persistent_keepalive '25'
        option endpoint_port '51820'
        list allowed_ips '0.0.0.0/0'
        option route_allowed_ips '1'
        option endpoint_host 'XXXXXXXX'

package wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option channel '36'
        option hwmode '11a'
        option path 'pci0000:01/0000:01:00.0/0000:02:00.0'
        option htmode 'VHT80'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option mode 'ap'
        option key 'XXXXXXXX'
        option ssid 'XXXXXXXX'
        option encryption 'psk2'
        option network 'wan'

config wifi-device 'radio1'
        option type 'mac80211'
        option channel '11'
        option hwmode '11g'
        option path 'pci0000:00/0000:00:0e.0'
        option htmode 'HT40'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option key 'XXXXXXXX'
        option ssid 'XXXXXXXX'
        option encryption 'psk2'

package dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option localservice '1'
        list server '10.64.0.1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv6 'server'
        option ra 'server'
        option ra_management '1'
        list dhcp_option '6,10.64.0.1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

package firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config zone
        option name 'VPN_zone'
        option mtu_fix '1'
        option input 'REJECT'
        option forward 'REJECT'
        option masq '1'
        option output 'ACCEPT'
        option network 'VPNtun0'

config zone
        option name 'WGZONE'
        option mtu_fix '1'
        option input 'REJECT'
        option forward 'REJECT'
        option masq '1'
        option output 'ACCEPT'
        option network 'WireVPN'

config forwarding
        option dest 'WGZONE'
        option src 'lan'

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
5: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.2.1/24 brd 192.168.2.255 scope global br-lan
       valid_lft forever preferred_lft forever
12: br-wan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.1.99/24 brd 192.168.1.255 scope global br-wan
       valid_lft forever preferred_lft forever
14: WireVPN: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 10.66.245.207/32 brd 255.255.255.255 scope global WireVPN
       valid_lft forever preferred_lft forever
default dev WireVPN proto static scope link
192.168.1.0/24 dev br-wan proto kernel scope link src 192.168.1.99
192.168.2.0/24 dev br-lan proto kernel scope link src 192.168.2.1
193.32.249.66 via 192.168.1.1 dev br-wan proto static
local 10.66.245.207 dev WireVPN table local proto kernel scope host src 10.66.245.207
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.1.0 dev br-wan table local proto kernel scope link src 192.168.1.99
local 192.168.1.99 dev br-wan table local proto kernel scope host src 192.168.1.99
broadcast 192.168.1.255 dev br-wan table local proto kernel scope link src 192.168.1.99
broadcast 192.168.2.0 dev br-lan table local proto kernel scope link src 192.168.2.1
local 192.168.2.1 dev br-lan table local proto kernel scope host src 192.168.2.1
broadcast 192.168.2.255 dev br-lan table local proto kernel scope link src 192.168.2.1
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
lrwxrwxrwx    1 root     root            16 Sep  6 16:19 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root            32 Sep 30 11:12 /tmp/resolv.conf
-rw-r--r--    1 root     root            54 Sep 30 11:32 /tmp/resolv.conf.auto
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf.auto <==
# Interface wan
nameserver 1.1.1.1
nameserver 1.0.0.1

Seems good to me. If you connect a client to the 5 GHz band SSID, then it should get DHCP settings from the ISP modem in the 192.168.1.X range and be routed via your ISP.
If you connect a client to the 2.4 GHz SSID, it will get a 192.168.2.X IP from the OpenWrt router and will be going via the VPN.

2 Likes
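As an added example (not code from this thread or from OpenWrt), here is a small Python script that parses `uci export` output and checks the points the replies above rely on: the LAN subnet must not overlap the ISP-facing WAN subnet, the WireGuard interface must sit in a zone that masquerades and has a forwarding from the client zone (`lan` here, or a separate zone created for the 2.4 GHz radio as suggested earlier), the peer must install the default route via `route_allowed_ips`, and each SSID is mapped to the path it takes (`network 'wan'` bridges the client onto the ISP LAN, so it bypasses the VPN). The embedded export is a constructed, trimmed version of the one posted in this thread, with placeholder keys and a placeholder endpoint; the function names are my own.

```python
"""Check a `uci export` dump against the advice given in this thread."""
import ipaddress
import shlex

# Constructed sample, trimmed from the export posted in the thread; the keys
# and the endpoint are placeholders, not real values.
SAMPLE_EXPORT = """\
package network

config interface 'lan'
        list ipaddr '192.168.2.1/24'

config interface 'wan'
        option proto 'static'
        option ipaddr '192.168.1.99'
        option netmask '255.255.255.0'
        option gateway '192.168.1.1'

config interface 'WireVPN'
        option proto 'wireguard'
        option private_key 'PLACEHOLDER_PRIVATE_KEY'
        list addresses '10.66.245.207/32'

config wireguard_WireVPN
        option public_key 'PLACEHOLDER_PUBLIC_KEY'
        option endpoint_host 'vpn.example.invalid'
        list allowed_ips '0.0.0.0/0'
        option route_allowed_ips '1'

package wireless

config wifi-iface 'default_radio0'
        option ssid 'bypass-vpn'
        option network 'wan'

config wifi-iface 'default_radio1'
        option ssid 'via-vpn'
        option network 'lan'

package firewall

config zone
        option name 'lan'
        option network 'lan'

config zone
        option name 'WGZONE'
        option masq '1'
        option network 'WireVPN'

config forwarding
        option src 'lan'
        option dest 'WGZONE'
"""


def parse_uci_export(text):
    """Return {package: [section]}; a section is {'type', 'name', 'options'}."""
    packages, package, section = {}, None, None
    for line in text.splitlines():
        parts = shlex.split(line)          # handles the single-quoted values
        if not parts:
            continue
        if parts[0] == 'package':
            package = packages.setdefault(parts[1], [])
        elif parts[0] == 'config':         # anonymous sections have no name
            section = {'type': parts[1], 'name': parts[2] if len(parts) > 2 else None, 'options': {}}
            package.append(section)
        elif parts[0] == 'option':
            section['options'][parts[1]] = parts[2]
        elif parts[0] == 'list':           # repeated `list` keys become lists
            section['options'].setdefault(parts[1], []).append(parts[2])
    return packages


def as_list(value):
    return value if isinstance(value, list) else [] if value is None else [value]


def find(packages, pkg, typ, name=None):
    return [s for s in packages.get(pkg, []) if s['type'] == typ and name in (None, s['name'])]


def interface_network(iface):
    """IPv4 network of a static interface; ipaddr is CIDR or needs the netmask."""
    ipaddr = as_list(iface['options'].get('ipaddr'))[0]
    if '/' not in ipaddr:
        ipaddr += '/' + iface['options'].get('netmask', '32')
    return ipaddress.ip_network(ipaddr, strict=False)


def lan_overlaps_wan(packages):
    """True if the OpenWrt LAN shares a subnet with the ISP-facing side (the advice at the top of the thread)."""
    lan = find(packages, 'network', 'interface', 'lan')[0]
    wan = find(packages, 'network', 'interface', 'wan')[0]
    return interface_network(lan).overlaps(interface_network(wan))


def zone_of(packages, network):
    return next((z for z in find(packages, 'firewall', 'zone')
                 if network in as_list(z['options'].get('network'))), None)


def vpn_zone_status(packages):
    """Per WireGuard interface: its zone, masquerading, zones forwarded into it, default route."""
    status = {}
    for wg in find(packages, 'network', 'interface'):
        if wg['options'].get('proto') != 'wireguard':
            continue
        zone = zone_of(packages, wg['name'])
        zname = zone['options']['name'] if zone else None
        peers = find(packages, 'network', 'wireguard_' + wg['name'])
        status[wg['name']] = {
            'zone': zname,
            'masq': bool(zone) and zone['options'].get('masq') == '1',
            'forwarded_from': sorted(f['options']['src'] for f in find(packages, 'firewall', 'forwarding')
                                     if f['options'].get('dest') == zname),
            # 'Route allowed IPs' on a 0.0.0.0/0 peer is what makes the tunnel the default route
            'default_route': any('0.0.0.0/0' in as_list(p['options'].get('allowed_ips'))
                                 and p['options'].get('route_allowed_ips') == '1' for p in peers),
        }
    return status


def ssid_paths(packages):
    """'isp' when the SSID is bridged onto the wan interface, 'vpn' when its zone forwards into a routed WireGuard zone."""
    vpn_sources = {src for s in vpn_zone_status(packages).values() if s['default_route'] for src in s['forwarded_from']}
    paths = {}
    for wifi in find(packages, 'wireless', 'wifi-iface'):
        net, zone = wifi['options'].get('network'), zone_of(packages, wifi['options'].get('network'))
        if net == 'wan':                   # layer-2 bridge: client gets DHCP and gateway from the ISP router
            paths[wifi['options']['ssid']] = 'isp'
        elif zone and zone['options']['name'] in vpn_sources:
            paths[wifi['options']['ssid']] = 'vpn'
        else:
            paths[wifi['options']['ssid']] = 'no-forwarding'
    return paths


def report(packages):
    """Human-readable findings; an empty list means the dump matches the thread's advice."""
    findings = []
    if lan_overlaps_wan(packages):
        findings.append('lan subnet overlaps the wan subnet; move lan to e.g. 192.168.111.1/24')
    for name, s in vpn_zone_status(packages).items():
        findings += [f'{name}: missing {key}' for key in ('zone', 'masq', 'forwarded_from', 'default_route') if not s[key]]
    return findings


if __name__ == '__main__':
    pkgs = parse_uci_export(SAMPLE_EXPORT)
    print(ssid_paths(pkgs), report(pkgs) or 'no findings')
```

Feed it the real output of `uci export network; uci export wireless; uci export firewall` (concatenated, as the forum's command line produces) and an empty report confirms the same three properties the reply above checked by eye; adding a second `config forwarding` from a new 2.4 GHz zone to `WGZONE` shows up in `forwarded_from` and flips that SSID to `vpn`.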

Yes, this is what happens and it works really fine now!

The only thing I haven't understood yet is why two PCs with automatic IP settings (one with Win 10, the other with Ubuntu) have very different speedtest results (both have 1000 Mbps LAN; the fastest one is the one connected to the BT via 100 Mbps powerlines!).