Hello,
I'm a OpenWrt noob and don't know much about configuring routers and networks. All I have managed to do until now was by doing research, watching/reading tutorials and a lot of trial/error. Please excuse any dumb or unnecessary questions. I tried to look everything up especially in this forum but I don't know what to look for exactly for going further with my project. Please don't hesitate to just point me to the right direction I can the research myself. Thanks!
Current Config:
ISP Router (in Bridge Mode)
1st TP-Link Archer C6 V2 EU version (Stock firmware)
2nd TP-Link Archer C6 V2 EU (flashed OpenWrt 21.02.1)
What I want to achieve:
I run the stock Archer C6 (StockRouter) without VPN and want to keep it that way.
I want the OpenWrt Archer C6 (OWRouter) running with the VPN config of my VPN service provider.
I need the OWRouter setup physically seperated from StockRouter for a few reasons.
I didn't think much of the prerequesites and just assumed this configuration might work. I configured OWRouter as a Dumb Access Point so that I can get the internet signal via LAN cable from StockRouter. When trying to setup the Wireguard config of my VPN provider they ask to change the DNS to their given adress. Of course this is not possible since OWRouter now receives the DNS from my StockRouter because I configured it as Dumb AP.
Am thinking about this completely wrong or is it just a Luci configuration problem? What do I have to do next?
Can you tell us what these reasons are? It is generally possible to use just a single router to setup VLANs and vpns to with firewall isolation and routing according to your desired paradigm. This also makes the network easier to manage. Therefore, knowing your reasons (and your objectives) will help inform the best options.
I could be wrong, but I don't think you can use wireguard (or openvpn) client on owrt device configured literally as a 'dumb access point' mode. It needs to be in default router mode.
I can't seem to find a wireguard setup guide using LuCI in the owrt wiki at the moment.
fwiw, this may help. It is similar to a number of LuCI based setup guides offered by a couple of VPN providers.
You can. But there are some caveats that make this less than ideal for most users.
If you set the device up as a router, it becomes pretty simple, and the double-NAT doesn't really matter.
But, depending on the OP's requirements/goals, it might actually be better to set it up on their main router (although they did say that they have reasons to keep the routers separate... I'd like to know why since the topology can be done a few different ways).
I want to be able to switch between one network with/without VPN quickly. So I thought it would be easiest to make 2 physical internet connections. I thought this would be the most simple solution but I guess I'm wrong here.
StockRouter needs to be at a specific location because of some logistical reasons. One of them is that WiFi connection is not good between 2 rooms for whatever reason. And some cable management issues. So I need 2 separate routers anyway.
But if there is no solution with 2 routers may I ask you how to configure the single router?
No, you're not wrong... this is one approach that you can take.
When you say "stock" -- does that mean you must keep that device running the stock firmware? since you actually have 2 identical routers, if you can use OpenWrt on the one that is currently "stock," it will open up a lot of possibilities.
If this were my configuration, I would configure the main router with OpenWrt and setup the VPN on that system. VLANs would allow you to setup multiple SSIDs and have both routers broadcast the same 2 (or more) networks. VPN Policy Based Routing will then let you to setup specific policies/rules for what traffic is sent via the VPN (such as all traffic from a given network, or certain protocols or services, etc.). I'd link the two devices together with a single "trunk" (that carries multiple networks over one cable -- the cable you already have installed), and make the second device operate in dumb AP mode.
That is just how I would do it -- it makes the first router responsible for all of the routing, rules, etc. and the second one simply operates as another AP. From the perspective of a client device, switching between the standard and VPN networks would be just as straightforward as the topology you were thinking of when you started, but it will improve coverage for both networks.
But again, this is just one approach, and YMMV in terms of what makes sense for you.
Hi Bill,
thanks for your reply. I was able to look into your pdfs for a bit. I'm not quiet sure what to look for, I don't fully understand some of the instructions or how to apply them to my case. I will try to read further this week and hopefully understand more. Thanks so much.
Cheers
Hi Peter,
thank you very much for the detailed instructions.
I don't understand every step since I never used VLAN but I can imagine what I have to do. And no I don't have to keep StockRouter on the stock firmware. I just wanted to try out OpenWrt on 1 router before possibly bricking both routers :). I will flash that second router with OpenWrt soon too.
The fixed locations of both routers also has another crucial reason unfortunately. For some reason my Thinkpad drops WIFI speed when connected to my docking station. I don't know why but I'm asuming it has to do with some signal interference. Since I don't know where to look for this problem I just connect a LAN cable to my Thinkpad.
So when the router chain is like this:
ISP Bridge Router > Main Router with configured VPN > Secondary router
Can I connect the LAN cable to my Thinkpad to Secondary Router and switch between normal and VPN internet? Or do I have to wire the LAN cable to the Main Router? Do I change "the internets" directly in Luci then?
Set up the OpenWrt router as a router (default settings) and plug the WAN port into one of the LAN ports of the stock router (which is your network's main router, since the ISP box is a bridge and doesn't route anything).
A "whole house" VPN client has to route the multiple users into the VPN tunnel. So at some level it is always working as a router. If you do this as the extension of basic lan->wan routing, nearly all the configuration instructions you find apply to that case.
You can also add "dumb AP" functionality by making the wan a bridge and adding an AP and/or some of the Ethernet ports to it. Users of that AP or VLAN will go to the stock router outside the VPN tunnel, they're in the stock router LAN, the same network as the stock router's AP.
Hi everyone,
sorry for not answering and thanks for your help. I was busy with work so I couldn't work on my project. I couldn't quiet follow your instructions because I'm too inexperienced to understand some of them. But I played around a bit and posted my experiences here if you are interested. I flashed OpenWrt on some cheap TP-Link Archer C6 v2. These are my experiences
Cheers