Hi, I’ve been searching through the forums and following tutorials but I’m not yet able to figure out what I need to do. I’m not experienced with networking so please forgive me.
My goal is to have this router to sit between my Smart TV and network to route (ideally just some traffic) to a VPN. Here's a diagram for what I'm trying to achieve:
I have a raspberry Pi 4 with OpenWRT installed. I have an additional USB gigabit ethernet adapter attached with all the drivers installed.
I want to connect the TV via network cable to one of the router’s NIC and the other NIC to my network. I have a VPN (Mullvad) which I have configured via WireGuard.
I have set the gateway metrics to favour the VPN over the WAN.
Here's a view of the current interfaces I've setup:
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fdaf:cd5b:d240::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0'
config interface 'lan'
option proto 'static'
option ipaddr '192.168.178.88'
option netmask '255.255.255.0'
option ip6assign '60'
option gateway '192.168.178.1'
option device 'br-lan'
list dns '192.168.178.1'
option metric '20'
config interface 'wan'
option proto 'dhcp'
option device 'eth0'
option metric '20'
config interface 'mullvad'
option proto 'wireguard'
option private_key 'xxxx'
list addresses 'xxxx'
list addresses 'xxxx'
list dns '100.64.0.5'
option metric '10'
config wireguard_mullvad
option description 'UK LON 001'
option public_key 'xxxx'
list allowed_ips '0.0.0.0/0'
list allowed_ips '::0/0'
option endpoint_host 'xxxx'
option endpoint_port '51820'
option private_key 'xxxx'
config interface 'wan6'
option proto 'dhcpv6'
option device 'eth0'
option reqaddress 'try'
option reqprefix 'auto'
option metric '20'
config wireguard_mullvad
option description 'UK LON 002'
option public_key 'xxxx'
option private_key 'xxxx'
option endpoint_host 'xxxx'
option endpoint_port '51820'
list allowed_ips '0.0.0.0/0'
list allowed_ips '::0/0'
I don’t know how to setup the other (usb) NIC so that I can access the router. I have tried connecting to the wireless network on the OpenWRT router but this just passes the traffic onto the main home router.
Thanks for your reply. According to the GUI the peer is already enabled:
Where else do I need to enable it?
Do you mean I should disable one of the two peers?
I was hoping that the VPN would be able to connect to another peer in case on was offline. Does it not work this way?
It does not need to be on the Wan; as a matter of fact it was on the Lan-bridge (along with the wifi) on the first boot.
I do not know why your diagram shows wan traffic going to an unmanaged switch.
Someone needs to detangle your setup and I lack the skills to fix messed up configs; I can tell you that if you start over leave eth0 in the lan-bridge and add the usb ethernet as eth1 in the wan and use it for the wan.
Okay, the thing is you have some diagram issues that cannot be correct and it is very confusing. e.g. you are not getting your WiFi laptop connected to the lan with an unmanaged switch.
And it looks like you are mixing your Vlan traffic and lan traffic with one cable using unmanaged switches? Which can be done (from what I understand, but the mtu of the vlan is going to have a MTU of 1504 and lan traffic is going to have a MTU of 1500) but it is something that would require a high skillset.
If this is how you are imaging it you are over complicating the network and that must be frustrating for you.
Yeah the diagram is incorrect - I've fixed this. I'm testing using my laptop instead of going directly for the TV (for now) as I have more flexibility with the laptop to run diagnostics.
Here's a better view. I am connecting the laptop first via the WIFI on the OpenWRT Pi to see if it routes my traffic through the VPN (it does not). I do have full internet through the WIFI though. The wireless config is using the lan interface.
I had previously removed the eth1 as it was just not connecting anything. I've restarted with a refresh install now. So do I set it up just the same as the existing wan?
I've just added the 2nd USB NIC back but I can get no connection.
While I'm testing I'm trying to connect my laptop via eth1 and the router (OpenWRT) is using eth0 to connect to the switch which is connected to the modem/router.
What am I getting wrong here?
Lets deal whit the obvious issues first:
You have a wireless device and an ethernet device bridged in the br-lan that you renamed wan. But they are not a part of the wan, thus you have two br-lan interfaces
Why?
You are trying to set up the Pi as a switch bridging eth0, wifi, and the usb ethernet to lan You want eth1 on the lan-bridge to get internet to the TV.
You want to configure the Pi as a 'dumb' access point: no DHCP no WAN. I assume the only real reason you are not using another unmanaged switch is for the WiFi the Pi offers.
Vlans are to separate different lans. e.g. if you had security cameras and you did not want their traffic available to everyone at the office or guests visiting you or to keep marketing and sales separated from each other but still able to get to the internet or to isolate IoT devices because they are not very secure and if hacked it would give an entry point to the whole network.
What are you trying to wall off from your lan?.
In order to use VLAN I would need a managed router - is that correct?
I thought having an additional NIC on the pi would mean I don't need a VLAN. Is this wrong?
Apologies for my current router configuration, I've followed multiple guides which sound similiar to what I want but ended up not being the case. So you can assume everything I've setup so far is experimental and probably wrong.
My first goal here is to route traffic from my TV to a VPN. These connections would be via wired ethernet adapter (I don't intend to use the OpenWRT WIFI. I'm just using this at the moment to see if I connect via the WIFI if it routes me through the VPN).
Ideally I would like to filter the requests by IP to either the VPN or non VPN routes but this can come later. Is this difficult with the current setup? For example, I want to route all all requests except for Youtube requests through the VPN.
Does what I want to do make sense?
So I imagined (for my initial tests) that eth1 (USB NIC) will be connected directly to the TV.
eth0 will connect to the main modem/router (via a switch). It will use the VPN (when available) to connect and send all data and fallback in the event of the VPN being down to the main router for internet.
I'm not the best networking person here; I'm probably 3rd from the bottom.
I generally get involved when people use a Pi, use LuCl or trying to understand radios.
I do not understand why you want that configuration but now that it is clear there may be an easier way to isolate YouTube traffic.
There are, at least, tens of YT videos on vlans. Don't be discouraged if it takes a couple to understand and start with short ones with a lot of views; to avoid the droning on some IT videos.
So, I cannot meet your needs but you can learn some of it and come back with a more knowledgeable question.
Essentially, I want to remove geo blocking for some content by using a VPN. The reason why I don't want to send Youtube content to the VPN is if you do that, you can't cast videos to the TV as they are not on the same network anymore.
If filtering traffic by IP doesn't work I can always turn the VPN on/off depending on what I want.
So I just want the pi to route incoming requests through to a vpn unless it's down - then via the main router.
Yes. re-flash the image for the pi. This will bridge the ethernet to the WiFi in a br-lan
Set the dongle up as a device first and then add it to an interface called wan. Network/interfaces/devices add device. Back out and add an interface called wan and select eth1
Set up your VPN in the pi. All traffic from the pi will be on the vpn.
