Configuring Raspberry Pi 3 B+ with OpenVPN

droodaplays · January 22, 2024, 8:19am

Hello, I'm trying to set up a secure access point using my Raspberry Pi B+ with 1 condition - it needs to connect to an existing router via ethernet and give out VPN secured wifi to devices. All guides that I've seen so far seem to only connect the Pi to the router via wifi and then either have a secondary usb wifi dongle give out VPN wifi or the ethernet giving out VPN internet.
I assume the difference is somewhere in the configuration of the interfaces and the firewall as I need the eth0 to be the input and wlan0 to be the output.

For reference here's the guide I've been following:

frollic · January 22, 2024, 8:33am

didn't watch the video, but you need to have the eth0 in the wan firewall zone, instead of the USB wifi.

droodaplays · January 22, 2024, 6:01pm

Here are my files on the working version from the guide i.e. it's getting internet over wifi from a router and sending VPN over ethernet, can you help steering me in the direction of what I need to change here because I changed the firewall zones around a few times and never managed to get it to work in the opposite direction (internet coming from ETH and sent over WIFI)
Network file

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdd2:db78:89f9::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.0.60'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option force_link '1'

config interface 'wwan'
        option proto 'dhcp'

config interface 'vpnclient'
        option proto 'none'
        option device 'tun0'

wireless file

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/soc/3f300000.mmcnr/mmc_host/mmc1/mmc1:0001/mmc1:0001:1'
        option channel 'auto'
        option band '2g'
        option htmode 'HT20'
        option disabled '0'
        option short_gi_40 '0'
        option cell_density '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'psk2'
        option key '***********'

config wifi-iface 'wifinet1'
        option device 'radio0'
        option mode 'sta'
        option network 'wwan'
        option ssid '*************'
        option encryption 'psk2'
        option key '**************'

Firewall file


config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list device 'tun0'
        list network 'wwan'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

Can also link screenshots of the GUI if that's easier.

mk24 · January 22, 2024, 6:09pm

This wireless file is using the Pi's onboard wifi chip, not a USB adapter. That is OK though it does not have very high performance.

The instructions below assume continuing to use the onboard chip. A USB adapter can be added later if you want to.

First remove the STA wifi and confirm that the AP attached to LAN comes up. Connect your PC to this AP and log into OpenWrt again. Optimize the wifi (for what it is) by setting your country code and using a 5 GHz channel, assuming all your potential clients support 5 GHz.

Then remove eth0 from the br-lan and add it to the wan network (which you can leave named wwan even though it isn't wireless any more, or rename it to wan.) Plug the Ethernet cable into your upstream network. The PC remains only on the Pi wifi at this point.

At this point the PC should have Internet through regular lan->wan routing. This is the starting point that most instructions for a "whole house" VPN client assume.

LilRedDog · January 22, 2024, 6:32pm

I'd do all that configuring through eth0, just in case the wifi or encryption goes bonkers. Then move eth0 to wwan (wan) but I don't do VPN through the router, I do it by device.

@droodaplays Set the country code in the wifi; just to avoid issues. Don't know how you got 'cell density' without but... ...meh.

LilRedDog · January 22, 2024, 6:40pm

Don't, you'd flame Chuck and get banned from YouTube.

droodaplays · January 22, 2024, 7:27pm

Yeah, using the onboard chip was intentional, I don't think I have a USB wifi dongle that has working drivers, at least the list of drivers downloaded in that guide linked in the OP doesn't cover it.
Removed the STA wifi and brought up the AP, which is working fine and letting me log into the device via WIFI.
Anyway, sorry for being so stupid, but how exactly do you "remove eth0 from the br-lan"? Trying to do it via the GUI in the Network -> Interface tab and there just seems no option to do anything like that. There's also br-lan in the Network -> Devices tab, is that where I need to remove it from? There's eth0 in there in the Bridge ports.

P.S. Am I supposed to enter the router gateway and set it as DNS somewhere as well, or should it automatically work with those settings?

mk24 · January 22, 2024, 7:30pm

Yes that is where you would remove it. br-lan will be initially empty but the wifi AP will add itself outside of the network configuration process (because the Network option for the AP is lan).

Leave wan as proto dhcp and the gateway and dns will be automatically installed from the upstream network.

LilRedDog · January 22, 2024, 7:48pm

List them and see if the community knows.

Its what the forum is for.

droodaplays · January 22, 2024, 7:55pm

It's a TP-LINK model TL-WN725N

droodaplays · January 22, 2024, 7:58pm

Thanks, I think it's working now. Seems like my PI also had some issues with the ETH port not booting up properly and causing those changes not to take hold unless an HDMI cable was plugged in (I think i read it had to do with grounding and some voltages being off unless it was grounded that way)

LilRedDog · January 22, 2024, 8:13pm

Has an OpenWrt driver

Give it a shot and then, if positive, post in here

droodaplays · January 22, 2024, 8:20pm

Seems like the eth to wifi route is working, however the VPN still refuses to work, upon starting the OpenVPN from a config file that used to work in the wifi to eth config i get no connection, the router also fails to ping servers (if that's of any relevance), should I have changed the 'tun0' interface in some way now that wifi is the incoming signal rather than the eth?

LilRedDog · January 22, 2024, 8:53pm

Did you set the country?

Filling it in resolves so many issues.

droodaplays · January 22, 2024, 9:34pm

You mean the country code in the wireless interface advanced settings. Changing that didn't have any effect.

LilRedDog · January 22, 2024, 9:36pm

Just none that affected your current situation.
Keep it all the same. It is important.

system · February 1, 2024, 9:36pm

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.