Connect to LEDE RPi3 by Wire, and to ISP router by WiFi

This is my first time using open-source firmware for routers

I have a Raspberry Pi 3 and I was thinking about making it my default way to connect to the internet through VPN

but I tried to connect from my PC to LEDE by wire, and from LEDE to the ISP router by WiFi,
and in the end to the Internet

I succeeded in connecting from LEDE to the ISP router by WiFi easily, but when it came to connecting from my PC to LEDE by wire, I couldn't

I changed the default gateway address to 192.168.2.1
I made a bridge between lan + wwan
and I tried this too
https://lede-project.org/docs/user-guide/relay_configuration

and I was trying all night without any progress

my idea is to make LEDE my way to connect to VPN (OpenVPN) + kill switch
I know there are many ways to connect directly from the PC to the ISP router with VPN + kill switch
however leaks occur!!
and I'm trying to make LEDE connect to the internet ONLY and ONLY through VPN

I hope you guys get my problem and idea

and thank you for this creative project :slight_smile:

@passwd -

There may be a few different ways to do this, but I would do it in a certain way. First, if you can simply run the VPN client on your PC, it might be the easiest option (assuming the PC is the only device that needs to go through the VPN). But, if you want to use a hardware solution like the RPi, that is absolutely possible.

For the RPi to work, I would recommend using it like a router. This means your PC will likely be double-NAT'd which can be an issue from time to time, but is typically not a big deal. By default, your PC will not be reachable by other devices on your network since it will be behind the NAT/firewall, and your PC will probably not be able to access any local network resources when you have the VPN tunnel running and you are blocking traffic from escaping through any means other than the VPN.

That said, I think you probably want to go back to defaults on the RPi config and then set it up to function as a router. Set the wifi interface as the WAN and the ethernet port as LAN. Make sure that you are using a different network address space than the main ISP router -- that is to say that the LAN IP and subnet mask on the RPi must not overlap the main LAN.

Next, make sure your PC is only using ethernet for connectivity to the internet -- it is much easier to manage the traffic if you can guarantee everything is going through a single network interface. Test the internet connectivity (in general) -- it should be working normally. Run a traceroute so you can see where the traffic goes (should be PC > RPi > main router > ISP > ... > target address).

Next, install and configure your VPN client. Make sure you set up a network interface for the VPN as well as an associated firewall zone and that you allow forwarding from LAN > VPN. Also, make sure that all traffic is set to be directed through the VPN -- if you're using OpenVPN, you'll want a 'redirect gateway def1' directive in your client side config file.

Start the VPN and ensure that it is working. You can test with a traceroute again -- you should see it skip your main router and ISP (and a bunch of other stuff) and emerge from the VPN provider's IP.

Stop the VPN. Run traceroute and observe that you should see stuff flowing through your ISP again.

To prevent traffic from flowing out when the VPN is down, you'll remove the forwarding rule from LAN > WAN. (you can remove this or set it to reject or drop). Now, you should not be able to access anything outside the RPi's LAN (which is in theory just your PC and the RPi itself). Start the VPN and you should have internet access again.

If you want to be able to access LAN resources that are not part of the RPi's network, you may need to set some special firewall rules and/or routing tables to get that to work. But if you're really just looking for VPN protected internet access, this should be all you need.

1 Like

I also forgot to mention -- do not bridge the WAN and LAN interfaces on the RPi if you want to prevent packets from leaking... keep them separate so that the LEDE routing and firewall features handle all of the traffic direction through the RPi's interfaces.

1 Like

I think you should break this into 2 projects

  • Getting the PI3 running as an ap or client
  • Getting VPN running on the PI

Need to understand the pi3 config out of the box. LEDE default image I expect would have the 1 Ethernet port as WAN and wireless disabled.

Probably also helpful to know what your main router is and its LAN IP. Will assume you want to have the "MAIN (ISP)" router assign the IP to the PI3 and that the PI3 is going to act as a (dumb) AP, but it's easier to just set up a router behind the router (double NAT)

The latter should basically require that you set the PI3 LAN to some IP other than your main LAN (reboot) => reset the pi first
Enable WIFI. Here you will by default configure a WLAN client bridged to your LAN (but you will kill this in the next step)
Search and config for WISP\STAtions\APs to connect to and choose yours.
In the following config screens, the very first line has a checkbox, something about replacing the existing network. You DO WANT TO DO THIS. This will remove the WLAN and add a WWAN. You will need to attach it to the wan side firewall and I think create a new interface (wwan)

If you want it all on one subnet and the primary device as DHCP, I do not think you need to use relayd if you are only making a wireless connection on one side. If you want the pi3 to also serve wireless clients you probably need relayd

Search the openwrt wiki for relayd, bridged mode issues, WDS. You will not find that content in LEDE. Depending on the router and pi chipsets you may be able to use WDS or some other method to link the devices.

Putting VPN on the PI3 will require you have some access to configure the ISP router as I believe you will need to set up some port forwards on that device for OpenVPN

1 Like

@passwd, @RangerZ -

It is possible I misunderstood the intent of the OP in terms of how this system is going to work, because some of @RangerZ's comments suggest a different interpretation.

I am assuming the following physical setup:
Internet (ISP) > WAN port on main router > RPi 3 via wireless on LAN of ISP router (treated as WWAN at the RPi) > PC via ethernet (treated as LAN on the RPi)

And I am assuming that the RPi acts as a VPN client with a server elsewhere, setting up a VPN tunnel through that server such that all traffic for the PC is encapsulated/encrypted and the local ISP cannot snoop.

If my assumptions are correct, then I stand by my original comments. However, I really only described the broad strokes, and I agree with most of what @RangerZ said (he described some of the actual steps required). It is a good idea, as stated, to treat it as two projects -- get the RPi performing as something of a bridge device first, then get VPN running.

Based on my assumptions/description, you will be setting up the RPi with Wifi in STA mode (client) and assigning it to the WAN zone of your firewall. And the ethernet port will be assigned to the LAN firewall zone with a different IP address range relative to the ISP router's LAN. Ethernet and Wifi will need to be un-bridged.

If the RPi is acting as a VPN client, you should not need to change any configurations on the ISP router. Typically VPN clients can connect through most routers without issue (unless it is a very old router and/or has been configured not to allow VPN connections through, which is rare).

If I've got an incorrect understanding of the desired application, please describe in more detail what you are trying to do, or just follow @RangerZ's advice which is always good :smile:.

1 Like

Thanks everyone
I drew what I want, to be more clear :grin:

I saw psherman's post at the beginning, and I did what he wrote, and I got to the internet; my problem was in the subnet mask, when I changed it to something else it goes online directly from my PC to the Internet without any problem

I configured VPN and it worked :slight_smile:

I changed the forwarding rule from LAN > WAN, and I changed the output and input rules to reject too, and all good :slight_smile:

BUT I can't access the LuCI page :joy: maybe because of the input rule

I will try RangerZ's steps and see how it works

I didn't expect a response so quickly, especially since the project is somewhat new
thanks, and I appreciate your effort guys.

@passwd - glad to hear things are working (at least generally). You will probably want to leave the LAN input and output rules alone so that your PC can communicate with the RPi. The only firewall rule you will need to delete/change is the LAN > WAN forwarding, and you'll need to create the VPN zone and forwarding rule to allow LAN > VPN.

These rules should keep your PC isolated from the internet unless the OpenVPN tunnel is up and running, but still allow normal access to LuCI and ssh on your RPi.

1 Like

I'm glad you got this working so fast. Impressive!

What is still not clear is the relationship you have configured between the RPi3 and the ISP router. Is the RPi3 in the same subnet as the ISP router (which pretty much answers the question) or are they different subnets?

For others, it would be helpful for you to publish your etc\config files (removing your IP, macs etc and add comments where appropriate).

I also would be very curious if you can post your performance data for the RPi3 with and without VPN running. Your ISP service specs are also relevant. It seems like most of the small travel routers run high single digits to low teens (5-15Mbps) when not constrained by ISP or Hotspot limitations. The pi is at least 2x the CPU and massively more memory. Specs on the wireless are vague, but I am guessing 2.4G 150n or so which probably runs at about 72Mbps (unless your ISP router supports WIDE and you configure same for the RPi3 wireless device).

FWIW you may wish to look at this utility by Tutosoft. It will measure speed inside your LAN. While speedtest and the like are important benchmarks, your constraining factor is the wireless speed between the RPi3 and ISP router. Tutosoft LANspeed test on Windows, or iPerf on Linux will let you measure your internal constraint. Related, I try to use a ramdisk or SSD at the other end of the test to remove disk access constraints.

1 Like

now I have isolated my PC to VPN ONLY with these firewall zone settings
[screenshot: Capture4]

if I block LAN > WAN forwarding first, I will not be able to forward to VPN, so the above pic is the best setting to isolate the connection to VPN

and I'm getting access to LuCI and ssh without any problem :grin:

anyway, I think there is a bug in OpenVPN instances, I added another .ovpn file with the same tun0, and both refuse to stop, so I'm thinking it's now running VPN over VPN

No, I changed the RPi3 subnet to 255.255.0.0 and the ISP router default was 255.255.255.0,
and this was the problem at the beginning; I hadn't changed the subnet, when I did it worked 100%

my config files

my speed package is 50mb download and 10mb upload

TEST on SPEEDTEST.NET
directly from my PC through VPN located USA I got 40mb/10mb
with VPN located USA in RPi 3 I got 10mb/9mb
RPi 3 local gives me 30mb/14mb

but the weird thing is here, with VPN on the RPi 3, I don't understand, the transfer speed must be below 1.3mb, unless speedtest.net is not accurate
[screenshot: Capture5]

I have TP-Link modem, I will try LEDE with it, and see difference

@passwd - The recommended network configuration difference between the ISP router and your RPi is not the subnet mask, but rather the actual network address range. So, if your primary ISP router has an IP address of 192.168.1.1 and a subnet mask of 255.255.255.0, we would typically write the network as: 192.168.1.0/24. Your RPi should be a different network (for the LAN definition) -- maybe you'd use 192.168.2.0/24 (just as an example), so you would set your RPi LAN network address as 192.168.2.1 with a subnet mask of 255.255.255.0.

Sorry, not understanding the test scenarios. One thing to be aware of with speed tests is to watch that it's testing against the same server. Sometimes it will change servers, so hover over the little arrow in the middle and choose your test server.

What is the software in the screen shot? What is it telling me?

RPi 3 LAN was already 192.168.2.1
But the subnet mask was 255.255.255.0
After changing it to 255.255.0.0
it then got connected to the internet

ISP router LAN 192.168.1.1
subnet mask 255.255.255.0
and I didn't change it

That's my settings

@passwd - strange, I wouldn't have expected that the subnet mask would have caused a problem like that.

I assume your RPi wifi connection (WAN) is requesting a DHCP lease from your ISP router, right?

I think it's DHCP

Hey there.

Could you please share your wifi config and network config, either as files or as screen shots? Please use proper code format if you decide to share the config files. I'm not going to download ZIP files and extract them, just to open the content in a text editor.

If you really adjusted your network in the way you described (RPi: 192.168.2.1/16, ISP: 192.168.1.1/24) then you do have overlapping ranges on the LAN side and on the WAN side of your network.

If that does work for you, I tend to believe you somehow bridged the WAN side and the LAN side of your network together, making any firewall setting on your RPi obsolete because everything is handled purely by your ISP router.
That's not the scenario you want, I guess.

Regards,
Stephan.

Here is a pic for wireless
(why is option hwmode 11g, when in LuCI Operating frequency is set to mode N?)

here for network

anything wrong? because when I check my IP address it shows my VPN provider's IP
doesn't that mean it's working OK?

@passwd -

Can you also post your /etc/config/firewall file as well as the results of ifconfig (run on the RPi via an ssh connection)?

I would recommend removing the bridge in the lan interface description.

1 Like

hwmode only selects the band to be used. 11g is 2.4 GHz and 11a is 5 GHz. It works in combination with htmode, which will activate n or ac operation if supported by the radio.

country should be set to your country code, not '00'. '00' only allows the "lowest denominator" of frequencies and power levels that will be legal anywhere in the world. Those rules may be more restrictive than your country.

1 Like

here for firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option family 'ipv4'
	option network 'lan'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option family 'ipv4'
	option network 'wwan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config zone
	option name 'vpn'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'providervpn'
	option family 'ipv4'

config zone
	option input 'ACCEPT'
	option output 'ACCEPT'
	option family 'ipv4'
	option network ' '
	option forward 'REJECT'
	option name 'Block_Zone'

config forwarding
	option dest 'vpn'
	option src 'lan'

config forwarding
	option dest 'wan'
	option src 'Block_Zone'

config forwarding
	option dest 'Block_Zone'
	option src 'lan'

config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'any'
	option reload '1'
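As an added example, not code from this thread or from the LEDE project: a small Python audit that parses an /etc/config/firewall in UCI syntax and checks the kill-switch layout psherman describes (no LAN > WAN forwarding, a LAN > VPN forwarding present, the WAN and VPN zones masqueraded, and a non-ACCEPT default forward policy) against a constructed, condensed version of the firewall file posted above. The `parse_uci` and `audit_kill_switch` functions and the wording of the findings are my own assumptions, not an OpenWrt API.

```python
import re

# Constructed sample, condensed from the /etc/config/firewall posted in this thread.
SAMPLE_FIREWALL = """\
config defaults
	option forward 'REJECT'
config zone
	option name 'lan'
	option network 'lan'
config zone
	option name 'wan'
	option network 'wwan'
	option masq '1'
config zone
	option name 'vpn'
	option network 'providervpn'
	option masq '1'
config forwarding
	option src 'lan'
	option dest 'vpn'
"""
# UCI lines: "config <type> ['name']", "option <k> '<v>'", "list <k> '<v>'".
_LINE = re.compile(r"^\s*(config|option|list)\s+(\S+)(?:\s+'([^']*)')?\s*$")

def parse_uci(text):
    """Parse UCI text into sections {'type', 'name', 'options'}; list keys accumulate."""
    sections = []
    for m in filter(None, map(_LINE.match, text.splitlines())):
        kind, key, val = m.groups()
        if kind == "config":
            sections.append({"type": key, "name": val, "options": {}})
        elif kind == "option":
            sections[-1]["options"][key] = val
        else:  # 'list' entries repeat the same key, so collect them in order
            sections[-1]["options"].setdefault(key, []).append(val)
    return sections

def audit_kill_switch(text, lan="lan", wan="wan", vpn="vpn"):
    """Return findings; an empty list means LAN can only leave via the VPN zone."""
    secs = parse_uci(text)
    findings = []
    defaults = next((s["options"] for s in secs if s["type"] == "defaults"), {})
    if defaults.get("forward", "REJECT") == "ACCEPT":
        findings.append("defaults.forward is ACCEPT: unlisted zone pairs may forward")
    fwds = {(s["options"].get("src"), s["options"].get("dest"))
            for s in secs if s["type"] == "forwarding"}
    if (lan, wan) in fwds:
        findings.append(f"forwarding {lan}->{wan} exists: traffic leaks when the VPN is down")
    if (lan, vpn) not in fwds:
        findings.append(f"no forwarding {lan}->{vpn}: the PC cannot use the tunnel")
    zones = {s["options"].get("name"): s["options"] for s in secs if s["type"] == "zone"}
    for z in (wan, vpn):
        if zones.get(z, {}).get("masq") != "1":
            findings.append(f"zone {z} missing or without masq: replies would not route back")
    return findings
```

Run it against the real file with `audit_kill_switch(open("/etc/config/firewall").read())` after an `scp` from the RPi; the parser also handles the `list icmp_type` entries and the named `config include 'miniupnpd'` section in the posted file.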