Connect Vlan 1 to Vlan 2 via VPN

Hi all,

I have previously managed to get an old router connected up to access the internet via wifi and provide that internet access via the LAN ports to some hard-wired PCs. I followed this guide and had no problems. https://openwrt.org/docs/guide-user/network/wifi/connect_client_wifi

I also even managed to route the traffic from the lan via VPN by following this guide https://nordvpn.com/tutorials/openwrt/openvpn/.

However, I want to do something different on a different network.

What I'm trying to achieve
I want to hardwire an OpenWrt router to my LAN using the inbuilt WAN port, and create a sub-LAN on the 4 LAN ports. I want to route traffic of this local LAN (from the OpenWrt router) through a VPN so that everything connected to the LAN ports on the OpenWrt router is behind the VPN.

What works now
I have managed to make the router a dumb AP, by putting all 5 ports on the same VLAN. I've also got the VPN running (if I kdig out from the router I get a VPN ip address returned).

I have tried putting the WAN port on its own VLAN with a separate IP address, but I couldn't manage to make the LAN talk to it.

What's not working
The thing I can't manage to do is connect a second VLAN with the WAN port to my existing LAN, and route VLAN 1 with the LAN ports to the rest of the network.

Once I get the LAN ports to route through the WAN to the wider LAN, I'd then like to get the VPN connected.

Any help would be appreciated.
Thanks
Adam

The setup of the second router is exactly like you would to connect it directly to the Internet. You want routing, not a dumb AP. Think of the first router and the existing LAN as part of the Internet.


Thanks mk24, I guess I should have also said that I thought I had tried that. How do I set up the interface for the WAN port? My main router for the home LAN is set to 192.168.1.1/24 (I think this is the right nomenclature for a 255.255.255.0 subnet mask) and is a DHCP server.

Do I set up the WAN port interface with an IP in the range 192.168.1.x or should it be something like 192.168.2.1? What is then the gateway and subnet? How can I ensure the devices connected to the LAN get an IP address from the DHCP server so they can talk to the rest of the local network?

A

The default OpenWrt configuration for most routers with more than one Ethernet port has one of the Ethernet ports acting as WAN and the others as LAN.

You have to have the WAN and LAN in different IP ranges. This would be easiest to do by changing the LAN IP of the second router to 192.168.2.1. The default setting of the WAN being a DHCP client will have the second router obtain a 192.168.1.X address automatically from the first router.
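An added example, not code from the thread or from OpenWrt, that checks the two points in this answer against a /etc/config/network fragment: the second router's LAN must not overlap the first router's 192.168.1.0/24, and its wan interface should stay a DHCP client. The two config fragments are constructed to mirror the thread, not the poster's exact file.

```python
import ipaddress
import re

def parse_uci_interfaces(text):
    """Return {interface_name: {option: value}} from 'config interface' stanzas."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        head = re.match(r"config\s+interface\s+'?(\w+)'?", line)
        if head:
            current = sections.setdefault(head.group(1), {})
            continue
        opt = re.match(r"option\s+(\w+)\s+'?([^']*)'?", line)
        if opt and current is not None:
            current[opt.group(1)] = opt.group(2)
    return sections

def lan_wan_conflicts(config_text, upstream_lan):
    """List the problems mk24 describes; an empty list means the split is sane."""
    ifaces = parse_uci_interfaces(config_text)
    lan, wan = ifaces.get("lan", {}), ifaces.get("wan", {})
    problems = []
    # strict=False lets a host address plus dotted netmask describe the network
    lan_net = ipaddress.ip_network(f"{lan['ipaddr']}/{lan['netmask']}", strict=False)
    if lan_net.overlaps(ipaddress.ip_network(upstream_lan)):
        problems.append(f"lan {lan_net} overlaps the first router's {upstream_lan}")
    if wan.get("proto") != "dhcp":
        problems.append("wan is not a DHCP client, so it gets no 192.168.1.X lease")
    return problems

# Constructed fragments mirroring the thread (not the poster's exact file).
GOOD_CONFIG = """
config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'
"""
# Same layout with the LAN left on the upstream range and the WAN made static.
BAD_CONFIG = GOOD_CONFIG.replace("192.168.2.1", "192.168.1.1").replace("'dhcp'", "'static'")
```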

mk24, thanks again for your help.

Here's where I'm at: I've reset the WAN and LAN ports as you described, LAN interface to 192.168.2.1, and left the WAN on DHCP (I assume that means client).

The WAN port isn't showing up on my DHCP server, I can't see what IP has been assigned to it. I've tried adding in the gateway, netmask and dns manually.

I can connect to the router via the LAN interface on 192.168.2.1. The LAN DHCP server is working, as it has allocated my local machine the IP address 192.168.2.186.

Here is my /etc/config/network configuration. The problem is I can't ping out from the router to the internet.

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fded:2f34:11de::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option gateway '192.168.2.1'
	option dns '8.8.8.8'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'
	option gateway '192.168.1.1'
	option netmask '255.255.255.0'
	option dns '8.8.8.8'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '4 0 1 2 8t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '3 8t'

In case this might be a firewall issue, here is my /etc/config/firewall

config defaults
	option syn_flood	1
	option input		ACCEPT
	option output		ACCEPT
	option forward		REJECT
# Uncomment this line to disable ipv6 rules
#	option disable_ipv6	1

config zone
	option name		lan
	list   network		'lan'
	option input		ACCEPT
	option output		ACCEPT
	option forward		ACCEPT

config zone
	option name		wan
	list   network		'wan'
	list   network		'wan6'
	option input		REJECT
	option output		ACCEPT
	option forward		REJECT
	option masq		1
	option mtu_fix		1

config forwarding
	option src		lan
	option dest		wan

Oh, and here is the ifconfig output from the OpenWrt router:

root@OpenWrt:~# ifconfig
br-lan    Link encap:Ethernet  HWaddr 02:0D:04:01:D1:D0
          inet addr:192.168.2.1  Bcast:192.168.2.255  Mask:255.255.255.0
          inet6 addr: fded:2f34:11de::1/60 Scope:Global
          inet6 addr: fe80::d:4ff:fe01:d1d0/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3737 errors:0 dropped:0 overruns:0 frame:0
          TX packets:644 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:712292 (695.5 KiB)  TX bytes:88448 (86.3 KiB)

eth0      Link encap:Ethernet  HWaddr 02:0D:04:01:D1:D0
          inet6 addr: fe80::d:4ff:fe01:d1d0/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3752 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1341 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:780810 (762.5 KiB)  TX bytes:322406 (314.8 KiB)
          Interrupt:59

eth0.1    Link encap:Ethernet  HWaddr 02:0D:04:01:D1:D0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3737 errors:0 dropped:0 overruns:0 frame:0
          TX packets:644 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:712292 (695.5 KiB)  TX bytes:88448 (86.3 KiB)

eth0.2    Link encap:Ethernet  HWaddr 02:0D:04:01:D1:D0
          inet6 addr: fe80::d:4ff:fe01:d1d0/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:684 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:227304 (221.9 KiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:403 errors:0 dropped:0 overruns:0 frame:0
          TX packets:403 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:33616 (32.8 KiB)  TX bytes:33616 (32.8 KiB)

Argggg. You wouldn't read about it.

The LAN port I was plugging my OpenWrt router's WAN port into was faulty. I noticed no orange light on the WAN port or the first router's LAN port, switched the cable and hey presto ... internet!

Yes I see 0 packets received on eth0.2 which suggests a physical disconnect from any network.

The point is that you don't need to know router 2's IP on router 1's LAN for your use case of providing a VPN secure connection to router 2's users.

If you want to access router 2 from the router 1 LAN, you should set an 'option hostname' in the wan configuration, and you will need to open ports in router 2's firewall.

OK, I have this all working well now (actually I have it working on two devices).

One last issue: all devices connected to the second LAN get an IP in the range 192.168.2.x because I've set the static IP for the WAN port at 192.168.2.1.

How do I either:
a) use the DHCP server from the first LAN (192.168.1.1) to issue addresses in the range 192.168.1.x to devices on the second LAN; or
b) make both subnets visible to each other so I can see network resources on both subnets?

I have tried turning off the DHCP server on the second router but I don't get an IP address from the DHCP server on the first router and if I try setting a static IP on my PC in the 192.168.1.x range I can't connect to the network.

a) can't be done. b) you can disable NAT/masquerading, but depending on the service and what you mean by "see" you may or may not need to do more.... you'd also need a route back from your edge router for the 2.x network, and possibly a rule to NAT 2.x at the edge.

another option if you have a spare port... is ignore wan... set the second router in the same network as the first... with the first for gateway. then set clients for VPN to the second router as their gateway.


It may be possible using an L2 tunnel or some DHCP proxy, but it likely isn't worth the effort.


Hi wulfy23.

This option is interesting. I guess it was what I was trying to achieve in the initial post, but I thought I would have to separate the two LANs (using VLANs) and route traffic between them via VPN. I can easily switch the WAN port into the LAN VLAN so all ports are LAN.

Can you please explain how I would use the 4 other LAN ports so their traffic is routed via the VPN for internet access?

if you've followed @mk24 's advice, then router2 needs a route to LAN1... that should be automatic.... then router1 needs a route back to LAN2.... via the "WAN" IP of router2

regarding your question.... that suggestion is a same-LAN-layer3-alternate-gateway setup... so the 4 LAN ports are irrelevant... as in that config the "router" is on the same subnet.....

it (router2) has the VPN connection.... all clients using the VPN use router2 as their default gateway... router2 has a default gateway of router1....

think of router2 as another client.... and the other ones just "go through it" to the vpn....

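An added example (not from the thread) that walks through the return-route point in this answer and in the earlier "route back from your edge router" remark: a toy longest-prefix lookup shows router1 sending replies for 192.168.2.x out its default route until it has a route back via router2's "WAN" address, while a masqueraded flow needs no such route. Router2's lease 192.168.1.50 and the upstream hop 203.0.113.1 are constructed values.

```python
import ipaddress

class Router:
    """Minimal IPv4 forwarding table with longest-prefix match."""
    def __init__(self, name, routes):
        # routes: (prefix, next_hop); next_hop None means directly connected
        self.name = name
        self.table = [(ipaddress.ip_network(p), nh) for p, nh in routes]

    def lookup(self, dst):
        dst = ipaddress.ip_address(dst)
        matches = [(n, nh) for n, nh in self.table if dst in n]
        return max(matches, key=lambda r: r[0].prefixlen, default=None)

# Constructed topology: router2's WAN lease and the ISP hop are made up.
R2_WAN = "192.168.1.50"
OWNER = {R2_WAN: "router2", "192.168.1.1": "router1"}
router2 = Router("router2", [("192.168.2.0/24", None), ("192.168.1.0/24", None),
                             ("0.0.0.0/0", "192.168.1.1")])  # default via router1

def router1_with(return_route):
    routes = [("192.168.1.0/24", None), ("0.0.0.0/0", "203.0.113.1")]
    if return_route:
        routes.append(("192.168.2.0/24", R2_WAN))  # the route wulfy23 means
    return Router("router1", routes)

def trace(dst, routers, start="router1"):
    """Hop names from start to delivery; 'upstream' = left via the default route."""
    path, cur = [start], start
    while len(path) < 8:  # loop guard
        hit = routers[cur].lookup(dst)
        if hit is None:
            return path + ["drop"]
        net, nh = hit
        if nh is None:
            return path + [f"deliver on {net}"]
        cur = OWNER.get(nh, "upstream")
        path.append(cur)
        if cur not in routers:
            return path
    return path + ["loop"]

def demo(return_route):
    """Router1 replying to a LAN2 host (192.168.2.186 from the thread)."""
    routers = {"router1": router1_with(return_route), "router2": router2}
    return trace("192.168.2.186", routers)

def masq_reply():
    """With masquerading on router2, replies only need its WAN address: no route."""
    return trace(R2_WAN, {"router1": router1_with(False), "router2": router2})
```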