Hi everyone, I'm looking for the easiest way to set up my network as follows:
wifi1 <> lan1 (192.168.1.0/24) <> wan (default ethernet link)
wifi2 <> lan2 (192.168.2.0/24) <> vpn (tun0 installed and working via openvpn on the openwrt router)
So far, I have both wifis and lans working well.
But only one wan is used to pass traffic. No traffic is passed using the vpn.
I am trying to do this without mwan3.
Can anyone help me, please?
Presuming tun0 is working correctly, you just change the current Wi-Fi interface (or add a new one) to tun0 by changing the network setting from LAN to tun0 under its settings.
Do you want a WiFi SSID that is connected to your VPN interface and a second one that is connected to your WAN interface? If so, you want to set up PBR. See:
I believe there is something wrong with my openvpn settings.
Why?
Because I tried creating two interfaces, lan1 (192.168.1.0/24) and lan2 (192.168.2.0/24), and two wifi networks (wifi1 and wifi2, linked to lan1 and lan2 respectively).
Everything works well when a client connects to wifi1 or wifi2 (dhcp and dns ok, internet access ok).
Firewall settings (sorry, I can't post snapshots because I'm a new user):
So at this point, each of my interfaces can access the wan.
Creating the vpn interface:
When I create the vpn interface using this tutorial, I lose everything even before I set the new firewall rules.
I start the openvpn service using the standard command:
openvpn /etc/openvpn/openvpn.ovpn
added into /etc/rc.local just before exit 0.
Creating firewall rules for vpn_zone:
Once I create the new firewall rules (sorry, I can't post snapshots because I'm a new user):
All the traffic from lan1 and lan2 is routed through wan.
Here is my .ovpn (CyberGhost) client profile file:
client
remote 67y-de.ct-dialup2.net 443
dev tun
proto udp
auth-user-pass /etc/openvpn/auth
resolv-retry infinite
#redirect-gateway def1
persist-key
persist-tun
nobind
cipher AES-256-CBC
ncp-disable
auth SHA256
ping 5
ping-exit 60
ping-timer-rem
explicit-exit-notify 2
script-security 2
remote-cert-tls server
route-delay 5
verb 4
ca /etc/openvpn/ca.crt
cert /etc/openvpn/client.crt
key /etc/openvpn/client.key
I thought I should share this first before giving PBR a try.
I did, and I noticed that the IP received by the client changes: 192.168.1.x on lan1 and 192.168.2.y on lan2. This would mean that each wifi covers the correct interface.
OK, if your VPN provides DHCP, why are you trying to create lan2?
You can just attach the 2nd Wi-Fi and any LAN ports to tun0.
Or is there only one IP received via the vpn?
Anyway, if you need to create another NAT for lan2,
it's the firewall you have to set up, like WAN>LAN
but TUN0>LAN2.
There is only one IP address from the VPN. So I thought I would need NAT between the local network dedicated to the vpn and tun0.
I would prefer using a different network. This way, when a client needs to use the vpn, they only switch from one wifi to the other.
Anyway, if you need to create another NAT for lan2,
it's the firewall you have to set up, like WAN>LAN
but TUN0>LAN2.
This is what I did: is that far from what you suggest?
I'm going to guess it was not enough for you to get it going.
I redid it here as a reminder ("changed since DSA"):
If you have LAN and Wi-Fi, you need to add a 2nd br-lan
under Interfaces > Devices.
I called it br-lan2.
Add the interfaces you want and remove them from the others if they are still there.
Under Interfaces > Interfaces I added lan2 with DHCP etc. ("you did this").
Make sure you change its firewall zone to lan2.
Then I added tun1 as DHCP; try Unmanaged if it is not working as DHCP
("tun1 is what my OpenVPN interface is called").
Attach this to device tun1 and firewall zone tun1 ("VPN_ZONE" for you).
I hope this may show you the piece you may be missing.
You should have a new IPv4 upstream on your status page now.
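The routing half that the zone setup above does not cover, as an added example that is not code from any poster in this thread: because the posted profile keeps `#redirect-gateway def1` commented out, tun0 never takes over the default route, so a source-based policy rule is what sends lan2 (192.168.2.0/24) out tun0 while lan1 keeps the WAN. The device name tun0, routing table id 100 and the zone names lan2 and vpn_zone are assumptions matching the names used in the thread.

```shell
#!/bin/sh
# Added example, not from any post in the thread. Policy routing for the layout
# asked about: lan2 (192.168.2.0/24) leaves via tun0, lan1 keeps the WAN default
# route. Assumed names: device tun0, routing table 100, firewall zones "lan2"
# and "vpn_zone". Run on the router once tun0 is up (e.g. "./pbr.sh apply").
LAN2_NET="${LAN2_NET:-192.168.2.0/24}"
VPN_DEV="${VPN_DEV:-tun0}"
TABLE="${TABLE:-100}"
DRY_RUN="${DRY_RUN:-0}"   # 1 = print the commands instead of running them

run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Table 100 holds only the VPN default route plus an "unreachable" fallback at a
# worse metric: if tun0 goes down the kernel drops its route and lan2 traffic is
# rejected instead of silently falling back to the WAN (fail closed). Packets
# addressed to the router itself still hit the local table (priority 0) first,
# so DHCP and DNS on lan2 keep working.
pbr_routes() {
    run ip route replace unreachable default metric 1000 table "$TABLE"
    run ip route replace default dev "$VPN_DEV" metric 10 table "$TABLE"
    run ip rule add from "$LAN2_NET" lookup "$TABLE" priority 1000
}

# Firewall: tun0 gets its own zone with masquerading (there is a single VPN
# address, so lan2 must be NATed behind it) and lan2 may forward only to that
# zone; the existing lan1 -> wan forwarding is left untouched.
pbr_firewall() {
    run uci set firewall.vpn_zone=zone
    run uci set firewall.vpn_zone.name=vpn_zone
    run uci add_list firewall.vpn_zone.device="$VPN_DEV"
    run uci set firewall.vpn_zone.input=REJECT
    run uci set firewall.vpn_zone.output=ACCEPT
    run uci set firewall.vpn_zone.forward=REJECT
    run uci set firewall.vpn_zone.masq=1
    run uci set firewall.vpn_zone.mtu_fix=1
    run uci set firewall.lan2_to_vpn=forwarding
    run uci set firewall.lan2_to_vpn.src=lan2
    run uci set firewall.lan2_to_vpn.dest=vpn_zone
    run uci commit firewall
    run /etc/init.d/firewall reload
}

case "${1:-}" in
    apply) pbr_routes && pbr_firewall ;;
esac
```

If the provider pushes redirect-gateway from its side, adding `pull-filter ignore "redirect-gateway"` to the .ovpn keeps the WAN default route for lan1 (assumes OpenVPN 2.4 or newer).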