DumbAP and OpenVPN

Hello,
I'm trying to set up DumbAP with OpenVPN but I can't get it working.
I have followed these guides:
https://openwrt.org/docs/guide-user/network/wifi/dumbap
and this one, without the firewall instructions, as the firewall is supposed to be disabled in DumbAP:
https://nordvpn.com/tutorials/openwrt/openvpn/
I've made a diagram to show my network.

I've managed to get working internet and local network (to access the NAS (Plex, Radarr etc.)), but I can't get OpenVPN working so that it will pass all the traffic through the VPN.
As in the diagram, I want to connect the Apple TV over Ethernet to the DumbAP with VPN.

You want the dumb AP machine to run OpenVPN in client mode, as a client of a third party service?

That is straightforward. After you get OpenVPN to connect to the service, it will start up a "tap" interface which is your end of the VPN tunnel. You then need to set up a new separate network in the dumb AP/VPN client machine for VPN users such as the Apple TV. Use VLANs in the Ethernet switch so that different Ethernet ports can serve different networks. Then just like a main router forwarding to the Internet, you use two firewall zones with Masquerade enabled on the destination zone, so the Apple TV will NAT into the VPN tunnel, and come out at the remote server's end.

So you do need a firewall running on that machine for the VPN users, but LAN users of the dumb AP do not pass through the firewall since they are all on the LAN network.

@braian87b made two really useful GitHub posts for your needs:

In the last two links the DNS script is kind of messed up; here's the correct version:
https://forum.archive.openwrt.org/viewtopic.php?id=26746&p=1#p118310

In my .ovpn config I used
script-security 2


Apologies for resurrecting an old thread. This is almost exactly the setup I need: I'm using a BT Home Hub 5, I've followed the guide to set up the dumb AP and have gotten OpenVPN working, and the traceroute (when SSH'd into OpenWrt) confirms the VPN is up. I would like to connect devices by Wi-Fi and the Ethernet ports to the AP for VPN.

Below are the configs I thought relevant. I did have this device running as my main router with VPN, but it crashed recently and I can't bring myself to spend a lot of cash on an OEM bells-and-whistles router.

firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option network 'lan'

config zone 'wan'
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list device 'tun0'
        option network 'wan wan6'

network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdc9:0c96:0fe6::/48'

config atm-bridge 'atm'
        option vpi '1'
        option vci '32'
        option encaps 'llc'
        option payload 'bridged'
        option nameprefix 'dsl'

config dsl 'dsl'
        option annex 'a'
        option tone 'av'
        option ds_snr_offset '0'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.1.253'
        option gateway '192.168.1.254'
        option dns '8.8.8.8'

config device 'lan_dev'
        option name 'eth0.1'
        option macaddr '44:e9:dd:5b:18:12'

config interface 'wan'
        option ifname 'dsl0'
        option proto 'pppoe'
        option username 'username'
        option password 'password'
        option ipv6 '1'

config device 'wan_dev'
        option name 'dsl0'
        option macaddr '44:e9:dd:5b:18:13'
        
config interface 'wan6'
        option ifname '@wan'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '0 1 2 4 6t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '5 6t'
        option vid '2'

config interface 'torguardvpn'
        option proto 'none'
        option ifname 'tun0'
        option auto '1'

more config output

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP qlen 1000
    link/ether da:8b:08:d8:9b:91 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::d88b:8ff:fed8:9b91/64 scope link
       valid_lft forever preferred_lft forever
3: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether 44:e9:dd:5b:18:15 brd ff:ff:ff:ff:ff:ff
5: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 44:e9:dd:5b:18:12 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.253/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 fdc9:c96:fe6::1/60 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::46e9:ddff:fe5b:1812/64 scope link
       valid_lft forever preferred_lft forever
6: eth0.1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether 44:e9:dd:5b:18:12 brd ff:ff:ff:ff:ff:ff
7: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether 44:e9:dd:5b:18:14 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::46e9:ddff:fe5b:1814/64 scope link
       valid_lft forever preferred_lft forever
8: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 100
    link/[65534]
    inet 10.9.0.14 peer 10.9.0.13/32 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::9dfd:741a:977f:2d3a/64 scope link
       valid_lft forever preferred_lft forever
0.0.0.0/1 via 10.9.0.13 dev tun0
default via 192.168.1.254 dev br-lan
10.9.0.1 via 10.9.0.13 dev tun0
10.9.0.13 dev tun0 scope link  src 10.9.0.14
88.202.177.238 via 192.168.1.254 dev br-lan
128.0.0.0/1 via 10.9.0.13 dev tun0
192.168.1.0/24 dev br-lan scope link  src 192.168.1.253
root@OpenWrt:/etc/config# uci show network
network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fdc9:0c96:0fe6::/48'
network.atm=atm-bridge
network.atm.vpi='1'
network.atm.vci='32'
network.atm.encaps='llc'
network.atm.payload='bridged'
network.atm.nameprefix='dsl'
network.dsl=dsl
network.dsl.annex='a'
network.dsl.tone='av'
network.dsl.ds_snr_offset='0'
network.lan=interface
network.lan.type='bridge'
network.lan.ifname='eth0.1'
network.lan.proto='static'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan.ipaddr='192.168.1.253'
network.lan.gateway='192.168.1.254'
network.lan.dns='8.8.8.8'
network.lan_dev=device
network.lan_dev.name='eth0.1'
network.lan_dev.macaddr='44:e9:dd:5b:18:12'
network.wan=interface
network.wan.ifname='dsl0'
network.wan.proto='pppoe'
network.wan.username='username'
network.wan.password='password'
network.wan.ipv6='1'
network.wan_dev=device
network.wan_dev.name='dsl0'
network.wan_dev.macaddr='44:e9:dd:5b:18:13'
network.wan6=interface
network.wan6.ifname='@wan'
network.wan6.proto='dhcpv6'
network.@switch[0]=switch
network.@switch[0].name='switch0'
network.@switch[0].reset='1'
network.@switch[0].enable_vlan='1'
network.@switch_vlan[0]=switch_vlan
network.@switch_vlan[0].device='switch0'
network.@switch_vlan[0].vlan='1'
network.@switch_vlan[0].vid='1'
network.@switch_vlan[0].ports='0 1 2 4 6t'
network.@switch_vlan[1]=switch_vlan
network.@switch_vlan[1].device='switch0'
network.@switch_vlan[1].vlan='2'
network.@switch_vlan[1].ports='5 6t'
network.@switch_vlan[1].vid='2'
network.torguardvpn=interface
network.torguardvpn.proto='none'
network.torguardvpn.ifname='tun0'
network.torguardvpn.auto='1'
root@OpenWrt:/etc/config# uci show firewall
firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.lan=zone
firewall.lan.name='lan'
firewall.lan.input='ACCEPT'
firewall.lan.output='ACCEPT'
firewall.lan.forward='REJECT'
firewall.lan.network='lan'
firewall.wan=zone
firewall.wan.name='wan'
firewall.wan.input='REJECT'
firewall.wan.output='ACCEPT'
firewall.wan.forward='REJECT'
firewall.wan.masq='1'
firewall.wan.mtu_fix='1'
firewall.wan.device='tun0'
firewall.wan.network='wan wan6'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.@zone[2]=zone
firewall.@zone[2].name='vpn'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].masq='1'
firewall.@zone[2].input='ACCEPT'
firewall.@zone[2].forward='ACCEPT'
firewall.@zone[2].network='torguardvpn'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].dest='lan'
firewall.@forwarding[0].src='vpn'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].dest='vpn'
firewall.@forwarding[1].src='lan'
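As an added example (not code from the thread or from OpenWrt), a small Python audit that reads a `uci show` dump and checks it against the two-zone layout described in the earlier reply: every device should sit in exactly one firewall zone, and `lan` should forward into a zone with masquerading enabled. SAMPLE is constructed from the `uci show` output posted above, trimmed to the keys the checks need; on it the audit flags `tun0`, which is listed as a `device` of the `wan` zone and, via the `torguardvpn` network, in the `vpn` zone as well.

```python
# Added example (not from the thread); SAMPLE is trimmed from the posted `uci show` output.
SAMPLE = """network.lan.ifname='eth0.1'
network.torguardvpn.ifname='tun0'
firewall.lan=zone
firewall.lan.name='lan'
firewall.lan.network='lan'
firewall.wan=zone
firewall.wan.name='wan'
firewall.wan.device='tun0'
firewall.@zone[2]=zone
firewall.@zone[2].name='vpn'
firewall.@zone[2].masq='1'
firewall.@zone[2].network='torguardvpn'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].src='lan'
firewall.@forwarding[1].dest='vpn'"""

def parse_uci(dump):
    """Map `uci show` lines to {config.section: {option: value, '.type': type}}."""
    sections = {}
    for line in dump.splitlines():
        key, _, raw = line.partition('=')
        config, _, rest = key.partition('.')
        section, _, option = rest.partition('.')
        # multi-valued options print as 'a' 'b'; dropping the quotes keeps them space-separated
        sections.setdefault(f"{config}.{section}", {})[option or '.type'] = raw.replace("'", '')
    return sections

def firewall_sections(sections, kind):
    return [o for s, o in sections.items() if s.startswith('firewall.') and o.get('.type') == kind]

def zone_devices(sections):
    """Zone name -> devices it covers: `device` entries plus each listed network's ifname."""
    zones = {}
    for z in firewall_sections(sections, 'zone'):
        devs = set(z.get('device', '').split())
        for net in z.get('network', '').split():
            devs.update(sections.get(f"network.{net}", {}).get('ifname', '').split())
        zones[z['name']] = devs
    return zones

def find_conflicts(zones):
    """Devices claimed by more than one zone: the effective policy then depends on rule order."""
    owners = {d: sorted(z for z, ds in zones.items() if d in ds) for d in set().union(*zones.values())}
    return {d: z for d, z in owners.items() if len(z) > 1}

def lan_to_masq_forwarding(sections):
    """True if a forwarding lets 'lan' into a masquerading zone, as the reply above recommends."""
    masq = {z['name'] for z in firewall_sections(sections, 'zone') if z.get('masq') == '1'}
    return any(f.get('src') == 'lan' and f.get('dest') in masq
               for f in firewall_sections(sections, 'forwarding'))
```

Running it against the full `uci show network; uci show firewall` output of a router gives the same checks on a live config; the `.type` key is only a parser convention here, not a UCI option.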