Easy way to create an OpenVPN gateway

I have an ISP provided modem, and want to use my Netgear WNDR3700v2 as router + OpenVPN gateway.

Is it possible for me to:

  • Initiate OpenVPN connection to a VPN via router when it bootups.
  • Create a subnet in my network ( my network is 192.168.1.x, for subnet I'm thinking 192.168.8.x )
  • The subnet should be redirected to OpenVPN connection.
  • The DNS for the subnet should not be requested through my original network.
  • Create two WiFi AP, which the gateways should be and for the other
  • Set two ethernet ports to mynet, other two to subnet.

Is there an easy way to configure this? Like a firmware with OpenVPN client, etc already configured on it with the things I wanted?

Edit: It is possible for me to connect to my VPN via L2TP-IPSEC or PPPTP. So if it's easier I could use those connections ( probably would be faster than OpenVPN )

Yes to all.
It's relatively easy to do it. All the things you want are documented in the Documentation pages.

You could, however PPtP is insecure and L2TP-IPSEC will be more difficult to setup and troubleshoot, if you ask me.

I dumped all my configuration and started anew..

So, first I set it up as dumb ap, although I think this is not so good for vpn redirection because it disables firewall setup..

installed openvpn-openssl and its' luci add-on uploaded my config file & authorization so it's connected without problem.. Added a new vlan, and assigned LAN 4 to it as untagged..

Now I think I need to create a new interface ( "ovpn" ) for the new vlan, set itself as gateway, and forward all traffic to tun0 somehow... Although all physical interfaces are covered by "lan" for now. I also need to add a new wifi and connect it to the new interface..

I'm using Netgear WNDR3700v2. Could you help me about the creation of new interface and its' firewall configuration?

These are my current configurations:


config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr ''
        option netmask ''

config globals 'globals'
        option ula_prefix 'fd66:3381:20ea::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0 eth1'
        option proto 'static'
        option ipaddr ''
        option netmask ''
        option gateway ''
        option ip6assign '60'
        list dns ''
        list dns ''

config device 'lan_eth0_dev'
        option name 'eth0'
        option macaddr 'a2:21:b7:b0:7f:ff'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'
        option blinkrate '2'
        option enable_vlan4k '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '5 3 2 1'

config switch_port
        option device 'switch0'
        option port '1'
        option led '6'

config switch_port
        option device 'switch0'
        option port '2'
        option led '9'

config switch_port
        option device 'switch0'
        option port '5'
        option led '2'

config switch_vlan
        option device 'switch0'
        option ports '0'
        option vlan '2'


config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'

config dhcp 'lan'
        option interface 'lan'
        option dhcpv6 'server'
        option ra 'server'
        option ignore '1'
        option ra_management '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

/etc/config/firewall: ( it's untoched from initial but it's disabled )

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

I don't see any tun0 interface. Is the tunnel going to be attached on this router or on another?

Regarding the additional wifi for the vpn, you can follow the guest tutorial. The principal is the same. Guest users can then be routed via the vpn interface to the internet with a rule and a static route as mentioned in my previous post.

tun0 interface is created when the openvpn client connects to VPN service provider..

I don't want to assign only wifi to the tun0 though.. I also want to assign 2 of the ports to the tun0 also..

I did check the documents. While one by one they're useful, they're not explaining very well when everything comes together.

You can create a bridge consisting of the wifi and these two ports. Same principal, whatever comes ingress the vpn bridge interface will be routed out of the tunnel.

1 Like

I do know a little bit about iptables but openwrt's configuration looks so foreign to me...

The firewall system is called fw3 and configured by /etc/config/firewall; it generally makes it unnecessary to access iptables directly. When the firewall scripts run they load iptables rules into the kernel for you.

Much like you can't connect a wifi AP directly to the wan (because you only have one IP address from the ISP) you won't connect it directly to tun0 either. Those stay separate but they each have a firewall "zone" so that a forwarding and masquerade can be set up between them.

1 Like