I'd like some help setting up a router as a wireless AP whose traffic is routed only through NordVPN. I'm trying to build a WiFi network that my devices can connect to, circumventing geoblocking by appearing to be in a foreign country. My goal is very similar to what's mentioned in this post, but I'm new to OpenWRT, so I'm still trying to wrap my head around everything.
My setup is as follows:
- ISP provided router (Arris) - 192.168.0.1
- Regular WiFi router, routed through ISP (eero) - 192.168.0.4
- OpenWRT WiFi router, routed through VPN (TP-Link TL-WA901ND v5) - 192.168.0.5
I managed to build a custom image that squeezes into the 4MB flash with `openvpn-openssl` and `ip-full` but excludes ppp, IPv6 and LuCI. I followed the NordVPN instructions found here, but I can't get it to work properly. I feel like I'm almost there, but I'm missing something.
The OpenWRT WiFi router is hooked up through its only Ethernet port to the ISP router, so that port is acting as its uplink interface. By configuring this interface (`eth0`) as `type='bridge'`, I was able to get internet connectivity through the WiFi, but it's not being routed through the VPN (presumably because the wireless clients are then bridged straight onto the ISP router's LAN and take 192.168.0.1 as their gateway, so their traffic never passes through this router's routing table or `tun0`). If I remove the `type='bridge'` setting, I can connect to the WiFi network but have no internet connection whatsoever.
Could anyone take a look at this and help me find a solution? Below is my configuration, followed by the OpenVPN logs. Thanks in advance!
uci export openvpn
package openvpn
config openvpn 'custom_config'
option enabled '0'
option config '/etc/openvpn/my-vpn.conf'
config openvpn 'sample_server'
option enabled '0'
option port '1194'
option proto 'udp'
option dev 'tun'
option ca '/etc/openvpn/ca.crt'
option cert '/etc/openvpn/server.crt'
option key '/etc/openvpn/server.key'
option dh '/etc/openvpn/dh1024.pem'
option server '10.8.0.0 255.255.255.0'
option ifconfig_pool_persist '/tmp/ipp.txt'
option keepalive '10 120'
option compress 'lzo'
option persist_key '1'
option persist_tun '1'
option user 'nobody'
option status '/tmp/openvpn-status.log'
option verb '3'
config openvpn 'sample_client'
option enabled '0'
option client '1'
option dev 'tun'
option proto 'udp'
list remote 'my_server_1 1194'
option resolv_retry 'infinite'
option nobind '1'
option persist_key '1'
option persist_tun '1'
option user 'nobody'
option ca '/etc/openvpn/ca.crt'
option cert '/etc/openvpn/client.crt'
option key '/etc/openvpn/client.key'
option compress 'lzo'
option verb '3'
config openvpn 'nordvpn'
option config '/etc/openvpn/us5247.nordvpn.com.tcp.ovpn'
option enabled '1'
uci export network
package network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config interface 'lan'
option ifname 'eth0'
option proto 'dhcp'
option peerdns '0'
list dns '103.86.96.100'
list dns '103.86.99.100'
config interface 'nordvpntun'
option proto 'none'
option ifname 'tun0'
uci export wireless
package wireless
config wifi-device 'radio0'
option type 'mac80211'
option channel '11'
option hwmode '11g'
option path 'platform/qca956x_wmac'
option htmode 'HT20'
option country 'US'
option legacy_rates '1'
config wifi-iface 'default_radio0'
option device 'radio0'
option network 'lan'
option mode 'ap'
option ssid 'VT-VPN'
option encryption 'psk2'
option key 'pichilin.19'
uci export firewall
package firewall
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'vpnfirewall'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
config zone
option name 'vpnfirewall'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'nordvpntun'
ifconfig
eth0 Link encap:Ethernet HWaddr 0C:80:63:EB:7D:A1
inet addr:192.168.0.5 Bcast:192.168.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:636 errors:0 dropped:96 overruns:0 frame:0
TX packets:342 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:109394 (106.8 KiB) TX bytes:52927 (51.6 KiB)
Interrupt:4
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:20 errors:0 dropped:0 overruns:0 frame:0
TX packets:20 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:3731 (3.6 KiB) TX bytes:3731 (3.6 KiB)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.7.3.2 P-t-P:10.7.3.2 Mask:255.255.255.0
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:30 errors:0 dropped:0 overruns:0 frame:0
TX packets:32 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:2280 (2.2 KiB) TX bytes:2432 (2.3 KiB)
wlan0 Link encap:Ethernet HWaddr 0C:80:63:EB:7D:A0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
cat /tmp/openvpn-status.log
OpenVPN STATISTICS
Updated,Sun May 2 18:38:53 2021
TUN/TAP read bytes,912
TUN/TAP write bytes,836
TCP/UDP read bytes,7376
TCP/UDP write bytes,3172
Auth read bytes,836
pre-compress bytes,0
post-compress bytes,0
pre-decompress bytes,0
post-decompress bytes,0
END
cat /tmp/openvpn.log
Sun May 2 15:39:28 2021 OpenVPN 2.4.5 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Sun May 2 15:39:28 2021 library versions: OpenSSL 1.0.2u 20 Dec 2019, LZO 2.10
Sun May 2 15:39:28 2021 WARNING: --ping should normally be used with --ping-restart or --ping-exit
Sun May 2 15:39:28 2021 NOTE: --fast-io is disabled since we are not using UDP
Sun May 2 15:39:28 2021 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Sun May 2 15:39:28 2021 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Sun May 2 15:39:28 2021 TCP/UDP: Preserving recently used remote address: [AF_INET]107.158.155.90:443
Sun May 2 15:39:28 2021 Socket Buffers: R=[87380->87380] S=[16384->16384]
Sun May 2 15:39:28 2021 Attempting to establish TCP connection with [AF_INET]107.158.155.90:443 [nonblock]
Sun May 2 15:39:28 2021 TCP: connect to [AF_INET]107.158.155.90:443 failed: Network unreachable
Sun May 2 15:39:28 2021 SIGUSR1[connection failed(soft),init_instance] received, process restarting
Sun May 2 15:39:28 2021 Restart pause, 5 second(s)
Sun May 2 15:39:33 2021 WARNING: --ping should normally be used with --ping-restart or --ping-exit
Sun May 2 15:39:33 2021 NOTE: --fast-io is disabled since we are not using UDP
Sun May 2 15:39:33 2021 TCP/UDP: Preserving recently used remote address: [AF_INET]107.158.155.90:443
Sun May 2 15:39:33 2021 Socket Buffers: R=[87380->87380] S=[16384->16384]
Sun May 2 15:39:33 2021 Attempting to establish TCP connection with [AF_INET]107.158.155.90:443 [nonblock]
Sun May 2 18:36:52 2021 TCP connection established with [AF_INET]107.158.155.90:443
Sun May 2 18:36:52 2021 TCP_CLIENT link local: (not bound)
Sun May 2 18:36:52 2021 TCP_CLIENT link remote: [AF_INET]107.158.155.90:443
Sun May 2 18:36:52 2021 Server poll timeout, restarting
Sun May 2 18:36:52 2021 SIGUSR1[soft,server_poll] received, process restarting
Sun May 2 18:36:52 2021 WARNING: --ping should normally be used with --ping-restart or --ping-exit
Sun May 2 18:36:52 2021 NOTE: --fast-io is disabled since we are not using UDP
Sun May 2 18:36:52 2021 TCP/UDP: Preserving recently used remote address: [AF_INET]107.158.155.90:443
Sun May 2 18:36:52 2021 Socket Buffers: R=[87380->87380] S=[16384->16384]
Sun May 2 18:36:52 2021 Attempting to establish TCP connection with [AF_INET]107.158.155.90:443 [nonblock]
Sun May 2 18:36:53 2021 TCP connection established with [AF_INET]107.158.155.90:443
Sun May 2 18:36:53 2021 TCP_CLIENT link local: (not bound)
Sun May 2 18:36:53 2021 TCP_CLIENT link remote: [AF_INET]107.158.155.90:443
Sun May 2 18:36:53 2021 TLS: Initial packet from [AF_INET]107.158.155.90:443, sid=b6898580 0d48cbf1
Sun May 2 18:36:53 2021 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sun May 2 18:36:53 2021 VERIFY OK: depth=2, C=PA, O=NordVPN, CN=NordVPN Root CA
Sun May 2 18:36:53 2021 VERIFY OK: depth=1, C=PA, O=NordVPN, CN=NordVPN CA5
Sun May 2 18:36:53 2021 VERIFY KU OK
Sun May 2 18:36:53 2021 Validating certificate extended key usage
Sun May 2 18:36:53 2021 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sun May 2 18:36:53 2021 VERIFY EKU OK
Sun May 2 18:36:53 2021 VERIFY OK: depth=0, CN=us5247.nordvpn.com
Sun May 2 18:36:53 2021 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Sun May 2 18:36:53 2021 [us5247.nordvpn.com] Peer Connection Initiated with [AF_INET]107.158.155.90:443
Sun May 2 18:36:54 2021 SENT CONTROL [us5247.nordvpn.com]: 'PUSH_REQUEST' (status=1)
Sun May 2 18:36:54 2021 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 103.86.96.100,dhcp-option DNS 103.86.99.100,sndbuf 524288,rcvbuf 524288,explicit-exit-notify,comp-lzo no,route-gateway 10.7.3.1,topology subnet,ping 60,ping-restart 180,ifconfig 10.7.3.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Sun May 2 18:36:54 2021 OPTIONS IMPORT: timers and/or timeouts modified
Sun May 2 18:36:54 2021 OPTIONS IMPORT: --explicit-exit-notify can only be used with --proto udp
Sun May 2 18:36:54 2021 OPTIONS IMPORT: compression parms modified
Sun May 2 18:36:54 2021 OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Sun May 2 18:36:54 2021 Socket Buffers: R=[221248->327680] S=[44800->327680]
Sun May 2 18:36:54 2021 OPTIONS IMPORT: --ifconfig/up options modified
Sun May 2 18:36:54 2021 OPTIONS IMPORT: route options modified
Sun May 2 18:36:54 2021 OPTIONS IMPORT: route-related options modified
Sun May 2 18:36:54 2021 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sun May 2 18:36:54 2021 OPTIONS IMPORT: peer-id set
Sun May 2 18:36:54 2021 OPTIONS IMPORT: adjusting link_mtu to 1659
Sun May 2 18:36:54 2021 OPTIONS IMPORT: data channel crypto options modified
Sun May 2 18:36:54 2021 Data Channel: using negotiated cipher 'AES-256-GCM'
Sun May 2 18:36:54 2021 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sun May 2 18:36:54 2021 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sun May 2 18:36:54 2021 TUN/TAP device tun0 opened
Sun May 2 18:36:54 2021 TUN/TAP TX queue length set to 100
Sun May 2 18:36:54 2021 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sun May 2 18:36:54 2021 /sbin/ifconfig tun0 10.7.3.2 netmask 255.255.255.0 mtu 1500 broadcast 10.7.3.255
Sun May 2 18:36:54 2021 /sbin/route add -net 107.158.155.90 netmask 255.255.255.255 gw 192.168.0.1
Sun May 2 18:36:54 2021 /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.7.3.1
Sun May 2 18:36:54 2021 /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.7.3.1
Sun May 2 18:36:54 2021 Initialization Sequence Completed