Help Creating Private Network with Dual Radio Repeater (Hotel Wifi - Travel Router)

@openwrt_newbie999 - Due to the very limited flash (4MB), I perform the extroot process and use a USB thumb drive to effectively increase the flash storage capacity. It is necessary to use the image builder tool to exclude LuCI and include the appropriate USB + storage drivers to get started. I have a set of scripts that performs the extroot, sets up the basic networking, and installs LuCI and all the other packages I need.

Was that for me?

Check out my config above. Haven't done anything different.

You should not have any issues getting OpenVPN on your device (8 MB I think).
There are a number of other OpenVPN pages here: https://wiki.openwrt.org/start?do=search&id=openvpn
I like the "streamlined" one the best right now.

Also travelmate is a good product, but you may want to verify with dirk some of the fine points (i.e. radio config). I think you should make sure you understand which is radio0 and radio1 and that it maps correctly in the product. Not too many dual radio setups out there.

I also have mini-DLNA on my travel router, but with 64GB on the phone I do not use it as much as with my older phone.


As much as Travelmate may make the setup process easy, since I already have a working config for my setup, I've decided to stick with it for now.

Thanks for the OpenVPN guide, will check it out.

You may also be interested in Wireguard VPN

http://wireguard.com

The paradigm of a "VPN" is quite different, but I've found it to be simple and straightforward to set up from LuCI. At this time, your other endpoints must be Linux or OSX-based, but if you plan to use a travel router to connect home for example, it would work as an ad hoc point-to-point VPN when you use the travel router away.

It sets up as its own interface and uses shared public keys, matching private ones you set up at install. You can use your home IP or a DDNS name as the static endpoint address for your home router, and set up the travel router with no fixed remote IP, so it can "roam."

It's all safe, because only you know the key, port and permitted IPs on the tunnel. You also firewall.

opkg install luci-proto-wireguard wireguard

should install the needed packages

It's a relatively new protocol. Do you trust that it is secure at this point in its development? AFAIK it has not gone through any third-party security audits so far.

Not any more than the protocols with so many lines of code, I can't read it all.

Travelmate is a station manager, meaning it will allow you to define a number of "Hotspots" and automatically login to them as you travel (Hotels, coffee shops, etc) and also address the issue of "No AP when the STAtion is not available". This should not be an issue on a dual band radio, but if you have any 2.4 GHz clients it becomes relevant.

My references to config were to make you aware that, as best I know, the travelmate product needs to know what radio is acting in what role.

Ah I see,

I agree that it would make it a little more convenient for me, especially if I have 2.4 GHz clients like you mentioned or I was connecting to multiple hotspots. The latter issue of “No AP when the STAtion is not available” is a non-issue since this is dual radio. However, due to limited Flash MB I've decided I don't need it for now.

Looking on to the VPN side of things, I looked into Logan's guide mentioned above by @psherman but it lacks the ability for me to enable/disable the VPN from the UI.

I followed this guide instead to try and setup a VPN since it allows UI functionality.

But again, I ran into the problem where the guide only pertains to single band radios. Please could someone help me change the firewall settings such that I can use it with a dual band radio.

He mentions in the guide that the firewall forwarding settings should be like:

config zone
    option name 'VPN_FW'
    other options

config forwarding
    option dest 'VPN_FW'
    option src 'lan'

Since I am using a dual band radio, I already have the following forwarding settings in my firewall:

config forwarding
    option src 'lan'
    option dest 'wan'

I tried adding two forwarding configs such that it forwards from lan -> VPN_FW -> wan but that did not work. My non-working forwarding config looked as follows:

config forwarding
    option src 'lan'
    other dest 'VPN_FW'

config forwarding
    option src 'VPN_FW'
    option src 'wan'

Appreciate the guidance :slight_smile:

EDIT:
I made a new topic for the VPN configurations because it is slightly off-topic for this. Please comment here.
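As an added example (not from this thread, the linked guide, or OpenWrt's own uci tool), the following Python checker parses UCI-style firewall stanzas and reports the kind of slips visible in the non-working config above (a stray non-`option` keyword, a duplicated `option src`, a missing `dest`, or a zone that no `config zone` defines). The zone names `lan`, `wan` and `VPN_FW` come from the post; the sample configs are constructed here.

```python
import re

# Added example, not from the thread or from OpenWrt: a small checker for the
# 'forwarding' sections of an /etc/config/firewall file written in UCI syntax.
SECTION_RE = re.compile(r"^config\s+(\w+)(?:\s+'?\w+'?)?$")
OPTION_RE = re.compile(r"^(\w+)\s+(\w+)\s+'([^']*)'$")
def parse_uci(text):
    # Returns [(section_type, [(keyword, key, value), ...])]. The keyword is kept
    # verbatim so a typo such as 'other dest' stays visible instead of vanishing.
    sections = []
    for line in (l.strip() for l in text.splitlines()):
        if m := SECTION_RE.match(line):
            sections.append((m.group(1), []))
        elif (m := OPTION_RE.match(line)) and sections:
            sections[-1][1].append(m.groups())
    return sections
def check_forwardings(text):
    # Flags, per forwarding section: a non-UCI keyword, a duplicated option,
    # a missing src/dest, or a zone that no 'config zone' section defines.
    sections = parse_uci(text)
    zones = {v for t, opts in sections if t == "zone"
             for kw, k, v in opts if (kw, k) == ("option", "name")}
    problems, n = [], 0
    for t, opts in sections:
        if t != "forwarding":
            continue
        n, seen = n + 1, {}
        for kw, k, v in opts:
            if kw != "option":
                problems.append(f"forwarding {n}: '{kw} {k}' is not a UCI keyword")
            elif k in seen:
                problems.append(f"forwarding {n}: duplicate 'option {k}'")
            else:
                seen[k] = v
        for need in ("src", "dest"):
            if need not in seen:
                problems.append(f"forwarding {n}: missing 'option {need}'")
            elif seen[need] not in zones:
                problems.append(f"forwarding {n}: zone '{seen[need]}' is undefined")
    return problems
# Constructed sample input: the three zones from the post plus its non-working stanzas.
ZONES = "".join(f"config zone\n    option name '{z}'\n" for z in ("lan", "wan", "VPN_FW"))
BROKEN = ZONES + ("config forwarding\n    option src 'lan'\n    other dest 'VPN_FW'\n"
                  "config forwarding\n    option src 'VPN_FW'\n    option src 'wan'\n")
# Constructed corrected version: both forwardings start in lan; the routing table
# (e.g. the VPN's default route) decides whether traffic leaves via VPN_FW or wan.
FIXED = ZONES + "".join(f"config forwarding\n    option src 'lan'\n    option dest '{d}'\n"
                        for d in ("VPN_FW", "wan"))
```

Run `check_forwardings(BROKEN)` to list the four problems and `check_forwardings(FIXED)` to confirm an empty list; the same function can be pointed at the contents of a real `/etc/config/firewall`.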

Thank You Everyone in this thread for helping me achieve this!

There is a LuCI package for OpenVPN. With that in place, you will be able to select from multiple VPN configurations and start/stop the tunnel.

Hey guys, sorry to revive an old topic but I had another question regarding this so I thought I should just post it here rather than creating a new topic. So far the config I posted above has been working like a charm for my purposes.

Recently, I came to a hotel and the WiFi is unencrypted but they have a captive portal for getting access to the WiFi. How can I extend this config to be able to login to the captive portal?

Thanks for the help!

@openwrt_newbie999 - In my experience (which is obviously not going to cover all cases), I've found that I can authenticate to a captive portal using the browser on my computer or mobile device, connected though my travel router. Often the captive portal page comes up once when I try to navigate to a page on the internet, and then after authenticating/agreeing, it lets all my devices connect through my router (and in turn through to the internet) without issue. Sometimes the captive portal page doesn't load, for whatever reason... in those cases, I'll bypass my router and connect to the wifi/ethernet at the location directly with one of my devices, at which point the captive portal usually comes up without an issue. I'll copy the captive portal web address, reconnect to my router, and then visit the portal page again (this time actively navigating to it).

Also, at least initially, it is important that your travel router allows traffic from LAN > WAN and that the VPN is not enabled prior to captive portal authentication/agreement (or more accurately attempting to connect). Once the captive portal auth is finished, you can enable your VPN, if desired, and you can disable the firewall forwarding rule from LAN > WAN in favor of LAN > VPN.

One last thought -- make sure that the upstream network is on a different subnet than your travel router's LAN. If they are the same, you will obviously not be able to connect since different subnets on each side of the NAT layer is absolutely necessary.

@psherman
Thanks for the response.

In my case, the router is going to be connected to the hotel wifi on the 5 GHz band and then my devices are going to connect to the router on the 2.4 GHz band to get access to the WiFi.

So are you saying when I try to use one of my 2.4 GHz devices, it will automatically direct me to the captive portal for authentication? And then once authenticated through one of those devices, it will automatically be authenticated for all devices?

Shouldn't the hotel wifi be authenticated through the router? Feel free to correct me if I am wrong.

In short, yes... the hotel captive portal will only authenticate your router’s MAC address.

All your devices connecting to your router are behind the NAT and do not need to be authenticated. The hotel will not know or care what or how many devices are hiding behind the router, unless they start stripping out the headers of every packet, which I think they won't bother with at all.


Biggest issue would be if you get an ipv6 connection and your router isn't doing NAT. The ipv4 connection with NAT means all the packets from behind the router seem to be coming from the router itself.

I am a frequent traveller and I have never been assigned an IPv6 address at the hotels or public hotspots because we are already under layers and layers of IPv4 private NATs. I think IPv6 is off topic in this thread.

Will some Gurus care to comment to point me right?

In my experience, most of the time this works. From time to time, as I mentioned earlier, the captive portal doesn't automatically come up, but I described my workflow for those rare situations in that same response.

Thanks for the responses guys, unfortunately going to the authentication URL didn't work. What I ended up doing was I spoofed the MAC address on one of my devices and authenticated that device. Then I changed my router's MAC address to that of my device's MAC and then connected the router to the hotel WiFi. Now it works.


Great & quick thinking there! Some operators are infamously known for scanning for rogue APs in the vicinity and might have blacklisted your router's first 4 pairs of MAC addresses.

Also, other possibilities...

Rebind protection (in DHCP and DNS) or Enable SYN-flood protection (in Firewall) are enabled. These might prevent the captive portal from showing up. I also traveled a fair bit previously and had my router set to the fullest security, enabling anything I thought to be useful. Then, I encountered no captive portal, or the captive portal would appear every time I used a different client through the router. Disabled the above and never had a problem since.
