Help setting up dedicated VPN WiFi router

I'd like some help setting up a router as a wireless AP that's only routed through NordVPN.

I'm a complete noob when it comes to OpenWrt, but have a little knowledge of using other, more basic factory firmware, so please try to keep advice or instructions pitched at this level for now. I'm trying to bring myself up to speed with this amazing firmware option.

Essentially, my setup at home is a cable modem running into the WAN port of my ISP supplied router (10.2.1.1; Router1). I've connected a LAN output into the WAN input of the Linksys WRT1200ac (Router2) that I intend to use for the Nord VPN client. I'm trying to build a WiFi network that my devices can connect to, circumventing geoblocking, by appearing in a foreign country. The Linksys router is still at 192.168.1.1 - I'm not looking for it to communicate with devices connected to the 10.2.1.* network, only for devices connected to the VPN WiFi to access the WAN through the VPN tunnel.

I'm trying to follow the NordVPN instructions found at: https://nordvpn.com/tutorials/openwrt/openvpn/ (Tutorial - OpenVPN | NordVPN)

What I've done:

  • I installed openvpn-openssl, ip-full and luci-app-openvpn packages from the software tab.

  • I downloaded a configuration file for a USA-based UDP NordVPN server (*.ovpn)

  • I set up a new VPN connection from the OpenWrt OpenVPN tab, using the *.ovpn config file, and called it "nordvpn"

  • I added my login details on separate lines in the bottom window to create the auth file and added the location of the authfile to the "auth-user-pass" config line

I skipped over Step 3, because the above procedure should have already taken care of this step, right?

I then added a new network interface by connecting to the router via SSH and typing:

# declare tun0 (created by OpenVPN) as an unmanaged interface so the firewall can refer to it
uci set network.nordvpntun=interface
uci set network.nordvpntun.proto='none'
uci set network.nordvpntun.ifname='tun0'
uci commit network

then added firewall rules:

# zone for the tunnel interface: NAT clients behind the tun0 address, clamp MSS to the tunnel MTU
uci add firewall zone
uci set firewall.@zone[-1].name='vpnfirewall'
uci set firewall.@zone[-1].input='REJECT'
uci set firewall.@zone[-1].output='ACCEPT'
uci set firewall.@zone[-1].forward='REJECT'
uci set firewall.@zone[-1].masq='1'
uci set firewall.@zone[-1].mtu_fix='1'
uci add_list firewall.@zone[-1].network='nordvpntun'
# forward LAN clients into the tunnel zone
uci add firewall forwarding
uci set firewall.@forwarding[-1].src='lan'
uci set firewall.@forwarding[-1].dest='vpnfirewall'
uci commit firewall

then configured DNS servers:

# ignore the resolvers the upstream router hands out on wan and pin NordVPN's instead
uci set network.wan.peerdns='0'
uci del network.wan.dns    # reports "Entry not found" harmlessly if no dns list existed yet
uci add_list network.wan.dns='103.86.96.100'
uci add_list network.wan.dns='103.86.99.100'
uci commit    # no argument: commits every changed config, not only network

I can access WAN when connected to the router via LAN cable until I enable nordvpn, then the WAN is inaccessible.

How do I complete the setup to have all traffic flow through the VPN tunnel (both LAN and WiFi)? How would it be configured for just WiFi traffic, with LAN going direct through the ISP only?

How do I set the WiFi network up? If I try to connect, devices aren't receiving IP addresses, so clearly I have no idea what I'm doing with the DHCP on Router2.

Thanks for helping me with what must be some quite basic questions for you guys!

First check the logs to confirm that the VPN client is successfully making the connection and opening the tunnel.

Then you need a new network and firewall zone for the VPN users. You can't use lan; it has to continue to go to the Internet directly through your main router.

UCI commands are difficult to read. You may have to post the contents of the /etc/config/network and /etc/config/firewall files.

Have you configured your DNS servers within the LAN interface?

Get it working with ethernet connection to primary router first.

See the alternate tutorial guide at bottom of page where it describes an openvpn router behind a primary router. (I've had nordvpn working)
https://openwrt.org/docs/guide-user/services/vpn/openvpn/client-luci

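The separate network and firewall zone that the reply above asks for, written out as an added example; this is not the original poster's or any replier's configuration. It takes from the thread the tunnel interface `nordvpntun` (proto none, ifname tun0) and its zone `vpnfirewall` with masquerading on; the network/zone name `vpn`, the subnet 192.168.2.0/24, the SSID `VPN-WiFi` and the `UCI` variable (set `UCI=echo` to print the commands instead of running them) are my own choices. The security-relevant part is the zone policy: clients of the new network can forward only into the tunnel zone, so when tun0 is down they get nothing rather than the ISP path, and their DNS is handed out via DHCP option 6 so it also goes through the tunnel rather than the router's resolver.

```shell
#!/bin/sh
# Added example, not the thread's own commands: a VPN-only WiFi network on
# OpenWrt, separate from 'lan', whose only way out is the tunnel zone.
# Assumed from the thread: network.nordvpntun (proto none, ifname tun0) and the
# firewall zone 'vpnfirewall' (masq on) already exist.
# My own choices: network/zone 'vpn', 192.168.2.0/24, SSID 'VPN-WiFi', and the
# UCI variable (UCI=echo prints the commands instead of running them).
UCI=${UCI:-uci}

vpn_net_setup() {
    # 1. Second LAN-side network for VPN clients. No ip6assign on purpose: the
    #    tunnel in the thread is IPv4-only, so IPv6 here would bypass it.
    $UCI set network.vpn=interface
    $UCI set network.vpn.proto=static
    $UCI set network.vpn.ipaddr=192.168.2.1
    $UCI set network.vpn.netmask=255.255.255.0

    # 2. DHCP for that network. Option 6 hands clients the resolvers the VPN
    #    server pushed, so their queries go through tun0 instead of to the
    #    router's dnsmasq, which would resolve via the ISP.
    $UCI set dhcp.vpn=dhcp
    $UCI set dhcp.vpn.interface=vpn
    $UCI set dhcp.vpn.start=100
    $UCI set dhcp.vpn.limit=150
    $UCI set dhcp.vpn.leasetime=12h
    $UCI add_list "dhcp.vpn.dhcp_option=6,103.86.96.100,103.86.99.100"

    # 3. Zone for the clients: input rejected except DHCP, and the only
    #    forwarding goes into 'vpnfirewall' (tun0). There is deliberately no
    #    vpn->wan forwarding, so a dropped tunnel cannot leak out via the ISP.
    $UCI add firewall zone
    $UCI set "firewall.@zone[-1].name=vpn"
    $UCI set "firewall.@zone[-1].input=REJECT"
    $UCI set "firewall.@zone[-1].output=ACCEPT"
    $UCI set "firewall.@zone[-1].forward=REJECT"
    $UCI add_list "firewall.@zone[-1].network=vpn"
    $UCI add firewall forwarding
    $UCI set "firewall.@forwarding[-1].src=vpn"
    $UCI set "firewall.@forwarding[-1].dest=vpnfirewall"
    $UCI add firewall rule
    $UCI set "firewall.@rule[-1].name=Allow-DHCP-vpn"
    $UCI set "firewall.@rule[-1].src=vpn"
    $UCI set "firewall.@rule[-1].proto=udp"
    $UCI set "firewall.@rule[-1].dest_port=67"
    $UCI set "firewall.@rule[-1].target=ACCEPT"

    # 4. Move the 5 GHz AP (wifi-iface 'default_radio0') from 'lan' onto 'vpn'.
    $UCI set wireless.default_radio0.network=vpn
    $UCI set wireless.default_radio0.ssid=VPN-WiFi

    $UCI commit network
    $UCI commit dhcp
    $UCI commit firewall
    $UCI commit wireless
}

# Apply on the router after sourcing this file:
#   . ./vpn-wifi.sh && vpn_net_setup
#   /etc/init.d/network restart; /etc/init.d/dnsmasq restart
#   /etc/init.d/firewall restart; wifi
```

With this in place the wired `lan` clients keep the forwarding the thread already has; to make LAN go direct through the ISP while only the WiFi network uses the tunnel, delete the `lan -> vpnfirewall` forwarding section again so that `lan` forwards only to `wan`.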

Thank you for using my manual.

Please first give the output of
logread -e openvpn
after a restart of the router.

Please also give the sections you added to /etc/config/network and /etc/config/firewall.

However, there were problems with autostart in the current configuration; please read the manual on AirVPN: https://airvpn.org/forums/topic/20303-airvpn-configuration-on-openwrt-preventing-traffic-leakage-outside-tunnel/ The kill switch was already updated.

Hi ulmwind, thanks for providing the instruction manual.

Here is the output of the openvpn log as requested:

root@OpenWrt:~# logread -e openvpn
Wed Feb  5 10:07:42 2020 daemon.notice openvpn(nordvpn)[2918]: OpenVPN 2.4.7 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Wed Feb  5 10:07:42 2020 daemon.notice openvpn(nordvpn)[2918]: library versions: OpenSSL 1.1.1d  10 Sep 2019, LZO 2.10
Wed Feb  5 10:07:42 2020 daemon.warn openvpn(nordvpn)[2918]: WARNING: --ping should normally be used with --ping-restart or --ping-exit
Wed Feb  5 10:07:42 2020 daemon.notice openvpn(nordvpn)[2918]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Wed Feb  5 10:07:42 2020 daemon.notice openvpn(nordvpn)[2918]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Wed Feb  5 10:07:42 2020 daemon.notice openvpn(nordvpn)[2918]: TCP/UDP: Preserving recently used remote address: [AF_INET]198.8.81.82:1194
Wed Feb  5 10:07:42 2020 daemon.notice openvpn(nordvpn)[2918]: Socket Buffers: R=[163840->163840] S=[163840->163840]
Wed Feb  5 10:07:42 2020 daemon.notice openvpn(nordvpn)[2918]: UDP link local: (not bound)
Wed Feb  5 10:07:42 2020 daemon.notice openvpn(nordvpn)[2918]: UDP link remote: [AF_INET]198.8.81.82:1194
Wed Feb  5 10:07:42 2020 daemon.notice openvpn(nordvpn)[2918]: TLS: Initial packet from [AF_INET]198.8.81.82:1194, sid=bde8aba6 f9eeaf58
Wed Feb  5 10:07:42 2020 daemon.warn openvpn(nordvpn)[2918]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Wed Feb  5 10:07:43 2020 daemon.notice openvpn(nordvpn)[2918]: VERIFY OK: depth=2, C=PA, O=NordVPN, CN=NordVPN Root CA
Wed Feb  5 10:07:43 2020 daemon.notice openvpn(nordvpn)[2918]: VERIFY OK: depth=1, C=PA, O=NordVPN, CN=NordVPN CA4
Wed Feb  5 10:07:43 2020 daemon.notice openvpn(nordvpn)[2918]: VERIFY KU OK
Wed Feb  5 10:07:43 2020 daemon.notice openvpn(nordvpn)[2918]: Validating certificate extended key usage
Wed Feb  5 10:07:43 2020 daemon.notice openvpn(nordvpn)[2918]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Feb  5 10:07:43 2020 daemon.notice openvpn(nordvpn)[2918]: VERIFY EKU OK
Wed Feb  5 10:07:43 2020 daemon.notice openvpn(nordvpn)[2918]: VERIFY OK: depth=0, CN=us4512.nordvpn.com
Wed Feb  5 10:07:43 2020 daemon.notice openvpn(nordvpn)[2918]: Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Wed Feb  5 10:07:43 2020 daemon.notice openvpn(nordvpn)[2918]: [us4512.nordvpn.com] Peer Connection Initiated with [AF_INET]198.8.81.82:1194
Wed Feb  5 10:07:44 2020 daemon.notice openvpn(nordvpn)[2918]: SENT CONTROL [us4512.nordvpn.com]: 'PUSH_REQUEST' (status=1)
Wed Feb  5 10:07:44 2020 daemon.notice openvpn(nordvpn)[2918]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 103.86.96.100,dhcp-option DNS 103.86.99.100,sndbuf 524288,rcvbuf 524288,explicit-exit-notify,comp-lzo no,route-gateway 10.8.1.1,topology subnet,ping 60,ping-restart 180,ifconfig 10.8.1.48 255.255.255.0,peer-id 43,cipher AES-256-GCM'
Wed Feb  5 10:07:44 2020 daemon.notice openvpn(nordvpn)[2918]: OPTIONS IMPORT: timers and/or timeouts modified
Wed Feb  5 10:07:44 2020 daemon.notice openvpn(nordvpn)[2918]: OPTIONS IMPORT: explicit notify parm(s) modified
Wed Feb  5 10:07:44 2020 daemon.notice openvpn(nordvpn)[2918]: OPTIONS IMPORT: compression parms modified
Wed Feb  5 10:07:44 2020 daemon.notice openvpn(nordvpn)[2918]: OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Wed Feb  5 10:07:44 2020 daemon.notice openvpn(nordvpn)[2918]: Socket Buffers: R=[163840->327680] S=[163840->327680]
Wed Feb  5 10:07:44 2020 daemon.notice openvpn(nordvpn)[2918]: OPTIONS IMPORT: --ifconfig/up options modified
Wed Feb  5 10:07:44 2020 daemon.notice openvpn(nordvpn)[2918]: OPTIONS IMPORT: route options modified
Wed Feb  5 10:07:44 2020 daemon.notice openvpn(nordvpn)[2918]: OPTIONS IMPORT: route-related options modified
Wed Feb  5 10:07:44 2020 daemon.notice openvpn(nordvpn)[2918]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Wed Feb  5 10:07:44 2020 daemon.notice openvpn(nordvpn)[2918]: OPTIONS IMPORT: peer-id set
Wed Feb  5 10:07:44 2020 daemon.notice openvpn(nordvpn)[2918]: OPTIONS IMPORT: adjusting link_mtu to 1657
Wed Feb  5 10:07:44 2020 daemon.notice openvpn(nordvpn)[2918]: OPTIONS IMPORT: data channel crypto options modified
Wed Feb  5 10:07:44 2020 daemon.notice openvpn(nordvpn)[2918]: Data Channel: using negotiated cipher 'AES-256-GCM'
Wed Feb  5 10:07:44 2020 daemon.notice openvpn(nordvpn)[2918]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Feb  5 10:07:44 2020 daemon.notice openvpn(nordvpn)[2918]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Feb  5 10:07:44 2020 daemon.notice openvpn(nordvpn)[2918]: TUN/TAP device tun0 opened
Wed Feb  5 10:07:44 2020 daemon.notice openvpn(nordvpn)[2918]: TUN/TAP TX queue length set to 100
Wed Feb  5 10:07:44 2020 daemon.notice openvpn(nordvpn)[2918]: /sbin/ifconfig tun0 10.8.1.48 netmask 255.255.255.0 mtu 1500 broadcast 10.8.1.255
Wed Feb  5 10:07:45 2020 daemon.notice openvpn(nordvpn)[2918]: /sbin/route add -net 198.8.81.82 netmask 255.255.255.255 gw 10.2.1.1
Wed Feb  5 10:07:45 2020 daemon.notice openvpn(nordvpn)[2918]: /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.8.1.1
Wed Feb  5 10:07:45 2020 daemon.notice openvpn(nordvpn)[2918]: /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.8.1.1
Wed Feb  5 10:07:45 2020 daemon.notice openvpn(nordvpn)[2918]: Initialization Sequence Completed

I'm sorry for my ineptitude, but how do I provide the added sections to /etc/config/network, /etc/config/firewall that you requested?

Is this it?

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdd8:55b2:543d::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        list dns '103.86.96.100'
        list dns '103.86.99.100'

config interface 'wan'
        option ifname 'eth1.2'
        option proto 'dhcp'
        option peerdns '0'
        list dns '8.8.8.8'
        list dns '8.8.4.4'
        option type 'bridge'

config interface 'wan6'
        option ifname 'eth1.2'
        option proto 'dhcpv6'
        option reqprefix 'auto'
        option reqaddress 'try'
        option auto '0'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 3 5t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '4 6t'

config interface 'nordvpntun'
        option proto 'none'
        option ifname 'tun0'
        option type 'bridge'

OpenVPN is connected, but traffic's not being routed through it yet.
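Two checks that turn the log above and the routing table into a yes/no answer, as an added example rather than a script from the thread. The sample log lines are constructed from the logread output in the post, and the sample routes are what the three `route add` lines there leave behind; `vpn_leakcheck`, which runs the same checks on a live router, is my own wrapper.

```shell
#!/bin/sh
# Added example, not from the thread: is the tunnel really up, and does it own
# the default route? Feed openvpn_up the output of `logread -e openvpn` and
# route_via_tun the output of `ip -4 route show`.

# Exit 0 if the most recent OpenVPN start reached "Initialization Sequence
# Completed". Only lines after the last version banner count, so a stale
# success from an earlier run cannot mask a current failure.
openvpn_up() {
    awk '
        /OpenVPN [0-9]+\.[0-9]/          { done = 0 }
        /Initialization Sequence Completed/ { done = 1 }
        END { if (done) exit 0; exit 1 }
    '
}

# Print the resolvers the server pushed (dhcp-option DNS a.b.c.d), one per
# line, to compare with what the router hands out to clients.
pushed_dns() {
    grep 'PUSH_REPLY' | tr ',' '\n' | sed -n 's/^dhcp-option DNS //p'
}

# Exit 0 when default traffic leaves via $1 (default tun0): either a plain
# 'default' route on it, or the 0.0.0.0/1 + 128.0.0.0/1 pair that
# 'redirect-gateway def1' installs (the form in the thread's log).
route_via_tun() {
    dev=${1:-tun0}
    routes=$(cat)
    if printf '%s\n' "$routes" | grep -Eq "^default .*dev $dev( |\$)"; then
        return 0
    fi
    if printf '%s\n' "$routes" | grep -Eq "^0\.0\.0\.0/1 .*dev $dev( |\$)" &&
       printf '%s\n' "$routes" | grep -Eq "^128\.0\.0\.0/1 .*dev $dev( |\$)"; then
        return 0
    fi
    return 1
}

# Live check on the router (not run here).
vpn_leakcheck() {
    logread -e openvpn | openvpn_up || { echo "openvpn: not connected"; return 1; }
    ip -4 route show | route_via_tun tun0 || { echo "routes: default not via tun0"; return 1; }
    echo "pushed DNS: $(logread -e openvpn | pushed_dns | tr '\n' ' ')"
    echo "OK: tunnel up and default route via tun0"
}

# Constructed sample: the relevant lines from the thread's logread output.
SAMPLE_LOG=$(cat <<'EOF'
Wed Feb  5 10:07:42 2020 daemon.notice openvpn(nordvpn)[2918]: OpenVPN 2.4.7 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4]
Wed Feb  5 10:07:44 2020 daemon.notice openvpn(nordvpn)[2918]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 103.86.96.100,dhcp-option DNS 103.86.99.100,route-gateway 10.8.1.1,topology subnet,ifconfig 10.8.1.48 255.255.255.0,cipher AES-256-GCM'
Wed Feb  5 10:07:44 2020 daemon.notice openvpn(nordvpn)[2918]: TUN/TAP device tun0 opened
Wed Feb  5 10:07:45 2020 daemon.notice openvpn(nordvpn)[2918]: Initialization Sequence Completed
EOF
)

# Constructed sample: `ip -4 route show` after the three route adds in the log.
SAMPLE_ROUTES_OK=$(cat <<'EOF'
0.0.0.0/1 via 10.8.1.1 dev tun0
default via 10.2.1.1 dev eth1.2 src 10.2.1.50
10.2.1.0/24 dev eth1.2 scope link src 10.2.1.50
10.8.1.0/24 dev tun0 scope link src 10.8.1.48
128.0.0.0/1 via 10.8.1.1 dev tun0
192.168.1.0/24 dev br-lan scope link src 192.168.1.1
198.8.81.82 via 10.2.1.1 dev eth1.2
EOF
)

# Constructed sample: the same table with the tunnel down; default goes to the ISP.
SAMPLE_ROUTES_LEAK=$(cat <<'EOF'
default via 10.2.1.1 dev eth1.2 src 10.2.1.50
10.2.1.0/24 dev eth1.2 scope link src 10.2.1.50
192.168.1.0/24 dev br-lan scope link src 192.168.1.1
EOF
)
```

On the router, source the file and run `vpn_leakcheck`; a non-zero exit means traffic from the router itself is currently leaving via the ISP, which is exactly the state a kill switch in the firewall is meant to make harmless for the clients behind it.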

  • by any chance did you install some kind of vpn-pbr or mwan?

  • also post the /etc/config/firewall relevant section for the vpn ( need to verify the forwarding stanza )

Hi wulfy,

I'm sorry I don't know what either of those are. I haven't installed anything other than the directions in ulmwind's tutorial above.

Here's the contents of /etc/config/firewall

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config zone
        option name 'vpnfirewall'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'nordvpntun'

config forwarding
        option src 'lan'
        option dest 'vpnfirewall'

thanks

firewall is ok...

hmmmm.... those are contradictory... they wouldn't break a working vpn but the fact that they don't match sort of makes everything questionable... ?

please confirm you have not added any kill switch scripts?

if so we can test stuff one by one... starting with a wired client off router2 LAN ... you said there is no dhcp? you'd need that before anything else...

That was an oversight that I corrected last night. New /etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdd8:55b2:543d::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        list dns '103.86.96.100'
        list dns '103.86.99.100'

config interface 'wan'
        option ifname 'eth1.2'
        option proto 'dhcp'
        option peerdns '0'
        option type 'bridge'
        list dns '103.86.96.100'
        list dns '103.86.99.100'

config interface 'wan6'
        option ifname 'eth1.2'
        option proto 'dhcpv6'
        option reqprefix 'auto'
        option reqaddress 'try'
        option auto '0'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 3 5t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '4 6t'

config interface 'nordvpntun'
        option proto 'none'
        option type 'bridge'
        option ifname 'tun0'

I haven't added any scripts at all.
LAN client off Router2 is working fine (I'm typing from it right now).


OK, yes, VPN-connection is established successfully.

Firewall and network are OK; for an additional kill switch you can comment out the section

and comment out the line in the wan section

There is no need to specify 'bridge' type for tun0.

Everything should work; please remove the dns entries from lan, they should be added in the dhcp config as list dhcp_option '6,8.8.8.8,8.8.4.4':

Remove them also from the wan section.

Why have you inserted bridge everywhere?

I'm sorry ulmwind, I honestly don't know how I can edit these files to add the #. I've worked out how to read them, but not how to edit them via SSH. As I said, I'm pretty green.

I have no idea! It might've happened when I was looking through settings when things weren't working, but certainly didn't deliberately insert it.

I've made the changes other than commenting out the two sections.

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdd8:55b2:543d::/48'

config interface 'lan'
        option ifname 'eth0.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option ifname 'eth1.2'
        option proto 'dhcp'
        option peerdns '0'

config interface 'wan6'
        option ifname 'eth1.2'
        option proto 'dhcpv6'
        option reqprefix 'auto'
        option reqaddress 'try'
        option auto '0'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 3 5t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '4 6t'

config interface 'nordvpntun'
        option proto 'none'
        option ifname 'tun0'

Success! Thanks so far.
Now, how do I get the VPN accessible via WiFi?
I worked out that all the bridge settings were from me trying to attach network interfaces to WiFi...

You should study the basic commands of the 'vi' editor. You can leave the dns servers in the wan section; I wrote only about the lan section concerning dns. However, interface lan should be of type 'bridge'. Please make the changes and provide /etc/config/wireless, omitting key information: replace the key with something like '***'.

To sum up, please treat sections and interfaces independently; you are treating them all the same: either inserting bridge everywhere or removing bridge everywhere.

Thanks. I've changed the LAN interface back to bridge and added the DNS servers to the WAN interface.

root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option channel '36'
        option hwmode '11a'
        option path 'soc/soc:pcie/pci0000:00/0000:00:01.0/0000:01:00.0'
        option htmode 'VHT80'
        option country 'AU'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option mode 'ap'
        option ssid 'OpenWrt'
        option macaddr 'c2:56:27:b9:79:**'
        option key '*******************************'
        option encryption 'psk2'
        option wpa_disable_eapol_key_retries '1'

config wifi-device 'radio1'
        option type 'mac80211'
        option channel '11'
        option hwmode '11g'
        option path 'soc/soc:pcie/pci0000:00/0000:00:02.0/0000:02:00.0'
        option htmode 'HT20'
        option country 'AU'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option mode 'ap'
        option ssid 'OpenWrt'
        option macaddr 'c2:56:27:b9:79:**'
        option wpa_disable_eapol_key_retries '1'
        option key '*******************************'
        option encryption 'psk2'

I'm starting to get my head around this, but it's so much more complex than dealing with factory firmware and DD-WRT.

Thank you for being so patient with me.

In the wifi-iface section you should specify the network to which the interface is assigned:
option network 'lan'

Awesome, thanks so much. The final bit was nice and easy.

Thank you. dd-wrt is a lot easier... on the flip side... once you get a grip on the basics, you gain a lot more adaptability... and the learning curve loses much of its angle... (single-subnet VPN PBR in dd-wrt is as simple as entering the subnet/mask, but most other things get hacky compared to OpenWrt if you deviate from single instances and default basic options); forum support is also a lot better with OpenWrt (cause and effect?) :wink:
