Help setup OpenWrt VPN with single port TL-WR802N

asyba · October 21, 2022, 8:39pm

Hi
I need help setting up an Access Point to connect devices through WiFI and pass through a VPN.
My goal is just to connect the Apple TV or other device for stream geolocation, I don't want that my entire network to pass through VPN.

Router with OpenWRT 22.03.2 : TL-WR802N v4

Only 2MB for installing packages.
Only 1 WAN/LAN Port, so a fresh install starts with 1 Interface LAN bridged.

VPN = OpenVPN = Express VPN

My current network:
ISP Modem Bridge Mode -> TP-Link Archer C80 as Router -> Wifi devices and wired an unmanaged Switch -> connects Xbox, PC, and OpenWRT Access Point (help here).

I did everything with the Luci web interface, I know how to connect with SSH.

I manager to create the VPN on the OpenWRT with openvpn-ssl and openvpn-luci ui.
and verified that the router is connected through the VPN

But devices connected to the wireless OpenWRT Radio are not passing through the VPN, just normal Internet.

What am I missing? I tried a lot with the firewall but no luck.
All guides talk about WAN, I don't have a WAN interface and I don't need it.

I mostly follow this guide:

I tried searching a lot of guides, youtube, but there is not much information, it's like nobody does this stuff, it's so simple but nobody records the steps lol.
Many talk about creating the VPN but they don't show how to actually link them with the wireless radio or the interfaces.

I don't care if OpenWRT is on the same subnet or not, I can start a fresh install, just help me how I can do this please.

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdd0:b704:78bd::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.1.2'
	option gateway '192.168.1.1'
	list dns '192.168.1.1'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '0'

config interface 'OpenVPN'
	option proto 'none'
	option device 'tun0'
	option type 'bridge'

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/10300000.wmac'
	option channel '1'
	option band '2g'
	option htmode 'HT20'
	option country 'AR'
	option cell_density '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option mode 'ap'
	option ssid 'OpenWrt1'
	option encryption 'psk2'
	option key 'xxxxx'
	option network 'lan'

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option ignore '1'
	option dynamicdhcp '0'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone 'lan'
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone 'wan'
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list device 'tun0'
	list network 'OpenVPN'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'```

asyba · October 21, 2022, 8:57pm

I just fond this

If on my device that connects to the AP, I Ignore the auto DHCP and set the Gateway manually to the OpenWRT IP and not the main router, the VPN works on the device!!

psherman · October 21, 2022, 8:58pm

Yes, that is one solution.

Or, if your intention is to only have the devices that should use the VPN connect to a unique wifi network, you can create a new network on your device and then route that network through the VPN.

asyba · October 21, 2022, 9:16pm

how I can do this " you can create a new network on your device and then route that network through the VPN."
would like to do something to avoid setting ip/gateway manually on each device client that I want to connect to the specific AP that will only be used for VPN.

psherman · October 21, 2022, 9:20pm

Create a new network first, then associate that with a the wifi radio using a different SSID than your regular network uses. You can follow the dumb AP + guest wifi tutorial as a general guideline here. In this case, the new network will belong to a new firewall zone, and that zone will only have forwarding to the VPN zone (and not to the lan zone).

asyba · October 21, 2022, 9:26pm

mmm its what I did...

what is "new network" for you? on luci I can only create interface or wireless, not option to create network.

mk24 · October 21, 2022, 9:29pm

I would first set this up as a lan->wan router by starting an AP on lan, then creating a wan network using DHCP on the Ethernet port (which will be connected to the home LAN).

Then the conventional directions can be used to set up the VPN client as if it's a whole house VPN. Except the "house" under VPN will be only the Apple TV and whatever else is connected to the WR802 wifi.

psherman · October 21, 2022, 9:29pm

New interface on a different subnet.

In the network file:

config interface 'vpnwifi'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.10.1'

Then in the wireless file...

config wifi-iface 'default_radio0'
	option device 'radio0'
	option mode 'ap'
	option ssid 'OpenWrt1'
	option encryption 'psk2'
	option key 'xxxxx'
	option network 'vpnwifi'

And finally, in the firewall:

config zone 'vpnwifi'
	option name 'vpnwifi'
	list network 'vpnwifi'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config forwarding
	option src 'vpnwifi'
	option dest 'wan'

asyba · October 21, 2022, 9:40pm

but where do you link "lan" ??
lan is where I have the ethernet port to get internet from the router, if not the new vpnWIFI will have no internet connection

psherman · October 21, 2022, 9:41pm

Leave lan as it is and the new network will actually work. I didn’t mention that you will want to setup a dhcp server for the new network, too.

asyba · October 21, 2022, 9:42pm

is there a guide to do that?
"then creating a wan network using DHCP on the Ethernet port" if I do this I will lose connection to the OpenWRT I think
"Then the conventional directions can be used " ??? what directions?

psherman · October 21, 2022, 9:47pm

If you want to go this route, you just factory reset your router, then change the LAN IP to something that doesn't conflict with the upstream network (i.e .192.168.10.1/24). Enable wifi with a unique SSID and password. Then remove eth0 from the lan bridge and create a new wan network (typically with a simple DHCP protocol on it) and associate eth0 with the wan. Setup the VPN. Connect your devices to wifi and you'll be set.

asyba · October 21, 2022, 11:17pm

okay that is good.
but how I do that?
I factory reset, then create the ssid, then when I go to LAN set Devices unsepecific (you told me to remove eth0) but then it does't work after 90 seconds it rollback safemode.
so how I can remove eth0 from the bridge??
Note: I was try to remove connected with the Wifi to ssid

psherman · October 21, 2022, 11:23pm

Before you remove eth0 from the lan bridge, you need to be connected to the wifi. Otherwise it will rollback to prevent you from being locked out.

asyba · October 21, 2022, 11:28pm

that is for changing IP, I did that and it work.
this is for removing the bridge that is after, there is no button to Apply Unchecked

asyba · October 21, 2022, 11:29pm

also the wifi on created is linked with lan ence the bridge eht0.
if I remove eht0 from lan , it makes wifi not work, so I cannot connect to the router same on ethernet.

psherman · October 21, 2022, 11:33pm

When you remove eth0 from the lan bridge, you will be breaking the wifi internet connectivity. But you should still be able to administer the router.

Once you setup the ethernet port as a wan, you will then be able to access the internet again (provided that you have changed the subnet of the downstream network so that it doesn't conflict with the upstream network).

asyba · October 21, 2022, 11:39pm

I think I did it but now the router has no internet same devices on the wifi openwrt.

psherman · October 21, 2022, 11:40pm

let's see the config files.

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:

Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

asyba · October 21, 2022, 11:48pm

root@OpenWrt:~# cat /etc/config/network



config interface 'loopback'

	option device 'lo'

	option proto 'static'

	option ipaddr '127.0.0.1'

	option netmask '255.0.0.0'



config globals 'globals'

	option ula_prefix 'fd70:13bf:2451::/48'



config device

	option name 'br-lan'

	option type 'bridge'

	list ports 'eth0'



config interface 'lan'

	option proto 'static'

	option netmask '255.255.255.0'

	option ip6assign '60'

	option ipaddr '192.168.10.1'

	option device 'wlan0'



config switch

	option name 'switch0'

	option reset '1'

	option enable_vlan '0'



config interface 'WAN'

	option proto 'dhcp'

	option device 'eth0'



root@OpenWrt:~# cat /etc/config/wireless



config wifi-device 'radio0'

	option type 'mac80211'

	option path 'platform/10300000.wmac'

	option channel '1'

	option band '2g'

	option htmode 'HT40'

	option country 'AR'

	option cell_density '0'



config wifi-iface 'default_radio0'

	option device 'radio0'

	option network 'lan'

	option mode 'ap'

	option ssid 'GALA1'

	option encryption 'psk2'

	option key '4237345fj'



root@OpenWrt:~# cat /etc/config/dhcp



config dnsmasq

	option domainneeded '1'

	option boguspriv '1'

	option filterwin2k '0'

	option localise_queries '1'

	option rebind_protection '1'

	option rebind_localhost '1'

	option local '/lan/'

	option domain 'lan'

	option expandhosts '1'

	option nonegcache '0'

	option authoritative '1'

	option readethers '1'

	option leasefile '/tmp/dhcp.leases'

	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'

	option nonwildcard '1'

	option localservice '1'

	option ednspacket_max '1232'



config dhcp 'lan'

	option interface 'lan'

	option start '100'

	option limit '150'

	option leasetime '12h'

	option dhcpv4 'server'

	option dhcpv6 'server'

	option ra 'server'

	list ra_flags 'managed-config'

	list ra_flags 'other-config'



config dhcp 'wan'

	option interface 'wan'

	option ignore '1'



config odhcpd 'odhcpd'

	option maindhcp '0'

	option leasefile '/tmp/hosts/odhcpd'

	option leasetrigger '/usr/sbin/odhcpd-update'

	option loglevel '4'



root@OpenWrt:~# cat /etc/config/firewall



config defaults

	option input 'ACCEPT'

	option output 'ACCEPT'

	option forward 'REJECT'

	option synflood_protect '1'



config zone

	option name 'lan'

	option input 'ACCEPT'

	option output 'ACCEPT'

	option forward 'ACCEPT'

	list network 'lan'

	option masq '1'



config zone

	option name 'wan'

	option input 'REJECT'

	option output 'ACCEPT'

	option forward 'REJECT'

	option masq '1'

	option mtu_fix '1'

	list network 'WAN'



config forwarding

	option src 'lan'

	option dest 'wan'



config rule

	option name 'Allow-DHCP-Renew'

	option src 'wan'

	option proto 'udp'

	option dest_port '68'

	option target 'ACCEPT'

	option family 'ipv4'



config rule

	option name 'Allow-Ping'

	option src 'wan'

	option proto 'icmp'

	option icmp_type 'echo-request'

	option family 'ipv4'

	option target 'ACCEPT'



config rule

	option name 'Allow-IGMP'

	option src 'wan'

	option proto 'igmp'

	option family 'ipv4'

	option target 'ACCEPT'



config rule

	option name 'Allow-DHCPv6'

	option src 'wan'

	option proto 'udp'

	option dest_port '546'

	option family 'ipv6'

	option target 'ACCEPT'



config rule

	option name 'Allow-MLD'

	option src 'wan'

	option proto 'icmp'

	option src_ip 'fe80::/10'

	list icmp_type '130/0'

	list icmp_type '131/0'

	list icmp_type '132/0'

	list icmp_type '143/0'

	option family 'ipv6'

	option target 'ACCEPT'



config rule

	option name 'Allow-ICMPv6-Input'

	option src 'wan'

	option proto 'icmp'

	list icmp_type 'echo-request'

	list icmp_type 'echo-reply'

	list icmp_type 'destination-unreachable'

	list icmp_type 'packet-too-big'

	list icmp_type 'time-exceeded'

	list icmp_type 'bad-header'

	list icmp_type 'unknown-header-type'

	list icmp_type 'router-solicitation'

	list icmp_type 'neighbour-solicitation'

	list icmp_type 'router-advertisement'

	list icmp_type 'neighbour-advertisement'

	option limit '1000/sec'

	option family 'ipv6'

	option target 'ACCEPT'



config rule

	option name 'Allow-ICMPv6-Forward'

	option src 'wan'

	option dest '*'

	option proto 'icmp'

	list icmp_type 'echo-request'

	list icmp_type 'echo-reply'

	list icmp_type 'destination-unreachable'

	list icmp_type 'packet-too-big'

	list icmp_type 'time-exceeded'

	list icmp_type 'bad-header'

	list icmp_type 'unknown-header-type'

	option limit '1000/sec'

	option family 'ipv6'

	option target 'ACCEPT'



config rule

	option name 'Allow-IPSec-ESP'

	option src 'wan'

	option dest 'lan'

	option proto 'esp'

	option target 'ACCEPT'



config rule

	option name 'Allow-ISAKMP'

	option src 'wan'

	option dest 'lan'

	option dest_port '500'

	option proto 'udp'

	option target 'ACCEPT'