Help setup OpenWrt VPN with single port TL-WR802N

Yes, it was MAC binding.
From an old setup I bound an RPi to .105 and never could remove that for some reason, and DHCP took that .105, aggh. I changed it to another one, assigned it in the DHCP reservation list to .160, and now I have internet!!

Now I will start with the VPN setup.

Great!! Once the vpn is running, we will make a minor tweak to the firewall and you’ll be done!

So VPN setup done. I tested what my IP is and it is correct (from another country), but no internet connection while connected to Wi-Fi, so firewall?


Yes. Assign the vpn to a new firewall zone.

Forward and input = reject
Output = accept

Forward from lan zone > vpn zone.

Remove forwarding from lan > wan.

Mm, but I need to create an interface first??

There is no option for vpn, only for lan or wan:

If you’re using OpenVPN, create an interface with dev tun0 and proto none (unmanaged). Then link that to the firewall zone.

okay


Here on the WAN -> Reject, edit and add tun0 to the covered networks?

Did you create a new zone for the vpn?

Mm, like this

Yes. Enable masquerading and assign the vpn to that zone.
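The interface, zone, forwarding and masquerading steps from the replies above, written out as UCI config (an added example, not from the thread): the interface name 'vpn' and the device name tun0 are assumptions, tun0 being the usual OpenVPN client device, and option mtu_fix is an addition the replies do not mention.

```uci
# /etc/config/network
config interface 'vpn'
	option proto 'none'        # unmanaged: OpenVPN brings tun0 up and down itself
	option device 'tun0'       # use 'option ifname' on releases before 21.02

# /etc/config/firewall
config zone
	option name 'vpn'
	list network 'vpn'         # links the zone to the interface above
	option input 'REJECT'      # nothing from the tunnel may reach the router itself
	option output 'ACCEPT'     # the router may send through the tunnel
	option forward 'REJECT'    # no intra-zone forwarding
	option masq '1'            # NAT LAN clients behind the tunnel address
	option mtu_fix '1'         # clamp TCP MSS; the tunnel MTU is smaller than the LAN's

config forwarding
	option src 'lan'
	option dest 'vpn'          # LAN clients may only exit via the tunnel

# Delete (or comment out) the existing lan -> wan forwarding. With it gone,
# LAN clients lose internet access whenever the tunnel is down instead of
# silently falling back to the plain WAN path:
#config forwarding
#	option src 'lan'
#	option dest 'wan'
```

After editing, apply with `/etc/init.d/network restart` and `/etc/init.d/firewall restart`, then confirm the public IP from a LAN client is the VPN endpoint's.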

I think I have it working.
I have DNS leaks based on this https://www.expressvpn.com/es/dns-leak-test
What can I do to prevent that?

I just use a known public dns and I don’t worry too much about it. Or you can specify the system dns based on the other endpoint. However, this is not trivial to set dynamically (i.e. when the tunnel is up).

Although, you’re using OpenVPN, right? You can actually add dns as a client side directive.

Yes, OpenVPN. OK, I will read some of those docs later.

Other question: I'm testing speed.

Notebook connected to the OpenWrt AP wirelessly.
VPN OFF OpenWrt: 37Mb download, 30Mb upload.
VPN ON OpenWrt: 6Mb download, 7Mb upload.
VPN ON but using the app installed on the notebook: 28Mb download, 2Mb upload.

How or why is download speed so slow with the VPN on inside OpenWrt? Is there a way I can improve it?
I tested 10 cm from the AP over wireless.
ISP max speed: 300Mb
Testing with https://www.waveform.com/tools/bufferbloat

Note: the OpenWrt router's Ethernet has a max of 100Mb and wireless a max of 300Mb, kind of dumb; I can never reach more than 100Mb because Ethernet limits it to 100Mb (WAN connected to the main router).

Not sure why I can't get more than 50Mb of regular speed on the OpenWrt. I guess the TP-Link router is very bad and has a tiny antenna; it was designed for traveling so it's very small. I guess it's because of that..?

Unfortunately I never tested the stock firmware before I started right away flashing with OpenWrt.

Another idea I had was to make the OpenWrt a repeater as in this video https://youtu.be/928iaf374FU, so copy the Wi-Fi from my main router, connect the OpenWrt as a client, then retransmit on another SSID and test speed with that; maybe I can get more than 100Mb like that? Also I can use the Ethernet port to connect a device. I never made it work (I guess I know the issue now: it could be the MAC binding issue that prevented me).

Mmm, maybe it is because of the CPU.

Mine should be the mt7621 or a close one??? And based on the performance, it's about what I'm getting, close to 20Mb.
Maybe with WireGuard I can get more?


Oh wait, it is the other one, mt7628, and on WireGuard it shows 0, so it will not work? Or nobody reported it, mmmm.

OpenVPN is an older and very CPU intensive VPN protocol. You will not be able to get faster speeds unless you get a much faster router (for OpenVPN, that tends to be in the range of x86 devices to get line rate vpn).

Use WireGuard if your vpn provider offers it. Much faster!

Yes - small, inexpensive, power limited device has slow performance, at least by modern standards. Again, a more modern device will perform better.

Don’t even bother with this device. Performance will be very poor.

Is it possible to somehow set up the main router (not OpenWrt) so that a specific connected IP device goes to the OpenWrt router first, uses the VPN tunnel, and then goes back to the main router and continues out to the internet? To avoid using the OpenWrt AP Wi-Fi for that device.
Using static routing?

I'm not sure I totally understand what you're asking here, but if I'm getting your thought, no, this is not possible.

Your main router would need to have a system to provide a different gateway to the device in question... most routers do not have a way to do this... it is possible with RADIUS based systems, but that is seriously overkill. Static routing is not going to help you here, although Policy Based Routing could be useful.... you'd need to connect through your OpenWrt device though, so you don't fix the issue of that being low performance even without using the VPN.

From there, your choice is to either send the traffic through the VPN tunnel or via the main router. When traffic goes through the VPN, it is not possible to send the traffic back to the main router out to the internet (this is the part of your question that I don't totally understand, but the device using the VPN isn't even aware that the main router exists because of the tunnel) except insofar as the VPN tunnel itself uses the main router as its gateway.