Help setup OpenWrt VPN with single port TL-WR802N

asyba · October 22, 2022, 2:59am

ping to my iphone
at first nothing so I exit comand , but I tried again to check what happens if leave more time and got something .. very slow ?..

root@OpenWrt:~# ping 192.168.1.125
PING 192.168.1.125 (192.168.1.125): 56 data bytes

64 bytes from 192.168.1.125: seq=62 ttl=64 time=3.691 ms
64 bytes from 192.168.1.125: seq=63 ttl=64 time=27.504 ms
64 bytes from 192.168.1.125: seq=64 ttl=64 time=35.653 ms
64 bytes from 192.168.1.125: seq=65 ttl=64 time=76.718 ms
64 bytes from 192.168.1.125: seq=66 ttl=64 time=4.099 ms


^C
--- 192.168.1.125 ping statistics ---
110 packets transmitted, 5 packets received, 95% packet loss
round-trip min/avg/max = 3.691/29.533/76.718 ms
root@OpenWrt:~#

psherman · October 22, 2022, 3:04am

If your phone was sleeping, that could explain the slowness.

But the fact that you are getting ping responses from your iPhone is promising. If you have another computer on your main router, it would be good to ping that.

This suggests that your main router may have blocked this device for some reason... maybe the IP & MAC binding is doing something? Are there any other pages such as firewall rules or MAC address allow/block lists?

asyba · October 22, 2022, 3:19am

yess it was Mac binding.
from an old setup i bind a RPI to .105 and never could remove that for some reason, and the DCHP took that 105 aggh I changed to another one and assigned to dhcp reservation list to .160 and now I have internet!!

asyba · October 22, 2022, 3:22am

now I will start with vpn setup.

psherman · October 22, 2022, 3:33am

Great!! Once the vpn is running, we will make a minor tweak to the firewall and you’ll be done!

asyba · October 22, 2022, 3:36am

so vpn setup done, I tested what is my ip and is correct from other country, but no internet connection while connecting to Wifi, so firewall ?

psherman · October 22, 2022, 3:38am

Yes. Assign the vpn to a new firewall zone.

Forward and input = reject
Output = accept

Forward from lan zone > vpn zone.

Remove forwarding from lan > wan.

asyba · October 22, 2022, 3:50am

mm but I need to create an interface before??

there is no option for vpn only for lan or wan:

psherman · October 22, 2022, 3:52am

If you’re using OpenVPN, create an interface with dev tun0 and proto none (unmanaged). Then link that to the firewall zone.

asyba · October 22, 2022, 3:54am

okay

here on the WAN -> Reject Edit and add covered networks the tun0?

psherman · October 22, 2022, 3:56am

Did you create a new zone for the vpn?

asyba · October 22, 2022, 4:00am

mm like this

psherman · October 22, 2022, 4:12am

Yes. Enable masquerading and assign the vpn to thst zone.

asyba · October 22, 2022, 4:52pm

I think I have it working.
I have DNS leaks base on this https://www.expressvpn.com/es/dns-leak-test
what I can do to prevent that?

psherman · October 22, 2022, 5:15pm

I just use a known public dns and I don’t worry too much about it. Or you can specify the system dns based on the other endpoint. However, this is not trivial to set dynamically (I.e when the tunnel is up).

psherman · October 22, 2022, 5:19pm

Although, you’re using OpenVPN, right? You can actually add dns as a client side directive.

asyba · October 22, 2022, 6:33pm

yes openVPN ok I will read some of those docs later.

other question, Im testing speed.

notebook connected to the AP Openwrt with wireless.
VPN OFF openwrt: 37Mb download, 30Mb upload.
VPN ON openwrt: 6Mb download, 7mb upload.
VPN ON but using the app installed notebook: 28Mb download, 2Mb upload.

How or why download speed is so slow with vpn on inside openwrt? is there a way that I can improve?
I tested 10cm close to the AP by wireless.
ISP Max speed 300Mb
Testing with https://www.waveform.com/tools/bufferbloat

Note: the openwrt router Ethernet has max 100Mb and wireless max 300Mb, kind of dumb, I can never reach more than 100Mb, because ethernet makes limit to 100mb (WAN connected to main router)

Not sure why I can't get more than 50mb of regular speed on the openwrt I guess the tplink router is very bad and tiny antena, was designed for traveling so its very small, I guess is because of that.. ?

Unfortunately I never tested the stock firmware before I started right away flashing with Openwrt

Other idea that I have was to make the OpenWRT as repeater from this video https://youtu.be/928iaf374FU , so copy the Wifi from my main router and connect as client to the openwrt to then re-trasmit to another ssid and test speed with that, maybe more than 100mb I can get like that? also i can use the Ethernet port to connect to a device , I never make it work (I guess I know the issue now could be the MAC binding issue that prevent me)

asyba · October 22, 2022, 6:42pm

mmm maybe is because of the CPU

my should be the mt7621 or close one ??? and base on the performance is about Im getting, close to 20mb
maybe with wireguard I can get more?

asyba · October 22, 2022, 6:43pm

o wait is the other mt7628 and on wireguard shows 0, so it will not work? or nobody report it mmmm

psherman · October 22, 2022, 6:44pm

OpenVPN is an older and very cpu intensive vpn protocol. You will not be able to get faster speeds unless you get a much faster router (for OpenVPN, that tends to be in the range of x86 devices to get line rate vpn).

Use wireguard if your vpn provider offers it. Much faster!

Yes - small, inexpensive, power limited device has slow performance, at least by modern standards. Again, a more modern device will perform better.

Don’t even bother with this device. Performance will be very poor.