Help with configuring LAN->VPN->WWAN

Hello!

I have a linksys WRT160NL router with clean OpenWrt 19.07.10 installed.

I want to:

  • connect two devices (TVs) via Ethernet cable to the router
  • force their traffic exclusively through the OpenVPN client installed on the router to a paid server (SurfShark)
  • configure outgoing traffic from the router to go through another already existing WiFi network by connecting to it as a client (the WiFi is managed by a separate device which I do not control)

I don't care about pretty network extensions with the existing WiFi; the LAN I want to build here can be separate. I also don't want any fancy VLANs or anything special, just the bare minimum needed here to make this work. I can work through the CLI (SSH) or LuCI, both are fine for me.

So far, with various trials and errors and by following OpenWrt's documentation, I managed to:

  • install and configure the VPN client, connect it to the server, and have the router route outgoing traffic successfully through the VPN (I'm guessing here that I did it correctly - not sure, just that I can see the latency going way up whilst doing a traceroute when the OpenVPN client is running)
  • connect to the existing WiFi network so that the router can use it (I can curl google.com and other stuff from the router itself)

But, no matter what I tried, my TVs do not have a network connection to the outside world. I simply cannot visit any website, or do anything with the established wired connection, other than load the LuCI interface. It always ended with the router working fine, but nothing else connected to it.

As a minor note, the VPN killswitch also never worked for me: I was able to stop the client and just use the internet with low latency, but I think I shouldn't be able to do that at all?

I spent quite a few hours trying to do that by myself and with existing forum answers, but just nothing works for me. In fact I feel like my configuration is now at all-time low, since now on a fresh OpenWrt, with just the WiFi configured as a client, my LAN devices don't have any network connection to the internet, even though the router has.

Feel free to assume that I'm starting from a blank OpenWrt config, since resetting is already second nature to me now :)

Did you follow the guide?

The most important points in summary:
The lan and wwan interfaces must be on different subnets, and the wwan interface must be assigned to the wan firewall zone.

2 Likes
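An added check for the two rules just stated, plus the kill-switch condition raised earlier in the thread (the lan zone may forward to the vpn zone only, never straight to wan, so stopping the client leaves the TVs without a route instead of leaking). This is example code, not from the thread or OpenWrt; it parses the text that `uci export network` and `uci export firewall` print, and the sample configs inside it are constructed.

```python
"""Added example, not from the thread: parses `uci export network`/`uci export firewall`
text and checks lan/wwan on different subnets, wwan in the wan zone, and the kill-switch
condition (lan forwards only to vpn). Samples are constructed; wwan is DHCP, so its
subnet comes from the lease it got upstream (192.168.0.x in the thread), not the config."""
import ipaddress
import shlex

NETWORK = """config interface 'lan'
	option proto 'static'
	option ipaddr '192.168.10.1'
	option netmask '255.255.255.0'
config interface 'wwan'
	option proto 'dhcp'
"""
FIREWALL = """config zone
	option name 'lan'
	list network 'lan'
config zone
	option name 'wan'
	list network 'wwan'
config zone
	option name 'vpn'
	list network 'vpn'
config forwarding
	option src 'lan'
	option dest 'vpn'
"""

def parse_uci(text):
    """uci export text -> [(type, name, {key: [values]})]; 'list' keys accumulate."""
    sections = []
    for parts in (shlex.split(line) for line in text.splitlines()):
        if parts and parts[0] == "config":
            sections.append((parts[1], parts[2] if len(parts) > 2 else "", {}))
        elif parts and parts[0] in ("option", "list") and sections:
            sections[-1][2].setdefault(parts[1], []).append(parts[2])
    return sections

def zone_of(fw, iface):
    """Name of the firewall zone whose network list holds iface, or None."""
    return next((o["name"][0] for t, _, o in fw if t == "zone" and iface in o.get("network", [])), None)

def check(network_cfg, firewall_cfg, wwan_addr):
    """wwan_addr is the lease wwan got upstream, e.g. '192.168.0.125/24' as in the thread."""
    net, fw = parse_uci(network_cfg), parse_uci(firewall_cfg)
    lan = next(o for t, n, o in net if t == "interface" and n == "lan")
    lan_net = ipaddress.ip_interface(f"{lan['ipaddr'][0]}/{lan['netmask'][0]}").network
    lan_zone, wwan_zone = zone_of(fw, "lan"), zone_of(fw, "wwan")
    lan_fwd = {o["dest"][0] for t, _, o in fw if t == "forwarding" and o["src"][0] == lan_zone}
    return {"separate_subnets": not lan_net.overlaps(ipaddress.ip_interface(wwan_addr).network),
            "wwan_in_wan_zone": wwan_zone == "wan",
            "killswitch": bool(lan_fwd) and wwan_zone not in lan_fwd}
```

Run it against your own `uci export` output and the address `ip -4 addr` shows on the wwan interface; a lan-to-wan forwarding entry is what defeats the kill switch.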

Hi, thanks for the answer.

Yes, I did. And just to be sure I did it again, just now, with a fresh OpenWrt config (by performing a reset beforehand).

And just to be double sure - I also moved my router to a different subnet (192.168.10.1) as advised.
There shouldn't be any conflicts, because when I connect directly to the WiFi network of the WAN-enabled router (the one I don't control), I get this IP: 192.168.0.125, so it must be on a different subnet.

Anyway, I do have an internet connection on the router (I can curl/traceroute google.com), but my laptop can't, even though it's connected directly by Ethernet cable to LAN port no. 1 on the linksys.

I presume the router's wan gateway is 192.168.0.1
Can you ping it from your laptop?
Run this (on the router) to see if it makes a difference:

iptables -t mangle -I PREROUTING -i wlan+ -j TTL --ttl-set 64
1 Like

I presume the router's wan gateway is 192.168.0.1

That's correct.

Can you ping it from your laptop?

I can't.

ping 192.168.0.1
ping: connect: Network is unreachable

But I can ping it from the linksys, if that helps.

As for the iptables - I first needed to install two packages to get the --ttl-set flag working:

opkg install iptables-mod-ipopt kmod-ipt-ipopt

I found it here: https://forum.archive.openwrt.org/viewtopic.php?id=33065

With that I added the iptables rule and tried again, but it didn't help the ping - it still says the network is unreachable.

iptables -L:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             /* !fw3 */
input_rule  all  --  anywhere             anywhere             /* !fw3: Custom input rule chain */
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED /* !fw3 */
syn_flood  tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN /* !fw3 */
zone_lan_input  all  --  anywhere             anywhere             /* !fw3 */
zone_wan_input  all  --  anywhere             anywhere             /* !fw3 */
zone_wan_input  all  --  anywhere             anywhere             /* !fw3 */

Chain FORWARD (policy DROP)
target     prot opt source               destination         
forwarding_rule  all  --  anywhere             anywhere             /* !fw3: Custom forwarding rule chain */
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED /* !fw3 */
zone_lan_forward  all  --  anywhere             anywhere             /* !fw3 */
zone_wan_forward  all  --  anywhere             anywhere             /* !fw3 */
zone_wan_forward  all  --  anywhere             anywhere             /* !fw3 */
reject     all  --  anywhere             anywhere             /* !fw3 */

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             /* !fw3 */
output_rule  all  --  anywhere             anywhere             /* !fw3: Custom output rule chain */
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED /* !fw3 */
zone_lan_output  all  --  anywhere             anywhere             /* !fw3 */
zone_wan_output  all  --  anywhere             anywhere             /* !fw3 */
zone_wan_output  all  --  anywhere             anywhere             /* !fw3 */

Chain forwarding_lan_rule (1 references)
target     prot opt source               destination         

Chain forwarding_rule (1 references)
target     prot opt source               destination         

Chain forwarding_wan_rule (1 references)
target     prot opt source               destination         

Chain input_lan_rule (1 references)
target     prot opt source               destination         

Chain input_rule (1 references)
target     prot opt source               destination         

Chain input_wan_rule (1 references)
target     prot opt source               destination         

Chain output_lan_rule (1 references)
target     prot opt source               destination         

Chain output_rule (1 references)
target     prot opt source               destination         

Chain output_wan_rule (1 references)
target     prot opt source               destination         

Chain reject (5 references)
target     prot opt source               destination         
REJECT     tcp  --  anywhere             anywhere             /* !fw3 */ reject-with tcp-reset
REJECT     all  --  anywhere             anywhere             /* !fw3 */ reject-with icmp-port-unreachable

Chain syn_flood (1 references)
target     prot opt source               destination         
RETURN     tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 25/sec burst 50 /* !fw3 */
DROP       all  --  anywhere             anywhere             /* !fw3 */

Chain zone_lan_dest_ACCEPT (4 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             /* !fw3 */

Chain zone_lan_forward (1 references)
target     prot opt source               destination         
forwarding_lan_rule  all  --  anywhere             anywhere             /* !fw3: Custom lan forwarding rule chain */
zone_wan_dest_ACCEPT  all  --  anywhere             anywhere             /* !fw3: Zone lan to wan forwarding policy */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* !fw3: Accept port forwards */
zone_lan_dest_ACCEPT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_lan_input (1 references)
target     prot opt source               destination         
input_lan_rule  all  --  anywhere             anywhere             /* !fw3: Custom lan input rule chain */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* !fw3: Accept port redirections */
zone_lan_src_ACCEPT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_lan_output (1 references)
target     prot opt source               destination         
output_lan_rule  all  --  anywhere             anywhere             /* !fw3: Custom lan output rule chain */
zone_lan_dest_ACCEPT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_lan_src_ACCEPT (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             ctstate NEW,UNTRACKED /* !fw3 */

Chain zone_wan_dest_ACCEPT (2 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere             ctstate INVALID /* !fw3: Prevent NAT leakage */
ACCEPT     all  --  anywhere             anywhere             /* !fw3 */
DROP       all  --  anywhere             anywhere             ctstate INVALID /* !fw3: Prevent NAT leakage */
ACCEPT     all  --  anywhere             anywhere             /* !fw3 */

Chain zone_wan_dest_REJECT (1 references)
target     prot opt source               destination         
reject     all  --  anywhere             anywhere             /* !fw3 */
reject     all  --  anywhere             anywhere             /* !fw3 */

Chain zone_wan_forward (2 references)
target     prot opt source               destination         
forwarding_wan_rule  all  --  anywhere             anywhere             /* !fw3: Custom wan forwarding rule chain */
zone_lan_dest_ACCEPT  esp  --  anywhere             anywhere             /* !fw3: Allow-IPSec-ESP */
zone_lan_dest_ACCEPT  udp  --  anywhere             anywhere             udp dpt:isakmp /* !fw3: Allow-ISAKMP */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* !fw3: Accept port forwards */
zone_wan_dest_REJECT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_wan_input (2 references)
target     prot opt source               destination         
input_wan_rule  all  --  anywhere             anywhere             /* !fw3: Custom wan input rule chain */
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootpc /* !fw3: Allow-DHCP-Renew */
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request /* !fw3: Allow-Ping */
ACCEPT     igmp --  anywhere             anywhere             /* !fw3: Allow-IGMP */
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT /* !fw3: Accept port redirections */
zone_wan_src_REJECT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_wan_output (2 references)
target     prot opt source               destination         
output_wan_rule  all  --  anywhere             anywhere             /* !fw3: Custom wan output rule chain */
zone_wan_dest_ACCEPT  all  --  anywhere             anywhere             /* !fw3 */

Chain zone_wan_src_REJECT (1 references)
target     prot opt source               destination         
reject     all  --  anywhere             anywhere             /* !fw3 */
reject     all  --  anywhere             anywhere             /* !fw3 */

Your laptop doesn't seem to have a default gateway set.
Did you set the IP configuration manually or via DHCP?

1 Like

Version 19.07 is old and unsupported. We can have a look, but it will be difficult to reproduce.

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </>" button.
Remember to redact passwords, MAC addresses and any public IP addresses you may have.

ubus call system board; \
uci export network; uci export wireless; \
uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
iptables-save -c; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
1 Like

Your laptop doesn't seem to have a default gateway set.
Did you set the IP configuration manually or via DHCP?

Yes, I did, and I think I forgot to change it back to DHCP. I switched it just now in case that was the problem, but unfortunately I still can't get the network up on this laptop.

But this prompted me to check the Ethernet connection with another laptop, and surprisingly to me, it works just fine.

Therefore, the issue must have been with my laptop's network configuration all along. Damn it.
I'm still not sure what's wrong, since switching to DHCP didn't change anything for me.

Okay, I found what was wrong with my laptop: the wired connection was not configured to use automatic routes, and instead it was using the (empty) list of routes in the GUI. So, any packet going out didn't know where to head, I think?

Here's my change:

I had this switched OFF for some reason. Switching it ON fixed the wired connection and thus network access through the linksys.

I don't want to close this thread just yet, since I need to ensure my VPN setup from yesterday (before reset) worked as expected.

Hi trendy,

Since the problem wasn't rooted in the OpenWrt config, I think it's not necessary to send this debug info? It would be full of defaults anyway. I'll send it if I get stuck somewhere again, though.

1 Like

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.