I installed OpenWrt 21.02.3 on my Linksys WRT1900AC v2 so that I can connect to a VPN WiFi (and switch back to my ISP router's WiFi whenever I want). Works well on my Android devices.
Whenever Apple users come to visit they can't connect with their Apple devices (2 iPhones and an iPad). They can connect to the WiFi, but it says there is no Internet on that connection. I spent over an hour with Apple tech support and didn't get a solution, but we did establish that the Apple devices can connect to the ISP router without issue and have Internet.
The Android devices can be switched to airplane mode; then, when you turn only the WiFi back on and connect to the VPN WiFi (Linksys), it has Internet access.
Switching off wireless security on the VPN router doesn't affect the situation for either the Apple devices (no Internet) or the Android devices (have Internet).
No doubt I've got some unusual setting in the OpenWrt configuration that Apple doesn't play nicely with.
Please copy the output of the following commands and post it here using the "Preformatted text </>" button.
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
I found a workaround. I don't know exactly which setting is wrong, but this gets it working.
On the iOS device, after connecting to the Linksys WiFi, I tap on the WiFi connection, which brings up a list of network options. One of those is DNS, which is Automatic by default. If I tap on that, change it to Manual, and then enter Google's DNS (8.8.8.8), the Internet connection works on the iOS device.
This worked on all three iOS devices I have access to right now.
This indicates that your DNS is probably not working as expected in your configuration.
So... looking at DNS specifically: what are the DNS entries that you've defined in your wan interface? It appears that they're for NordVPN, is that correct? These shouldn't be in your wan, and that could be part of the issue. You should use either the ISP/DHCP-advertised DNS or a public one (like 8.8.8.8) on your wan. Using DNS that is related to the VPN on your wan interface could cause a chicken-and-egg situation.
These are also likely to cause DNS problems... is there a reason you have made these changes?
On a slightly different topic, you've got your VPN set up in your wan zone... it seems that you had previously configured it differently, with the vpnfirewall zone, which would give you the ability to have a kill switch. When it is set up in the wan zone, a kill switch won't work. This isn't a problem per se, but the vpnfirewall zone doesn't do anything right now.
Also, on wireless, don't use psk-mixed unless you actually need to (i.e. for legacy devices). You should probably change this to psk2 (unless you want to use the newer WPA3; keep in mind that many devices don't work well when you use sae-mixed (WPA2/WPA3) mode, so you want to be either WPA2 or WPA3, not mixed).
```
config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option peerdns '0'
	list dns '8.8.8.8'
```
Apple devices working well now - thanks so much!
I suspect that the reason for most of these changed settings must have been either a previous VPN provider's suggestion or an uneducated attempt to block DNS leaks. I set up this router long ago originally.
I have just now followed this guide (only the first part, the web interface instructions) and it seems to be blocking DNS leaks now:
I also noted your point about mixed mode and have set it to use just wpa2-psk on both SSIDs now.
Regarding the firewall vpn kill switch you mentioned, I have now followed (probably re-followed given that the zone was already set up) the instructions here:
WAN and VPN are both input=reject, output=accept, forward=reject, enable masquerading
One point I'm not clear on: what should the settings be for the LAN -> vpn row? (In LuCI this is)
Currently I have input=accept, output=accept, forward=accept, disable masquerading. Is that correct, or should it match the others?
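As an added illustration of the kill-switch zone layout discussed in this thread (this is example configuration, not anything posted by the participants or taken from the guides they link), here is a `/etc/config/firewall` fragment in which the tunnel sits in its own zone and the LAN forwards only into that zone. It keeps the `vpnfirewall` zone name from the thread; the interface name `nordvpntun` is an assumption and must match whatever the VPN interface is called in `/etc/config/network`.

```text
# /etc/config/firewall (fragment) -- added example, not from the thread.
# The lan zone forwards only to 'vpnfirewall'. Because there is no
# 'lan' -> 'wan' forwarding, LAN clients have no path to the Internet
# while the tunnel is down; that absence IS the kill switch.

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

# 'nordvpntun' is an assumed interface name; it must exist in
# /etc/config/network and be bound to the tunnel device (e.g. tun0).
config zone
	option name 'vpnfirewall'
	list network 'nordvpntun'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

# The only forwarding rule. Adding a second 'lan' -> 'wan' forwarding
# would silently defeat the kill switch by giving traffic a fallback.
config forwarding
	option src 'lan'
	option dest 'vpnfirewall'
```

The router itself still reaches the VPN server and its resolvers through the wan zone (its own output is ACCEPT), which is why the wan interface's DNS should be the ISP's or a public resolver rather than the provider's tunnel-only DNS, as noted earlier. To confirm the switch actually works, stop the VPN service on the router and check from a LAN client that both `ping 8.8.8.8` and name resolution fail; if either still succeeds, look for a stray `lan` -> `wan` forwarding or for the tunnel interface having been added to the `wan` zone's network list.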