Issues with OpenVPN tunnel on TL-WR902AC

Hi guys,

I'm having trouble setting up an OpenVPN connection with my TL-WR902AC running OpenWrt.

What I want to achieve:

  • Provide a Wifi network, which leads all traffic to a VPN server. So my TL-WR902AC should act as an access point, which runs a VPN client and routes all wifi data through the VPN tunnel.

What I did:

  • Flashed the TL-WR902AC with OpenWrt
  • Changed the static address (192.168.1.1) to DHCP. --> So when connecting the WR902AC with a LAN cable to my router, it retrieves a local IP address and I can reach the Luci Interface.
  • Downloaded and installed OpenVPN and the Luci Interface for it
  • Created a Wifi network, which I can connect to. The connected clients get local IP addresses from my main router, as it was meant to be.
  • Created a new OpenVPN client by uploading the config file I exported from my VPN server. (If I use this config file and use it unchanged in the openvpn app on my iphone, the tunnel works fine and all traffic runs through VPN).
  • Created a new interface 'vpnclient', unmanaged and with device 'tun0'.
  • Changed the new interface 'vpnclient', so I created a new firewall zone on the firewall tab called 'vpnclient'.
  • Then in the firewall section (Network->Firewall) I have the zones LAN(green) => WAN(red), WAN(red) and vpnclient(green). I have edited the zone LAN=>WAN and added 'vpnclient' to the "allow forward to destination zones" dropdown. So it now says LAN=>WAN & vpnclient.
  • I checked the checkbox 'masquerading' also for vpnclient (it was already checked for WAN).
  • I did not change anything in my ovpn config file, except that I have added username and password to the text box and in the ovpn editor I added the path behind 'auth-user-pass'. (Just a question for now: Do I have to change the line 'dev tun' to 'dev tun0'?)

My issues:

  • When I have done all steps above and when I press 'start' on my openvpn connection, nothing happens.
  • When I check the checkbox 'enable' and press save, the TL-WR902AC is connecting to the VPN server (I can see that on my VPN server side), but I can't open Luci anymore. So I'm totally locked out of my TL-WR902AC. When I unplug and plug it again, I can connect for a millisecond, but as the VPN connection is being set up automatically, I'm locked immediately again.
  • Even though the TL-WR902AC is now connected to the VPN server, it unfortunately doesn't seem to tunnel all traffic through the VPN connection, as I do not have the IP address of the VPN server gateway. I still have the VPN address of the location I'm using the TL-WR902AC VPN.

Question:

  • How do I manage to be able to open Luci, even when I have started my VPN? I have to reflash my device, as I can never manage my device anymore.
  • What am I missing to route all traffic through my VPN tunnel?
  • When I use the iphone app with the exact same ovpn config file, it is working fine. After connecting I can see that I have the IP address of the internet connection behind the VPN server.

Experts, I'm quite stuck and hope one of you could help me out of trouble!

Forgot to say: All openvpn config I have got from this video:

Thank you & best regards,
Arne

What OpenWrt version did you install, considering it's an 8/64 device?

Hey frollic,

thank you for the quick answer!
These are my details:

Hostname OpenWrt
Model TP-Link TL-WR902AC v3
Architecture MediaTek MT7628AN ver:1 eco:2
Target Platform ramips/mt76x8
Firmware Version OpenWrt 22.03.5 r20134-5f15225c1e / LuCI openwrt-22.03 branch git-23.093.57104-ce20b4a
Kernel Version 5.10.176

I just forgot to say that even though I can't access LuCI anymore, I can still connect to wifi and have internet access. But without tunneling…

Does anybody have an idea?

Thank you & best regards,
Arne

I think you're out of flash space, but it's only a guess.

Hmm, that could be. Or I lock myself out with the VPN connection somehow, so I can't access Luci anymore.
But could that also be the reason for not using the tunnel for the internet? Or am I missing anything, like the '0' of tun0 in the ovpn file ('dev tun0' instead of 'dev tun')?

Thank you & best regards

I guess I have found out my issue:

  • I have set up the LAN Interface as DHCP client to retrieve an IP address of my main router and to be able to reach the configuration page of openwrt

  • That works well as a dumb access point, where each wifi connection is just retrieving its own IP from my main router, which is connected via LAN to my openwrt router. Internet on the Wi-Fi clients works fine.

  • Now I have installed OpenVPN. Could it be that the problem is the fact that both routers (the main router with dhcp and my openwrt router) are in the same network?

  • If my openwrt router with the WiFi clients has to have its own IP area, how can I give the openwrt router access to the internet and how do I have to do the configuration?

I hope my issue is understandable?

Thank you & best regards

The main issue is that the devices on your network will use the main router as the gateway. You need to instruct them otherwise, but that becomes a bit cumbersome.

The easiest solution is to run your WR902AC in normal routed mode (where the WAN would be the upstream/main network, and you'd create a separate LAN behind this device). Then, when you run OpenVPN (or WG or any tunnel), the devices will be using the WR902AC as their gateway, which will in turn be sending all traffic through the tunnel.

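The firewall side of the routed-mode layout suggested in the reply above, as an added example that is not part of the original thread. It assumes the router is already in routed mode with OpenWrt's default 'lan' and 'wan' zones and that the OpenVPN client creates tun0; the section names `vpn_zone` and `lan_to_vpn` are made up for illustration.

```shell
#!/bin/sh
# Added example. Assumptions (not from the thread): the router is already in
# routed mode with default 'lan' and 'wan' zones, and OpenVPN creates tun0.
VPN_IF="vpnclient"   # interface/zone name used in the thread
VPN_DEV="tun0"       # 'dev tun0' in the .ovpn pins this name

setup_vpn_zone() {
    # Unmanaged interface (proto 'none') bound to the tunnel device.
    uci set network.$VPN_IF=interface
    uci set network.$VPN_IF.proto='none'
    uci set network.$VPN_IF.device="$VPN_DEV"
    # Tunnel zone: reject traffic arriving from the VPN side, NAT what leaves.
    uci set firewall.vpn_zone=zone
    uci set firewall.vpn_zone.name="$VPN_IF"
    uci set firewall.vpn_zone.input='REJECT'
    uci set firewall.vpn_zone.output='ACCEPT'
    uci set firewall.vpn_zone.forward='REJECT'
    uci set firewall.vpn_zone.masq='1'
    uci set firewall.vpn_zone.mtu_fix='1'
    uci add_list firewall.vpn_zone.network="$VPN_IF"
    # Clients behind the router may be forwarded into the tunnel.
    uci set firewall.lan_to_vpn=forwarding
    uci set firewall.lan_to_vpn.src='lan'
    uci set firewall.lan_to_vpn.dest="$VPN_IF"
}

drop_lan_to_wan() {
    # Default configs carry lan -> wan as the first forwarding. Removing it
    # means client traffic stops instead of leaving untunnelled when the VPN
    # is down. Delete only if the section really is lan -> wan.
    if [ "$(uci -q get 'firewall.@forwarding[0].src')" = "lan" ] &&
       [ "$(uci -q get 'firewall.@forwarding[0].dest')" = "wan" ]; then
        uci delete 'firewall.@forwarding[0]'
    fi
}

# Run as "sh script.sh apply" on the router; without the argument nothing changes.
if [ "${1:-}" = "apply" ]; then
    setup_vpn_zone
    drop_lan_to_wan
    uci commit network
    uci commit firewall
    /etc/init.d/network reload
    /etc/init.d/firewall reload
fi
```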

Hi PSherman,

thank you for the answer!
Sounds like it can't be done the way I thought. But maybe you have other ideas for me how to achieve my goal.

What I wanted to do:

  • Make it possible to connect from my second location to my home location, so I can do streaming with the IP address of my home location.
  • Make it possible to connect on that second location to a special wifi, that has the tunnel to my home location. That's why my idea to use the TL-WR902AC to have my own wifi. But all other clients should use the ordinary wifi on my second location, which has no tunnel.
  • At my home location I already have an OpenVPN server running, which works fine with e.g. the OpenVPN iPhone app.

Thank you for any ideas/recommendations!

Br Arne