Mobile devices not routing through OpenVPN

Hi, I've installed OpenWrt on a TP-Link Archer C7 Wifi router. I set it up in bridge mode and it's working just fine as a wireless access point. Now I want the traffic that goes through it from the mobile devices in the house to go through a VPN.

I followed the setup instructions for Nord VPN at https://support.nordvpn.com/Connectivity/Router/1047411192/OpenWRT-CI-setup-with-NordVPN.htm. The VPN connection is getting set up and I can see from the logs on the TP-Link that it's getting an IP address in the UK (I'm connecting to a Nord VPN UK server):

Thu Jan  9 07:04:52 2020 daemon.notice openvpn(nordvpn)[6179]: /sbin/ifconfig tun0 10.8.0.27 netmask 255.255.255.0 mtu 1500 broadcast 10.8.0.255
Thu Jan  9 07:04:52 2020 daemon.notice openvpn(nordvpn)[6179]: /sbin/route add -net 178.239.160.204 netmask 255.255.255.255 gw 192.168.0.254
Thu Jan  9 07:04:52 2020 daemon.notice openvpn(nordvpn)[6179]: /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.8.0.1
Thu Jan  9 07:04:52 2020 daemon.notice openvpn(nordvpn)[6179]: /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.8.0.1
Thu Jan  9 07:04:52 2020 daemon.notice openvpn(nordvpn)[6179]: Initialization Sequence Completed

But my mobile devices are still showing with an Australian IP address when I look at whatismyipaddress.com. So it looks like the mobile device traffic isn't getting routed through the VPN. Is this because the TP-Link is in bridged mode, or have I misconfigured somewhere? I have this in /etc/config/firewall:

config zone
        option name 'vpnfirewall'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'nordvpntun'

config forwarding
        option src 'lan'
        option dest 'vpnfirewall'

Thanks in advance for any help.

The easy way is to revert it from dumbAP to routing mode. Then it can serve DHCP settings to the wireless clients with itself as gateway and redirect the incoming traffic to the VPN instead of the ISP.


Sorry, you should decide what you want:

  1. DumbAP functions as bridge without routing functions.
  2. RoutedAP functions as router.

Make another network and firewall zone for VPN users. This network would have a DHCP server and forward / NAT to the VPN tunnel. The LAN network remains bridged into the house LAN as in a standard dumb AP. Its main purpose is to connect the encrypted side of OpenVPN to the Internet. However the VPN users should never see it.

The VPN user network should be a bridge so you can connect a wifi AP to it as well as possibly some wired port(s) by using a VLAN through the switch.
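The answer above boils down to a firewall layout in which the VPN-user zone has exactly one forwarding, into the tunnel zone, and the bridged LAN zone has none. The following is an added example, not code from the thread or from OpenWrt: a small parser for the UCI config syntax used in /etc/config/firewall, plus a check that walks the parsed sections and reports any forwarding from the client zone that does not go into the tunnel zone (a path that would bypass the VPN), a missing forwarding into the tunnel zone, or a tunnel zone without masquerading. The zone and network names 'vpnusers', 'vpnfirewall' and 'nordvpntun', and the sample configs, are constructed for the example; 'vpnfirewall' and 'nordvpntun' follow the names used in the question.

```python
"""UCI firewall parser and VPN-leak check for a split LAN / VPN-user OpenWrt setup.

Added example. The config text below is constructed to mirror the advice in
the thread: a bridged 'lan' zone left alone, a routed 'vpnusers' zone whose
only forwarding goes into 'vpnfirewall' (the OpenVPN tun interface).
"""

# Constructed sample /etc/config/firewall (not the poster's actual file).
SAMPLE_FIREWALL = """
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'vpnusers'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'vpnusers'

config zone
        option name 'vpnfirewall'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'nordvpntun'

config forwarding
        option src 'vpnusers'
        option dest 'vpnfirewall'
"""

# Constructed variant with an extra forwarding that lets VPN users reach the
# ISP directly; the check below should flag it.
LEAKY_FIREWALL = SAMPLE_FIREWALL + """
config forwarding
        option src 'vpnusers'
        option dest 'wan'
"""


def parse_uci(text):
    """Parse UCI config text into a list of section dicts.

    Each dict carries '.type' (e.g. 'zone'), '.name' for named sections,
    'option' keys as strings and 'list' keys as lists of strings.
    """
    sections = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if parts[0] == "config" and len(parts) >= 2:
            current = {".type": parts[1]}
            if len(parts) == 3:
                current[".name"] = parts[2].strip("'\"")
            sections.append(current)
        elif parts[0] in ("option", "list") and current is not None and len(parts) == 3:
            key, value = parts[1], parts[2].strip().strip("'\"")
            if parts[0] == "option":
                current[key] = value
            else:
                current.setdefault(key, []).append(value)
    return sections


def zone_forwardings(sections, src):
    """Sorted list of destination zones that 'src' is allowed to forward into."""
    return sorted(s["dest"] for s in sections
                  if s[".type"] == "forwarding" and s.get("src") == src and "dest" in s)


def check_vpn_client_zone(sections, client_zone, tunnel_zone):
    """Return a list of problems; an empty list means no obvious bypass of the tunnel."""
    problems = []
    zones = {s["name"]: s for s in sections if s[".type"] == "zone" and "name" in s}
    if client_zone not in zones:
        problems.append(f"zone '{client_zone}' is not defined")
    if tunnel_zone not in zones:
        problems.append(f"zone '{tunnel_zone}' is not defined")
    dests = zone_forwardings(sections, client_zone)
    for dest in dests:
        if dest != tunnel_zone:
            problems.append(f"'{client_zone}' may forward to '{dest}': traffic can bypass the tunnel")
    if tunnel_zone not in dests:
        problems.append(f"no forwarding from '{client_zone}' to '{tunnel_zone}'")
    if zones.get(tunnel_zone, {}).get("masq") != "1":
        problems.append(f"zone '{tunnel_zone}' has no masq '1'; replies from the VPN cannot return")
    return problems


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_FIREWALL), ("leaky", LEAKY_FIREWALL)):
        found = check_vpn_client_zone(parse_uci(text), "vpnusers", "vpnfirewall")
        print(label, "OK" if not found else found)
```

Keeping the client zone's forwardings to the tunnel zone alone is also what gives the setup its fail-closed behaviour: if tun0 goes down, traffic from the VPN-user network has no permitted zone to exit through and is dropped rather than sent out via the ISP. The check is deliberately narrow; it reads only 'zone' and 'forwarding' sections, so a permissive 'rule' section, or a client still using the main router as its default gateway (the situation in the question, where the Archer never sees the traffic at all), is outside what it can detect.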

Thanks for this. It sounds like an option I may be capable of doing! My home LAN at present is 192.168.0.0. I presume the router will need to hand out IP addresses on a different network such as 192.168.1.0, correct?

And if so, I will need to set up some routing so the devices on 192.168.1.0 can access other devices on 192.168.0.0. Will that be easy to set up? Will I need to set up some sort of routing rule to achieve that?

Yes

You'll need to add a static route on the main router you have for the internet, since it is the default gateway for 192.168.0.X devices. The route will point to the Archer for 192.168.1.0/24.