I configured my router to work with OpenVPN. Currently, all of my clients (LAN, WiFi) are forwarded through OpenVPN. I'm looking for a way, if I can, to create another WiFi which would not be forwarded through OpenVPN while the OpenVPN WiFi is also running. In a word, there will be two WiFis:
One will act as the OpenVPN client WiFi.
Another will act as a WiFi without OpenVPN.
I tried to create another WiFi interface and tried to create firewall rules for it, but the problem is it has no internet connection. Meanwhile the other OpenVPN one is working ok. Here is my network configuration
I didn't have time yet to investigate the "VPN for separate network/SSID" thing, but it should be easy to achieve if firewall zones, forwards and routes are configured properly.
Post a link to the OpenWrt Forum answer; maybe we can "translate" it into easier-to-follow instructions.
I just managed to get a very similar setup running.
But before I post my configs I have to tell you that the router configs I show are not from my main router. (Don't get bothered by the DSL settings. I just left them where they were, just in case I have to use it as the 'real' router.) I use this one as a "bridged AP with OpenVPN onboard, with some handy LAN ports".
This way the 'real' router won't get into trouble when processing all the VPN stuff.
For those concerned about speed:
(my "VPN-AP-bridge" is a TP-Link TD-W8970B which has 4x Gb LAN, 2 USB ports, 2.4 GHz WiFi & a 500 MHz CPU; only the flash is really small with 8 MB)
My DSL is a "slow" 6.592 Mb/s / 576 Kb/s connection.
The download of a 200 MB file had an average speed of 2/3 of my maximum download speed without a VPN connection. (both via WiFi)
In LuCI on the Interfaces page I get VPN & VPNWIFI shown. I don't know if it is really useful, but it helped me on my way to configure this stuff. [It took me a couple of nights to get where I am now.] Now it works & I am happy with it, so I don't bother to change it right now. But:
If someone with more knowledge than me finds a smarter way to set it up, I'd like to read about it here.
So here are my configs. I hope they will help someone.
I don't exactly understand your question, so I'll give a general description. If that's not sufficient please feel free to ask again. Please be as exact as possible. Thank you!
There are two wireless interfaces which you can use:
SSID: NoEncryption (interface default_radio0)
This one is connected to the regular LAN.
So it will be possible to connect to other LAN devices. If you use the internet over this interface your ISP (Internet Service Provider) is able to see your traffic.
This means it is just a regular wireless interface.
SSID: VPN-Encrypted (interface: tun_radio0)
This one is connected to the network interface 'vpnwifi'.
The 'vpnwifi' interface is forwarded to the network interface 'tun' (which is used by OpenVPN).
Because this router is 'chained' behind my "ISP router (main router to connect to the internet)", the tun interface cannot be forwarded directly to the wan interface. Therefore the tun interface is forwarded to the lan interface.
So it won't be possible to connect to any device on the lan, because lan is just used to 'tunnel' the VPN to the "ISP router" and further to the Internet.
Your ISP sees only a VPN connection to your VPN provider. If it is encrypted the ISP cannot tell what you are doing within this VPN.
This means any connection via the SSID VPN-Encrypted is VPN encrypted and cannot reach the lan!
Let me try your configuration. I don't think it would work, as I tried it once. I saw there is a solution called policy-based routing for this. Anyway, setting up your config now.
The IP address of my regular LAN is in the 192.168.xxx.xxx range.
AND to give a little update: I am not really a pro. The /etc/config/firewall is kind of set up by guessing what could work. (Not a very good idea.)
In the meantime I kicked the lines:
......
config forwarding
option src 'vpn'
option dest 'lan'
.....
OUT of the firewall config.
AND I don't know if it is not kind of extremely insecure to set all options in:
config zone
option name 'vpnwifi'
option network 'vpnwifi'
option output 'ACCEPT'
option input 'ACCEPT'
option forward 'ACCEPT'
to: ACCEPT
I always wanted to dig deeper into this issue. But until today I didn't do so.
Perhaps you know a secure setting?
The configuration you posted matches what I thought it would have been, and I'm having a REALLY bad time trying to make this very simple configuration: OpenVPN running on OpenWrt with two SSIDs and only one of the SSIDs is supposed to be routed through the VPN.
Anyway I'll try more and more. I'm wondering if @amanjuman found a solution for this scenario, as I think he's got the same one as mine.
I’ve got this working, although with WireGuard rather than OpenVPN, but I would expect the principle to be the same.
In network add a new interface (let’s say priv), similar to lan, but with a different subnet address.
In dhcp add a new section for the priv interface. Mine is exactly the same as lan.
In wireless add a new wireless interface, which can be pretty much the same as the other one, but with a different SSID and belonging to the new network (option network 'priv').
In firewall add the priv network to the lan zone, right next to the lan network.
Now the tricky part is configuring the policy routing.
I set allowed_ips in the WireGuard interface configuration to 0.0.0.0/0, because it has to be able to route requests to all of the internet, and I also set route_allowed_ips to 0, because otherwise it would add a default route to the VPN, which is not what we want.
In network I manually added a route for the VPN subnet, saying to go to the WireGuard interface:
And the final step is to add a rule that says that all traffic coming from the priv network has to be routed using the vpn routing table (this also goes to network):
config rule
option in 'priv'
option lookup 'vpn'
This also works with IPv6 if you add a similar configuration for IPv6 networks. Of course, I omitted the VPN configuration part, as it depends on which exact kind of tunnel you want to use and is somewhat outside the scope of this topic.
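A complete worked configuration for the steps in this post, added here as an example and not the poster's own files; it also shows a tunnel zone as an answer to the earlier question about setting input/output/forward all to ACCEPT. It assumes a WireGuard interface named 'wg0', 192.168.1.0/24 for lan, 192.168.2.0/24 for priv, and routing table number 100 (a numeric table needs no entry in /etc/iproute2/rt_tables); the dhcp and wireless sections are omitted since they mirror lan with network 'priv'.

```uci
# /etc/config/network (constructed; 'wg0', the subnets and table 100 are assumptions)
config interface 'priv'
	option proto 'static'
	option type 'bridge'            # wifi-only bridge, no wired port attached
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
config interface 'wg0'
	option proto 'wireguard'
	option private_key 'REPLACE_WITH_ROUTER_PRIVATE_KEY'
	list addresses '10.8.0.2/24'    # constructed tunnel address
config wireguard_wg0
	option public_key 'REPLACE_WITH_PEER_PUBLIC_KEY'
	option endpoint_host 'vpn.example.net'
	option endpoint_port '51820'
	list allowed_ips '0.0.0.0/0'    # tunnel may carry any destination ...
	option route_allowed_ips '0'    # ... but adds no default route to the main table
	option persistent_keepalive '25'
config route                        # VPN default route lives only in table 100
	option interface 'wg0'
	option target '0.0.0.0/0'
	option table '100'
config route                        # keep priv -> lan traffic out of the tunnel
	option interface 'lan'
	option target '192.168.1.0/24'
	option table '100'
config rule                         # anything entering via priv consults table 100 first
	option in 'priv'
	option lookup '100'
	option priority '100'

# /etc/config/firewall
config zone
	option name 'lan'
	option network 'lan priv'       # priv sits next to lan, as the post describes
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
config zone                         # tighter than an all-ACCEPT tunnel zone
	option name 'vpn'
	option network 'wg0'
	option input 'REJECT'           # nothing arriving from the tunnel reaches the router
	option output 'ACCEPT'
	option forward 'REJECT'         # and nothing is forwarded from the tunnel into lan/priv
	option masq '1'
	option mtu_fix '1'
config forwarding                   # lan and priv may initiate traffic into the tunnel
	option src 'lan'
	option dest 'vpn'
```

Check the result with `ip rule show` and `ip route show table 100`; note that DNS queries the router's own dnsmasq forwards upstream still leave via wan, so hand priv clients a resolver reachable through the tunnel if that matters to you.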