Multiple WIFI interface while running OpenVPN

I configured my router to work with OpenVPN. Currently all of my clients (LAN, WiFi) are forwarded through OpenVPN. I'm looking for a way to create another WiFi that is not forwarded through OpenVPN while the OpenVPN WiFi keeps running. In short, there will be two WiFi networks.

  • One will act as OpenVPN client WiFi
  • The other will act as a WiFi without OpenVPN.

I tried to create another WiFi interface and firewall rules for it, but the problem is that it has no internet connection. Meanwhile the OpenVPN side keeps working fine. Here is my network configuration:

# /etc/config/network as posted by the OP: lan + wan plus two extra logical
# interfaces, 'encryption' (the OpenVPN tunnel device) and 'noneyc' (the WiFi
# that is meant to bypass the tunnel).
config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd9d:4e67:19e1::/48'

config interface 'lan'
        option ifname 'eth1'
        option force_link '1'
        option type 'bridge'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.2.1'
        # NOTE(review): both entries are the same resolver; the wan section
        # below uses '8.8.8.8 8.8.4.4', which is probably what was intended.
        option dns '8.8.8.8 8.8.8.8'
        option delegate '0'

config interface 'wan'
        option ifname 'eth0'
        option proto 'dhcp'
        option clientid '1'
        # peerdns '0': ignore the resolvers handed out by the ISP via DHCP and
        # use the static list on the next line instead.
        option peerdns '0'
        option dns '8.8.8.8 8.8.4.4'

config interface 'wan6'
        option ifname 'eth0'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 3 4'

config interface 'encryption'
        #VPN Interface
        # proto 'none': no address is configured here; tun0 is addressed by
        # whatever brings it up (presumably the OpenVPN client mentioned above).
        option proto 'none'
        option ifname 'tun0'
        option delegate '0'

config interface 'noneyc'
       #Non VPN Interface
        # NOTE(review): '_orig_ifname' / '_orig_bridge' look like LuCI
        # bookkeeping keys rather than a real 'ifname'; the binding to the
        # second SSID comes from "option network 'noneyc'" in the wifi-iface
        # section of the wireless config further down.
        option _orig_ifname 'radio0.network2'
        option _orig_bridge 'false'
        option proto 'static'
        option ipaddr '192.168.10.1'
        option netmask '255.255.255.0'
        option dns '8.8.8.8 8.8.4.4'
        option delegate '0'
        # NOTE(review): no dhcp section for 'noneyc' appears on this page, so
        # clients on 192.168.10.0/24 need some address source — confirm
        # /etc/config/dhcp. Also, a firewall forwarding noneyc -> wan does not
        # change routing: if OpenVPN installs a default route via tun0 (as
        # "all clients are forwarded with OpenVPN" suggests), this subnet
        # follows it too, which would explain the missing internet access.
        # A per-source routing rule is needed; see the policy-routing reply
        # at the end of the thread.

And here is the firewall configuration:

# /etc/config/firewall (OP). 'forward REJECT' in defaults means traffic
# between zones is dropped unless a 'config forwarding' section allows it.
config defaults
    option syn_flood '1'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

config zone
    option name 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    option network 'lan'

config zone
    option name 'wan'
    # input REJECT: nothing from the internet reaches the router itself
    # except what the explicit 'config rule' sections below allow.
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    # masq: outbound traffic leaving via wan is NATed to the wan address.
    option masq '1'
    option mtu_fix '1'
    option network 'wan wan6'

# The rule sections below appear to be the stock OpenWrt defaults (DHCP
# renew, ping, IGMP, DHCPv6, MLD, ICMPv6 input/forward). All of them match
# only traffic arriving from the 'wan' zone and punch narrow holes through
# its 'input REJECT'.
config rule
    option name 'Allow-DHCP-Renew'
    option src 'wan'
    option proto 'udp'
    option dest_port '68'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-IGMP'
    option src 'wan'
    option proto 'igmp'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-DHCPv6'
    option src 'wan'
    option proto 'udp'
    # Restricted to link-local source and destination addresses.
    option src_ip 'fe80::/10'
    option src_port '547'
    option dest_ip 'fe80::/10'
    option dest_port '546'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-MLD'
    option src 'wan'
    option proto 'icmp'
    option src_ip 'fe80::/10'
    list icmp_type '130/0'
    list icmp_type '131/0'
    list icmp_type '132/0'
    list icmp_type '143/0'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Input'
    option src 'wan'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    list icmp_type 'router-solicitation'
    list icmp_type 'neighbour-solicitation'
    list icmp_type 'router-advertisement'
    list icmp_type 'neighbour-advertisement'
    # Rate-limited so ICMPv6 floods cannot exhaust the router.
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Forward'
    option src 'wan'
    # dest '*': applies to forwarding into any zone, not to the router itself.
    option dest '*'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

# Custom iptables rules, if any, live in this script.
config include
    option path '/etc/firewall.user'

# NOTE(review): the two unnamed rules below admit IPsec ESP and IKE (UDP 500)
# from wan into lan, i.e. IPsec passthrough to some LAN host. No IPsec
# endpoint appears anywhere on this page, so confirm they are still wanted;
# the other config in this thread names the same rules 'Allow-IPSec-ESP'
# and 'Allow-ISAKMP'.
config rule
    option src 'wan'
    option dest 'lan'
    option proto 'esp'
    option target 'ACCEPT'

config rule
    option src 'wan'
    option dest 'lan'
    option dest_port '500'
    option proto 'udp'
    option target 'ACCEPT'

# UPnP: miniupnpd adds its own firewall rules so that clients can request
# wan port openings at runtime (its own config is not shown here).
config include 'miniupnpd'
    option type 'script'
    option path '/usr/share/miniupnpd/firewall.include'
    option family 'any'
    option reload '1'

config zone
    option name 'encryption'
    # NOTE(review): input ACCEPT + forward ACCEPT on the tunnel zone means
    # anything arriving through tun0 (the VPN server side) can reach the
    # router's own services. Nothing on this page needs that; the 'vpn' zone
    # in the reply further down uses input REJECT / forward REJECT with masq,
    # which treats the tunnel like a second wan and is the safer choice.
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    option masq '1'
    option mtu_fix '1'
    option network 'encryption'

config zone
    option name 'noneyc'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option network 'noneyc'
    option forward 'ACCEPT'

# lan may leave via the tunnel and via wan; noneyc only via wan.
# There is no forwarding between lan and noneyc in either direction, so the
# two client networks cannot reach each other through this router.
config forwarding
    option dest 'encryption'
    option src 'lan'

# NOTE(review): with both lan forwardings in place, whether lan traffic takes
# the tunnel or wan is decided by the routing table, not by the firewall.
config forwarding
    option dest 'wan'
    option src 'lan'

config forwarding
        option dest 'wan'
        option src 'noneyc'

Here is the wireless configuration:

config wifi-device 'radio0'
    option type 'mac80211'
    option hwmode '11g'
    option path 'platform/ar934x_wmac'
    option country 'BD'
    option htmode 'HT40'
    option txpower '20'
    option channel '6'

# The SSID names refer to VPN vs. non-VPN; both SSIDs are WPA2 (psk2+ccmp),
# so 'Non Encrypted' is still an encrypted WiFi link.
config wifi-iface
    option device 'radio0'
    # Attached to lan, which the firewall forwards into the tunnel zone.
    option network 'lan'
    option mode 'ap'
    option ssid 'Encrypted'
    option encryption 'psk2+ccmp'
    option key 'ItsPassword'

config wifi-iface
    option device 'radio0'
    option mode 'ap'
    option ssid 'Non Encrypted'
    # Attached to the 'noneyc' network defined in /etc/config/network.
    option network 'noneyc'
    option encryption 'psk2+ccmp'
    # NOTE(review): the same key is used for both SSIDs, so the key does not
    # separate VPN users from non-VPN users — anyone holding it can join
    # either network. Use distinct keys if that split is meant to be enforced.
    option key 'ItsPassword'

I posted this issue in the OpenWrt forum but the answer seems too complex for me. I followed this link to set up the OpenVPN server: https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-16-04.

Stephan posted a description of his configuration here: LAN - green WAN - red
and after I asked to him about config files, he posted here: LAN - green WAN - red

I didn't have time yet to investigate the "VPN for separate network/ssid" thing but it should be easy to achieve if firewall zones, forwards and routes are configured properly.

Post the link to the OpenWrt forum answer; maybe we can "translate" it into easier-to-follow instructions.

https://forum.openwrt.org/viewtopic.php?id=70915


Howdy !

I just managed to get a very similar setup running.
But before I post my configs I have to tell you that the router configs I show are not from my main router. (Don't get bothered by the DSL settings. I just left them where they were, just in case I have to use it as the 'real' router.) I use this one as a "bridged AP with OpenVPN onboard, with some handy LAN ports" :slight_smile:
This way the 'real' router won't get into trouble when processing all the VPN stuff.

For those concerned about speed:
(my "VPN-AP-bridge" is a TP-Link TD-W8970B which has 4xGb-LAN, 2 USB ports, 2,4 GHz WiFi & a 500MHz CPU; only the flash is really small with 8MB)
My DSL is a "slow" 6.592 Mb/s / 576 Kb/s connection.
The download of a 200MB file had an average speed of 2/3 of my maximum download speed without VPN connection. (both via WiFi)

In LuCI on the Interfaces page I get the VPN & VPNWIFI shown. I don't know if it is really useful, but it helped me on my way to configure this stuff. [ It took me a couple of nights to get where I am now. ] Now it works & I am happy with it, so I don't bother to change it right now. But:
If someone with more knowledge than me finds a smarter way to set it up, I'd like to read about it here :smiley:

So here are my configs. I hope they will help someone.

/etc/network

# /etc/config/network from Nobeard's "bridged AP with OpenVPN" router
# ('xxx' values were redacted by the poster). The ATM/DSL/PPPoE sections are
# leftovers, as the post says; this box sits behind the main router.
config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'xxxx:xxxx:xxxx::/48'

config atm-bridge 'atm'
	option vpi '1'
	option vci '32'
	option encaps 'llc'
	option payload 'bridged'

config dsl 'dsl'
	option annex 'b'
	option xfer_mode 'atm'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr 'xxx.xxx.xx.xxx'
	# lan has a gateway: this router is not the internet edge, so its
	# default route points at the main router on the lan side.
	option gateway 'xxx.xxx.xx.xxx'
	option delegate '0'
	option macaddr 'xx:xx:xx:xx:xx:xx'
	option dns 'xxx.xxx.xx.xxx'

config interface 'wan'
	option ifname 'ptm0'
	option proto 'pppoe'
	option username 'username'
	option password 'password'
	option ipv6 'auto'

config device 'wan_dev'
	option name 'ptm0'
	option macaddr 'xx:xx:xx:xx:xx:xx'

config interface 'wan6'
	option ifname 'pppoe-wan'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 2 4 5 6t'

# OpenVPN tunnel device; proto 'none' leaves addressing to OpenVPN itself.
# The 'vpnwifi' interface that the wireless config references is missing
# from this listing; it is posted further down the thread.
config interface 'vpn'
	option proto 'none'
	option ifname 'tun0'

/etc/firewall

# /etc/config/firewall (Nobeard). Same default posture as the OP's file:
# inter-zone traffic is rejected unless a forwarding section allows it.
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

# NOTE(review): unlike the OP's wan zone there is no 'masq' here; on this
# box the lan side (with its gateway) is the path to the internet, so the
# wan zone is probably unused — see the poster's remark about DSL leftovers.
config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option network 'wan wan6'

config forwarding
	option src 'lan'
	option dest 'wan'
# Stock-looking OpenWrt default rules, all scoped to traffic from 'wan'.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	# NOTE(review): matches fc00::/6 here, whereas the OP's listing matches
	# fe80::/10 and also pins src_port 547 — presumably a difference between
	# OpenWrt releases rather than a deliberate widening; confirm.
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# IPsec passthrough from wan into lan (ESP + IKE on UDP 500). No IPsec
# endpoint is shown on this page; harmless while the wan zone is unused,
# but worth removing if nothing needs it.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'vpn'
	# The tunnel is treated like a wan: nothing from the tunnel side reaches
	# the router (input REJECT), nothing is forwarded in from it, and
	# outbound traffic is masqueraded behind the tunnel address.
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'vpn'

config zone
	option name 'vpnwifi'
	option network 'vpnwifi'
	option output 'ACCEPT'
	# input ACCEPT exposes the router's own services to VPN-wifi clients,
	# exactly as the lan zone does; 'forward' here only covers traffic
	# between networks inside this zone. Reaching lan or wan from vpnwifi
	# still needs a 'config forwarding', and none exists, so those paths
	# stay closed (matching the "cannot reach the lan" description below).
	option input 'ACCEPT'
	option forward 'ACCEPT'

# The only way out of vpnwifi is into the tunnel. If tun0 is down there is
# no forwarding that lets this traffic fall back to lan or wan, so the
# firewall side of this setup fails closed.
config forwarding
	option src 'vpnwifi'
	option dest 'vpn'

# NOTE(review): this section has two 'src' options and no 'dest'; the second
# 'src' was presumably meant to be "option dest 'lan'". As written it does
# not define a usable forwarding. The poster says further down that it was
# removed anyway.
config forwarding
	option src 'vpn'
	option src 'lan'

config include
	option path '/etc/firewall.user'

/etc/wireless

# /etc/config/wireless (Nobeard); radio values redacted with 'x'.
config wifi-device 'radio0'
	option type 'xxx'
	option channel 'x'
	option hwmode 'xxx'
	option path 'xxx'
	option htmode 'xxxx'
	option country 'xx'

# Regular SSID on lan. 'NoEncryption' refers to "no VPN"; the WiFi link
# itself is WPA2 (psk2+ccmp).
config wifi-iface 'default_radio0'
	option device 'radio0'
	option mode 'ap'
	option ssid 'NoEncryption'
	option network 'lan'
	option encryption 'psk2+ccmp'
	option key 'xxxxxxxx'
	option wps_pushbutton '0'
	# NOTE(review): 'macadress' is misspelled — the section below spells it
	# 'macaddr' — so this line is most likely ignored and the interface
	# presumably keeps its default MAC.
	option macadress 'FA:CE:00:00:00:00'

# VPN SSID, bound to the 'vpnwifi' network whose only firewall exit is the
# tunnel zone.
config wifi-iface 'tun_radio0'
	option device 'radio0'
	option mode 'ap'
	option wps_pushbutton '0'
	option macaddr 'FA:CE:00:FF:FF:FF'
	option ssid 'VPN-Encrypted'
	option encryption 'psk2+ccmp'
	option key 'xxxxxxxxxx'
	option network 'vpnwifi'

Greetings ! (Sorry for my english)


Is that spilt VPN traffic with VPN-WIFI and Home Traffic with Lan Zone?

I don't exactly understand your question, so I'll give a general description. If that's not sufficient please feel free to ask again. Please be as exact as possible. Thank you!

There are two wireless interfaces which you can use:

  1. SSID : NoEncryption ( interface default_radio0 )
    This one is connected to the Regular LAN .
    So it will be possible to connect to other LAN devices. If you use the internet over this interface your ISP (Internet Service Provider) is able to see your traffic.
    This means it is just a regular wireless interface.

  2. SSID : VPN-Encrypted ( interface: tun_radio0 )
    This one is connected to the network interface 'vpnwifi'.
    The 'vpnwifi' interface is forwarded to the network interface 'tun' (which is used by OpenVPN).
    Because this router is 'chained' behind my "ISP router (main router to connect to the internet)", the tun interface cannot be forwarded directly to the wan interface. Therefore the tun interface is forwarded to the lan interface.
    So it won't be possible to connect to any device on the lan, because lan is just used to 'tunnel' the VPN to the "ISP router" and further to the Internet.
    Your ISP sees only a VPN connection to your VPN provider. If it is encrypted the ISP cannot tell what you are doing within this VPN.
    This means any connection via the SSID VPN-Encrypted is VPN encrypted :wink: and cannot reach the lan!

Hope that helped :slight_smile:

Let me try your configuration. I don't think it would work, as I tried it once. I saw there is a solution which called policy based routing for this. Anyway, setting up your config now.

@Nobeard would you please also post the "vpnwifi" entry in the network file?

Thanks in advance :slight_smile:

@gb_master

Sorry that I didn't put this info in my first posting.

Here is the "vpnwifi" entry in /etc/config/network:

# The network behind the 'VPN-Encrypted' SSID. It has no ifname: the wireless
# config binds the SSID to it with "option network 'vpnwifi'".
# NOTE(review): no dhcp section for 10.0.0.0/24 is shown; presumably one
# exists, otherwise clients on this SSID would not get addresses.
config interface 'vpnwifi'
option proto 'static'
option ipaddr '10.0.0.1'
option netmask '255.255.255.0'

The IP address of my regular LAN is in the 192.168.xxx.xxx range.

AND to give a little update: I am not really a pro. The /etc/config/firewall is kind of set up by guessing what could work. (Not a very good idea.)
In the meantime I removed the lines:

......
# Removed by the poster. With it in place, traffic entering from the tunnel
# could have been forwarded into lan; without it the 'vpn' zone keeps its
# 'forward REJECT' posture toward lan.
config forwarding
option src 'vpn'
option dest 'lan'
.....
OUT of the firewall config.

AND I don't know whether it is extremely insecure to set all options in:

# 'input ACCEPT' lets VPN-wifi clients talk to the router's own services,
# the same as the lan zone grants lan clients; 'forward ACCEPT' only applies
# between networks inside this zone. Neither setting opens a path to lan or
# wan — that would need a 'config forwarding' from 'vpnwifi' to that zone.
config zone
option name 'vpnwifi'
option network 'vpnwifi'
option output 'ACCEPT'
option input 'ACCEPT'
option forward 'ACCEPT'

to : ACCEPT

I always wanted to dig deeper into this issue, but until today I didn't.
Perhaps you know a secure setting?

@Nobeard thank you very much for your fast reply!

The configuration you posted matches what I thought it would have been, and I'm having a REALLY bad time trying to make this very simple configuration: OpenVPN running on openwrt with two SSIDs and only one of the SSIDs is supposed to be routed through the VPN.

Anyway I'll try more and more. I'm wondering if @amanjuman found a solution for this scenario, as I think he's got the same one as mine.

Thanks again :slight_smile:

Not yet, it is still unsolved for me.

In the end I used the package described in https://forum.openwrt.org/t/vpn-policy-based-routing-web-ui-discussion ... I think there must be a way of doing it only with UCI, but still :slight_smile:

I’ve got this working, although with WireGuard rather than OpenVPN, but I would expect the principle to be the same.

  1. In network add a new interface (let’s say priv), similar to lan, but with a different subnet address.
  2. In dhcp add a new section for the priv interface. Mine is exactly the same as lan.
  3. In wireless add a new wireless interface, which can be pretty much the same as the other one, but with a different SSID and belonging to the new network (option network 'priv').
  4. In firewall add the priv network to the lan zone, right next to the lan network.
  5. Now the tricky part is configuring the policy routing.
    1. I set allowed_ips in the WireGuard interface configuration to 0.0.0.0/0, because it has to be able to route requests to all of the internet, and I also set route_allowed_ips to 0, because otherwise it would add a default route to the VPN, which is not what we want.
    2. In network I manually added a route for the VPN subnet, saying to go to the WireGuard interface:
      config route
          option interface 'wg0'
          # Route for the VPN's inner subnet in the main table; nothing adds
          # it automatically because route_allowed_ips is 0 (step 5.1).
          option target '172.16.200.0/24'  # adjust this
      
    3. Then I added another route that sends all traffic through the VPN interface, but instead of the default routing table, added it to a table called vpn:
      config route
          option interface 'wg0'
          option target '0.0.0.0/0'
          # Default route kept out of 'main': it lives in table 'vpn', which
          # only the rule in step 5.4 consults.
          # NOTE(review): the table name has to resolve to a numeric id
          # (presumably via /etc/iproute2/rt_tables) — confirm on your build.
          # NOTE(review): if wg0 goes down this route disappears, table 'vpn'
          # is empty, and the lookup falls through to 'main' — priv clients
          # would then reach the internet over the normal default route,
          # outside the tunnel. A second 0.0.0.0/0 entry in table 'vpn' with
          # a higher metric and "option type 'unreachable'" makes the setup
          # fail closed instead; check that your netifd honours the route
          # 'type' option.
          option table 'vpn'
      
    4. And the final step is to add a rule that says that all traffic coming from the priv network has to be routed using the vpn routing table (this also goes to network):
      config rule
          # Policy rule: packets entering from 'priv' are looked up in table
          # 'vpn' first; later rules (and the main table) are only consulted
          # when 'vpn' has no matching route.
          option in 'priv'
          option lookup 'vpn'
      

This also works with IPv6 if you add a similar configuration for IPv6 networks. Of course, I omitted the VPN configuration part, as it depends on which exact kind of tunnel you want to use and is somewhat outside the scope of this topic.
