Need help with openvpn configuration on OpenWrt router

Hi all,
even my English is not so good, I want to ask for help in this forum.
I tried to use the TL-WR902AC travel router as VPN (hide.me) client behind my cable router (Fritzbox), so that all connected wifi devices can communicate via the VPN tunnel.
I installed succesfully the openwrt image OpenWrt 21.02.3 r16554-1d4dea6d4f / LuCI openwrt-21.02 branch git-22.083.69138-0a0ce2a and the openVPN client package.
In the ssh shell i can see that the tun0 is up and got an IP address from the hide.me server. A "traceroute -i tun0 google.de" is showing succes.
I can connect to the TP Link via 2.4 and 5 Ghz, but the data does not run through the VPN tunnel.
If I check my IP via an external service I got the IP from the Fritzbox and not from the VPN tunnel:-(
see my confs:

I hope someine can help me with this topic.
Thanks in advance
Ralph from Germany

It is routing problem. See configuration file for OpenVPN, the line like redirect-gateway def1 Remove also forwarding rule from lan to wan to prevent traffic leakage.

Hi, thanks for your quick responce. There is no redirect line in my OpenVPN conf.
Unfortunatelly I'm not the specialist in the forwarding and router topic :roll_eyes:
Iff i run the traceroute command from the ssh shell with the tun0 interface and compare it with the output of the Luci diagnostic tracerout, it is showing the same. I wonder why when querying my own IP then the IP of the cable router is given.

Thanks

additional I checked in the Realtime Graphs the Traffic on tun0. In case auf the tracerout commands in the ssh shell and the Luci diagnostic, i can see the traffic, but if i use the connected wifi device, there is no traffic on tun0 visible, only on the LAN bridge. It seems that the radio traffic does not go through tun0.

Run ip route command when the vpn is active.

Look for lines that look like this:

0.0.0.0/1 via x.x.x.x dev tun0
128.0.0.0/1 via x.x.x.x dev tun0

If you don't see any, insert the following into the openvpn client configuration file and restart the service.

route 0.0.0.0 128.0.0.0
route 128.0.0.0 128.0.0.0

I added the route lines to the client conf, and get following output from ip route:

0.0.0.0/1 via 10.132.14.1 dev tun0
default via 10.132.14.1 dev tun0
10.132.14.0/23 dev tun0 scope link  src 10.132.15.216
128.0.0.0/1 via 10.132.14.1 dev tun0
192.168.0.0/24 dev br-lan scope link  src 192.168.0.100
194.36.108.19 via 192.168.0.251 dev br-lan

but there is furthermore no traffic from radio through tun0.

OK, so there is a default gateway set.
Remove or comment the newly created lines in the openvpn client file an set a metric for the wan interface.

image

Restart the network and openvpn services and post the result of ip route again.
Run traceroute from the router without specifying an interface and also post the result.

The problem here is that you're running the travel router as a dumb AP, but following instructions as if it were a LAN->WAN router.

In the dumb AP, wireless users are on LAN and they are bridged directly to your house main router. They'll never be aware that they should route through the VPN instead. They really can't, since you'd need a DHCP server to tell them to use your router as the default gateway, and that will interfere with other devices on the LAN that should get DHCP instructions to use the main router as the default gateway.

There are two approaches to remedy this.

  1. Set up as a LAN-WAN router then follow regular instructions to install VPN client.
  2. Add a new network and bridge, e.g. vpnuser, and firewall rules to forward vpnuser->vpn tunnel

I suggest 1 as simpler for a beginner.

1 Like

The TL-W902AC Travel router has one ethernet interface only and so there is no WAN interface in openwrt, this router act as AP behind an cable router and has lan bridge interface.
See the conf of this interface:

Then follow the mk24 instructions.

Yes you would run the single port as WAN, and have all LAN-type connections by wifi. You can open the firewall to allow logging into OpenWrt from the WAN side.

Additionally if you want extra APs which are direct links to your house LAN (the travel router's WAN) for non-VPN uses, that is possible by making wan a bridge and attaching the APs to it.

I will switch the interface to WAN, then the router can only be reached via wifi and I'm not sure how the firewall needs to be adjusted so that it works. Sorry I'm a noop :wink:

As it was stated above. Our instructions are intended for 'router' mode, not 'dumb ap'.