Need help with set up please

Hi guys,
just created an account to ask for help directly over here.

I need help setting up OpenVPN on OpenWrt for a TP-Link Archer AX23 AX1800.
I already have my config file. What I am trying to do is set up the VPN on my router to support both wireless and Ethernet.

I just need to know, once I've uploaded the config file and set up the interface, how do I create a new SSID to tie it to that new VPN connection, and whether I am safe to disable the OpenWrt connection after?

If this has been answered before please provide a link so I can go read up on it; first time using this site.

Sorry if it's long-winded. Any help is appreciated.

Thanks

https://openwrt.org/docs/guide-user/services/vpn/openvpn/client-luci

By default, ethernet and wifi are bridged together for your lan. Therefore, a VPN will service both wifi and ethernet.

Please clarify your intent here:

  • Create unique SSIDs and/or ethernet ports that are used for VPN vs non-VPN
  • Set up such that all Ethernet ports and a single SSID are all bound together and use the VPN

What do you mean by this? Are you talking about the OpenWrt SSID? If so, you can simply rename it; you don't need to disable it.


In the simplest configuration, all Internet usage from the router will be redirected into the VPN. Get that working first.

Then you can implement ways to have some networks bypass the VPN.


Hey,
Thanks for getting back!

I've followed all the steps in the LuCI guide, from setting up to enabling the kill switch etc., but when I try to test my connection by going to ipleak.net the connection just times out.
Still connected to OpenWrt, if that matters?

My intent was the latter:

Set up such that all Ethernet ports and a single SSID are all bound together and use the VPN

I'm not sure where I've gone wrong at this point.

Please connect to your OpenWrt device using SSH, copy the output of the following commands, and post it here using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
cat /etc/config/openvpn

ubus call system board

{
	"kernel": "5.15.137",
	"hostname": "OpenWrt",
	"system": "MediaTek MT7621 ver:1 eco:4",
	"model": "TP-Link Archer AX23 v1",
	"board_name": "tplink,archer-ax23-v1",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.2",
		"revision": "r23630-842932a63d",
		"target": "ramips/mt7621",
		"description": "OpenWrt 23.05.2 r23630-842932a63d"
	}
}

cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'editedthis'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config interface 'OpenVPN'
	option proto 'none'
	option device 'tun0'
	option auto '0'

cat /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'editedthis'
	option channel '1'
	option band '2g'
	option htmode 'HE20'
	option disabled '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'editedthis'
	option channel '36'
	option band '5g'
	option htmode 'HE80'
	option disabled '0'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'

cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	option ra_slaac '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

cat /etc/config/firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	list network 'OpenVPN'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'OpenVPN'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list device 'tun+'
	list network 'OpenVPN'

config forwarding
	option src 'lan'
	option dest 'wan'

cat /etc/config/openvpn

config openvpn 'custom_config'
	option config '/etc/openvpn/my-vpn.conf'

config openvpn 'sample_server'
	option port '1194'
	option proto 'udp'
	option dev 'tun'
	option ca '/etc/openvpn/ca.crt'
	option cert '/etc/openvpn/server.crt'
	option key '/etc/openvpn/server.key'
	option dh '/etc/openvpn/dh2048.pem'
	option server '10.8.0.0 255.255.255.0'
	option ifconfig_pool_persist '/tmp/ipp.txt'
	option keepalive '10 120'
	option persist_key '1'
	option persist_tun '1'
	option user 'nobody'
	option status '/tmp/openvpn-status.log'
	option verb '3'

config openvpn 'sample_client'
	option client '1'
	option dev 'tun'
	option proto 'udp'
	list remote 'my_server_1 1194'
	option resolv_retry 'infinite'
	option nobind '1'
	option persist_key '1'
	option persist_tun '1'
	option user 'nobody'
	option ca '/etc/openvpn/ca.crt'
	option cert '/etc/openvpn/client.crt'
	option key '/etc/openvpn/client.key'
	option verb '3'

config openvpn 'VPNNAME'
	option config 'config file from vpn provider'
	option enabled '1'

As requested, see above. Let me know if I missed anything.

And just to reiterate, in case my initial post was somewhat confusing: all I'm trying to do is set up OpenVPN on this router, and I was wondering, once that's done, if I could then just change the name of the SSID (OpenWrt) and add encryption to it, OR if I'd have to create new connections?
I want all my traffic to go through the said router.

Thanks again for taking the time to help, especially with the prompt responses.

Start with deleting this:

The OpenVPN network is already covered by the wan zone.

Reboot and check again

Hey, thanks for reaching out.
Still no luck, unfortunately.

What I did was restore a backup from before my initial attempt and follow the guide again (https://openwrt.org/docs/guide-user/services/vpn/openvpn/client-luci) all the way to steps 5 & 6, but I am still unable to access the internet.

Update:

I've exhausted pretty much everything lol, still can't get it to work.
Setup is fine as per the guide, but for some reason I can't access the internet, or when I can it doesn't detect the VPN; it just shows my local IP :sleepy:

Is the VPN actually connecting?

logread -e openvpn


Tue Apr  9 22:29:37 2024 daemon.notice openvpn(OpenVPN)[2069]: Note: Treating option '--ncp-ciphers' as  '--data-ciphers' (renamed in OpenVPN 2.5).
Tue Apr  9 22:29:37 2024 daemon.notice openvpn(OpenVPN)[2069]: OpenVPN 2.5.8 mipsel-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Tue Apr  9 22:29:37 2024 daemon.notice openvpn(OpenVPN)[2069]: library versions: OpenSSL 3.0.13 30 Jan 2024, LZO 2.10
Tue Apr  9 22:29:37 2024 daemon.warn openvpn(OpenVPN)[2069]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Tue Apr  9 22:29:38 2024 daemon.notice openvpn(OpenVPN)[2069]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Tue Apr  9 22:29:38 2024 daemon.notice openvpn(OpenVPN)[2069]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Tue Apr  9 22:29:43 2024 daemon.err openvpn(OpenVPN)[2069]: RESOLVE: Cannot resolve host address: **INFOFROMVPNPROVIDER**:1194 (Try again)
Tue Apr  9 22:29:45 2024 daemon.notice openvpn(OpenVPN)[2069]: UDP link local: (not bound)
Tue Apr  9 22:29:45 2024 daemon.notice openvpn(OpenVPN)[2069]: UDP link remote: [AF_INET]**INFOFROMVPNPROVIDER**:1194
Tue Apr  9 22:29:45 2024 daemon.notice openvpn(OpenVPN)[2069]: Network unreachable, restarting
Tue Apr  9 22:29:45 2024 daemon.notice openvpn(OpenVPN)[2069]: SIGUSR1[soft,network-unreachable] received, process restarting
Tue Apr  9 22:30:25 2024 daemon.warn openvpn(OpenVPN)[2069]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Tue Apr  9 22:30:25 2024 daemon.notice openvpn(OpenVPN)[2069]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Tue Apr  9 22:30:25 2024 daemon.notice openvpn(OpenVPN)[2069]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Tue Apr  9 22:30:25 2024 daemon.notice openvpn(OpenVPN)[2069]: TCP/UDP: Preserving recently used remote address: [AF_INET]**INFOFROMVPNPROVIDER**:1194
Tue Apr  9 22:30:25 2024 daemon.notice openvpn(OpenVPN)[2069]: UDP link local: (not bound)
Tue Apr  9 22:30:25 2024 daemon.notice openvpn(OpenVPN)[2069]: UDP link remote: [AF_INET]**INFOFROMVPNPROVIDER**:1194
Tue Apr  9 22:30:25 2024 daemon.warn openvpn(OpenVPN)[2069]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Tue Apr  9 22:30:25 2024 daemon.notice openvpn(OpenVPN)[2069]: VERIFY OK: depth=2, C=CA, ST=ON, L=Toronto, O=Windscribe Limited, OU=Systems, CN=Windscribe Node CA X1
Tue Apr  9 22:30:26 2024 daemon.notice openvpn(OpenVPN)[2069]: VERIFY OK: depth=1, C=CA, ST=ON, L=Toronto, O=Windscribe Limited, OU=Systems, CN=Windscribe Node CA X2
Tue Apr  9 22:30:26 2024 daemon.notice openvpn(OpenVPN)[2069]: VERIFY KU OK
Tue Apr  9 22:30:26 2024 daemon.notice openvpn(OpenVPN)[2069]: Validating certificate extended key usage
Tue Apr  9 22:30:26 2024 daemon.notice openvpn(OpenVPN)[2069]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Tue Apr  9 22:30:26 2024 daemon.notice openvpn(OpenVPN)[2069]: VERIFY EKU OK
Tue Apr  9 22:30:26 2024 daemon.notice openvpn(OpenVPN)[2069]: VERIFY X509NAME OK: C=CA, ST=ON, L=Toronto, O=Windscribe Limited, OU=Systems, CN=xxx.windscribe.com
Tue Apr  9 22:30:26 2024 daemon.notice openvpn(OpenVPN)[2069]: VERIFY OK: depth=0, C=CA, ST=ON, L=Toronto, O=Windscribe Limited, OU=Systems, CN=xxx.windscribe.com
Tue Apr  9 22:30:26 2024 daemon.notice openvpn(OpenVPN)[2069]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 4096 bit RSA, signature: RSA-SHA256
Tue Apr  9 22:30:26 2024 daemon.notice openvpn(OpenVPN)[2069]: [xxxx.windscribe.com] Peer Connection Initiated with [AF_INET]**INFOFROMVPNPROVIDER**:1194
Tue Apr  9 22:30:27 2024 daemon.notice openvpn(OpenVPN)[2069]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Apr  9 22:30:27 2024 daemon.notice openvpn(OpenVPN)[2069]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Apr  9 22:30:27 2024 daemon.notice openvpn(OpenVPN)[2069]: TUN/TAP device tun0 opened
Tue Apr  9 22:30:27 2024 daemon.notice openvpn(OpenVPN)[2069]: net_iface_mtu_set: mtu 1500 for tun0
Tue Apr  9 22:30:27 2024 daemon.notice openvpn(OpenVPN)[2069]: net_iface_up: set tun0 up
Tue Apr  9 22:30:27 2024 daemon.notice openvpn(OpenVPN)[2069]: net_addr_v4_add: **IPADDRESS** dev tun0
Tue Apr  9 22:30:27 2024 daemon.notice openvpn(OpenVPN)[2069]: /usr/libexec/openvpn-hotplug up OpenVPN tun0 IPADDRESS init
Tue Apr  9 22:30:27 2024 daemon.notice openvpn(OpenVPN)[2069]: Initialization Sequence Completed

It is very important that the tunnel is only in one zone. As you're using a commercial service for general Internet access, that zone should be wan. Don't create a new zone. Also, it is no longer necessary to create a proto none interface in /etc/config/network. Use list device in the firewall zone to reference the tunnel device directly.

You should be able to ping the VPN server machine through the tunnel. The IP for this is conventionally the .1 of the network assigned to the VPN tunnel. If that works then check that the routing table was properly set up. There should be 0.0.0.0/1 and 128.0.0.0/1 via VPN.
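The two checks suggested in the reply above (the split default route 0.0.0.0/1 + 128.0.0.0/1 pointing into the tunnel, and the tunnel sitting in exactly one firewall zone) as an added example that is not from the thread or from the OpenWrt project. The helpers read text on stdin, so they can be fed live output on the router (`ip -4 route`, `cat /etc/config/firewall`) or the constructed samples at the bottom, which mirror the double-zone layout in the posted config. The device name `tun0`, the interface name `OpenVPN` and the sample addresses are assumptions taken from the thread, not facts the page states about this router.

```sh
#!/bin/sh
# Added example, not part of the thread: offline-checkable versions of the two
# checks above. Run on the router as, e.g.:
#   ip -4 route | has_split_default_route tun0 && echo routed-into-vpn
#   zones_referencing "tun0 OpenVPN" < /etc/config/firewall

# has_split_default_route DEV   (route table on stdin)
# Succeeds only when BOTH 0.0.0.0/1 and 128.0.0.0/1 leave via DEV, which is what
# OpenVPN installs for "redirect-gateway def1".
has_split_default_route() {
    awk -v dev="$1" '
        function via_dev(   i) { for (i = 1; i < NF; i++) if ($i == "dev" && $(i+1) == dev) return 1; return 0 }
        $1 == "0.0.0.0/1"   && via_dev() { lo = 1 }
        $1 == "128.0.0.0/1" && via_dev() { hi = 1 }
        END { exit (lo && hi) ? 0 : 1 }'
}

# zones_referencing NAMES   (firewall config on stdin)
# Prints every "config zone" whose "list device" / "list network" entries match
# any of the space-separated NAMES. A trailing "+" is the fw4 wildcard, so a
# zone with "list device 'tun+'" counts as referencing tun0.
zones_referencing() {
    awk -v names="$1" -v q="'" '
        BEGIN { n = split(names, want, " ") }
        function matches(v,   k, p) {
            for (k = 1; k <= n; k++) {
                if (v == want[k]) return 1
                if (v ~ /\+$/) { p = substr(v, 1, length(v) - 1); if (index(want[k], p) == 1) return 1 }
            }
            return 0
        }
        function flush() { if (zone != "" && hit) print zone; zone = ""; hit = 0 }
        $1 == "config" { flush(); if ($2 == "zone") zone = "(unnamed)"; next }
        zone == "" { next }
        $1 == "option" && $2 == "name" { gsub(q, "", $3); zone = $3; next }
        $1 == "list" && ($2 == "device" || $2 == "network") { gsub(q, "", $3); if (matches($3)) hit = 1 }
        END { flush() }'
}

# diagnose DEV NAMES ROUTE_TEXT FIREWALL_TEXT -> prints findings, returns 0 only if both pass
diagnose() {
    ok=0
    if printf '%s\n' "$3" | has_split_default_route "$1"; then
        echo "OK: 0.0.0.0/1 and 128.0.0.0/1 go via $1"
    else
        echo "FAIL: default traffic is not routed into $1"; ok=1
    fi
    zones=$(printf '%s\n' "$4" | zones_referencing "$2")
    count=$(printf '%s\n' "$zones" | awk 'NF { n++ } END { print n + 0 }')
    case $count in
        1) echo "OK: tunnel is in exactly one zone:" $zones ;;
        0) echo "FAIL: tunnel is in no firewall zone"; ok=1 ;;
        *) echo "FAIL: tunnel is in $count zones:" $zones "(keep only wan)"; ok=1 ;;
    esac
    return $ok
}

# Constructed sample data (not captured from the thread). The route table is
# what a working client looks like; the first firewall text reproduces the
# posted layout (wan zone lists network 'OpenVPN' AND a second zone lists
# device 'tun+'), the second is the corrected layout.
SAMPLE_ROUTES='0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.0.2.1 dev wan proto static src 192.0.2.10
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1'

SAMPLE_FIREWALL="config zone
    option name 'lan'
    list network 'lan'

config zone
    option name 'wan'
    list network 'wan'
    list network 'OpenVPN'

config zone
    option name 'OpenVPN'
    list device 'tun+'
    list network 'OpenVPN'"

SAMPLE_FIREWALL_FIXED="config zone
    option name 'lan'
    list network 'lan'

config zone
    option name 'wan'
    list network 'wan'
    list network 'wan6'
    list device 'tun0'"

echo "== posted layout =="
diagnose tun0 'tun0 OpenVPN' "$SAMPLE_ROUTES" "$SAMPLE_FIREWALL" || echo "-> fix the FAIL items above"
echo "== tun0 in wan as a device only =="
diagnose tun0 'tun0 OpenVPN' "$SAMPLE_ROUTES" "$SAMPLE_FIREWALL_FIXED" || echo "-> fix the FAIL items above"
```

On the router, the NAMES argument should list both the tunnel device and any proto none interface that wraps it (here `tun0 OpenVPN`), because a zone can pick the tunnel up through either; if the count comes back above one, traffic gets matched by whichever zone fw4 evaluates first and the kill switch / masquerade rules no longer mean what you think.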

Hey, what do you mean by this? Mind breaking it down for me please.
I'm not doing anything differently when it comes to setting up - just following the steps set out in the guide. What should I check / be doing differently?

I've got one more attempt left in me lol, otherwise I'm returning the router tomorrow and purchasing something else where I can just configure the VPN directly in the admin panel! I didn't think it'd be this frustrating; been at it literally all day!

  • Default configuration
  • Get router connected to the Internet and confirm that it routes lan->wan properly
  • Install OpenVPN
  • Upload provider's .ovpn file and reference it as the option config in an enabled instance in /etc/config/openvpn. Remove the sample config instances.
  • Add tun0 to the wan firewall zone as a device, not as a network.
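The last two checklist items above, written out as uci commands so they can be reviewed and re-run instead of clicked through in LuCI. This is an added example, not a script from the thread or from the OpenWrt project. It assumes the provider's file was uploaded to /etc/openvpn/my-vpn.conf (the path in the posted /etc/config/openvpn), that the tunnel device is tun0, and that the leftover interface and zone are both called OpenVPN as in the posted config; the instance name `vpn` is the script's own choice.

```sh
#!/bin/sh
# Added example (not from the thread): apply checklist items 4 and 5 with uci.
# Run on the router as:  sh vpn-fix.sh apply
# Afterwards verify with:  logread -e openvpn ; ip -4 route ; uci show firewall
VPN_CONF=${VPN_CONF:-/etc/openvpn/my-vpn.conf}   # provider's .ovpn/.conf (assumed path)
TUN_DEV=${TUN_DEV:-tun0}                           # tunnel device (assumed name)

# zone_index NAME -> prints the uci section path (@zone[i]) of the zone called NAME.
# Zones in /etc/config/firewall are anonymous sections, so look them up by name.
zone_index() {
    i=0
    while name=$(uci -q get "firewall.@zone[$i].name"); do
        if [ "$name" = "$1" ]; then echo "@zone[$i]"; return 0; fi
        i=$((i + 1))
    done
    return 1
}

# Item 4: exactly one enabled instance pointing at the provider's config.
# The sample server/client instances and the placeholder 'VPNNAME' instance
# from the posted config are removed so nothing else tries to start.
configure_openvpn_instance() {
    uci -q delete openvpn.sample_server
    uci -q delete openvpn.sample_client
    uci -q delete openvpn.custom_config
    uci -q delete openvpn.VPNNAME
    uci set openvpn.vpn=openvpn
    uci set openvpn.vpn.config="$VPN_CONF"
    uci set openvpn.vpn.enabled='1'
    uci commit openvpn
}

# Item 5: the tunnel belongs to the wan zone as a device, and to no other zone.
configure_firewall() {
    vz=$(zone_index OpenVPN) && uci -q delete "firewall.$vz"   # drop the extra zone
    uci -q delete network.OpenVPN                                 # proto none interface is not needed
    wz=$(zone_index wan) || { echo "no wan zone found" >&2; return 1; }
    uci -q del_list "firewall.$wz.network=OpenVPN" || true        # ignored if absent
    uci -q del_list "firewall.$wz.device=$TUN_DEV" || true        # keeps re-runs idempotent
    uci add_list "firewall.$wz.device=$TUN_DEV"
    uci commit firewall
    uci commit network
}

reload_services() {
    /etc/init.d/firewall restart
    /etc/init.d/network reload
    /etc/init.d/openvpn restart
}

apply_vpn_fix() {
    configure_openvpn_instance
    configure_firewall
    reload_services
}

if [ "${1-}" = "apply" ]; then
    apply_vpn_fix
fi
```

Because the zone is deleted by index, the lookup for the wan zone is done after the deletion, so the script does not act on a stale index. Nothing here touches the lan->wan forwarding or the kill-switch rules from the guide; those remain as configured.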

Followed every step mentioned, no luck unfortunately.

Update:

Given up and will be returning the router to get something else where i can configure everything on a built-in admin panel. I've wasted far too many hours on this and it's infuriating.
Wanted to take this time to thank everyone who commented on here to try and help. You guys are stars.

Thanks again
Jim