NordVPN setup Linksys WRT1900ACS separate vlan and wireless

Hi There

I'm trying to set up NordVPN with ovpn on the WRT1900ACS 18.06.2.

I have the router configured and all is in place.

Basically, VLAN switch port 4 is to be the VPN-only port and the rest will be ISP as normal.

A separate wireless network for VPN too.

The problem is that everything works, but although NordVPN connects, the traffic goes through the normal ISP connection and not NordVPN.

Ports 1, 2, 3 = ISP

Port 4 = NordVPN, but traffic is still ISP and not NordVPN.

My configs: Firewall

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option name 'lanvpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option network 'lanvpn'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config forwarding
	option src 'lanvpn'
	option dest 'wan'

config zone
	option name 'vpnfirewall'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'nordvpntun'

config forwarding
	option src 'lanvpn'
	option dest 'vpnfirewall'

config forwarding
	option src 'vpnfirewall'
	option dest 'lanvpn'

Network:

config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option ipaddr '192.168.28.1'
	option netmask '255.255.255.0'
	option gateway '192.168.28.1'
	option ifname 'eth0.1'

config interface 'lanvpn'
	option type 'bridge'
	option proto 'static'
	option ipaddr '192.168.38.1'
	option netmask '255.255.255.0'
	option gateway '192.168.38.1'
	option ifname 'eth0.3'

config interface 'wan'
	option ifname 'eth1.2'
	option proto 'dhcp'

config interface 'wan6'
	option ifname 'eth1.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '1 2 3 5t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option vid '2'
	option ports '4 6t'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option vid '3'
	option ports '0 5t'

config interface 'nordvpntun'
	option proto 'none'
	option ifname 'tun0'

Ovpn:

config openvpn 'nordvpn'
	option enabled '1'
	option config '/etc/openvpn/us***.nordvpn.com.udp.conf'

ovpn conf file:

client
dev tun
proto udp
remote *.*.*.* 1194
resolv-retry infinite
remote-random
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ping 15
ping-restart 0
ping-timer-rem
reneg-sec 0
comp-lzo no
remote-cert-tls server
auth-user-pass secret.txt
verb 3
route-nopull
fast-io
cipher AES-256-CBC
auth SHA512

If I set the openvpn file with:

route-nopull - I get normal ISP traffic, and my connection on VLAN port 4 is ISP

pull - if set to pull, I get full VPN traffic routed on VLAN port 4, but the other ports 1, 2, 3 have no ISP traffic / no internet.

What am I missing?

Is there something within the ovpn config file that needs addressing?
Has anyone done the same and got it to work?
Help is much appreciated, and if anyone has any excellent guides too.

What am I missing?

Currently it's functioning as it should, but it's probably not what you would have expected.

What's missing is "extra" routing tables and "correct" firewall rules, since lanvpn>wan may give the regular ISP gateway instead of the VPN, so leakage... And finally, don't rename *.ovpn files into *.conf but keep using *.ovpn, since .conf influences the single openvpn service in a way you can't specifically control anymore with multiple tunnels inside openvpn.

Yes, multiple different VPN tunnel gateways to specific (v)lan/(v)wlan interfaces on the same router, but it will take some effort to set up.

I guess you checked similar sources; these are the ones that were useful for me:
source for ovpn files; are the keys missing in yours?

tutorial that will replace your default gateway with the VPN; you noticed that it's somehow correlated to "pull/route-nopull", but not exactly what you want

Great info about source-based routing ("extra routing tables") specific to your use case; everything you want is there step by step, but it will not work since the separate up/down scripts will not get all the required arguments to manually set up the route

By using route-nopull you get the chance to set up the router your way instead of having the default gateway replaced, but you have to do it manually yourself. As soon as you use the route-nopull flag, the openvpn service, when successfully establishing VPN communication, will receive info about what IP/subnet/gateway/packet size etc. These info arguments will be passed to the up/down scripts as $1 $2 $3 $4 $5 etc., but one of them is broken and has to be fetched from the system log instead. ifconfig_remote_ip=$5 is broken but can be replaced by ifconfig_remote_ip=$(logread | grep $vpn_prof | grep gateway | sed -e 's/.*route-gateway //'| sed -e 's|,.*||' | tail -n 1)

general OpenWrt routing info, which makes sense if you understand the former link by beentje

If my own documentation/script is well tested I can provide more specific steps, but this may get you going.

Start with a clean OpenWrt router install and make sure no other openvpn-server.conf files are used except the single one you added for your specific server.ovpn; the default OpenWrt openvpn files can also stay. Install the package "bind-dig" to test inside your router which gateway is active. See
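The firewall leak mentioned in this reply (a forwarding from the VPN-only LAN zone straight to the ISP zone, as in the lanvpn -> wan section of the config posted above) can be caught before the config goes live. The script below is an added example, not code from the thread or from any of the linked tutorials: it reads an OpenWrt /etc/config/firewall with plain sh and awk, reports every forwarding from the given zone to the WAN zone, and can print the config with those sections removed. The embedded sample is a constructed copy of the zone and forwarding sections from the post above (written with spaces instead of tabs); the zone names lanvpn, wan and vpnfirewall are the ones from that post.

```shell
#!/bin/sh
# Pre-flight check for an OpenWrt /etc/config/firewall (added example, not from the thread).
# A "config forwarding" from the VPN-only LAN zone to the ISP zone is the leak described
# above: whenever the tunnel is down, or policy routing does not cover a client, that
# client's traffic is forwarded out via the regular WAN instead of failing closed.
# Usage: ./fwcheck.sh <vpn-lan-zone> [<wan-zone>] [<firewall-file>]

# Report every forwarding <zone> -> <wan>; returns 1 when at least one was found.
check_vpn_leak() {
    zone=$1; wan=$2; file=$3
    awk -v zone="$zone" -v wan="$wan" -v q="'" '
        function strip(s) { gsub(q, "", s); return s }      # drop the UCI quotes
        function flush() {
            if (type == "forwarding" && src == zone && dst == wan) {
                printf "LEAK: forwarding %s -> %s bypasses the tunnel for zone %s\n", src, dst, zone
                found = 1
            }
            type = ""; src = ""; dst = ""
        }
        /^config / { flush(); type = $2 }                    # a new UCI section starts
        type == "forwarding" && $1 == "option" && $2 == "src"  { src = strip($3) }
        type == "forwarding" && $1 == "option" && $2 == "dest" { dst = strip($3) }
        END { flush(); exit found ? 1 : 0 }
    ' "$file"
}

# Print the config with every forwarding <zone> -> <wan> section removed; all other
# sections (including the ordinary lan -> wan forwarding) are passed through unchanged.
drop_forwarding() {
    zone=$1; wan=$2; file=$3
    awk -v zone="$zone" -v wan="$wan" -v q="'" '
        function strip(s) { gsub(q, "", s); return s }
        function flush() {
            if (!(type == "forwarding" && src == zone && dst == wan)) printf "%s", buf
            buf = ""; type = ""; src = ""; dst = ""
        }
        /^config / { flush(); type = $2 }
        type == "forwarding" && $1 == "option" && $2 == "src"  { src = strip($3) }
        type == "forwarding" && $1 == "option" && $2 == "dest" { dst = strip($3) }
        { buf = buf $0 "\n" }                                # buffer the whole section
        END { flush() }
    ' "$file"
}

# Constructed sample (spaces instead of tabs; UCI accepts both): the zone and
# forwarding sections that matter, copied from the config posted in this thread.
write_sample_firewall() {
    cat > "$1" <<'EOF'
config zone
    option name 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    option network 'lan'

config zone
    option name 'lanvpn'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option network 'lanvpn'

config forwarding
    option src 'lan'
    option dest 'wan'

config forwarding
    option src 'lanvpn'
    option dest 'wan'

config forwarding
    option src 'lanvpn'
    option dest 'vpnfirewall'

config forwarding
    option src 'vpnfirewall'
    option dest 'lanvpn'
EOF
}

if [ $# -ge 1 ]; then
    check_vpn_leak "$1" "${2:-wan}" "${3:-/etc/config/firewall}"
fi
```

On the router this is `./fwcheck.sh lanvpn wan /etc/config/firewall`. Once the offending section is gone, lanvpn only forwards into the tunnel zone, so a tunnel that is down means no connectivity for those clients rather than a silent fallback to the ISP; the check is zone-specific, so the normal lan -> wan forwarding is left alone.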

Thanks @walterav

That's detailed info there.

Is that suited to what I already have set up?

I did originally use the NordVPN guide for VPN, but that was for the whole router to be behind a VPN connection.
What I wanted to do was to have the best of both worlds and utilise VLANs to split the connection, but that doesn't seem to work at all; it's either VPN or normal ISP, especially when using the route-nopull option.
With my current network config in place and with the route-nopull option, I get normal ISP internet via vlan0, but vlan0.3 has no VPN internet although connected.
If using the pull option, I get VPN traffic via vlan0.3 and no internet from vlan0 ISP.

Is your instruction specifically for the whole router behind VPN and for routing specific IPs away?

I'm kind of confused about which bit to do.
Can you provide some sort of instruction for my current setup with VLANs in use?

My firewall currently is:

Is using VLANs possible for all this?

It is not possible to route traffic SEPARATELY by using routes in the openvpn config. They are applied to ALL traffic; there is no dependence on VLAN etc. You should configure routes using the vpnbypass package or the policy-based routing package. You can also configure it by hand, selectively marking packets and routing them into a special table.

Thanks @ulmwind

Do you know of any links to any good guides to do all that from scratch?

Start with https://github.com/stangri/openwrt_packages/blob/master/vpnbypass/files/README.md

Ok, seems straightforward enough with vpnbypass.
So I need to basically set up my Linksys WRT1900ACS 18.06.2 router exactly like how NordVPN officially does it.

Then install vpn-bypass and configure:

config vpnbypass 'config'
	option enabled '1'
	list localport '1194'
	list localsubnet '198.228.28.0/24'  (or individual addresses?)
	list remotesubnet '<isp address??>'

Would this be correct?

You should only specify local subnet.

My guess is that your router behaves as a default OpenWrt-configured router with a (192.168.1.0/24) LAN / (public/NAT/etc.) WAN side, and that you want most of your router to behave like that, but only specific interfaces (vlan/switchport/virtual SSID/etc.) to be connected to a VPN gateway. It is perfectly possible to have a virtual wifi SSID called "blablaUK" connected to a United Kingdom based VPN server and another virtual wifi SSID called "blablaDE" connected to a German one, even at the same time, while the standard SSID "blablaLAN" or the LAN ports still let clients use the regular WAN route. My guess is that you want your router to behave like that?

Beentje's tutorial about source-based routing does exactly what you want; however, he only uses 1 IP on the same subnet as his LAN subnet to be connected to the VPN. Maybe you didn't see the resemblance yet, but it's perfectly possible to implement what you want if you see it like this.

You could create an extra local LAN interface (subnet 192.168.75.0/24) and 2 firewall zones (one called VPNWAN, like the VPN_FW beentje uses), and of course, since you created an extra LAN interface, create a VPNLAN firewall zone resembling a normal OpenWrt LAN template (unsafe) or guest LAN that will only be connected to your isolated vlan/switchport/virtual SSID/etc. Instead of the single IP he uses for an "appletv" in his "up script", you must add multiple IPs by hand, so if you want 8 clients in your separate VLAN to be connected to that VPN, you have to edit/copy the up and down script to match that.

[example edit beentje upvpn script](https://beenje.github.io/blog/posts/openvpn-source-based-routing)

#!/bin/sh
# OpenVPN "up" script: send the listed clients through the tunnel with policy routing.
# OpenVPN passes: $1 tun device, $2 tun MTU, $3 link MTU, $4 local tunnel IP, $5 remote IP.

clientA=192.168.75.21
clientB=192.168.75.22
clientC=192.168.75.23
clientD=192.168.75.24
clientE=192.168.75.25
clientF=192.168.75.26
clientG=192.168.75.27
clientH=192.168.75.28

tun_dev=$1
tun_mtu=$2
link_mtu=$3
ifconfig_local_ip=$4

#ifconfig_remote_ip=$5 <--- this one is broken and won't get called,
# so take the last route-gateway the server pushed from the system log instead.
FIXME=vpnprofile   # <--- replace with the (unique) name of your openvpn profile
BROKENARG=$(logread | grep $FIXME | grep gateway | sed -e 's/.*route-gateway //'| sed -e 's|,.*||' | tail -n 1)

if [ -z "$BROKENARG" ]; then
	echo "VPN gateway not found in logread, not touching the routing table" >&2
	exit 1
fi

# One default route in table vpn serves every client; adding it once per client fails with "File exists".
ip route add default via $BROKENARG dev $tun_dev table vpn

for client in $clientA $clientB $clientC $clientD $clientE $clientF $clientG $clientH; do
	echo "Routing client $client traffic through VPN"
	ip rule add from $client priority 10 table vpn
	ip route add $client dev $tun_dev table vpn
done
ip route flush cache

#edit the downvpn script the same way (ip rule del / ip route del for each client)

Change/edit the "subnet" the way you need and match it with $clientA...$clientH, and you must change $FIXME to the name of the "vpnprofile" you used in "/etc/config/openvpn"; beentje uses the name "myvpn". Another tip: don't name interfaces/firewall zones/openvpn profiles the same, like the NordVPN howto does, and sadly beentje also names his "/etc/config/network" interface the same as the openvpn profile "myvpn", which is confusing and will not work with the BROKENARG fix!

If you look at @ulmwind's suggestion with vpnbypass, it goes the other way around by letting the default gateway (your regular WAN/ISP) be replaced by the VPN gateway (like the default NordVPN tutorial does) and then selectively letting some local IPs bypass the VPN for some traffic. Personally I don't like that reverse approach.

Another tip: when you have a different LAN subnet for the VPN, edit the DHCP server option for that LAN to give a specific DNS server to the users inside the VPN. And of course adjust the DHCP server range to only assign the IPs 192.168.75.21-28 you assigned via the upvpn/downvpn scripts.

EDIT cli debugging tips:

logread
/etc/init.d/openvpn start   # or stop
cat /etc/iproute2/rt_tables
ip route show table main
ip route show table vpn     # beentje uses "vpn" for table number 10
route -n
dig +short myip.opendns.com @resolver1.opendns.com
dig +short myip.opendns.com @resolver1.opendns.com -b <local side of the VPN IP given by the VPN server>
BROKENARG=$(logread | grep $FIXME | grep gateway | sed -e 's/.*route-gateway //'| sed -e 's|,.*||' | tail -n 1)
echo $BROKENARG   # if this doesn't output the inner tunnel IP of the remote side, keep looking at logread

PS: BROKENARG can only be found in logread if the tunnel was set up/connected with route-nopull, so you have to "/etc/init.d/openvpn start" and then try to get that variable filled the right way by editing $FIXME with a unique name that no other name/pattern matches apart from the openvpn profile. So in other words, if the name "myvpn" is used for both the VPN profile and the LAN interface, it may be wrongly filtered by my "sed/grep" pattern matching.
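The gateway extraction explained in the earlier reply and the up script above can be put into one script that is safer to run on a router. What follows is an added example, not the thread's or beentje's code: it keeps the logread approach but anchors the grep on the syslog tag OpenWrt's openvpn init script gives each instance (`openvpn(<profile>)`, closing bracket included), so a second profile or an interface with a similar name no longer pollutes the match; it checks that the result is an IPv4 address before touching the routing table; it loops over the clients instead of copy-pasting blocks and adds the default route once; and with DRY_RUN=1 it prints the ip(8) commands instead of executing them. Assumptions, all labelled in the code: the profile is called "nordvpn", the routing table is called "vpn" in /etc/iproute2/rt_tables, and OpenVPN's documented script environment variables `script_type` and `route_vpn_gateway` are available (the latter is used first, with the logread parsing as fallback). The logread excerpt is constructed for the example.

```shell
#!/bin/sh
# Policy-routing up/down script for an OpenVPN client on OpenWrt (added example, not
# from the thread). Assumed names: profile "nordvpn" in /etc/config/openvpn and a
# routing table named "vpn" in /etc/iproute2/rt_tables.

PROFILE=${PROFILE:-nordvpn}                                # unique openvpn profile name
CLIENTS=${CLIENTS:-"192.168.75.21 192.168.75.22 192.168.75.23"}   # space separated

# Execute a command, or only print it when DRY_RUN is set (review before deploying).
run() {
    if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi
}

# Read logread output on stdin, print the last route-gateway pushed to this profile.
# OpenWrt starts each instance with --syslog "openvpn(<profile>)"; matching that whole
# tag (with the closing bracket) keeps "nordvpn" from also matching "nordvpn_de".
extract_route_gateway() {
    grep -F "openvpn($1)" | grep 'route-gateway' \
        | sed -e 's/.*route-gateway //' -e 's/,.*//' | tail -n 1
}

# True only for a dotted quad with every octet in 0..255.
is_ipv4() {
    echo "$1" | awk -F. '{
        if (NF != 4) exit 1
        for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1
        exit 0 }'
}

# vpn_up <tun_dev> <gateway> <client>... : rules and routes that send CLIENTS via the tunnel.
vpn_up() {
    tun_dev=$1; gw=$2; shift 2
    if ! is_ipv4 "$gw"; then
        echo "vpn_up: '$gw' is not an IPv4 gateway, refusing to add routes" >&2
        return 1
    fi
    # One default route in the vpn table is enough for every client.
    run ip route add default via "$gw" dev "$tun_dev" table vpn
    for client in "$@"; do
        echo "Routing client $client traffic through VPN" >&2
        run ip rule add from "$client" priority 10 table vpn
    done
    run ip route flush cache
}

# vpn_down <client>... : undo vpn_up (drop the per-client rules, empty the vpn table).
vpn_down() {
    for client in "$@"; do
        run ip rule del from "$client" priority 10 table vpn
    done
    run ip route flush table vpn
    run ip route flush cache
}

# Constructed logread excerpt (not from the thread): two profiles received different
# gateways, and a netifd interface shares the first profile's name.
sample_logread() {
    cat <<'EOF'
Sat Mar  9 10:00:01 2019 daemon.notice openvpn(nordvpn)[1832]: PUSH: Received control message: 'PUSH_REPLY,route-gateway 10.8.8.1,topology subnet,ifconfig 10.8.8.6 255.255.255.0'
Sat Mar  9 10:00:02 2019 daemon.notice netifd: Interface 'nordvpn' is now up
Sat Mar  9 10:00:07 2019 daemon.notice openvpn(nordvpn_de)[1840]: PUSH: Received control message: 'PUSH_REPLY,route-gateway 10.7.7.1,topology subnet,ifconfig 10.7.7.9 255.255.255.0'
EOF
}

# OpenVPN calls the script with script_type=up|down in the environment and the tun
# device as $1; route_vpn_gateway (set by OpenVPN before --up) is preferred, the
# logread parsing from the thread is the fallback. Nothing runs when sourced for tests.
case "${script_type:-}" in
    up)   gw=${route_vpn_gateway:-$(logread | extract_route_gateway "$PROFILE")}
          vpn_up "$1" "$gw" $CLIENTS ;;
    down) vpn_down $CLIENTS ;;
esac
```

Point both `--up` and `--down` (or `option up`/`option down` in the profile) at this one file; `script-security 2` is still needed in the profile for OpenVPN to run it. The firewall part stays separate: the VPN LAN zone should only forward into the tunnel zone, so that a tunnel outage does not fall back to the ISP.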