NordVPN with separate WiFi

Hello,

I want to make separate VPN WiFi and no-VPN WiFi networks in different subnets.

Tutorial:

VPN WiFi is working and gets a new external IP, but no-VPN WiFi is not working if OpenVPN is connected successfully.

Config with working VPN WiFi:

OpenVPN log with working VPN:

Wed Jan  1 15:11:21 2020 daemon.err openvpn(client)[1062]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Jan  1 15:11:21 2020 daemon.err openvpn(client)[1062]: TLS Error: TLS handshake failed
Wed Jan  1 15:11:21 2020 daemon.err openvpn(client)[1062]: Fatal TLS error (check_tls_errors_co), restarting
Wed Jan  1 15:11:21 2020 daemon.notice openvpn(client)[1062]: SIGUSR1[soft,tls-error] received, process restarting
Wed Jan  1 15:11:21 2020 daemon.notice openvpn(client)[1062]: Restart pause, 5 second(s)
Wed Jan  1 15:11:26 2020 daemon.warn openvpn(client)[1062]: WARNING: --ping should normally be used with --ping-restart or --ping-exit
Wed Jan  1 15:11:26 2020 daemon.notice openvpn(client)[1062]: NOTE: --fast-io is disabled since we are not using UDP
Wed Jan  1 15:11:26 2020 daemon.notice openvpn(client)[1062]: TCP/UDP: Preserving recently used remote address: [AF_INET]195.206.183.56:443
Wed Jan  1 15:11:26 2020 daemon.notice openvpn(client)[1062]: Socket Buffers: R=[87380->87380] S=[16384->16384]
Wed Jan  1 15:11:26 2020 daemon.notice openvpn(client)[1062]: Attempting to establish TCP connection with [AF_INET]195.206.183.56:443 [nonblock]
Wed Jan  1 15:11:27 2020 daemon.notice openvpn(client)[1062]: TCP connection established with [AF_INET]195.206.183.56:443
Wed Jan  1 15:11:27 2020 daemon.notice openvpn(client)[1062]: TCP_CLIENT link local: (not bound)
Wed Jan  1 15:11:27 2020 daemon.notice openvpn(client)[1062]: TCP_CLIENT link remote: [AF_INET]195.206.183.56:443
Wed Jan  1 15:11:27 2020 daemon.notice openvpn(client)[1062]: TLS: Initial packet from [AF_INET]195.206.183.56:443, sid=7657d3b7 93f5cc76
Wed Jan  1 15:11:27 2020 daemon.notice openvpn(client)[1062]: VERIFY OK: depth=2, C=PA, O=NordVPN, CN=NordVPN Root CA
Wed Jan  1 15:11:27 2020 daemon.notice openvpn(client)[1062]: VERIFY OK: depth=1, C=PA, O=NordVPN, CN=NordVPN CA4
Wed Jan  1 15:11:27 2020 daemon.notice openvpn(client)[1062]: VERIFY KU OK
Wed Jan  1 15:11:27 2020 daemon.notice openvpn(client)[1062]: Validating certificate extended key usage
Wed Jan  1 15:11:27 2020 daemon.notice openvpn(client)[1062]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Jan  1 15:11:27 2020 daemon.notice openvpn(client)[1062]: VERIFY EKU OK
Wed Jan  1 15:11:27 2020 daemon.notice openvpn(client)[1062]: VERIFY OK: depth=0, CN=uk1424.nordvpn.com
Wed Jan  1 15:11:27 2020 daemon.notice openvpn(client)[1062]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Wed Jan  1 15:11:27 2020 daemon.notice openvpn(client)[1062]: [uk1424.nordvpn.com] Peer Connection Initiated with [AF_INET]195.206.183.56:443
Wed Jan  1 15:11:29 2020 daemon.notice openvpn(client)[1062]: SENT CONTROL [uk1424.nordvpn.com]: 'PUSH_REQUEST' (status=1)
Wed Jan  1 15:11:29 2020 daemon.notice openvpn(client)[1062]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 103.86.96.100,dhcp-option DNS 103.86.99.100,sndbuf 524288,rcvbuf 524288,explicit-exit-notify,comp-lzo no,route-gateway 10.7.2.1,topology subnet,ping 60,ping-restart 180,ifconfig 10.7.2.4 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Wed Jan  1 15:11:29 2020 daemon.notice openvpn(client)[1062]: OPTIONS IMPORT: timers and/or timeouts modified
Wed Jan  1 15:11:29 2020 daemon.notice openvpn(client)[1062]: OPTIONS IMPORT: --explicit-exit-notify can only be used with --proto udp
Wed Jan  1 15:11:29 2020 daemon.notice openvpn(client)[1062]: OPTIONS IMPORT: compression parms modified
Wed Jan  1 15:11:29 2020 daemon.notice openvpn(client)[1062]: OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Wed Jan  1 15:11:29 2020 daemon.notice openvpn(client)[1062]: Socket Buffers: R=[341760->327680] S=[44800->327680]
Wed Jan  1 15:11:29 2020 daemon.notice openvpn(client)[1062]: OPTIONS IMPORT: --ifconfig/up options modified
Wed Jan  1 15:11:29 2020 daemon.notice openvpn(client)[1062]: OPTIONS IMPORT: route options modified
Wed Jan  1 15:11:29 2020 daemon.notice openvpn(client)[1062]: OPTIONS IMPORT: route-related options modified
Wed Jan  1 15:11:29 2020 daemon.notice openvpn(client)[1062]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Wed Jan  1 15:11:29 2020 daemon.notice openvpn(client)[1062]: OPTIONS IMPORT: peer-id set
Wed Jan  1 15:11:29 2020 daemon.notice openvpn(client)[1062]: OPTIONS IMPORT: adjusting link_mtu to 1659
Wed Jan  1 15:11:29 2020 daemon.notice openvpn(client)[1062]: OPTIONS IMPORT: data channel crypto options modified
Wed Jan  1 15:11:29 2020 daemon.notice openvpn(client)[1062]: Data Channel: using negotiated cipher 'AES-256-GCM'
Wed Jan  1 15:11:29 2020 daemon.notice openvpn(client)[1062]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Jan  1 15:11:29 2020 daemon.notice openvpn(client)[1062]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Jan  1 15:11:29 2020 daemon.notice openvpn(client)[1062]: TUN/TAP device tun0 opened
Wed Jan  1 15:11:29 2020 daemon.notice openvpn(client)[1062]: TUN/TAP TX queue length set to 100
Wed Jan  1 15:11:29 2020 daemon.notice openvpn(client)[1062]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Wed Jan  1 15:11:29 2020 daemon.notice openvpn(client)[1062]: /sbin/ifconfig tun0 10.7.2.4 netmask 255.255.255.0 mtu 1500 broadcast 10.7.2.255
Wed Jan  1 15:11:29 2020 daemon.notice openvpn(client)[1062]: /sbin/route add -net 195.206.183.56 netmask 255.255.255.255 gw 11.11.183.254
Wed Jan  1 15:11:29 2020 daemon.notice openvpn(client)[1062]: /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.7.2.1
Wed Jan  1 15:11:29 2020 daemon.notice openvpn(client)[1062]: /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.7.2.1
Wed Jan  1 15:11:29 2020 daemon.notice openvpn(client)[1062]: Initialization Sequence Completed

root@OpenWrt:~# cat /etc/config/network


config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth1.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'
        list dns '8.8.8.8'
        list dns '8.8.4.4'

config interface 'wan6'
        option ifname 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 4 0t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '5 6t'

config interface 'client_vpn'
        option proto 'none'
        option ifname 'tun0'
        option metric '10'

config interface 'vpnuser'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        option type 'bridge'

config rule
        option in 'vpnuser'
        option lookup '100'

config route 'vpn'
        option interface 'client_vpn'
        option target '0.0.0.0'
        option netmask '0.0.0.0'
        option table '100'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'
		
config zone
        option input 'ACCEPT'
        option output 'ACCEPT'
        option name 'vpnuser'
        option forward 'ACCEPT'
        option network 'vpnuser'

config forwarding
        option dest 'vpn'
        option src 'vpnuser'

config zone
        option name 'vpn'
        option input 'REJECT'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option forward 'ACCEPT'
        option network 'client_vpn'

root@OpenWrt:~# cat /etc/config/wireless


config wifi-device 'radio0'
        option type 'mac80211'
        option channel '11'
        option hwmode '11g'
        option path 'platform/qca955x_wmac'
        option htmode 'HT20'
        option country 'US'
        option legacy_rates '1'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option encryption 'psk-mixed'
        option key 'pass'
        option ssid 'WifinoVPN'

config wifi-iface
        option device 'radio0'
        option mode 'ap'
        option ssid 'WifiVPN'
        option network 'vpnuser'
        option encryption 'psk-mixed'
        option key 'pass'

root@OpenWrt:/etc/config# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv6 'server'
        option ra 'server'
        list dhcp_option '6,1.1.1.1,1.0.0.1'
        list dhcp_option '6,8.8.8.8,8.8.4.4'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'vpnuser'
        option start '100'
        option leasetime '12h'
        option limit '150'
        option interface 'vpnuser'

root@OpenWrt:/etc/config# ip -4 addr

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
5: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
7: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 11.11.181.252/22 brd 11.11.183.255 scope global eth0.2
       valid_lft forever preferred_lft forever
8: br-vpnuser: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.2.1/24 brd 192.168.2.255 scope global br-vpnuser
       valid_lft forever preferred_lft forever
11: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 100
    inet 10.7.2.4/24 brd 10.7.2.255 scope global tun0
       valid_lft forever preferred_lft forever

root@OpenWrt:/etc/config# ip -4 ro

0.0.0.0/1 via 10.7.2.1 dev tun0
default via 11.11.183.254 dev eth0.2  src 11.11.181.252
10.7.2.0/24 dev tun0 scope link  src 10.7.2.4
11.11.180.0/22 dev eth0.2 scope link  src 11.11.181.252
128.0.0.0/1 via 10.7.2.1 dev tun0
192.168.1.0/24 dev br-lan scope link  src 192.168.1.1
192.168.2.0/24 dev br-vpnuser scope link  src 192.168.2.1
195.206.183.56 via 11.11.183.254 dev eth0.2

root@OpenWrt:/etc/config# ip -4 ru

0:      from all lookup local
1:      from all iif br-vpnuser lookup 100
32766:  from all lookup main
32767:  from all lookup default

Ping from laptop on VPN WiFi:

ping 192.168.1.1
Reply from 192.168.1.1: bytes=32 time=1ms TTL=64

ping 192.168.2.1
Reply from 192.168.2.1: bytes=32 time=1ms TTL=64

ping 8.8.8.8
Reply from 8.8.8.8: bytes=32 time=41ms TTL=55

If I add this to the .ovpn:
route-nopull

VPN WiFi is not working, but no-VPN WiFi is working.

OpenVPN log with VPN WiFi not working:

Wed Jan  1 15:26:23 2020 daemon.notice openvpn(client)[2362]: OpenVPN 2.4.5 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Wed Jan  1 15:26:23 2020 daemon.notice openvpn(client)[2362]: library versions: OpenSSL 1.0.2t  10 Sep 2019, LZO 2.10
Wed Jan  1 15:26:23 2020 daemon.warn openvpn(client)[2362]: WARNING: --ping should normally be used with --ping-restart or --ping-exit
Wed Jan  1 15:26:23 2020 daemon.notice openvpn(client)[2362]: NOTE: --fast-io is disabled since we are not using UDP
Wed Jan  1 15:26:23 2020 daemon.notice openvpn(client)[2362]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Wed Jan  1 15:26:23 2020 daemon.notice openvpn(client)[2362]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Wed Jan  1 15:26:23 2020 daemon.notice openvpn(client)[2362]: TCP/UDP: Preserving recently used remote address: [AF_INET]195.206.183.56:443
Wed Jan  1 15:26:23 2020 daemon.notice openvpn(client)[2362]: Socket Buffers: R=[87380->87380] S=[16384->16384]
Wed Jan  1 15:26:23 2020 daemon.notice openvpn(client)[2362]: Attempting to establish TCP connection with [AF_INET]195.206.183.56:443 [nonblock]
Wed Jan  1 15:26:24 2020 daemon.notice openvpn(client)[2362]: TCP connection established with [AF_INET]195.206.183.56:443
Wed Jan  1 15:26:24 2020 daemon.notice openvpn(client)[2362]: TCP_CLIENT link local: (not bound)
Wed Jan  1 15:26:24 2020 daemon.notice openvpn(client)[2362]: TCP_CLIENT link remote: [AF_INET]195.206.183.56:443
Wed Jan  1 15:26:24 2020 daemon.notice openvpn(client)[2362]: TLS: Initial packet from [AF_INET]195.206.183.56:443, sid=4fa2565d b32b88f6
Wed Jan  1 15:26:24 2020 daemon.warn openvpn(client)[2362]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Wed Jan  1 15:26:24 2020 daemon.notice openvpn(client)[2362]: VERIFY OK: depth=2, C=PA, O=NordVPN, CN=NordVPN Root CA
Wed Jan  1 15:26:24 2020 daemon.notice openvpn(client)[2362]: VERIFY OK: depth=1, C=PA, O=NordVPN, CN=NordVPN CA4
Wed Jan  1 15:26:24 2020 daemon.notice openvpn(client)[2362]: VERIFY KU OK
Wed Jan  1 15:26:24 2020 daemon.notice openvpn(client)[2362]: Validating certificate extended key usage
Wed Jan  1 15:26:24 2020 daemon.notice openvpn(client)[2362]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Jan  1 15:26:24 2020 daemon.notice openvpn(client)[2362]: VERIFY EKU OK
Wed Jan  1 15:26:24 2020 daemon.notice openvpn(client)[2362]: VERIFY OK: depth=0, CN=uk1424.nordvpn.com
Wed Jan  1 15:26:25 2020 daemon.notice openvpn(client)[2362]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Wed Jan  1 15:26:25 2020 daemon.notice openvpn(client)[2362]: [uk1424.nordvpn.com] Peer Connection Initiated with [AF_INET]195.206.183.56:443
Wed Jan  1 15:26:26 2020 daemon.notice openvpn(client)[2362]: SENT CONTROL [uk1424.nordvpn.com]: 'PUSH_REQUEST' (status=1)
Wed Jan  1 15:26:26 2020 daemon.notice openvpn(client)[2362]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 103.86.96.100,dhcp-option DNS 103.86.99.100,sndbuf 524288,rcvbuf 524288,explicit-exit-notify,comp-lzo no,route-gateway 10.7.2.1,topology subnet,ping 60,ping-restart 180,ifconfig 10.7.2.4 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Wed Jan  1 15:26:26 2020 daemon.err openvpn(client)[2362]: Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
Wed Jan  1 15:26:26 2020 daemon.err openvpn(client)[2362]: Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Wed Jan  1 15:26:26 2020 daemon.err openvpn(client)[2362]: Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Wed Jan  1 15:26:26 2020 daemon.notice openvpn(client)[2362]: OPTIONS IMPORT: timers and/or timeouts modified
Wed Jan  1 15:26:26 2020 daemon.notice openvpn(client)[2362]: OPTIONS IMPORT: --explicit-exit-notify can only be used with --proto udp
Wed Jan  1 15:26:26 2020 daemon.notice openvpn(client)[2362]: OPTIONS IMPORT: compression parms modified
Wed Jan  1 15:26:26 2020 daemon.notice openvpn(client)[2362]: OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Wed Jan  1 15:26:26 2020 daemon.notice openvpn(client)[2362]: Socket Buffers: R=[341760->327680] S=[44800->327680]
Wed Jan  1 15:26:26 2020 daemon.notice openvpn(client)[2362]: OPTIONS IMPORT: --ifconfig/up options modified
Wed Jan  1 15:26:26 2020 daemon.notice openvpn(client)[2362]: OPTIONS IMPORT: route-related options modified
Wed Jan  1 15:26:26 2020 daemon.notice openvpn(client)[2362]: OPTIONS IMPORT: peer-id set
Wed Jan  1 15:26:26 2020 daemon.notice openvpn(client)[2362]: OPTIONS IMPORT: adjusting link_mtu to 1659
Wed Jan  1 15:26:26 2020 daemon.notice openvpn(client)[2362]: OPTIONS IMPORT: data channel crypto options modified
Wed Jan  1 15:26:26 2020 daemon.notice openvpn(client)[2362]: Data Channel: using negotiated cipher 'AES-256-GCM'
Wed Jan  1 15:26:26 2020 daemon.notice openvpn(client)[2362]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Jan  1 15:26:26 2020 daemon.notice openvpn(client)[2362]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Jan  1 15:26:26 2020 daemon.notice openvpn(client)[2362]: TUN/TAP device tun0 opened
Wed Jan  1 15:26:26 2020 daemon.notice openvpn(client)[2362]: TUN/TAP TX queue length set to 100
Wed Jan  1 15:26:26 2020 daemon.notice openvpn(client)[2362]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Wed Jan  1 15:26:26 2020 daemon.notice openvpn(client)[2362]: /sbin/ifconfig tun0 10.7.2.4 netmask 255.255.255.0 mtu 1500 broadcast 10.7.2.255
Wed Jan  1 15:26:26 2020 daemon.notice openvpn(client)[2362]: Initialization Sequence Completed

Is it possible to make both work at the same time (VPN WiFi and no-VPN WiFi)?

from all iif br-vpnuser lookup 100

I've never seen such an option. The standard approach is to mark packets.

config rule
        option in 'vpnuser'
        option lookup '100'

Have you seen an example using such an approach?

It is in my config/network.

Yes, have you seen such an example anywhere? Use vpnbypass or policy-based-routing.

OK. If I use vpnbypass, do I need OpenVPN with default settings (network/firewall/dhcp...)? I want to watch Netflix from the US (now I am in the EU).

NordVPN? Really?

https://techcrunch.com/2019/10/21/nordvpn-confirms-it-was-hacked/

Now i am testing with ProtonVPN.

Are they the same as Proton Mail? I may have a look.

I am currently using PrivateVPN, it's cheap and reliable

Same as Proton Mail.

How does PrivateVPN work with Netflix?

Netflix works like a charm :slight_smile:
It's based in Sweden, so a no-log policy is assured (well, it should be...)

ProtonVPN is for sure reliable and secure, and the no-log policy will be a sure thing (I live in Switzerland; ISPs shall log by law, but for some reason VPN providers do not have to log), but it's not cheap at all.

You should configure OpenVPN to route all packets to it. After that, configure vpnbypass to route only packets from a specific network.

Been a while since I did this but it didn't require much special stuff like marking.

First realize that the "non-VPN" wifi is simply a standard router configuration. You want to run OpenVPN alongside this without letting it take over the router's default routing. So the OpenVPN settings to not accept pushed routes and not install a default route are important.

With that set up you should have a tun0 that leads to the VPN server but the router otherwise still operates without anything actually going through the VPN. Confirm that the OpenVPN client can actually authenticate and connect to your VPN service before going further.

Next you would set up another network that NATs the user devices that want to VPN into the VPN tunnel. It is exactly like a guest network that holds a separate group of users and NATs them into the WAN. To that end you need two firewall zones one for the VPN tunnel and one for the VPN user network. Set up forwarding from vpnuser to vpntun and enable masquerade on the vpntun zone.
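The approach described above, written out as an added example for OpenWrt (this is not code from the thread, the NordVPN tutorial or the vpnbypass package). It is a POSIX shell script that emits a `uci batch` for the same names the first post uses (network `vpnuser` on bridge `br-vpnuser`, interface `client_vpn` on `tun0`, firewall zone `vpn`, routing table 100), with OpenVPN itself running with `route-nopull` in the .ovpn as the original poster already did. Two things are added that the post does not spell out: an `unreachable` fallback route in table 100 (netifd's documented route `type` option, assumed to be available on this build) so that while `tun0` is down a lookup in table 100 cannot fall through to the main table and leave via the WAN, and a DHCP option handing VPN clients the resolvers from the posted PUSH_REPLY (103.86.96.100 and 103.86.99.100), because with `route-nopull` the pushed DNS is ignored and queries answered by the router's own dnsmasq would go out over the WAN, not through the tunnel. The `check_policy_routing` function is a constructed offline check over the text of `ip -4 rule` and `ip -4 route show table 100`; the sample outputs in the script are constructed, not captured from the poster's router.

```shell
#!/bin/sh
# Added example (not from the thread): route one WiFi network through tun0
# on OpenWrt using the names from the first post:
#   vpnuser    = 192.168.2.0/24 bridge (br-vpnuser) that must use the VPN
#   client_vpn = netifd interface wrapping tun0, placed in firewall zone 'vpn'
#   table 100  = routing table consulted only for packets arriving on br-vpnuser
# OpenVPN must run with 'route-nopull' in its .ovpn so the pushed
# 'redirect-gateway def1' cannot take over the main routing table.

# Emit the uci batch. Comment lines are stripped because uci batch does not
# accept them. Apply on the router (fresh config assumed) with:
#   sh vpn-policy.sh print | uci batch && uci commit && reload_config
vpn_policy_uci_batch() {
    sed '/^[[:space:]]*#/d' <<'EOF'
set network.client_vpn=interface
set network.client_vpn.proto='none'
set network.client_vpn.ifname='tun0'
set network.vpnuser=interface
set network.vpnuser.type='bridge'
set network.vpnuser.proto='static'
set network.vpnuser.ipaddr='192.168.2.1'
set network.vpnuser.netmask='255.255.255.0'
# forwarded packets that ENTER on br-vpnuser consult table 100 first
set network.vpnuser_rule=rule
set network.vpnuser_rule.in='vpnuser'
set network.vpnuser_rule.lookup='100'
# table 100: default through the tunnel ...
set network.vpn_default=route
set network.vpn_default.interface='client_vpn'
set network.vpn_default.target='0.0.0.0'
set network.vpn_default.netmask='0.0.0.0'
set network.vpn_default.table='100'
# ... plus an 'unreachable' fallback (assumption: netifd route type option)
# so that while tun0 is down the lookup stops here instead of falling
# through to the main table and the WAN
set network.vpn_killswitch=route
set network.vpn_killswitch.interface='vpnuser'
set network.vpn_killswitch.type='unreachable'
set network.vpn_killswitch.target='0.0.0.0'
set network.vpn_killswitch.netmask='0.0.0.0'
set network.vpn_killswitch.table='100'
set network.vpn_killswitch.metric='1000'
# firewall: vpnuser may be forwarded into the vpn zone only, never into wan;
# masquerade on the vpn zone NATs clients behind the tunnel address
set firewall.vpnuser=zone
set firewall.vpnuser.name='vpnuser'
set firewall.vpnuser.network='vpnuser'
set firewall.vpnuser.input='ACCEPT'
set firewall.vpnuser.output='ACCEPT'
set firewall.vpnuser.forward='REJECT'
set firewall.vpn=zone
set firewall.vpn.name='vpn'
set firewall.vpn.network='client_vpn'
set firewall.vpn.input='REJECT'
set firewall.vpn.output='ACCEPT'
set firewall.vpn.forward='REJECT'
set firewall.vpn.masq='1'
set firewall.vpn.mtu_fix='1'
set firewall.vpnuser_to_vpn=forwarding
set firewall.vpnuser_to_vpn.src='vpnuser'
set firewall.vpnuser_to_vpn.dest='vpn'
# DHCP: hand VPN clients the provider resolvers seen in the posted PUSH_REPLY,
# so DNS is a forwarded packet that obeys the ip rule rather than a query the
# router resolves itself over the WAN
set dhcp.vpnuser=dhcp
set dhcp.vpnuser.interface='vpnuser'
set dhcp.vpnuser.start='100'
set dhcp.vpnuser.limit='150'
set dhcp.vpnuser.leasetime='12h'
add_list dhcp.vpnuser.dhcp_option='6,103.86.96.100,103.86.99.100'
EOF
}

# Offline check of the live state. Arguments: the text of `ip -4 rule` and of
# `ip -4 route show table 100`. Returns 0 only if the rule, the tunnel default
# and the unreachable fallback are all present; otherwise says what is missing.
check_policy_routing() {
    _rules=$1
    _table=$2
    printf '%s\n' "$_rules" | grep -q 'iif br-vpnuser lookup 100' \
        || { echo "no ip rule sending br-vpnuser traffic to table 100" >&2; return 1; }
    printf '%s\n' "$_table" | grep -q '^default .*dev tun0' \
        || { echo "table 100 has no default through tun0 (tunnel down?)" >&2; return 1; }
    printf '%s\n' "$_table" | grep -q '^unreachable default' \
        || { echo "table 100 lacks the unreachable fallback: traffic would leak to WAN" >&2; return 1; }
    return 0
}

# Usage on the router:  sh vpn-policy.sh print   or   sh vpn-policy.sh check
case "${1:-}" in
    print) vpn_policy_uci_batch ;;
    check) check_policy_routing "$(ip -4 rule)" "$(ip -4 route show table 100)" ;;
esac
```

After applying, `sh vpn-policy.sh check` should pass only while the tunnel is up; when OpenVPN restarts (the first log shows exactly such a TLS timeout and restart) the tunnel default disappears, the check reports the tunnel as down, and the `unreachable` route plus the missing vpnuser-to-wan forwarding keep the VPN clients offline instead of silently leaking out of the WAN.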

That's exactly what I did. I simply started the how-to from the NordVPN website, got it working, then changed that network to 192.168.1.1/25, created another VLAN, gave that 192.168.1.129/25, installed vpnbypass, and added a new SSID to the new VLAN.

The only thing i did not do was in the nordvpn tutorial, I did not add the script to block non-vpn traffic when the tunnel goes down, as I have that set up in vpnbypass.

How should I change my settings? They are posted in the first message.

Maybe you can share your config or a tutorial (changed that network to 192.168.1.1/25, created another VLAN...)?

Oh, I just played around till I got it working... In the LuCI web console, do the following:

Network > Switch.
Click Add, set the new VLAN to "CPU: tagged" and "WAN off". Any LAN ports can be switched between VLANs (VLAN 1 will be ports tied to the VPN, and VLAN 3 is non-VPN). For each LAN port, set it to "untagged" if you want it to be applied, and "off" otherwise.

Once that is configured, you'll see a new interface (probably "eth0.3" physical, and "LAN2" logical).

In Networking > Interface, you need to configure the IPv4 configurations on both LAN and LAN2 to different subnets and configure the DHCP for them.

Then go to Networking > Wireless and add a new SSID. Edit the new one; in Interface Configuration > Network, select the new interface (LAN2 for me).

After you set the correct network, you can connect to the SSID to validate you are in the correct IP range through DHCP.

Once you have validated that, you can just follow the vpnbypass (vpn-policy-routing) tutorials available here, make a policy with only the local addresses and interface portion configured, and you'll be all set.

Good luck!

I threw some applicable config files (scrubbed of passwords, etc.) into a zip for you so you can check it out. Again, I just installed OpenWrt for the first time less than a month ago and am not terribly familiar with Linux, so after the NordVPN tutorial, most of it was just trial, error, and educated guesses.

Thank you. I will try :slight_smile:

It is working!!!

But I have strange things :frowning: I cannot open some websites with no-VPN WiFi, or they load very slowly and only show letters.

Example: delfi.ru

And a very big load:

I do not see any significantly heavy load in the top screenshot.
Try a traceroute or mtr to see if you have latency or packet loss to the sites you have issues with.