OpenVPN on second router

Hello Everyone again,

I am having some problems setting up my Raspberry Pi as a VPN router.
I followed the instructions in the docs for setting up the VPN and everything seems fine: I can reach the internet, the VPN (NordVPN server) is enabled and running, but my public IP is not changing.
As further information, I connected the Raspberry to the router using an Ethernet cable.

Tried to check past threads but nothing solved it, hope someone can help.

You have to describe your setup: what's running where? What OS/firmware is on the Pi? Where is it connected to and how? How are you observing your public IP not changing? Is Pi sharing the internet with something else (i.e. acting as a router)?

Ok, so here is some more info:

Pi connected to the main router using an Ethernet cable.
I connect my laptop and smartphone to the Pi Wi-Fi and check my public IP using various websites that offer this service.
Pi OS: OpenWrt 24.10

Tried every kind of setting and followed different guides on YouTube but the result is always the same: I can reach the internet connecting to the Raspberry but the VPN is not tunneling.
In case it is helpful, here is some more info:

{
        "kernel": "6.6.73",
        "hostname": "OpenWrt",
        "system": "ARMv7 Processor rev 4 (v7l)",
        "model": "Raspberry Pi 3 Model B Rev 1.2",
        "board_name": "raspberrypi,3-model-b",
        "rootfs_type": "ext4",
        "release": {
                "distribution": "OpenWrt",
                "version": "24.10.0",
                "revision": "r28427-6df0e3d02a",
                "target": "bcm27xx/bcm2709",
                "description": "OpenWrt 24.10.0 r28427-6df0e3d02a",
                "builddate": "1738624177"
        }
}
package network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fddb:4711:64e9::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'dhcp'
        option ip6assign '60'

config interface 'tun0'
        option proto 'none'
        option device 'tun0'

package dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option ra_slaac '1'
        option ignore '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

package firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone 'lan'
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone 'wan'
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option family 'ipv4'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'tun0'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'tun0'
        option masq '1'

config forwarding
        option src 'lan'
        option dest 'tun0'

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
4: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.1.7/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 500
    inet 10.100.0.2/16 scope global tun0
       valid_lft forever preferred_lft forever
0.0.0.0/1 via 10.100.0.1 dev tun0
default via 192.168.1.254 dev br-lan  src 192.168.1.7
10.100.0.0/16 dev tun0 scope link  src 10.100.0.2
91.205.107.133 via 192.168.1.254 dev br-lan
128.0.0.0/1 via 10.100.0.1 dev tun0
192.168.1.0/24 dev br-lan scope link  src 192.168.1.7
local 10.100.0.2 dev tun0 table local scope host  src 10.100.0.2
broadcast 10.100.255.255 dev tun0 table local scope link  src 10.100.0.2
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1
local 192.168.1.7 dev br-lan table local scope host  src 192.168.1.7
broadcast 192.168.1.255 dev br-lan table local scope link  src 192.168.1.7
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
lrwxrwxrwx    1 root     root            16 Feb  3 23:09 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root            47 Mar 11 08:28 /tmp/resolv.conf
-rw-r--r--    1 root     root            41 Mar 11 08:28 /tmp/resolv.conf.d/resolv.conf.auto

/tmp/resolv.conf.d:
-rw-r--r--    1 root     root            41 Mar 11 08:28 resolv.conf.auto
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf.d <==
head: /tmp/resolv.conf.d: I/O error

==> /tmp/resolv.conf.d/resolv.conf.auto <==
# Interface lan
nameserver 192.168.1.254
root@OpenWrt:~#
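Added example, not from the thread: a small Python script that replays the kernel's longest-prefix route lookup over the main routing table posted above. It shows that the Pi's own outbound traffic resolves to tun0 through the 0.0.0.0/1 and 128.0.0.0/1 routes (the pattern OpenVPN installs with redirect-gateway def1), while the /32 host route for the VPN server stays on br-lan so the tunnel's own packets do not loop back into it. The route dump is copied from the post; the function names are my own.

```python
import ipaddress

# Main routing table exactly as printed in the post above ('ip route' output,
# without the 'table local' entries and the policy rule list).
ROUTE_DUMP = """\
0.0.0.0/1 via 10.100.0.1 dev tun0
default via 192.168.1.254 dev br-lan  src 192.168.1.7
10.100.0.0/16 dev tun0 scope link  src 10.100.0.2
91.205.107.133 via 192.168.1.254 dev br-lan
128.0.0.0/1 via 10.100.0.1 dev tun0
192.168.1.0/24 dev br-lan scope link  src 192.168.1.7
"""


def parse_routes(dump):
    """Turn 'ip route' lines into (network, gateway-or-None, device) tuples."""
    routes = []
    for line in dump.splitlines():
        fields = line.split()
        if not fields:
            continue
        prefix = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        net = ipaddress.ip_network(prefix, strict=False)  # bare host -> /32
        via = fields[fields.index("via") + 1] if "via" in fields else None
        dev = fields[fields.index("dev") + 1]
        routes.append((net, via, dev))
    return routes


def lookup(routes, dst):
    """Longest-prefix match over the table, the same rule the kernel applies."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, via, dev in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via, dev)
    return best


def egress(dump, dst):
    """Which route the router itself would use to reach dst."""
    net, via, dev = lookup(parse_routes(dump), dst)
    return {"prefix": str(net), "via": via, "dev": dev}


def internet_is_tunneled(dump):
    """True when both /1 halves of the address space are present, point at the
    same interface, and that interface differs from the one carrying the
    default route. That is the redirect-gateway def1 layout: the two /1 routes
    win over 'default' by prefix length without replacing it."""
    routes = parse_routes(dump)
    halves = [(net, dev) for net, _, dev in routes if net.prefixlen == 1]
    half_devs = {dev for _, dev in halves}
    default_devs = [dev for net, _, dev in routes if net.prefixlen == 0]
    return (len(halves) == 2 and len(half_devs) == 1
            and bool(default_devs) and default_devs[0] not in half_devs)


if __name__ == "__main__":
    for dst in ("1.1.1.1", "203.0.113.5", "91.205.107.133", "192.168.1.254"):
        print(dst, "->", egress(ROUTE_DUMP, dst))
    print("router's own internet traffic tunneled:", internet_is_tunneled(ROUTE_DUMP))
```

This only describes packets that pass through the Pi's own routing table. A client attached to a bridged AP hands its frames straight to the upstream router and never consults this table, which is why a healthy-looking tunnel on the Pi can coexist with an unchanged public IP on the laptop.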

Did you follow this guide?

Yes, that is the first one I followed, everything as described, but the VPN is still not working

I assume this is set up as a BridgedAP?

If so, these are my notes about a WireGuard client on a BridgedAP, but just read OpenVPN where it says WireGuard

If you want to set up a WireGuard client on a BridgedAP, then be aware that normal traffic from your clients just bypasses your BridgedAP, so it will not use the WireGuard tunnel unless you point the gateway of your clients to the BridgedAP (by using DNSMasq tagging with option 3 or an iptables redirect) or set up a Guest Wifi on the BridgedAP.
In case of using a Guest wifi, all clients using your Guest wifi will automatically use the WireGuard tunnel, so this is the easier option.

First double check that you have set up your BridgedAP correctly, see:
https://openwrt.org/docs/guide-user/network/wifi/wifiextenders/bridgedap

For a Guest Wifi see:
https://openwrt.org/docs/guide-user/network/wifi/guestwifi/guestwifi_dumbap
Set up the Guest wifi and check that it is working without WireGuard!
Note: do not forget to Enable Masquerading on the LAN zone

Set up a WireGuard client the regular way as described, but for the firewall settings I recommend using a separate zone for the WireGuard interface, as you need to enable MSS clamping, and then make a forward rule to forward from the guest zone to the vpn_client zone.
If you then remove the forwarding from the guest zone to the lan zone you will have an effective killswitch.
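To make the zone layout described in this reply checkable, here is an added Python example (not from the thread or the OpenWrt wiki) that parses UCI firewall text and reports whether the guest zone can exit only through the VPN zone and whether MSS clamping is enabled on that zone. The zone names guest and vpn_client follow the reply; the two configurations are constructed for the example, one with the leak the reply warns about and one with it removed.

```python
import shlex

# Constructed UCI firewall fragments (not from the thread) for a BridgedAP that
# carries a guest Wi-Fi and a VPN client interface in its own zone 'vpn_client'.
ZONES = """\
config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'

config zone
        option name 'guest'
        list network 'guest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'vpn_client'
        list network 'vpn_client'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
"""

TO_VPN = """
config forwarding
        option src 'guest'
        option dest 'vpn_client'
"""

TO_LAN = """
config forwarding
        option src 'guest'
        option dest 'lan'
"""

# Weak: no MSS clamping on the tunnel zone, and guest traffic is also forwarded
# to 'lan', so if the tunnel drops, clients silently fall back to the upstream.
LEAKY_CONFIG = ZONES + TO_VPN + TO_LAN
# Hardened: mtu_fix added to the tunnel zone, and the only exit for 'guest' is
# the tunnel (the guest->lan forwarding is simply absent).
HARDENED_CONFIG = ZONES.replace(
    "list network 'vpn_client'",
    "list network 'vpn_client'\n        option mtu_fix '1'") + TO_VPN


def parse_uci(text):
    """Minimal parser for UCI 'config' / 'option' / 'list' lines as printed by
    'uci export'. Section names are not needed here; zones are matched by name."""
    sections = []
    for raw in text.splitlines():
        parts = shlex.split(raw, comments=True)
        if not parts or parts[0] not in ("config", "option", "list"):
            continue
        if parts[0] == "config":
            sections.append({"type": parts[1], "options": {}})
        elif parts[0] == "option":
            sections[-1]["options"][parts[1]] = parts[2]
        else:
            sections[-1]["options"].setdefault(parts[1], []).append(parts[2])
    return sections


def zone_by_name(sections, zname):
    for s in sections:
        if s["type"] == "zone" and s["options"].get("name") == zname:
            return s
    return None


def audit_vpn_forwarding(text, guest_zone, vpn_zone):
    """Return a list of findings; an empty list means the guest zone can only
    leave through the VPN zone and that zone is prepared for tunnel MTU."""
    sections = parse_uci(text)
    problems = []
    vpn = zone_by_name(sections, vpn_zone)
    if vpn is None:
        return [f"zone {vpn_zone!r} not defined"]
    if vpn["options"].get("masq") != "1":
        problems.append(f"zone {vpn_zone!r}: masquerading not enabled")
    if vpn["options"].get("mtu_fix") != "1":
        problems.append(f"zone {vpn_zone!r}: MSS clamping (mtu_fix) not enabled")
    dests = {s["options"].get("dest") for s in sections
             if s["type"] == "forwarding" and s["options"].get("src") == guest_zone}
    if vpn_zone not in dests:
        problems.append(f"no forwarding from {guest_zone!r} to {vpn_zone!r}")
    for d in sorted(dests - {vpn_zone}):
        problems.append(f"forwarding {guest_zone!r} -> {d!r} bypasses the tunnel (no kill switch)")
    return problems


if __name__ == "__main__":
    for label, cfg in (("leaky", LEAKY_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_vpn_forwarding(cfg, "guest", "vpn_client") or "ok")
```

Run it against the output of `uci export firewall` on the Pi to check a real configuration; the check is deliberately narrow and does not validate the interface, wireless or DHCP side of the guest setup.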

Yes, it is set up as a BridgedAP and I was not aware that normal traffic just bypasses the BridgedAP; I was following the guide step by step and I thought I was doing everything right.
I will try to set up a Guest Wifi and see if it works.


Followed the guide but when connected to the Guest wifi I cannot reach the internet; I also tried to stop the VPN to see if that was the problem, but it didn't solve it.

If you do not have internet on your guest wifi while the VPN is stopped, you probably have a setup error in either the setup of the BridgedAP or the setup of the Guest wifi on a BridgedAP, so carefully check with both wikis

Restarted and followed the guide step by step and it didn't solve it; just noticed that the MAC address for br-guest is 00:00:00:00:00:00, don't know why.
As for the BridgedAP, I can reach the internet if connected to the OpenWrt, the problem is the Guest Wifi