Openvpn client not changing my ip

I'm trying to follow the openvpn client guide

Unfortunately my IP does not change. Any help would be appreciated.

Config/Log information requested in the troubleshooting is available at pastebin

echo "redirect-gateway def1" >> /etc/openvpn/vpnclient.ovpn
service openvpn restart

Thank you for the help. I have redirect-gateway in the openvpn settings already. I uploaded the ovpn config and ip routing table below.

root@OpenWrt:~# cat /etc/openvpn/vpnclient.ovpn

root@OpenWrt:~# route

traceroute -n
root@OpenWrt:~# traceroute -n
traceroute to (, 30 hops max, 38 byte packets
 1  17.341 ms  15.181 ms  14.821 ms
 2  18.301 ms  15.228 ms  15.272 ms
 3  14.719 ms  15.607 ms  17.924 ms
 4  15.935 ms  19.105 ms  19.372 ms
 5  20.175 ms  18.390 ms  21.912 ms
 6  31.027 ms  31.548 ms  20.238 ms
 7  70.225 ms  69.017 ms  67.005 ms
 8  87.305 ms  85.762 ms  87.061 ms
 9  169.609 ms  170.984 ms  157.986 ms
10  177.012 ms  161.094 ms  175.263 ms
11  169.881 ms  186.673 ms  170.661 ms
12  167.892 ms  174.431 ms  164.356 ms
13  *  *  *
14  176.085 ms  163.787 ms  161.975 ms

That was the traceroute from the router. I was confused and though it was not using the vpn. The is the hop to the vpn (???).

wget -qO-

shows my ip is (the vpn ip).

Here is a traceroute from a computer on the network.

From the computer:

wget -qO-
Gives me the IP address which is not expected. Sorry for the confusion.

There's no WAN-interface, so OpenWrt is not your main router?

Correct. I have it connected to another router that is then connected to the Internet.

I think I know what the issue is.

The setup is computer -> wifi - > openwrt router -> ethernet -> router2 -> internet.

The openwrt router is in bridge mode and the computer has router2 as the gateway. The computer is forwarding the packet directly to router2, which bypasses the openwrt's routing table.

What I don't know is what to change. How can I get my computer to think the openwrt is the gateway?

Edit: I tested it by manually adding a default route to the openwrt router on the computer. It worked, the computer's IP address was the VPNs.

The least complicated way is to set up another network on the OpenWrt router for the VPN users. Establish a wifi AP and/or an Ethernet VLAN connection to that network.

You also need firewall zones and rules so that vpnuser will forward and NAT to the vpn tunnel which then goes to the VPN server and reaches the Internet as their IP.

The downside of this is that when connected to the VPN, your computer will no longer be able to access printers, etc on your LAN.

I'm rather confused.

What settings do I use for the network vpnuser? Static address? What address? What gateway?

You create another network, using an unused Private IP subnet.

Yes, just like LAN is configured (using another subnet to prevent a conflict, of course).

None, it's a LAN, your traffic goes via WAN or VPN.

I am unable to connect to the wifi. "Failed to obtain IP address".

The relevant portion of the configs:

config interface 'vpnuser'
option proto 'static'
option ifname 'br-vpnclient'
option ipaddr ''
option netmask ''
option type 'bridge'

config wifi-iface
option device 'radio1'
option mode 'ap'
option encryption 'none'
option network 'vpnuser'
option ssid 'VpnWifi'

config zone
option forward 'ACCEPT'
option masq '1'
option network 'vpnuser'
option family 'ipv4'
option name 'vpnuser'
option input 'ACCEPT'
option output 'ACCEPT'

config forwarding
option dest 'vpnclient'
option src 'vpnuser'

Edit: I'm going to try enabling dhcp on vpnuser so an IP is available even if the internet is not. It's still not happy.

Is there a tutorial or book that would be helpful for learning how network & firewall works? For example, I was reading chapter 3 of ibm red book to figure out what ip route meant.

Create a vpnuser DHCP server in /etc/config/dhcp. Basically copy the LAN section and change the name. The "start" address is implied from the address set in /etc/config/network, so you can have two DHCP server sections that look the same but actually serve different addresses.

The IP address range of vpnuser must not overlap either the LAN or the WAN. is not a good choice.

If your VPN users are all on wifi, you should not specify any option ifname in the vpnuser config. A br-vpnuser will be automatically created. Your wifi AP will attach to it with its reference to option network vpnuser. If you have Ethernet vpnusers you would need to put that Ethernet ifname (most likely a VLAN) in /etc/config/network under vpnuser.

I switched vpnuser to Enabled DHCP on vpnuser. Connecting to wifi failed, 'Failed to obtain IP address'.

Note 'lan' does not have a dhcp as it is bridged with another router that handles the dhcp.

Use brctl show to confirm your bridges are properly set up. There should be a br-vpnuser with the VPN AP in it. ip addr show should show br-vpnuser having the IP you set.

root@OpenWrt:/etc/config# brctl show
bridge name	bridge id		STP enabled	interfaces
br-lan		7fff.14cc209fc672	no		eth1.1
br-vpnuser		7fff.16cc209fc671	no		wlan1-1

Pastebin for the full ip addr show.

83: br-vpnuser: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 16:cc:20:9f:c6:71 brd ff:ff:ff:ff:ff:ff
    inet brd scope global br-vpnuser
       valid_lft forever preferred_lft forever
    inet6 fe80::14cc:20ff:fe9f:c671/64 scope link 
       valid_lft forever preferred_lft forever

Looks like br-vpnuser exists and is using ip address

Thank you for taking so much time to try and figure out my issue.

Edit: dmesg output when connecting to VpnWifi. Get's to authenticated + associated then deauthenticating by local choice.