I'm trying to follow the openvpn client guide
Unfortunately my IP does not change. Any help would be appreciated.
Config/Log information requested in the troubleshooting is available at pastebin
echo "redirect-gateway def1" >> /etc/openvpn/vpnclient.ovpn
service openvpn restart
Thank you for the help. I have redirect-gateway in the openvpn settings already. I uploaded the ovpn config and ip routing table below.
traceroute -n example.org
root@OpenWrt:~# traceroute -n openwrt.org
traceroute to openwrt.org (139.59.209.225), 30 hops max, 38 byte packets
1 10.8.0.1 17.341 ms 15.181 ms 14.821 ms
2 107.181.189.61 18.301 ms 15.228 ms 15.272 ms
3 38.88.7.241 14.719 ms 15.607 ms 17.924 ms
4 154.24.61.69 15.935 ms 19.105 ms 19.372 ms
5 154.54.1.5 20.175 ms 18.390 ms 21.912 ms
6 213.248.82.152 31.027 ms 31.548 ms 20.238 ms
7 62.115.117.49 70.225 ms 69.017 ms 67.005 ms
8 62.115.137.58 87.305 ms 80.91.246.163 85.762 ms 62.115.137.58 87.061 ms
9 213.155.135.4 169.609 ms 170.984 ms 80.91.251.101 157.986 ms
10 62.115.123.12 177.012 ms 62.115.122.139 161.094 ms 62.115.123.12 175.263 ms
11 62.115.120.6 169.881 ms 62.115.120.0 186.673 ms 62.115.120.6 170.661 ms
12 80.239.128.21 167.892 ms 80.239.128.23 174.431 ms 164.356 ms
13 * * *
14 139.59.209.225 176.085 ms 163.787 ms 161.975 ms
That was the traceroute from the router. I was confused and thought it was not using the VPN. The 10.8.0.1 is the hop to the VPN (???).
wget -qO- https://ipecho.net/plain
shows my ip is 107.181.189.40 (the vpn ip).
Here is a traceroute from a computer on the network.
From the computer:
wget -qO- https://ipecho.net/plain
Gives me the IP address 104.142.126.204 which is not expected. Sorry for the confusion.
There's no WAN-interface, so OpenWrt is not your main router?
Correct. I have it connected to another router that is then connected to the Internet.
I think I know what the issue is.
The setup is computer -> wifi -> openwrt router -> ethernet -> router2 -> internet.
The openwrt router is in bridge mode and the computer has router2 as the gateway. The computer is forwarding the packet directly to router2, which bypasses the openwrt's routing table.
What I don't know is what to change. How can I get my computer to think the openwrt is the gateway?
Edit: I tested it by manually adding a default route to the openwrt router on the computer. It worked, the computer's IP address was the VPN's.
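The bypass diagnosed in the post above can be read straight off a routing table. This is an added example, not part of the original thread: it reports which gateway and device IPv4 Internet traffic really uses, including the two /1 routes that `redirect-gateway def1` installs. The function names, the 192.168.1.x addresses and the interface names are assumptions.

```shell
#!/bin/sh
# Added example. All addresses and interface names below are constructed,
# except 10.8.0.1, the tunnel hop seen in the thread's traceroute.

# effective_egress: read `ip -4 route show` output on stdin and print
# "<gateway> <device>" for the route Internet-bound IPv4 traffic takes.
# "redirect-gateway def1" keeps the old default route and adds 0.0.0.0/1 and
# 128.0.0.0/1, which win by longest-prefix match. IPv6 is not examined.
effective_egress() {
    awk '
        function field(name,   i) {
            for (i = 2; i < NF; i++) if ($i == name) return $(i + 1)
            return "-"
        }
        $1 == "0.0.0.0/1"   { lo = field("via") " " field("dev") }
        $1 == "128.0.0.0/1" { hi = field("via") " " field("dev") }
        $1 == "default" {
            m = field("metric"); if (m == "-") m = 0
            if (def == "" || m + 0 < defm) { def = field("via") " " field("dev"); defm = m + 0 }
        }
        END {
            if (lo != "" && lo == hi)       print lo             # def1 pair covers all of IPv4
            else if (lo != "" || hi != "")  print "mixed mixed"  # only part is redirected
            else if (def != "")             print def
            else                            print "none none"
        }'
}

# via_expected EXPECTED: succeed if the effective gateway or device is EXPECTED.
via_expected() {
    set -- "$1" $(effective_egress)
    [ "$2" = "$1" ] || [ "$3" = "$1" ]
}

# Constructed table for the OpenWrt router with the tunnel up.
ROUTER_ROUTES='0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev br-lan
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.2'

# Constructed table for the computer: DHCP from router2 (192.168.1.1).
CLIENT_ROUTES='default via 192.168.1.1 dev wlan0 proto dhcp metric 600
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50 metric 600'

printf 'router: %s\n' "$(printf '%s\n' "$ROUTER_ROUTES" | effective_egress)"
printf 'client: %s\n' "$(printf '%s\n' "$CLIENT_ROUTES" | effective_egress)"
```

On a live system, pipe `ip -4 route show` into `effective_egress`; on the computer the gateway printed should be the OpenWrt router, not router2.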
The least complicated way is to set up another network on the OpenWrt router for the VPN users. Establish a wifi AP and/or an Ethernet VLAN connection to that network.
You also need firewall zones and rules so that vpnuser will forward and NAT to the vpn tunnel which then goes to the VPN server and reaches the Internet as their IP.
The downside of this is that when connected to the VPN, your computer will no longer be able to access printers, etc. on your LAN.
I'm rather confused.
What settings do I use for the network vpnuser? Static address? What address? What gateway?
You create another network, using an unused Private IP subnet.
Yes, just like LAN is configured (using another subnet to prevent a conflict, of course).
None, it's a LAN, your traffic goes via WAN or VPN.
I am unable to connect to the wifi. "Failed to obtain IP address".
The relevant portion of the configs:
/etc/config/network
...
config interface 'vpnuser'
	option proto 'static'
	option ifname 'br-vpnclient'
	option ipaddr '192.168.0.1'
	option netmask '255.255.255.0'
	option type 'bridge'

/etc/config/wireless
...
config wifi-iface
	option device 'radio1'
	option mode 'ap'
	option encryption 'none'
	option network 'vpnuser'
	option ssid 'VpnWifi'

/etc/config/firewall
...
config zone
	option forward 'ACCEPT'
	option masq '1'
	option network 'vpnuser'
	option family 'ipv4'
	option name 'vpnuser'
	option input 'ACCEPT'
	option output 'ACCEPT'

config forwarding
	option dest 'vpnclient'
	option src 'vpnuser'
Edit: I'm going to try enabling dhcp on vpnuser so an IP is available even if the internet is not. It's still not happy.
Is there a tutorial or book that would be helpful for learning how network & firewall works? For example, I was reading chapter 3 of the IBM red book to figure out what ip route meant.
Create a vpnuser DHCP server in /etc/config/dhcp. Basically copy the LAN section and change the name. The "start" address is implied from the address set in /etc/config/network, so you can have two DHCP server sections that look the same but actually serve different addresses.
The IP address range of vpnuser must not overlap either the LAN or the WAN. 192.168.0.1 is not a good choice.
If your VPN users are all on wifi, you should not specify any option ifname in the vpnuser config. A br-vpnuser will be automatically created. Your wifi AP will attach to it with its reference to option network vpnuser. If you have Ethernet vpnusers you would need to put that Ethernet ifname (most likely a VLAN) in /etc/config/network under vpnuser.
I switched vpnuser to 192.168.3.1. Enabled DHCP on vpnuser. Connecting to wifi failed, 'Failed to obtain IP address'.
Note 'lan' does not have a dhcp as it is bridged with another router that handles the dhcp.
Use brctl show to confirm your bridges are properly set up. There should be a br-vpnuser with the VPN AP in it. ip addr show should show br-vpnuser having the IP you set.
root@OpenWrt:/etc/config# brctl show
bridge name bridge id STP enabled interfaces
br-lan 7fff.14cc209fc672 no eth1.1
wlan1
br-vpnuser 7fff.16cc209fc671 no wlan1-1
Pastebin for the full ip addr show.
83: br-vpnuser: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
link/ether 16:cc:20:9f:c6:71 brd ff:ff:ff:ff:ff:ff
inet 192.168.3.1/24 brd 192.168.3.255 scope global br-vpnuser
valid_lft forever preferred_lft forever
inet6 fe80::14cc:20ff:fe9f:c671/64 scope link
valid_lft forever preferred_lft forever
Looks like br-vpnuser exists and is using ip address 192.168.3.1
Thank you for taking so much time to try and figure out my issue.
Edit: dmesg output when connecting to VpnWifi. Gets to authenticated + associated then deauthenticating by local choice.