OpenVPN Client to one LAN port

The VPN client is working. All devices connected to the router are connected to the VPN.

Is it possible to make the VPN available only to a specific LAN port?

i.e. WiFi and three LAN ports do not have VPN access (internet from the WAN works).

One LAN port has VPN access.

You make a guest "wifi" but instead of adding a radio (SSID) to it you add one of the LAN ports.

Next step is to use Policy Based Routing to only route that guest subnet with its LAN port via the VPN.
PBR:

OpenWRT Policy Based Routing (PBR)

Thanks to @egc and the anti-leak script I was able to finish off my step-by-step guide which is intended for exactly that topic (plus Guest Wifi). Please see below (using NordVPN as my VPN provider):

0. Update lists in luci and install luci-app-pbr

1. Followed this guide to create separate GuestWifi and LAN4 interfaces: https://www.youtube.com/watch?v=UvniZs8q3eU

2. Create GuestWifi: Create a new firewall rule, then add exceptions for DHCP and DNS in the traffic rules, create a bridge guest (br-GUEST) device in the devices tab (do NOT assign any port), create a GUEST interface. Disable ipv6 for the 2 wifi phys devices associated with br-Guest.

3. Same for LAN4: Create a new firewall rule (Set input => “reject” if you do not want LAN 4 to give access to the router’s webpage), then add exceptions for DHCP and DNS in the traffic rules, create a bridge lan4 (br-lan4) device in the devices tab (assign eth port 4 and disable ipv6), create a LAN4 interface.

4. Remove lan4 from main br-lan device, and leave just ports 1-3.

5. Set up OpenVPN for NordVPN as explained here: https://support.nordvpn.com/hc/en-us/articles/20340177222289-OpenWrt-setup-with-NordVPN (Important step is to use the encrypted credentials for the service via the NordVPN account – NOT the unencrypted ones, i.e. email and standard login password). The only difference is that in the firewall rule of vpnfirewall, I specified lan4 and guestwifi instead of lan in the “allow forward from source zones” section. Also, in the zones section I edited lan4 and guest instead of lan, in the “allow forward to destination zones”.

6. In the pbr setup I did not specify the 443 port or the “tcp” protocol. I left blank the ports and set protocol to “all”. I set up two separate rules: 1 for LAN4 and 1 for GuestWifi. In such rules I entered:

a. Name: LAN4 OpenVPN and GUEST WiFi OpenVPN for each of the rules

b. Local addresses/devices: 192.168.4.1/24 for LAN4 rule and 10.20.30.40/24 for GUEST WiFi rule

c. Protocol: all

d. Chain: prerouting

e. Interface: nordvpntun

7. To unset an OpenVPN tunnel as default route:

Go to your openvpn configuration in luci, click edit and add the below line at the top of the config:
pull-filter ignore redirect-gateway

8. Warning: Please set ‘dhcp.lan.force=1’

If the dhcp.lan.force is set to 1, this speeds up the dnsmasq start/restart times and in turn speeds up the pbr service start/reload/restart times. To make things faster, run:

uci set dhcp.lan.force='1'

uci commit dhcp

If your LAN interface name(s) are different from lan, adjust the command above.

9. To stop the ISP leak upon boot before the pbr policy kicks in do the following:

a. Download script (raw file) from https://github.com/egc112/OpenWRT-egc-add-on/blob/main/stop-wan-leak/09-stop-wan-leak

b. Use WinSCP to transfer the script to /etc/hotplug.d/iface

c. {OPTIONAL} If needed, edit the script and set MYWANIF to your current wan by using ifconfig from command line to check. This has to be the logical wan interface as it appears in the interfaces tab in luci (e.g. wan – not eth1).

d. Reboot router.

Some extra but important notes:

- Kill switch is already embedded in pbr as long as strict enforcement is enabled in pbr and the 09-stop-wan-leak script is in place and properly configured.

- LAN 4 and Guest Wifi should have their own subnets (e.g. 192.168.4.1/24 and 10.20.30.40/24)

- Each OpenVPN interface should represent each VPN location/server
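The LAN4 half of steps 2 to 8 above, written out as a uci batch so the whole configuration can be reviewed before it is applied. This is an added example, not code from the original post or from the pbr project. It assumes the switch port device is named lan4, that the main LAN bridge is the first device section in /etc/config/network, and that the VPN zone and tunnel interface keep the names used in the guide (vpnfirewall, nordvpntun); the GUEST WiFi rule follows the same pattern with its own subnet.

```shell
#!/bin/sh
# Added example: emits the uci batch reproducing the guide's LAN4 + PBR setup.
# Assumptions (not from the guide): port device 'lan4', main bridge is the
# first 'device' section, VPN zone 'vpnfirewall', tunnel 'nordvpntun'.
LAN4_PORT="${LAN4_PORT:-lan4}"
LAN4_IP="${LAN4_IP:-192.168.4.1}"
VPN_ZONE="${VPN_ZONE:-vpnfirewall}"
VPN_IFACE="${VPN_IFACE:-nordvpntun}"

# Steps 3-4 and 8: own bridge for the port, IPv6 off, port pulled out of
# br-lan, static address, DHCP pool, and dhcp.lan.force=1 for faster restarts.
gen_network_uci() {
cat <<EOF
set network.br_lan4=device
set network.br_lan4.type='bridge'
set network.br_lan4.name='br-lan4'
set network.br_lan4.ipv6='0'
add_list network.br_lan4.ports='${LAN4_PORT}'
del_list network.@device[0].ports='${LAN4_PORT}'
set network.lan4=interface
set network.lan4.device='br-lan4'
set network.lan4.proto='static'
set network.lan4.ipaddr='${LAN4_IP}'
set network.lan4.netmask='255.255.255.0'
set dhcp.lan4=dhcp
set dhcp.lan4.interface='lan4'
set dhcp.lan4.start='100'
set dhcp.lan4.limit='150'
set dhcp.lan4.leasetime='12h'
set dhcp.lan.force='1'
EOF
}

# Steps 3 and 5: zone with input rejected (no LuCI from that port), forwarding
# allowed only towards the VPN zone, plus the DHCP/DNS exceptions so clients
# can still obtain a lease and resolve names through the router.
gen_firewall_uci() {
cat <<EOF
set firewall.lan4=zone
set firewall.lan4.name='lan4'
set firewall.lan4.input='REJECT'
set firewall.lan4.output='ACCEPT'
set firewall.lan4.forward='REJECT'
add_list firewall.lan4.network='lan4'
set firewall.lan4_to_vpn=forwarding
set firewall.lan4_to_vpn.src='lan4'
set firewall.lan4_to_vpn.dest='${VPN_ZONE}'
set firewall.lan4_dhcp=rule
set firewall.lan4_dhcp.name='Allow-DHCP-lan4'
set firewall.lan4_dhcp.src='lan4'
set firewall.lan4_dhcp.proto='udp'
set firewall.lan4_dhcp.dest_port='67'
set firewall.lan4_dhcp.target='ACCEPT'
set firewall.lan4_dns=rule
set firewall.lan4_dns.name='Allow-DNS-lan4'
set firewall.lan4_dns.src='lan4'
set firewall.lan4_dns.proto='tcp udp'
set firewall.lan4_dns.dest_port='53'
set firewall.lan4_dns.target='ACCEPT'
EOF
}

# Step 6 plus the kill-switch note: strict enforcement drops LAN4 traffic
# instead of leaking it when the tunnel is down; one policy steers the
# whole LAN4 subnet, all protocols, into the VPN interface.
gen_pbr_uci() {
cat <<EOF
set pbr.config.strict_enforcement='1'
add pbr policy
set pbr.@policy[-1].name='LAN4 OpenVPN'
set pbr.@policy[-1].src_addr='${LAN4_IP}/24'
set pbr.@policy[-1].proto='all'
set pbr.@policy[-1].chain='prerouting'
set pbr.@policy[-1].interface='${VPN_IFACE}'
set pbr.@policy[-1].enabled='1'
EOF
}

gen_all_uci() {
    gen_network_uci; gen_firewall_uci; gen_pbr_uci
    for c in network dhcp firewall pbr; do echo "commit $c"; done
}

# Step 7: prepend the pull-filter line to an OpenVPN profile file exactly
# once, so the server-pushed redirect-gateway never becomes the default route.
add_pull_filter() {
    f="$1"
    grep -q '^pull-filter ignore redirect-gateway' "$f" && return 0
    { echo 'pull-filter ignore redirect-gateway'; cat "$f"; } > "$f.tmp" && mv "$f.tmp" "$f"
}

# Review first with "sh thisscript.sh"; apply on the router with "apply".
if [ "${1:-}" = "apply" ]; then gen_all_uci | uci batch; else gen_all_uci; fi
```

Running the script without arguments only prints the batch; pass `apply` on the router to feed it into `uci batch`, then reload network, firewall and pbr. Because the zone forward policy is REJECT and the only forwarding entry targets the VPN zone, a LAN4 client has no path to the WAN zone at all, which is what keeps the ISP path closed even before pbr's policy is loaded.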
