Dear all,
First of all, thanks for the amazing OpenWrt forum and support.
I want to install and use OpenVPN for my guest Wi-Fi.
I have two routers: one main router and a second one used as an access point, connected over VLANs.
Please guide me,
Thanks
Dear all,
First of all, thanks for the amazing OpenWrt forum and support.
I want to install and use OpenVPN for my guest Wi-Fi.
I have two routers: one main router and a second one used as an access point, connected over VLANs.
Please guide me,
Thanks
Are both routers running OpenWrt?
If so, presumably your main router is responsible for routing both networks, and your other device is just a bridged AP. Is that correct?
You'll install and configure OpenVPN on your main router such that it connects to your VPN provider. (If WireGuard is an option instead, I'd recommend that, but that is just a side note).
Once you have that setup, you'll use Policy Based Routing such that your guest network uses the VPN and your main network uses the standard wan (per the description of your goal).
https://openwrt.org/docs/guide-user/services/vpn/openvpn/client-luci
https://openwrt.org/docs/guide-user/services/vpn/wireguard/client
Currently, if I activate any VPN client, my second router stops connecting to the internet.
I haven't installed PBR (policy-based routing).
Yes, both routers are on OpenWrt 24.10 (latest).
You should set up the VPN on the main router.
Yes, I have installed and set up OpenVPN on my main router.
Let’s take a look at the main router config:
Please connect to your OpenWrt device using ssh, copy the output of the following commands, and post it here using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
Dear,
Please have a look at my config
ubus call system board
{
"kernel": "6.6.73",
"hostname": "MainRouter",
"system": "MediaTek MT7621 ver:1 eco:3",
"model": "D-Link DIR-2660 A1",
"board_name": "dlink,dir-2660-a1",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "24.10.0",
"revision": "r28427-6df0e3d02a",
"target": "ramips/mt7621",
"description": "OpenWrt 24.10.0 r28427-6df0e3d02a",
"builddate": "1738624177"
}
}
cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd3b:b831:3886::/48'
option packet_steering '1'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
config interface 'lan'
option device 'br-lan.99'
option proto 'static'
option ipaddr '192.168.111.1'
option netmask '255.255.255.0'
option ip6assign '60'
list dns '208.67.222.222'
list dns '208.67.220.220'
config interface 'wan'
option device 'wan'
option proto 'dhcp'
config interface 'wan6'
option device 'wan'
option proto 'dhcpv6'
config interface 'Guest'
option proto 'static'
option ipaddr '192.168.101.1'
option netmask '255.255.255.0'
option device 'br-lan.3'
list dns '208.67.222.222'
list dns '208.67.220.220'
config interface 'IOT'
option proto 'static'
option ipaddr '192.168.20.1'
option netmask '255.255.255.0'
option device 'br-lan.4'
config bridge-vlan
option device 'br-lan'
option vlan '3'
list ports 'lan1:t'
config bridge-vlan
option device 'br-lan'
option vlan '4'
list ports 'lan1:t'
config bridge-vlan
option device 'br-lan'
option vlan '99'
list ports 'lan1:t'
list ports 'lan2:u*'
list ports 'lan3:u*'
list ports 'lan4:u*'
config bridge-vlan
option device 'br-lan'
option vlan '80'
list ports 'lan1:t'
config interface 'GuestV'
option proto 'static'
option device 'br-lan.80'
option ipaddr '125.135.142.1'
option netmask '255.255.255.0'
list dns '208.67.222.222'
list dns '208.67.220.220'
cat /etc/config/wireless
config wifi-device 'radio0'
option type 'mac80211'
option path '1e140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
option channel '1'
option band '2g'
option htmode 'HT20'
option cell_density '0'
option txpower '16'
config wifi-device 'radio1'
option type 'mac80211'
option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
option channel '36'
option band '5g'
option cell_density '0'
option txpower '16'
config wifi-iface 'wifinet0'
option device 'radio0'
option mode 'ap'
option ssid 'Jay2G'
option encryption 'psk-mixed'
option key '2002'
option network 'lan'
option ieee80211r '1'
option mobility_domain '119a'
option ft_over_ds '0'
option ft_psk_generate_local '1'
config wifi-iface 'wifinet1'
option device 'radio0'
option mode 'ap'
option ssid 'OpenG'
option encryption 'psk-mixed'
option key '1231'
option network 'Guest'
option ieee80211r '1'
option mobility_domain '119b'
option ft_over_ds '0'
option ft_psk_generate_local '1'
config wifi-iface 'wifinet2'
option device 'radio1'
option mode 'ap'
option ssid 'Jay'
option encryption 'psk-mixed'
option key '2002'
option network 'lan'
option ieee80211r '1'
option mobility_domain '118a'
option ft_over_ds '0'
option ft_psk_generate_local '1'
config wifi-iface 'wifinet3'
option device 'radio0'
option mode 'ap'
option ssid 'Open-IOT'
option encryption 'psk-mixed'
option key '1231'
option ieee80211r '1'
option mobility_domain '119c'
option ft_over_ds '0'
option ft_psk_generate_local '1'
option network 'IOT'
config wifi-iface 'wifinet4'
option device 'radio0'
option mode 'ap'
option ssid 'OpenGV'
option encryption 'psk-mixed'
option key '1231'
option ieee80211r '1'
option mobility_domain '119d'
option ft_over_ds '0'
option ft_psk_generate_local '1'
option network 'GuestV'
option disabled '1'
cat /etc/config/dhcp
config dnsmasq
option domainneeded '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option cachesize '1000'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option localservice '1'
option ednspacket_max '1232'
config dhcp 'lan'
option interface 'lan'
option start '10'
option limit '299'
option leasetime '12h'
option dhcpv4 'server'
option dhcpv6 'server'
option ra 'server'
list ra_flags 'managed-config'
list ra_flags 'other-config'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config dhcp 'Guest'
option interface 'Guest'
option start '100'
option limit '25'
option leasetime '12h'
config dhcp 'IOT'
option interface 'IOT'
option start '10'
option limit '50'
option leasetime '12h'
config dhcp 'GuestV'
option interface 'GuestV'
option start '5'
option limit '25'
option leasetime '12h'
cat /etc/config/firewall
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config zone
option name 'GuestZone'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'Guest'
config zone
option name 'IOT'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'IOT'
config forwarding
option src 'GuestZone'
option dest 'wan'
config forwarding
option src 'lan'
option dest 'IOT'
config rule
option name 'Gusst DHCP and DNS'
option src 'GuestZone'
option dest_port '53 67 68'
option target 'ACCEPT'
config rule
option name 'Guest block from LAN'
option src 'GuestZone'
option target 'REJECT'
list proto 'all'
list dest_ip '192.168.111.0/24'
config zone
option name 'GuestVPN'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'GuestV'
config rule
option name 'GuestV DHCP and DNS'
option src 'GuestVPN'
option dest_port '53 67 68'
option target 'ACCEPT'
config zone
option name 'VPN'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
config forwarding
option src 'GuestVPN'
option dest 'VPN'
I can connect to the internet from the main router,
but I can't connect to the internet from the access point.
Please guide me.
Not related, but `start + limit` must be below 255 (the lan DHCP pool currently exceeds that).
Are you saying that if you activate the VPN your LAN has internet via the VPN?
Test from a LAN client with ipleak.net to see if you indeed have the VPN as endpoint.
I am asking because I do not see the VPN interface/device anywhere mentioned in the Firewall zones
Also, fix the other obvious mistakes.
The VPN interface/device is not assigned to any firewall zone, so masquerading will not work. During testing, add `list device 'tun+'` to the wan firewall zone. You can move it to the dedicated VPN zone later.
Replace the public IP address on the GuestV interface with a private one, and remove all DNS settings from this and all other internal interfaces.
If you want to use OpenDNS, make the wan interface look like this:
config interface 'wan'
option device 'wan'
option proto 'dhcp'
option peerdns '0'
list dns '208.67.222.222'
list dns '208.67.220.220'
See here for brief info on how to set up PBR (with netifd) without installing additional packages.
With my config as stated above, when activating the VPN,
I cannot connect to the internet from my Wi-Fi or the LAN ports; connections to the internet from both the main router and the access point router do not work.
However, my main router does reach the VPN destination with traceroute under Network -> Diagnostics:
traceroute to openwrt.org (64.226.122.113), 20 hops max, 46 byte packets
1 10.9.0.1 282.899 ms
2 *
The question was whether you have LAN clients with working internet via the VPN, but it looks like the answer is no.
That is not surprising, as there is no VPN interface/device added to the VPN firewall zone, so the VPN traffic is not masqueraded.
A possible solution has already been handed to you by @pavelgl; did you follow his advice?
With these settings, all of my LAN ports and all of my SSIDs connect through the VPN.
With his guidance, all of my LAN ports and all of my SSIDs are connected to the VPN,
which is not what I want.
I want all of my LAN ports and SSIDs except the guest Wi-Fi to connect to the normal internet;
only the guest Wi-Fi should be connected to the VPN.
Of course, it is all or nothing unless you use Policy Based Routing.
See:
https://openwrt.org/docs/guide-user/network/routing/pbr
PBR can take care of routing some clients/interfaces through the VPN and others through the WAN.
Then it's better that I avoid using OpenVPN on my router, as I don't want to use PBR and give myself more headaches.
Thanks for your time and guidance.
Well, there is a nice PBR app, but I know what you mean.
Sorry we cannot make it easier for you.