So I followed the steps to specify NordVPN on my now OpenWRT router and it seemed like everything works, below is the system log info regarding the connection:
```
Sat May 4 14:20:54 2019 daemon.notice openvpn(nordvpn)[2211]: /sbin/ifconfig tun0 10.8.1.11 netmask 255.255.255.0 mtu 1500 broadcast 10.8.1.255
Sat May 4 14:20:54 2019 daemon.notice netifd: Interface 'nordvpntun' is enabled
Sat May 4 14:20:54 2019 daemon.notice netifd: Network device 'tun0' link is up
Sat May 4 14:20:54 2019 daemon.notice netifd: Interface 'nordvpntun' has link connectivity
Sat May 4 14:20:54 2019 daemon.notice netifd: Interface 'nordvpntun' is setting up now
Sat May 4 14:20:54 2019 daemon.notice netifd: Interface 'nordvpntun' is now up
Sat May 4 14:20:54 2019 daemon.notice openvpn(nordvpn)[2211]: /sbin/route add -net 104.200.132.172 netmask 255.255.255.255 gw 192.168.1.254
Sat May 4 14:20:54 2019 daemon.notice openvpn(nordvpn)[2211]: /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.8.1.1
Sat May 4 14:20:54 2019 daemon.notice openvpn(nordvpn)[2211]: /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.8.1.1
Sat May 4 14:20:54 2019 daemon.notice openvpn(nordvpn)[2211]: Initialization Sequence Completed
Sat May 4 14:20:54 2019 user.notice firewall: Reloading firewall due to ifup of nordvpntun (tun0)
Sat May 4 14:21:58 2019 daemon.info dnsmasq[529]: read /etc/hosts - 4 addresses
```
The problem is connecting to the router provides me with my ISP IP address, not the NordVPN address.
What I'm wondering is if this is due to which port I have my ISP modem connected to - Prior to this, I was using the c2600 as a "dumb" switch, nothing more, and I just plugged in the ethernet cables wherever, do I need to specifically choose a port for the ISP modem to go into? If so, which one?
I'm including the contents of a few different files below to give some context as to my setup
Do you mean that you connect some PC on the LAN interface of the router and it acquires an IP and other settings from the DHCP of the ISP modem?
What IP does it get?
Your config looks weird
You have defined the vpn firewall zone twice. It could all be combined in one firewall zone, WAN, which is already there.
WAN interface has DHCP protocol and LAN interface has static IP with default gateway. Where is the upstream router connected?
So should I leave the WAN as a DHCP client and change the LAN to the new subnet, will that allow me to access the router when I connect the cable to the WAN? As it is right now I CAN access it when the LAN ip is on the same subnet.
And, after that, what would be the best steps for setting up NordVPN, would this guide still be the best to follow?
Thanks again for all the help. I really appreciate it.
Sorry to be back with another question, but I just came up with a concern - when I had the ethernet connection from my router plugged into the WAN port, the OpenWRT router was wholly inaccessible.
What steps do I need to take in order to access the router when I connect to the WAN port?
As well, what should I specify for the Gateway on the LAN? I can only factor in the gateway of the main router, which is 192.168.1.254, but I can't suss out how that will factor going through different subnets?
Thanks again!
** Another edit, modified the Network file and changed the subnet of the LAN to 192.168.2.1 and rebooted, no access to the interface now. Connected the cable to the WAN port, still no dice =/
Connect to the wireless and I end up with no internet connection, I'm getting served a "169" IP address.
Everything worked prior to that. I just wasn't getting served under a VPN.
I was able to regain access by manually assigning an IP address. So that's something.
Router can access the internet (going into Diagnostics and pinging openwrt works) but anything connected to the wireless just doesn't.
Tried adjusting the gateway to just be the OpenWRT router, no dice. Tried specifying Google DNS servers, no dice.
Seems like I'm not getting fed DHCP and even manually specifying the IP address and trying to modify the DNS settings per device does me no good unfortunately.
So even with all this going I can't fully even test if the VPN portion of things is working, SEEMS like it is based on the Traceroute, but if I can't connect and get internet doesn't help a ton unfortunately
Even tested pinging devices on the primary subnet 192.168.1.XXX and that works great. Just CANNOT figure out why I'm not able to serve an IP address to connected wireless clients, and even with a static IP still no access to the internet.
To allow incoming connections from the WAN firewall zone to the device. By default everything is blocked.
Nothing, OpenWrt gets the default gateway from the DHCP running on WAN interface.
Please post here the output of the following command, all in one line:
```
cat /etc/config/network; cat /etc/config/firewall; cat /etc/config/wireless ; cat /etc/config/dhcp ; ip -4 addr ; ip -4 ro ; ip -4 ru
```
```
config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd7d:3874:5a29::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth1.1'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option dns '192.168.1.254 8.8.8.1'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '5 0t'

config interface 'openvpn'
	option proto 'none'
	option ifname 'eth0'
	option auto '1'
	option type 'bridge'
```
```
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option network 'lan'
	option forward 'DROP'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option network 'wan wan6'
	option input 'DROP'
	option forward 'DROP'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config zone
	option name 'vpn'
	option output 'ACCEPT'
	option network 'openvpn'
	option input 'DROP'
	option forward 'DROP'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option dest 'vpn'
	option src 'lan'
```
```
config wifi-device 'radio0'
	option type 'mac80211'
	option channel '36'
	option hwmode '11a'
	option path 'soc/1b500000.pci/pci0000:00/0000:00:00.0/0000:01:00.0'
	option htmode 'VHT80'
	option country 'US'
	option legacy_rates '1'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'psk2'
	option key '6047256846'

config wifi-device 'radio1'
	option type 'mac80211'
	option channel '11'
	option hwmode '11g'
	option path 'soc/1b700000.pci/pci0001:00/0001:00:00.0/0001:01:00.0'
	option htmode 'HT20'
	option country 'US'
	option legacy_rates '1'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option mode 'ap'
	option ssid 'serenity'
	option encryption 'psk2'
	option key '6047256846'
	option network 'lan'
```
```
config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option nonwildcard '1'
	option localservice '1'
	option noresolv '1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra 'server'
	option ra_management '1'
	list dhcp_option '6,103.86.96.100,103.86.99.100'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'
```
```
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
7: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.2.1/24 brd 192.168.2.255 scope global br-lan
       valid_lft forever preferred_lft forever
10: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.1.69/24 brd 192.168.1.255 scope global eth0.2
       valid_lft forever preferred_lft forever
13: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 100
    inet 10.8.2.7/24 brd 10.8.2.255 scope global tun0
       valid_lft forever preferred_lft forever

0.0.0.0/1 via 10.8.2.1 dev tun0
default via 192.168.1.254 dev eth0.2 src 192.168.1.69
10.8.2.0/24 dev tun0 scope link src 10.8.2.7
104.200.132.172 via 192.168.1.254 dev eth0.2
128.0.0.0/1 via 10.8.2.1 dev tun0
192.168.1.0/24 dev eth0.2 scope link src 192.168.1.69
192.168.2.0/24 dev br-lan scope link src 192.168.2.1

0: from all lookup local
32766: from all lookup main
32767: from all lookup default
```
Also from my other thread, traceroute from the Diagnostics section on the router:
```
traceroute to openwrt.org (139.59.209.225), 30 hops max, 38 byte packets
 1  10.8.2.1  3.027 ms
 2  104.200.132.190  3.400 ms
 3  104.200.132.142  2.673 ms
 4  173.205.42.93  2.810 ms
 5  154.24.61.69  3.453 ms
 6  154.54.27.161  8.374 ms
 7  64.86.123.93  160.234 ms
 8  62.115.117.49  56.031 ms
 9  *
10  62.115.112.245  146.032 ms
11  80.231.130.105  160.773 ms
12  80.231.154.142  175.105 ms
13  62.115.120.6  155.850 ms
14  195.219.87.13  167.036 ms
15  195.219.87.18  173.663 ms
16  139.59.209.225  163.435 ms
```
From my Windows 10 machine connected via either Wifi radio
```
tracert openwrt.org
Unable to resolve target system name openwrt.org.
Tracing route to 8.8.4.4 over a maximum of 30 hops
  1     2 ms     3 ms     1 ms  OpenWrt.lan [192.168.2.1]
  2  OpenWrt.lan [192.168.2.1]  reports: Destination protocol unreachable.
```
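
An added example, not part of any post in this thread: a check over excerpts of the dumps posted above that reports which firewall zone covers the device carrying the VPN's `0.0.0.0/1` and `128.0.0.0/1` routes, and whether `lan` is allowed to forward to that zone. The function names and the `br-<name>` naming for bridge interfaces are assumptions of this example.

```python
import re

# Excerpts of the network, firewall and `ip -4 ro` dumps posted above, trimmed to what this check reads.
NETWORK = """
config interface 'lan'
    option type 'bridge'
    option ifname 'eth1.1'
config interface 'openvpn'
    option ifname 'eth0'
    option type 'bridge'
"""
FIREWALL = """
config zone
    option name 'lan'
    option network 'lan'
config zone
    option name 'vpn'
    option network 'openvpn'
config forwarding
    option dest 'vpn'
    option src 'lan'
"""
ROUTES = """0.0.0.0/1 via 10.8.2.1 dev tun0
default via 192.168.1.254 dev eth0.2 src 192.168.1.69
128.0.0.0/1 via 10.8.2.1 dev tun0
"""

def sections(text):
    """Parse UCI text into (type, name, {option: [values]}) entries."""
    out = []
    for line in text.splitlines():
        t = [a or b for a, b in re.findall(r"'([^']*)'|(\S+)", line)]
        if t[:1] == ["config"]:
            out.append((t[1], " ".join(t[2:]), {}))
        elif t[:1] in (["option"], ["list"]) and out:
            out[-1][2].setdefault(t[1], []).extend(" ".join(t[2:]).split())
    return out

def tunnel_zone_report(network, firewall, routes, src="lan"):
    """Map each /1-route device to (zone or None, src may forward). Assumes bridges are named br-<iface>."""
    secs = sections(firewall)
    dev = {n: (["br-" + n] if o.get("type") == ["bridge"] else o.get("ifname", []))
           for k, n, o in sections(network) if k == "interface"}
    zone = {d: o["name"][0] for k, _, o in secs if k == "zone"
            for d in o.get("device", []) + [x for n in o.get("network", []) for x in dev.get(n, [])]}
    fwd = {o["dest"][0] for k, _, o in secs if k == "forwarding" and o.get("src") == [src]}
    tun = re.findall(r"^(?:0\.0\.0\.0|128\.0\.0\.0)/1 via \S+ dev (\S+)", routes, re.M)
    return {d: (zone.get(d), zone.get(d) in fwd) for d in sorted(set(tun))}

print(tunnel_zone_report(NETWORK, FIREWALL, ROUTES))
```
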
No change. Had to reboot the router to get internet access back there after that last command, but no change on my connected devices, well not entirely true, here's the tracert output from windows now: