OpenVPN on Dumb Access Point

Hi all! I’m tearing my hair out here, hopefully someone can help with my config.

I have a Tenbay AX router flashed with OpenWrt 22.03.3 as a dumb AP, and I'm trying to configure Mullvad VPN on it.
ISP router with DHCP (192.168.18.1) -> LAN port on the Tenbay (static IP 192.168.18.2), DHCP off.
I got OpenVPN working and started in the VPN tab, but I don't know how to route the wifi and LAN interfaces to use the VPN tunnel…

These are my current configurations:
/etc/config/network

# /etc/config/network as posted: an OpenWrt 22.03.3 "dumb AP" whose wifi/LAN
# clients are meant to reach the Internet through an OpenVPN (Mullvad) tunnel
# on tun0.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'
	option ula_prefix 'fdf4:dba4:b693::/48'

# NOTE(review): tun0 is listed as a port of br-lan below, but an OpenVPN
# 'dev tun' interface is a point-to-point layer-3 device and cannot be a
# bridge member (only tap devices can). This line does not make LAN traffic
# use the tunnel; that is done by routing -- a default route via tun0
# (normally pushed by the provider with redirect-gateway) plus a firewall
# forwarding from the lan zone into the zone that holds tun0.
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'tun0'

# NOTE(review): lan (192.168.18.2/24, gateway 192.168.18.1) and wan
# (192.168.18.3, no netmask or gateway given) both sit on the ISP router's
# 192.168.18.0/24. Two interfaces in one subnet give ambiguous routing and
# make it hard to say which side a packet leaves on; the replies in the
# thread recommend the normal wan-lan layout instead -- a separate LAN
# subnet behind br-lan, with the ISP network only on wan.
config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.18.2'
	option gateway '192.168.18.1'

# NOTE(review): the resolver for wan is a host on the ISP LAN
# (192.168.18.117). Once LAN clients are routed through the tunnel, DNS
# traffic to this host still leaves outside it unless the router's resolver
# is pointed at a server reached via tun0 -- worth checking, since the goal
# is to keep client traffic inside the VPN.
config interface 'wan'
	option device 'wan'
	option proto 'static'
	option ipaddr '192.168.18.3'
	list dns '192.168.18.117'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

# NOTE(review): 'type bridge' on a proto 'none' interface over tun0 has no
# effect for the same reason as above (tun is not bridgeable). Keep this
# interface only as the handle for tun0 and attach it to a dedicated
# firewall zone (VPN_FW in /etc/config/firewall) rather than to the lan zone.
config interface 'MULLVAD_VPN'
	option proto 'none'
	option device 'tun0'
	option type 'bridge'

/etc/config/firewall

# /etc/config/firewall as posted. Intended policy: LAN clients go out through
# the VPN tunnel; nothing arriving from the tunnel or from the ISP side
# reaches the router itself or the LAN.
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option flow_offloading '1'
	option flow_offloading_hw '1'

# NOTE(review): MULLVAD_VPN (tun0) is a member of this zone, and the zone has
# input ACCEPT / forward ACCEPT. Anything that arrives from the tunnel side
# is therefore treated like a trusted LAN host: it can reach the router's own
# services and be forwarded into the LAN. The tunnel belongs in VPN_FW
# (defined below with input REJECT / forward REJECT); remove the
# `list network 'MULLVAD_VPN'` line from this zone. masq on the lan zone is
# not needed for a LAN-side zone; it is normally set only on the egress
# (VPN) zone.
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
	list network 'lan'
	list network 'MULLVAD_VPN'

# wan zone: router services and forwarding are rejected from the ISP side;
# only the explicit rules below are let in.
config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

# The rules from here to Allow-ISAKMP match OpenWrt's stock wan rules
# (DHCP renew, ping, IGMP, DHCPv6, MLD, ICMPv6, IPsec) and are unchanged
# from a fresh install.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# NOTE(review): this zone has no `list network` line, so no interface is in
# it and the lan -> VPN_FW forwarding below currently matches nothing. Add
# `list network 'MULLVAD_VPN'` here (and take it out of the lan zone); with
# masq and mtu_fix already set, LAN clients are then NATed out of tun0.
# There is deliberately no lan -> wan forwarding in this file: in the
# wan-lan layout that means LAN clients have no path out via wan when the
# tunnel is down (fail-closed), which is worth keeping.
config zone
	option name 'VPN_FW'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option dest 'VPN_FW'
	option src 'lan'

/etc/config/openvpn

# /etc/config/openvpn as posted. OpenWrt's openvpn init script only starts
# sections that carry `option enabled '1'`, so of the four instances below
# only mullvad_client is active; custom_config, sample_server and
# sample_client are the package's stock examples and stay inert.
config openvpn 'custom_config'
	option config '/etc/openvpn/my-vpn.conf'

# Stock server example; not enabled.
config openvpn 'sample_server'
	option port '1194'
	option proto 'udp'
	option dev 'tun'
	option ca '/etc/openvpn/ca.crt'
	option cert '/etc/openvpn/server.crt'
	option key '/etc/openvpn/server.key'
	option dh '/etc/openvpn/dh2048.pem'
	option server '10.8.0.0 255.255.255.0'
	option ifconfig_pool_persist '/tmp/ipp.txt'
	option keepalive '10 120'
	option persist_key '1'
	option persist_tun '1'
	option user 'nobody'
	option status '/tmp/openvpn-status.log'
	option verb '3'

# Stock client example; not enabled.
config openvpn 'sample_client'
	option client '1'
	option dev 'tun'
	option proto 'udp'
	list remote 'my_server_1 1194'
	option resolv_retry 'infinite'
	option nobind '1'
	option persist_key '1'
	option persist_tun '1'
	option user 'nobody'
	option ca '/etc/openvpn/ca.crt'
	option cert '/etc/openvpn/client.crt'
	option key '/etc/openvpn/client.key'
	option verb '3'

# The only enabled instance. The referenced .ovpn is not shown in the post;
# for the LAN-through-tunnel goal it must install a default route over tun0
# (provider profiles normally push redirect-gateway -- confirm with `ip route`
# once the tunnel is up), and tun0 needs a firewall zone that masquerades
# toward it (see VPN_FW in /etc/config/firewall). Keep the profile and any
# credentials file it references readable by root only.
config openvpn 'mullvad_client'
	option config '/etc/openvpn/mullvad_client.ovpn'
	option enabled '1'

Thanks for your time
Ilian

There are two ways to do this:

  1. create a routed network on the dumb AP -- that routed network will use the OpenVPN tunnel as the gateway.
    or
  2. Set the gateway on the hosts to use the dumb AP instead of the main router on the network.

Option 1 inherently means that devices that are connected to the network from the main router will be on a different network relative to those connected to the OpenWrt router. This is relevant if you need those devices to be able to connect to each other.

Option 2 can be achieved in 2 ways -- set the gateway manually on the hosts that should use the VPN tunnel (i.e. static IP address assignment method on those devices), or (if supported by your main router), set the DHCP server to advertise the OpenWrt device as the gateway (this is all-or-nothing in most cases -- you can't typically send different gateway addresses to different hosts).


Thanks psherman

Can you help me with option 1? I use the AP for my IoT devices and my laptop, and I have a NAS on the host network, but it's no big deal if I cannot access it.

By option 2, I understand that I need to set the LAN host here on my host and a secondary DHCP server, right?

I think that you said you only want the devices connected to the OpenWrt wifi or lan ports to access the Internet via VPN. This works best if you start with the OpenWrt router as a lan-wan router instead of a dumb AP. Then you can follow the usual OpenVPN install instructions as if it is the main router. The house network, connected to OpenWrt's wan port, is treated as part of the Internet-- outside the VPN tunnel.


The screenshot you have provided will not help with option 2. There are a few ways to handle option 2, but since you are inclined to do option 1, @mk24's advice to work with the normal wan-lan configuration (i.e. standard operating mode for most OpenWrt devices) will be the easiest.

To make things as straightforward as possible I'd suggest simply resetting your router to defaults. Make a backup first -- you can then pull the OpenVPN config back in (manually by using scp to move it to your router) and then you'll make a small number of other changes and you should be good to go.

Thanks guys, I'll try the wan-lan VPN guide. If it's not too much to ask, what additional settings do I need so that devices on the host ISP LAN can access the devices behind the OpenWrt box, and vice versa?

Does your ISP router support static routes? If not, it will be a lot less straightforward.

I'm not sure, as I find conflicting info online.

It's a Huawei EG8145V5.

The WAN tab is empty; I think static routes are under IPv4?