OpenVPN on Dumb AP

I had been running OpenVPN server on an MR6350 (as a 2nd router after AT&T's BGW210 main router) with an unofficial 23.05 snapshot that I built from @RolandoMagico's code for about 6 weeks when I was abroad. Everything worked perfectly. Now I want to configure the MR6350 as a Dumb AP so that devices connected to it are in the same subnet as the main router. Following the OpenWrt guide, I successfully configured the MR6350 as a Dumb AP, but I have trouble getting OpenVPN working. I think it probably needs some firewall tweaks, but not knowing much about networking, I am stuck. I have googled the internet and people were saying "yes, it is doable", but nobody gave explicit instructions on how to do it. I hope some network gurus here can shed some light and point to the direction I should look into. Thanks in advance.

Yes, primarily on the main router, unless all AP traffic is supposed to go via the VPN.

I would like to keep the main router out of the loop. Could you give a brief (high-level) description of the areas that need to be touched? Thanks. I have tried, blindly though, changing some firewall settings to no avail.

Assuming you are talking about an OpenVPN server on your dumb access point, you need at least a port forward on the main router.

Furthermore, either set a static route on the main router to route the VPN subnet via the dumb AP, or enable Masquerading on the LAN zone of your dumb AP. In that case the VPN needs its own zone, as the VPN does not need Masquerading.

You haven't specified if you're trying to set up OpenVPN as a server or a client.

As @egc mentioned, the server would need port forwarding from your main router.

However, if you're talking about a client, see this:

As an aside, if Wireguard is an option, I'd recommend that instead of OpenVPN. Wireguard is more modern, more secure, easier to configure, and far more performant than OpenVPN.


Yes, it is about OpenVPN server. (I have edited my original post to make it clear.) The main router has been configured to direct custom TCP/UDP port numbers to the Dumb AP's 443/1194. I assume this is the port forwarding you allude to.

Thanks for pointing out LAN zone masquerading and VPN's own zones (one for TCP and one for UDP). I will play with them.

Sorry, I didn't make it clear that my question is for the server. Wireguard did come to my mind. There are three tasks I want this Dumb AP to do: adding LAN ports in the main router's subnet, a VPN server, and extroot to run a large program (LMS server). Wireguard is new to me as an alternative, as is extroot. (I probably will have questions on extroot later, after I get past the VPN server.) Also, I need to investigate if LMS (Lyrion/Logitech Media Server) would work in the OpenWrt environment. There are too many unknowns to me, so I went with OpenVPN, which I already have experience with.

What is the device upon which you are running these services?

ubus call system board
BusyBox v1.36.1 (2024-09-23 12:34:46 UTC) built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt 23.05.5, r24106-10cc5fcd00
 -----------------------------------------------------
root@MR6350:~# ubus call system board
{
        "kernel": "5.15.167",
        "hostname": "MR6350",
        "system": "ARMv7 Processor rev 5 (v7l)",
        "model": "Linksys MR6350",
        "board_name": "linksys,mr6350",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.5",
                "revision": "r24106-10cc5fcd00",
                "target": "ipq40xx/generic",
                "description": "OpenWrt 23.05.5 r24106-10cc5fcd00"
        }
}

I don't think that LMS is going to happen...

  • This device has 128MB of RAM. I would be surprised if you can fit LMS into that footprint in general.
  • While I do see Linux installers for that software, none of those are going to run on OpenWrt. You'll have to attempt to compile it yourself for OpenWrt (probably not so easy)... doesn't solve the problem above, though.
  • Or, it might be possible to put it in a docker container, but that's not happening on your device (not enough RAM).

That said, you could presumably run another, much more basic media server on your device. I wouldn't recommend it, though... you should probably get something with a lot more RAM (in the GB range) for this purpose.

That said, Wireguard and/or OpenVPN can run on your device without an issue... WG will be more performant on that hardware.

If your upstream router supports static routes, you can avoid the need to use masquerading on your lan firewall zone. But, if not, masquerading will be useful and necessary.

The MR6350 actually has 256MB RAM. Currently it has 134MB available after OpenVPN is loaded. My current LMS setup is on a Pogoplug Pro with 128MB RAM running a lean Debian 9. So I thought maybe 256MB is enough. If not, I can go to an MR8300, which has 512MB RAM (and official OpenWrt firmware support).

I actually compiled the LMS server currently running on the Pogoplug Pro myself. At that time there wasn't a 32-bit ARM package, so I had to do it myself. But I would like to avoid that route this time around. It has been at least three years and I have lost all the details of compiling the package.

About putting LMS in a docker container, my concern is about overall router performance, especially the wired LAN functioning.

Thanks for pointing out the areas that I should pay attention to and alternatives that I should consider. Very much appreciated.

Thanks, @egc. I got it to work after doing these things: masquerading the LAN zone, creating a VPN zone with the device 'tun+', and forwarding from the VPN zone to the LAN zone. I even added the "wan" device to "br-lan" to get one more wired port.
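The firewall setup this post describes, written out as an added example in /etc/config/firewall syntax (it is not a configuration posted in the thread). It assumes the dumb AP's LAN interface is named 'lan', the OpenVPN server listens on UDP 1194, and its tunnel interface is matched by 'tun+'; adjust these to your own server configuration.

```uci
# /etc/config/firewall on the dumb AP (added example; names and ports are assumptions)

config zone
	option name		'lan'
	list   network		'lan'
	option input		'ACCEPT'
	option output		'ACCEPT'
	option forward		'ACCEPT'
	# Source-NAT VPN clients to the AP's own LAN address, so the main router
	# needs no static route back to the VPN subnet. The trade-off: the main
	# router's logs see the AP's address, not the individual VPN client. If the
	# main router supports static routes, leave masq off and add the route there.
	option masq		'1'

config zone
	option name		'vpn'
	list   device		'tun+'
	# Clients may not talk to the AP itself; change to ACCEPT only if they
	# must manage the AP over the tunnel.
	option input		'REJECT'
	option output		'ACCEPT'
	option forward		'REJECT'
	# No masq here: the tunnel side must not be NATed.

# Allow VPN clients into the LAN (and onwards to the main router).
config forwarding
	option src		'vpn'
	option dest		'lan'

# The port-forward from the main router arrives on br-lan, i.e. in the lan
# zone. With input 'ACCEPT' above this rule is redundant; it becomes required
# if the lan zone's input policy is tightened to REJECT.
config rule
	option name		'Allow-OpenVPN-UDP'
	option src		'lan'
	option dest_port	'1194'
	option proto		'udp'
	option target		'ACCEPT'
```

After editing, apply with `/etc/init.d/firewall restart` and confirm the VPN zone picked up the tunnel with `fw4 print | grep tun`.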

