OpenVPN on OpenWrt on router behind ISP router

Hi,

It is some time since I last posted as everything had been working fine but a house fire at Easter changed all that! All got out safely but lots of damage to the house and contents. Among the casualties were all the computers and associated equipment. Yes I did have backups in the house next door (mine as well) but that was also destroyed in the same fire. So sadly I have had to start all over again in the rental house we are now in. I have tried my best using the guides and my previous posts when it was first set up but have still encountered some difficulties.

The details of my equipment are as follows:

ISP - Free mobile (France) and no, it is not free.

ISP Router - TP-Link Archer MR600 running a 4/5G SIM card (there is no fixed line or other connection in the rental house)

OpenWRT router - NewWiFi-D2 (labelled as LeCoo) with preinstalled OpenWRT:

Hostname OpenWrt
Model Newifi-D2
Architecture MediaTek MT7621 ver:1 eco:3
Target Platform ramips/mt7621
Firmware Version OpenWrt 21.02.2 r16495-bf0c965af0 / LuCI openwrt-21.02 branch git-22.046.85957-59c3392
Kernel Version 5.4.179

The ISP router is set to 192.168.1.0/24 with WiFi SSID of MBD

The OpenWRT router is set to 10.0.0.0/24 with WiFi SSID of MBD5G and MBD2G

The OpenWRT router WAN interface is set to 192.168.1.20/24

The routers are connected from the OpenWRT WAN output to a standard LAN input on the ISP router

When I connect to the OpenWRT router (as 10.0.0.40) I can ping both networks successfully and manage both router control panels on 10.0.0.1 and 192.168.1.1 respectively.

When I connect to the ISP router (as 192.168.1.40) I can only ping the 192.168.1.0/24 network. I cannot access the 10.0.0.0/24 network at all. Consequently I can only see the ISP router control panel.

I initially set the system up as a basic connection and assumed that using the gateway (192.168.1.1) would automatically pick up the DNS settings but this was not the case. I could ping the internet by IP address but not by DNS name. I could not find much information in the guides about DNS settings but I eventually set custom DNS servers as 8.8.8.8 and 8.8.4.4, and since then I have been able to resolve addresses successfully when on the OpenWRT connection (using 10.0.0.40).

I have installed OpenVPN on the OpenWRT router (the main purpose of this exercise) together with Policy Routing. I have installed a working client configuration (working on my OpenVPN Connect app) but it will not connect from the OpenWRT router. Ultimately I will want to use policy routing for some of the equipment but this will have to wait until I can get the OpenVPN connection working.

So to my questions which I am happy to take one at a time. Please tell me if I need to load further information, logs etc.

Q1. Why did I need to insert the DNS records? Should the default gateway have worked and if so why has mine not?

Q2. Why can I not see both networks from the main ISP router? What do I need to tweak to make this happen?

Q3. Why can I not connect to my VPN? (I know I will need to post a lot more detail on this but could you tell me what to start with please?)

Thanks in advance,

Geoff

Q1. You should ask your ISP about that. Maybe they don't run a nameserver on their router and they advertise some other nameserver in DHCP.

Q2. There is no static route on the ISP router for the OpenWrt prefix. And even if there was, you might have issues with asymmetric routing and invalid packets on the firewall of the ISP router.

Q3. Hard to say; what do the logs say when you try to connect?
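
As an added illustration of the static-route answer above (this is not part of the thread and was not written by either poster), here are the two pieces a practitioner would check on this topology. First, a static route on the ISP router: destination 10.0.0.0/24, netmask 255.255.255.0, gateway 192.168.1.20, entered in the Archer's static-routing settings (the exact menu path is not given here). Second, a firewall rule on the OpenWrt side, because the default `wan` zone rejects forwarded traffic, so anything the ISP router routes towards 10.0.0.0/24 is dropped at OpenWrt even once the route exists. The rule below is in OpenWrt 21.02 `/etc/config/firewall` syntax; the zone names `wan` and `lan` are the defaults of a fresh install and are assumed.

```uci
# Added example, not from the thread: OpenWrt 21.02 /etc/config/firewall
# rule that lets hosts on the ISP LAN (192.168.1.0/24, arriving on the
# 'wan' zone) reach the OpenWrt LAN (10.0.0.0/24). Without it the wan
# zone's default REJECT for forwarded traffic drops the packets the ISP
# router sends here after the static route is added.
# Assumed: zones are named 'wan' and 'lan' as in a default install.
config rule
	option name 'Allow-ISP-LAN-to-OpenWrt-LAN'
	option src 'wan'
	option src_ip '192.168.1.0/24'
	option dest 'lan'
	option dest_ip '10.0.0.0/24'
	option proto 'all'
	option target 'ACCEPT'
```

Apply it with `/etc/init.d/firewall reload`. The asymmetric-routing caveat in the answer arises because a 192.168.1.x host sends its packets to 192.168.1.1, which forwards them to 192.168.1.20 (and may send an ICMP redirect), while OpenWrt's replies go straight back to the host on the shared segment; the ISP router therefore sees only one direction of each flow and a stateful firewall on it can drop the conversation as invalid. Adding the route on the individual 192.168.1.x host instead (on Linux, `ip route add 10.0.0.0/24 via 192.168.1.20`) keeps both directions off the ISP router and avoids that problem.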

Hi Trendy, thanks for response.

To be clear, although I call it the ISP router, it is actually my 4G router with my ISP SIM card in it. Every other device that connects to the ISP router has the DNS set to 192.168.1.1 and works properly. The OpenWRT router has the gateway set to 192.168.1.1 and under advanced settings Use Default Gateway was ticked, but DNS would not resolve. However, since working with it and rebooting it several times it now appears to be working fine, so Q1 is closed.

However, now that everything is on a default setting, I can no longer see the second network from the first no matter which I connect to. When it was set up before the fire I was able to manage both networks no matter which I logged into. I am not experienced in static routing but I am sure I did not do anything with it previously. Is there no way for the two networks to see each other? I thought that was what bridging was for?

On the VPN, I have now got it working (the SSL module was missing). However, when it is on, I cannot see anything! I would rather get Q2 dealt with first as I have found a guide for the VPN and am slowly working through it. If it does not help me I will come back to Q3 later.

Geoff

UPDATE

I have now worked through the VPN guide and have the router using my VPN, and all items connected to it now go over the VPN. So Q3 is now also closed. However, it leads me to:

Q4. How do I set up policy based routing so only the specified machines use the VPN?

I have searched through the guides but cannot find anything on this subject. Are there any links you can give me to read up on? I am also going back through my older posts to see if the information is in there.

G

Pleased to report that I have found some guides, followed them and got the network working as I want. Connections now default to the WAN interface and I have set policy routing for the items that need it to go via tun0 to my VPN.

Thanks for the help offered.

Geoff

I'm glad you got it all working. Regarding Q2, I didn't realize you had it in bridging mode. However, when you have bridging mode the hosts connected to the OpenWrt will have the ISP router as gateway, as advertised by DHCP, and it will be a problem to statically assign OpenWrt as gateway for the VPN to work.

Back to Q2. When I am normally connected to my wireless LAN I can see both 10.0.0.1 and 192.168.1.1.

As soon as I open the VPN connection, I am restricted to 10.0.0.1. So it is the VPN connection causing the issue.

How do I add a link so that even with the VPN on I can still see the two LANs?

Geoff

Did you add a rule in policy routing to send packets to 192.168.1.0/24 via the wan interface?
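
As an added example of the rule being asked about (not part of the thread, and not either poster's configuration), the fragment below is an `/etc/config/vpn-policy-routing` file for the vpn-policy-routing package on OpenWrt 21.02. It matches the setup Geoff describes: everything defaults to the WAN, one LAN host is sent through the VPN, and traffic for the ISP LAN is pinned to the WAN so that host can still reach 192.168.1.1 while the tunnel is up. The host address 10.0.0.40 is taken from the first post; the tunnel being visible to the package as `tun0` is assumed from Geoff's own wording and should be checked against the interface names the package lists in LuCI.

```uci
# Added example, not from the thread: /etc/config/vpn-policy-routing
# (vpn-policy-routing package, OpenWrt 21.02).
# Default route stays on wan; only the listed host uses the tunnel.
# Assumed: the OpenVPN tunnel appears to the package as 'tun0' (the name
# used in the thread); confirm it in the package's interface list.
config vpn-policy-routing 'config'
	option enabled '1'
	option verbosity '2'

# Listed first: earlier policies are assumed to take precedence over later
# ones, so this pin wins over the per-host rule below for 192.168.1.0/24
# traffic. Verify the ordering for your package version by swapping the
# two policies and re-testing.
config policy
	option name 'ISP LAN stays on WAN'
	option dest_addr '192.168.1.0/24'
	option interface 'wan'

# The host that should go through the VPN; without the policy above, its
# packets to 192.168.1.1 would be sent into the tunnel and never answered.
config policy
	option name 'Laptop via VPN'
	option src_addr '10.0.0.40'
	option interface 'tun0'
```

Restart the service with `/etc/init.d/vpn-policy-routing restart` after editing. To confirm the pin works, from 10.0.0.40 run `traceroute 192.168.1.1`: the first hop should be 10.0.0.1 followed directly by 192.168.1.1, and not the tunnel endpoint.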