OpenVPN on OpenWrt on router behind ISP router

Hi,

It is some time since I last posted as everything had been working fine, but a house fire at Easter changed all that! All got out safely but lots of damage to the house and contents. Among the casualties were all the computers and associated equipment. Yes, I did have backups in the house next door (mine as well) but that was also destroyed in the same fire. So sadly I have had to start all over again in the rental house we are now in. I have tried my best using the guides and my previous posts from when it was first set up but have still encountered some difficulties.

The details of my equipment are as follows:

ISP - Free mobile (France) and no, it is not free.

ISP Router - TP-Link Archer MR600 running a 4/5G SIM card (there is no fixed line or other connection in the rental house)

OpenWRT router - NewWiFi-D2 (labelled as LeCoo) with preinstalled OpenWRT:

Hostname OpenWrt
Model Newifi-D2
Architecture MediaTek MT7621 ver:1 eco:3
Target Platform ramips/mt7621
Firmware Version OpenWrt 21.02.2 r16495-bf0c965af0 / LuCI openwrt-21.02 branch git-22.046.85957-59c3392
Kernel Version 5.4.179

The ISP router is set to 192.168.1.0/24 with WiFi SSID of MBD

The OpenWRT router is set to 10.0.0.0/24 with WiFi SSID of MBD5G and MBD2G

The OpenWRT router WAN interface set to 192.168.1.20/24

The routers are connected from the OpenWRT WAN output to a standard LAN input on the ISP router.

When I connect to the OpenWRT router (as 10.0.0.40) I can ping both networks successfully and manage both router control panels on 10.0.0.1 and 192.168.1.1 respectively.

When I connect to the ISP router (as 192.168.1.40) I can only ping the 192.168.1.0/24 network. I cannot access the 10.0.0.0/24 network at all. Consequently I can only see the ISP router control panel.

I initially set the system up as a basic connection and assumed that using the gateway (192.168.1.1) would automatically pick up the DNS settings, but this was not the case. I could ping the internet by IP address but not by DNS name. I could not find much information in the guides about DNS settings but I eventually set custom DNS servers as 8.8.8.8 and 8.8.4.4, and since then I have been able to resolve addresses successfully when on the OpenWRT connection (using 10.0.0.40).

I have installed OpenVPN on the OpenWRT router (the main purpose of this exercise) together with Policy Routing. I have installed a working client configuration (working on my OpenVPN Connect app) but it will not connect from the OpenWRT router. Ultimately I will want to use policy routing for some of the equipment but this will have to wait until I can get the OpenVPN connection working.

So to my questions which I am happy to take one at a time. Please tell me if I need to load further information, logs etc.

Q1. Why did I need to insert the DNS records? Should the default gateway have worked and if so why has mine not?

Q2. Why can I not see both networks from the main ISP router? What do I need to tweak to make this happen?

Q3. Why can I not connect to my VPN? (I know I will need to post a lot more detail on this but could you tell me what to start with please?)

Thanks in advance,

Geoff


You should ask your ISP about that. Maybe they don't run nameserver on their router and they advertise some other nameserver in dhcp.

There is no static route on the ISP router for the OpenWrt prefix. And even if there was, you might have issues with asymmetric routing and invalid packets on the firewall of the ISP router.

Hard to say, what do the logs say when you try to connect?

Hi Trendy, thanks for response.

To be clear, although I call it the ISP router, it is actually my 4G router with my ISP SIM card in it. Every other device that connects to the ISP router has the DNS set to 192.168.1.1 and works properly. The OpenWRT router has the gateway set to 192.168.1.1 and under advanced settings Use Default Gateway was ticked, but DNS would not resolve. However, since working with it and rebooting it several times it now appears to be working fine. So Q1 is closed.

However, now that everything is on a default setting, I can no longer see the second network from the first no matter which I connect to. When it was set up before the fire I was able to manage both networks no matter which I logged into. I am not experienced in static routing but I am sure I did not do anything with it previously. Is there no way for the two networks to see each other? I thought that was what bridging was for?

On the VPN, I have now got it working (the SSL module was missing). However, when it is on, I cannot see anything! I would rather get Q2 dealt with first as I have found a guide for the VPN and am slowly working through it. If it does not help me I will come back to Q3 later.

Geoff

UPDATE

I have now worked through the VPN guide and have the router using my VPN, and all items connected to it now go over the VPN. So Q3 is now also closed. However, it leads me to:

Q4. How do I set up policy based routing so only the specified machines use the VPN?

I have searched through the guides but cannot find anything on this subject. Are there any links you can give me to read up on? I am also going back through my older posts to see if the information is in there.

G

Pleased to report that I have found some guides, followed them and got the network working as I want. Connections now default to the WAN interface and I have set policy routing for the items that need it to go via tun0 to my VPN.

Thanks for the help offered.

Geoff

I'm glad you got it all working. Regarding Q2, I didn't realize you had it in bridging mode. However when you have bridging mode the hosts connected to the OpenWrt will have the ISP router as gateway as advertised by DHCP and it will be a problem to statically assign OpenWrt as gateway for the VPN to work.

Back to Q2. When I am normally connected to my wireless LAN I can see both 10.0.0.1 and 192.168.1.1.

As soon as I open the VPN connection, I am restricted to 10.0.0.1. So it is the VPN connection causing the issue.

How do I add a link so that even with the VPN on I can still see the two LANs?

Geoff

Did you add a rule in policy routing to send packets to 192.168.1.0/24 via wan interface?

Hi Trendy,

Sorry for the delay in responding but we have been pretty occupied on other issues. Where do I add the rules for the routing? Under Network Static Routes?

Also, I just posted another issue on combining two 4G routers via mwan3 and cannot get the second to work, and I suspect it is for the same reason. I need the LAN and router to be able to see the two routers and at the moment it is only seeing one of them. They are set to 192.168.1.0/24 and 192.168.0.0/24 and at the moment I can only access the 192.168.1.0/24 network router.

Is it a similar solution or something more complex I need to do? The other post is here:

Appreciate any input you can give.

Geoff

If you run mwan3 then it creates rules for all internal networks.
If not, you need to add them yourself. I am not sure which version you are running and if rules are available in LuCI. If not, you can add them manually.

Thanks Trendy.

I have now got it to work.

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.

Unfortunately, I thought it was solved but it is not. Recap of my system: two 4G SIM card routers on 192.168.0.1 and 192.168.1.1 feeding into an OpenWrt router managing DHCP for the LAN on 10.0.0.1. Everything connected over WiFi.

Without OpenVPN running my LAN machines can access 10.0.0.1 and 192.168.1.1 but not 192.168.0.1.

With OpenVPN running (either locally on the machine or through policy setting on the OpenWrt router) my LAN machines can only access 10.0.0.1 and not 192.168.1.1 or 192.168.0.1.

So there are two issues. Accessing the 192.168.0.1 network under any circumstances and then accessing both under OpenVPN.

I am sure this is not hard to fix but I am not confident on what needs to be done or how to do it.

I assume it is all in static routing AND firewall policies but not sure how to start.

I am reading through previous posts but they tend to be specific and not generic solutions.

Geoff

Have read up and tried lots of options for routing but cannot get through to the 192.168.0.0/24 network. It is also on a router that cannot have static routes added to it. Should I invest in a second private 4G router or can I achieve it without adding routes to the 4G network side?

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
uci export network; uci export wireless; \
uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru

Thanks Trendy, a very merry Xmas to you.

I have removed passwords and MAC addresses. I also removed a listing of static routes I tried but have disabled, as they are irrelevant (I assume).

root@OpenWrt:~# ubus call system board; \
> uci export network; uci export wireless; \
> uci export dhcp; uci export firewall; \
> head -n -0 /etc/firewall.user; \
> ip -4 addr ; ip -4 ro li tab all ; ip -4 ru
{
	"kernel": "5.4.179",
	"hostname": "OpenWrt",
	"system": "MediaTek MT7621 ver:1 eco:3",
	"model": "Newifi-D2",
	"board_name": "d-team,newifi-d2",
	"release": {
		"distribution": "OpenWrt",
		"version": "21.02.2",
		"revision": "r16495-bf0c965af0",
		"target": "ramips/mt7621",
		"description": "OpenWrt 21.02.2 r16495-bf0c965af0"
	}
}
package network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'
	option ula_prefix 'fd33:1ec6:00a8::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '10.0.0.1'
	list dns '192.168.1.1'
	list dns '8.8.8.8'
	list dns '8.8.4.4'
	list dns '10.0.0.1'
	list dns '192.168.0.1'
	list dns_search 'mbd'
	list dns_search 'lan'

config interface 'tun0'
	option proto 'none'
	option device 'tun0'

config device
	option type '8021q'
	option ifname 'lan4'
	option vid '1'
	option name 'lan4.1'
	option mtu '1500'

config interface 'wan_free'
	option proto 'static'
	option device 'wan'
	option ipaddr '192.168.1.20'
	option netmask '255.255.255.0'
	option gateway '192.168.1.1'
	option metric '10'

config interface 'wan_sfr'
	option proto 'static'
	option device 'lan4'
	option ipaddr '192.168.0.20'
	option netmask '255.255.255.0'
	option gateway '192.168.0.1'
	option metric '20'

package wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
	option channel '1'
	option band '2g'
	option htmode 'HT20'
	option cell_density '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option encryption 'psk2'
	option key 'xxxxxxxxxxxxxxx'
	option ssid 'MBD'

config wifi-device 'radio1'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
	option channel '36'
	option band '5g'
	option htmode 'VHT80'
	option cell_density '0'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option encryption 'psk2'
	option key 'xxxxxxxxxx'
	option ssid 'MBD'

package dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	option domain 'mbd'

config dhcp 'lan'
	option interface 'lan'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option start '151'
	option limit '49'
	option leasetime '12h'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config host
	option name 'GJJ-iMac24'
	option mac 'XX:XX:XX:XX:XX:XX'
	option ip '10.0.0.40'

config host
	option name 'JCP-Air'
	option dns '1'
	option mac 'XX:XX:XX:XX:XX:XX'
	option ip '10.0.0.45'

config host
	option name 'GJJ-AIR'
	option dns '1'
	option mac 'XX:XX:XX:XX:XX:XX'
	option ip '10.0.0.50'

config host
	option name 'HiSenseTV'
	option dns '1'
	option mac 'XX:XX:XX:XX:XX:XX'
	option ip '10.0.0.80'

config host
	option name 'Humax'
	option dns '1'
	option mac 'XX:XX:XX:XX:XX:XX'
	option ip '10.0.0.85'

config host
	option name 'SonosOne-L'
	option dns '1'
	option mac 'XX:XX:XX:XX:XX:XX'
	option ip '10.0.0.201'

config host
	option name 'SonosOne-R'
	option dns '1'
	option mac 'XX:XX:XX:XX:XX:XX'
	option ip '10.0.0.202'

config host
	option name 'SonosOneTV-Bar'
	option dns '1'
	option ip '10.0.0.203'

config host
	option name 'SonosOneTVBass'
	option dns '1'
	option ip '10.0.0.204'

config host
	option name 'SonosOneTV-L'
	option dns '1'
	option ip '10.0.0.205'

config host
	option name 'SonosOneTV-R'
	option dns '1'
	option ip '10.0.0.206'

config host
	option name 'Play1-L'
	option dns '1'
	option mac 'XX:XX:XX:XX:XX:XX'
	option ip '10.0.0.207'

config host
	option dns '1'
	option mac 'XX:XX:XX:XX:XX:XX'
	option name 'Play1-R'
	option ip '10.0.0.208'

config domain
	option name 'GJJ-iMac24'
	option ip '10.0.0.40'

config domain
	option name 'Humax'
	option ip '10.0.0.85'

config domain
	option name 'GJJ-Air'
	option ip '10.0.0.50'

config domain
	option name 'HiSenseTV'
	option ip '10.0.0.80'

config domain
	option name 'JCP-Air'
	option ip '10.0.0.45'

package firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list device 'tun0'
	list network 'tun0'
	list network 'wan_free'
	list network 'wan_sfr'
	option input 'REJECT'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled 'false'

config include
	option path '/etc/firewall.user'

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
3: lan4@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.0.20/24 brd 192.168.0.255 scope global lan4
       valid_lft forever preferred_lft forever
7: wan@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.1.20/24 brd 192.168.1.255 scope global wan
       valid_lft forever preferred_lft forever
10: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 10.0.0.1/24 brd 10.0.0.255 scope global br-lan
       valid_lft forever preferred_lft forever
14: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
    inet 10.8.0.6/24 scope global tun0
       valid_lft forever preferred_lft forever
default via 192.168.1.1 dev wan table 1 proto static metric 10 
10.0.0.0/24 dev br-lan table 1 proto kernel scope link src 10.0.0.1 
10.8.0.0/24 dev tun0 table 1 proto kernel scope link src 10.8.0.6 
192.168.1.0/24 dev wan table 1 proto static scope link metric 10 
default via 192.168.0.1 dev lan4 table 2 proto static metric 20 
10.0.0.0/24 dev br-lan table 2 proto kernel scope link src 10.0.0.1 
10.8.0.0/24 dev tun0 table 2 proto kernel scope link src 10.8.0.6 
192.168.0.0/24 dev lan4 table 2 proto static scope link metric 20 
default via 10.8.0.6 dev tun0 table tun0 
default via 192.168.1.1 dev wan table wan_free 
default via 192.168.0.1 dev lan4 table wan_sfr 
default via 192.168.1.1 dev wan proto static metric 10 
default via 192.168.0.1 dev lan4 proto static metric 20 
10.0.0.0/24 dev br-lan proto kernel scope link src 10.0.0.1 
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6 
192.168.0.0/24 dev lan4 proto static scope link metric 20 
192.168.1.0/24 dev wan proto static scope link metric 10 
broadcast 10.0.0.0 dev br-lan table local proto kernel scope link src 10.0.0.1 
local 10.0.0.1 dev br-lan table local proto kernel scope host src 10.0.0.1 
broadcast 10.0.0.255 dev br-lan table local proto kernel scope link src 10.0.0.1 
broadcast 10.8.0.0 dev tun0 table local proto kernel scope link src 10.8.0.6 
local 10.8.0.6 dev tun0 table local proto kernel scope host src 10.8.0.6 
broadcast 10.8.0.255 dev tun0 table local proto kernel scope link src 10.8.0.6 
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 
broadcast 192.168.0.0 dev lan4 table local proto kernel scope link src 192.168.0.20 
local 192.168.0.20 dev lan4 table local proto kernel scope host src 192.168.0.20 
broadcast 192.168.0.255 dev lan4 table local proto kernel scope link src 192.168.0.20 
broadcast 192.168.1.0 dev wan table local proto kernel scope link src 192.168.1.20 
local 192.168.1.20 dev wan table local proto kernel scope host src 192.168.1.20 
broadcast 192.168.1.255 dev wan table local proto kernel scope link src 192.168.1.20 
0:	from all lookup local
980:	from all fwmark 0x30000/0xff0000 lookup wan_sfr
981:	from all fwmark 0x20000/0xff0000 lookup wan_free
982:	from all fwmark 0x10000/0xff0000 lookup tun0
1001:	from all iif wan lookup 1
1002:	from all iif lan4 lookup 2
2001:	from all fwmark 0x100/0x3f00 lookup 1
2002:	from all fwmark 0x200/0x3f00 lookup 2
2061:	from all fwmark 0x3d00/0x3f00 blackhole
2062:	from all fwmark 0x3e00/0x3f00 unreachable
3001:	from all fwmark 0x100/0x3f00 unreachable
3002:	from all fwmark 0x200/0x3f00 unreachable
32766:	from all lookup main
32767:	from all lookup default
root@OpenWrt:~# 

Also, I misled you earlier. Everything on the LAN is wireless, but there are wired connections between the 4G routers and the OpenWrt router. I also have an IP phone that bypasses the OpenWrt router on 192.168.1.65.

Also, you might like to know why I want to do this. Nothing fancy, I just want to be able to access the admin pages 192.168.1.1, 192.168.0.1 and 10.0.0.1 all from my LAN devices to control the network and reboot when problems occur. Currently I have to leave the WiFi on and change from the OpenWrt wireless to the SFR wireless to access that router's admin page.

I would also like to be able to do this management whether or not the VPN is connected on the machine I am using.

Geoff

Merry Christmas and a happy new year to you as well!

From the lan interface remove the DNS entries which are not reachable on this interface, like the Google DNS. Also remove the 10.0.0.1 as it is its own address.
Assign a metric to the tun0 interface as well, say 30.
Also post the uci export pbr
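The `ip -4 ru` and `ip -4 ro li tab all` output posted above is enough to trace by hand why a LAN host loses the two 4G routers' admin pages once its traffic is marked for the VPN, and why a mark pointing at table 1 sends 192.168.0.1 to the wrong router. The following is an added example (Python, not something either poster ran) that replays the kernel's policy-routing decision over that posted state; the rules and routes are copied from the dump, abridged, and the fwmark values given to the test packets are assumptions standing in for whatever pbr or mwan3 actually stamps on this router.

```python
import ipaddress

# Policy-routing state copied from the `ip -4 ru` / `ip -4 ro li tab all` output above,
# abridged to the fwmark rules and the routes the lookups below can hit (values unchanged).
RULES = """\
0:	from all lookup local
980:	from all fwmark 0x30000/0xff0000 lookup wan_sfr
981:	from all fwmark 0x20000/0xff0000 lookup wan_free
982:	from all fwmark 0x10000/0xff0000 lookup tun0
2001:	from all fwmark 0x100/0x3f00 lookup 1
2002:	from all fwmark 0x200/0x3f00 lookup 2
32766:	from all lookup main
"""
ROUTES = """\
default via 192.168.1.1 dev wan table 1 proto static metric 10
10.0.0.0/24 dev br-lan table 1 proto kernel scope link src 10.0.0.1
192.168.1.0/24 dev wan table 1 proto static scope link metric 10
default via 192.168.0.1 dev lan4 table 2 proto static metric 20
10.0.0.0/24 dev br-lan table 2 proto kernel scope link src 10.0.0.1
192.168.0.0/24 dev lan4 table 2 proto static scope link metric 20
default via 10.8.0.6 dev tun0 table tun0
default via 192.168.1.1 dev wan table wan_free
default via 192.168.0.1 dev lan4 table wan_sfr
default via 192.168.1.1 dev wan proto static metric 10
default via 192.168.0.1 dev lan4 proto static metric 20
10.0.0.0/24 dev br-lan proto kernel scope link src 10.0.0.1
192.168.0.0/24 dev lan4 proto static scope link metric 20
192.168.1.0/24 dev wan proto static scope link metric 10
local 10.0.0.1 dev br-lan table local proto kernel scope host src 10.0.0.1
"""

def parse_rules(text):
    """Each rule -> (fwmark value, fwmark mask, table); mask None means 'from all'."""
    rules = []
    for line in text.splitlines():
        toks = line.split()
        val, mask = (0, None)
        if "fwmark" in toks:  # "0x10000/0xff0000" -> value / mask
            val, mask = (int(x, 16) for x in toks[toks.index("fwmark") + 1].split("/"))
        rules.append((val, mask, toks[-1]))
    return rules

def parse_routes(text):
    """Group routes by table as (network, metric, dev, via); no 'table' means main."""
    tables = {}
    for line in text.splitlines():
        toks = line.split()
        if toks[0] == "local":  # route type; the host prefix follows
            toks = toks[1:]
        net = ipaddress.ip_network("0.0.0.0/0" if toks[0] == "default" else toks[0])
        get = lambda k, t=toks: t[t.index(k) + 1] if k in t else None
        tables.setdefault(get("table") or "main", []).append(
            (net, int(get("metric") or 0), get("dev"), get("via")))
    return tables

RULE_LIST, TABLES = parse_rules(RULES), parse_routes(ROUTES)

def lookup(dst, fwmark=0):
    """Emulate the kernel's FIB walk: rules in priority order, longest-prefix (then
    lowest-metric) match in the selected table, fall through when the table misses."""
    dst = ipaddress.ip_address(dst)
    for val, mask, table in RULE_LIST:
        if mask is not None and (fwmark & mask) != val:
            continue
        hits = [rt for rt in TABLES.get(table, []) if dst in rt[0]]
        if hits:
            _, _, dev, via = max(hits, key=lambda rt: (rt[0].prefixlen, -rt[1]))
            return {"table": table, "dev": dev, "via": via}
    return {"table": None, "dev": None, "via": None}  # kernel: network unreachable
```

An unmarked packet to 192.168.0.1 leaves via lan4 from the main table, the same packet carrying a mark that selects table 1 falls to that table's default and is sent to 192.168.1.1 instead, and a packet to 192.168.1.1 marked for tun0 is swallowed by the VPN's default route; a rule that marks 192.168.1.0/24 for wan_free is what brings it back out of the wan device.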

root@OpenWrt:~#  uci export pbr
uci: Entry not found
root@OpenWrt:~# 

I do not think pbr is installed. I am on 21.02.2.

Do you want me to rerun the previous commands?

Geoff

My mistake, it should be uci export mwan3