OpenVPN on switch router

Hello,

I have an Asus AC66U running Transmission and would like to set up one of my OpenWRT routers as a VPN server for it (either my DGN3500 or Archer C50).
My network loop is:
Modem > DSL-AC88U (No VPN needed) > DGN3500 (No VPN needed) > Archer C50 linked to DGN3500 (No VPN needed) > AC66U connected to DGN3500 (all traffic to be VPN)

Which router would best suit this task, and will it be as easy as installing the VPN server and then pointing the AC66U's DNS and gateway to that router rather than the AC88U, which is the current setting?

Thanks

I don't think that any of them has a crypto sub-board or coprocessor, so go for the one with the fastest CPU. If possible avoid the AC88U, since it is the edge router and might already be under load.

The AC66U is already running Transmission, so that's taxing its resources, and the AC88U can only run the stock Asus firmware (not even Asus Merlin is supported yet).
Probably use the DGN3500, as it is in the path of the packets anyway.

Compared to the C50 it is a much better choice.

I am going through the documentation but am having trouble setting up the interface and firewall side of things.
I have set up OpenVPN and it seems to be running. I know I need to set up another switch VLAN, but do I tag the WAN and LAN ports or just the LAN ports coming in?

Thanks for any help

I don't think you need another VLAN.
First, you don't need to segregate the networks; second, even if you did, the other devices should also be configured to be aware of the VLANs.

Seems like I am way off here then.
Okay, so with just OpenVPN installed, when I create the tun interface as per the guide I am only able to select the lan interface (my gateway router and LAN devices are all included in this). This seems incorrect, as I need to separate my devices from my gateway router.

I didn't get that, could you post the configuration part that has the issue?

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UNKNOWN qlen 1000
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
5: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether 30:46:9a:26:55:d0 brd ff:ff:ff:ff:ff:ff
6: tun0: <POINTOPOINT,MULTICAST,NOARP> mtu 1500 qdisc fq_codel state DOWN qlen 100
    link/[65534]
11: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 30:46:9a:26:55:ce brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.4/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 fdd6:8b03:6aed::1/60 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::3246:9aff:fe26:55ce/64 scope link
       valid_lft forever preferred_lft forever
12: eth0.1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether 30:46:9a:26:55:ce brd ff:ff:ff:ff:ff:ff
default via 192.168.1.1 dev br-lan
192.168.1.0/24 dev br-lan scope link  src 192.168.1.4
root@OpenWrt:~# uci show network
network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fdd6:8b03:6aed::/48'
network.atm=atm-bridge
network.atm.vpi='1'
network.atm.vci='32'
network.atm.encaps='llc'
network.atm.payload='bridged'
network.atm.nameprefix='dsl'
network.dsl=dsl
network.dsl.annex='a'
network.dsl.firmware='/lib/firmware/adsl.bin'
network.lan=interface
network.lan.type='bridge'
network.lan.ifname='eth0.1'
network.lan.proto='static'
network.lan.ipaddr='192.168.1.4'
network.lan.netmask='255.255.255.0'
network.lan.gateway='192.168.1.1'
network.lan.dns='192.168.1.1'
network.lan.ip6assign='60'
network.lan_dev=device
network.lan_dev.name='eth0.1'
network.lan_dev.macaddr='30:46:9a:26:55:ce'
network.wan=interface
network.wan.ifname='dsl0'
network.wan.proto='pppoe'
network.wan.username='username'
network.wan.password='password'
network.wan.ipv6='1'
network.wan.auto='0'
network.wan_dev=device
network.wan_dev.name='dsl0'
network.wan_dev.macaddr='30:46:9a:26:55:cf'
network.wan6=interface
network.wan6.ifname='@wan'
network.wan6.proto='dhcpv6'
network.wan6.auto='0'
network.@switch[0]=switch
network.@switch[0].name='switch0'
network.@switch[0].reset='1'
network.@switch[0].enable_vlan='1'
network.@switch[0].enable_vlan4k='1'
network.@switch_vlan[0]=switch_vlan
network.@switch_vlan[0].device='switch0'
network.@switch_vlan[0].vlan='1'
network.@switch_vlan[0].ports='5t 3 2 1 0'
network.vpn=interface
network.vpn.ifname='tun0'
network.vpn.proto='none'
network.vpn.auto='0'
root@OpenWrt:~# uci show firewall
firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='ACCEPT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[0].network='lan'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'

When I create the firewall zone for the VPN (in LuCI) I can only select lan as the forwarding source and destination.

Either you create an interface in LuCI for the VPN, or you can add tun0 directly to the vpn zone from the command line with the option device tun0.
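As an added example (not from anyone in this thread), the reply above translated into the uci commands that define a separate vpn zone by device name, forward between it and lan, and masquerade on lan so replies to tunnel addresses come back through this router rather than being dropped by the upstream AC88U, which has no route to the tunnel subnet. Assumptions: the tun device is tun0 as in the posted ip output, OpenVPN listens on UDP 1194 (a hypothetical port), and the lan zone is firewall.@zone[0] as in the posted uci show firewall. The batch is generated by a function so it can be reviewed before being piped into uci.

```shell
#!/bin/sh
# Added example: emit a uci batch that attaches tun0 to its own 'vpn' zone.
# Assumed values: tun device tun0, OpenVPN on UDP 1194, lan zone at @zone[0].
vpn_zone_batch() {
    tun_dev="${1:-tun0}"
    vpn_port="${2:-1194}"
    cat <<EOF
set firewall.vpn=zone
set firewall.vpn.name='vpn'
set firewall.vpn.device='${tun_dev}'
set firewall.vpn.input='ACCEPT'
set firewall.vpn.output='ACCEPT'
set firewall.vpn.forward='REJECT'
set firewall.vpn_to_lan=forwarding
set firewall.vpn_to_lan.src='vpn'
set firewall.vpn_to_lan.dest='lan'
set firewall.lan_to_vpn=forwarding
set firewall.lan_to_vpn.src='lan'
set firewall.lan_to_vpn.dest='vpn'
set firewall.@zone[0].masq='1'
set firewall.allow_openvpn=rule
set firewall.allow_openvpn.name='Allow-OpenVPN'
set firewall.allow_openvpn.src='lan'
set firewall.allow_openvpn.proto='udp'
set firewall.allow_openvpn.dest_port='${vpn_port}'
set firewall.allow_openvpn.target='ACCEPT'
EOF
}

# Number of uci statements the batch contains (handy for a sanity check).
vpn_zone_batch_lines() {
    vpn_zone_batch "$@" | grep -c '^set firewall'
}

# Apply on the router: pipe the batch into uci, commit, reload the firewall.
# On a machine without uci (e.g. reviewing on a laptop) just print the batch.
apply_vpn_zone() {
    if ! command -v uci >/dev/null 2>&1; then
        echo "uci not found; printing batch instead of applying it" >&2
        vpn_zone_batch "$@"
        return 0
    fi
    vpn_zone_batch "$@" | uci batch \
        && uci commit firewall \
        && /etc/init.d/firewall restart
}
```

Usage on the DGN3500: `apply_vpn_zone tun0 1194`. Note that the posted firewall defaults and the lan zone already have input, output and forward set to ACCEPT, so creating the zone by itself changes nothing about what is allowed; the value is in having tun0 in a zone whose forward default is REJECT, with only the explicit vpn/lan forwardings permitted, and in the masquerade on lan. The Allow-OpenVPN rule is only needed once lan input is tightened from ACCEPT.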