Openvpn on wifi, no-vpn on lan

Hi

I hope someone can help me here, I'll be as concrete as possible.

Goal:
Use openwrt to create a vpn tunnel using openvpn and nordvpn.
Have 1 wifi network connect to internet through the vpn tunnel.
Have lan connect to internet using wan directly (no-vpn).

What I tried:
I followed the guide and although I hit a few bumps I finally got it working.
(Restart openvpn if you make changes in network and interface. Get the username list correctly into the conf file)
It will route all traffic through the vpn.

I then tried to put the lan zone back to the wan interface, so that my normal lan traffic would route out through wan. It worked too.

I then created a new wifi network, and put it in the same group as the vpn tunnel. But then I don't receive a DHCP address on the device.
If I add the lan interface to here, I get an address but then my traffic is routed out normally to wan.

Is there a way?
I only use the configuration website if possible.

The magic word is PBR (Policy Based Routing)

If it is just one interface you can use netifd; if you have some more wishes you can install the full PBR package.

See:
https://openwrt.org/docs/guide-user/network/routing/pbr

For the full package:

Make sure to disable default OpenVPN routing by adding to the OpenVPN config:

pull-filter ignore "redirect-gateway ipv6"
pull-filter ignore "redirect-gateway"

Also set up an interface for the NordVPN device.

For a simple netifd solution:

config route
	option interface 'nordvpn_iface'
	option table '102'
	option target '0.0.0.0/0'

config rule
	# for ip source:
	option src '192.168.3.0/24'
	# for interface
	#option in 'lan'
	option lookup '102'
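
Putting the netifd snippet above together into the setup the question asks for (one SSID always through the tunnel, lan straight out via wan), as an added example that is not egc's config or the OpenWrt docs' own. It assumes the tunnel interface is named 'nordvpn_iface' as in the snippet, gives the VPN SSID its own interface 'vpnwifi' with a DHCP pool (a wifi-iface attached to the tunnel's unmanaged interface has no address and no DHCP, which is why no lease was handed out), and adds an unreachable fallback route of my own so the subnet drops instead of leaking out via wan when the tunnel is down.

```uci
# /etc/config/network: dedicated interface for the VPN SSID (constructed example)
config interface 'vpnwifi'
	option proto 'static'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'

# default route for the VPN table, bound to the tunnel interface
config route
	option interface 'nordvpn_iface'
	option target '0.0.0.0/0'
	option table '102'

# fallback (my addition): when the tunnel is down this route is the only one
# left in table 102, so VPN-wifi traffic is rejected rather than routed via wan
config route
	option interface 'vpnwifi'
	option target '0.0.0.0/0'
	option table '102'
	option type 'unreachable'
	option metric '1000'

# send everything from the VPN-wifi subnet through table 102
config rule
	option src '192.168.3.0/24'
	option lookup '102'

# /etc/config/dhcp: hand out addresses on the VPN SSID (default pool)
config dhcp 'vpnwifi'
	option interface 'vpnwifi'

# /etc/config/firewall: NAT out of the tunnel, and only let vpnwifi forward into it
config zone
	option name 'vpn'
	list network 'nordvpn_iface'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config zone
	option name 'vpnwifi'
	list network 'vpnwifi'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option src 'vpnwifi'
	option dest 'vpn'
```

The wifi-iface for the VPN SSID in /etc/config/wireless must carry `option network 'vpnwifi'`; after `/etc/init.d/network restart` and `/etc/init.d/firewall restart`, `ip rule` and `ip route show table 102` show whether the rule and both routes are in place.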

Oh sweet, I'll enjoy looking into the magical documentation, I'll update here if I make my wish come through :dizzy::crossed_fingers:

I did read about another package that might be able to do some magical stuff with routing, but I lost that post in my search.

Step one
Upgrade openwrt to 23+


Hi

  1. I managed to upgrade OpenWRT to version 23+
  2. Used the guide and set up NORDVPN again, worked fine.
  3. In interfaces I have "ifVPN" with setup from the guide, unmanaged, and device "tun0". DHCP server->general and "ignore interface" is checked.
  4. Added below 2 lines to the OVPN config file
    pull-filter ignore "redirect-gateway ipv6"
    pull-filter ignore "redirect-gateway"
  5. install pbr + luci-app-pbr from system->software
  6. Added a new policy in PBR name VPN, remote address "myip.com" interface "ifVPN" with "all" in protocol and "prerouting" in chain.
  7. In firewall zones I added a new zone named "vpnzone" with input accept, output accept, forward accept
    "lan -> wan + vpnzone" accept, accept, accept
    "wan ->reject" with input reject, output accept, forward reject + masquerading
    "vpnzone -> reject" with input reject, output accept, forward reject + masquerading + MSS clamping + covered networks choose the vpn interface

I did struggle a bit with getting it to work, sometimes it seems my DNS fails, sometimes if I disable a PBR policy, (and turn the service off) it's as if it's still there.
But finally I got it working, with the settings 99% as above (Might have forgotten some)

Trick for me (goal), all traffic is normally sent to wan, but specific remote destinations are routed through the VPN connection. All I have to do is add the remote locations, or a specific local IP.
It will be able to work for me, but requires a little more manual work.
The deluxe solution for me would have been having an entire wifi routed through the VPN, so if you connect to "VPN" wifi, you're always in the VPN network, but if you join normal wifi, you're just on wan.

egc, thank you for pointing me in a good direction! :slight_smile: