OpenVPN on wifi only and not LAN - possible?

trendy · April 19, 2020, 9:04am

Both lan and lan2 interfaces are not assigned to lan zone at all. Restart the firewall manually and check at the beginning for errors preventing that.
service firewall restart

andyp · April 19, 2020, 9:22am

Thank you for your help........

root@OpenWrt:~# service firewall restart
Warning: Unable to locate ipset utility, disabling ipset support
Warning: Section @zone[0] (lan) cannot resolve device of network 'lan lan2'
Warning: Section @zone[0] (lan) has no device, network, subnet or extra options
 * Flushing IPv4 filter table
 * Flushing IPv4 nat table
 * Flushing IPv4 mangle table
 * Flushing IPv6 filter table
 * Flushing IPv6 mangle table
 * Flushing conntrack table ...
 * Populating IPv4 filter table
   * Rule 'Allow-DHCP-Renew'
   * Rule 'Allow-Ping'
   * Rule 'Allow-IGMP'
   * Rule 'Allow-IPSec-ESP'
   * Rule 'Allow-ISAKMP'
   * Forward 'lan' -> 'wan'
   * Zone 'lan'
   * Zone 'wan'
 * Populating IPv4 nat table
   * Zone 'lan'
   * Zone 'wan'
 * Populating IPv4 mangle table
   * Zone 'lan'
   * Zone 'wan'
 * Populating IPv6 filter table
   * Rule 'Allow-DHCPv6'
   * Rule 'Allow-MLD'
   * Rule 'Allow-ICMPv6-Input'
   * Rule 'Allow-ICMPv6-Forward'
   * Rule 'Allow-IPSec-ESP'
   * Rule 'Allow-ISAKMP'
   * Forward 'lan' -> 'wan'
   * Zone 'lan'
   * Zone 'wan'
 * Populating IPv6 mangle table
   * Zone 'lan'
   * Zone 'wan'
 * Set tcp_ecn to off
 * Set tcp_syncookies to on
 * Set tcp_window_scaling to on
 * Running script '/etc/firewall.user'
root@OpenWrt:~#

trendy · April 19, 2020, 10:47am

Does it work like this?

config zone
        option name 'lan'
        list network 'lan'
        list network 'lan2'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

andyp · April 19, 2020, 11:19am

Thank you! All working perfectly!

Configuration backed up

Could I ask, from here, how complicated is it to have the VPN on the WLAN, as well as say 2 LAN ports? And then have the other 2 LAN ports not using the VPN?

trendy · April 19, 2020, 11:53am

You're welcome!

I think the easiest way is from Luci Network-Switch to assign physical ports from VLAN3 (not VPN) to VLAN1 (VPN). You could edit the network config file as well directly, but it is not so obvious which port is which.

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '2 3 0t'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option ports '4 5 0t'

andyp · April 19, 2020, 10:53pm

Thanks - I used Luci Network-Switch to assign physical ports from VLAN3 (not VPN) to VLAN1 (VPN) - works perfectly....

One problem with the setup. I have noticed that both on the wifi (vpn) and lan I get periods of my web browser not being able to go to a website (says 'resolving host...' and then cant reach the webpage) - but ping 1.1.1.1 works and I think (for example) if a youtube video is already playing it keeps going (not 100% sure on that one). This happens every maybe 5 minutes, and lasts for maybe 2-3 minutes each time (quite variable). I don't need to change or reboot anything - if I wait, all becomes normal.

Any thoughts on what I could check / change to trouble shoot that?

And just for more info, if I use my original configuration (VPN on both WLAN and LAN) I dont see this issue at all.

andyp · April 20, 2020, 1:19am

I added 1.1.1.1 as a DNS server, and all now seems good and stable - thank you again!

system · April 30, 2020, 1:19am

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.