I have configured my OpenWrt to connect to my PureVPN account - all looks good and it says it is connected. However when I check my IP I still see my original IP.
I am connecting to the OpenWrt router via my local wifi, and that router is plugged into my isp router, the lan option type is set to "bridged".
I guess I need to make the PureVPN known to the LAN? Any ideas?
You have both isp router and HH5A running dhcp servers.
PureVPN interface is not assigned to any firewall zone.
Pure_fw zone has no forwarding from lan.
The first problem is the most important to fix, otherwise the lan hosts might get dhcp settings from the isp router dhcp server and bypass the OpenWrt and the vpn.
Thanks, I have followed the guide in the PDF. After adding the vpn interface and configuring the lan and wan per the guide I have plugged the red hh5 wan with a network cable going to a spare ethernet socket on the main router. When I go to System -> Software -> Update Lists it seems I have a connection as downloads complete.
However, when connecting to the HH5 from my network via wireless I can't browse the web and I can't ping google.com. The wlan interface is associated with the LAN so I presume that the firewall rules apply by default?
{
"kernel": "4.14.209",
"hostname": "OpenWrt",
"system": "xRX200 rev 1.2",
"model": "BT Home Hub 5A",
"board_name": "bt,homehub-v5a",
"release": {
"distribution": "OpenWrt",
"version": "19.07.5",
"revision": "r11257-5090152ae3",
"target": "lantiq/xrx200",
"description": "OpenWrt 19.07.5 r11257-5090152ae3"
}
}
package network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix '****'
config atm-bridge 'atm'
option vpi '1'
option vci '32'
option encaps 'llc'
option payload 'bridged'
option nameprefix 'dsl'
config dsl 'dsl'
option annex 'a'
option tone 'av'
option ds_snr_offset '0'
config interface 'lan'
option type 'bridge'
option ifname 'eth0.1'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
list dns '8.8.8.8'
list dns '8.8.4.4'
config device 'lan_eth0_1_dev'
option name 'eth0.1'
option macaddr '****'
config device 'wan_dsl0_dev'
option name 'dsl0'
option macaddr '****'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '0 1 2 4 6t'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '5 6t'
config interface 'WAN'
option proto 'static'
option gateway '192.168.0.1'
option ipaddr '192.168.0.200'
list dns '8.8.8.8'
list dns '8.8.4.4'
option ifname 'eth0.2'
option netmask '255.255.255.0'
option type 'bridge'
config interface 'pure_vpn'
option ifname 'tun0'
option proto 'none'
option type 'bridge'
package wireless
config wifi-device 'radio0'
option type 'mac80211'
option channel '36'
option hwmode '11a'
option path 'pci0000:01/0000:01:00.0/0000:02:00.0'
option htmode 'VHT80'
option cell_density '0'
config wifi-iface 'default_radio0'
option device 'radio0'
option mode 'ap'
option ssid 'OpenWrt'
option encryption 'psk2'
option key '****'
option wpa_disable_eapol_key_retries '1'
option network 'lan'
config wifi-device 'radio1'
option type 'mac80211'
option channel '11'
option hwmode '11g'
option path 'pci0000:00/0000:00:0e.0'
option htmode 'HT20'
option cell_density '0'
option disabled '1'
config wifi-iface 'default_radio1'
option device 'radio1'
option mode 'ap'
option ssid 'OpenWrt'
option encryption 'psk2'
option key '****'
option wpa_disable_eapol_key_retries '1'
option disabled '1'
package dhcp
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.auto'
option nonwildcard '1'
option localservice '1'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv6 'server'
option ra 'server'
option ra_management '1'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
package firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'wan wan6'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
config zone
option network 'pure_vpn'
option name 'vpn_zone'
option mtu_fix '1'
option input 'REJECT'
option forward 'REJECT'
option masq '1'
option output 'ACCEPT'
config forwarding
option dest 'vpn_zone'
option src 'lan'
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.
# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
5: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
valid_lft forever preferred_lft forever
19: br-WAN: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
inet 192.168.0.200/24 brd 192.168.0.255 scope global br-WAN
valid_lft forever preferred_lft forever
default via 192.168.0.1 dev br-WAN
192.168.0.0/24 dev br-WAN scope link src 192.168.0.200
192.168.1.0/24 dev br-lan scope link src 192.168.1.1
broadcast 127.0.0.0 dev lo table local scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local scope host src 127.0.0.1
local 127.0.0.1 dev lo table local scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link src 127.0.0.1
broadcast 192.168.0.0 dev br-WAN table local scope link src 192.168.0.200
local 192.168.0.200 dev br-WAN table local scope host src 192.168.0.200
broadcast 192.168.0.255 dev br-WAN table local scope link src 192.168.0.200
broadcast 192.168.1.0 dev br-lan table local scope link src 192.168.1.1
local 192.168.1.1 dev br-lan table local scope host src 192.168.1.1
broadcast 192.168.1.255 dev br-lan table local scope link src 192.168.1.1
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
ls: /tmp/resolv.*/*: No such file or directory
If you use Windows, what does ping 8.8.8.8 ( and tracert 8.8.8.8 ) return over ethernet (and wifi) as suggested on page 24 of the guide when diagnosing connectivity issues?
You appear to have ticked the 'Bridge interfaces' check box when you created the 'tun0' interface. See 'Physical interfaces' tab for 'tun0' interface in LuCI.
Try unticking it to see if it resolves the ping issue as shown above?
Did you reset the HH5A before following the guide?
I've removed the error above, so now I only have the interface selected as tun0 for the vpn interface. bridge interfaces is not checked for any of the 3 options (wan, lan or vpn).
I didn't reset the router prior to install but I was confident I hadn't set anything that might break a new install, or do you highly recommend the reset?
First make sure you can route without any VPN. The main problem with plugging wan into another router is that the LAN IP range has to be different from WAN, or you will not be able to route between them which means no Internet access from the LAN devices.
So if your main router is also 192.168.1.0/24, the same range as OpenWrt's default LAN, you have to change one of them.
Other than that it doesn't matter if you have WAN plugged into another router or connected directly to the Internet. The VPN setup is the same.
Try again by adding a VPN instance for the free provider VPNbook (Ping won't work with VPNbook). I think Zoog and Proton VPN still provide a free service with a monthly allowance which I've used in the past for testing.
Update: I quickly loaded a spare HH5a with 19.07.5. Reset it and followed the tutorial/guide and set it up for VPNbook. LAN IP 192.168.111.1. Static IP on WAN interface, then wired to my main router.
I used the following credentials and US1 server ovpn file downloaded from their website.
vpnbook
23DHa92
vpnbook-us1-udp53.ovpn
Both tutorial/guide and VPNbook are fine (Ping does not work with vpnbook). I can access bbc.co.uk website. It redirects me to a non-UK-region specific page which was to be expected.
I presume you do see 'daemon.notice.openvpn.......Initialization Sequence Completed' in the system log to confirm the VPN connection has been established?
RX: 0 B (0 Pkts.)
TX: 0 B (0 Pkts.)
Error: Network device is not present
The above is normal if the VPN tunnel is down, or misconfigured....
PureVPN also offers 2 different sets of ovpn files. I presume you are using the newer v2 files? The older v1 files require separate certificate files etc which would need to be SCPed to the HH5a, and paths to these files added to the .ovpn file.
Network named "WAN" does not mean the same as "wan." Use lowercase for all network names. This is really confusing because LuCI will upcase them. If you're not using the internal DSL modem you can delete configs relating to DSL. Also wan does not need to be a bridge when it has only the one Ethernet port.
Recommended practice is to directly set list device tun0 in /etc/config/firewall to associate a firewall zone to the VPN tunnel, instead of creating a dummy VPN network.
I don't see any evidence of a tun0 interface, suggesting that OpenVPN did not start up or authenticate properly. Check the logs as @bill888 said you should see a lot of messages from OpenVPN ending with the "Initialization Sequence Completed" one.
Have tried VPNbook and Proton - both services start and say connected but same behaviour as PureVPN - web pages will not load. However I do not see Initialization Sequence Completed in the system log. But I do see:
Tue Mar 30 23:26:38 2021 daemon.notice openvpn(vpnbook)[12051]: Attempting to establish TCP connection with [AF_INET]192.99.37.222:80 [nonblock]
Tue Mar 30 23:26:39 2021 daemon.notice openvpn(vpnbook)[12051]: TCP connection established with [AF_INET]192.99.37.222:80
Initially I followed a post on PureVPN showing how to manually configure a connection without the config file; I manually created the user pass, cert etc. via vim and terminal. I also tried with the config file downloaded from PureVPN, neither worked.
When I am connected to a VPN I am still seeing: Error: Network device is not present
That would suggest mis-configuration? But there are only 6 possible settings for this interface:
Protocol: unmanaged
Bring up on boot: checked
Use builtin IPv6-management: checked
Force link: not checked
Bridge interfaces: not checked
Interface: tun0
firewall: vpn (the same which is forwarding from LAN per the guide).
I do not know what else I can try, thanks for the help.
OpenVPN directly creates the tun0 interface after it connects to the provider. You do not need to set up a tun0 interface in OpenWrt at all, other than to use option device to make the firewall aware of the tun0 device after it exists.
Post the full log of OpenVPN attempting to connect.
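As an added illustration (my own code, not from this thread or from OpenWrt), here is a small Python lint that reads a pasted `uci export` and flags the points raised above: mixed-case interface names (which UCI treats as different from lowercase ones), a LAN subnet that overlaps the upstream subnet, single-port bridges with no wifi attached, the dummy `proto 'none'` network wrapping `tun0`, and firewall zones naming a network that has no interface section. It assumes the 19.07-style `option ifname` bridge syntax seen in this export and parses it with `shlex`; the rule set is my own reading of the thread, not a check OpenWrt itself performs, and the embedded sample is a trimmed, constructed copy of the config posted above.

```python
"""Lint a pasted OpenWrt 19.07 `uci export` for the misconfigurations discussed in this thread."""
import ipaddress
import shlex

# Constructed sample: a trimmed copy of the network/wireless/firewall export posted above.
SAMPLE_EXPORT = """\
package network
config interface 'lan'
    option type 'bridge'
    option ifname 'eth0.1'
    option proto 'static'
    option ipaddr '192.168.1.1'
    option netmask '255.255.255.0'
config interface 'WAN'
    option proto 'static'
    option gateway '192.168.0.1'
    option ipaddr '192.168.0.200'
    option ifname 'eth0.2'
    option netmask '255.255.255.0'
    option type 'bridge'
config interface 'pure_vpn'
    option ifname 'tun0'
    option proto 'none'
    option type 'bridge'
package wireless
config wifi-iface 'default_radio0'
    option mode 'ap'
    option network 'lan'
package firewall
config zone
    option name 'lan'
    option network 'lan'
config zone
    option name 'wan'
    option masq '1'
    option network 'wan wan6'
config zone
    option network 'pure_vpn'
    option name 'vpn_zone'
    option masq '1'
config forwarding
    option dest 'vpn_zone'
    option src 'lan'
"""


def parse_uci_export(text):
    """Parse `uci export` output into {package: [section, ...]}.

    Each section is a dict holding '.type', '.name' (None for anonymous sections such
    as `config zone`) and its options; repeated `list` entries become Python lists."""
    packages, package, section = {}, None, None
    for raw in text.splitlines():
        words = shlex.split(raw, comments=True)  # handles the single-quoted values
        if not words:
            continue
        if words[0] == "package":
            package = packages.setdefault(words[1], [])
        elif words[0] == "config":
            section = {".type": words[1], ".name": words[2] if len(words) > 2 else None}
            package.append(section)
        elif words[0] == "option":
            section[words[1]] = words[2]
        elif words[0] == "list":
            section.setdefault(words[1], []).append(words[2])
    return packages


def _as_list(value):
    """UCI allows either `option x 'a b'` or repeated `list x`; normalise to a list."""
    return value if isinstance(value, list) else value.split()


def interface_network(iface):
    """Return the IPv4 network of a static interface, or None for anything else."""
    if iface.get("proto") != "static" or "ipaddr" not in iface:
        return None
    mask = iface.get("netmask", "255.255.255.0")
    return ipaddress.ip_network(f"{iface['ipaddr']}/{mask}", strict=False)


def lint(packages):
    """Return human-readable findings, in config order, for the problems raised in the thread."""
    findings = []
    ifaces = {s[".name"]: s for s in packages.get("network", []) if s[".type"] == "interface"}
    wifi_nets = set()  # networks that have an enabled wifi-iface attached
    for w in packages.get("wireless", []):
        if w[".type"] == "wifi-iface" and w.get("disabled") != "1":
            wifi_nets.update(_as_list(w.get("network", "")))
    lan_net = interface_network(ifaces.get("lan", {}))
    for name, iface in ifaces.items():
        # UCI section names are case-sensitive; LuCI merely displays them upper-cased.
        if name != name.lower():
            findings.append(f"interface '{name}': use lowercase section names")
        # LAN and the upstream subnet must differ, or nothing routes between them.
        net = interface_network(iface)
        if name != "lan" and lan_net is not None and net is not None and lan_net.overlaps(net):
            findings.append(f"interface '{name}' ({net}) overlaps lan ({lan_net})")
        # A bridge only makes sense with several ports or an attached wifi-iface.
        ports = _as_list(iface.get("ifname", ""))
        if iface.get("type") == "bridge" and len(ports) <= 1 and name not in wifi_nets:
            findings.append(f"interface '{name}': single-port bridge with no wifi attached")
        # A proto 'none' network wrapping a tun/tap device is the "dummy VPN network".
        if iface.get("proto") == "none" and any(p.startswith(("tun", "tap")) for p in ports):
            findings.append(f"interface '{name}': dummy network for {ports[0]}; "
                            "use list device in the firewall zone instead")
    # Zones must name networks that actually exist in /etc/config/network.
    for zone in packages.get("firewall", []):
        if zone[".type"] != "zone":
            continue
        for n in _as_list(zone.get("network", "")):
            if n not in ifaces:
                findings.append(f"zone '{zone.get('name')}': network '{n}' has no interface section")
    return findings


if __name__ == "__main__":
    for finding in lint(parse_uci_export(SAMPLE_EXPORT)):
        print(finding)
```

Run against the posted config it reports the mixed-case `WAN` name, the single-port bridges on `WAN` and `pure_vpn`, the dummy `tun0` network, and that the `wan` zone's `wan`/`wan6` networks have no matching interface section. The corrected shape, as the thread recommends, is to drop the `pure_vpn` interface and give the zone `list device 'tun0'` alongside `option masq '1'` and `option mtu_fix '1'`, keeping the existing `config forwarding` from `lan`.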
Sorry, the interface names are lowercase (just checked) in /etc/config/network. As you said - they appear uppercase when viewing the interface list though.