First time setting up OpenVPN in CLI and with little OpenWRT experience. Overall it's nice, but I've been bashing my head against this for hours and it's time to ask for some help.
| Device | IP | Function |
|---|---|---|
| Edge Router (Tomato) | 192.168.1.1 | Internet Gateway, DHCP Server |
| Interior router (OpenWRT 23.05.5 r24106 as Bridged AP over Ethernet) | 192.168.1.248 | Switch (firewall, odhcpd, dnsmasq are all disabled) |
| OpenVPN server on Interior router (standard CLI config) | 192.168.9.1 | |
The edge router has no known issues, and is set as gateway and DNS server for all devices on the LAN.
The OpenWRT router was first configured per the Bridged Ethernet guide, next OpenVPN was set up per the basic server guide - aside from omitting the firewall section as that service is disabled.
Connecting to the VPN from LAN worked, but the clients could not ping WAN hosts or resolve DNS.
WAN access for the VPN clients is working after adding NAT rules (provided by Copilot, is there a better solution?):
```shell
# Create a plain nat table with a postrouting chain, then masquerade
# everything from the VPN subnet that leaves through the LAN bridge
nft add table ip nat
nft add chain ip nat postrouting { type nat hook postrouting priority 100 \; }
nft add rule ip nat postrouting oifname "br-lan" ip saddr 192.168.9.0/24 counter masquerade
```
So the major remaining problem, is that although the VPN port is forwarded on the edge router, I cannot reach it from the WAN.
Other small things I'd like to get working:
DNS will not resolve if set to the edge router's address. VPN clients can ping that, but there is no response to their DNS queries. I could only get it working by using an Internet IP in /etc/openvpn/server.conf.
DHCP does not work as expected. I wanted the VPN client IPs set by the edge router in the default range, but when I set the .conf's server parameter to an address in the same subnet, the VPN clients can no longer reach the Internet. Not sure what's happening here as the edge router does not log a DHCP request and clients just get the lowest available address, i.e. 192.168.1.2.
Client credentials - would like to require login & password + certificate. Didn't bother looking this up yet for obvious reasons but if someone has a decent guide let me know.
Does luci-app-openvpn actually work for servers? I only found instructions for setting up as a client, and while it has options to create/manage a server none of the actions I tried had any visible effect.
server.conf
```
user nobody
group nogroup
dev tun
port 1194
proto udp
server 192.168.9.0 255.255.255.0
topology subnet
client-to-client
keepalive 10 60
persist-tun
persist-key
push "dhcp-option DNS 192.168.1.1"
push "dhcp-option DOMAIN deedoo.waa.net"
push "redirect-gateway def1"
push "persist-tun"
push "persist-key"
<dh>
X
</dh>
<tls-crypt-v2>
X
</tls-crypt-v2>
<key>
X
</key>
<cert>
X
</cert>
<ca>
X
</ca>
```
Solved the major issue (can't connect from WAN) - in short, was still somehow connected to the LAN while testing. So while this may mean there's a loopback issue somewhere, this just leaves the small issues to solve if anyone can help.
Do you have a public IP address on your edge router, i.e. an address starting with anything other than 10, 192.168, 172.16-32, 100.64-127?
When in doubt show the first two octets of your WAN address e.g. XXX.YYY
Delete the NAT rules, the proper way is to set a static route on the tomato main router to route 192.168.9.0/24 to 192.168.1.248
The TUN OpenVPN is a routed solution so the subnet of server, client and OpenVPN all need to be different!
So your OpenVPN clients have their own subnet, which should be different from 192.168.1.0/24 (as it is possible that your OpenVPN clients use this very frequently used subnet, it is not recommended for your router), and the OpenVPN clients have their separate OpenVPN address 192.168.9.x, which is given to them by the OpenVPN server.
So you should always test from outside with your phone/laptop on cellular!
Check if you do that that your IP address of your phone is not 192.168.1.X!
The OpenVPN server should push either a default gateway to the OpenVPN client e.g. push "redirect-gateway def1" or a route to let the OpenVPN client connect to the OpenVPN server e.g.: push "route 192.168.1.0 255.255.255.0 vpn_gateway"
You can push the Tomato as DNS server to the clients (or any other DNS server you wish): push "dhcp-option DNS 192.168.1.1", but the Tomato should be able to deal with requests from 192.168.9.0/24; usually this is the case.
I tried it once and ran away, just upload your config and edit the config.
Make sure I disable my hotspot's own WiFi when testing (which prevented connecting through the public IP as the test device was still local)
Leave the VPN as as a separate subnet.
I don't control the edge router on the network this is destined for, so for now I'll keep the NAT rule, rather than trying to muddle through route creation on unfamiliar hardware on a deadline.
The last hurdle will probably be the DDNS client - at some point I took a break from the OpenVPN settings as I thought it would be easy to set up, but it was also a fight (and then I wiped the router and started over). I had the actual update working, but the Luci module didn't seem to work right and the wiki guides were very long, for what could be done with a one-line wget.
I will read up on what you said about the gateway as I don't quite follow. And thank you for the suggestion about WireGuard, I was under the impression that was a paid VPN service so I hadn't considered it.
Tomato is obviously more limited, but it's impressive how much simpler it was to set up the prototype router that this OpenWRT one will replace. It's doing all of the things I mentioned without leaving the GUI.
I know Tomato, but changed to DDWRT long ago for my Broadcom routers and I can understand you find that, although limited, is easier to setup regarding OpenVPN.
NordVPN does not support WireGuard on the router (at least not the easy way), that is why it is not on my recommended list.
Most VPN providers do support WireGuard on the router; it is three times faster than OpenVPN and much easier to set up, so if your subscription ends, look for a VPN provider which supports WireGuard on the router.
You don't need to poke rules directly into the kernel table since this is part of OpenWrt's firewall abstraction. Re-enable the firewall and set up masquerade from vpn to lan. This is done by setting masq on the destination zone (lan), building a new zone for the vpn (use list device tun0 to put the OpenVPN tunnel into the zone), and an allow forward rule from vpn to lan.
The instructions for bridged AP are a bit draconian in simply disabling services that are actually useful when you want to expand the device's role beyond a bridged AP.
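The zone layout that reply describes, written out as an added example of the `/etc/config/firewall` stanzas it would take, instead of the raw nft commands earlier in the thread. This is an illustration added here, not the poster's or the OpenWrt project's own config. Assumptions: the new zone is named `vpn`, the tunnel device is `tun0` (OpenVPN's default for the first `dev tun`), and the existing `lan` zone already covers `br-lan` on 192.168.1.248.

```uci
# Existing lan zone with masq added: traffic from 192.168.9.0/24 leaves
# br-lan with the router's own 192.168.1.248 address. This is only needed
# because the edge router has no route back to 192.168.9.0/24; with a
# static route on the edge router, masq can be dropped.
config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'

# New zone for the OpenVPN tunnel (assumed name 'vpn'). Matching on the
# device name works because OpenVPN creates tun0 itself; there is no
# UCI network interface to reference.
config zone
	option name 'vpn'
	list device 'tun0'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Let VPN clients reach the LAN and, via the edge router, the Internet.
# No lan -> vpn forwarding is defined, so LAN hosts cannot open
# connections to VPN clients on their own.
config forwarding
	option src 'vpn'
	option dest 'lan'
```

Apply with `service firewall restart` and inspect the generated ruleset with `fw4 print`; the masquerade rule should appear for traffic leaving via `br-lan`. Incoming UDP 1194 arrives from the edge router on `br-lan`, which is in the `lan` zone with `input 'ACCEPT'`, so no separate port rule is needed; if `lan` input is later tightened, add a `config rule` with `option src 'lan'`, `option proto 'udp'`, `option dest_port '1194'` and `option target 'ACCEPT'`.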
The goal was a wired switch + VPN server with minimal resources used. Are you suggesting I start over but forego the AP config guide, and just set a static IP and add the WAN port to br-lan?