I would like to use my Raspberry Pi 4b as a secondary AP from my modem/router and use it as VPN connection to MullvadVPN. My current setup is my Raspberry Pi 4b which is connected directly by Ethernet to my modem/router. I have no external wifi adapter to the Raspberry.
Before opening this post, I reflashed OpenWrt to restart on a clean slate and did the following.
WHAT I DID:
Change the default IP from 192.168.1.1 to 192.168.2.10 so I can access the web interface.
uci set network.lan.ipaddr=192.168.2.10
uci commit
/etc/init.d/network restart
Under Network - Interfaces, I edited the lan interface and set the IPv4 gateway to 192.168.2.1 under General Settings and "Use custom DNS servers" to 8.8.8.8 under Advanced Settings. This allowed me to execute opkg update or else I would get error 6.
I navigated to System - Software and clicked "Update lists..." to get the necessary packages which are mentioned on the Mullvad website.
I have followed the instructions from the Mullvad website for OpenWRT from Install necessary software packages to the end. I did everything except step 5 under Configure the interface and the firewall since I do not see a WLAN interface.
Under Network - Wireless, I edited --- dBm. I set the security to WPA2-PSK (strong security) and a key under Wireless Security. I ticked lan and MULLVAD_VPN under General Setup - Network.
After all of this, the AP gives me my regular connection with the Google DNS since I put it earlier. What do I need to do? Also, here is my config
/etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd2d:a671:09cc::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.2.10'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option gateway '192.168.2.1'
	list dns '8.8.8.8'

config interface 'MULLVAD_VPN'
	option proto 'none'
	option device 'tun0'
	option type 'bridge'

/etc/config/firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'VPN_FW'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'MULLVAD_VPN'

config forwarding
	option dest 'VPN_FW'
	option src 'lan'
The problem with a VPN client on a Dumb AP is that regular LAN clients, and that includes the clients connected to the AP, will just pass the router and will not go through the router and thus will not use the VPN client.
For other clients on your LAN you have to point the gateway to the Dumb AP either by manually changing the gateway on those clients or using DNSMasq to hand out a different gateway (option 3) which can also be done on an individual basis with tagging, or use iptables to redirect traffic.
I have my doubts if this is OK, probably only attach it to the lan:
Note: We have not seen any VPN logs so do not know if it actually connects.
For most advanced setups it is useful to enable MASQUERADING on the LAN interface of the Dumb AP so I would also advise to do so.
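The dumb-AP approach described above (hand out the Pi as gateway with DHCP option 3, optionally per client via tagging, and masquerade on the LAN zone), written out as UCI config. This is an added example, not config from this thread or from Mullvad. It assumes the Pi's dnsmasq, and not the upstream router, serves DHCP on 192.168.2.0/24 (so DHCP has to be disabled on the upstream router), keeps the Pi at 192.168.2.10 as in the posted config, and uses a placeholder MAC address and hostname for the tagged client. Use either the global option 3 in the 'lan' dhcp section or the tag/host pair, not both.

```uci
# /etc/config/dhcp (added example)
# Assumes the Pi serves DHCP for 192.168.2.0/24; 192.168.2.1 is the upstream router.
config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	# DHCP option 3 = default router. Every client is pointed at the Pi
	# (192.168.2.10) instead of the upstream router, so its traffic can
	# be forwarded into the VPN zone.
	list dhcp_option '3,192.168.2.10'
	# DHCP option 6 = DNS server. Keep DNS on the Pi as well so name
	# lookups do not bypass the tunnel.
	list dhcp_option '6,192.168.2.10'

# Per-client variant: only hosts carrying the tag get the Pi as gateway,
# everyone else keeps the upstream router. Remove the global option 3
# above when using this. MAC address and hostname are placeholders.
config tag 'via_vpn'
	list dhcp_option '3,192.168.2.10'
	list dhcp_option '6,192.168.2.10'

config host
	option name 'PLACEHOLDER_HOSTNAME'
	option mac '00:11:22:33:44:55'
	option ip '192.168.2.50'
	option tag 'via_vpn'

# /etc/config/firewall (replace the existing 'lan' zone with this one)
# masq '1' on the LAN zone of the dumb AP, as advised above: traffic the
# Pi forwards to the upstream router then carries the Pi's own address,
# so replies come back to the Pi instead of being sent straight to the
# client and confusing the upstream router.
config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
```

After editing, run /etc/init.d/dnsmasq restart and /etc/init.d/firewall restart, then renew the lease on a client and check that ip route (or route print on Windows) shows 192.168.2.10 as its default gateway; a client that still shows 192.168.2.1 is still getting its lease from the upstream router.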
I have followed the instructions for the Dumb AP. I now have a Guest_Wifi, but I cannot load any page when the VPN is enabled, but it does when disabled (regular connection).
I am not experienced with what information I should provide to you / where to find them. I have included some screenshots, but do not hesitate to guide me if you want more information.
I will have a look later but one thing I noticed: the guest firewall zone has to allow forwarding not only to the LAN zone (unless you are looking to implement a kill switch) but also allow forwarding to the VPN_FW
Please connect to your OpenWRT device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/firewall
ip route show
for ovpn in $(ls /etc/openvpn/*.ovpn);do echo $ovpn; cat $ovpn; echo;done
logread | grep openvpn
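The guest-zone point made above (the guest zone must be allowed to forward to VPN_FW, and to the LAN zone unless a kill switch is wanted), as an added firewall fragment that is not the thread's own config. It assumes a 'guest' network interface on its own subnet whose DHCP and DNS are served by the Pi, and the VPN_FW zone from the firewall config posted earlier.

```uci
# /etc/config/firewall (fragment, added example)
config zone
	option name 'guest'
	list network 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Guests may talk to the Pi itself only for DNS and DHCP.
config rule
	option name 'Allow-DNS-Guest'
	option src 'guest'
	option dest_port '53'
	option proto 'tcp udp'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCP-Guest'
	option src 'guest'
	option dest_port '67'
	option proto 'udp'
	option family 'ipv4'
	option target 'ACCEPT'

# Guest traffic is forwarded into the tunnel zone.
config forwarding
	option src 'guest'
	option dest 'VPN_FW'

# Also allow the path through the LAN zone to the upstream router.
# Leave this section out for a kill switch: when the tunnel is down,
# guest traffic then has nowhere to go instead of leaking to the ISP.
config forwarding
	option src 'guest'
	option dest 'lan'
```

With only the guest to VPN_FW forwarding in place, a quick check for the kill switch is to stop the VPN (/etc/init.d/openvpn stop) and confirm from a guest client that nothing loads, then start it again.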
This requires a totally different setup where the ethernet port is set up as WAN.
If this is your end goal then start over and set up the Ethernet port as WAN and the Pi is on its own subnet.
This is actually much easier to set up also for your VPN and it should just work with Mullvad's instructions.
If you are starting over use WireGuard instead of OpenVPN, easier to set up and much faster
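The router-mode layout suggested above (Ethernet port as WAN, built-in Wi-Fi as LAN on its own subnet, WireGuard to Mullvad), as an added example rather than the thread's or Mullvad's own config. Every PLACEHOLDER_ value (WireGuard keys, tunnel address, server host, Wi-Fi key) has to come from the Mullvad WireGuard config file or be chosen by you; the radio name 'radio0', the LAN subnet 192.168.3.0/24 and the use of the default WireGuard port are assumptions.

```uci
# /etc/config/network (added example)
config interface 'wan'
	option device 'eth0'
	option proto 'dhcp'

config device
	option name 'br-lan'
	option type 'bridge'

# The Pi's own subnet; the wireless AP is attached to it in the wireless config.
config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'

config interface 'mullvad'
	option proto 'wireguard'
	option private_key 'PLACEHOLDER_PRIVATE_KEY'
	list addresses 'PLACEHOLDER_TUNNEL_IPV4/32'

# Peer section is named wireguard_<interface name>.
config wireguard_mullvad
	option public_key 'PLACEHOLDER_SERVER_PUBLIC_KEY'
	option endpoint_host 'PLACEHOLDER_SERVER_HOST'
	option endpoint_port '51820'
	option persistent_keepalive '25'
	# Install routes for allowed_ips, i.e. send everything into the tunnel.
	option route_allowed_ips '1'
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::/0'

# /etc/config/wireless (fragment): built-in Wi-Fi as the LAN access point
config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'PLACEHOLDER_SSID'
	option encryption 'psk2'
	option key 'PLACEHOLDER_WIFI_KEY'

# /etc/config/firewall
config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config zone
	option name 'vpn'
	list network 'mullvad'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

# lan -> vpn only. There is deliberately no lan -> wan forwarding, so the
# tunnel is the only way out for Wi-Fi clients (kill switch).
config forwarding
	option src 'lan'
	option dest 'vpn'
```

Only the Pi itself (zone output, used for the WireGuard handshake) can reach the WAN directly; clients behind it cannot leave through the ISP when the tunnel is down. To keep DNS off the ISP's resolver as well, set option peerdns '0' on the wan interface and give the lan clients the DNS address from the Mullvad config with list dns. Check with wg show (handshake time should be recent) and logread -e mullvad after /etc/init.d/network restart.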
I should have expressed myself better earlier, but yes it is indeed what I want to accomplish. I will reflash OpenWrt and follow the instructions for Wireshark.
How do I achieve this? Is it just by following the Mullvad instructions as you mentioned? Because for OpenVPN I did not mention how and just assumed you had it.
I want the WAN to be the Ethernet port for now and use the built-in Wifi as the AP. In the future, I plan to replace the Ethernet port as the WAN with a Wifi antenna to make it mobile once I buy it.
No worries, I really appreciate your help so far! I will do some research and test the built-in wifi while I wait for the antenna. From the video I posted earlier, they use the built-in wifi as their AP and the antenna as their WAN for traveling. So no matter the case, I will use the built-in wifi.
Also, I am almost done with the Wireshark guide for Mullvad
Just completed the WireGuard guide for MullvadVPN. Unfortunately, same result. My connection is not going through the VPN. I imagine it has to do with how I set up my interfaces with the Ethernet port and built-in wifi. I am having trouble understanding which I should put for which interface.
Hi again, I have changed my mind for the WAN setup. I will use the Ethernet port as the WAN because of its faster speed and the built-in wifi as LAN. I can reflash OpenWrt from zero if necessary.
I just succeeded with the Ethernet as WAN and Wifi as LAN. I am so proud right now. It was so complicated at first, but now I am starting to understand more. Thanks a lot for your help! I have made a backup of the config so that when I decide to switch to the antenna, I will not lose this config.