OpenVPN with Mullvad on Raspberry Pi 4b

Hi,

I would like to use my Raspberry Pi 4b as a secondary AP from my modem/router and use it as a VPN connection to MullvadVPN. My current setup is my Raspberry Pi 4b, which is connected directly by Ethernet to my modem/router. I have no external wifi adapter for the Raspberry.

Before opening this post, I reflashed OpenWrt to restart on a clean slate and did the following.

WHAT I DID:

  1. Change the default IP from 192.168.1.1 to 192.168.2.10 so I can access the web interface.
uci set network.lan.ipaddr=192.168.2.10
uci commit
/etc/init.d/network restart
  2. Under Network - Interfaces, I edited the lan interface and set the IPv4 gateway to 192.168.2.1 under General Settings and "Use custom DNS servers" to 8.8.8.8 under Advanced Settings. This allowed me to execute opkg update; otherwise I would get error 6.

  3. I navigated to System - Software and clicked "Update lists..." to get the necessary packages which are mentioned on the Mullvad website.

  4. I have followed the instructions from the Mullvad website for OpenWRT from "Install necessary software packages" to the end. I did everything except step 5 under "Configure the interface and the firewall", since I do not see a WLAN interface.

  5. Under Network - Wireless, I edited --- dBm. I set the security to WPA2-PSK (strong security) and a key under Wireless Security. I ticked lan and MULLVAD_VPN under General Setup - Network.

After all of this, the AP gives me my regular connection with the Google DNS, since I put it in earlier. What do I need to do? Also, here is my config:

/etc/config/network
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd2d:a671:09cc::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.2.10'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option gateway '192.168.2.1'
	list dns '8.8.8.8'

config interface 'MULLVAD_VPN'
	option proto 'none'
	option device 'tun0'
	option type 'bridge'

/etc/config/firewall
config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'VPN_FW'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'MULLVAD_VPN'

config forwarding
	option dest 'VPN_FW'
	option src 'lan'

It looks like you are setting your Pi up as a Dumb AP:
https://openwrt.org/docs/guide-user/network/wifi/dumbap
Check your settings against this, but it looks OK.

The problem with a VPN client on a Dumb AP is that regular LAN clients, and that includes the clients connected to the AP, will just go through the main router and not through the Dumb AP, and thus will not use the VPN client.

The easiest solution is to make a guest Wi-Fi on the Dumb AP. As a guest Wi-Fi is not bridged to the LAN, traffic from that guest Wi-Fi will go through the Dumb AP and thus will be using the VPN.
See: https://openwrt.org/docs/guide-user/network/wifi/guestwifi/guestwifi_dumbap

For other clients on your LAN you have to point the gateway to the Dumb AP either by manually changing the gateway on those clients or using DNSMasq to hand out a different gateway (option 3) which can also be done on an individual basis with tagging, or use iptables to redirect traffic.

I have my doubts if this is OK, probably only attach it to the lan:

Note

  1. We have not seen any VPN logs so do not know if it actually connects
  2. For most advanced setups it is useful to enable MASQUERADING on the LAN interface of the Dumb AP so I would also advise to do so.

I have followed the instructions for the Dumb AP. I now have a Guest_Wifi, but I cannot load any page when the VPN is enabled, while it does load when the VPN is disabled (regular connection).

I am not experienced with what information I should provide to you / where to find it. I have included some screenshots, but do not hesitate to guide me if you want more information.



Also, just to be sure, I want to achieve something like this, where instead of a wifi antenna, I use the Ethernet port and connect to MullvadVPN:
my SUPER secure Raspberry Pi Router (wifi VPN travel router)
How to set up Express VPN using OpenVPN inside OpenWRT running on a Raspberry Pi?

I will have a look later, but one thing I noticed: the guest firewall zone has to allow forwarding not only to the LAN zone (unless you are looking to implement a kill switch) but also to the VPN_FW zone.
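To make the two firewall points above concrete (the guest zone must forward to VPN_FW, and whether it also forwards to wan decides if there is a kill switch), here is an added example that is not from the thread, OpenWrt or Mullvad: a POSIX shell script that reads a UCI firewall file, lists its forwardings and reports whether a guest zone reaches the VPN zone and nowhere else. The zone names guest and VPN_FW are assumptions (the guest-Wi-Fi guide's default and the poster's zone name), and the embedded sample config is constructed from the zones in this thread.

```shell
#!/bin/sh
# Added example (not from the thread): check a UCI firewall file for the forwardings a
# VPN-only guest zone needs. Zone names 'guest' and 'VPN_FW' are assumptions.

# Print "src dest" for every 'config forwarding' stanza in a UCI firewall file.
list_forwardings() {
    tr -d "'" < "$1" | awk '
        function flush() {
            if (in_fwd && src != "" && dest != "") print src, dest
            in_fwd = 0; src = ""; dest = ""
        }
        $1 == "config" { flush(); if ($2 == "forwarding") in_fwd = 1; next }
        in_fwd && $1 == "option" && $2 == "src"  { src = $3 }
        in_fwd && $1 == "option" && $2 == "dest" { dest = $3 }
        END { flush() }
    '
}

# zone_forwards_to FILE SRC DEST : exit 0 when a SRC -> DEST forwarding exists.
zone_forwards_to() {
    list_forwardings "$1" | grep -qxF "$2 $3"
}

# check_guest_zone FILE GUEST VPN : the guest zone must forward to the VPN zone and must
# NOT forward to wan, otherwise its clients leave in the clear when the tunnel is down.
# Prints what it found; exits 0 when both conditions hold, 1 otherwise.
check_guest_zone() {
    file=$1; guest=$2; vpn=$3; rc=0
    if zone_forwards_to "$file" "$guest" "$vpn"; then
        echo "$guest -> $vpn: present"
    else
        echo "$guest -> $vpn: MISSING, guest clients have no way out through the tunnel"
        rc=1
    fi
    if zone_forwards_to "$file" "$guest" wan; then
        echo "$guest -> wan: present, traffic can bypass the VPN (no kill switch)"
        rc=1
    else
        echo "$guest -> wan: absent, guests lose internet when the tunnel is down (kill switch)"
    fi
    return $rc
}

# Print the uci commands that add a SRC -> DEST forwarding (to be run on the router).
uci_add_forwarding() {
    cat <<EOF
uci add firewall forwarding
uci set firewall.@forwarding[-1].src='$1'
uci set firewall.@forwarding[-1].dest='$2'
uci commit firewall
/etc/init.d/firewall restart
EOF
}

# Constructed sample: the thread's zones plus a guest zone, with only lan -> VPN_FW forwarded.
write_sample_firewall() {
    cat > "$1" <<'EOF'
config zone
    option name 'lan'
    list network 'lan'
    option forward 'ACCEPT'

config zone
    option name 'guest'
    list network 'guest'
    option forward 'REJECT'

config zone
    option name 'VPN_FW'
    option network 'MULLVAD_VPN'
    option masq '1'

config forwarding
    option dest 'VPN_FW'
    option src 'lan'
EOF
}

# Stand-alone demo on the sample. On the router: check_guest_zone /etc/config/firewall guest VPN_FW
demo() {
    f=$(mktemp)
    write_sample_firewall "$f"
    check_guest_zone "$f" guest VPN_FW || uci_add_forwarding guest VPN_FW
    rm -f "$f"
}
demo
```

On the sample the check reports the guest -> VPN_FW forwarding as missing and prints the uci commands that add it; the same call against /etc/config/firewall on the Pi tells you which of the two conditions your real config fails.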

Please connect to your OpenWRT device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:

Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/firewall
ip route show
for ovpn in /etc/openvpn/*.ovpn; do echo "$ovpn"; cat "$ovpn"; echo; done
logread | grep openvpn
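Of the outputs requested above, ip route show is the one that answers "is my traffic going through the VPN?" directly. As an added example, not from the thread or from any OpenWrt or Mullvad material, the POSIX shell script below reads ip route show text and decides whether catch-all traffic leaves via the tunnel interface. It looks at the default route and at the 0.0.0.0/1 and 128.0.0.0/1 routes that OpenVPN's redirect-gateway def1 installs (those two shadow any remaining default route). The interface names tun0 and wg0 and every address in the samples are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): decide from `ip route show` output whether
# catch-all traffic leaves through the VPN interface. All sample addresses are constructed.

# Print "<prefix> <dev>" for the routes that decide where unmatched traffic goes: the default
# route and the two /1 halves that OpenVPN's redirect-gateway def1 installs.
catch_all_routes() {
    awk '$1 == "default" || $1 == "0.0.0.0/1" || $1 == "128.0.0.0/1" {
        for (i = 2; i < NF; i++) if ($i == "dev") print $1, $(i + 1)
    }'
}

# vpn_egress VPNDEV : reads `ip route show` text on stdin. Exit 0 when catch-all traffic
# leaves via VPNDEV (the default route itself, or both /1 halves, which shadow any remaining
# default route); exit 1 when it still leaves via another device. Only the first default
# route listed is considered.
vpn_egress() {
    vpn=$1
    routes=$(catch_all_routes)
    def=$(printf '%s\n' "$routes" | awk '$1 == "default" { print $2; exit }')
    lo=$(printf '%s\n' "$routes" | awk '$1 == "0.0.0.0/1" { print $2; exit }')
    hi=$(printf '%s\n' "$routes" | awk '$1 == "128.0.0.0/1" { print $2; exit }')
    if [ "$lo" = "$vpn" ] && [ "$hi" = "$vpn" ]; then
        echo "0.0.0.0/1 and 128.0.0.0/1 via $vpn: tunnel carries everything (default via ${def:-none} is shadowed)"
        return 0
    fi
    if [ "$def" = "$vpn" ]; then
        echo "default route via $vpn: tunnel carries everything"
        return 0
    fi
    echo "catch-all traffic leaves via ${def:-no default route}, not $vpn: VPN is not in use"
    return 1
}

# Constructed `ip route show` samples.
sample_routes_no_tunnel() {   # Dumb-AP state from the thread: only the upstream router
    cat <<'EOF'
default via 192.168.2.1 dev br-lan
192.168.2.0/24 dev br-lan proto kernel scope link src 192.168.2.10
EOF
}
sample_routes_openvpn() {     # OpenVPN up with redirect-gateway def1, Ethernet as WAN
    cat <<'EOF'
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.2.1 dev eth0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.2.0/24 dev eth0 proto kernel scope link src 192.168.2.10
EOF
}
sample_routes_wireguard() {   # WireGuard up with the 0.0.0.0/0 allowed IP routed
    cat <<'EOF'
default dev wg0 proto static scope link
10.100.0.0/24 dev wg0 proto kernel scope link src 10.100.0.2
192.168.2.0/24 dev eth0 proto kernel scope link src 192.168.2.10
EOF
}

# Stand-alone demo. On the router: ip route show | vpn_egress tun0   (or wg0 for WireGuard)
sample_routes_no_tunnel | vpn_egress tun0 || true
sample_routes_openvpn   | vpn_egress tun0 || true
sample_routes_wireguard | vpn_egress wg0  || true
```

The first sample reproduces the Dumb-AP situation from earlier in the thread, where the only default route points at the upstream router, so nothing can be going through the tunnel whatever the OpenVPN log says.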

This requires a totally different setup, where the Ethernet port is set up as WAN.
If this is your end goal, then start over, set up the Ethernet port as WAN, and put the Pi on its own subnet.
This is actually much easier to set up, also for your VPN, and it should just work with Mullvad's instructions.

If you are starting over, use WireGuard instead of OpenVPN: easier to set up and much faster.

I should have expressed myself better earlier, but yes, it is indeed what I want to accomplish. I will reflash OpenWrt and follow the instructions for Wireshark.

How do I achieve this? Is it just by following Mullvad's instructions as you mentioned? Because for OpenVPN I did not mention how and just assumed you had it.

Do you want to use the built-in wifi as WAN or the Ethernet port?

Make sure you know what you want and then set up the Pi accordingly.

Only then proceed with the VPN.

I want the WAN to be the Ethernet port for now and use the built-in wifi as the AP. In the future, I plan to replace the Ethernet port as the WAN with a wifi antenna to make it mobile, once I buy it.

Perhaps buy the Wifi antenna first so that you can set it up at once?

I have heard rumours that the built-in wifi sucks. I am not sure if that is the case for your model too, but better to research it.

Do you know any good wifi antenna that works with OpenWrt?

No, sorry, I do not have a Pi so cannot comment on that :frowning:

No worries, I really appreciate your help so far! I will do some research and test the built-in wifi while I wait for the antenna. From the video I posted earlier, they use the built-in wifi as their AP and the antenna as their WAN for traveling. So no matter the case, I will use the built-in wifi.

Also, I am almost done with the Wireshark guide for Mullvad.

Just completed the WireGuard guide for MullvadVPN. Unfortunately, same result. My connection is not going through the VPN. I imagine it has to do with how I set up my interfaces with the Ethernet port and built-in wifi. I am having trouble understanding which I should put for which interface.

My advice: wait till you have the wifi antenna and then set it up the right way.

Your current setup is totally different, as there is no WAN at all, which complicates the setup.

Ok, I will update this post once I have it. Thanks a lot for your patience and help so far.

Hi again, I have changed my mind about the WAN setup. I will use the Ethernet port as the WAN because of its faster speed, and the built-in wifi as the LAN. I can reflash OpenWrt from zero if necessary.

I just succeeded with the Ethernet as WAN and wifi as LAN. I am so proud right now. It was so complicated at first, but now I am starting to understand more. Thanks a lot for your help! I have made a backup of the config so that when I decide to switch to the antenna, I will not lose this config.


Kudos :slight_smile:
If the Ethernet port is now your WAN, then you should be able to get the VPN going with Mullvad's instructions.

Always making a backup is good practice, so that you can go back to a working solution.