I have 2 VPN accounts running in OpenWrt which I want to make available via 2 different wifi channels (named so it is clear which country is selected). I followed the manual of the VPN provider (Proton), but my requirement/setup is different.
The VPN accounts work and are configured, but I can use some help with the setup: how to forward a connected wifi device to the correct VPN country. (Device is connected to Wifi_US, which needs to be forwarded to the VPN US connection.)
I think I can overcome the service errors, because this device is configured as 192.168.1.253.
But I still need to look into how I can forward a connected wifi device through this particular VPN tunnel.
For the moment I just want to forward any traffic connected to a wifi channel.
My best guess for the moment is that under Interface Configuration, Network some things have to change also...
I think I did the 1st step, SSID -> newly created network vpn_us. No idea how to proceed because I can't find these networks in PBR, but the same also applies to the 2 up-and-running VPN connections.
I also use Proton VPN for one of my VPN providers too.
After setting up the wireguard interface and verifying the handshake, I made a new firewall zone for it and literally mimicked it with the wan zone settings I had and checked both masquerading and mss clamping.
Then, I set up a new network interface (in this case it is my guest network interface) with its own IP subnet. I use pbr and assign the guest network to the Proton VPN interface.
After that, I set up a new SSID for the guest network and VOILA! Magic happens! Any guest that is on my guest network is automatically tunneled thru the Proton VPN.
EDIT: I failed to mention, the guest network has its own firewall zone and I allowed forward to destination zone to WAN and the Proton VPN zones. I set input as reject, allow as accept, and forward as reject. I kept masquerading and mss clamping unchecked.
EDIT2: To secure the network, I added a firewall traffic rule that rejects any attempt to access the router and my modem.
I should mention that I was getting DNS leaks using Proton VPN, so I installed the stubby package and kept its default settings. Stubby works excellent right out of the box and uses Cloudflare's DNS servers.
As far as pbr is concerned, you have to type out the name of the network interface you want on the left, include its full IP subnet in the next field (e.g. 192.168.1.1/24) and then select which gateway you want to assign it to on the right, in which case, choose the name of your wireguard interface.
Everything I mentioned can be done in luci.
Good luck!
EDIT: which reminds me - make sure to uncheck "use default gateway" in the settings of the network interface that you're assigning to the VPN. This can conflict with your route assignment in pbr. YMMV obviously and you won't need to create a firewall traffic rule to prohibit access to your router and modem or install stubby. It is recommended to do a DNS leak test when on a VPN regardless to ensure its security.
PBR uses its own routing tables, so it won't conflict. What you can do is use different metric for the gateway in all interfaces which connect to the internet. Use a low value, e.g 10, for the wan and 20, 30, ... for the VPN interfaces.
After reading all your help, I'm wondering if I missed something while setting this up. My ProtonVPN uses the openvpn package (and I don't have a wireguard interface installed).
100% sure that Proton VPN is working because I did an IP check via the cmdline and my OpenWrt box had a foreign IP. (I did not check any routing at that time.)
I collected some details of my configs:
openwrt 22.03
#/etc/config/network
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd83:****:****::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'wan'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.1.253'
	option gateway '192.168.1.1'
	list dns '192.168.1.1'

config device
	option name 'wan'
	option macaddr '5c:02:14:31:**:**'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option type 'bridge'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config device
	option name 'ztyouu2ouh'
#/etc/config/openvpn
config openvpn 'custom_config'
	option config '/etc/openvpn/my-vpn.conf'

config openvpn 'sample_server'
	option port '1194'
	option proto 'udp'
	option dev 'tun'
	option ca '/etc/openvpn/ca.crt'
	option cert '/etc/openvpn/server.crt'
	option key '/etc/openvpn/server.key'
	option dh '/etc/openvpn/dh2048.pem'
	option server '10.8.0.0 255.255.255.0'
	option ifconfig_pool_persist '/tmp/ipp.txt'
	option keepalive '10 120'
	option persist_key '1'
	option persist_tun '1'
	option user 'nobody'
	option status '/tmp/openvpn-status.log'
	option verb '3'

config openvpn 'sample_client'
	option client '1'
	option dev 'tun'
	option proto 'udp'
	list remote 'my_server_1 1194'
	option resolv_retry 'infinite'
	option nobind '1'
	option persist_key '1'
	option persist_tun '1'
	option user 'nobody'
	option ca '/etc/openvpn/ca.crt'
	option cert '/etc/openvpn/client.crt'
	option key '/etc/openvpn/client.key'
	option verb '3'

config openvpn 'ProtonNL'
	option config '/etc/openvpn/ProtonNL.ovpn'

config openvpn 'ProtonUS'
	option config '/etc/openvpn/ProtonUS.ovpn'
	option enabled '1'
#/etc/openvpn/ProtonUS.ovpn
client
dev tun
proto udp
remote 45.89.173.194 5060
remote 45.89.173.194 80
remote 45.89.173.194 51820
remote 45.89.173.194 1194
remote 45.89.173.194 4569
remote-random
resolv-retry infinite
nobind
auth SHA512
verb 3
setenv CLIENT_CERT 0
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
reneg-sec 0
remote-cert-tls server
auth-user-pass /etc/openvpn/ProtonUS.auth
pull
fast-io
<ca>
-----BEGIN CERTIFICATE-----
MIIFozCCA4ugAwIBAgIBATANBgkqhkiG9w0BAQ0FADBAMQswCQYDVQQGEwJDSDEV
DK/yPwECUcPgHIeXiRjHnJt0Zcm23O2Q3RphpU+1SO3XixsXpOVOYP6rJIXW9bMZ
A1gTTlpi7A==
-----END CERTIFICATE-----
</ca>
key-direction 1
<tls-auth>
# 2048 bit OpenVPN static key
-----BEGIN OpenVPN Static key V1-----
6acef03f62675b4b1bbd03e53b187727
16672ea16c012664f8a9f11255518deb
-----END OpenVPN Static key V1-----
</tls-auth>
Still wondering about which part is missing here (missing default gateways from the VPNs?) before making a next step in routing.
Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have
ubus call system board; \
uci export network; uci export wireless; \
uci export dhcp; uci export firewall; uci export pbr; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
ls -l /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
There is no other interface except lan to serve customer traffic.
You need to create the additional interfaces and connect them to the wifi SSID. Then you can configure it on the PBR to use a VPN as uplink.
Upgraded to Firmware Version OpenWrt 22.03.1 r19777-2853b6d652 / LuCI openwrt-22.03 branch git-22.339.35241-4ca7a8d. Updated all packages also. No clue how to create additional interfaces in OpenWrt but will start looking into it. Always nice to learn something new.
Network - Interfaces - Scroll to the bottom of the page "Add new Interface"
Give it a name and leave the others as you see. Then fill in the IP address and the mask.
Then go to Network - Wireless, add a new wifi and assign it to the new interface.
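The design described earlier in the thread (a zone for the tunnel that mimics wan with masquerading and MSS clamping, a separate interface and zone for the VPN-bound SSID, and a pbr policy tying the two together) plus the "Add new interface" step above, written out as the UCI sections they produce. This is an added example, not anyone's configuration from this thread; it assumes the new Wi-Fi interface is called wifi_us on 192.168.2.0/24, that the Proton US tunnel is pinned to the device name tun_us (see the comment), and that the pbr package is installed.

```uci
# /etc/config/network  (added sections; names are this example's own)
config interface 'wifi_us'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'

# Tunnel as an unmanaged interface so firewall and pbr can reference it.
# Assumes 'dev tun_us' in ProtonUS.ovpn (plain 'dev tun' yields tun0/tun1 in
# start order) and 'pull-filter ignore "redirect-gateway"' so the pushed
# default route does not take over the main table (see the pbr docs).
config interface 'vpn_us'
	option proto 'none'
	option device 'tun_us'

# /etc/config/firewall
config zone
	option name 'vpn_us'
	list network 'vpn_us'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config zone
	option name 'wifi_us'
	list network 'wifi_us'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Forward only to the tunnel zone, not to wan: a down tunnel fails closed.
config forwarding
	option src 'wifi_us'
	option dest 'vpn_us'

# input is REJECT, so allow just DHCP and DNS to the router itself
config rule
	option name 'Allow-wifi_us-DHCP-DNS'
	option src 'wifi_us'
	option dest_port '53 67 68'
	option proto 'tcp udp'
	option target 'ACCEPT'

# /etc/config/pbr  (policy applied to the whole SSID subnet)
config policy
	option name 'Wifi_US via Proton US'
	option src_addr '192.168.2.0/24'
	option interface 'vpn_us'
```

The SSID itself is attached by setting `option network 'wifi_us'` on the wifi-iface in /etc/config/wireless (what the Network - Wireless step above does), and a DHCP pool for wifi_us in /etc/config/dhcp completes the picture.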
Ok, I managed to set up an interface with this help, linked it to a wifi adapter and even managed to set up a DHCP server to assign addresses to connecting clients. IP has been set to another subnet, 192.168.2.1.
When connecting to wifi with a phone, a 192.168.2.x IP address is assigned and a connection is there. Due to the lack of routing, there is no internet or VPN yet.
Trying to set up PBR (192.168.2.x - PBR - VPN) but run into issues and it doesn't work yet. Will continue to read more.