I will start by stating my objective: creating a secondary router in my home where, if a client connects via LAN or through the SSID, all traffic coming from/going to the downstream client device (such as a computer or laptop) runs as a client to an OpenVPN server I have set up.
Current setup
I have a Linksys MR8300 with OpenWrt installed. It currently has 100 percent packet loss when testing via diagnostics. The WAN port of the OpenWrt Linksys router is wired to a LAN port in the upstream (ISP-provided) router. I intend to still have regular devices connected to the upstream router be reasonably impacted by the OpenWrt device.
Other than attempting to configure wireless for my OpenWrt Linksys device (I get "wireless is not associated"), I have OpenWrt 22.03.2 for that device installed.
As a starting point, it is sometimes/often necessary to change the LAN IP address of the OpenWrt router so that it doesn't conflict with the upstream router's subnet. If your existing router is using 192.168.1.0/24 for its LAN, you must change OpenWrt... it can be any RFC1918 range that doesn't conflict. For example, 192.168.4.1 would be fine for the OpenWrt lan address.
If this doesn't solve the problem, please post your config files for review:
Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
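As an added example (not from this thread or from the OpenWrt project), the following POSIX shell script performs the subnet check described above and, when run on the OpenWrt device, applies the change with `uci`. The WAN address 192.168.1.57, the /24 prefix and the replacement address 192.168.4.1 are constructed sample values; on a real router the LAN netmask should be read from `network.lan.netmask` rather than assumed.

```sh
#!/bin/sh
# Added example: detect a LAN/upstream subnet collision on a downstream
# OpenWrt router and move the LAN to a non-conflicting RFC1918 range.
# The uci/ifstatus calls only run where those tools exist, so the helper
# functions can be exercised on any POSIX sh.

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# Network mask for a prefix length (1..32), as an integer.
prefix_to_mask() {
    echo $(( 4294967295 ^ ((1 << (32 - $1)) - 1) ))
}

# Exit status 0 when two IPv4 addresses fall in the same /prefix network.
same_subnet() {
    mask=$(prefix_to_mask "$3")
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$2") & mask )) ]
}

# Current LAN address (192.168.1.1/24 on a fresh OpenWrt install) and the
# WAN address handed out by the upstream router. On the device these come
# from uci and ifstatus; otherwise constructed sample values are used.
if command -v uci >/dev/null 2>&1; then
    LAN_IP=$(uci -q get network.lan.ipaddr)
    WAN_IP=$(ifstatus wan | jsonfilter -e '@["ipv4-address"][0].address')
else
    LAN_IP=192.168.1.1   # constructed sample
    WAN_IP=192.168.1.57  # constructed sample: DHCP lease from upstream
fi
LAN_PREFIX=24          # assumed; read network.lan.netmask on a real device
NEW_LAN_IP=192.168.4.1 # any RFC1918 address outside the upstream subnet

if same_subnet "$LAN_IP" "$WAN_IP" "$LAN_PREFIX"; then
    echo "LAN $LAN_IP/$LAN_PREFIX overlaps upstream (WAN got $WAN_IP); moving LAN to $NEW_LAN_IP"
    if command -v uci >/dev/null 2>&1; then
        uci set network.lan.ipaddr="$NEW_LAN_IP"
        uci commit network
        /etc/init.d/network restart
    fi
else
    echo "LAN $LAN_IP/$LAN_PREFIX does not overlap WAN $WAN_IP; no change needed"
fi
```

After the restart you must reconnect to the router at the new address (here 192.168.4.1); a client that still holds an old 192.168.1.x lease from the OpenWrt DHCP server will need to renew it.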
I think you're saying that you want endpoints connected to the 8300 (wifi or LAN ports) to go to the Internet via VPN, while endpoints connected to the main router continue to go directly to the Internet without VPN.
In that case, the configuration of OpenWrt is the same as if it were a main router connected directly to the Internet. Though as psherman said, since your WAN IP will be a private range, you have to be sure not to conflict with the new LAN.
Get regular lan-wan routing working first, then install and configure OpenVPN.
Thanks for getting back to me. Indeed they do have the same subnet (i.e. 192.168.1.1). The link that you shared is not clear to me and appears to be outdated in terms of its explanation on how to change the IP of the OpenWrt router.
The link is up to date and describes the process of changing your LAN IP, but I can help provide some clarification if you'd like... what's causing confusion?
Indeed, they are both different issues. Now that I've changed the address of the openwrt machine to .2.1 everything is good, the VPN is evidently working. But I am struggling with WAN. Should I make a new post?
I just don't understand how to broadcast a wireless signal via OpenWrt. Under interfaces, the only GUI interface that appears to be working right now is the LAN.
My virtual interface (TESTTUN) is useless, does nothing, and my WAN & WAN6 just don't do anything.
Set all three radios to your country. Do this by editing an interface on a radio, click the Advanced tab near the top of the page, and pull down to choose the country. Do this three times; all three must be set to the same country.
In the MR8300, radio 0 must be set to channel 100 or higher, and radio2 to channel 60 or lower. Note that in most countries, a DFS channel (60-132) will not come up immediately as there is a 1 minute wait to confirm there is no radar operating nearby.
Delete all the interfaces except for one AP on each radio. You have a STA interface on one radio that will never find its AP, that keeps any APs configured on the radio from starting up.
The lan should be using device br-lan. Then, from there, you go to the wireless configuration and you set the SSID and password, and you associate it with the lan network.
I now only have radio0 set up as 5 GHz. I managed to connect with another device.
Right now on a desktop I am hardwired into openwrt with openvpn set up as a client. From this hardwired machine I am accessing the web via the VPN.
However, on a remote laptop connected to my OpenWrt-associated SSID (there's only one attached to LAN), this is not the case. It is connected directly to the public internet, not the VPN. What am I missing here?
Let's take a look at the full set of config files... so far, we've only seen the wireless file. Please post all 4 so that we can see the latest situation.
I should also add that since I have altered things (not sure what specifically did this), I am now noticing that traffic on LAN (my connected desktop) does not appear to be going through the VPN anymore.
So you're saying that the devices connected via wifi are not using the tunnel, but the ethernet connected ones do?
I'm not seeing any reason for that behavior, but I can suggest the following:
move the VPN into a separate zone. Remove it from the wan zone, create a new zone. Remove lan > wan forwarding (this won't be obvious, but is removed from the below config) and enable lan > vpn forwarding. Your config should look like this:
config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config zone
	option name 'vpn'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	list device 'tun0'

config forwarding
	option src 'lan'
	option dest 'vpn'
With this, your config will only allow the lan clients to egress via the VPN tunnel... they will not be able to egress via the wan.
Check to make sure that your SSID is unique and that your devices only have a single active connection to the network we're talking about here (the secondary router)... any other connections (wifi or wired, like to your main upstream network) could obviously have the effect of accidentally bypassing the VPN.
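As an added example (not psherman's code or part of the OpenWrt project), the following POSIX shell script checks a UCI firewall file for the "kill switch" property described in the post above: the lan zone must forward only to the vpn zone, never to wan, and the vpn zone must masquerade out of tun0. Two firewall files are constructed inline, one matching the suggested config and one that still carries the default lan to wan forwarding; on a router you would point `check_killswitch` at /etc/config/firewall instead.

```sh
#!/bin/sh
# Added example: verify that an OpenWrt firewall config forces LAN clients
# through the VPN zone (tun0) and leaves no path to the wan zone.

# Print "src dest" for every 'config forwarding' section in a UCI file.
list_forwardings() {
    awk '
        function flush() { if (sect == "forwarding" && src && dst) print src, dst; src = ""; dst = "" }
        $1 == "config" { flush(); sect = $2; next }
        sect == "forwarding" && $1 == "option" { gsub(/\047/, "", $3)
            if ($2 == "src")  src = $3
            if ($2 == "dest") dst = $3 }
        END { flush() }
    ' "$1"
}

# Exit 0 when the file contains a forwarding from zone $2 to zone $3.
has_forwarding() {
    list_forwardings "$1" | grep -qx "$2 $3"
}

# Exit 0 when the zone named $2 carries an option or list entry $3 = $4
# (for example: zone_has FILE vpn device tun0, or zone_has FILE vpn masq 1).
zone_has() {
    awk -v zone="$2" -v key="$3" -v val="$4" '
        function flush() { if (name == zone && hit) found = 1; name = ""; hit = 0 }
        $1 == "config" { flush(); sect = $2; next }
        sect == "zone" { gsub(/\047/, "", $3)
            if ($2 == "name") name = $3
            if ($2 == key && $3 == val) hit = 1 }
        END { flush(); exit (found ? 0 : 1) }
    ' "$1"
}

# Kill-switch check: lan may reach only the vpn zone, and the vpn zone
# must NAT out of tun0. Prints the first failing condition.
check_killswitch() {
    f=$1
    if has_forwarding "$f" lan wan; then
        echo "FAIL: lan -> wan forwarding present; LAN clients can bypass the tunnel"; return 1
    fi
    has_forwarding "$f" lan vpn || { echo "FAIL: no lan -> vpn forwarding"; return 1; }
    zone_has "$f" vpn device tun0 || { echo "FAIL: vpn zone does not cover tun0"; return 1; }
    zone_has "$f" vpn masq 1 || { echo "FAIL: vpn zone has no masquerading"; return 1; }
    echo "OK: lan can only egress via tun0 ($f)"
}

# Constructed sample configs (trimmed to the relevant sections).
TMP=${TMPDIR:-/tmp}
STRICT_CFG=$TMP/firewall.strict.$$
LEAKY_CFG=$TMP/firewall.leaky.$$

cat >"$STRICT_CFG" <<'EOF'
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config zone
	option name 'vpn'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	list device 'tun0'

config forwarding
	option src 'lan'
	option dest 'vpn'
EOF

# Same zones, but the stock lan -> wan forwarding was never removed.
{ cat "$STRICT_CFG"; printf '\nconfig forwarding\n\toption src %s\n\toption dest %s\n' "'lan'" "'wan'"; } >"$LEAKY_CFG"

for cfg in "$STRICT_CFG" "$LEAKY_CFG"; do
    check_killswitch "$cfg" || :
done
```

The check is static: it proves the firewall will not forward lan traffic to wan, but a second uplink on the client itself (as noted above) or a route added by a misconfigured VPN client is outside what the firewall file can tell you, so also confirm from a LAN client that its public address is the VPN server's.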