I thought this should be pretty straightforward, but after hours and hours of tinkering and reading online, I can't seem to get it to work. Here's what I want to accomplish:
Main Router handles DHCP and has the IP of 192.168.33.1.
OpenWrt Router has a static IP of 192.168.33.2 with DHCP off, and is connected to the Main Router via a LAN port.
The goal is to allow all clients connected to OpenWrt by default to use the Main Router's internet, but clients that set the OpenWrt Router as the gateway should have their traffic routed through the VPN client running on the OpenWrt Router.
So far I've managed to set up the OpenWrt Router as a VPN Client. The LAN interface is br-lan and I can't seem to get the traffic routed from the LAN through the VPN. Internet works for OpenWrt Router clients, as traffic seems to go through the main router.
I added an interface for tun0 but read somewhere that it may not be required.
Any suggestions of how I can get this working? Any additional information you need to know?
Trying to do a similar wg setup from one router instead of two. One interface for internet to ebay, credit cards, etc. Is it possible to have separate wifi radios for internet and vpn?
How do you know ip for clearnet site is "clear" without exposing vpn?
Trying to create another lan interface for internet only with owrt vpn wg client always on. Any tips appreciated.
Well, it seems like posting is an important step to finding the solution, even if no answers are posted in reply! I managed to get this working using ChatGPT 4 to help explain things to me while I tinkered with the settings. The problem is that I can't fully explain why it works, so if someone is interested in writing that up here for future users, that may still be helpful.
Very strange differentiation.
@ulmwind why do you say so?
I want clients to be able to choose whether they use the vpn or not, and I want all clients to be able to share the same network resources such as printers etc., so I figured that letting the client choose its gateway, with everything being on the same subnet, accomplishes that.
Would you set it up differently?
Maybe it's me always thinking in the same categories. If there are easier ways here, feel free to correct me.
- I'd create different networks for "with vpn" and "without vpn".
- Both networks get individual IP ranges.
- Both networks get individual Wifi SSIDs.
- The password for both Wifi SSIDs can be the same.
- The firewall zone for both networks can be the same.
- Create a rule that routes traffic from one network through the VPN.
- Clients can pick just by selecting one SSID or the other.
This obviously will utilize CPU for routing between your two networks on traffic that otherwise could just easily be handled by the bridge and bypass the CPU, but if your hardware is powerful enough to handle VPN it is certainly powerful enough to handle local routing.
You can use the same subnet and gateway for all clients with PBR.
Just create a routing policy for specific source IPs or MACs.
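Both approaches in this thread (a separate "with vpn" subnet per SSID, or per-client PBR on the shared 192.168.33.0/24 LAN) come down to the same iproute2 mechanism: a policy rule that sends matching source addresses to a dedicated routing table whose default route is the tunnel. The script below is an added example written for this thread, not code from any poster or from the OpenWrt project. It assumes the tunnel interface is tun0, the LAN bridge is br-lan, and that table id 100 and rule priority 1000 are free; all of those are placeholders. It defaults to a dry run that prints the commands so the plan can be reviewed before it is applied to a live router.

```shell
#!/bin/sh
# Added example for this thread: policy-based routing of selected sources
# through a VPN tunnel with iproute2. Each SOURCE passed to pbr_apply may be
# a single client (192.168.33.50) or a whole prefix (192.168.34.0/24), which
# covers both the two-SSID design and the shared-subnet PBR design.
# Assumed names (placeholders): tun0, br-lan, table 100, priority 1000.

VPN_IF="${VPN_IF:-tun0}"
LAN_IF="${LAN_IF:-br-lan}"
LAN_NET="${LAN_NET:-192.168.33.0/24}"
VPN_TABLE="${VPN_TABLE:-100}"
RULE_PRIO="${RULE_PRIO:-1000}"
# DRY_RUN=1 prints the commands instead of executing them.
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# pbr_apply SOURCE...  installs the VPN table and one rule per source.
pbr_apply() {
    [ $# -gt 0 ] || { echo "usage: pbr_apply SOURCE..." >&2; return 2; }
    # Table 100: the local LAN stays directly reachable (printers, NAS),
    # everything else leaves through the tunnel.
    run ip route replace "$LAN_NET" dev "$LAN_IF" table "$VPN_TABLE"
    run ip route replace default dev "$VPN_IF" table "$VPN_TABLE"
    # Fail closed: if the tunnel goes down the kernel drops the dev route,
    # and this higher-metric entry keeps VPN clients from silently falling
    # back to the clear path through the main router.
    run ip route replace unreachable default table "$VPN_TABLE" metric 1000
    # Note: "ip rule add" is not idempotent; run pbr_remove before re-applying
    # to avoid duplicate rules accumulating.
    for src in "$@"; do
        run ip rule add from "$src" lookup "$VPN_TABLE" priority "$RULE_PRIO"
    done
}

# pbr_remove SOURCE...  deletes the rules and flushes the table.
pbr_remove() {
    for src in "$@"; do
        run ip rule del from "$src" lookup "$VPN_TABLE" priority "$RULE_PRIO"
    done
    run ip route flush table "$VPN_TABLE"
}

# Usage: ./pbr.sh apply 192.168.33.50 192.168.34.0/24
#        DRY_RUN=0 ./pbr.sh apply 192.168.33.50      (actually execute)
#        ./pbr.sh remove 192.168.33.50 192.168.34.0/24
case "${1:-}" in
    apply)  shift; pbr_apply "$@" ;;
    remove) shift; pbr_remove "$@" ;;
esac
```

The routing rules alone are not enough: the tunnel interface still has to sit in a firewall zone with masquerading enabled, with forwarding allowed from the lan zone to it, otherwise replies cannot come back through the VPN. For the two-SSID design pass the whole "with vpn" prefix as the source; for the shared-subnet design pass the individual client IPs (static DHCP leases on the main router keep those addresses stable). Reviewing the dry-run output with `ip rule show` and `ip route show table 100` after applying is the quickest way to confirm which clients are actually being steered.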