Hi, I need to configure a small TP-Link TL-WR802N v4 as a VPN opener device. The stock firmware doesn't have VPN support, so I have installed the OpenWrt firmware.
Now I have the device working and the VPN connection already operative; I have installed it as a new interface using the WireGuard VPN extension. On my main home router I can see the VPN successfully connected.
Now I will explain my idea:
Set up the LAN ETH port of the TL-WR802N as a WAN port with the DHCP client IP function active
Set up the WireGuard VPN as a client (I have a WireGuard server configuration working on my home Fritz router) [DONE]
Set up WiFi with a proper DHCP server for wireless clients; all traffic must pass through the WireGuard VPN
When totally configured, I want to connect this TL-WR802N via ETH cable to any connection away from my home, and the WiFi AP generated will already have the VPN opened from OpenWrt.
I think it is feasible, but where can I find some suggestions for the configuration?
This application is usually described as a travel router with VPN.
Since there is only one Ethernet port, in order to serve a wired device on the client side of the network, the "upstream" connection toward the Internet will need to be wireless. This is not complicated to do. First move the Ethernet port into the lan network bridge instead of wan. Then configure a wifi Client (STA) with credentials to connect to the wifi at the hotel etc., and attach it to the wan network. For this to work the wan has to be a single interface, not a bridge.
If the wifi you are connecting to does not connect to the Internet immediately but instead makes you fill out a web page first (a captive portal) you will need to shut down the VPN client while filling out the page then turn it back on once authorized to use the Internet.
Thanks @mk24 for the reply and suggestions. The application is exactly what you explain, but in the opposite flow: I want to connect the device to a hotel/customer/friend's Ethernet connection, and the WiFi network generated will allow me to connect multiple devices under my home VPN.
You can change your Ethernet port to be a wan port. As the post linked below describes, make sure you can connect via wifi before doing so. You don't want to lose admin access to your device. You might even want to experiment with a hardware factory reset so you know you can get back in that way if all else fails.
Thanks @jedboy for the suggestion and link! I think I'm now near the solution.
I have successfully created the WAN interface and set it up in DHCP client mode on the eth0 port.
I have successfully created and opened the WireGuard VPN.
I have successfully created a different static IP configuration for wireless (192.168.44.1) with a DHCP server from 192.168.44.100 to 192.168.44.200.
Everything seems OK, but all my connected wireless clients use the WAN connection instead of the VPN connection. I still see the public IP of the WAN interface instead of the public IP of my main WireGuard VPN server at home. I think I have to modify the route settings, forcing it to use the VPN and not the WAN, but I don't know how; any suggestion for the last step?
Please copy the output of the following commands and post it here using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
cat /etc/config/firewall
wg show
ip route
Your travel router should have a default route to send everything out the wg interface.
The wg show should return a line with "latest handshake"; if you don't have that, it isn't working.
I have masked potentially sensitive data with "___".
Here is the requested result:
```
PS C:\WINDOWS\system32> ssh root@192.168.44.1
The authenticity of host '192.168.44.1 (192.168.44.1)' can't be established.
ED25519 key fingerprint is SHA256:Jf___.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? y
Please type 'yes', 'no' or the fingerprint: yes
Warning: Permanently added '192.168.44.1' (ED25519) to the list of known hosts.


BusyBox v1.35.0 (2023-04-27 20:28:15 UTC) built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__| |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt 22.03.5, r20134-5f15225c1e
 -----------------------------------------------------
=== WARNING! =====================================
There is no root password defined on this device!
Use the "passwd" command to set up a new password
in order to prevent unauthorized SSH logins.
--------------------------------------------------
root@OpenWrt:~# ubus call system board
{
        "kernel": "5.10.176",
        "hostname": "OpenWrt",
        "system": "MediaTek MT7628AN ver:1 eco:2",
        "model": "TP-Link TL-WR802N v4",
        "board_name": "tplink,tl-wr802n-v4",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "22.03.5",
                "revision": "r20134-5f15225c1e",
                "target": "ramips/mt76x8",
                "description": "OpenWrt 22.03.5 r20134-5f15225c1e"
        }
}
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
    option device 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config globals 'globals'
    option ula_prefix 'fdbc:7c68:c096::/48'

config interface 'lan'
    option device 'br-lan'
    option proto 'static'
    option netmask '255.255.255.0'
    option ip6assign '60'
    option ipaddr '192.168.44.1'
    option gateway '192.168.1.203'
    list dns '192.168.1.203'

config switch
    option name 'switch0'
    option reset '1'
    option enable_vlan '0'

config interface 'wan'
    option proto 'dhcp'
    option device 'eth0'

config interface 'VPN_WireGuard'
    option proto 'wireguard'
    option private_key 'EI___o='
    list addresses '192.168.1.203/24'

config wireguard_VPN_WireGuard
    option description 'Imported peer configuration'
    option public_key 'L3___hQ='
    option preshared_key 'rZ___MU='
    list allowed_ips '192.168.1.0/24'
    list allowed_ips '0.0.0.0/0'
    option persistent_keepalive '25'
    option endpoint_host '3___.myfritz.net'
    option endpoint_port '55083'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
    option syn_flood '1'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

config zone
    option name 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    list network 'lan'

config zone
    option name 'wan'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'
    list network 'wan'
    list network 'wan6'

config forwarding
    option src 'lan'
    option dest 'wan'

config rule
    option name 'Allow-DHCP-Renew'
    option src 'wan'
    option proto 'udp'
    option dest_port '68'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-IGMP'
    option src 'wan'
    option proto 'igmp'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-DHCPv6'
    option src 'wan'
    option proto 'udp'
    option dest_port '546'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-MLD'
    option src 'wan'
    option proto 'icmp'
    option src_ip 'fe80::/10'
    list icmp_type '130/0'
    list icmp_type '131/0'
    list icmp_type '132/0'
    list icmp_type '143/0'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Input'
    option src 'wan'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    list icmp_type 'router-solicitation'
    list icmp_type 'neighbour-solicitation'
    list icmp_type 'router-advertisement'
    list icmp_type 'neighbour-advertisement'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Forward'
    option src 'wan'
    option dest '*'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-IPSec-ESP'
    option src 'wan'
    option dest 'lan'
    option proto 'esp'
    option target 'ACCEPT'

config rule
    option name 'Allow-ISAKMP'
    option src 'wan'
    option dest 'lan'
    option dest_port '500'
    option proto 'udp'
    option target 'ACCEPT'

root@OpenWrt:~# wg show
interface: VPN_WireGuard
  public key: gR___R8=
  private key: (hidden)
  listening port: 52007

peer: L3___hQ=
  preshared key: (hidden)
  endpoint: 8___4:55083
  allowed ips: 192.168.1.0/24, 0.0.0.0/0
  latest handshake: 2 minutes ago
  transfer: 212.30 KiB received, 114.26 KiB sent
  persistent keepalive: every 25 seconds
root@OpenWrt:~# ip route
default via 192.168.1.1 dev eth0 src 192.168.1.2
192.168.1.0/24 dev VPN_WireGuard scope link src 192.168.1.203
192.168.1.0/24 dev eth0 scope link src 192.168.1.2
192.168.44.0/24 dev br-lan scope link src 192.168.44.1
root@OpenWrt:~#
```
Thanks for your support. This point is a problem because fritz.box can create a WireGuard VPN only with the same IP class as my main home LAN subnet. Changing all the LAN configuration at home only to handle WireGuard makes me crazy; any other suggestion to avoid this?
If you plan to use the device as a travel router this could happen often, so you should probably consider changing your home lan subnet to something more exotic…
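A small diagnostic, added here and not posted by anyone in the thread, that runs the checks asked for above over the posted `ip route` and `wg show` text: handshake present, default route leaving via the wg interface, and any prefix that is routed both through the tunnel and through a local interface (the 192.168.1.0/24 clash that is behind the advice to change the home subnet). The sample strings are a constructed copy of the output posted above; on the router itself, feed the functions the live output of `ip route` and `wg show`.

```shell
#!/bin/sh
# Added travel-router sanity check (not from the thread). Sample input is a
# constructed copy of the posted "ip route" / "wg show" output (redactions kept).
WG_IF="VPN_WireGuard"
ROUTES='default via 192.168.1.1 dev eth0 src 192.168.1.2
192.168.1.0/24 dev VPN_WireGuard scope link src 192.168.1.203
192.168.1.0/24 dev eth0 scope link src 192.168.1.2
192.168.44.0/24 dev br-lan scope link src 192.168.44.1'
WG_STATUS='interface: VPN_WireGuard
peer: L3___hQ=
  endpoint: 8___4:55083
  allowed ips: 192.168.1.0/24, 0.0.0.0/0
  latest handshake: 2 minutes ago'

# Returns 0 when the default route leaves through the WireGuard interface.
default_via_wg() {
  printf '%s\n' "$1" | awk -v wg="$2" '
    $1 == "default" { for (i = 1; i < NF; i++) if ($i == "dev" && $(i+1) == wg) ok = 1 }
    END { exit (ok ? 0 : 1) }'
}

# Prints each prefix routed both via the tunnel and via another interface
# (here 192.168.1.0/24: the upstream LAN and the home LAN use the same subnet).
overlapping_prefixes() {
  printf '%s\n' "$1" | awk -v wg="$2" '
    $1 != "default" {
      dev = ""; for (i = 1; i < NF; i++) if ($i == "dev") dev = $(i+1)
      if (dev == wg) onwg[$1] = 1; else other[$1] = 1
    }
    END { for (p in onwg) if (p in other) print p }'
}

# Returns 0 when the peer reports a handshake, i.e. the tunnel is actually up.
wg_handshake_seen() {
  printf '%s\n' "$1" | grep -q 'latest handshake:'
}

# Runs all checks; returns 0 only when every client packet will use the tunnel.
check_travel_router() {
  rc=0
  wg_handshake_seen "$WG_STATUS" || { echo "no handshake: tunnel is down"; rc=1; }
  default_via_wg "$ROUTES" "$WG_IF" || { echo "default route is not via $WG_IF"; rc=1; }
  for p in $(overlapping_prefixes "$ROUTES" "$WG_IF"); do
    echo "prefix $p is on $WG_IF and on a local interface: traffic to it is ambiguous"; rc=1
  done
  return $rc
}

if check_travel_router; then echo "all client traffic will use the tunnel"; else echo "fix the items above"; fi
```

With the posted output this reports both the missing default route via the tunnel and the 192.168.1.0/24 overlap; the handshake check passes, which matches the "latest handshake" line the earlier reply asked for.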