OpenWrt Bridge Configuration Issues

I’m fairly new to networking setup here but have been doing my best to Google for answers, so please excuse where my knowledge may be lacking.

Goal: I have a LAN router that I want to access remotely via OpenVPN as if I were plugged into the device. The device has multiple PCs hooked up into it locally, and also accesses other network resources via an Internet connection such as a chat server. However, the router has a firewall and thus it does not have full Internet access.

My VPN router (GL-AR150 running OpenWRT) needs to have two connections made to it: one to the LAN device itself (obvious reasons), and one for the router itself to obtain full access to the Internet (thus allowing incoming VPN connection).

  • AR150 = VPN Router
  • R6400 = WAN router with full Internet access
  • LAN Router = device with network resources that I want to access

Right now the physical configuration looks like this:

[ AR150 ] -> eth1 -> [ LAN Router ] -> [ R6400 ]
[             ] -> eth0 -> [ R6400 ]

My interfaces are LAN, LAN2, WAN.

  • LAN is linked to the Wifi Adapter to access configuration and nothing else really. I don’t need the Wifi for anything else other than configuring the VPN router.
  • WAN is linked to eth0 to provide access into the VPN router from the client.
  • LAN2 is an interface I created to act as a bridge between eth1 (physical connection to LAN router), br0, and tap0. Tap0 is my virtual TAP interface and br0 my virtual bridge interface.

If I plug a machine directly into the LAN device, I get an IP assigned in 10.154.202.X, subnet 255.255.255.0, Default Gateway 10.154.202.254. DNS 10.133.1.1 and 10.134.1.1. This is the behavior I’m trying to replicate for the client when connected via VPN.

Right now I’m able to connect the client to the VPN router without issue in Windows. I get an IP assigned in the specified subnet (10.154.202.50 usually) and I can ping anything plugged into the LAN router directly, but can’t get anything outside of it. It’s also not assigning a Default Gateway when I load ipconfig.

Here’s my configuration. Any help would be appreciated.

Server Config:

client-to-client
persist-key
persist-tun
auth SHA1
cipher BF-CBC
comp-lzo adaptive
dev tap0
dev-type tap
group nogroup
keepalive 10 120
mode server
mute 5
port 9000
proto udp
push "persist-key"
push "persist-tun"
push "redirect-gateway def1"
route-gateway dhcp
server-bridge 10.154.202.20 255.255.255.0 10.154.202.50 10.154.202.55
topology subnet
duplicate-cn
user nobody
verb 3

Client Config:

client
dev tap
proto udp
remote [IP Address Removed] 9000
resolv-retry infinite
nobind
persist-key
persist-tun
auth SHA1
cipher BF-CBC
comp-lzo adaptive
nice 0
mute 5
verb 3

Seems overly complicated; I assume there's some reason you can't run the VPN directly on the "WAN" router itself?

In your current configuration, from what I can piece together, the main issue is a lack of default gateway. If the "WAN" router is responsible for doing the DHCP, and you want your device behind the VPN to act as if it is connected to the WAN router, it's easier to avoid having OpenVPN assign the address. You are bridging, so the DHCP request from the end device can flow over the VPN to the WAN router (in theory, if all is correct).

To do that, remove these lines:

push "redirect-gateway def1"
route-gateway dhcp
server-bridge 10.154.202.20 255.255.255.0 10.154.202.50 10.154.202.55

and replace with simply

server-bridge 10.154.202.20 255.255.255.0

With that config, your client should get a DHCP response from the WAN router instead of the VPN box.

Thanks for the reply - I'm actually trying to get a DHCP assigned to the OpenVPN client PC from the LAN router, not the WAN router. The WAN router is basically just the VPN box's link to the outside world, but I'm trying to access resources and get DHCP assignments from the LAN router.

I removed the first two lines you suggested. When replacing the third line as suggested, OpenVPN failed to start altogether. With the first two lines removed, that unfortunately didn't solve the issue.

Given that I'm trying to get DHCP from the LAN router (not WAN) what do you think I'm doing wrong here? Any suggestions are appreciated.

This needn't be that complicated. With a TAP, the VPN link is basically a layer 2 bridge. Remote VPN users get their IP from the main router DHCP, then they can participate in the whole LAN as if they were locally connected.

So on the VPN server, which may or may not be running in the main router, attach the TAP interface to br-lan.

TAP interface is already connected to br-lan.

Maybe I can be more clear as to what my problem is:

The WAN router is assigning an IP/default gateway to the VPN router (since it needs one to access the Internet) and the LAN Router is also assigning an IP/default gateway to the VPN router (since VPN router needs to be a client on the LAN router to access LAN router resources).

I can set the VPN router to use the Default Gateway of the WAN router, but if I do that, all traffic gets routed through the WAN gateway and I can't get to anything on the LAN router, other than machines directly connected to it. If I set the VPN router to use the Default Gateway of the LAN router, the traffic correctly goes through the LAN router but I can't get into the VPN at all (since the VPN client can't establish a connection through the WAN router).

I'm trying to figure out how to properly establish a connection via the WAN router AND, when the client is connected, route all traffic through the LAN router's default gateway.

There is only one router in your serving network: the main router that connects the LAN to the Internet. The machine that runs the OpenVPN server is strictly a LAN device. It is possible to run the VPN server on the same machine that is the main router, but in many cases you want something with a better CPU to handle encryption.

It is necessary to configure the main router to forward a port from the Internet to the VPN server's IP on the LAN so that VPN users can connect to the VPN server. This is the only special configuration needed of the main router, so an ISP-supplied device or other unit with basic consumer firmware can usually be used.

Once they have connected to the VPN server, each VPN user's tunnel opens onto your LAN through br-lan in the VPN server machine.

They then receive a DHCP assignment from your main router and act like they are part of your LAN, including that when they go to the Internet, it is through your WAN.

At the server, the OpenVPN option "redirect-gateway def1 bypass-dhcp" is needed to allow DHCP assignments to pass through the tunnel.

This is an interesting situation at the client machine, since the VPN client process needs to continue to use the "real" connection to the Internet or it will lose contact with the VPN server, but a web browser etc. should use the tunnel connection. How to do this varies by client.

If you use an OpenWrt router at the client end, set up a "vpnuser" network bridge to an Ethernet or wifi port and set "defaultroute" to 0 to cause it to not reset the router's Internet route to the VPN one.
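The setup this last reply describes, written out in OpenWrt and OpenVPN terms as an added example that is not the configuration of anyone in the thread: the VPN box is an ordinary LAN device with a static address, tap0 is a port of br-lan, clients take DHCP from the main router across the bridge, and the main router forwards UDP 9000 to the box. Port 9000, the 10.154.202.x addresses and the DNS servers are the thread's; eth0, the certificate paths and the section name are assumptions, and the bridge syntax is OpenWrt 21.02 or newer.

```conf
# --- /etc/config/network on the VPN box (OpenWrt 21.02+ syntax) ---
# tap0 appears when OpenVPN starts; netifd attaches it to br-lan (clients share the LAN's L2 segment).
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'
	list ports 'tap0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'            # fixed address: the port forward below targets it
	option ipaddr '10.154.202.20'
	option netmask '255.255.255.0'
	option gateway '10.154.202.254'
	list dns '10.133.1.1'
	list dns '10.134.1.1'

# --- /etc/config/openvpn on the VPN box: point the init script at a plain file ---
config openvpn 'lanbridge'
	option enabled '1'
	option config '/etc/openvpn/server.conf'

# --- /etc/openvpn/server.conf on the VPN box ---
# server-bridge with no arguments = DHCP-proxy mode: address, gateway and DNS
# come from the main router's DHCP over the bridge (no pool, no route-gateway).
# bypass-dhcp keeps the client's physical adapter's DHCP renewals off the tunnel.
dev tap0
dev-type tap
proto udp
port 9000
server-bridge
push "redirect-gateway def1 bypass-dhcp"
persist-key
persist-tun
ca /etc/openvpn/ca.crt           # assumed certificate paths
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh.pem
user nobody
group nogroup

# --- /etc/config/firewall on the main router, only if it also runs OpenWrt ---
config redirect
	option src 'wan'
	option proto 'udp'
	option src_dport '9000'
	option dest 'lan'
	option dest_ip '10.154.202.20'
	option dest_port '9000'
	option target 'DNAT'
```

The example leaves cipher and auth at OpenVPN's negotiated defaults rather than the thread's BF-CBC and SHA1. DHCP-proxy mode only works for clients whose TAP adapter runs a DHCP client (Windows does), which matches the poster's client.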