OpenWrt on Raspberry - WLAN Access Point route over tun0 (VPN)

Hello.

I am new to OpenWRT. I have installed it on an old Raspberry Pi 3B+ and it runs perfectly.

Because I want to use this as a VPN gateway, I have installed OpenVPN and I have got the connection to my VPN provider up and running.

Now I don't know how to route the traffic of my WLAN-Devices connected to the Raspberry through the VPN-Tunnel...
The Raspberry is connected to my FRITZBox over a LAN-Cable.
The FRITZBox has the IP address 192.168.1.1, and the OpenWRT Raspi has 192.168.1.2.
Could you help me set this thing up, please?

One way, there might be others:

In your lan dhcp config, give the clients the ip of your vpn interface since they are in the same subnet?

Have you tested by hard-setting the default gateway on your client devices (pc or phone) to use the vpn interface ip?

Edit: I misunderstood. If your Fritz box is handling dhcp it will be harder to modify what it advertises as the default gateway address - they designed their web interface to be very hard to get wrong. That also makes it quite inflexible.

Which vpn flavor are you using btw?

I am using VyprVPN.
If I connect to the Raspberry running OpenWRT over WLAN, should the traffic not be routed through the VPN and over the LAN-Port to my FritzBox and the Internet?
If I check my IP online, it isn’t my VPN-IP...

I just want to use this Raspberry as a VPN-AccessPoint.
All devices connected via WLAN should be connected over VPN to the Internet.
The Devices connected directly to the Fritzbox should connect normally...

As @Sparks noticed, you need to advertise the 192.168.1.2 as gateway. Otherwise the Fritz is not aware of the VPN tunnel and will forward everything destined to the internet upstream to the ISP.
One solution is to use static settings to the lan hosts which should use the vpn.
If all lan hosts should use the vpn, then disable the Fritz DHCP server and enable the DHCP server on OpenWrt.
I would also advise to assign the VPN interface to the WAN firewall zone.
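As an added example (not code from the thread or from OpenWrt itself): the advice above is about zone membership and forwarding for the tunnel interface, and the `uci export firewall` format posted later in this thread is easy to parse, so this script reads such an export and checks that the VPN interface sits in a zone with masquerading, MSS clamping and rejected input, and that the lan zone is forwarded into it. The embedded config is a constructed excerpt modelled on the one posted below; the checks encode what a separate VPN zone (or the stock wan zone) needs in order to carry client traffic.

```python
import shlex

# Constructed sample input, modelled on the `uci export firewall` posted later in
# this thread: a lan zone, the stock wan zone, and a separate zone for the
# VyprVPN (tun0) interface with lan forwarded into it.
SAMPLE_FIREWALL = """\
package firewall

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config zone
	option network 'VyprVPN'
	option name 'VyprVPN'
	option mtu_fix '1'
	option input 'REJECT'
	option forward 'REJECT'
	option masq '1'
	option output 'ACCEPT'

config forwarding
	option dest 'VyprVPN'
	option src 'lan'
"""


def parse_uci_export(text):
    """Parse `uci export` output into a list of section dicts."""
    sections, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("package "):
            continue
        parts = shlex.split(line)  # handles the quoted values uci emits
        if parts[0] == "config":
            cur = {"type": parts[1], "option": {}, "list": {}}
            sections.append(cur)
        elif parts[0] == "option" and cur is not None:
            cur["option"][parts[1]] = parts[2] if len(parts) > 2 else ""
        elif parts[0] == "list" and cur is not None:
            cur["list"].setdefault(parts[1], []).append(parts[2] if len(parts) > 2 else "")
    return sections


def zone_networks(zone):
    """Members may be given as `list network` entries or one space-separated `option network`."""
    return zone["list"].get("network", []) + zone["option"].get("network", "").split()


def check_vpn_zone(sections, vpn_network, client_zone="lan"):
    """Return (ok, findings) for sending `client_zone` hosts out through `vpn_network`."""
    findings = []
    zones = [s for s in sections if s["type"] == "zone"]
    owner = next((z for z in zones if vpn_network in zone_networks(z)), None)
    if owner is None:
        return False, [f"interface {vpn_network!r} is not a member of any firewall zone"]
    opts = owner["option"]
    name = opts.get("name")
    if opts.get("masq") != "1":
        findings.append(f"zone {name!r}: masq is off, so client source addresses would go up the tunnel un-NATed")
    if opts.get("mtu_fix") != "1":
        findings.append(f"zone {name!r}: mtu_fix is off; TCP MSS is not clamped to the tunnel MTU")
    if opts.get("input", "ACCEPT") not in ("REJECT", "DROP"):
        findings.append(f"zone {name!r}: unsolicited input from the tunnel side is accepted")
    fwd = [s["option"] for s in sections if s["type"] == "forwarding"]
    if not any(f.get("src") == client_zone and f.get("dest") == name for f in fwd):
        findings.append(f"no forwarding from {client_zone!r} to {name!r}")
    return not findings, findings


if __name__ == "__main__":
    ok, notes = check_vpn_zone(parse_uci_export(SAMPLE_FIREWALL), "VyprVPN")
    print("VyprVPN zone OK" if ok else "\n".join(notes))
```

On a real box you would feed it `uci export firewall` output instead of the embedded sample. Note what the zone check cannot tell you: with the tunnel down, traffic from clients that use the Pi as gateway is forwarded from lan back out to lan towards the Fritz (lan forward is ACCEPT and the default route points at 192.168.1.1), so whether packets actually take tun0 is a routing-table question, not a firewall one.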

If I change the Gateway on my iPad to 192.168.1.2 I have no more access to the internet.

Perhaps I have to add "WLAN" to my interfaces and set the routes?

I have manually added the Interface "WLAN". Now I have to set the routes? Right??
There is a LAN-Bridge between 'eth0' and 'wlan0'. Is this correct?

First of all please refrain from posting all these screenshots.
Second, the client wlan interface is not needed. The lan interface has a bridge of the eth0 and the wireless.
Verify that you allow forwarding: cat /proc/sys/net/ipv4/ip_forward
If this is 1 and it still doesn't work, post the following:

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
uci export network; uci export wireless; \
uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*

Sorry for the screenshots!

ip_forward output is 1.

Here is the output of the commands:

{
	"kernel": "4.14.209",
	"hostname": "OpenWrt",
	"model": "Raspberry Pi 3 Model B Plus Rev 1.3",
	"board_name": "raspberrypi,3-model-b-plus",
	"release": {
		"distribution": "OpenWrt",
		"version": "19.07.5",
		"revision": "r11257-5090152ae3",
		"target": "brcm2708/bcm2710",
		"description": "OpenWrt 19.07.5 r11257-5090152ae3"
	}
}
package network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd7a:c322:7f86::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0'
	option proto 'static'
	option ipaddr '192.168.1.2'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option gateway '192.168.1.1'
	list dns '8.8.8.8'

config interface 'VyprVPN'
	option ifname 'tun0'
	option proto 'none'

package wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option channel '36'
	option hwmode '11a'
	option path 'platform/soc/3f300000.mmc/mmc_host/mmc1/mmc1:0001/mmc1:0001:1'
	option htmode 'VHT80'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option key 'cleaned'
	option ssid 'VyprVPN-AccessPoint'
	option encryption 'psk2'

package dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'

config dhcp 'lan'
	option interface 'lan'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra 'server'
	option start '201'
	option limit '20'
	option ra_management '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

package firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config zone
	option network 'VyprVPN'
	option name 'VyprVPN'
	option mtu_fix '1'
	option input 'REJECT'
	option forward 'REJECT'
	option masq '1'
	option output 'ACCEPT'

config forwarding
	option dest 'VyprVPN'
	option src 'lan'

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
4: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.1.2/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 100
    inet 10.2.23.135/24 brd 10.2.23.255 scope global tun0
       valid_lft forever preferred_lft forever
0.0.0.0/1 via 10.2.23.1 dev tun0 
default via 192.168.1.1 dev br-lan 
10.2.23.0/24 dev tun0 scope link  src 10.2.23.135 
128.0.0.0/1 via 10.2.23.1 dev tun0 
128.90.96.26 via 192.168.1.1 dev br-lan 
192.168.1.0/24 dev br-lan scope link  src 192.168.1.2 
broadcast 10.2.23.0 dev tun0 table local scope link  src 10.2.23.135 
local 10.2.23.135 dev tun0 table local scope host  src 10.2.23.135 
broadcast 10.2.23.255 dev tun0 table local scope link  src 10.2.23.135 
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1 
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1 
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1 
broadcast 192.168.1.0 dev br-lan table local scope link  src 192.168.1.2 
local 192.168.1.2 dev br-lan table local scope host  src 192.168.1.2 
broadcast 192.168.1.255 dev br-lan table local scope link  src 192.168.1.2 
0:	from all lookup local 
32766:	from all lookup main 
32767:	from all lookup default 
ls: /tmp/resolv.*/*: No such file or directory
lrwxrwxrwx    1 root     root            16 Dec  6 07:31 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root            32 Dec 25 15:33 /tmp/resolv.conf
-rw-r--r--    1 root     root            35 Dec 25 15:32 /tmp/resolv.conf.auto
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf.auto <==
# Interface lan
nameserver 8.8.8.8
head: /tmp/resolv.*/*: No such file or directory

Looks right.
You have disabled the dhcp server on the Fritz, correct?
When you connect to VyprVPN-AccessPoint you are getting an IP 192.168.201-220 /24 with gateway and dns 192.168.1.2 correct?
From the OpenWrt do a traceroute 8.8.8.8; traceroute dns.google

No. The DHCP server of the Fritzbox is not disabled.
I have a home automation with Home Assistant and 35 devices connected to the Fritzbox. I am afraid that this stops working if I disable it. Is there another way without disabling the DHCP of the Fritzbox? If I set the IP manually and set the gateway to 192.168.1.2 in the devices I connect to VyprVPN-AccessPoint, I don't get an internet connection.

root@OpenWrt:~# traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 46 byte packets
 1  192.168.1.1 (192.168.1.1)  9.685 ms  2.135 ms  1.753 ms
 2  10.9.0.1 (10.9.0.1)  12.442 ms  11.920 ms  13.805 ms
 3  89.28.144.1 (89.28.144.1)  15.886 ms  13.970 ms  11.295 ms
 4  89.28.144.17 (89.28.144.17)  12.940 ms  390.590 ms  140.673 ms
 5  113.64.39.62.rev.sfr.net (62.39.64.113)  26.864 ms  29.003 ms  27.365 ms
 6  125.10.136.77.rev.sfr.net (77.136.10.125)  29.825 ms  30.231 ms  28.812 ms
 7  125.10.136.77.rev.sfr.net (77.136.10.125)  30.065 ms  29.192 ms  29.873 ms
 8  72.14.194.30 (72.14.194.30)  25.001 ms  23.974 ms  24.775 ms
 9  *  *  *
10  dns.google (8.8.8.8)  22.974 ms  22.295 ms  21.980 ms
root@OpenWrt:~#

You cannot have both dhcp servers running like that.

It is using the Fritz as gateway, make sure that the OpenVPN tunnel is up before you run the traceroute.
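The two traceroutes differ only in whether the tunnel's routes are present, and that is visible in the `ip -4 ro li tab all` output posted earlier: OpenVPN's `redirect-gateway def1` adds `0.0.0.0/1` and `128.0.0.0/1` via tun0, which are more specific than `default via 192.168.1.1` and therefore win without touching the Fritz default route, while the host route to the VPN server (`128.90.96.26 via 192.168.1.1`) keeps the tunnel itself reachable. As an added example (not code from the thread), this script replays that longest-prefix lookup over the posted routes and shows which interface a destination would leave on, with and without the tunnel routes. The route lines are the ones from the thread, embedded as a constructed sample.

```python
import ipaddress

# Constructed sample input: the main-table IPv4 routes from the `ip -4 ro li tab all`
# output posted in this thread (the 'table local' entries are omitted).
SAMPLE_ROUTES = """\
0.0.0.0/1 via 10.2.23.1 dev tun0
default via 192.168.1.1 dev br-lan
10.2.23.0/24 dev tun0 scope link  src 10.2.23.135
128.0.0.0/1 via 10.2.23.1 dev tun0
128.90.96.26 via 192.168.1.1 dev br-lan
192.168.1.0/24 dev br-lan scope link  src 192.168.1.2
"""


def parse_routes(text):
    """Parse `ip -4 route` lines into (network, via, dev) tuples.

    Entries of the 'local' table (broadcast/local) are skipped because they
    never decide where forwarded client traffic leaves the box.
    """
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] in ("broadcast", "local"):
            continue
        dst = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        net = ipaddress.ip_network(dst, strict=False)  # bare host -> /32
        via = dev = None
        for i, tok in enumerate(fields[1:], start=1):
            if tok == "via":
                via = fields[i + 1]
            elif tok == "dev":
                dev = fields[i + 1]
        routes.append((net, via, dev))
    return routes


def lookup(routes, dst):
    """Longest-prefix match, the rule the kernel applies within one table."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, via, dev in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via, dev)
    return best


def egress_dev(routes, dst):
    """Interface a packet to `dst` would leave on, or None if unroutable."""
    hit = lookup(routes, dst)
    return hit[2] if hit else None


def tunnel_owns_default(routes):
    """True when OpenVPN's 'redirect-gateway def1' pair is in place.

    def1 installs 0.0.0.0/1 and 128.0.0.0/1 through the tunnel; being more
    specific than 0.0.0.0/0 they win over the Fritz default route without
    removing it. If either half is missing, Internet traffic falls back to
    the Fritz, which is what the first traceroute in the thread showed.
    """
    halves = [r for r in routes if r[0].prefixlen == 1]
    devs = {r[2] for r in halves}
    return len(halves) == 2 and len(devs) == 1 and devs.pop().startswith("tun")


if __name__ == "__main__":
    table = parse_routes(SAMPLE_ROUTES)
    print("def1 routes present:", tunnel_owns_default(table))
    for target in ("8.8.8.8", "128.90.96.26", "192.168.1.40"):
        net, via, dev = lookup(table, target)
        print(f"{target:>14} -> {net} via {via} dev {dev}")
```

Running it against live output (`ip -4 ro li tab all | python3 this_script.py`-style piping is left out to keep the sample self-contained) answers the question asked in this post before any traceroute: if `tunnel_owns_default` is false, the Pi is forwarding client traffic straight to the Fritz and the VPN is simply not in the path.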

Okay... One more time...

root@OpenWrt:~# traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 46 byte packets
 1  *  *  *
 2  10.102.112.4 (10.102.112.4)  30.128 ms  32.578 ms  28.028 ms
 3  core1.ams.net.google.com (80.249.208.247)  28.837 ms  28.947 ms  32.599 ms
 4  108.170.241.193 (108.170.241.193)  30.900 ms  108.170.241.129 (108.170.241.129)  31.168 ms  108.170.241.225 (108.170.241.225)  29.303 ms
 5  142.250.224.133 (142.250.224.133)  29.994 ms  108.170.236.137 (108.170.236.137)  29.230 ms  108.170.237.29 (108.170.237.29)  34.751 ms
 6  dns.google (8.8.8.8)  30.415 ms  30.864 ms  30.574 ms
root@OpenWrt:~# 

Is it okay to disable the DHCP-Server on the OpenWRT-Router?
The Fritzbox is my main router so I don't want to disable it there.

Is it possible at all to connect via VPN on the OpenWRT-Router if the Fritzbox is the default gateway and both routers are on the same subnet?
On the OpenWRT I set the static IP to 192.168.1.2 and as default gateway I set the Fritzbox with 192.168.1.1

This looks better.

Yes.

Yes, you'll have to use static settings for the lan hosts which will be using the OpenWrt as gateway via the vpn.

It doesn't work. If I set the IP address on my iPad to 192.168.1.40, set the subnet to 255.255.255.0 and the gateway to 192.168.1.2, I have no internet connection. :sob:

If I am connected to the OpenWRT router and use 192.168.1.1 as gateway on my iPad I have got an internet connection, but not over the VPN...

"No internet connection" is not a diagnosis... (traceroute? nslookup?)

I've used this on many clients and it works fine...


It works!!
I simply had to set the DNS to 8.8.8.8 manually on my client hosts...

Thank you all for helping me out, especially @trendy


If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
