You have WLAN separate from LAN, yet the ip subnets are the same. If you want these to be separate, rather than bridged, then you should put WLAN on 192.168.2.1 or something similar.
Use lowercase for network names. I known that LuCI shows them in upper case but that is not how they should be.
You don't need to create a new network for your wifi AP, and really you should not. Attach it to the existing lan bridge. This is done in the wifi configuration not the network configuration.
The two simplest ways to set up the networks, which serve the large majority of uses, are the LAN device (also called dumb AP) and the routed client.
A LAN device setup has only one network: lan. It is a bridge. The lan can have a static IP or be a DHCP client. The device has no DHCP server. All DHCP requests are bridged over to the primary network. So everything is part of that network. The device needs to be connected to a primary network by Ethernet cable or WDS, not as a regular STA.
The routed client works like a standard router with stock firmware that has some LAN ports and one WAN port. It's LAN network is independent of the network supplying an Internet connection. The routed client's LAN has a DHCP server. The WAN can be connected by wire or by wifi. It is usually a DHCP client. The only use of the WAN (though it is important) is to access the Internet.
Well, it's a raspberry pi, so it has one ethernet port and one wlan interface. @darkenvy The real question is: how do you want your PI to behave?
Are you trying to make it a wifi access point? So ethernet is connected to upstream network, and wifi clients connect to the PI? If so, why do you not want to use the upstream DHCP?
Are you trying to make it a wifi router: same as above except you want a separate subnet for the wifi clients? In that case, do you want NAT between the two networks, or regular routing?
Are you trying to make it act like a regular consumer router? You could with the addition of a managed switch that handles VLANs, then you could have both ethernet clients and wifi clients, as well as an ethernet uplink to the rest of the network.
what do you want it to do? Then it's easier to tell you how to configure it.
I fear it may have been easier to tell my endgoal first :p. I desire to create a hotspot that is always connected to a VPN. Attached below is a mockup image I created.
The routed client works like a standard router with stock firmware that has some LAN ports and one WAN port. It’s LAN network is independent of the network supplying an Internet connection. The routed client’s LAN has a DHCP server. The WAN can be connected by wire or by wifi. It is usually a DHCP client. The only use of the WAN (though it is important) is to access the Internet.
This is much more ideal and what I expected default behavior to be.
Are you trying to make it a wifi router: same as above except you want a separate subnet for the wifi clients? In that case, do you want NAT between the two networks, or regular routing?
Yes separate subnet. I do believe I want NAT between the two networks (I am not entirely sure; learning) as I want a different address space and to not use the upstream dhcp server.
I'm a programmer by trade but don't do a lot of networking outside of the old dd-wrt wrt54g routers of yesteryear . Excited and intimidated by the power of openwrt. https://puu.sh/zjHxN/990644d1fe.png
If you had a regular TP-Link WDR3600 or similar, LEDE does default to being much like stock firmware. But an install on a device with one Ethernet port by default has no WAN because there is no port for it.
I would set this up as a LAN device with the Pi having its LAN in the 192.168.1 subnet. This is how the VPN client will reach the Internet and the VPN server. Setting up this way as a LAN device allows you to easily access the Pi through the regular home network.
Users of the WLAN will only have access to the VPN tunnel though. This is done by setting up another network like 'vpnuser' and connecting the wifi AP only to it. The vpnuser network has a DHCP server issuing addresses in the 2 subnet. Also another set of firewall zones and rules so those connected to the AP are forwarded only to the VPN.
Make your LEDE LAN a DHCP client and also set a hostname (it doesn't automaticaly take the hostname of the machine).
When you plug in the Ethernet cable, the Pi will become part of the regular home network. Connect wired or wifi to the regular home router and log in. If the regular home router is properly configured, you can just type pi-vpn.lan in the browser. If that does not work, log in to the regular home router and check its DHCP lease table to find the IP of your Pi. You may want to use a static address if going by name isn't working.
How is the vpnuser network to DHCP serve though? You mentioned above that "The device has no DHCP server". When I go to choose protocols, I have these options:
Is this implying that you cant just set a port to be a wan port? That it is something special at the hardware level? If not, Ide probably lock myself out of the Pi and would have to get a serial cable for terminal action.
No, you can change the use of ports however you like, but by default LEDE listens on the LAN port with WiFi turned off, for security reasons, and without the ethernet connected to the LAN port you by default have no way to connect
Set the vpnuser network to have a static address, type in the static address you want it to have. Then you'll be able to enable the DHCP server on that network.
Thats where Im at right now unfortunately . O cant get a IP address on connecting clients.
I set it up exactly as we spoke in your post: Pi3 LEDE and DHCP. No leases! - #17 by mk24
I would approach this in stages. I have a similar configuration on the TP-Link TL-MR3020 and TL-WR902AC devices -- one ethernet port and wifi (although I have used wifi for both WAN and LAN simultaneously, but that's a different story), and the TP-Link router sets up a VPN tunnel that is transparent for the devices connected to it.
Part 1: Setup as a basic WAN/LAN router configuration.
Start with a default config of LEDE/OpenWRT.
Connect via ethernet, change the configuration to enable Wifi (it will be part of your LAN interface and firewall zone). Your LAN network will already have a defined subnet (default 192.168.1.0/24 with the Pi at 192.168.1.1/24). The DHCP server is enabled by default, as is DNS forwarding through the Pi (unless you specify other DNS servers)
Connect via wifi and disconnect ethernet.
Remove the ethernet port from the LAN interface and firewall zone.
Create a WAN network interface that uses the ethernet port and assign it to the wan firewall zone (which should already exist).
IMPORTANT: your default LAN subnet will be 192.168.1.0/24 -- if your upstream router (connected to the internet) is also using that same subnet, one of them must be changed. I'd recommend changing the Pi to any other RFC1918 compliant address space (for example, 192.168.200.0/24).
Connect your Pi to your upstream router via ethernet.
Verify internet connectivity through your Pi (i.e. wifi device > Pi > main router > internet).
Step 2: Install and configure the VPN
Follow a reputable guide for installing and configuring the VPN software and client config (general guide).
Configure a firewall zone for the VPN. That zone should have forwarding from VPN > WAN enabled, and you also want LAN > VPN forwarding enabled.
Assuming that it is an OpenVPN based config, the directive redirect gateway 'def1'will force all traffic through the tunnel.
Verify that the VPN will connect properly and that you maintain internet connectivity with the VPN enabled. Run a traceroute before and after enabling the VPN so that you can verify that traffic is flowing through the tunnel.
If you want to prevent any and all internet access from the wifi clients (connecting through the Pi) if the tunnel is not up, you will remove forwarding from LAN > WAN in the firewall.
I suggest not having the Pi have a wan interface. If you keep the Pi's lan bridged to the home network lan, then you can log in to the Pi from the home network without needing a separate AP on the Pi just for administration.
Also do not forward all LAN traffic through the VPN. Set up a separate vpnuser network for the vpn users.
You will need to set up dhcp config to start a DHCP server on the vpnuser network. This is in /etc/config/dhcp if you are editing config files directly.
I think that @mk24 and I have different perspectives, so the advice you take depends in large part on your end goal and requirements.
Here's the reasoning for my approach (YMMV, of course):
Set up a travel router such that it creates a trusted WLAN for my devices, featuring:
-- known and consistent SSID/password that I control, which all of my devices can store for auto-connect (making everything else easier)
-- firewall and masquerade NAT (like many normal router configs) so that I can treat the upstream network as I would with any other WAN (especially on public networks like at cafes and hotels and the like).
-- from the perspective of the upstream network, it looks like a single device which is great for captive portals/vouchers or pay-per-device access plans when on some types of networks (NOTE: this works most of the time, but sometimes the systems work with cookies or other methods that are not fully compatible with my approach)
-- known/consistent LAN/WLAN IP scope and router address for config/admin, not at all dependent on a connection to an upstream network or its configuration for LAN/WLAN and direct router access (obviously internet doesn't work without an upstream network).
-- All of my devices can communicate with each other since I don't use wifi client isolation (some guest networks use this to help with security, but by nature, that prevents devices from direct communication when desired).
-- I have no need or desire to have the router admin accessible on its "WAN" side, so the WAN is fire-walled normally.
-- If I wanted to do all the above (and below) but be able to administer the travel router from its WAN connection (if I was setting this up hanging off a trusted network), I'd just add firewall traffic rules to allow web or ssh connections from the WAN.
From there, I add the VPN functionality. The VPN server is on my home network, and my remote (travel router) is what I bring with me when I am traveling. This allows me to encrypt my connection from the perspective of the network I am using while away from the house (i.e. the network operator and/or other guests at a hotel/cafe/etc cannot see the specifics of my usage), and it also helps with geo based issues so that I can access services just like when I'm at home (think: the Great Firewall of China or content restrictions on services like Netflix when I'm out of the country -- I'm making my connection 'originate' from my own home even when I'm away).
In my case, if the tunnel is up, I want all my LAN/WLAN traffic to exit through the VPN, and for it to be totally transparent to my devices. Optionally, I have a mode to prevent any leakage from the LAN > WAN if the tunnel is down.
So that's how mine works. I'm happy to share my implementation details if this is what you want to do.
Once I do this, I can no longer connect to the Luci panel from the wireless client. I speculate that the issue is that I cannot get this darn thing to act like a regular router. Like dlakelan mentions:
Are you trying to make it a wifi router: same as above except you want a separate subnet for the wifi clients? In that case, do you want NAT between the two networks, or regular routing?
it's strange that I can't just make a isolated wifi AP that distributes it's own addresses and doesn't route to wan. It's like this darn thing requires some other upstream.
This sounds like the path that I am aligned to. Essentially that I will be able to take this Pi, plug the wan into any internet providing source and have my own personal network.
This seems like the million dollar question. How? Is this do-able in Luci? Because I have not seen any options for DHCP serving outside of 'static' protocol. And when I do that, it simply will not give out leases.
I can get it to give out leases (ive seen it a few days ago before starting this thread) if I have static protocol setup and bridged to my upstream router. (I can get 192.168.111 ip when the upstream is also 192.168.1.1/24. And the leases are deff coming from LEDE)
Perhaps it would be a good idea to reset to default settings or even re-flash and start over.
If you're going to make a router, you need a DHCP server on the LAN, which is the default if you start with default settings. Do not connect to the home network yet. Make a wifi AP attached to LAN and you should be able to log in either by wire or by wifi. Then you can log in by wifi and re-purpose the Ethernet port as a WAN connection.
Also you cannot use the same IP subnet (e.g. 192.168.1.X) on both networks when you are routing between them.
I second this, it shouldn't be too complicated. The complicated bit is adding the VPN, but start by just getting it online with ethernet a part of WAN and only a wifi AP on LAN. Then add the VPN complication.
I'd suggest to renumber the LAN something like 10.63.33.1/24 because that's unlikely to clash with any common network you're going to connect to as you move from place to place.
. Excited and intimidated by the power of openwrt.
. O cant get a IP address on connecting clients.