Is this implying that you cant just set a port to be a wan port? That it is something special at the hardware level? If not, Ide probably lock myself out of the Pi and would have to get a serial cable for terminal action.
No, you can change the use of ports however you like, but by default LEDE listens on the LAN port with WiFi turned off, for security reasons, and without the ethernet connected to the LAN port you by default have no way to connect
Set the vpnuser network to have a static address, type in the static address you want it to have. Then you'll be able to enable the DHCP server on that network.
Thats where Im at right now unfortunately . O cant get a IP address on connecting clients.
I set it up exactly as we spoke in your post: Pi3 LEDE and DHCP. No leases!
My computer gives up and creates a self assigned IP. The dreaded 169.254.xxx.yyy
10.8.0.1 is an internal network IP address.
Only external IP addresses can be used for DNS.
I would approach this in stages. I have a similar configuration on the TP-Link TL-MR3020 and TL-WR902AC devices -- one ethernet port and wifi (although I have used wifi for both WAN and LAN simultaneously, but that's a different story), and the TP-Link router sets up a VPN tunnel that is transparent for the devices connected to it.
Part 1: Setup as a basic WAN/LAN router configuration.
Start with a default config of LEDE/OpenWRT.
Connect via ethernet, change the configuration to enable Wifi (it will be part of your LAN interface and firewall zone). Your LAN network will already have a defined subnet (default 192.168.1.0/24 with the Pi at 192.168.1.1/24). The DHCP server is enabled by default, as is DNS forwarding through the Pi (unless you specify other DNS servers)
Connect via wifi and disconnect ethernet.
Remove the ethernet port from the LAN interface and firewall zone.
Create a WAN network interface that uses the ethernet port and assign it to the wan firewall zone (which should already exist).
IMPORTANT: your default LAN subnet will be 192.168.1.0/24 -- if your upstream router (connected to the internet) is also using that same subnet, one of them must be changed. I'd recommend changing the Pi to any other RFC1918 compliant address space (for example, 192.168.200.0/24).
Connect your Pi to your upstream router via ethernet.
Verify internet connectivity through your Pi (i.e. wifi device > Pi > main router > internet).
Step 2: Install and configure the VPN
- Follow a reputable guide for installing and configuring the VPN software and client config (general guide).
- Configure a firewall zone for the VPN. That zone should have forwarding from VPN > WAN enabled, and you also want LAN > VPN forwarding enabled.
- Assuming that it is an OpenVPN based config, the directive
redirect gateway 'def1'will force all traffic through the tunnel.
- Verify that the VPN will connect properly and that you maintain internet connectivity with the VPN enabled. Run a traceroute before and after enabling the VPN so that you can verify that traffic is flowing through the tunnel.
- If you want to prevent any and all internet access from the wifi clients (connecting through the Pi) if the tunnel is not up, you will remove forwarding from LAN > WAN in the firewall.
I suggest not having the Pi have a wan interface. If you keep the Pi's lan bridged to the home network lan, then you can log in to the Pi from the home network without needing a separate AP on the Pi just for administration.
Also do not forward all LAN traffic through the VPN. Set up a separate vpnuser network for the vpn users.
You will need to set up dhcp config to start a DHCP server on the vpnuser network. This is in /etc/config/dhcp if you are editing config files directly.
I think that @mk24 and I have different perspectives, so the advice you take depends in large part on your end goal and requirements.
Here's the reasoning for my approach (YMMV, of course):
Set up a travel router such that it creates a trusted WLAN for my devices, featuring:
-- known and consistent SSID/password that I control, which all of my devices can store for auto-connect (making everything else easier)
-- firewall and masquerade NAT (like many normal router configs) so that I can treat the upstream network as I would with any other WAN (especially on public networks like at cafes and hotels and the like).
-- from the perspective of the upstream network, it looks like a single device which is great for captive portals/vouchers or pay-per-device access plans when on some types of networks (NOTE: this works most of the time, but sometimes the systems work with cookies or other methods that are not fully compatible with my approach)
-- known/consistent LAN/WLAN IP scope and router address for config/admin, not at all dependent on a connection to an upstream network or its configuration for LAN/WLAN and direct router access (obviously internet doesn't work without an upstream network).
-- All of my devices can communicate with each other since I don't use wifi client isolation (some guest networks use this to help with security, but by nature, that prevents devices from direct communication when desired).
-- I have no need or desire to have the router admin accessible on its "WAN" side, so the WAN is fire-walled normally.
-- If I wanted to do all the above (and below) but be able to administer the travel router from its WAN connection (if I was setting this up hanging off a trusted network), I'd just add firewall traffic rules to allow web or ssh connections from the WAN.
From there, I add the VPN functionality. The VPN server is on my home network, and my remote (travel router) is what I bring with me when I am traveling. This allows me to encrypt my connection from the perspective of the network I am using while away from the house (i.e. the network operator and/or other guests at a hotel/cafe/etc cannot see the specifics of my usage), and it also helps with geo based issues so that I can access services just like when I'm at home (think: the Great Firewall of China or content restrictions on services like Netflix when I'm out of the country -- I'm making my connection 'originate' from my own home even when I'm away).
In my case, if the tunnel is up, I want all my LAN/WLAN traffic to exit through the VPN, and for it to be totally transparent to my devices. Optionally, I have a mode to prevent any leakage from the LAN > WAN if the tunnel is down.
So that's how mine works. I'm happy to share my implementation details if this is what you want to do.
Once I do this, I can no longer connect to the Luci panel from the wireless client. I speculate that the issue is that I cannot get this darn thing to act like a regular router. Like dlakelan mentions:
Are you trying to make it a wifi router: same as above except you want a separate subnet for the wifi clients? In that case, do you want NAT between the two networks, or regular routing?
it's strange that I can't just make a isolated wifi AP that distributes it's own addresses and doesn't route to wan. It's like this darn thing requires some other upstream.
This sounds like the path that I am aligned to. Essentially that I will be able to take this Pi, plug the wan into any internet providing source and have my own personal network.
This seems like the million dollar question. How? Is this do-able in Luci? Because I have not seen any options for DHCP serving outside of 'static' protocol. And when I do that, it simply will not give out leases.
I can get it to give out leases (ive seen it a few days ago before starting this thread) if I have static protocol setup and bridged to my upstream router. (I can get 192.168.111 ip when the upstream is also 192.168.1.1/24. And the leases are deff coming from LEDE)
Perhaps it would be a good idea to reset to default settings or even re-flash and start over.
If you're going to make a router, you need a DHCP server on the LAN, which is the default if you start with default settings. Do not connect to the home network yet. Make a wifi AP attached to LAN and you should be able to log in either by wire or by wifi. Then you can log in by wifi and re-purpose the Ethernet port as a WAN connection.
Also you cannot use the same IP subnet (e.g. 192.168.1.X) on both networks when you are routing between them.
I second this, it shouldn't be too complicated. The complicated bit is adding the VPN, but start by just getting it online with ethernet a part of WAN and only a wifi AP on LAN. Then add the VPN complication.
I'd suggest to renumber the LAN something like 10.63.33.1/24 because that's unlikely to clash with any common network you're going to connect to as you move from place to place.
Great! So I can't really help that much with the Pi specific stuff (I don't have one, never configured a Pi with LEDE/OpenWRT), but I outlined the steps in broad strokes previously. I can help with the OpenVPN stuff once you have working router configuration.
I agree with @mk24 that the best approach is to start with the default config and not attempt to connect to an upstream network until you have the Pi setup with LAN on Wifi and WAN on ethernet, and your network address spaces for LAN are non-overlapping.
Once that is done, make a backup of your configuration so that you can easily get back to a known good state if you experience problems during the rest of the process (OpenVPN setup with a VPN network interface and firewall zone).
One problem, I am reflashing my sd card each and every time [I mess up] with the prebuilt image I found for the pi3. Unfortunately, I think that the default image may not be the best build of LEDE because it lacks the dhcp ability.
I found lede-17.01.2-brcm2708-bcm2710-rpi-3-ext4-sdcard.img here: https://downloads.lede-project.org/releases/17.01.2/targets/brcm2708/bcm2710/
UPDATE: I made a backup after initially setting up LEDE. I forgot
Cool. So my plan is to only get a wifi AP working with dhcp. tied or untied to upstream (as long as the LEDE is distributing dhcp leases and not upstream).
This is my plan moving forward atm.
Any release build should have LuCI preinstalled AND it will absolutely have DHCP already enabled (on the ethernet port). You need to make the wifi a member of the LAN network (bridge) and turn on the radio (including configuring the SSID and password), and you should get DHCP on wifi, too.
Your right. I made a backup after initially setting up LEDE. I forgot.
Im starting over now. (I updated my above post for reference)
Sweet! Im there! Im making a backup now before I move onto the vpn stuff. I must have REALLY messed up my previous config because I couldn't get things to behave.
Im getting closer...
Where can I find this setting in Luci, or which file would this go in? I see people on the internet reference this, however, this seems to be for a different configuration than in /etc/config/openvpn on LEDE. Thoughts?
UPDATE: I honestly think I have everything working! Im double and triple checking everything now.
In the meantime, let me tip you guys some doge ;). Ive put you guys through a lot when I in fact ruined my install