Using the instructions I found at PrivateInternetAccess.com: https://www.privateinternetaccess.com/helpdesk/guides/routers/lede/lede-firmware-openvpn-setup#section-7-configure-openvpn-connection
I created a virtual machine (192.168.2.1) running the latest stable OpenWRT which sits behind my home router (192.168.1.1) and have managed to connect to the PIA VPN successfully. The problem is that when the VPN is up, my VM clients on the 192.168.2.0 network stop seeing the internet.
Suggestions?
I have had this config working successfully with DD-WRT for many years but would like to make the switch to OpenWRT.
Thanks in advance,
Dan
root@OpenWrt:/etc/config# cat network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fdd1:635f:cfc1::/48'
config interface 'lan'
option type 'bridge'
option ifname 'eth0'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.2.1'
config interface 'wan'
option ifname 'eth1'
option proto 'dhcp'
option peerdns '0'
option dns '209.222.18.218 209.222.18.222'
config interface 'wan6'
option ifname 'eth1'
option proto 'dhcpv6'
config interface 'PIA_VPN'
option proto 'none'
option ifname 'eth0'
root@OpenWrt:/etc/config# cat firewall
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option mtu_fix '1'
option network 'PIA_VPN wan wan6'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
config forwarding
option dest 'wan'
option src 'lan'
config openvpn 'PIA_VPN_CONFIG'
option dev 'tun'
option nobind '1'
option verb '3'
option persist_tun '1'
option persist_key '1'
option client '1'
option auth_user_pass '/etc/openvpn/credentials.txt'
list remote 'us-east.privateinternetaccess.com'
option proto 'udp'
option resolv_retry 'infinite'
option mute_replay_warnings '1'
option tls_client '1'
option auth_nocache '1'
option remote_cert_tls 'server'
option compress 'lzo'
option enabled '1'
option auth 'SHA1'
option cipher 'AES-128-CBC'
option ca '/etc/openvpn/ca.rsa.2048.crt'
option port '1198'