I have the interface running, but traffic is either blocked or not directed via the VPN. Could somebody please advise what I need to do? I'm not experienced with firewall rules at all.

/etc/config/network:

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'
	option ula_prefix 'fd22:bbf3:283f::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.0.2'
	option gateway '192.168.0.1'
	list dns '1.1.1.1'
	list dns '8.8.8.8'
	list dns '8.8.4.4'
	list dns '192.168.0.1'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config interface 'VPN'
	option proto 'none'
	option device 'tun0'
	option auto '0'
/etc/config/firewall:

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone 'wan'
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list device 'tun+'
	list network 'wan'
	list network 'wan6'
	list network 'VPN'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled 'false'

config include
	option path '/etc/firewall.user'

config zone
	option name 'VPN'
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'DROP'
	option masq '1'
	list network 'VPN'

config forwarding
	option src 'lan'
	option dest 'wan'
You have already added the VPN interface to the wan firewall zone, so you can erase the VPN firewall zone.
Other than that, the configuration looks good.
I can see that you are using a default gateway on the lan interface. Do lan hosts use OpenWrt as the default gateway? If not, they'll be using the ISP router directly and they won't be able to use the VPN.
One solution is to disable the DHCP server on the ISP router and enable it on OpenWrt.
Another solution is to connect the OpenWrt WAN port to the ISP router, so there is proper network segregation.
@trendy I'm going to be running two routers: the ISP-provided one with no VPN and the OpenWrt one with VPN (when I can get it to work). Clients will be connecting via the respective lan/wifi to the separate routers, so I think everything should be OK? I have set the OpenWrt to the DMZ on the ISP router, so I think everything should be OK on that side?
Also, I have been messing about trying to get the VPN to work since my original post. Is everything looking OK below?
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone 'wan'
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	list device 'tun0'
	list network 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled 'false'

config include
	option path '/etc/firewall.user'

config forwarding
	option src 'lan'
	option dest 'wan'
Also, I'm seeing this in the log. Is this why I'm not seeing traffic via the VPN?
@trendy OK, so I need to stop the OpenWrt router from being a client of the ISP router? So I'm guessing that it needs to be the DHCP server?
The output from the traceroute is:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
7: wan@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.0.2/24 brd 192.168.0.255 scope global wan
       valid_lft forever preferred_lft forever
10: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.0.2/24 brd 192.168.0.255 scope global br-lan
       valid_lft forever preferred_lft forever
13: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 500
    inet 10.8.0.143/24 scope global tun0
       valid_lft forever preferred_lft forever

default via 192.168.0.1 dev wan src 192.168.0.2
10.8.0.0/24 dev tun0 scope link src 10.8.0.143
174.138.13.4 via 192.168.0.1 dev br-lan
192.168.0.0/24 dev br-lan scope link src 192.168.0.2
192.168.0.0/24 dev wan scope link src 192.168.0.2

broadcast 10.8.0.0 dev tun0 table local scope link src 10.8.0.143
local 10.8.0.143 dev tun0 table local scope host src 10.8.0.143
broadcast 10.8.0.255 dev tun0 table local scope link src 10.8.0.143
broadcast 127.0.0.0 dev lo table local scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local scope host src 127.0.0.1
local 127.0.0.1 dev lo table local scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link src 127.0.0.1
broadcast 192.168.0.0 dev br-lan table local scope link src 192.168.0.2
broadcast 192.168.0.0 dev wan table local scope link src 192.168.0.2
local 192.168.0.2 dev br-lan table local scope host src 192.168.0.2
local 192.168.0.2 dev wan table local scope host src 192.168.0.2
broadcast 192.168.0.255 dev br-lan table local scope link src 192.168.0.2
broadcast 192.168.0.255 dev wan table local scope link src 192.168.0.2

0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default

traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 38 byte packets
 1  192.168.0.1 (192.168.0.1)  0.684 ms  0.499 ms  0.489 ms
 2  * * *
 3  lag2.sr10.sabir.isp.sky.com (89.200.132.86)  8.297 ms  8.850 ms  8.043 ms
 4  02780daf.bb.sky.com (2.120.13.175)  8.195 ms  7.996 ms  8.272 ms
 5  one.one.one.one (1.1.1.1)  8.008 ms  7.799 ms  8.459 ms
Adding VPN to a dumb AP means that you will need to start routing between the VPN users and the VPN tunnel. If you leave VPN users on the LAN which is connected to the upstream network, they will continue to bridge to the upstream router, and since it doesn't know about any VPN, they go directly to the Internet.
There are two ways to do this. The simplest one is to maintain the default lan-->wan routing setup, as if the router were connected directly to the ISP even though it is not. When the conventional VPN client setup is implemented, the VPN will take over the route from the LAN to the Internet and send LAN users via VPN instead.
A more complicated way is to make a network for VPN users, like a guest network. It would have its own separate IP range, DHCP server, and firewall zone. This network forwards to a vpntunnel zone containing the VPN tunnel. NAT must be enabled on this destination zone. The advantage of this setup is an inherent "kill switch" functionality: if the VPN fails, the VPN users have no Internet instead of (unknowingly) a raw connection.
Also, since a VPN client makes a regular outgoing connection to the server, there is no need to open ports or DMZ on the main router.
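As an added example, not part of the thread and not OpenWrt's own tooling, the script below parses the text format of /etc/config/firewall and checks the two points the replies make: a network attached to more than one zone (the VPN interface sitting in both the wan zone and its own VPN zone in the first post), and whether a client zone has a real "kill switch", meaning it can only ever be forwarded into a zone that holds nothing but the tunnel, with NAT enabled there. POSTED_V1 is trimmed from the zones in the first post; CONSTRUCTED is a made-up vpnusers -> vpntunnel layout in the shape the last reply describes (the zone names and TUNNEL_MEMBERS are assumptions, not taken from the thread).

```python
"""Check an OpenWrt UCI firewall config for zone overlap and VPN kill-switch
behaviour. Added example: parses the /etc/config/firewall text format only;
it does not call the real `uci` CLI or fw4."""
import shlex
from collections import defaultdict

# Names treated as "the tunnel itself" (assumption): the 'VPN' interface from
# the thread plus the tun0 / tun+ device forms used in its firewall zones.
TUNNEL_MEMBERS = {"VPN", "tun0", "tun+"}

# Trimmed from the first post's zones: 'VPN' is in two zones, and lan forwards
# to a wan zone that also holds the raw wan/wan6 networks (no kill switch).
POSTED_V1 = """
config zone 'lan'
    option name 'lan'
    list network 'lan'
config zone 'wan'
    option name 'wan'
    option masq '1'
    list device 'tun+'
    list network 'wan'
    list network 'wan6'
    list network 'VPN'
config zone
    option name 'VPN'
    option masq '1'
    list network 'VPN'
config forwarding
    option src 'lan'
    option dest 'wan'
"""

# Constructed: a guest-style client zone that can only reach the tunnel zone.
CONSTRUCTED = """
config zone
    option name 'vpnusers'
    option forward 'REJECT'
    list network 'vpnusers'
config zone
    option name 'vpntunnel'
    option masq '1'
    list network 'VPN'
config forwarding
    option src 'vpnusers'
    option dest 'vpntunnel'
"""


def parse_uci(text):
    """Parse UCI text into sections {'type', 'name', 'opts'}; 'opts' maps a key
    to a list of values so 'option' and 'list' lines are handled alike."""
    sections = []
    for raw in text.splitlines():
        parts = shlex.split(raw, comments=True)  # strips quotes and '#' comments
        if not parts:
            continue
        if parts[0] == "config":
            sections.append({"type": parts[1],
                             "name": parts[2] if len(parts) > 2 else None,
                             "opts": defaultdict(list)})
        elif parts[0] in ("option", "list") and sections:
            sections[-1]["opts"][parts[1]].append(parts[2] if len(parts) > 2 else "")
    return sections


def zones(sections):
    """Zone name -> its networks, all members (networks + devices) and masq flag."""
    out = {}
    for s in sections:
        if s["type"] != "zone":
            continue
        name = s["opts"]["name"][0] if s["opts"]["name"] else s["name"]
        nets = set(s["opts"]["network"])
        out[name] = {"networks": nets,
                     "members": nets | set(s["opts"]["device"]),
                     "masq": s["opts"]["masq"][:1] == ["1"]}
    return out


def forwardings(sections):
    """Set of (src_zone, dest_zone) pairs from 'config forwarding' sections."""
    return {(s["opts"]["src"][0], s["opts"]["dest"][0])
            for s in sections if s["type"] == "forwarding"}


def overlapping_networks(z):
    """Networks attached to more than one zone (the first reply's point)."""
    owners = defaultdict(set)
    for zone, info in z.items():
        for net in info["networks"]:
            owners[net].add(zone)
    return {net: sorted(o) for net, o in owners.items() if len(o) > 1}


def kill_switch(z, fwd, src_zone, tunnel=TUNNEL_MEMBERS):
    """True when every zone src_zone forwards to holds only tunnel members, so a
    tunnel outage leaves clients with no path rather than a raw WAN path."""
    dests = [d for s, d in fwd if s == src_zone and d in z]
    if not dests:
        return False  # nothing forwarded at all: not a working VPN layout either
    return all(not (z[d]["members"] - tunnel) for d in dests)


def tunnel_zones_without_masq(z, tunnel=TUNNEL_MEMBERS):
    """Zones holding the tunnel but not NATing onto it (the last reply requires NAT)."""
    return sorted(n for n, i in z.items() if i["members"] & tunnel and not i["masq"])


def check(text, src_zone):
    """Run all checks on one config text and return the findings."""
    sections = parse_uci(text)
    z = zones(sections)
    return {"overlapping": overlapping_networks(z),
            "kill_switch": kill_switch(z, forwardings(sections), src_zone),
            "no_masq": tunnel_zones_without_masq(z)}


if __name__ == "__main__":
    print("posted:     ", check(POSTED_V1, "lan"))
    print("constructed:", check(CONSTRUCTED, "vpnusers"))
```

On the posted layout the checker reports the VPN network in both the wan and VPN zones and no kill switch, because the lan zone forwards into a zone that still contains the raw wan and wan6 networks; on the constructed layout it reports a kill switch, and it flags the vpntunnel zone if masq is turned off there.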