ProtonVPN "Lan Connections" on WRT Lan

Hi All,

First post from a novice :grin:

Just installed openwrt on my two COVR-X1860 devices in the past week. I'm using wpad-mesh-openssl for wireless backhaul. Both nodes have the same SSID and password.

Not having any issues other than a feature in the Proton VPN android app not working when connected to the wifi through the openwrt network. On a separate network it works fine.

I want to have the function enabled to interact with the various smart home devices I have on the LAN without using split tunnelling - if I could split tunnel a range of IPs in the proton app that would work but unfortunately that is not the case.

Not sure what other details I can give, but if someone could point me in the right direction I would be really appreciative!

Please post output of

ubus call system board

@brada4 sure and thanks

> root@ThePromisedLanRouter:~# ubus call system board
> {
>         "kernel": "5.15.150",
>         "hostname": "ThePromisedLanRouter",
>         "system": "MediaTek MT7621 ver:1 eco:3",
>         "model": "D-Link COVR-X1860 A1",
>         "board_name": "dlink,covr-x1860-a1",
>         "rootfs_type": "squashfs",
>         "release": {
>                 "distribution": "OpenWrt",
>                 "version": "23.05.3",
>                 "revision": "r23809-234f1a2efa",
>                 "target": "ramips/mt7621",
>                 "description": "OpenWrt 23.05.3 r23809-234f1a2efa"
>         }
> }

Please post

cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/firewall

outputs, removing all MAC addresses, passwords and public IP addresses (but leave the rest of the lines with values removed intact).

ProtonVPN should be working fine whenever you see "internet access" working.

Thanks

root@ThePromisedLanRouter:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdef:e222:25ef::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'ethernet'
        option ipv6 '0'

config device
        option name 'ethernet'
        option macaddr ''
        option ipv6 '0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '10.0.0.1'
        option netmask '255.0.0.0'
        option ip6assign '60'
        option delegate '0'

config device
        option name 'internet'
        option macaddr ''

config interface 'wan'
        option device 'internet'
        option proto 'pppoe'
        option username ''
        option password ''
        option ipv6 'auto'
        option peerdns '0'
        list dns '1.1.1.1'

config interface 'wan6'
        option device 'internet'
        option proto 'dhcpv6'

root@ThePromisedLanRouter:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
        option channel '1'
        option band '2g'
        option htmode 'HE40'
        option cell_density '0'
        option txpower '20'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid ''
        option encryption 'sae-mixed'
        option key ''
        option disabled '1'

config wifi-device 'radio1'
        option type 'mac80211'
        option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0+1'
        option channel '40'
        option band '5g'
        option htmode 'HE80'
        option cell_density '0'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid ''
        option encryption 'sae-mixed'
        option key ''
        option dtim_period '2'
        option ieee80211r '1'
        option mobility_domain '4f57'
        option ft_over_ds '0'

config wifi-iface 'wifinet2'
        option device 'radio1'
        option mode 'mesh'
        option encryption 'sae'
        option mesh_id 'lanmesh'
        option mesh_fwding '1'
        option mesh_rssi_threshold '0'
        option key ''
        option network 'lan'

config wifi-iface 'wifinet3'
        option device 'radio0'
        option mode 'ap'
        option ssid ''
        option encryption 'psk2'
        option key ''
        option network 'lan'

root@ThePromisedLanRouter:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config forwarding
        option src 'lan'
        option dest 'wan'

config zone
        option name 'LanLan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        option family 'ipv4'

config forwarding
        option src 'LanLan'
        option dest 'lan'

config forwarding
        option src 'lan'
        option dest 'LanLan'

root@ThePromisedLanRouter:~#

If anyone else is experiencing a similar issue:

The problem was that my local network (LAN) was using the 10.0.0.x IP range, which conflicted with Proton's use of the same range. This caused an IP conflict between my LAN and the "Proton LAN."

Changing my LAN range to 172.16.0.x fixed the issue with the Proton "LAN connections" feature in the Proton app.
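The address conflict described in the post above can be checked directly, as in this added example (not part of the original thread). The function names are hypothetical, and the VPN ranges and the 172.16.0.1 netmask are assumed sample values; only the 10.0.0.1 / 255.0.0.0 LAN comes from the posted config.

```shell
#!/bin/sh
# Added example (not from the thread): does the LAN subnet collide with a
# VPN tunnel range? Plain POSIX sh, so it also runs in OpenWrt's ash.

# Dotted-quad IPv4 address -> 32-bit integer.
ip2int() {
    _ifs=$IFS; IFS=.
    set -- $1            # split the address on dots
    IFS=$_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# overlaps LAN_IP LAN_NETMASK VPN_CIDR -> exit status 0 when the two overlap.
# Two CIDR blocks overlap exactly when they agree on the bits covered by the
# shorter of the two masks, which is the AND of both masks.
overlaps() {
    _lan=$(ip2int "$1")
    _lmask=$(ip2int "$2")
    _vnet=$(ip2int "${3%/*}")
    _plen=${3#*/}
    _vmask=$(( (0xFFFFFFFF << (32 - _plen)) & 0xFFFFFFFF ))
    _common=$(( _lmask & _vmask ))
    [ $(( _lan & _common )) -eq $(( _vnet & _common )) ]
}

# Print a one-line verdict for a LAN address/netmask against one VPN range.
check_lan() {
    if overlaps "$1" "$2" "$3"; then
        echo "CONFLICT: LAN $1/$2 overlaps VPN range $3"
    else
        echo "ok: LAN $1/$2 does not overlap VPN range $3"
    fi
}

# Constructed sample values. 10.0.0.1 / 255.0.0.0 is the LAN from the posted
# /etc/config/network; the 172.16.0.1 netmask and both VPN ranges are assumed.
check_lan 10.0.0.1   255.0.0.0     10.0.0.0/24
check_lan 10.0.0.1   255.0.0.0     10.2.0.0/16   # a /8 LAN covers every 10.x range
check_lan 172.16.0.1 255.255.255.0 10.2.0.0/16

# On the router, feed it the live values:
#   check_lan "$(uci get network.lan.ipaddr)" "$(uci get network.lan.netmask)" <vpn-cidr>
```

With the posted netmask of 255.0.0.0 the LAN is the whole 10.0.0.0/8 block, so it collides with any tunnel range inside 10.x, not just 10.0.0.x.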
