ProtonVPN profile that is only active on a few SSIDs?

I have recently installed OpenWrt on my TP-Link AC1750 v5. I have downloaded an OpenVPN profile from ProtonVPN and noted my OpenVPN username and password (not my ProtonVPN login).

I have followed the guide on how to set up the ProtonVPN profile. I have imported the .ovpn file, added a .auth file path to the profile, and created the auth file with my username and password through LuCI.

Where I deviated from ProtonVPN's guide is that I don't want all my traffic to go through the VPN. Instead I want users to be able to switch to a different SSID to use the VPN.

So I created an interface called VPNUS. The protocol is set to unmanaged and the device is set to tun0, which was created when I started the VPN. I set "Use custom DNS" to 10.2.0.1, which is the server provided in the ProtonVPN guide, and I have "Use default gateway" checked. Under firewall settings I created a new firewall zone called VPN. Under DHCP settings it just says "Set up DHCP server".

Next, under Network > Wireless, I created a new wireless interface on 5 GHz called MY-SSID-VPN-US. It is set up as an access point, the network is vpnus, and I set a passphrase.

Finally, under Network > Firewall, I edited the new VPN zone to accept input, accept output, and reject forwarding. I checked Masquerading and MSS Clamping, set covered networks to VPNUS, and allowed forwarding to destination lan and wan/wan6 as well as forwarding from lan, because I want devices that are using the VPN to still be able to communicate with the LAN devices that aren't using it.

Then I downloaded vpn-policy-routing and set that up.

Here are the config files I thought relevant:

/etc/config/openvpn:

config openvpn 'ProtonVPNUS'
        option config '/etc/openvpn/ProtonVPNUS.ovpn'
        option enabled '1'

/etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd50:f930:8af1::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.0.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        list dns '192.168.0.11'
        list dns '10.64.187.1'

config device
        option name 'eth0.2'
        option macaddr 'REDACTED'

config interface 'wan'
        option device 'eth0.2'
        option proto 'dhcp'
        option peerdns '0'

config interface 'wan6'
        option device 'eth0.2'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'
        option peerdns '0'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0t 2 3 4 5'
        option vid '1'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0t 1'
        option vid '2'

config interface 'IoT'
        option proto 'static'
        option ipaddr '10.20.30.1'
        option netmask '255.255.255.0'

config interface 'vpnus'
        option proto 'none'
        option device 'tun0'
        list dns '10.2.0.1'
        option type 'bridge'

/etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'PiVPN'
        option src 'wan'
        option src_dport '51820'
        option dest_ip '192.168.0.11'
        option dest_port '51820'

config zone
        option name 'IoT'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'IoT'

config forwarding
        option src 'lan'
        option dest 'IoT'

config forwarding
        option src 'IoT'
        option dest 'wan'

config zone
        option name 'VPN'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list device 'tun0'
        list device 'phy0-ap1'
        list device 'phy1-ap2'
        list network 'vpnus'

config include 'pbr'
        option fw4_compatible '1'
        option type 'script'
        option path '/usr/share/pbr/pbr.firewall.include'

config forwarding
        option src 'VPN'
        option dest 'lan'

config forwarding
        option src 'lan'
        option dest 'VPN'

config forwarding
        option src 'VPN'
        option dest 'wan'

/etc/config/pbr

config pbr 'config'
        option enabled '1'
        option verbosity '2'
        option strict_enforcement '1'
        option resolver_set 'none'
        option ipv6_enabled '0'
        option dnsmasq_enabled '1'
        list ignored_interface 'vpnserver'
        list ignored_interface 'wgserver'
        option boot_timeout '30'
        option rule_create_option 'add'
        option procd_reload_delay '1'
        option webui_show_ignore_target '0'
        option webui_chain_column '1'
        option webui_sorting '1'
        list webui_supported_protocol 'all'
        list webui_supported_protocol 'tcp'
        list webui_supported_protocol 'udp'
        list webui_supported_protocol 'tcp udp'
        list webui_supported_protocol 'icmp'
        list webui_supported_interface 'VPNUS'
        list supported_interface 'tun*'

config include
        option path '/usr/share/pbr/pbr.user.aws'
        option enabled '0'

config include
        option path '/usr/share/pbr/pbr.user.netflix'
        option enabled '0'

config policy
        option name 'Plex/Emby Local Server'
        option interface 'wan'
        option src_port '8096 8920 32400'
        option enabled '0'

config policy
        option name 'Plex/Emby Remote Servers'
        option interface 'wan'
        option dest_addr 'plex.tv my.plexapp.com emby.media app.emby.media tv.emby.media'
        option enabled '0'

config policy
        option name 'vpn us traffic'
        option interface 'vpnus'
        option src_addr '192.168.1.0/24'

When I connect to MY-SSID-VPN-US I can enter my password, and then it tries to obtain an IP address and never does. So I manually set one and it connects, but has no internet access.

So my questions are:

  1. Is there anything shown above that would stop a client from obtaining an IP? I assumed the VPN would handle this instead of a local DHCP server.

  2. Is there anything shown above that would prevent me from having internet access? Maybe a misconfigured firewall?

  3. Is PBR necessary for a VPN to work?

  4. If all else fails, is there a way to check over SSH whether the connection to ProtonVPN is actually established? I see that tun0 is set up and it is shown in LuCI under VPN as started and enabled, but I have no confirmation that I'm actually connected to ProtonVPN.

Create a guest wifi:
https://openwrt.org/docs/guide-user/network/wifi/guestwifi/configuration_webinterface

Set up your VPN tunnel in the normal way, but add to the OpenVPN config:

redirect-private def1
pull-filter ignore "redirect-gateway"

Use policy-based routing to set the guest interface to use the VPN.

Remove the following things:

and

You can keep the list dns; it does not hurt, but it does not do what you expect.

Furthermore, set input to REJECT.
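The thread's question 4 (how to confirm over SSH that the tunnel is really established) is not answered above, and the pull-filter line in this reply only helps if it actually took effect. Below is an added example, not code from the thread, from OpenWrt or from the pbr project: a POSIX shell script that checks the four things that have to be true for "VPN on one SSID only" to work. Each check parses command output handed to it as a string, so it also runs offline against the constructed samples it carries (the addresses are documentation ranges and the routing table id 111 is arbitrary); on the router, `--live` feeds it the real output of `logread`, `ip addr` and `ip route`. It assumes the tunnel device is named tun0.

```shell
#!/bin/sh
# Added example (not from the thread, OpenWrt or the pbr package): checks
# that answer "is the tunnel really up, and is it carrying only the traffic
# I meant?" Each check parses command output handed to it as a string, so it
# can be exercised offline against the constructed samples below; "--live"
# runs the real commands on the router. Assumes BusyBox sh, logread and ip,
# and that the tunnel device is tun0 (override with TUN=...).

TUN="${TUN:-tun0}"

# Check 1: OpenVPN prints this line only after the TLS handshake, the
# push/pull exchange and tun setup all succeeded. A service that LuCI
# shows as "started" but never logs it is reconnecting, not connected.
openvpn_completed() {            # $1 = output of `logread -e openvpn`
    printf '%s\n' "$1" | grep -q 'Initialization Sequence Completed'
}

# Check 2: the tunnel device exists and has an IPv4 address
# (subnet topology "inet a.b.c.d/nn" or net30 "inet a.b.c.d peer ...").
tun_has_addr() {                 # $1 = output of `ip -4 addr show <dev>`
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*inet [0-9.]+(/[0-9]+| peer )'
}

# Check 3: the main table must not route the whole internet into the tunnel.
# redirect-gateway def1 does this with two half-routes (0.0.0.0/1 and
# 128.0.0.0/1) rather than replacing "default", so look for all three.
# If this fails, "pull-filter ignore redirect-gateway" did not take effect
# and every client, not just the VPN SSID, exits via the VPN.
main_default_not_tun() {         # $1 = output of `ip -4 route show`, $2 = dev
    ! printf '%s\n' "$1" |
        grep -Eq '^(default|0\.0\.0\.0/1|128\.0\.0\.0/1) .*dev '"$2"'( |$)'
}

# Check 4: some non-main table (the one pbr populates) does have a default
# route through the tunnel; `ip route show table all` tags such lines with
# "table <id>". Without it, policy-routed clients have no route at all.
pbr_default_via_tun() {          # $1 = output of `ip -4 route show table all`, $2 = dev
    printf '%s\n' "$1" | grep -E '^default .*dev '"$2"'( |$)' | grep -q ' table '
}

report() {                       # $1 = label, $2 = exit status of the check
    if [ "$2" -eq 0 ]; then printf 'ok    %s\n' "$1"
    else printf 'FAIL  %s\n' "$1"; rc=1; fi
}

# Runs every check, prints one line each, returns 0 only if all pass.
vpn_status_report() {            # $1 log, $2 addr, $3 main table, $4 all tables, $5 dev
    rc=0
    openvpn_completed "$1";          report 'openvpn: Initialization Sequence Completed' $?
    tun_has_addr "$2";               report "$5: has an IPv4 address" $?
    main_default_not_tun "$3" "$5";  report 'main table: default route still via WAN' $?
    pbr_default_via_tun "$4" "$5";   report 'policy table: default route via tunnel' $?
    return $rc
}

# Constructed samples (not captured from a real router). Addresses are
# documentation ranges; table id 111 is arbitrary.
SAMPLE_LOG_OK='openvpn(ProtonVPNUS)[1234]: Peer Connection Initiated with [AF_INET]203.0.113.10:1194
openvpn(ProtonVPNUS)[1234]: TUN/TAP device tun0 opened
openvpn(ProtonVPNUS)[1234]: Initialization Sequence Completed'
SAMPLE_LOG_AUTH_FAIL='openvpn(ProtonVPNUS)[1234]: AUTH: Received control message: AUTH_FAILED
openvpn(ProtonVPNUS)[1234]: SIGUSR1[soft,auth-failure] received, process restarting'
SAMPLE_TUN_ADDR='7: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 state UNKNOWN
    inet 10.2.0.2/16 scope global tun0'
SAMPLE_TUN_DOWN='Device "tun0" does not exist.'
SAMPLE_MAIN_OK='default via 198.51.100.1 dev eth0.2 proto dhcp src 198.51.100.23
10.2.0.0/16 dev tun0 proto kernel scope link src 10.2.0.2
192.168.0.0/24 dev br-lan proto kernel scope link src 192.168.0.1'
SAMPLE_MAIN_HIJACKED='0.0.0.0/1 via 10.2.0.1 dev tun0
default via 198.51.100.1 dev eth0.2 proto dhcp src 198.51.100.23
128.0.0.0/1 via 10.2.0.1 dev tun0'
SAMPLE_ALL_TABLES="$SAMPLE_MAIN_OK
default via 10.2.0.1 dev tun0 table 111"

if [ "${1:-}" = "--live" ]; then
    vpn_status_report "$(logread -e openvpn)" "$(ip -4 addr show "$TUN" 2>&1)" \
        "$(ip -4 route show)" "$(ip -4 route show table all)" "$TUN"
else
    vpn_status_report "$SAMPLE_LOG_OK" "$SAMPLE_TUN_ADDR" "$SAMPLE_MAIN_OK" "$SAMPLE_ALL_TABLES" tun0
fi
```

Copy it to the router and run `sh vpncheck.sh --live`; without `--live` it only exercises the built-in samples. Reading the results: check 1 failing together with AUTH_FAILED in `logread -e openvpn` points at the .auth file, not the firewall; check 3 failing means the redirect-gateway push was accepted and the whole LAN is already on the VPN; check 4 failing means pbr has not installed a route for the policy interface, which is what leaves a client on the VPN SSID with an address but no internet.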

I tried this but still can't make it work. Can you explain what some of these options are doing?

1.) What is the difference between creating the guest network like you linked and me creating a separate wireless interface for the VPN?

2.) Why should VPN zone have input as REJECT?

A guest wifi is a separate wireless interface :)

For the same reason it is set to REJECT on the WAN zone: you do not want your router exposed in a (potentially) hostile environment.

I'm trying to set up the same thing here: WiFi connected, but it says "no internet access".

So far have not succeeded, but will report when I do.

@qounterclock, if you post your problem and settings in your own thread, we are more than willing to have a look :)

Nah, it's fine, I'm just studying the pbr-app documentation. I'll ask if I feel stuck. Thank you :) You were very helpful yesterday.
