Raspberry Pi as a Wi-Fi router

Hello all!
I've been struggling with the same problem for 3 days now.
I need to set up the Raspberry Pi so that it acts as a VPN Wi-Fi router for the Wi-Fi clients connected to it, while the Raspberry Pi itself is connected to the router via a LAN cable. Please help, my brain is completely fried already.
Now I have broken everything so much that I can’t even enter the web interface of the router
Configs:

Those screenshots don't really say anything useful; the settings can be correct or incorrect.

question is, what does, and doesn't work ?

btw, the built-in wifi of the RPi is pretty shitty.

Miraculously, I restored the web interface. Configs below.
Internet works without vpn enabled
WiFi works
Internet does not work with vpn enabled


# Network definitions (UCI syntax): loopback, the bridged LAN that serves the
# Wi-Fi clients, an unmanaged interface for the OpenVPN tunnel device, and the
# DHCP uplink towards the main router.
# NOTE(review): this file mixes "option device" (loopback, openvpn) with
# "option ifname" / "option type 'bridge'" (lan, wan); confirm which of the two
# syntaxes the installed OpenWrt release expects.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd3f:f44a:dbcc::/48'

config interface 'lan'
	option force_link '1'
	option type 'bridge'
	option proto 'static'
	option ifname 'eth1'
	# NOTE(review): the thread gives the main router as 192.168.1.1. If wan
	# (DHCP, below) also receives a 192.168.1.0/24 address, lan and wan share
	# one subnet and routing/NAT between them is ambiguous. Use a distinct
	# private subnet for lan.
	option ipaddr '192.168.1.15'
	option netmask '255.255.255.0'
	# Fixed public resolver. Whether these queries travel inside the tunnel
	# depends on the routes the VPN installs; with the tunnel down they leave
	# in the clear via wan. Verify for DNS leaks once the VPN works.
	list dns '1.1.1.1'

# Unmanaged interface (proto 'none') that only gives the tunnel device tun0 a
# network name the firewall zones can refer to.
config interface 'openvpn'
	option proto 'none'
	option device 'tun0'

config interface 'wan'
	option ifname 'eth0'
	option proto 'dhcp'
	# DNS servers announced by the upstream DHCP server are ignored.
	option peerdns '0'



# Firewall defaults and the lan / wan zones.
config defaults
	# NOTE(review): these defaults presumably apply to traffic on interfaces
	# that belong to no zone; with input ACCEPT, router services would be
	# reachable there. Consider REJECT once every interface is in a zone.
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

# Wi-Fi/LAN clients: full access to the router and between each other.
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list device 'br-lan'
	list network 'lan'


# Uplink towards the main router.
# NOTE(review): this zone has no "option masq '1'", so traffic forwarded
# lan -> wan is not source-NATed here. Confirm that is intended.
config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'wan'
	list device 'eth0'
	# NOTE(review): tun0 is also a member of the 'ovpn' zone defined further
	# down. A device should belong to exactly one zone. If the rules of this
	# zone win, tunnel traffic gets no masquerading, which is a likely reason
	# why clients lose connectivity when the VPN starts. Remove tun0 from one
	# of the two zones (presumably from this one).
	list device 'tun0'

# Traffic rules for packets arriving from the 'wan' zone. The names appear to
# be those of a stock OpenWrt firewall config; none of them refers to the VPN.
# Because tun0 is currently also listed in the wan zone, these rules may apply
# to traffic arriving through the tunnel as well (confirm after fixing the
# zone membership).

# DHCPv4 replies to the router's own DHCP client on wan.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

# The router answers IPv4 ping from the wan side.
config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

# ICMPv6 addressed to the router itself, rate-limited.
config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# ICMPv6 forwarded from wan to any zone (dest '*'), rate-limited.
config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# NOTE(review): the next two rules forward IPsec (ESP and UDP/500) from wan
# into lan. Nothing in this setup describes an IPsec endpoint behind the
# router; if none exists, disable or delete both rules so that wan -> lan
# stays closed.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# Present but switched off (enabled 'false').
config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled 'false'

# Custom firewall script loaded in addition to this file.
# NOTE(review): its contents are not shown. Rules added there can override the
# zone policy, so review it together with this config.
config include
	option path '/etc/firewall.user'

# Zone for the OpenVPN tunnel: traffic leaving through tun0 is masqueraded
# (masq '1') and gets MSS clamping (mtu_fix '1'); unsolicited traffic arriving
# from the tunnel is rejected for both input and forward.
config zone
	option name 'ovpn'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	list network 'openvpn'
	# NOTE(review): tun0 is listed in the 'wan' zone as well; it should be a
	# member of this zone only, otherwise masq/mtu_fix above may never apply.
	list device 'tun0'
	option input 'REJECT'
	option forward 'REJECT'

# DNAT redirects applied to traffic entering from the lan zone.

# Every new TCP connection (--syn) from lan whose destination is not a local
# or broadcast address is redirected to port 9040. No dest_ip is set, so the
# target is presumably the router itself.
# NOTE(review): 9040 is the port conventionally used by Tor's transparent
# proxy, so this looks like a leftover from a Tor setup. While it is active,
# client TCP traffic is handed to whatever listens on that port and is not
# forwarded into the VPN tunnel. Remove it if only OpenVPN is wanted.
config redirect 'tcp_int'
	option name 'Intercept-TCP'
	option src 'lan'
	option dest_port '9040'
	option proto 'tcp'
	option extra '--syn -m addrtype ! --dst-type LOCAL,BROADCAST'
	option target 'DNAT'

# Redirects client DNS (TCP and UDP port 53) entering from lan; with no
# dest_ip/dest_port the target is presumably the router's own resolver on
# port 53. This keeps clients from using a resolver of their choice; the
# resolver's upstream path still has to be checked for DNS leaks.
config redirect 'dns_int'
	option name 'Intercept-DNS'
	option src 'lan'
	option src_dport '53'
	option proto 'tcp udp'
	option target 'DNAT'

# Inter-zone forwarding policy.

# NOTE(review): lets lan clients leave directly through the uplink. With this
# in place, client traffic can fall back to the plain wan path whenever the
# tunnel is down, so there is no kill switch. For a kill switch, remove this
# section so that lan may only forward into 'ovpn'.
config forwarding
	option src 'lan'
	option dest 'wan'

# NOTE(review): allows traffic arriving from the tunnel to be forwarded out of
# wan. A VPN client setup normally does not need this; confirm and remove.
config forwarding
	option src 'ovpn'
	option dest 'wan'

# The path the VPN Wi-Fi is meant to use: lan clients out through the tunnel.
config forwarding
	option src 'lan'
	option dest 'ovpn'


from where ?

At the same time, the vpn config itself works fine in the openvpn client on Windows

from the central router. 192.168.1.1

and did you put the rpi/VPN as the default gw in the main router ?

or are you bouncing and forwarding all outgoing traffic in its fw ?

The central router is essentially an external network. It should only pass traffic through itself.

but it shouldn't (VPN tunnel excluded), if all traffic's supposed to be VPNed ?

In fact there is a head router. It provides a "white" (non-VPN) Wi-Fi network, and there is the RPi, which should provide Wi-Fi with the VPN enabled. I need a way to implement this.

lets start over.

does the Rpi/internet work, via your RPi, if the VPN isn't enabled ?

i.e. there should be 2 networks
main router - white lan, white wifi
main router - rpi - vpn wifi
Rpi is connected to the main router

yes, ping 8.8.8.8 is good

from the router itself ?
and the clients too ?

yes, on the wifi works too, but when I click "start" in the vpn-openvpn tab of the vpn network, the Internet disappears

how is this supposed to work ?
you manually have the clients switch wifi between the plain, and the VPNed ?

yes, it is two different wireless networks

you should probably start by switching the LAN subnet on your RPi, to something else than 192.168.1
and move the LAN port to the wan zone, to make it a proper router.
make sure internet access still works afterwards, then read Raspberry Pi Access Point VPN

At the same time, I will definitely still need to enable a kill switch.

could you help me with reassembly of all configs? Many thanks in advance