Raspberry Pi as a Wi-Fi router

yes, ping 8.8.8.8 is good

from the router itself ?
and the clients too ?

yes, on the wifi works too, but when I click "start" in the vpn-openvpn tab of the vpn network, the Internet disappears

how is this supposed to work ?
you manually have the clients switch wifi between the plain, and the VPNed ?

yes, it is two different wireless networks

you should probably start by switching the LAN subnet on your RPi to something other than 192.168.1
and move the LAN port to the wan zone, to make it a proper router.
make sure internet access still works afterwards, then read Raspberry Pi Access Point VPN

at the same time, I will still necessarily need to turn on the kill switch.

could you help me with reassembly of all configs? Many thanks in advance

do you by any chance have two LAN ports on the RPi ?

one default port

that is, do I need to assign eth0 to both the lan and wan interfaces?

There's config in there for two.

Swap eth1 and eth0 in the config above.

no internet access

Post ifconfig output.

If you only have one port it needs to be only in wan and connect to the main router.

Then you should open ports 22 and 80 TCP so you can use ssh and http respectively to log into the Pi from the main "white" network, which is on the wan side so normally it is firewalled. Or you can use the wifi AP on lan, which will eventually route to the VPN server but with the default firewall you can also use it to log into the router. What you can't do is put a single Ethernet port in both networks.

If your house "white" network uses IPs of the form 192.168.1.X you need to change the LAN to a different range so there is no conflict and proper routing can work.

Create a firewall zone for the vpn using list device tun0. You don't need to declare a network for the vpn within OpenWrt since the OpenVPN application will take care of creating the device and setting its IP. The vpn zone needs masquerading turned on. Then have a forward rule from lan to vpn.

Note that if you don't have a forward rule from lan to wan (only from lan to vpn), "kill switch" functionality is inherent. If the VPN is down the LAN users have no other path to the Internet.

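As an added example (not from this thread or the OpenWrt project), a small POSIX shell script that writes the vpn zone and the single lan-to-vpn forwarding described in the reply above into a scratch file, then checks the "kill switch" property by parsing the forwarding sections: the check fails as soon as a lan-to-wan forwarding appears. The zone names lan/wan/vpn, the scratch path and the zone policies are assumptions.

```shell
# Added example: build the VPN-only firewall stanzas and verify there is no
# lan -> wan forwarding (the property that makes the kill switch inherent).
set -eu

# Write the stanzas to $1 (a scratch path; assumed, not /etc/config/firewall).
write_vpn_firewall() {
    cat > "$1" <<'EOF'
config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'

config zone
	option name 'vpn'
	list device 'tun0'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'

config forwarding
	option src 'lan'
	option dest 'vpn'
EOF
}

# Print "src dest" for every 'config forwarding' section in the file $1.
list_forwardings() {
    awk -v q="'" '
        /^config/ { if (fw && src && dst) print src, dst; fw = ($2 == "forwarding"); src = ""; dst = "" }
        fw && $2 == "src"  { gsub(q, "", $3); src = $3 }
        fw && $2 == "dest" { gsub(q, "", $3); dst = $3 }
        END { if (fw && src && dst) print src, dst }
    ' "$1"
}

# Exit 0 when lan can only be forwarded to vpn (no lan -> wan path), 1 otherwise.
killswitch_holds() {
    ! list_forwardings "$1" | grep -q '^lan wan$'
}
```

Run `killswitch_holds /etc/config/firewall` on the Pi after editing to confirm the LAN clients have no path to the Internet except through tun0.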

like this?


config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd3f:f44a:dbcc::/48'

config interface 'lan'
	option force_link '1'
	option ifname 'eth0'
	option proto 'static'
	option ipaddr '192.168.2.15'
	option netmask '255.255.255.0'
	list dns '1.1.1.1'
	option device 'br-lan'

config interface 'openvpn'
	option proto 'none'
	option device 'tun0'

config interface 'wan'
	option ifname 'eth0'
	option proto 'dhcp'
	option peerdns '0'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'


No, take eth0 out of everything except wan. br-lan will be empty until the wifi starts up and attaches to it which will be taken care of in /etc/config/wireless.


config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd3f:f44a:dbcc::/48'

config interface 'lan'
	option force_link '1'
	option proto 'static'
	option ipaddr '192.168.2.15'
	option netmask '255.255.255.0'
	list dns '1.1.1.1'
	option device 'br-lan'

config interface 'openvpn'
	option proto 'none'
	option device 'tun0'

config interface 'wan'
	option proto 'dhcp'
	option peerdns '0'
	option device 'eth0'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

Or use option ifname 'eth0'?

Take eth0 out of br-lan. You will need to reach the lan side only by wifi since you only have one Ethernet port. It would be a good idea to at least temporarily change the default firewall policy on wan to input:ACCEPT so you can log into the router from the wan side.

option device and list ports are the new syntax; option ifname is deprecated.
