Raspberry pi like wi-fi router

Do you by any chance have two LAN ports on the RPi?

one default port

that is, do I need to assign eth0 to the interface lan and wan?

There's config in there for two.

Swap eth1 and eth0 in the config above.

no internet access

Post ifconfig output.

If you only have one port it needs to be only in wan and connect to the main router.

Then you should open ports 22 and 80 TCP so you can use ssh and http respectively to log into the Pi from the main "white" network, which is on the wan side so normally it is firewalled. Or you can use the wifi AP on lan, which will eventually route to the VPN server but with the default firewall you can also use it to log into the router. What you can't do is put a single Ethernet port in both networks.

If your house "white" network uses IPs of the form 192.168.1.X you need to change the LAN to a different range so there is no conflict and proper routing can work.

Create a firewall zone for the vpn using list device tun0. You don't need to declare a network for the vpn within OpenWrt since the OpenVPN application will take care of creating the device and setting its IP. The vpn zone needs masquerading turned on. Then have a forward rule from lan to vpn.

Note that if you don't have a forward rule from lan to wan (only from lan to vpn), "kill switch" functionality is inherent. If the VPN is down the LAN users have no other path to the Internet.

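The zone layout described in the reply above, with a check for its kill-switch property, as an added example that is not part of the original thread. The zone names `lan`, `wan` and `vpn`, the function names and the sample config are assumptions constructed for illustration.

```shell
# Added example, not from the thread. Zone names lan/wan/vpn and both function names are assumptions.
# Constructed /etc/config/firewall excerpt: vpn zone on tun0, forwarding lan -> vpn only.
sample_firewall() {
cat <<'EOF'
config zone
	option name 'lan'
	list network 'lan'

config zone
	option name 'wan'
	list network 'wan'
	option masq '1'

config zone
	option name 'vpn'
	list device 'tun0'
	option masq '1'

config forwarding
	option src 'lan'
	option dest 'vpn'
EOF
}
# check_killswitch FILE: exit 0 only if lan forwards to vpn (masqueraded, on tun0) and not to wan.
check_killswitch() {
  awk '
    function v(s) { gsub(/[^A-Za-z0-9_.-]/, "", s); return s }   # strip quotes from a value
    function commit() {                                         # close the previous section
      if (type == "zone" && name == "vpn") { masq_ok = (masq == "1"); dev_ok = (devs ~ / tun0 /) }
      if (type == "forwarding" && src == "lan") fwd[dest] = 1
      name = masq = src = dest = ""; devs = " "
    }
    $1 == "config" { commit(); type = v($2) }
    $1 == "option" && $2 == "name" { name = v($3) }
    $1 == "option" && $2 == "masq" { masq = v($3) }
    $1 == "option" && $2 == "src"  { src = v($3) }
    $1 == "option" && $2 == "dest" { dest = v($3) }
    $2 == "device" { devs = devs v($3) " " }                    # list device or option device
    END {
      commit()
      if (!dev_ok) { print "FAIL: no vpn zone bound to tun0"; bad = 1 }
      if (!masq_ok) { print "FAIL: vpn zone is not masqueraded"; bad = 1 }
      if (!("vpn" in fwd)) { print "FAIL: no lan -> vpn forwarding"; bad = 1 }
      if ("wan" in fwd) { print "FAIL: lan -> wan forwarding leaks when the VPN is down"; bad = 1 }
      if (!bad) print "OK: lan can reach the Internet only through vpn"
      exit bad + 0
    }' "$1"
}
f=$(mktemp) && sample_firewall > "$f" && check_killswitch "$f"; rm -f "$f"
```

On the router itself the same function can be pointed at the live file with `check_killswitch /etc/config/firewall`.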

like this?


config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd3f:f44a:dbcc::/48'

config interface 'lan'
	option force_link '1'
	option ifname 'eth0'
	option proto 'static'
	option ipaddr '192.168.2.15'
	option netmask '255.255.255.0'
	list dns '1.1.1.1'
	option device 'br-lan'

config interface 'openvpn'
	option proto 'none'
	option device 'tun0'

config interface 'wan'
	option ifname 'eth0'
	option proto 'dhcp'
	option peerdns '0'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'


No, take eth0 out of everything except wan. br-lan will be empty until the wifi starts up and attaches to it which will be taken care of in /etc/config/wireless.


config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd3f:f44a:dbcc::/48'

config interface 'lan'
	option force_link '1'
	option proto 'static'
	option ipaddr '192.168.2.15'
	option netmask '255.255.255.0'
	list dns '1.1.1.1'
	option device 'br-lan'

config interface 'openvpn'
	option proto 'none'
	option device 'tun0'

config interface 'wan'
	option proto 'dhcp'
	option peerdns '0'
	option device 'eth0'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

Or use option ifname 'eth0'?

Take eth0 out of br-lan. You will need to reach the lan side only by wifi since you only have one Ethernet port. It would be a good idea to at least temporarily change the default firewall policy on wan to input:ACCEPT so you can log into the router from the wan side.

option device and list ports is the new syntax, option ifname is deprecated.


Very strange. Now the Internet on the router works both with VPN and without it. However, Wi-Fi clients still cannot access the Internet. Already tried several tutorials. I don't understand why at all; everything seems to be correct.

Let's see the latest config files:

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall