Route all wifi traffic through vpn - rpi4

I'm trying to set up a Raspberry Pi that would route all wifi clients through a VPN.

This is my first time working with OpenWRT, I have some Linux experience but very little network wise.

Steps taken:
So far I've gone as far as flashing OpenWrt, setting up AdBlock, assigning a static IP to the lan interface and setting up the wireless network. After these steps I can successfully connect to the new wifi network with any device and have internet access, with the adblock already taking effect.

Then for the VPN part, I followed a number of tutorials that guided me through setting it up through WireGuard, which didn't work, and then through OpenVPN, which also didn't work.
I understand both WireGuard and OpenVPN should not be used at the same time; I'm happy to remove either as long as I get something working.

Issue:
I always have internet access outside of the VPN, no matter what settings I have for the interfaces/firewall.

Most of the guides use a Wifi dongle and create a new firewall zone for that interface only but since I don't have that extra dongle I wanted to use the onboard wifi chip.

I suspect the issue is that both my eth0 and wifi are included in the bridge making traffic flow from one to the other and bypassing the vpn, but I'm honestly not sure if that's the cause or not.

Thank you beforehand!


Here are some screenshots of some of my current setup.
[Screenshots: Interfaces, Firewall, OpenVPN, WireGuard]


They can totally be used at the same time.


How come?
Would that be the way to go?

The fact that it can does not mean you should do it :wink:

It complicates things but is certainly possible with PBR

If you need a VPN I would advise you to try WireGuard as it is usually easier to set up.
see : https://openwrt.org/docs/guide-user/services/vpn/wireguard/start


Thank you for the link!

I followed these steps:

My final result is very similar to the one on the screenshots, but I still don't have my wifi traffic going through the vpn.


In most of the examples I see, people have the device to which clients will connect (be it wifi or eth with switch) outside of the bridge and in its own firewall zone.
I tried doing the same, by making lan have only eth0 (with static IP and connected to the ISP router) and creating a dedicated wifi interface with only the wifi device as DHCP.
As soon as I did this change, clients are no longer able to connect to the network at all.

My current settings:


Ok, you do not have a WAN so I assume this router is set up as an OpenWrt Dumb AP/Switch

All traffic just bypasses this router and does not go through the router so it will bypass the VPN.

If you have only a few clients then on the LAN clients manually set the gateway to point to this router (192.168.1.123).

Alternatively you can use DNSMasq on the main router to hand out a different gateway to specific clients or to all clients.

But the easiest way of dealing with this is to make a Guest Wifi on this router.
A guest wifi has its own subnet; this means that traffic from this guest wifi is going through the router and thus will be picked up by the VPN.

Furthermore, enable Masquerading on the LAN interface.