Selected clients routed through VPN, rest on normal Internet?

Hi, is there any similar to Asus VPN Fusion (link) for OpenWrt? To set up the router as e.g. an OpenVPN client for selected devices on LAN (either with IP, or with MAC), so all traffic would go to the internet, only the selected devices would be directed through the VPN tunnel?

Thanks a lot!

Many VPN protocols are supported on OpenWrt. The two most popular are WireGuard and OpenVPN.

Combined with policy based routing, you can send the traffic from some devices through the tunnel while others will bypass it.

Are you trying to connect to a commercial vpn service?

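An added example of the policy-based routing setup described above (not code from the thread or from the OpenWrt project): /etc/config/network and /etc/config/firewall fragments that run a WireGuard client interface on the router and send only one LAN host through it, everything else staying on the normal WAN route. The interface name 'wgc', table number 100, the host address 192.168.15.50, and the remote server values are assumptions; the last rule makes the host fail closed when the tunnel has no default route instead of silently falling back to the WAN.

```uci
# /etc/config/network (added example; assumed names and values)

# WireGuard client interface; its routes land in table 100 instead of main
config interface 'wgc'
	option proto 'wireguard'
	option private_key 'CLIENT_PRIVATE_KEY'
	list addresses '10.3.0.2/32'
	option ip4table '100'

# Remote server; route_allowed_ips installs 0.0.0.0/0 via wgc into table 100
config wireguard_wgc 'remote'
	option public_key 'SERVER_PUBLIC_KEY'
	option endpoint_host 'vpn.example.com'
	option endpoint_port '31885'
	option persistent_keepalive '25'
	list allowed_ips '0.0.0.0/0'
	option route_allowed_ips '1'

# Selected host: subnets the router itself routes stay on the main table
config rule 'pbr_host_local'
	option src '192.168.15.50/32'
	option dest '192.168.15.0/24'
	option lookup 'main'
	option priority '100'

# Everything else from that host is looked up in the tunnel table
config rule 'pbr_host_vpn'
	option src '192.168.15.50/32'
	option lookup '100'
	option priority '101'

# Fail closed: if table 100 has no route (tunnel down), do not leak to WAN
config rule 'pbr_host_killswitch'
	option src '192.168.15.50/32'
	option action 'unreachable'
	option priority '102'

# /etc/config/firewall: own zone for the tunnel, NAT the host behind 10.3.0.2
config zone 'vpn'
	option name 'vpn'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wgc'

config forwarding
	option src 'lan'
	option dest 'vpn'
```

Check the result with `ip rule show` and `ip route show table 100` on the router; the host's traffic should only ever leave through wgc or be refused.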

Yeah, it didn't cross my mind, to do it through routing, lol.

I just have an OpenVPN server at some other place and I wanted to bind a specific device (or devices) to the VPN from the router as a client, not from the devices themselves. Yeah, I could look into routing.

I know WireGuard would be much better, but I never managed to successfully set up even a WireGuard server on my OpenWrt router (I get TX, but no RX). I am not sure I want to deal with the client...

WireGuard is really easy to set up and much more performant. We can help you with that setup.

About the WireGuard server which is not working on my OpenWrt router at the moment:

It is really weird. I really receive something only after routing it, and it is still only one way:

This is my network file:

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'IP6_PREFIX::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.15.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device
	option name 'wan'
	option macaddr 'xx:xx:xx:xx:xx:xx'

config interface 'wan'
	option device 'wan.10'
	option proto 'pppoe'
	option username 'PPPoE_USER'
	option password 'PPPoE_PASS'
	option ipv6 'auto'

config interface 'wan6'
	option device 'wan.10'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'

config device
	option type '8021q'
	option ifname 'wan'
	option vid '10'
	option name 'wan.10'

config interface 'wg0'
	option proto 'wireguard'
	list addresses '10.3.0.1/24'
	option listen_port '31885'
	option private_key 'SERVER_PRIVATE_KEY'
	list dns '192.168.15.1'

config wireguard_wg0
	option description 'iPhone'
	option public_key 'IPHONE_PUBLIC_KEY'
	option private_key 'IPHONE_PRIVATE_KEY_FOR_QR'
	list allowed_ips '10.3.0.2/32'
	option route_allowed_ips '1'
	option endpoint_host 'PUBLIC_IP_OR_DDNS'
	option endpoint_port 'PORT'
	option persistent_keepalive '25'
	option preshared_key 'NOT_REALLY_NECESSARY'

config route
	option interface 'wg0'
	option target '10.3.0.0/24'
	option gateway '192.168.15.1'

And this is my firewall file:

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option mtu_fix '1'
	list device 'natcap+'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config nat 'nat6'
	option name 'nat6'
	option src 'wan'
	option enabled '0'
	option family 'ipv6'
	option proto 'all'
	option target 'MASQUERADE'

config rule 'ipv6_forward'
	option family 'ipv6'
	option src 'wan'
	option dest 'lan'
	option target 'ACCEPT'
	option name 'Allow-IPv6-Forward'
	option proto 'all'
	option enabled '0'

config rule 'ipv6_igmp_input'
	option name 'Allow-IPv6-IGMP'
	option src 'wan'
	option proto 'igmp'
	option target 'ACCEPT'
	option family 'ipv6'

config rule
	option name 'Allow WireGuard'
	list proto 'udp'
	option src 'wan'
	option dest_port 'PORT'
	option target 'ACCEPT'
	option src_port 'PORT'
	option dest 'lan'
	list dest_ip '192.168.15.1'

config redirect
	option dest 'lan'
	option target 'DNAT'
	REST DELETED

config rule 'natcapovpn_tcp'
	option target 'ACCEPT'
	option src 'wan'
	option proto 'tcp'
	option dest_port 'OPENVPNPORT'
	option name 'natcapovpn_tcp'

config rule 'natcapovpn_udp'
	option target 'ACCEPT'
	option src 'wan'
	option proto 'udp'
	option dest_port 'OPENVPNPORT'
	option name 'natcapovpn_udp'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'WireGuard Forward'
	list proto 'udp'
	option src 'wan'
	option src_dport 'PORT'
	option dest_ip '192.168.15.1'
	option dest_port 'PORT'

config zone
	option name 'VPN'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'wg0'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'VPN'

I think there is quite a lot of garbage from my trying... (e.g. I don't think I should need the port forwarding)

Remove this:

Remove this rule:

It should look like this:

config rule
	option name 'Allow WireGuard'
	list proto 'udp'
	option src 'wan'
	option dest_port 'PORT'
	option target 'ACCEPT'

Delete this

Remove the masq and mtu_fix lines
I’d recommend making input and forward = accept

Add the following:

config forwarding
	option src 'VPN'
	option dest 'lan'

config forwarding
	option src 'VPN'
	option dest 'wan'

Now I got a packet:

But still nothing.

EDIT: Each time I connect, I get two packets. Maybe wrong settings on the client?

Let’s see the latest network and firewall files, as well as the config from your phone.


Firewall is now:

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option mtu_fix '1'
	list device 'natcap+'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config nat 'nat6'
	option name 'nat6'
	option src 'wan'
	option enabled '0'
	option family 'ipv6'
	option proto 'all'
	option target 'MASQUERADE'

config rule 'ipv6_forward'
	option family 'ipv6'
	option src 'wan'
	option dest 'lan'
	option target 'ACCEPT'
	option name 'Allow-IPv6-Forward'
	option proto 'all'
	option enabled '0'

config rule 'ipv6_igmp_input'
	option name 'Allow-IPv6-IGMP'
	option src 'wan'
	option proto 'igmp'
	option target 'ACCEPT'
	option family 'ipv6'

config rule
	option name 'Allow WireGuard'
	list proto 'udp'
	option src 'wan'
	option dest_port 'PORT'
	option target 'ACCEPT'

config rule 'natcapovpn_tcp'
	option target 'ACCEPT'
	option src 'wan'
	option proto 'tcp'
	option dest_port 'OPENVPNPORT'
	option name 'natcapovpn_tcp'

config rule 'natcapovpn_udp'
	option target 'ACCEPT'
	option src 'wan'
	option proto 'udp'
	option dest_port 'OPENVPNPORT'
	option name 'natcapovpn_udp'

config zone
	option name 'VPN'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'wg0'

config forwarding
	option src 'lan'
	option dest 'VPN'

config forwarding
	option src 'VPN'
	option dest 'lan'

config forwarding
	option src 'VPN'
	option dest 'wan'

There is not much to do or show on the client. It is just a scanned QR code from the server.


root@Wifi:~# wg show
interface: wg0
  public key: PublicKey
  private key: (hidden)
  listening port: Port

peer: PeerKey
  preshared key: (hidden)
  endpoint: PhoneIP:SomePort
  allowed ips: 10.3.0.2/32
  latest handshake: 14 minutes, 1 second ago
  transfer: 868 B received, 23.48 KiB sent
  persistent keepalive: every 25 seconds

Btw, is it possible that it generated a key pair with symbols which are not allowed?

Add this address to the wg interface address on your phone.

Interesting, still only 2 packets received, but I get the "VPN" logo on the phone and it sends some insane amount of data:


But still nothing received on the router apart from the two packets.


Is your OpenVPN connection active? If so, disable it.

Remove the endpoint host and port from the peer config on the OpenWrt side.

Still nothing

Please post the current network file. Also, don’t forget to restart the router.


Sorry, I've been busy with some other stuff. So, I have a new snapshot on my Redmi AX6000 and I have it as a dumb AP / switch atm (e.g. 192.168.9.0 VPN > 192.168.9.1 Redmi > 192.168.15.2 Redmi > 192.168.15.1 main router > Internet). I am now able to connect to the OpenVPN and WireGuard server on the Redmi AX6000, but...

On the WireGuard server (but same as on the OpenVPN server), I am able to connect to all the devices in the cascade (e.g. 192.168.9.0 VPN > 192.168.9.1 Redmi > 192.168.15.2 Redmi > 192.168.15.1 main router > Internet), but no other devices within the 192.168.15.0 network (e.g. another OpenWrt device on 192.168.15.3).

I have "0.0.0.0/0, ::/0, 192.168.15.0/24" in Allowed IPs on the client, I have a routing on the main router from 192.168.15.0 through 192.168.15.2 to 192.168.9.0 (although, I am not sure I even need this, I wouldn't be connecting in the direction to the client).

Main router network file (stock vendor-modified 18.06-SNAP firmware, but working normally):

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config switch
	option name 'switch0'

config interface 'lan'
	option ifname 'eth2 eth3 eth4'
	option force_link '1'
	option type 'bridge'
	option proto 'static'
	option netmask '255.255.255.0'
	option multicast_querier '0'
	option igmp_snooping '0'
	option macaddr 'MAC'
	option ieee1905managed '1'
	option ipaddr '192.168.15.1'
	option ip6assign '64'

config interface 'eth1'
	option ifname 'eth1.10'
	option keepup '1'

config interface 'eth2'
	option ifname 'eth2'

config interface 'eth3'
	option ifname 'eth3'

config interface 'eth4'
	option ifname 'eth4'

config interface 'miot'
	option ifname 'wl13'
	option type 'bridge'
	option proto 'static'
	option ipaddr '192.168.32.1'
	option netmask '255.255.255.0'

config interface 'wan'
	option proto 'pppoe'
	list dns '1.1.1.1'
	list dns '1.0.0.1'
	option peerdns '0'
	option username 'PPPoE-NICK'
	option special '0'
	option mru '1480'
	option password 'PPPoE-PASSWORD!'
	option ifname 'eth1.10'
	option ipv6 'auto'

config route 'switchVPN'
	option interface 'lan'
	option target '10.9.3.0'
	option netmask '255.255.255.0'
	option gateway '192.168.15.2'

config route 'switchWireGuard'
	option interface 'lan'
	option target '192.168.9.0'
	option netmask '255.255.255.0'
	option gateway '192.168.15.2'

The Redmi AX6000 WireGuard (and OpenVPN) server's network file:

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'ULA::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'wan'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.15.2'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option gateway '192.168.15.1'
	list dns '192.168.15.1'

config device
	option name 'wan'
	option macaddr 'MAC'

config interface 'wg0'
	option proto 'wireguard'
	option private_key 'PRIVATE-KEY'
	option listen_port 'WG-PORT'
	list addresses '192.168.9.1/24'
	list addresses 'fd00:9::1/64'

config wireguard_wg0 'wgclient'
	option public_key 'PUBLIC-KEY'
	option preshared_key 'PRESHARED-KEY'
	list allowed_ips '192.168.9.2/32'
	list allowed_ips '192.168.15.0/24'
	list allowed_ips 'fd00:9::2/128'

Is it even possible to share the lan network if the OpenWrt router with the WireGuard server is not in the router mode, but only a dumb AP / switch with disabled firewall, dnsmasq, and odhcpd?

Remove 192.168.15.0/24 from the allowed IPs.


Removed in the client config on the switch and the client config file, but still not able to connect to other devices on 192.168.15.0. I am able to connect to the internet through the VPN, I am able to connect to the devices in the cascade, but nothing within the LAN network.

Ok, here is a solution to one of the issues:
For the WireGuard server on a dumb AP / switch (with disabled odhcpd, dnsmasq, firewall) to allow clients to reach devices in the lan network, not only those in the cascade between the VPN client and the internet (not only VPN client > WireGuard gateway > Switch IP > Router IP > Internet), I had to add the following nftables rules to the startup script (/etc/rc.local):

nft add table ip nat
nft add chain ip nat postrouting { type nat hook postrouting priority srcnat \; }
nft add rule ip nat postrouting masquerade

nft add table ip filter
nft add chain ip filter FORWARD { type filter hook forward priority 0 \; }
nft add rule ip filter FORWARD iifname "wg0" accept
nft add rule ip filter FORWARD oifname "wg0" accept

For routing OpenVPN on the dumb AP / switch without firewall, I need to add the following to the startup script (adjusted to the IP range of OpenVPN, e.g. 10.8.0.0):

nft add rule ip nat postrouting oifname "br-lan" ip saddr 10.8.0.0/24 masquerade
nft add rule ip filter FORWARD iifname "tun0" accept
nft add rule ip filter FORWARD oifname "tun0" accept

Now I can use VPN services even on a dumb AP / switch with disabled firewall etc. I think this can be useful to many people, and maybe it would be worth updating the WireGuard and OpenVPN manuals to include dumb APs / switches.


The original question, however, stays. How can I connect to VPN on the main router (main router as a VPN client) and route only selected lan devices through the VPN?

I see what the issue was overall...

You need to either enable masquerading on the lan zone of your OpenWrt + WG router, or you need to add a static route on the main router so that the return traffic can be properly routed back to the WG tunnel.

Either method works -- if your main router supports adding static routes, you can just add one and then you can turn off masquerading on the WG router's lan zone.
