Separate guest LAN and private LAN with OpenVPN

Hello!

I'm pretty new to LEDE (and to more advanced networking in general), and I managed to set it up so that all my internet traffic is forced through the OpenVPN tunnel by following this guide. I am using a TP-Link TL-WDR3600.

Afterwards I tried to set up a separate guest LAN on device Ethernet port #4 by creating a new VLAN with only the (tagged) CPU port and port 5 in it. The guest LAN should not be routed through the VPN tunnel.
Then I set up the firewall to allow forwarding from the guestzone firewall zone to the wan zone.
I also added custom rules such that the guest zone name resolution works.

I've looked at multiple threads here and followed the LEDE guest WiFi setup, but unfortunately a client connected to the guest LAN has no internet access (name resolution works and it gets assigned an IP in the expected range).

The error message when trying to ping google.com is "Destination Port Unreachable".

Below are my config files.

/etc/config/network
config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd29:e9be:9a05::/48'

# Private LAN on VLAN 1; bridged so a wireless interface can join it, and it
# gets an IPv6 /60 assigned from the prefix delegated on wan6.
config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'
	# The literal value 'macaddr' is not a valid MAC address; presumably it was
	# redacted before posting -- if it really reads like this, drop or fix it.
	option macaddr 'macaddr'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'

# Switch is reset on boot and VLAN-aware; the three switch_vlan sections below
# split the physical ports into lan / wan / guest.
config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

# VLAN 1 -> eth0.1 (lan): CPU port tagged plus physical ports 2, 3 and 4.
config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '0t 2 3 4'

# VLAN 2 -> eth0.2 (wan): CPU port tagged plus physical port 1.
config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0t 1'
	option vid '2'

# tun0 is created and addressed by OpenVPN, not by netifd; 'none' only exists
# so the firewall zone VPN_FW can reference the interface.
config interface 'MULLVAD_VPN'
	option proto 'none'
	option ifname 'tun0'

# VLAN 3 -> eth0.3 (guest): CPU port tagged plus physical port 5 only, so guest
# frames never share a VLAN with lan -- the separation is L2 as well as L3.
config switch_vlan
	option device 'switch0'
	option vlan '3'
	option vid '3'
	option ports '0t 5'

# Guest network. No ip6assign, so IPv4 only. There is no policy-routing 'rule'
# section in this file either, so guest traffic follows the main table's
# default route -- which is the tunnel if OpenVPN installs it as the default
# gateway (confirm with `ip route` / `ip rule` on the router).
config interface 'guest'
	option proto 'static'
	option ifname 'eth0.3'
	option ipaddr '192.168.4.1'
	option netmask '255.255.255.0'
/etc/config/firewall
# Zone-to-zone traffic is denied unless a 'forwarding' section or a rule with
# src+dest allows it; 'input' here is the fallback policy for traffic to the
# router itself and is overridden per zone below.
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option output 'ACCEPT'
	option network 'lan'
	option input 'ACCEPT'
	# forwarding between hosts inside the lan zone itself
	option forward 'ACCEPT'

# Upstream zone: NAT and TCP MSS clamping on egress, nothing unsolicited
# accepted from the outside except the explicit rules below.
config zone
	option name 'wan'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'
	option input 'REJECT'
	option forward 'REJECT'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# The next two rules open ESP and UDP/500 from wan into lan (they come from the
# default firewall template of this era). They are only needed if a host on lan
# terminates IPsec; otherwise they can be removed to shrink the exposed surface.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# Raw iptables rules not shown in the thread (the "custom rules" for guest name
# resolution mentioned in the post presumably live here).
config include
	option path '/etc/firewall.user'

# Tunnel zone, treated like a second wan: no unsolicited input, and NAT so lan
# addresses are hidden behind the tunnel endpoint.
config zone
	option name 'VPN_FW'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'MULLVAD_VPN'

config zone
	option name 'guestzone'
	option forward 'REJECT'
	option output 'ACCEPT'
	option network 'guest'
	# ACCEPT lets guest clients reach every service listening on the router,
	# not just DNS/DHCP. With 'REJECT' the two 'Guest Zone' rules below become
	# the allow-list instead of being redundant.
	option input 'ACCEPT'

# Only guestzone -> wan is allowed. There is no forwarding to 'lan' (good: guests
# stay isolated) and none to 'VPN_FW': if the main routing table's default route
# is tun0, guest traffic lands in VPN_FW and hits the default forward REJECT,
# which fw3's REJECT typically answers with ICMP port-unreachable -- consistent
# with the symptom reported (confirm with the routing table / iptables counters).
config forwarding
	option dest 'wan'
	option src 'guestzone'

# INPUT allow-list for guest clients talking to the router (DNS and DHCP).
# These only take effect once guestzone 'input' is set to 'REJECT'.
config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'
	option name 'Guest Zone DNS'
	option src 'guestzone'

config rule
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '67-68'
	option name 'Guest Zone DHCP'
	option src 'guestzone'

# lan has no forwarding to 'wan', so lan hosts can only leave through the
# tunnel (kill-switch behaviour while tun0 is down).
config forwarding
	option dest 'VPN_FW'
	option src 'lan'
/etc/config/dhcp
config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option localise_queries '1'
	# refuse upstream answers that resolve into private ranges (DNS-rebinding guard)
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	# Upstream resolvers the router itself forwards to. Those queries are
	# router-originated, so they follow the main routing table (through the
	# tunnel if that is the default route) and are not subject to the forward
	# policy -- which would explain why guest name resolution works while
	# forwarded guest traffic does not. Confirm with the routing table.
	option resolvfile '/tmp/resolv.conf.auto'
	# answer DNS only for directly attached subnets; both lan and guest qualify
	option localservice '1'
	option nonwildcard '0'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra 'server'
	# DHCP option 6: lan clients query these resolvers directly, bypassing
	# dnsmasq. 10.8.0.1 is presumably the tunnel-side resolver -- confirm
	# against the VPN provider's documentation.
	list dhcp_option '6,10.8.0.1,193.138.219.228'
	option ra_management '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'

# IPv4 only (no dhcpv6/ra), matching the missing ip6assign on the guest
# interface. No option 6 is pushed here, so guest clients use the router
# (dnsmasq) as their resolver.
config dhcp 'guest'
	option start '100'
	option leasetime '12h'
	option limit '150'
	option interface 'guest'

I appreciate any help or suggestions!

Thank you,
g4lvanix

It looks like your firewall config is missing a rule

    # Guest #
#---------------------------------------------------
# src+dest make this a FORWARD rule: it permits the same traffic as the
# original post's 'config forwarding' from guestzone to wan, so it is harmless
# but does not add anything that config lacked.
config rule
    option  target          'ACCEPT'
    option  proto           'all'
    option  src             'guestzone'
    option  dest            'wan'
    option  name            'Allow Guest -> WAN'
  • Did you purposefully configure the firewall to allow inbound access from guestzone to the router itself? If not: option input 'REJECT'

.

Your network Guest interface section is also missing two options:

    # Guest #
#---------------------------------------------------

config interface 'guest'
    option  ifname          'eth0.3'
    # a bridge is what lets a guest wifi attach to this network; a wired-only
    # guest port works without it
    option  type            'bridge'
    option  proto           'static'
    # unquoted values are accepted by UCI; quoting them is the usual style
    option  ipaddr          192.168.4.1
    option  netmask         255.255.255.0
    # NOTE(review): 'dns' on a static interface feeds the router's own upstream
    # resolver list (/tmp/resolv.conf.auto); it is not what DHCP hands to guest
    # clients -- confirm before relying on it for client-side resolution
    option  dns             '208.67.222.222 208.67.220.220'
    option  delegate        0
      # If you don't utilize IPv6

Once changes have been made: cd /etc/init.d ; ./network restart ; ./firewall restart

The rule shouldn't be needed, since a forwarding section for guestzone to wan was included. I think the problem is routing and not firewall rules/forwardings: I guess the VPN tunnel is used as the default route, but it can't be used by guestzone (a "Destination Port Unreachable" reply from the router is what the firewall's REJECT produces, which would fit guest traffic being routed into the tunnel zone, where no guestzone-to-VPN_FW forwarding exists). The solution will require the use of "IP rules" in the network configuration, or mwan3 or similar, I think. BTW, you should make sure failsafe is working in case you get locked out of the router.

https://wiki.openwrt.org/doc/uci/network#ip_rules

The two sections I posted are from a working guest WiFi, with the main issue being the two options left out of the network config. You can't resolve a WAN address with no DNS specified, and without the bridge, the guest WiFi would need to be on its own interface.

DNS resolution seems to be working, since the error message when trying to ping google.com is "Destination Port Unreachable" and not "unknown host google.com" or similar, which is what you would expect when DNS resolution doesn't work.

Of course, configuring input 'REJECT' in guestzone will block DNS resolution unless you explicitly add firewall rules that allow it or use external DNS resolvers (the original post already has the 'Guest Zone DNS' and 'Guest Zone DHCP' rules, which is exactly what input 'REJECT' would need). In your example you use OpenDNS's resolvers.