[SOLVED] Configuring LinkSys WRT3200ACM with OpenVPN client

Hello there,

I recently came across this router and installed OpenWRT on it - however I am failing to configure it the way I want it to.
Maybe you guys can help me out.

The following is the actual situation:

  • I have a cable router, which I can't replace
  • So I purchased this router to mainly serve the purpose for a separate LAN with having a permanent OpenVPN connection to one of my servers within a datacenter on which I mainly do my work

I tried to setup the WRT3200ACM in two ways:

  1. WAN port uplink from cable router:
    I simply plugged in a cable from my cable router to the WAN port of the WRT3200ACM and use the cable router as "uplink". Furthermore I configured the router to be in another (non-default) network: This works perfectly fine, until I want to configure the OpenVPN connection - the OpenVPN connection works just fine from the router itself, however it does not work from any connecting PC. Even worse, I can't seem to resolve/ping anything from a client - from the router itself it works perfectly fine (resolving DNS and connecting to any servers within the data center from the router itself).

As I couldn't make it work, I thought I'll give it a shot while using the router as a bridge
2. Uplink from LAN port
I followed basically the same approach as above, but this time I disabled WAN completely and got my uplink via LAN. Furthermore I didn't put the router in a separate subnet, as it should only "extend" the current network. However I had the same results: OpenVPN connection works fine from the router itself, from a client not.

I used the following guides to set it up:
1: https://openwrt.org/docs/guide-user/services/vpn/openvpn/client
1 + 2: https://openwrt.org/docs/guide-user/network/wifi/bridgedap

My goal is to have the following setup:
Have the router in a separate subnet ( and route all traffic (from both WIFI and LAN), which are not in the local subnets ( (wrt3200acm) and (cable router)) through the openvpn connection.

I hope I could state my point properly.
If anything is unclear, please ask - I'd be happy to get a hint to the correct direction.

Thank you very much!


Hello there,

I figured it out on my own by replacing the included firewall command with own iptables rules.
In case somebody stumbles upon this thread, following are the iptables used:

-A FORWARD -o eth1.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu

Allow all loopback (lo) traffic and reject anything

to localhost that does not originate from lo.

-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -s -j REJECT

Allow ping and ICMP error returns.

-A INPUT -p icmp -m conntrack --ctstate NEW --icmp-type 8 -j ACCEPT
-A INPUT -p icmp -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

Allow all traffic from lan

-A INPUT -i br-lan -j ACCEPT

keep established connections

-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

Allow traffic on the TUN interface.

-A INPUT -i tun0 -j ACCEPT

Allow forwarding from tun+ through other interfaces

-A FORWARD -i tun0 -j ACCEPT
-A FORWARD -i tun0 -o eth1.2 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tun0 -o tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1.2 -o tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tun0 -o br-lan -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br-lan -o tun0 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br-lan -o eth1.2 -j ACCEPT

Log any packets which don't fit the rules above...

(optional but useful - you might want to limit it with -m limit --limit 3/min (or something similar))

-A INPUT -j LOG --log-prefix "iptables_INPUT_denied: " --log-level 4
-A FORWARD -j LOG --log-prefix "iptables_FORWARD_denied: " --log-level 4

then reject them.



Remember to disable the firewall (service firewall stop, service firewall disable) - YOU ARE NOW ON YOUR OWN! Iptables are all which stands between you and the internet - so better know, what you are doing :).
You might further want to restrict the rules on your own. In my case this was more than sufficient.

Reloading the iptables rules is fairly easy and straight forward:
iptables-restore < /etc/iptables.rules (I have my rules stored in this file)

This should be called within rc.local like so:
root@OpenWrt:~# cat /etc/rc.local

Put your custom commands here that should be executed once

the system init finished. By default this file does nothing.

/usr/sbin/iptables-restore < /etc/iptables.rules
exit 0

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.