[Solved] Setup VPN router with OpenWrt

Hi all,
I am new in the OpenWrt world and I do not know much about networking.
I have built and installed my custom image of OpenWrt in my Netcomm nb604n (8 mb flash) without luci.
I want to convert this router into a VPN router so I can have my current router serving Australians IPs and my old router VPN serving Argentinians IPs.

The NB604N router does not have WAN port, so I assume I need to convert a LAN port into a WAN port but not sure how to do it.

This is the configuration of network interfaces I have (/etc/config/network)

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd6d:b0a8:2238::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.1.250'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 3 8t'

And this is the firewall config

config defaults
        option syn_flood        1
        option input            ACCEPT
        option output           ACCEPT
        option forward          REJECT
# Uncomment this line to disable ipv6 rules
#       option disable_ipv6     1

config zone
        option name             lan
        list   network          'lan'
        option input            ACCEPT
        option output           ACCEPT
        option forward          ACCEPT

config zone
        option name             wan
        list   network          'wan'
        list   network          'wan6'
        option input            REJECT
        option output           ACCEPT
        option forward          REJECT
        option masq             1
        option mtu_fix          1

config forwarding
        option src              lan
        option dest             wan
        
# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
        option name             Allow-DHCP-Renew
        option src              wan
        option proto            udp
        option dest_port        68
        option target           ACCEPT
        option family           ipv4

# Allow IPv4 ping
config rule
        option name             Allow-Ping
        option src              wan
        option proto            icmp
        option icmp_type        echo-request
        option family           ipv4
        option target           ACCEPT

config rule
        option name             Allow-IGMP
        option src              wan
        option proto            igmp
        option family           ipv4
        option target           ACCEPT
        
        
# Allow DHCPv6 replies
# see https://dev.openwrt.org/ticket/10381
config rule
        option name             Allow-DHCPv6
        option src              wan
        option proto            udp
        option src_ip           fc00::/6
        option dest_ip          fc00::/6
        option dest_port        546
        option family           ipv6
        option target           ACCEPT

config rule
        option name             Allow-MLD
        option src              wan
        option proto            icmp
        option src_ip           fe80::/10
        list icmp_type          '130/0'
        list icmp_type          '131/0'
        list icmp_type          '132/0'
        list icmp_type          '143/0'
        option family           ipv6
        option target           ACCEPT
        
# Allow essential incoming IPv6 ICMP traffic
config rule
        option name             Allow-ICMPv6-Input
        option src              wan
        option proto    icmp
        list icmp_type          echo-request
        list icmp_type          echo-reply
        list icmp_type          destination-unreachable
        list icmp_type          packet-too-big
        list icmp_type          time-exceeded
        list icmp_type          bad-header
        list icmp_type          unknown-header-type
        list icmp_type          router-solicitation
        list icmp_type          neighbour-solicitation
        list icmp_type          router-advertisement
        list icmp_type          neighbour-advertisement
        option limit            1000/sec
        option family           ipv6
        option target           ACCEPT
        

# Allow essential forwarded IPv6 ICMP traffic
config rule
        option name             Allow-ICMPv6-Forward
        option src              wan
        option dest             *
        option proto            icmp
        list icmp_type          echo-request
        list icmp_type          echo-reply
        list icmp_type          destination-unreachable
        list icmp_type          packet-too-big
        list icmp_type          time-exceeded
        list icmp_type          bad-header
        list icmp_type          unknown-header-type
        option limit            1000/sec
        option family           ipv6
        option target           ACCEPT

config rule
        option name             Allow-IPSec-ESP
        option src              wan
        option dest             lan
        option proto            esp
        option target           ACCEPT

config rule
        option name             Allow-ISAKMP
        option src              wan
        option dest             lan
        option dest_port        500
        option proto            udp
        option target           ACCEPT     
        
# include a file with users custom iptables rules
config include
        option path /etc/firewall.user        

The openvpn is connected to my vpn provider and it created a tun0 interface
this is the ifconfig:

br-lan    Link encap:Ethernet  HWaddr 00:60:64:97:63:B5
          inet addr:192.168.1.250  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::260:64ff:fe97:63b5/64 Scope:Link
          inet6 addr: fd6d:b0a8:2238::1/60 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2425 errors:0 dropped:0 overruns:0 frame:0
          TX packets:839 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:369695 (361.0 KiB)  TX bytes:102021 (99.6 KiB)

eth0      Link encap:Ethernet  HWaddr 00:60:64:97:63:B5
          inet6 addr: fe80::260:64ff:fe97:63b5/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1054007 errors:0 dropped:0 overruns:0 frame:0
          TX packets:641624 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1125618679 (1.0 GiB)  TX bytes:98616768 (94.0 MiB)

eth0.1    Link encap:Ethernet  HWaddr 00:60:64:97:63:B5
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2259 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1087 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:311937 (304.6 KiB)  TX bytes:181303 (177.0 KiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:5346 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5346 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:458539 (447.7 KiB)  TX bytes:458539 (447.7 KiB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet6 addr: fe80::a3fc:9da9:933:c80/64 Scope:Link
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:1 errors:0 dropped:0 overruns:0 frame:0
          TX packets:31 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:76 (76.0 B)  TX bytes:2296 (2.2 KiB)

wlan0     Link encap:Ethernet  HWaddr 00:60:64:97:63:B6
          inet6 addr: fe80::260:64ff:fe97:63b6/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:336 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1677 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:88154 (86.0 KiB)  TX bytes:345887 (337.7 KiB)
          
          

I have seen a tutorial how to do it with my vpn provider but using Luci which I do not have installed

I hope you can help me.

Thank you very much.

Create a new switch_vlan number 2. Move one of the Ethernet ports out of VLAN 1 port list and into the new one. The CPU port (8) should be tagged in both VLANs. Then create a wan network and attach eth0.2 to it. Usually the proto of wan is dhcp (a dhcp client). There is already a wan firewall zone in place.

2 Likes

Thank you very much for helping me mk24

I have done what you mentioned to me. I have moved port 0 to a new vlan2.
The issue I still have is I do not know how to route traffic via the vpn tunnel tun0. When I connect to the wireless connection provided by this VPN router it still gives me IP of australia instead of Argentina (vpn tunnel).

This is the /etc/config/network file now

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd6d:b0a8:2238::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.1.250'
        option gateway '192.168.1.1'
        option dns '203.12.160.35'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 8t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0 8t'

config interface 'vpn'
       option ifname 'tun0'
       option proto 'none'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'

This is the ifconfig

br-lan    Link encap:Ethernet  HWaddr 00:60:64:97:63:B5
          inet addr:192.168.1.250  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::260:64ff:fe97:63b5/64 Scope:Link
          inet6 addr: fd6d:b0a8:2238::1/60 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:575 errors:0 dropped:0 overruns:0 frame:0
          TX packets:248 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:110953 (108.3 KiB)  TX bytes:45948 (44.8 KiB)

eth0      Link encap:Ethernet  HWaddr 00:60:64:97:63:B5
          inet6 addr: fe80::260:64ff:fe97:63b5/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1145961 errors:0 dropped:0 overruns:0 frame:0
          TX packets:697015 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1159509399 (1.0 GiB)  TX bytes:110011850 (104.9 MiB)

eth0.1    Link encap:Ethernet  HWaddr 00:60:64:97:63:B5
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3269 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3238 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1429447 (1.3 MiB)  TX bytes:962144 (939.5 KiB)

eth0.2    Link encap:Ethernet  HWaddr 00:60:64:97:63:B5
          inet addr:192.168.1.12  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::260:64ff:fe97:63b5/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:570 errors:0 dropped:0 overruns:0 frame:0
          TX packets:56 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:113853 (111.1 KiB)  TX bytes:4975 (4.8 KiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:5903 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5903 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:546504 (533.6 KiB)  TX bytes:546504 (533.6 KiB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet6 addr: fe80::12a1:e444:a6b3:1323/64 Scope:Link
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:47 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 B)  TX bytes:3320 (3.2 KiB)

wlan0     Link encap:Ethernet  HWaddr 00:60:64:97:63:B6
          inet6 addr: fe80::260:64ff:fe97:63b6/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2993 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3145 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:916772 (895.2 KiB)  TX bytes:1534994 (1.4 MiB)

so interface lan is a bridge 'eth0.1' with static ip 192.168.1.250 and gateway '192.168.1.1' (ip of the router that provides internet to this VPN router)

and interface 'wan' uses 'eth0.2' and has dynamic ip (assigned by the router that provides internet to this router) 192.168.1.12

This is the /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option channel '11'
        option hwmode '11g'
        option path 'pci0000:00/0000:00:00.0/0000:01:00.0/bcma0:1'
        option htmode 'HT20'
        option disabled '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'psk2'
        option key 'SOME_PASS'

by the way when I do a traceroute from openwrt it is going through argentina ip (tun0)

root@OpenWrt:/etc/openvpn# traceroute www.google.com
traceroute to www.google.com (216.58.200.100), 30 hops max, 38 byte packets
 1  10.8.8.1 (10.8.8.1)  356.510 ms  359.524 ms  365.609 ms
 2  host1.131.255.4.baehost.com.ar (131.255.4.1)  362.520 ms  354.256 ms  366.397 ms
 3  10.255.14.1 (10.255.14.1)  358.836 ms  363.283 ms  364.362 ms
 4  192.168.132.1 (192.168.132.1)  366.577 ms  362.201 ms  366.832 ms
 5  *  *  *
 6  190.94.176.190 (190.94.176.190)  351.319 ms  365.380 ms  449.991 ms
 7  108.170.248.247 (108.170.248.247)  370.640 ms  108.170.248.231 (108.170.248.231)  367.946 ms  74.125.242.195 (74.125.242.195)  423.920 ms
 8  66.249.95.215 (66.249.95.215)  390.384 ms  371.234 ms  379.002 ms
 9  216.239.54.112 (216.239.54.112)  541.656 ms  546.278 ms  535.143 ms
10  216.239.51.244 (216.239.51.244)  528.397 ms  216.239.46.109 (216.239.46.109)  679.323 ms  676.285 ms
11  108.170.247.65 (108.170.247.65)  667.864 ms  669.420 ms  669.570 ms
12  108.170.247.33 (108.170.247.33)  668.120 ms  678.978 ms  209.85.254.119 (209.85.254.119)  675.944 ms
13  209.85.254.119 (209.85.254.119)  665.836 ms  syd09s14-in-f4.1e100.net (216.58.200.100)  668.339 ms  673.081 ms

but when I connect via wifi it goes trough Australian Ip (internet provided by main router)

First of all fix the IP conflict by moving the LAN interface to a different subnet.

br-lan    Link encap:Ethernet  HWaddr 00:60:64:97:63:B5
          inet addr:192.168.1.250  Bcast:192.168.1.255  Mask:255.255.255.0
eth0.2    Link encap:Ethernet  HWaddr 00:60:64:97:63:B5
          inet addr:192.168.1.12  Bcast:192.168.1.255  Mask:255.255.255.0

Paste here the following:
ip -4 addr; ip -4 ro; ip -4 ru

1 Like

Thank you for your help.
This is the command I run:


root@OpenWrt:~# ip -4 addr; ip -4 ro; ip -4 ru
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
135: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.2.1/24 brd 192.168.2.255 scope global br-lan
       valid_lft forever preferred_lft forever
137: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.1.12/24 brd 192.168.1.255 scope global eth0.2
       valid_lft forever preferred_lft forever
default via 192.168.1.1 dev eth0.2  src 192.168.1.12
192.168.1.0/24 dev eth0.2 scope link  src 192.168.1.12
192.168.2.0/24 dev br-lan scope link  src 192.168.2.1
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default

and this is the /etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd6d:b0a8:2238::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.2.1'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 8t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0 8t'

config interface 'openvpn'
       option ifname 'tun0'
       option proto 'none'

I am still have the issue about the traceroute going via VPN (argentinian ip) when I login to openwrt (via ssh to 192.168.1.12 ip)

root@OpenWrt:~# traceroute www.google.com
traceroute to www.google.com (172.217.25.132), 30 hops max, 38 byte packets
 1  10.8.8.1 (10.8.8.1)  320.260 ms  320.379 ms  319.243 ms
 2  31.169.123.1 (31.169.123.1)  317.151 ms  319.333 ms  319.494 ms

but when I connect via wifi or via ethernet cable (no ssh) it does not go through vpn tun0

definetly there is something wrong in my configuration.
The only way to ssh into the openwrt vpn router is connecting the router via lan ethernet to the main router and doing ssh to 192.168.1.12. So I currently have my vpn router connected with two ethernet cables one for the vlan (wan) port 1 (with static ip 192.168.2.1) and one connected to port 4 with dynamic ip 192.168.1.12

I don't see any tun0 nor routes in the ip commands.
Post also the VPN configuration.

When I do ifconfig I can see the tun0

...
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.8.5  P-t-P:10.8.8.5  Mask:255.255.255.0
          inet6 addr: fe80::198a:1ac4:f81:e404/64 Scope:Link
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:29 errors:0 dropped:0 overruns:0 frame:0
          TX packets:33 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:2568 (2.5 KiB)  TX bytes:1444 (1.4 KiB)

wlan0     Link encap:Ethernet  HWaddr 00:60:64:97:63:B6
          inet6 addr: fe80::260:64ff:fe97:63b6/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:35263 errors:0 dropped:0 overruns:0 frame:0
          TX packets:36282 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:12197666 (11.6 MiB)  TX bytes:14619200 (13.9 MiB)

this is the file /etc/openvpn/my-vpn.conf

client
dev tun
proto udp
remote ar-bua.prod.surfshark.com 1194
resolv-retry infinite
remote-random
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ping 15
ping-restart 0
ping-timer-rem
reneg-sec 0
#dhcp-option DNS 10.8.0.1
#redirect-gateway def1
#redirect-gateway local def1


remote-cert-tls server

auth-user-pass auth.txt

#comp-lzo
verb 3
pull
fast-io
cipher AES-256-CBC

auth SHA512
....

and this is the /etc/config/dhcp


config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv6 'server'
        option ra 'server'
        option dhcp_option '6,162.252.172.57,149.154.159.92,136.243.231.242'
        option ignore '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

Establish the VPN-connection and check again:

ip a; ip r; ip ru; iptables-save

Thank you for your help:
I have checked again, the tun0 is there now

root@OpenWrt:~# ip -4 addr; ip -4 ro; ip -4 ru


1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
135: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.2.1/24 brd 192.168.2.255 scope global br-lan
       valid_lft forever preferred_lft forever
137: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.1.12/24 brd 192.168.1.255 scope global eth0.2
       valid_lft forever preferred_lft forever
140: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 100
    inet 10.8.8.5/24 brd 10.8.8.255 scope global tun0
       valid_lft forever preferred_lft forever
0.0.0.0/1 via 10.8.8.1 dev tun0
default via 192.168.1.1 dev eth0.2  src 192.168.1.12
10.8.8.0/24 dev tun0 scope link  src 10.8.8.5
31.169.123.7 via 192.168.1.1 dev eth0.2
128.0.0.0/1 via 10.8.8.1 dev tun0
192.168.1.0/24 dev eth0.2 scope link  src 192.168.1.12
192.168.2.0/24 dev br-lan scope link  src 192.168.2.1
0:	from all lookup local
32766:	from all lookup main
32767:	from all lookup default

This is the result of the command you sent me:
ip a; ip r; ip ru; iptables-save

root@OpenWrt:~# ip a; ip r; ip ru; iptables-save
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP qlen 1000
    link/ether 00:60:64:97:63:b5 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::260:64ff:fe97:63b5/64 scope link
       valid_lft forever preferred_lft forever
4: ifb0: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN qlen 32
    link/ether 76:35:2b:ab:ee:b1 brd ff:ff:ff:ff:ff:ff
5: ifb1: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN qlen 32
    link/ether 9e:e8:d2:62:8d:d8 brd ff:ff:ff:ff:ff:ff
135: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 00:60:64:97:63:b5 brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.1/24 brd 192.168.2.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 fd6d:b0a8:2238::1/60 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::260:64ff:fe97:63b5/64 scope link tentative flags 08
       valid_lft forever preferred_lft forever
136: eth0.1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether 00:60:64:97:63:b5 brd ff:ff:ff:ff:ff:ff
137: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 00:60:64:97:63:b5 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.12/24 brd 192.168.1.255 scope global eth0.2
       valid_lft forever preferred_lft forever
    inet6 fe80::260:64ff:fe97:63b5/64 scope link
       valid_lft forever preferred_lft forever
138: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br-lan state UP qlen 1000
    link/ether 00:60:64:97:63:b6 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::260:64ff:fe97:63b6/64 scope link
       valid_lft forever preferred_lft forever
140: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 100
    link/[65534]
    inet 10.8.8.5/24 brd 10.8.8.255 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::198a:1ac4:f81:e404/64 scope link
       valid_lft forever preferred_lft forever
0.0.0.0/1 via 10.8.8.1 dev tun0
default via 192.168.1.1 dev eth0.2  src 192.168.1.12
10.8.8.0/24 dev tun0 scope link  src 10.8.8.5
31.169.123.7 via 192.168.1.1 dev eth0.2
128.0.0.0/1 via 10.8.8.1 dev tun0
192.168.1.0/24 dev eth0.2 scope link  src 192.168.1.12
192.168.2.0/24 dev br-lan scope link  src 192.168.2.1
0:	from all lookup local
32766:	from all lookup main
32767:	from all lookup default
# Generated by iptables-save v1.8.2 on Thu Apr 11 11:27:46 2019
*nat
:PREROUTING ACCEPT [1135:259568]
:INPUT ACCEPT [63:6496]
:OUTPUT ACCEPT [216:13837]
:POSTROUTING ACCEPT [47:2438]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_vpn_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_vpn_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_vpn_postrouting - [0:0]
:zone_vpn_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
-A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
-A PREROUTING -i tun0 -m comment --comment "!fw3" -j zone_vpn_prerouting
-A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
-A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
-A POSTROUTING -o tun0 -m comment --comment "!fw3" -j zone_vpn_postrouting
-A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
-A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
-A zone_vpn_postrouting -m comment --comment "!fw3: Custom vpn postrouting rule chain" -j postrouting_vpn_rule
-A zone_vpn_prerouting -m comment --comment "!fw3: Custom vpn prerouting rule chain" -j prerouting_vpn_rule
-A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Thu Apr 11 11:27:46 2019
# Generated by iptables-save v1.8.2 on Thu Apr 11 11:27:46 2019
*raw
:PREROUTING ACCEPT [2940:431588]
:OUTPUT ACCEPT [1511:481680]
:zone_lan_helper - [0:0]
:zone_vpn_helper - [0:0]
-A PREROUTING -i br-lan -m comment --comment "!fw3: lan CT helper assignment" -j zone_lan_helper
-A PREROUTING -i tun0 -m comment --comment "!fw3: vpn CT helper assignment" -j zone_vpn_helper
COMMIT
# Completed on Thu Apr 11 11:27:46 2019
# Generated by iptables-save v1.8.2 on Thu Apr 11 11:27:46 2019
*mangle
:PREROUTING ACCEPT [2943:431744]
:INPUT ACCEPT [1875:178928]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1514:482364]
:POSTROUTING ACCEPT [1514:482364]
-A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Thu Apr 11 11:27:46 2019
# Generated by iptables-save v1.8.2 on Thu Apr 11 11:27:46 2019
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_vpn_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_vpn_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_vpn_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_vpn_dest_ACCEPT - [0:0]
:zone_vpn_dest_REJECT - [0:0]
:zone_vpn_forward - [0:0]
:zone_vpn_input - [0:0]
:zone_vpn_output - [0:0]
:zone_vpn_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -p tcp -m tcp --dport 53 -m comment --comment "!fw3: @rule[9]" -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -m comment --comment "!fw3: @rule[9]" -j ACCEPT
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i tun0 -m comment --comment "!fw3" -j zone_vpn_input
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i tun0 -m comment --comment "!fw3" -j zone_vpn_forward
-A FORWARD -m comment --comment "!fw3" -j reject
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o tun0 -m comment --comment "!fw3" -j zone_vpn_output
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to vpn forwarding policy" -j zone_vpn_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_vpn_dest_ACCEPT -o tun0 -m comment --comment "!fw3" -j ACCEPT
-A zone_vpn_dest_REJECT -o tun0 -m comment --comment "!fw3" -j reject
-A zone_vpn_forward -m comment --comment "!fw3: Custom vpn forwarding rule chain" -j forwarding_vpn_rule
-A zone_vpn_forward -m comment --comment "!fw3: Zone vpn to lan forwarding policy" -j zone_lan_dest_ACCEPT
-A zone_vpn_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_vpn_forward -m comment --comment "!fw3" -j zone_vpn_dest_REJECT
-A zone_vpn_input -m comment --comment "!fw3: Custom vpn input rule chain" -j input_vpn_rule
-A zone_vpn_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_vpn_input -m comment --comment "!fw3" -j zone_vpn_src_ACCEPT
-A zone_vpn_output -m comment --comment "!fw3: Custom vpn output rule chain" -j output_vpn_rule
-A zone_vpn_output -m comment --comment "!fw3" -j zone_vpn_dest_ACCEPT
-A zone_vpn_src_ACCEPT -i tun0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
-A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Thu Apr 11 11:27:46 2019

What I do not know is what is the physical connection between both routers ?
In the main router (internet connected) I have two ethernet cables connected to the openwrt router one on port 0 (WAN - static ip 192.168.2.1) and one in port 4 (LAN - dynamic ip 192.168.1.12).
I am connecting to the modem from a PC connected to the main router and doing a ssh to 192.168.1.12
That is the only way I can ssh to the openwrt router.

uci -q delete firewall.@zone[2]
uci set firewall.@zone[1].device="tun0"
uci commit firewall
service firewall restart

I did the commands you posted.
What should I do next?
Basically I can connect via ssh 192.168.1.12 to the OpenWrt router when I connect to the OpenWrt wifi network but I still need two ethernet cables to connect to the main router which confuses me.
In the main router (internet connected) I have two ethernet cables connected to the openwrt router one on port 0 (WAN - static ip 192.168.2.1) and one in port 4 (LAN - dynamic ip 192.168.1.12).
I am connecting to the modem from a PC connected to the main router and doing a ssh to 192.168.1.12

LAN port of the Openwrt router is not supposed to connect back to the main router. Why did you do that?

because I have two interfaces
br-lan Link encap:Ethernet HWaddr 00:60:64:97:63:B5
inet addr:192.168.2.1 Bcast:192.168.2.255 Mask:255.255.255.0

and
eth0.2 Link encap:Ethernet HWaddr 00:60:64:97:63:B5
inet addr:192.168.1.12 Bcast:192.168.1.255 Mask:255.255.255.0

I can only connect via ssh to the openwrt router via ip 192.168.1.12 (I think this IP is assigned by the main router) if I disconnect any of the two cables of the openwrt router I cant log it anymore.
That is why I am sure there is something wrong in my openwrt network config
Also when I am connected to the openwrt wifi and I access via web to http://192.168.1.1 I can see the main router admin screen. Is it expected ?

Again, you have to use a different IP range for the WAN and LAN. As the main router is 192.168.1.X, change your OpenWrt router lan IP to 192.168.2.1. This will move all of its LAN users to 192.168.2.X.

Add a firewall rule to open port 22 (TCP) on the wan so you can ssh in from the WAN side, i.e. your main LAN. Or you can configure the OpenWrt router as a LAN device and not have a WAN network in it at all. See the "dumb AP" configuration guide for that.

As for the VPN, since you only get one IP address from the VPN provider, you will NAT the users into the VPN tunnel like you would with a regular Internet connection. Create a new network for VPN users called vpnuser. Set this with a static IP that is different from all your other networks and set up a DHCP server. Attach the users' wifi AP and / or ethernet VLAN to it. Create two firewall zones vpn and vpnuser. vpn is the VPN tunnel so it needs to have masq turned on. There needs to be a forwarding rule from vpnuser to vpn.

This is not correct. You are mixing two networks on the same switch.

Yes.

Sorry, how can I move all LAN users to 192.168.2.X ?
This is what I have in my /etc/confing/network
config interface 'lan'
option type 'bridge'
option ifname 'eth0.1'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.2.1'

I opened the port 22 on the firewall for the wan, now I have only one cable connected WAN (vlan - port 0 of OpenWrt router).
if you do not mind sharing some uci commands I would appreciate as .I do not know how to do it.
Thank you very much

Looks like this is the main issue, but I do not understand how to split both networks (WAN) and (LAN)

Like this



                 internet
                      |
                 +---------------+
                 |main router    |
                 +-----+---------+
                       |
                       |WAN
                  +--------------+
                  | OpenWrt      |
                  +--------------+
                       ^
                       |LAN
                       +
                +----------------+
                | Switch         |
                +----------------+
                   ^      ^    ^
                   |      |    |
                   +      +    +
                    Clients

but the switch is not a real device, right ? I have two physical devices (main router) and OpenWrt Router connected via WAN (vlan - port 0 of OpenWrt router).

BTW , only have WAN cable connected, as and I still can do ssh to 192.168.1.12 as I open the port 22 on the firewall for the wan

For the most part, UCI commands edit the /etc/config files one line at a time. If you can do that directly, there's no need to use UCI commands.

After you have changed the OpenWrt LAN to 2.1, anyone connecting to the LAN side of the OpenWrt router will get a DHCP assignment in 192.168.2.X. Really though there won't be much there, since those who want to go direct to the Australian ISP can use the main router's LAN, and those who want to VPN to Argentina will use the OpenWrt router's vpnuser.