[Solved] Vpn router problems

Hello, I have a TP-Link router running OpenWrt that is connected as a wireless client to the primary Vodafone router. I'd like to use the TP-Link as a VPN router. I was able to set up the NordVPN connection with LuCI and followed various tutorials to make it work for the devices connected by LAN cable, but I'm having problems: either I can't reach the internet at all, or I can, but the traffic is not going through the VPN and still shows the Vodafone public IP. Any help? Thanks

This is a somewhat unusual setup. If the VPN is not running on the main internet gateway, the other hosts on the LAN must be told to use the VPN router as their default gateway; that can be done by changing the default gateway handed out by the DHCP server. By design, though, this is not a good solution.

Thx, yes I know it's not the best solution but my main router is blocked and can't add a vpn on it. So I just need to go into the DHCP server and put the tplink ip as gateway? Thx. I add that I only need the vpn connection on the devices connected via lan to the tplink.

If your main router is blocked, then I rather doubt you'll be able to change the gateway option in its dhcp.
It would be better either to decommission it, or to connect the WAN port of the TP-Link to one of the LAN ports of the Vodafone router and then connect all your hosts to the LAN of the TP-Link.

By "blocked" I mean that I can't install OpenWrt or add functions to it, but I can change its settings. So do I need to change the gateway on the main router rather than on the TP-Link? I only need to VPN-protect the devices connected to the TP-Link, not all devices. I hope that is clear — thanks.

The standard configuration should work if the TP-Link routes those clients out of its "WAN", which here is really the LAN of your main router. In other words, from their point of view everything beyond the TP-Link is the Internet.

This will not work so well if the VPN clients need a direct connection to machines on the main router's LAN.


Thanks but the standard configuration doesn't work, I still have the same public ip of the main router. Regarding the vpn users , they don't need to connect to the lan machines of main router, so that's not a problem for me

Then let's have a look at the configuration of OpenWrt to see what's wrong:

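# Collect the OpenWrt network/wireless/DHCP/firewall configuration plus the
# live IPv4 addresses, routes from every routing table, policy rules and the
# resolver files, for troubleshooting.
# Before posting the output publicly, redact credentials and identifiers it
# contains: `option key` (Wi-Fi PSK), `option password`/`username` (PPPoE),
# and real SSIDs / MAC addresses.
# BusyBox `ip` on OpenWrt rejects the `ls` sub-command ("invalid argument
# 'ls' to 'ip'"), which would leave the route dump out entirely; `show` is
# the spelling accepted by both BusyBox and full iproute2.
uci export network; uci export wireless; \
uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
ip -4 addr; ip -4 ro show tab all; ip -4 ru; \
ls -l /etc/resolv.* /tmp/resolv.*; head -n -0 /etc/resolv.* /tmp/resolv.*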

Please use "Preformatted text </>" for logs, scripts, configs and general console output.

Sorry for the delay, but I was sleeping :stuck_out_tongue:

Here's the output:

root@OpenWrt:~# uci export network; uci export wireless; \
> uci export dhcp; uci export firewall; \
> head -n -0 /etc/firewall.user; \
> ip -4 addr ; ip -4 ro ls tab all ; ip -4 ru; \
> ls -l  /etc/resolv.* /tmp/resolv.*; head -n -0 /etc/resolv.* /tmp/resolv.*
package network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd8b:71c7:6986::/48'

config atm-bridge 'atm'
        option vpi '1'
        option vci '32'
        option encaps 'llc'
        option payload 'bridged'
        option nameprefix 'dsl'

config dsl 'dsl'
        option annex 'a'
        option tone 'av'
        option ds_snr_offset '0'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option ifname 'dsl0'
        option proto 'pppoe'
        option username 'username'
        option password 'password'
        option ipv6 '1'
        option peerdns '0'
        list dns '8.8.8.8'
        list dns '8.8.4.4'

config device 'wan_dev'
        option name 'dsl0'
        option macaddr 'f8:1a:67:a1:a7:6c'

config interface 'wan6'
        option ifname '@wan'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 2 4 5 6t'

config interface 'wwan'
        option proto 'dhcp'

package wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option channel '11'
        option hwmode '11g'
        option path 'pci0000:01/0000:01:00.0/0000:02:00.0'
        option htmode 'HT20'
        option legacy_rates '0'
        option country 'IT'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'
        option disabled '1'

config wifi-iface 'wifinet1'
        option ssid 'Vodafone-A78545582'
        option device 'radio0'
        option mode 'sta'
        option key 'mypassword'
        option encryption 'psk2'
        option network 'wwan'

package dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv6 'server'
        option ra 'server'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

package firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list device 'tun0'
        option network 'wan wan6 wwan'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config forwarding
        option dest 'ovpn_fw'
        option src 'lan'

config forwarding
        option src 'lan'
        option dest 'vpnfirewall'

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
4: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
7: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 100
    inet 10.8.0.10/24 brd 10.8.0.255 scope global tun0
       valid_lft forever preferred_lft forever
8: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.1.14/24 brd 192.168.1.255 scope global wlan0
       valid_lft forever preferred_lft forever
ip: invalid argument 'ls' to 'ip'
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
lrwxrwxrwx    1 root     root            16 Feb 27 21:05 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root            32 Apr 13 16:52 /tmp/resolv.conf
-rw-r--r--    1 root     root            93 Apr 14 07:41 /tmp/resolv.conf.auto
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf.auto <==
# Interface wwan
nameserver 192.168.1.1
nameserver 8.8.8.8
nameserver 8.8.4.4
search station

You have an address conflict between the lan and wwan interfaces: br-lan is 192.168.1.1/24 and wlan0 got 192.168.1.14/24 from the Vodafone router, so both sit in the same subnet and the TP-Link cannot route between them. Change the LAN interface to a different network, e.g. 192.168.2.1/24.

When I try to change the LAN interface to 192.168.2.1/24 through LuCI, it says "failed to confirm apply within 30 seconds, waiting for rollback...".
After that I can no longer reach the control panel until I power-cycle the router, at which point the IP is back to the old 192.168.1.1.

That is expected: your PC still has an address in the old 192.168.1.x subnet, so it cannot reach the router at the new address to confirm the change. Wait until the countdown expires, then click "Apply unchecked".
Then renew your PC's DHCP lease (or reconnect) so it gets a 192.168.2.x address, and use 192.168.2.1 to reach the router.

I didn't have the apply unchecked loading. So I edited /etc/config/network manually and now I finally have the 2.1 ip, the problem is that I still can't surf the net.

Okay, post once again the following:
# Live IPv4 state only: addresses, the main routing table, and policy rules.
for view in addr ro ru; do ip -4 "$view"; done

root@OpenWrt:~# ip -4 addr; ip -4 ro; ip -4 ru
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
4: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.2.1/16 brd 192.168.255.255 scope global br-lan
       valid_lft forever preferred_lft forever
6: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.1.14/24 brd 192.168.1.255 scope global wlan0
       valid_lft forever preferred_lft forever
7: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 100
    inet 10.8.0.2/24 brd 10.8.0.255 scope global tun0
       valid_lft forever preferred_lft forever
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0  src 192.168.1.14
10.8.0.0/24 dev tun0 scope link  src 10.8.0.2
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.0.0/16 dev br-lan scope link  src 192.168.2.1
192.168.1.0/24 dev wlan0 scope link  src 192.168.1.14
217.138.219.134 via 192.168.1.1 dev wlan0
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default

The new LAN mask is wrong: 192.168.2.1/16 installs a 192.168.0.0/16 route on br-lan that again overlaps the 192.168.1.0/24 uplink on wlan0. Set the netmask to 255.255.255.0 (/24).

ok fixed it, I still can't surf though. Do I need to create a new interface for managing tun0 ?

root@OpenWrt:~# ip -4 addr; ip -4 ro; ip -4 ru
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
6: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.1.14/24 brd 192.168.1.255 scope global wlan0
       valid_lft forever preferred_lft forever
7: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 100
    inet 10.8.2.8/24 brd 10.8.2.255 scope global tun0
       valid_lft forever preferred_lft forever
12: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.2.1/24 brd 192.168.2.255 scope global br-lan
       valid_lft forever preferred_lft forever
0.0.0.0/1 via 10.8.2.1 dev tun0
default via 192.168.1.1 dev wlan0  src 192.168.1.14
10.8.2.0/24 dev tun0 scope link  src 10.8.2.8
128.0.0.0/1 via 10.8.2.1 dev tun0
192.168.1.0/24 dev wlan0 scope link  src 192.168.1.14
192.168.2.0/24 dev br-lan scope link  src 192.168.2.1
217.138.219.134 via 192.168.1.1 dev wlan0
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default

I created a new unmanaged interface for tun0 , disabled ipv6 and added tun0 to wan in firewall settings and now I can surf, but the ip is the vodafone one, not the vpn one.

That was not necessary.

It was already there.

config zone
        option name 'wan'
[...]
        list device 'tun0'
        option network 'wan wan6 wwan'

Maybe the VPN was not connected at that moment? While the tunnel is up, the two /1 routes via tun0 (0.0.0.0/1 and 128.0.0.0/1) take precedence over the default route via 192.168.1.1, so LAN traffic goes through the VPN. Two caveats for when it "works": if the tunnel drops, those routes disappear and traffic silently falls back to the Vodafone gateway over wlan0, because tun0 and wwan share the same wan zone with masquerading — for a fail-closed setup, put tun0 in its own zone and forward lan only to that zone, not to a zone that also contains wwan. Also, /tmp/resolv.conf.auto lists 192.168.1.1 (the Vodafone router) as an upstream DNS server, and that address is reached over the directly connected wlan0 subnet rather than through the tunnel, so DNS queries can bypass the VPN; set peerdns to 0 on the wwan interface and list the VPN provider's resolvers instead.
Post a traceroute from the host that has the issue: `tracert 1.1.1.1` on Windows, `traceroute 1.1.1.1` on Linux.

Traccia instradamento verso one.one.one.one [1.1.1.1]
su un massimo di 30 punti di passaggio:

  1     1 ms    <1 ms    <1 ms  OpenWrt.lan [192.168.2.1]
  2    20 ms    19 ms    19 ms  10.8.2.1
  3    20 ms    28 ms    20 ms  217.138.197.73
  4   182 ms   181 ms   167 ms  217.138.223.68
  5    70 ms    60 ms    60 ms  te-2-10-0.bb2.mil1.it.m247.com [77.243.185.142]
  6    20 ms    19 ms    22 ms  xe-1-2-3-0.bb1.mil1.it.m247.com [37.120.128.182]
  7    23 ms    21 ms    21 ms  cloudflare.minap.it [185.1.114.25]
  8    20 ms    32 ms    20 ms  one.one.one.one [1.1.1.1]

Traccia completata.

I deleted the extra interface and now it seems to work! When I check my public IP it is no longer the Vodafone one :slight_smile: — thanks a lot!