TP-Link 3020 Newbie help

I'm a little lost and am hoping someone can point me in the right direction. The goal is that I want to be able to connect my laptop, via wire to my TP router, and the installed VPN will show my laptop as in whatever country.

There is a fixed router (Router A) in my airbnb apartment - it's an airbnb so I don't have admin access. IP is 192.168.200.1. I have LAN ports and a wifi network.

I have a TP-Link 3020 (Router B). OpenWRT is installed, so too is a VPN which works. It has one LAN port. IP is 192.168.1.1.

I have wirelessly connected both routers (router B has joined router A's network) so that I can now connect to the internet via WIFI from my phone and have a VPN IP address.

However, if I try a wired connection between the routers, there is no internet connection. I am expecting that if the two routers are wired, then the travel router would "join" the main network and give me access via wifi. This isn't happening.

I think I'm missing a step somewhere but am at a bit of a loss - I suspect it's the firewall or IP/DNS settings.

If this isn't clear, or you need more info / system logs, let me know.

Cheers

Do you ever use your ethernet connection as a LAN port? Chances are that it is currently configured as such, but you need to decide if you want the ethernet port to function as a WAN or a LAN.

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/firewall

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdcd:4407:bfbb::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '192.168.100.1'
        list dns '192.168.100.1'
        option ipaddr '192.168.1.1'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 6t'

config interface 'wwan'
        option proto 'dhcp'
        option device 'tun0'

config interface 'BoxToAIRBNBWifi'
        option proto 'dhcp'
*********************************************************************************
root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/10300000.wmac'
        option channel '1'
        option band '2g'
        option htmode 'HT20'
        option cell_density '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'psk2'
        option key 'xxxpasswordredactedxxx'
        option network 'lan wwan'

config wifi-iface 'wifinet1'
        option device 'radio0'
        option mode 'sta'
        option network 'BoxToAIRBNBWifi'
        option ssid 'AirBNBWIFINetwork'
        option encryption 'psk2'
        option key 'AirbnbPasswordredacted'

*******************************************************************
root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'BoxToAIRBNBWifi'
        list device 'tun0'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled 'false'

config include
        option path '/etc/firewall.user'

To answer your question - I assume you mean the ethernet connection on the travel router? Not really, but as I am moving around I've assumed I will always physically connect the travel router to the apartment router so it will rarely, if ever, be used as a LAN connection to my laptop.

The basic "whole house" VPN client router starts as a regular lan->wan router. Since this device has only one Ethernet port you have to decide whether the port will be on the lan or the wan side. The other connection will be wireless. If wan is wired, then all the lan users have to be wireless. Set up a wifi AP on lan first, then move the Ethernet port to wan.

Once you have plain lan->wan routing working, then add the VPN. When OpenVPN starts up and connects to a commercial VPN service, by default it will reconfigure the routing table so that all Internet usage by lan goes out to the VPN tunnel. This requires having the VPN tunnel in a zone that has NAT (masquerade) enabled. You can either use the existing wan zone or create a new zone e.g. 'vpn'. The new zone would have lan->vpn forwarding enabled, and you'd remove the default lan->wan forwarding. The effect of this is the so-called "kill switch" where if the VPN is not working, LAN users will not connect to the "raw" Internet.
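A way to check the kill switch described above, as an added example that is not part of the original posts: it parses a firewall config and lists every forwarding from lan to a zone that is not tunnel-only. The names audit_killswitch and sample_config are hypothetical, the sample config is constructed, and a zone is assumed to enforce the kill switch only when it contains the tunnel device (tun0) and no other network or device.

```sh
# Added example: list forwardings that let a zone bypass the VPN tunnel.
# Reads an OpenWrt firewall config on stdin; exit status 1 means a leak.
# $1 = source zone (default lan), $2 = tunnel device (default tun0).
audit_killswitch() {
    awk -v src="${1:-lan}" -v tun="${2:-tun0}" -v q="'" '
    function unq(s,   c) {             # strip one pair of matching quotes
        c = substr(s, 1, 1)
        if ((c == q || c == "\"") && length(s) > 1 && substr(s, length(s), 1) == c)
            return substr(s, 2, length(s) - 2)
        return s
    }
    function value(   v) {             # text after "option|list <key>"
        v = $0
        sub(/^[ \t]*[a-z]+[ \t]+[^ \t]+[ \t]+/, "", v)
        sub(/[ \t\r]+$/, "", v)
        return unq(v)
    }
    function endsec() {                # record the section just parsed
        # Only a zone holding the tunnel and nothing else enforces the switch.
        if (type == "zone" && name != "" && hastun && !other) tunnel[name] = 1
        if (type == "forwarding" && fsrc == src && enabled) dest[++n] = fdest
        type = ""; name = ""; fsrc = ""; fdest = ""
        hastun = 0; other = 0; enabled = 1
    }
    BEGIN { enabled = 1 }
    NF == 0 || $1 ~ /^#/ { next }
    $1 == "config" { endsec(); type = unq($2); next }
    $1 == "option" || $1 == "list" {
        key = $2; val = value()
        if (type == "zone" && key == "name") name = val
        else if (type == "zone" && (key == "network" || key == "device")) {
            m = split(val, item, " ")
            for (i = 1; i <= m; i++) {
                if (key == "device" && item[i] == tun) hastun = 1
                else other = 1
            }
        }
        else if (type == "forwarding" && key == "src") fsrc = val
        else if (type == "forwarding" && key == "dest") fdest = val
        else if (type == "forwarding" && key == "enabled" &&
                 val ~ /^(0|no|off|false|disabled)$/) enabled = 0
    }
    END {
        endsec()
        for (i = 1; i <= n; i++)
            if (!(dest[i] in tunnel)) { print src " -> " dest[i]; bad = 1 }
        exit bad + 0
    }'
}

# Constructed sample modelled on the zones in this thread. Arguments are the
# zones that lan may forward to, one forwarding section each.
sample_config() {
    cat <<'EOF'
config zone
        option name 'lan'
        list network 'lan'

config zone
        option name 'wan'
        list network 'wan'

config zone
        option name 'vpn'
        option masq '1'
        list device 'tun0'

EOF
    for z in "$@"; do
        printf "config forwarding\n\toption src 'lan'\n\toption dest '%s'\n\n" "$z"
    done
}

if sample_config vpn wan | audit_killswitch; then
    echo "kill switch enforced"
else
    echo "leak: lan traffic can leave without the tunnel"
fi
```

On the router itself the same function can be fed the live file with `audit_killswitch < /etc/config/firewall`. It covers forwarded LAN traffic only, not traffic originating on the router.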

This looks wrong...
Why is tun0 tied to the wwan interface? It should simply be wwan with proto dhcp, no devices necessary.

The BoxToAIRBNBWifi interface is totally unnecessary.

Remove network BoxToAIRBNBWifi and tun0 from this. Add network wwan.

Create a new firewall zone for your VPN and allow lan > vpn forwarding (you can remove lan > wan forwarding as a kill-switch)

config zone
        option name 'vpn'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list device 'tun0'

config forwarding
        option src 'lan'
        option dest 'vpn'

If you wish to use ethernet, you need to remove eth0.1 from the br-lan device and create a new interface called wan that includes it.

config device
        option name 'br-lan'
        option type 'bridge'

config interface 'wan'
        option proto 'dhcp'
        option device 'eth0.1'

wwan should not be included here in the above stanza. Remove it.

And in the one below, change network to wwan

Hi,

Changes applied, and it looks better (I can connect to the internet), however the IP address is my local address, not the VPN one. Is this something you can help with or is this more the VPN set up (so hidden in my Open VPN settings?)
The travel router is wired via LAN to the Airbnb router, and I am connecting via wifi to the travel router.


root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/10300000.wmac'
        option band '2g'
        option htmode 'HT20'
        option cell_density '0'
        option channel '6'
        option country 'FR'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'psk2'
        option key 'xxxxx'

config wifi-iface 'wifinet1'
        option device 'radio0'
        option mode 'sta'
        option network 'wwan'
        option ssid 'AIRBNBWIFI'
        option encryption 'psk2'
        option key 'xxxxxxx'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wwan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled 'false'

config include
        option path '/etc/firewall.user'

config zone
        option name 'vpn'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list device 'tun0'

config forwarding
        option src 'lan'
        option dest 'vpn'

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd2c:584b:67b5::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '192.168.100.1'
        list dns '192.168.100.1'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 6t'

config interface 'wwan'
        option proto 'dhcp'

root@OpenWrt:~#

I forgot to mention, Open VPN is connected (i.e. on the system log I see confirmation it has connected)

If your wan is wired, you should not have a wifi sta connected to the upstream router, or the associated wwan network. Delete those things.

Then you need to set up an actual wired wan network:

config interface 'wan'
    option proto 'dhcp'
    option device 'eth0.1'

Remove eth0.1 from the lan bridge. Also do not set gateway or DNS in the lan, these will be configured when the wan gets DHCP from the upstream router.

This does not specify a network, it should have option network 'lan'. Do not reference wifi interfaces in /etc/config/network.

If the upstream router is also 192.168.1.0/24 network you need to change your LAN to something outside that range (e.g. 192.168.2.1) for proper routing.

You may want to start over from defaults since you've done several things here that will break it.

  • Default configuration
  • Start a wifi AP on lan (it is already there, but disabled, configure SSID and encryption and enable it)
  • Disconnect Ethernet cable, connect laptop to the router's new wifi AP and log in.
  • Remove eth0.1 from the br-lan bridge.
  • Create a new network interface named exactly wan (lower case), proto DHCP client, device eth0.1
  • Connect Ethernet cable to a LAN port of the upstream router and you should now have Internet on the router and laptop.
  • Install and configure OpenVPN.
  • Put OpenVPN tunnel in wan firewall zone or a new zone (named 'vpn' for example) with masquerade enabled on vpn and forwarding from lan to vpn.

I will give this a shot, however with:

  • Disconnect Ethernet cable, connect laptop to the router's new wifi AP and log in.

I've actually been struggling to connect to the router over wifi. I think it's because the air bnb router (which I have no admin access to) is giving the travel router a new IP address. Is there any method / tool I can use to find out the new IP address?

You won't be connected to the airbnb router at all at that stage. During this setup process, your PC should only be connected to the OpenWrt router and no other networks. The OpenWrt router's IP address will be the same LAN IP 192.168.1.1 that you were using over the cable.

Set OpenWrt wifi to use a different SSID than the airbnb router of course.

The Ethernet cable should not be connected to anything until you have fully moved eth0.1 to the wan network and applied that change. At that point connect the cable and OpenWrt will acquire a wan IP address from the airbnb router, but that will not affect operations on the lan side.

Hi

Ok, I have made your changes, however I have an odd issue with the VPN connection.
I have internet access wirelessly to my travel router.
I have set up the VPN
I have set up a new zone.
However I cannot connect to the internet.
However - when I activate the software version of the VPN my access to the internet restarts.
Is there something in my setup blocking connections until a VPN is present? A few other posters mentioned a killswitch.

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled 'false'

config include
        option path '/etc/firewall.user'

config zone
        option name 'vpn'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list device 'tun0'

config forwarding
        option src 'lan'
        option dest 'vpn'

config forwarding
        option src 'lan'
        option dest 'wan'

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd77:ba5c:6e91::/48'

config device
        option name 'br-lan'
        option type 'bridge'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 6t'

config interface 'wan'
        option proto 'dhcp'
        option device 'eth0.1'

To clarify, the software version of the vpn - is the vpn installed on my laptop. When I connect to it, the connection kicks in.
And MY IP address is the software's destination (Japan) rather than the router's vpn destination (France).

Cheers!

Remove the following from your firewall config if you do not want your traffic to be able to bypass the VPN. (removing this means that your client devices will not be able to connect to the internet unless the VPN tunnel is up and running).

As @mk24 mentioned earlier, this will not work if the upstream device (the AirBnB wifi that you cannot control) uses the same subnet.

You might use some uncommon/random subnet within the RFC1918 ranges to make a collision less likely... for example, 172.23.24.0/24 would probably be unlikely to conflict with any upstream you're likely to encounter.

:question: This is confusing. Do you have a VPN configured on the MR3020? Is there one setup on your computer? Both?
Are things working the way you want, or are there still issues?

I have wifi access to the internet.
There is a VPN on the MR3020.
I turn this "on". It connects to the VPN servers (no error messages), but doing so kills my current internet connection.

I also have a software vpn on my laptop.
If I try to connect via the MR3020 wifi - I cannot reach the internet. If I then turn on my computer's VPN the connection works.
However the IP address is from the software's location, not the router's VPN.

With the VPN active on your OpenWrt router (and not on your computer), log in to the router via ssh and try pinging:

Then repeat the process from your computer (with the VPN active only on the router, not the computer).
Post the results here.

Actually, it looks like it is just my laptop - everything else seems fine so I'll fiddle around with it myself.

Could I possibly add a follow on question before closing this down?
My wifi speed on this network is pretty "meh". i.e. I connect my laptop and get

Air bnb wifi - 70mb
Air bnb wired connection - 100 mb
MR3020 wifi connection - 15mb (provided by the lan cable into the router)

Is this expected due to it being a relay i.e. speed naturally gets "lost", or is something afoot? I don't think it is the VPN, as the software version of it is fine.
(If this is worthy of another post, let me know and I'll ask in a fresh thread.)

Thanks for your help!

The mr3020 is an old and low power device. It has slow WiFi and a slow/under powered cpu. This is expected behavior because of the nature of the hardware in the box. It’s like expecting a typical small family sedan like a Toyota Corolla from the 1980s to be fast by modern standards… it’s not, but it was fine for its era.


15 Mb is actually more than expected for OpenVPN on a MR3020. For OpenVPN at 100 Mb you need quite a bit of CPU in the router. Also a 2.4 GHz 20 MHz 1x1 (I think the radio is 1x1) link is only good for about 30 - 40 Mb actual throughput best case. Finally, the Ethernet port in the MR3020 operates at 100 Mb line speed, which limits to about 94 Mb net speed, but that isn't the main problem here, it's the slow CPU and limited wifi.

If your VPN service offers Wireguard, that protocol is much easier on the router CPU and will result in better speed on your hardware.


:rofl: :rofl: Fair enough. Thanks very much for your help!