Traffic not going through VPN tunnel on Raspberry pi with OpenWrt

Hi everybody, please excuse me for not formating right or missing some valuable info, its my first post on a forum, and i dont know how to do it propperly.

lets start like this. i live in China and i need to have my devices connected on a vpn in my appartment.
i want to connect my raspberry Pi 4 to my existing ISP router with lan cable, and broadcast that connection over internal wifi antena of raspberry Pi to my apartment.

When i connect to my home wireless and go to it takes to Chinese webportal and i think its my modem. takes me to another different Chinese web portal which could be my router.

Or is it vice versa, im not sure.

ALSO, if i go to the takes me to the same portal like
The same happens with it takes me to exactly the same portal as

Be aware that it doesn't just redirect me from 2.1 to 1.1. no, it's in the url that i am on 2.1 or 2.2.

Moving on. . .

I connect my raspberry pi with Ethernet cable to laptop, i go to openwrt. I enable wifi as AP so i can connect to it. And i give it ip

Then i disconnect the cable and and connect it to lan on my home router.

Now i can log on openwrt on (over wireless)

I go to interface settings and set LAN to wifi0 and WAN to Eth0.

Now i have internet with all the devices that are connected to the pi, but no vpn. I realize that im not routing traffic through pi and that is probably the problem, but im stuck and too stupid to realize where the mistake is.

VPN that im using is VPN12 and they have support for openwrt routers. Also i have managed to make things work with different setup where i used external wifi dongle on raspberry pi to broadcast wifi, and internal antena of the pi to connect to my existing wireless, and it worked but speeds were very bad, 0.5-2 mbs

network settings

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr ''
        option netmask ''

config globals 'globals'
        option ula_prefix 'fd86:5b44:4dbf::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option proto 'static'
        option netmask ''
        option ip6assign '60'
        option device 'wlan0'
        option ipaddr ''

config interface 'wan'
        option proto 'dhcp'
        option device 'eth0'

dhcp settings

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

again, im sorry for my bad formating and im here to provide any details you would need to help me.

Take eth0 out of br-lan. Your lan device will be wireless and the wan is wired. A whole-house VPN client router starts as a basic lan->wan router then the VPN works on top of that. The only use of the eth0 port will be to link to the Internet. You will need to log in on wifi. You could use a USB to Ethernet adapter to add another port if you need wired lan.

im sorry, do you mean here? just to delist it here?

Yes remove that list ports line entirely. The wifi will be added to the bridge because it has option network lan in the wireless config file.

i have done what you suggested.

network looks like this

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr ''
        option netmask ''

config globals 'globals'
        option ula_prefix 'fd86:5b44:4dbf::/48'

config device
        option name 'br-lan'
        option type 'bridge'

config interface 'lan'
        option proto 'static'
        option netmask ''
        option ip6assign '60'
        option device 'wlan0'
        option ipaddr ''

config interface 'wan'
        option proto 'dhcp'
        option device 'eth0'

and my interfaces look like thhis

i rebooted the system, and nothing changed.

yes you are right here is that option in my wireless config

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/soc/fe300000.mmcnr/mmc_host/mmc1/mmc1:0001/mmc1:0001:1'
        option channel '36'
        option band '5g'
        option htmode 'VHT80'
        option disabled '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'

Thanks for sharing your intent and configuration, its definitely necessary in order to really troubleshoot and figure out how to get things set up to your desire.

Anyway, first, I'd like to mention, I don't see any VPN configuration in your network settings. So I am not sure if this is expected at this time, but that will clearly be crucial to your set up.

Next, it seems like you basically want your Raspberry Pi 4 to be your new "gateway / router" that all your clients connect to, correct? If thats the case, do you intent to connect your devices to the Raspberry Pi all wirelessly? If so, then depending on the size of your apartment, your WiFi connection won't be the best, as a Raspberry Pi does not make a great wireless access point (unless you add an external WiFi adapter, that actually has an exposed antenna, and even then, it won't be the greatest, or comparable to WiFi router devices)

To get a good understanding, it looks like this is what you want your setup to look like:

clients -> RPi 4 Router (with VPN) -> ISP modem / router

In this setup, I'd suggest configuring your ethernet port, as a WAN port. Then you connect that port, to your ISP router / modem, that will then assign it an IP address from the router, that will be used to connect to the internet.

Then, I'd set up your WiFi as a WLAN network, that will be your internal network for your client devices to connect to, and connect to the VPN.

In addition, your behavior with the IP address you connect to is strange. I imagine that is your ISP's router's IP address, and not a Chinese portal, but I cant be sure without seeing it. With this in mind, I'd set up a different internal network on your WLAN, say

Then, that should really be it from a high level. If this makes sense, and this is what you want, we can get more into a configuration.

For a VPN on a router that routes all connections over the tunnel, and if you are using wireguard, you can watch a video I made on how to do that.

Then this way, all your clients should route their connection over the VPN.

hey Odyssey, vpn has its own luci app which i installed. my apartment is small enough for raspberry pi so the range is not a problem, but i did order netgear a6210 to help me if needed.

here is a folder wit screenshots to explain things better:

as i said, this vpn is working when i used 2 wireless devices to set up, and even then there is no vpn setup in /etc/config/wireless or in /etc/config/network

however, there is /etc/config/xray (which is vpn app in luci)

config general
        option xray_bin '/usr/bin/xray'
        option mark '255'
        option tproxy_port_tcp '1080'
        option tproxy_port_udp '1081'
        option socks_port '1082'
        option http_port '1083'
        option dns_port '5300'
        option dns_count '3'
        option fast_dns ''
        option secure_dns ''
        option default_dns ''
        list bypassed_domain_rules 'geosite:cn'
        list forwarded_domain_rules 'geosite:geolocation-!cn'
        list blocked_domain_rules 'geosite:category-ads'
        option wan_bp_list '/dev/null'
        option lan_target 'TP_SPEC_WAN_AC'
        option lan_ifaces 'br-lan'
        list wan_bp_ips ''
        option xray_api '1'
        option main_server 'cfg024a8f'
        option routing_domain_strategy 'AsIs'
        option conn_idle '300'
        option loglevel 'warning'
        option handshake '4'
        option uplink_only '2'
        option downlink_only '5'
        option buffer_size '512'
        option tproxy_udp_server 'cfg024a8f'
        option transparent_proxy_enable '1'
        option tproxy_sniffing '1'

after this there is bunch more config but its just for servers, all the same just different server names, ill just give you one example

config servers
        option alias 'AT Vienna XTLS 220928'
        option server ''
        option domain_strategy 'UseIP'
        option server_port '443'
        option password 'b37c7100-5ea5-412e-9ef6-6042f33f2e58'
        option protocol 'vless'
        option vless_encryption 'none'
        option vless_tls 'xtls'
        option vless_xtls_host ''
        option vless_xtls_insecure '0'
        list vless_xtls_alpn 'http/1.1'
        option transport 'tcp'
        option tcp_guise 'none'
        option vless_flow 'xtls-rprx-direct'

Thanks for sharing your configuration. I am not that familiar with xray from personal experience, but reading into it, it looks more like a proxy than a VPN. Though nonetheless, both can produce the same desired result. This would likely explain why we don't see VPN configuration in /etc/config/network, since you aren't creating a VPN interface at all.

I have also looked at your pictures and what I noticed is the following. is a rebranded LuCI interface, meaning its still OpenWrt on the backend., I'm not sure what that is, could be ISP. is clearly LuCI.

This leads me to believe that you are using some custom version of OpenWrt, that may have been provided by your ISP I presume.

If you are fine with Raspberry Pi WiFi coverage (or the addition of the netgear router as an access point), we can move onto the config.

From your config, it looks like the interface the proxy service uses is br-lan. If you remove the eth0 and wlan0 from the bridged interface, you are going to see that they do not use the proxy.

So, if we are still following the setup I mentioned earlier, where all your clients will connect over wireless, you want to change the following in the /etc/config/xray:


option lan_ifaces 'br-lan'


option lan_ifaces 'wlan0'

This should then forward your wireless connected clients over the xray proxy.

Lastly, to prevent IP collisions, you should chose another network range for your lan, that is not

So for your /etc/config/network file, you can make the lan interface look like this:

config interface
     option proto 'static'
     option netmask ''
     option ip6assign '60'
     option device 'wlan0'
     option ipaddr ''

thank you oddyssey, i actually set up everythnig like that, and it didint work... BUT i managed to make it work, i dont know why but the reason for it not working is LAN cant be 'wifi0', it has to be 'br - lan'.