Hello
I set up NordVPN (OpenVPN) on OpenWrt from Here, then
I asked ChatGPT and it guided me like this.
To set up two SSIDs with one bypassing OpenVPN and the other using OpenVPN on OpenWRT, you need to utilize VLANs, separate network interfaces, and policy-based routing. Here's a step-by-step guide:
- Configure VLANs: Create two VLANs, one for each SSID.
- Assign Interfaces: Assign each VLAN to a separate wireless network interface.
- Set up OpenVPN: Configure OpenVPN on your OpenWRT router.
- Create Firewall Zones: Define firewall zones for each network and set up rules for routing traffic.
Here's how to do it:
Step 1: Configure VLANs
Edit /etc/config/network:
# NOTE(review): 'ifname' is the pre-21.02 spelling; the poster's own config later in
# the post uses 'option device', and this example assumes switch VLANs (eth0.2/eth0.3)
# that are not both defined there. proto 'dhcp' also makes each interface a DHCP
# *client*, which is not what a network that hosts an access point wants - it needs a
# static address plus a DHCP pool in /etc/config/dhcp. Verify before copying.
config interface 'vpn'
option ifname 'eth0.2' # Assuming eth0.2 is your VLAN for VPN traffic
option proto 'dhcp'
config interface 'direct'
option ifname 'eth0.3' # Assuming eth0.3 is your VLAN for direct traffic
option proto 'dhcp'
Step 2: Assign Interfaces
Edit /etc/config/wireless:
# NOTE(review): as written these two APs carry no 'encryption'/'key' options, so they
# would come up as open networks. "Other necessary settings" must at least include
# option encryption 'psk2' (or 'sae' for WPA3) and option key '<passphrase>'.
# The poster's radio0 is disabled in their own config, so 'radio1' is the right device there.
config wifi-iface 'vpn_iface'
option device 'radio0' # Adjust according to your device
option network 'vpn'
option mode 'ap'
option ssid 'Your_VPN_SSID'
# Other necessary settings for your VPN SSID
config wifi-iface 'direct_iface'
option device 'radio0' # Adjust according to your device
option network 'direct'
option mode 'ap'
option ssid 'Your_Direct_SSID'
# Other necessary settings for your direct SSID
Step 3: Set up OpenVPN
Configure OpenVPN using the appropriate VPN provider's settings. This involves creating the client configuration file and placing it in the appropriate location (/etc/openvpn/).
Step 4: Create Firewall Zones
Edit /etc/config/firewall:
# NOTE(review): forward 'REJECT' with no accompanying 'config forwarding' sections
# means clients in these zones cannot reach any other zone (tunnel or wan) unless a
# rule opens it, while input 'ACCEPT' exposes every service the router runs (SSH,
# LuCI, DNS, DHCP) to both SSIDs. A guest-style zone is normally input 'REJECT' with
# explicit accept rules for DHCP (udp dest_port 67) and DNS (dest_port 53) and one
# 'config forwarding' towards the zone that carries its uplink. Prefer 'list network'
# (the form the stock lan/wan zones use) over 'option network'.
config zone
option name 'vpn'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option network 'vpn'
config zone
option name 'direct'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option network 'direct'
Step 5: Policy-based Routing
You need to set up policy-based routing to route traffic from one VLAN through OpenVPN and the other directly.
Edit /etc/config/firewall:
# NOTE(review): these are firewall *filter* rules; they do not implement policy-based
# routing despite the step title. With dest '*' I believe they permit forwarding from
# each zone to every other zone, which removes the isolation the zones' forward
# 'REJECT' provided, and 'priority' is not an option I recognise for 'config rule' -
# check the firewall documentation for the installed release. Steering the 'vpn'
# subnet through tun0 needs source-based routing ('ip rule' entries or the 'pbr'
# package) plus one 'config forwarding' per zone, not these rules.
config rule
option name 'VPN Traffic'
option src 'vpn'
option dest '*'
option target 'ACCEPT'
option priority '10'
config rule
option name 'Direct Traffic'
option src 'direct'
option dest '*'
option target 'ACCEPT'
option priority '20'
After configuring these settings, restart your network and firewall services or reboot your router to apply the changes.
Now I can't connect to 'Your_VPN_SSID' or 'Your_Direct_SSID'. My config:
/etc/config/network
# /etc/config/network (poster's config)
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fdae:05db:c7a9::/48'
# lan: a bridge whose only wired member is VLAN 1 (eth0.1); the 'default_radio1'
# SSID in /etc/config/wireless attaches to this network.
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0.1'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.10.1'
option netmask '255.255.255.0'
option ip6assign '60'
config device
option name 'eth0.2'
option macaddr 'e8:48:b8:e1:5a:2a'
config interface 'wan'
option device 'eth0.2'
option proto 'dhcp'
# NOTE(review): 'type bridge' inside an interface section is the old (pre-'config
# device') way of declaring a bridge; br-lan above uses the new form. This line looks
# like a leftover and may wrap eth0.2 in an extra bridge - confirm it is wanted,
# otherwise drop it.
option type 'bridge'
config interface 'wan6'
option device 'eth0.2'
option proto 'dhcpv6'
# Switch layout: VLAN 1 = CPU (tagged) + ports 2-5 (lan side), VLAN 2 = CPU (tagged)
# + port 1 (wan side). No VLAN 3 is defined, so the eth0.3 referenced by 'direct'
# below does not exist on the switch.
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '0t 2 3 4 5'
option vid '1'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '0t 1'
option vid '2'
# Holder interface for the OpenVPN tunnel device so the 'vpnfirewall' zone can reference it.
config interface 'nordvpntun'
option proto 'none'
option device 'tun0'
# NOTE(review): the two extra SSIDs in /etc/config/wireless attach to the networks
# below. Two things here are, in my reading, why stations cannot connect:
#  1. 'vpn' is placed on eth0.2, which is already the 'wan'/'wan6' device above, so
#     several DHCP clients now compete for the same port.
#  2. proto 'dhcp' makes the router a DHCP *client* on these networks; a network that
#     serves wireless stations needs its own address (proto 'static', e.g.
#     192.168.20.1/24 and 192.168.30.1/24 - example values) and a matching
#     'config dhcp' pool in /etc/config/dhcp so stations receive a lease.
# For Wi-Fi-only SSIDs no switch VLAN is required; a static interface (bridge with no
# wired ports) is enough. Verify against the installed OpenWrt release.
config interface 'vpn'
option proto 'dhcp'
option device 'eth0.2'
# NOTE(review): eth0.3 is not defined as a switch VLAN (only vid 1 and 2 above).
config interface 'direct'
option proto 'dhcp'
option device 'eth0.3'
/etc/config/wireless
# /etc/config/wireless (poster's config)
# The 5 GHz radio is disabled ('disabled 1'); every SSID below lives on radio1 (2.4 GHz).
config wifi-device 'radio0'
option type 'mac80211'
option path 'pci0000:00/0000:00:00.0'
option channel '36'
option band '5g'
option htmode 'VHT80'
option cell_density '0'
option disabled '1'
config wifi-device 'radio1'
option type 'mac80211'
option path 'platform/ahb/18100000.wmac'
option channel '1'
option band '2g'
option htmode 'HT20'
option cell_density '0'
# Main SSID on the 'lan' network (192.168.10.1/24 in /etc/config/network).
config wifi-iface 'default_radio1'
option device 'radio1'
option network 'lan'
option mode 'ap'
option ssid '240'
option encryption 'psk2'
# NOTE(review): this passphrase and the two below are now in a public post - treat
# them as disclosed and set new ones.
option key 'nyxuyfg/lh;ug4653764ud'
# NOTE(review): 'vpn' and 'direct' are proto 'dhcp' interfaces in /etc/config/network,
# and 'direct' points at a VLAN (eth0.3) the switch does not define. Stations may
# associate, but there is no address or DHCP pool to hand them - most likely the
# "cannot connect" symptom. Fix the two networks first; nothing in these two sections
# needs changing apart from the keys.
config wifi-iface 'vpn_iface'
option device 'radio1'
option network 'vpn'
option mode 'ap'
option ssid 'Your_VPN_SSID'
option encryption 'psk2'
option key '4etxfhh87g'
config wifi-iface 'direct_iface'
option device 'radio1'
option network 'direct'
option mode 'ap'
option ssid 'Your_Direct_SSID'
option encryption 'psk2'
option key '97hhjcjkkcjgx'
/etc/config/firewall
# /etc/config/firewall (poster's config) - defaults, lan/wan zones, lan->wan forward
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
# NOTE(review): lan is forwarded to BOTH 'wan' (here) and 'vpnfirewall' (further
# down). The firewall permits either path; which one packets actually take is
# decided by the routing table, not by these sections. If the 'lan' SSID is meant
# to be VPN-only, this lan->wan forwarding is what lets traffic fall back to the
# plain WAN whenever tun0 is down (no kill switch) - consider removing it and
# keeping only lan->vpnfirewall.
config forwarding
option src 'lan'
option dest 'wan'
# Stock-looking wan input rules (DHCP renew, ping, IGMP, DHCPv6, MLD, ICMPv6); they
# appear unchanged from the OpenWrt defaults and do not affect the new SSIDs.
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# NOTE(review): the next two rules accept ESP and UDP/500 from wan into lan. They
# ship with the default config, but they are only useful if a LAN host terminates
# IPsec; if nothing does, they can be removed so wan->lan forwarding stays closed.
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
# Tunnel zone: NAT out of tun0 (reached through the 'nordvpntun' interface in
# /etc/config/network) and accept nothing inbound from it.
config zone
option name 'vpnfirewall'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'nordvpntun'
config forwarding
option src 'lan'
option dest 'vpnfirewall'
# NOTE(review): the lan/wan/vpnfirewall zones above use 'list network'; the two
# zones below use 'option network'. As far as I know both are accepted, but keep one
# form for consistency.
# NOTE(review): input 'ACCEPT' on these two zones exposes every service the router
# runs (SSH, LuCI, DNS, DHCP) to whoever joins those SSIDs. If they are for
# less-trusted devices, use input 'REJECT' plus explicit accept rules for DHCP
# (udp dest_port 67) and DNS (tcp/udp dest_port 53), as is usual for guest zones.
config zone
option name 'vpn'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option network 'vpn'
config zone
option name 'direct'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option network 'direct'
# NOTE(review): these two rules do no routing; they are filter rules. With dest '*'
# I believe they match forwarding towards *any* zone, so 'vpn' clients are let into
# 'lan' and 'direct' (and vice versa) - the isolation that the zones' forward
# 'REJECT' was meant to give is lost - and nothing yet steers 'vpn' through tun0.
# The usual shape is: drop these rules, add 'config forwarding' src 'vpn' dest
# 'vpnfirewall' and src 'direct' dest 'wan', and add source-based routing ('ip rule'
# or the 'pbr' package) that sends the 'vpn' subnet via tun0. 'priority' is not an
# option I recognise for 'config rule'. Verify on the installed release.
config rule
option name 'VPN Traffic'
option src 'vpn'
option dest '*'
option target 'ACCEPT'
option priority '10'
config rule
option name 'Direct Traffic'
option src 'direct'
option dest '*'
option target 'ACCEPT'
option priority '20'