Use router as an access point connected to a VPN

This is my first time doing anything like this...
Here's what I'm trying to do:


So I want to connect the OpenWrt router to the main router and send its traffic through a VPN (NordVPN), so that my computer sees two networks: one with the VPN enabled and one without.
My router is TP-Link WDR3600
I've followed this tutorial but it didn't work...
Any help would be appreciated A LOT!

Here's my /etc/config/network file:

# /etc/config/network as first posted (TP-Link WDR3600, swconfig switch).
# The two defects the replies go on to point out are marked below: the WAN
# interface shares eth0.1 with the LAN bridge, and the "VPN" interface is a
# bridge over the wifi radio instead of the OpenVPN tunnel device.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        # placeholder; the real prefix was redacted from the post
        option ula_prefix <ula_prefix>

# LAN bridge: eth0.1 is switch VLAN 1 (ports 2-5 plus the tagged CPU port 0,
# see the switch_vlan sections below), i.e. the LAN switch ports.
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        # Same subnet as the upstream router's LAN (192.168.1.0/24, confirmed
        # later in the thread). The two must differ, otherwise this router
        # cannot route between its LAN and its WAN.
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

# MAC override for the WAN-side switch device (VLAN 2); value redacted.
config device
        option name 'eth0.2'
        option macaddr <macaddr>

# DEFECT: eth0.1 is already the only port of br-lan, so WAN and LAN end up on
# the same VLAN and the lan/wan zone split in /etc/config/firewall cannot
# meaningfully separate them. The WAN port is switch VLAN 2 = eth0.2 (which
# wan6 below already uses), and 'type bridge' does not belong on an interface
# section at all.
config interface 'wan'
        option proto 'dhcp'
        option device 'eth0.1'
        option type 'bridge'
        # Upstream-supplied resolvers are ignored in favour of these two
        # (presumably NordVPN's). They are reached over whatever route is
        # active, so DNS queries leave unencrypted whenever tun0 is not the
        # default route - keep this in mind when checking for DNS leaks.
        option peerdns '0'
        list dns '103.86.96.100'
        list dns '103.86.99.100'

# IPv6 WAN, on the correct WAN-side device.
config interface 'wan6'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'
        option device 'eth0.2'

# swconfig layout: VLAN 1 = LAN ports 2-5, VLAN 2 = WAN port 1, both tagged
# to CPU port 0 (which is what eth0.1 / eth0.2 refer to).
config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '2 3 4 5 0t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '1 0t'

# Wireless-WAN client interface. Nothing in the posted /etc/config/wireless
# has mode 'sta' with network 'wwan', so as posted this has no device and
# never comes up.
config interface 'wwan'
        option proto 'dhcp'

# DEFECT: this is meant to be the OpenVPN tunnel (the 'vpnfirewall' zone in
# /etc/config/firewall masquerades through it), but it is a bridge over
# wlan0 (presumably the radio0 AP). It should be 'option proto none' with
# 'option device tun0' and no 'type bridge'. tun0 only exists once OpenVPN
# is running, so LuCI reporting it as absent before that is expected.
config interface 'nordvpntun'
        option proto 'none'
        option type 'bridge'
        option device 'wlan0'

My /etc/config/firewall file:

# /etc/config/firewall as posted: the stock OpenWrt rule set plus a
# 'vpnfirewall' zone for the tunnel. As posted, LAN clients are allowed out
# both through the VPN zone and directly through the WAN zone - see the two
# 'config forwarding' sections.
config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

# Trusted side: anything on the lan interface may reach the router and be
# forwarded (subject to the forwarding sections below).
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

# Untrusted side: wired WAN, IPv6 WAN and the wireless-WAN client interface.
# Inbound to the router is rejected except for the explicit rules below;
# outbound is NATed. Note that "untrusted" here is the home LAN behind the
# main router, not the open internet.
config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        list network 'wwan'

# LAN -> plain WAN. Together with the lan -> vpnfirewall forwarding at the end
# of this file, nothing forces clients through the tunnel: if tun0 goes down
# (or never comes up) their traffic can simply leave via the upstream router,
# unencrypted, with no visible sign. For a VPN-only LAN remove this section
# (a "kill switch"); for the stated goal of one VPN network and one plain
# network, split them into separate interfaces/zones and give only the plain
# one a lan -> wan forwarding.
config forwarding
        option src 'lan'
        option dest 'wan'

# --- stock OpenWrt input rules for the wan zone ---

# DHCP lease renewal from the upstream DHCP server.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

# Let the upstream side ping this router.
config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

# DHCPv6 client traffic, restricted to link-local/ULA scoped addresses.
config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

# MLD multicast-listener messages from link-local sources only.
config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

# ICMPv6 types IPv6 needs to function, rate limited, delivered to the router.
config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# Same idea for ICMPv6 forwarded through the router to any zone.
config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# Stock rules that let IPsec ESP and IKE (UDP/500) from the wan zone be
# forwarded into the LAN. Not needed for an OpenVPN client; since the wan
# zone here is the home network behind the main router, consider disabling
# them unless something on the LAN actually terminates IPsec.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# Disabled: would answer traceroute probes with a reject instead of a drop.
config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled 'false'

# Legacy iptables include (firewall3). NOTE(review): if this image runs fw4
# (nftables), /etc/firewall.user is not loaded - verify which firewall the
# build uses before relying on anything in that file.
config include
        option path '/etc/firewall.user'

# VPN zone: the tunnel interface. Inbound from the tunnel is rejected,
# outbound is NATed so LAN addresses are masqueraded behind the tunnel
# address. Whether this really covers the tunnel depends on what
# 'nordvpntun' is bound to in /etc/config/network - in the first paste it
# was wlan0, not tun0.
config zone
        option name 'vpnfirewall'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'nordvpntun'

# LAN -> VPN: the intended path. See the lan -> wan forwarding above for why
# it is not the only one.
config forwarding
        option src 'lan'
        option dest 'vpnfirewall'

And my /etc/config/wireless file:

# /etc/config/wireless as posted. Only an access point on radio0, bridged
# into the LAN, is defined. There is no wifi-iface with mode 'sta', so the
# 'wwan' interface in /etc/config/network has nothing to attach to; if the
# upstream link is wireless (as it turns out later in the thread), a
# wifi-iface with mode 'sta' and network 'wwan' is needed.
config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/ahb/18100000.wmac'
        option band '2g'
        option cell_density '0'
        # 40 MHz channel width on 2.4 GHz, automatic channel selection.
        option htmode 'HT40'
        option channel 'auto'
        # regulatory domain; must match where the router is actually used
        option country 'CA'

# 5 GHz radio, left disabled.
config wifi-device 'radio1'
        option type 'mac80211'
        option path 'pci0000:00/0000:00:00.0'
        option channel '36'
        option band '5g'
        option htmode 'HT20'
        option disabled '1'

# The AP that LAN clients (including the user's PC) join.
config wifi-iface 'wifinet0'
        option device 'radio0'
        option mode 'ap'
        # SSID and passphrase redacted in the post.
        option ssid 'NAME'
        # WPA2-PSK. Fine as a baseline; 'sae-mixed' (WPA2/WPA3) is an option
        # if the build's hostapd and the clients support it.
        option encryption 'psk2'
        option key 'KEY'
        option network 'lan'

Looks like you deviated from the tutorial quite a bit (also, that tutorial is very old: OpenWrt no longer ships a telnet server, so use SSH for the shell steps).

Your 'nordvpntun' interface shouldn't be a bridge or point at a wlan device. It should reference only the tunnel device, tun0.

Likewise, your wan interface should not have 'type bridge' on it.

Is your wan wired or wireless?


Yeah, I first tried with tun0, but it was shown as an "absent interface."

If by "wan" you mean how I connect my PC to the VPN router: yes, it's wireless.

No, the WAN is the upstream connection (usually the internet). How does your router connect?


Oh right, via a DSL cable

DSL is clearly upstream -- your main router is probably connected to the internet via DSL.

What about your OpenWrt router with the VPN functionality? How does that connect to the rest of the network?


With an Ethernet cable, from the OpenWrt router's internet port (the blue WAN port) to one of the main router's LAN ports (so the OpenWrt router shows up as a client device on the main network).

I don't know if it's going to work, but before setting up the VPN I was able to do this wirelessly (connect the OpenWrt router to the main router's Wi-Fi and use its internet, so it acted as a separate network).

What address range does your main router use for its LAN (i.e. all of the other devices on your network)? Is it 192.168.1.0/24?


Yes both of them

They cannot be the same... that is likely one of the major issues: if both routers use 192.168.1.0/24, the OpenWrt router cannot route between its LAN and its WAN, because both interfaces claim the same subnet.

Change your OpenWrt router's LAN to something else in the RFC 1918 private ranges, such as 192.168.2.1 or 10.0.5.1 (as examples).


Ok thanks
I’m gonna notify when its done

Done, but still nothing...
here's the updated network file:

# /etc/config/network after the first round of advice. Fixed: the LAN subnet
# moved to 10.71.71.0/24 and 'nordvpntun' now points at tun0. Still wrong:
# the WAN section keeps 'type bridge' and device eth0.1 (it should be eth0.2
# only, as the next reply says).
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        # placeholder; the real prefix was redacted from the post
        option ula_prefix '<ula_prefix>'

# LAN bridge over switch VLAN 1 (ports 2-5).
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        # Now distinct from the upstream 192.168.1.0/24, so routing between
        # the two networks is possible.
        option ipaddr '10.71.71.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        # keep the interface configured even when no LAN port has link
        option force_link '1'

# MAC override for the WAN-side switch device (VLAN 2); value redacted.
config device
        option name 'eth0.2'
        option macaddr '<macaddr>'

# DEFECT (still present): eth0.1 belongs to br-lan. WAN should be eth0.2
# with no 'type bridge' - see the corrected three-line section later in the
# thread.
config interface 'wan'
        option proto 'dhcp'
        option device 'eth0.1'
        option type 'bridge'
        # Upstream resolvers ignored; these two (presumably an OpenDNS and a
        # NordVPN address) are queried over the active default route, i.e.
        # outside the tunnel whenever tun0 is down. The next reply asks to
        # drop them temporarily to reduce variables.
        option peerdns '0'
        list dns '208.67.222.220'
        list dns '103.86.99.100'

config interface 'wan6'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'
        option device 'eth0.2'

# swconfig layout: VLAN 1 = LAN ports 2-5, VLAN 2 = WAN port 1, both tagged
# to CPU port 0.
config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '2 3 4 5 0t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '1 0t'

# Wireless-WAN client interface; still nothing in /etc/config/wireless binds
# a 'sta' wifi-iface to it.
config interface 'wwan'
        option proto 'dhcp'
        option peerdns '0'
        # NOTE(review): written as one space-separated 'option' rather than
        # two 'list dns' lines as in the wan section - verify netifd parses
        # this form. As with wan, these resolvers are reached outside the
        # tunnel unless the default route is tun0.
        option dns '208.67.222.220 1.1.1.1'

# Corrected: the OpenVPN tunnel device, unmanaged (OpenVPN assigns the
# address), no bridge. LuCI lists it as absent until OpenVPN has created tun0.
config interface 'nordvpntun'
        option proto 'none'
        option device 'tun0'

Your WAN still has a bridge definition. That should be removed. And your WAN device is wrong: eth0.1 is the LAN bridge port, while the WAN port is switch VLAN 2, i.e. eth0.2 (which your wan6 section already uses). Also, for the moment, remove the WAN DNS entries (you can put them back later, but we want to eliminate any variables that can mess things up). Make it look like this:

# Minimal WAN for troubleshooting: DHCP client on eth0.2 (switch VLAN 2, the
# blue WAN port), no bridge, no resolver overrides. peerdns/dns can be
# re-added once basic connectivity works.
config interface 'wan'
        option proto 'dhcp'
        option device 'eth0.2'

Done; here are the results (still no internet):

You'll probably be best served by resetting the device to defaults. Then change your LAN IP (as you have done already -- but you'll need to do it again after the reset).

See if that works before doing anything else. If that works, go back to your tutorial and run through it again.


ok sure, thanks
gonna reply when done

Thanks a lot! It's working!
But there are still two things left:

  1. The VPN is functioning correctly and the network file is all set up, but no VPN configuration shows up in the GUI:

  2. It's much slower than expected: our connection normally gets around 12 Mbps, but connecting through the OpenWrt router to the main router drops it to around 6 Mbps, and with the VPN on it barely reaches 2 Mbps. (Note that I was unable to connect the OpenWrt router to the main router via Ethernet; instead I connected them wirelessly, thinking that shouldn't matter much -- or does it?)

I know I can't do much about the VPN part (it may be the server's problem), but what's really bugging me is the speed almost halving just from connecting through the OpenWrt router to the main router...

OpenVPN encryption at around 12 Mb/s is about what the CPU in the WDR3600 is capable of. If your VPN service offers WireGuard instead of OpenVPN, that protocol demands much less from the router's CPU, so VPN throughput will improve. Otherwise you can live with ~12 Mb/s or upgrade to a router with a more powerful CPU.

The simplest way to set up a box like this is to follow the instructions as if it were a main router, since most instructions you find for setting up a VPN client on a home router assume this. The fact that it is connected to the Internet indirectly through another router is of no consequence. The VPN client only needs some path to the Internet.

The only thing you should need to change from the default configuration is the LAN IP subnet, if it conflicts with the subnet of the network you're using for WAN. If you want the OpenWrt LAN to be VPN-only, also make sure no lan → wan forwarding is left in the firewall alongside the lan → VPN one, so that traffic cannot silently fall back to the plain WAN when the tunnel is down.

Hmm, I don't know if it supports WireGuard:

This is what the link opens to... the tutorial page.

My main problem is the speed drop between the main router and the OpenWrt router. Is it because the routers are connected wirelessly? Is a wired Ethernet link really that much better, even though the routers are less than a metre apart?
If so what should I do?
