Using OpenWRT router for VPN with 5g-sim main router

Hi,

I'm trying to use my OpenWRT router (WRT-1900ACS) as a 2nd router connected to my main ISP 5G-Sim router in order to use Wireguard VPN on OpenWRT along with pbr (Policy Based Routing).

For example, if my phone is connected to my main router's WIFI, I want it to be able to go through the wireguard VPN interface on the OpenWRT router. And for my laptop to go through another (different location) wireguard VPN interface. And other devices to go through WAN.

Please have a look at this gallery for all my settings:

https://imgur.com/a/ajrlc81

Additional details:

ISP 5G-sim Router (Main) - 192.168.10.1
OpenWRT router - 192.168.10.2

I've connected the OpenWRT router to the main router via ethernet (from the main router's LAN port to the OpenWRT router's LAN1 port).

I have also setup a Wireguard Interface and assigned a VPN firewall zone to it.

With this setup, I can access both my Main and OpenWRT settings from my devices when connected to the main router's wifi. The OpenWRT router also has access to internet itself.

Next I installed the pbr packages required, then set up a rule for my phone to go through the VPN. So for example:

192.168.10.115 --> "WG-Miami" interface

And this is where I'm facing an issue. I can't start the pbr service. It gives me the following errors:

Service Errors

Failed to set up 'lan/br-lan/192.168.10.1'!
Failed to set up 'wan/0.0.0.0'!
Failed to set up 'WG_Miami/0.0.0.0'!
Failed to set up any gateway!

Also, I can't test if the wireguard VPN interface is working either, since I can't route anything through it using pbr, and I'm not sure how to make the whole network go through the VPN to test it. That's not something I want to actually do, but just for testing purposes I imagine it wouldn't hurt.

Would appreciate any tips, what am I doing wrong here with the settings? Also, I'm a Luci user so I would appreciate it if you could guide me through Luci, but if it must be done otherwise, I will manage. Anything to fix this situation. Thanks.

It will be exceedingly difficult to get the traffic to be tunneled the way you have configured your network. It is possible with manual configuration of your client devices (i.e. your phone, laptop, etc.), but that is usually more prone to issues than it is worth.

Without manual configuration of your phone, this is not possible.

If, instead, you connect your phone to the wifi from the WRT1900ACS (with some additional configuration changes), this would be much easier to achieve.

Do you need to use the main router's wifi? Disabling the main router's wifi (making it basically just a modem) and putting all of your devices behind the OpenWrt router will be the best way to achieve your goal. Is this an option you can consider?

Thank you for the reply.

I guess I will have to if there are no other options. But I'm willing to try and achieve this the way I want even if it's a little bit of a challenge.

The reason why I want to stick to the main router's WIFI is because it's a WIFI6 router and it's the router that's in the room where I will be the most. I also can't move the main router because it's a SIM based router and it has to sit near the window to get the best signal. Otherwise it will drop to 4G and I'll get slow speeds. So the OpenWRT router is sitting in a completely different area and I'm also connecting some old PCs to it through Ethernet. I can and will be using the OpenWRT router's WIFI when I'm near it, but that's not going to happen often. I just really want to be able to route through it even if I'm connected to the main router's WIFI.

I'm still looking around, reading through different guides. Another setup I've seen is to connect the ethernet cable coming from the main router's LAN port to the OpenWRT's "WAN" port, and then set up OpenWRT to be on a different subnet, for example 192.168.20.1, and then manually configure the devices to use a static IP and set the gateway to 192.168.20.1.

Would that work even if I'm connected to the main router's wifi (with IP 192.168.10.1)? Is this the method you were mentioning when you said it's possible with manual configuration?

If you want to use the OpenWrt router as 'just another LAN device' that sets up an outbound VPN connection, it is possible, but annoying and far from ideal.

The issue is that the DHCP server on your main router is going to assign itself as the network's gateway... therefore all of the client devices on your network will send internet traffic to the main gateway for routing towards the internet. Neither your client devices nor your main router have any awareness that there is another gateway in your network.

Assuming that the VPN is up and running properly, you can point your devices to a gateway address of 192.168.10.2 (instead of the default 192.168.10.1). The OpenWrt device should then route through the VPN.

To achieve this, you'll usually need to do one of two things:

  1. Manually configure your client devices. You'll set a static IP on those devices within your main router's subnet (192.168.10.0/24), being sure to avoid conflicting addresses and the DHCP address range. You'll set the gateway to 192.168.10.2, and likely the DNS to the same address. The subnet mask will be 255.255.255.0 or /24, unless your main router is not running a /24 network (most home networks are /24).
    or
  2. Set the DHCP server to advertise the desired gateway. Sometimes you can actually tell the main router's DHCP server to advertise a different gateway, although that's not terribly common in the vendor firmware, and in most cases it is all-or-nothing (meaning that you'd be VPN'ing everything, not just specific devices -- not sure if that matters here). You could also consider disabling the DHCP server on the main router and then use the DHCP server on your OpenWrt device -- in that case, you can specify DHCP options 3 and 6 (gateway and DNS) accordingly. I think it might even be possible to configure the DHCP server on OpenWrt to issue different options to different clients (based on their MAC addresses), but I've never tried to do this (also be aware that you need to disable the randomized/private MAC addresses that are common these days for most mobile devices and full computer OSes).
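The per-client variant of option 2, written out as an added example (not the poster's own configuration): an /etc/config/dhcp fragment for the OpenWrt router at 192.168.10.2, assuming the main router's DHCP server has been disabled, that the WireGuard tunnel is the OpenWrt device's default route, and that the phone's MAC address is a placeholder. Everyone else keeps the ISP router as gateway and DNS; only hosts carrying the vpn_clients tag are handed 192.168.10.2.

```uci
# /etc/config/dhcp fragment on the OpenWrt router (LAN address 192.168.10.2).
# Assumes the ISP router's DHCP server is switched off, so dnsmasq here is the
# only DHCP server on 192.168.10.0/24.

config dhcp 'lan'
	option interface 'lan'
	# Pool .150-.249, kept clear of the fixed leases below
	option start '150'
	option limit '100'
	option leasetime '12h'
	# Untagged defaults: gateway (option 3) and DNS (option 6) stay on the ISP router,
	# so ordinary devices keep going out over the 5G WAN
	list dhcp_option '3,192.168.10.1'
	list dhcp_option '6,192.168.10.1'

# Options attached to a tag take precedence over the untagged ones above
# for any client that carries the tag
config tag 'vpn_clients'
	list dhcp_option '3,192.168.10.2'
	list dhcp_option '6,192.168.10.2'

# The phone: fixed lease at the address used in the thread plus the vpn_clients tag.
# The MAC below is a placeholder; the phone must have randomized/private MAC
# disabled for this network, otherwise it never matches this entry.
config host
	option name 'phone'
	option mac '00:11:22:33:44:55'
	option ip '192.168.10.115'
	option tag 'vpn_clients'
```

After `/etc/init.d/dnsmasq restart`, renew the phone's lease and confirm in its WiFi details that the gateway and DNS show 192.168.10.2 while another device still shows 192.168.10.1.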

I don't want to be VPN'ing everything so the first option is for me. Now, is there anything I need to change in my router settings/cable connection from what I have now to properly achieve the first option? Because I did try setting up my devices manually to use a static IP with gateway 192.168.10.2. And it works, I get internet access and can also access both routers. But the main issue is with "pbr" (Policy Based Routing). It fails to start, therefore I can't actually set any device to go through VPN... So it leads me to think that there's something wrong in my router settings because pbr gives me the following errors:

Service Errors

Failed to set up 'lan/br-lan/192.168.10.1'!
Failed to set up 'wan/0.0.0.0'!
Failed to set up 'WG_Miami/0.0.0.0'!
Failed to set up any gateway

It's failing to set up lan 192.168.10.1 (which is my main router's IP and what I've set up as gateway in the LAN interface settings of OpenWRT).

You do not need PBR.

All devices pointed at 192.168.10.2 will use the VPN.

There is a third option, which is to reroute traffic coming from e.g. your phone to the OpenWrt router with iptables rules.
The ISP router has to support using iptables rules and you have to read up on the subject, but basically it is a DNAT rule, e.g.:
iptables -t nat -I PREROUTING -s <phones address> ! -d 192.168.0.0/16 -j DNAT --to 192.168.10.2

Well, I want PBR, because I'll be having multiple VPN configs set up. I have to fix the issue with PBR and figure out why it's not working.

But even then, as of now, I'm not even sure how to get any device pointed to 192.168.10.2 to go through VPN, because it seems like the wireguard VPN is not the default gateway.

If you want to run multiple tunnels then you indeed have to use PBR.

If the allowed IPs are 0.0.0.0/0 and you have enabled Route Allowed IPs, then the tunnel is the default route.

Any ideas as to why my PBR is giving me those errors?

There is no WAN, I do not know if the PBR package can deal with this.

Have you consulted the manual: https://docs.openwrt.melmac.net/pbr/ ?

I'm reading through it and I'm not sure, but PBR might not work unless the WAN interface is doing something.

Will it work if I connect my main router to the WAN port of my OpenWRT router? I've never done this setup. I guess I would have to set the WAN to a static address and point it to my main router (192.168.10.1).

No matter what I try, I'm still not able to achieve this. Would appreciate your help here because I'm confused about all the settings now. I've been playing around with the settings way too much.