Hello
I'm trying to set up OpenWrt so that one wifi network uses the VPN and another wifi network goes straight out to the internet.
I've followed lots of different guides but just can't seem to get it to work right.
I think I have the interfaces set up correctly: I have added a second 'lan2' interface and a 'VPN' interface, created firewall zones for each, and the LAN interfaces are on their own subnets.
The VPN establishes a connection, but I am unable to use it, and I have no internet on the lan2 interface when the VPN is connected.
Could anyone point me to where I may be going wrong?
I'm running OpenWrt 19.07.5, r11257-5090152ae3
/etc/config/network
# Loopback interface; stock OpenWrt definition.
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd60:5ad2:1d49::/48'
# Main LAN: bridge over VLAN 1 (switch ports 2-5, see switch_vlan below), 192.168.0.1/24.
config interface 'lan'
option type 'bridge'
option ifname 'eth0.1'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.0.1'
# Upstream WAN: VLAN 2 (switch port 1), address obtained from the ISP via DHCP.
config interface 'wan'
option ifname 'eth0.2'
option proto 'dhcp'
option clientid '31323334353637383930313240736b7964736c7c31323334353637383930313233343536'
config device 'wan_eth0_2_dev'
option name 'eth0.2'
option macaddr '84:d8:1b:f9:c7:58'
config interface 'wan6'
option ifname 'eth0.2'
option proto 'dhcpv6'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '2 3 4 5 0t'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '1 0t'
# Tunnel interface created by OpenVPN. 'proto none' only lets netifd track tun0
# (for the firewall zone and the table-100 route below); OpenVPN assigns the address itself.
config interface 'VPN'
option ifname 'tun0'
option proto 'none'
# Second LAN bridge, 192.168.1.1/24. No 'ifname' is listed, so presumably only a
# wireless interface is attached to it -- confirm in /etc/config/wireless.
config interface 'lan2'
option proto 'static'
option type 'bridge'
option netmask '255.255.255.0'
option ipaddr '192.168.1.1'
# Policy routing: packets entering through lan2 are looked up in table 100. The
# 'ip -4 ru' output below shows this as 'lookup vpn', so table 100 is presumably
# aliased to 'vpn' in /etc/iproute2/rt_tables.
config rule
option in 'lan2'
option lookup '100'
# Default route for table 100 out of the VPN interface. netifd installs it only while
# interface 'VPN' is up; the 'ip -4 ro' output below lists the main table only, so
# verify table 100 with `ip route show table 100` while tun0 is up.
config route 'vpn'
option interface 'VPN'
option target '0.0.0.0'
option netmask '0.0.0.0'
option table '100'
/etc/config/firewall
# Defaults: router INPUT/OUTPUT accepted, FORWARD rejected unless a zone or
# forwarding section below allows it.
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
# 'lan' zone (192.168.0.0/24): fully open towards the router.
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
# 'wan' zone: no unsolicited input, masquerades outbound traffic, clamps MSS.
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
# The rules from here down to the 'include' look like the stock OpenWrt 19.07
# wan rules (DHCP renew, ping, IGMP, DHCPv6, MLD, ICMPv6, IPsec).
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
# 'vpn' zone covering interface 'VPN' (tun0): lan2 sources are masqueraded to the
# tunnel address and MSS is clamped. Input from the tunnel side is REJECTed, so
# nothing reached through the VPN can talk to the router itself.
config zone
option network 'VPN'
option forward 'REJECT'
option name 'vpn'
option output 'ACCEPT'
option input 'REJECT'
option masq '1'
option mtu_fix '1'
# 'lan2' zone (192.168.1.0/24).
config zone
option network 'lan2'
option input 'ACCEPT'
option name 'lan2'
option output 'ACCEPT'
option forward 'ACCEPT'
# lan2 may forward only to the vpn zone. There is no lan2 -> wan forwarding, so
# lan2 has no internet path at all whenever tun0 or the table-100 route is missing
# (this doubles as a kill switch). lan <-> lan2 forwarding is also absent, so the
# two LANs are isolated from each other.
config forwarding
option dest 'vpn'
option src 'lan2'
# lan forwards to wan as normal.
config forwarding
option dest 'wan'
option src 'lan'
/etc/config/dhcp
# dnsmasq answers DNS for both LANs and forwards upstream using /tmp/resolv.conf.auto
# (presumably filled from the wan DHCP lease). Those upstream queries originate on the
# router, so they are not matched by the 'iif br-lan2' policy rule and leave via the
# main-table default route on eth0.2 -- i.e. lan2 clients' DNS goes out over wan, not
# the tunnel. Confirm this is intended; if not, lan2 needs a separate resolver path.
config dnsmasq
option domainneeded '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.auto'
option localservice '1'
# DHCP/RA for the main LAN.
config dhcp 'lan'
option interface 'lan'
option limit '150'
option leasetime '12h'
option dhcpv6 'server'
option ra 'server'
option ra_management '1'
option start '192.168.0.2'
# No DHCP service on the wan side.
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
# Static leases on the main LAN.
config host
option ip '192.168.0.3'
option mac '20:47:ED:DC:4F:02'
option dns '1'
option name 'SkyHDLiv'
config host
option mac 'B8:27:EB:A7:13:6A'
option name 'Rpi'
option dns '1'
option ip '192.168.0.16'
config host
option mac '1C:5A:3E:E3:56:B5'
option name 'TVLiv'
option dns '1'
option ip '192.168.0.101'
# DHCP for lan2 ('start' is a host offset, so the pool begins at 192.168.1.100).
# No dhcpv6/ra options here, so lan2 is IPv4-only as configured.
config dhcp 'lan2'
option start '100'
option leasetime '12h'
option limit '150'
option interface 'lan2'
Output of the commands `ip -4 addr ; ip -4 ro ; ip -4 ru`:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
6: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet 192.168.0.1/24 brd 192.168.0.255 scope global br-lan
valid_lft forever preferred_lft forever
8: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet 94.13.25.139/22 brd 94.13.27.255 scope global eth0.2
valid_lft forever preferred_lft forever
9: br-lan2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan2
valid_lft forever preferred_lft forever
16: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
inet 10.8.3.2/24 brd 10.8.3.255 scope global tun0
valid_lft forever preferred_lft forever
default via 94.13.24.1 dev eth0.2 proto static src 94.13.25.139
10.8.3.0/24 dev tun0 proto kernel scope link src 10.8.3.2
94.13.24.0/22 dev eth0.2 proto kernel scope link src 94.13.25.139
192.168.0.0/24 dev br-lan proto kernel scope link src 192.168.0.1
192.168.1.0/24 dev br-lan2 proto kernel scope link src 192.168.1.1
0: from all lookup local
1: from all iif br-lan2 lookup vpn
32766: from all lookup main
32767: from all lookup default
This is part of my .ovpn config from my VPN provider:
client
dev tun
proto udp
remote (removed for post)
resolv-retry infinite
remote-random
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ping 15
ping-restart 0
ping-timer-rem
reneg-sec 0
comp-lzo no
# Verifies the server certificate is marked for server use; keep this.
remote-cert-tls server
# Credentials are stored in clear text in this file; keep it readable by root only.
auth-user-pass /etc/openvpn/Nordvpn.auth
# Level 2 lets OpenVPN run external scripts (e.g. up/down hooks). Only needed if the
# rest of the config references a script -- not visible in this excerpt.
script-security 2
# Routes pushed by the server are ignored, so OpenVPN installs no default route via tun0.
# Traffic originating on the router itself therefore still leaves via wan (main table);
# only lan2 traffic, steered by the 'iif br-lan2' policy rule into table 100, uses the
# tunnel. Testing the VPN from the router's own shell will not exercise the tunnel.
route-nopull
verb 3
fast-io
cipher AES-256-CBC
auth SHA512