Hello,
I successfully installed OpenWrt 19.07.0 r10860 on my Raspberry Pi 3B, connected to my main router through a LAN cable, and to my VyprVPN account.
My goal would be to route all traffic from the clients connected via Wifi to my OpenWrt router through the VPN tunnel.
Here is my network:
main router = 192.168.1.1 (DHCP server)
OpenWrt = 192.168.1.99 (DHCP disabled)
The OpenWrt router is connected to my VyprVPN account; I can see it from the VyprVPN control page.
Even if I go to Network > Diagnostics and make a traceroute to openwrt.org I get:
```
traceroute to openwrt.org (139.59.209.225), 30 hops max, 46 byte packets
 1  *
 2  192.168.64.2  172.427 ms
 3  128.*.*.3  173.872 ms
 4  208.*.*.73  176.167 ms
 5  *
 6  *
 7  64.*.*.119  260.875 ms
 8  64.*.*.16  260.033 ms
 9  64.*.*.105  256.139 ms
10  80.*.*.163  252.033 ms
11  *
12  *
13  *
14  139.59.209.225  264.369 ms
```
So I guess the VPN is working, but only for the router.
My problem is "only the OpenWrt router's traffic is going through the VPN tunnel".
The traffic from clients connected via wifi to the OpenWrt router doesn't go through the VPN.
Here is my config:
```
client
dev tun
proto udp
remote ca1.vyprvpn.com 443
resolv-retry infinite
nobind
persist-key
persist-tun
persist-remote-ip
verify-x509-name ca1.vyprvpn.com name
auth-user-pass /etc/openvpn/userpass.txt
comp-lzo
keepalive 10 60
verb 3
auth SHA256
cipher AES-256-CBC
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA
<ca>
-----BEGIN CERTIFICATE-----
###
-----END CERTIFICATE-----
</ca>
```
Firewall zone:
```
Name: VyprVPN
Input: reject
Output: accept
Forward: reject
Masquerading: yes
MSS clamping: yes
Covered networks: VyprVPN
Allow forward to destination zones: unspecified
Allow forward from source zones: lan
```
tun0 interface:
```
Name: VyprVPN
Protocol: Unmanaged
Bridged interfaces: no
Interface: tun0
```
If the clients take DHCP settings from the main router, this is expected behavior.
However, we cannot tell for sure; you need to paste here the output of the configs: `uci export network; uci export wireless; uci export dhcp; uci export firewall`
If you want / need router kernel Internet use to go through the VPN, you need a LAN-->WAN setup. Then when the VPN opens it will take over the normal WAN route to the Internet.
Perhaps you don't really need that though. If you only need the wifi users to go through the VPN, create a vpnuser network and firewall zone for them, and forward it to the VPN tunnel zone. Masquerade must be turned on for the tunnel.
This way the clients are taking DHCP settings from the main router, which advertises itself as default gateway. That is why the clients don't use VPN.
You need to isolate the hosts that must use VPN, as @mk24 mentioned.
Dare I suggest adding a USB-Ethernet adapter to your RPi to add a 2nd ethernet port, so there is one for WAN and the other for LAN?
I don't own a RPi 3, but last time I looked at how to put Openvpn client on one, I thought I came across a number of **non-**OpenWrt solutions that work with just a single ethernet port.
I don't have a USB-ethernet adapter to try. I thought I could use the single Ethernet port for both the LAN and WAN interfaces, using a virtual eth0.1 port for the WAN interface.
If you want to route all the clients connected to the Raspi wifi to the VPN, then you don't need anything else. Just don't bridge the LAN port with the wifi. Provide DHCP server for the wifi and forward everything to the VPN.
I have set up the LAN interface to "only eth0", with no bridge to "wlan0" now.
How can I provide a DHCP server only for wifi clients?
Do I have to add a new interface "wifi", assign the "wlan0" interface to it, and then enable the DHCP server? Is that correct? If so, can I choose a different subnet for this purpose? I would like to have it on the 192.168.2.0 network.
Yes a new network. I would call it vpnuser rather than "wifi" but you can call it whatever you would like.
vpnuser is type bridge and has an IP address that does not overlap any of your other networks, and has a DHCP server.
A wifi AP with network vpnuser. When a potential VPN user connects to this wifi they will get an IP address from your DHCP server. Again this IP is distinct from everything in the LAN or the WAN. But at this point they will have no Internet access.
Firewall zone for the vpnuser network (only). These are the same rules as LAN. Later you may want stricter rules, especially if there is a potential of vpn users hacking into your router.
Firewall zone for the vpn tunnel (only). It has masq and mtu fix set.
Firewall forwarding from vpnuser to vpntun.
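The five steps above, as one added worked example (written for this edit; it is not code posted in the thread or shipped by OpenWrt): a shell script that emits the UCI commands for the vpnuser network, its DHCP pool, a wifi AP on it, the vpnuser zone and the forwarding into the tunnel zone, and applies them with `uci batch` when run on the router. Assumptions not stated in the thread: the wifi radio is `radio0`, the SSID and key are placeholders, the subnet is the 192.168.2.0/24 the original poster asked for, and the tunnel zone keeps the thread's name `VyprVPN` (covering the unmanaged `VyprVPN` interface on tun0).

```shell
#!/bin/sh
# Added example, not from the thread or from OpenWrt: UCI commands for a
# VPN-only wifi network on OpenWrt 19.07. Assumed names: radio0, placeholder
# SSID/key, the existing tunnel interface/zone named 'VyprVPN'.

vpnuser_uci_batch() {
cat <<'EOF'
# separate L3 network for VPN users: 192.168.2.0/24, distinct from lan (192.168.1.0/24)
set network.vpnuser=interface
set network.vpnuser.type='bridge'
set network.vpnuser.proto='static'
set network.vpnuser.ipaddr='192.168.2.1'
set network.vpnuser.netmask='255.255.255.0'

# DHCP pool served by OpenWrt on vpnuser only; lan keeps its DHCP disabled
set dhcp.vpnuser=dhcp
set dhcp.vpnuser.interface='vpnuser'
set dhcp.vpnuser.start='100'
set dhcp.vpnuser.limit='150'
set dhcp.vpnuser.leasetime='12h'

# wifi AP attached to vpnuser (not bridged into lan); assumed radio0, placeholder credentials
set wireless.vpnuser_ap=wifi-iface
set wireless.vpnuser_ap.device='radio0'
set wireless.vpnuser_ap.mode='ap'
set wireless.vpnuser_ap.network='vpnuser'
set wireless.vpnuser_ap.ssid='VPN-ONLY-SSID-PLACEHOLDER'
set wireless.vpnuser_ap.encryption='psk2'
set wireless.vpnuser_ap.key='CHANGE-ME-PLACEHOLDER'
set wireless.radio0.disabled='0'

# zone for vpnuser with lan-like policy; input ACCEPT so clients reach DHCP/DNS on the router
set firewall.vpnuser=zone
set firewall.vpnuser.name='vpnuser'
set firewall.vpnuser.network='vpnuser'
set firewall.vpnuser.input='ACCEPT'
set firewall.vpnuser.output='ACCEPT'
set firewall.vpnuser.forward='REJECT'

# tunnel zone: masquerade + MSS clamping over the unmanaged tun0 interface.
# Skip this section if a zone named VyprVPN already exists (it would be duplicated).
set firewall.VyprVPN=zone
set firewall.VyprVPN.name='VyprVPN'
set firewall.VyprVPN.network='VyprVPN'
set firewall.VyprVPN.input='REJECT'
set firewall.VyprVPN.output='ACCEPT'
set firewall.VyprVPN.forward='REJECT'
set firewall.VyprVPN.masq='1'
set firewall.VyprVPN.mtu_fix='1'

# the only forwarding out of vpnuser is into the tunnel: nothing towards lan/wan,
# so when the VPN is down these clients get no Internet rather than a cleartext leak
set firewall.vpnuser_to_vpn=forwarding
set firewall.vpnuser_to_vpn.src='vpnuser'
set firewall.vpnuser_to_vpn.dest='VyprVPN'
EOF
}

# strip the comments/blank lines (uci batch wants commands only), then commit and reload
apply_vpnuser() {
  vpnuser_uci_batch | grep -Ev '^(#|$)' | uci batch \
    && uci commit \
    && /etc/init.d/network restart \
    && /etc/init.d/firewall restart \
    && wifi
}

# Run as "sh vpnuser.sh apply" on the router; anywhere else it just prints the batch for review.
if [ "${1:-}" = "apply" ] && command -v uci >/dev/null 2>&1; then
  apply_vpnuser
else
  vpnuser_uci_batch
fi
```

After applying, `uci export firewall` should show the vpnuser zone with no forwarding to `wan` or `lan`; a client on the 192.168.2.x wifi then has exactly one route to the Internet, through tun0, which is the isolation the replies above describe.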