VPN connected but wifi clients don't go through tunnel

Hello,
I successfully installed OpenWrt 19.07.0 r10860 on my Raspberry Pi 3B, connected to my main router through a LAN cable, and to my VyprVPN account.

My goal would be to route all traffic from the clients connected via WiFi to my OpenWrt router through the VPN tunnel.

Here is my network:
main router = 192.168.1.1 (DHCP server)
OpenWrt = 192.168.1.99 (DHCP disabled)

The OpenWrt router is connected to my VyprVPN account; I can see it from the VyprVPN control page.
Also, if I go to Network > Diagnostics and run a traceroute to openwrt.org I get:

traceroute to openwrt.org (139.59.209.225), 30 hops max, 46 byte packets
 1  *
 2  192.168.64.2  172.427 ms
 3  128.*.*.3  173.872 ms
 4  208.*.*.73  176.167 ms
 5  *
 6  *
 7  64.*.*.119  260.875 ms
 8  64.*.*.16  260.033 ms
 9  64.*.*.105  256.139 ms
10  80.*.*.163  252.033 ms
11  *
12  *
13  *
14  139.59.209.225  264.369 ms

So I guess the VPN is working, but only for the router.

My problem is "only the OpenWrt router traffic is going through the VPN tunnel".
The traffic from clients connected via WiFi to the OpenWrt router doesn't go through the VPN.

Here is my config:

client
dev tun
proto udp
remote ca1.vyprvpn.com 443
resolv-retry infinite
nobind
persist-key
persist-tun
persist-remote-ip
verify-x509-name ca1.vyprvpn.com name
auth-user-pass /etc/openvpn/userpass.txt
comp-lzo
keepalive 10 60
verb 3
auth SHA256
cipher AES-256-CBC
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA

<ca>
-----BEGIN CERTIFICATE-----
###
-----END CERTIFICATE-----
</ca>

Firewall

Name : VyprVPN
Input : reject
Output : accept
Forward : reject
Masquerading : yes
MSS clamping : yes
Covered networks : VyprVPN
Allow forward to destination zones : unspecified
Allow forward from source zones : lan

tun0 interface:

Name : VyprVPN
Protocol : Unmanaged
Bridged interfaces : NO
Interface : tun0

Any help? Thank you.

Your firewall file appears to be missing WAN and LAN zones.

In my experience, the OpenWrt router LAN interface must be on a different subnet to the WAN interface for openvpn client routing to work.

Suggest reviewing the following wiki page and particularly the alternative guide at bottom of the page written for Home Hub 5A.
https://openwrt.org/docs/guide-user/services/vpn/openvpn/client-luci

Check firewall and network settings: https://airvpn.org/forums/topic/20303-airvpn-configuration-on-openwrt-preventing-traffic-leakage-outside-tunnel/

If the clients take DHCP settings from the main router, this is expected behavior.
However, we cannot tell for sure; you need to paste here the output of the configs:
uci export network; uci export wireless; uci export dhcp; uci export firewall

Thank you all for your suggestions.

In the end I did it following this guide: OpenVPN Client for HH5A, as suggested by @bill888.

I did it using the same subnet as my main router (192.168.1.1) and disabling the DHCP server on OpenWrt.

If I now go to the network interfaces I only have 2 (LAN interface and VPN interface); there is no WAN interface!
Do I have to create one?

I tried to change the OpenWrt subnet on the LAN interface and I get a lot of trouble (network unreachable and so on).

Thank you guys!

If you want / need router kernel Internet use to go through the VPN, you need a LAN-->WAN setup. Then when the VPN opens it will take over the normal WAN route to the Internet.

Perhaps you don't really need that though. If you only need the wifi users to go through the VPN, create a vpnuser network and firewall zone for them, and forward it to the VPN tunnel zone. Masquerade must be turned on for the tunnel.


This way the clients are taking DHCP settings from the main router, which advertises itself as default gateway. That is why the clients don't use VPN.
You need to isolate the hosts that must use VPN, as @mk24 mentioned.

Dare I suggest you using a USB-Ethernet adapter to your RPi to add a 2nd ethernet port, so there is one for WAN and other for LAN?

I don't own a RPi 3, but last time I looked at how to put Openvpn client on one, I thought I came across a number of **non-**OpenWrt solutions that work with just a single ethernet port.

I don't have a USB-Ethernet adapter to try. I thought I could use the single Ethernet port for both the LAN and WAN interfaces, using a virtual eth0.1 port for the WAN interface.

I will look for alternative solutions.

If you want to route all the clients connected to the Raspi wifi to the VPN, then you don't need anything else. Just don't bridge the LAN port with the wifi. Provide DHCP server for the wifi and forward everything to the VPN.

I have set up the LAN interface to "only eth0", with no bridge to "wlan0" now.
How can I provide a DHCP server only for WiFi clients?
Do I have to add a new interface "wifi", set it to the "wlan0" interface and then enable the DHCP server? Is that correct? If it is right, can I choose a different subnet for this purpose? I would like to have it on the 192.168.2.0 network.

Appreciate your help!

uci export network

package network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdc8:063c:7a85::/48'

config interface 'lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option gateway '192.168.1.1'
        option ifname 'eth0'
        option ipaddr '192.168.1.99'
        list dns '8.8.8.8'
        list dns '8.8.4.4'
        option type 'bridge'

config interface 'VPN_tun0'
        option ifname 'tun0'
        option proto 'none'

uci export wireless

package wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option channel '11'
        option hwmode '11g'
        option path 'platform/soc/3f300000.mmc/mmc_host/mmc1/mmc1:0001/mmc1:0001:1'
        option htmode 'HT20'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option mode 'ap'
        option ssid 'Router_WRT'
        option key '########'
        option encryption 'psk2'
        option network 'lan'

uci export dhcp

package dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option localservice '1'
        list server '192.168.1.1'

config dhcp 'lan'
        option interface 'lan'
        option dhcpv6 'server'
        option ra 'server'
        option ra_management '1'
        option start '100'
        option leasetime '12h'
        option limit '150'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'wireless'
        option start '100'
        option leasetime '12h'
        option limit '150'
        option interface 'wireless'

uci export firewall

package firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        option output 'ACCEPT'
        option mtu_fix '1'
        option network ' '
        option input 'REJECT'
        option forward 'REJECT'
        option masq '1'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config zone
        option network 'VPN_zone VPN_tun0'
        option name 'VPN_zone'
        option mtu_fix '1'
        option input 'REJECT'
        option forward 'REJECT'
        option masq '1'
        option output 'ACCEPT'

config forwarding
        option dest 'VPN_zone'
        option src 'lan'

Yes a new network. I would call it vpnuser rather than "wifi" but you can call it whatever you would like.
vpnuser is type bridge and has an IP address that does not overlap any of your other networks, and has a DHCP server.
A wifi AP with network vpnuser. When a potential VPN user connects to this wifi they will get an IP address from your DHCP server. Again this IP is distinct from everything in the LAN or the WAN. But at this point they will have no Internet access.
Firewall zone for vpnuser network (only). These are the same rules as LAN. Later you may want stricter rules, especially if there is a potential of vpn users hacking into your router.
Firewall zone for the vpn tunnel (only). It has masq and mtu fix set.
Firewall forwarding from vpnuser to vpntun.

Network:

config interface 'vpnusers'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '172.16.1.1'

Wireless:
Under default_radio0 change network from lan to vpnusers

DHCP:

config dhcp 'vpnusers'
        option interface 'vpnusers'
        option dhcpv6 'server'
        option ra 'server'
        option ra_management '1'
        option start '100'
        option leasetime '12h'
        option limit '150'

Firewall:

config zone
        option name 'vpnusers'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'vpnusers'

config forwarding
        option dest 'VPN_zone'
        option src 'vpnusers'
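An added configuration check (not code from the thread or from OpenWrt) that parses `uci export` style dumps like the ones pasted above and lists why WiFi clients would bypass the VPN zone, encoding the path mk24 describes: the wifi-iface must sit on its own network with a DHCP pool, that network must be in a firewall zone, and that zone must forward to the masqueraded tunnel zone. The sample configs are constructed and trimmed from the thread; the finding texts and the function names are my own.

```python
import re

# Minimal parser for `uci export` output as pasted in the thread (config/option/list lines).
_LINE = re.compile(r"^\s*(config|option|list)\s+(\S+)(?:\s+'([^']*)')?\s*$")

def parse_uci(text):
    """Sections as {'type', 'name', 'opts'}; repeated 'list' values are joined with spaces."""
    sections = []
    for line in text.splitlines():
        if not (m := _LINE.match(line)):
            continue
        kind, key, value = m.groups()
        if kind == "config":
            sections.append({"type": key, "name": value, "opts": {}})
        else:  # option overwrites, list appends; both end up as a plain string
            opts = sections[-1]["opts"]
            opts[key] = value if kind == "option" else (opts.get(key, "") + " " + value).strip()
    return sections

def check_wifi_vpn(wireless, dhcp, firewall, vpn_zone):
    """List the reasons wifi clients would bypass the VPN zone; an empty list means the path is complete."""
    findings = []
    fw = parse_uci(firewall)
    zones = {s["opts"].get("name"): s for s in fw if s["type"] == "zone"}
    fwds = {(s["opts"].get("src"), s["opts"].get("dest")) for s in fw if s["type"] == "forwarding"}
    pools = {s["opts"].get("interface"): s for s in parse_uci(dhcp) if s["type"] == "dhcp"}
    if zones.get(vpn_zone, {"opts": {}})["opts"].get("masq") != "1":
        findings.append(f"zone '{vpn_zone}' has no masquerading")
    for ap in (s for s in parse_uci(wireless) if s["type"] == "wifi-iface"):
        net, ssid = ap["opts"].get("network"), ap["opts"].get("ssid")
        if net == "lan":  # the thread's root cause: wifi on lan, so the main router hands out the gateway
            findings.append(f"{ssid}: on 'lan', so clients take DHCP and gateway from the main router")
        if net not in pools or pools[net]["opts"].get("ignore") == "1":
            findings.append(f"{ssid}: no DHCP pool serves network '{net}'")
        zone = next((z for z, s in zones.items() if net in s["opts"].get("network", "").split()), None)
        if zone is None:
            findings.append(f"{ssid}: network '{net}' is in no firewall zone")
        elif (zone, vpn_zone) not in fwds:
            findings.append(f"{ssid}: no forwarding from zone '{zone}' to '{vpn_zone}'")
    return findings

# Constructed sample configs, trimmed from the thread: the original (wifi on 'lan') and the fix.
FIREWALL = """config zone\n\toption name 'lan'\n\toption network 'lan'
config zone\n\toption name 'vpnusers'\n\toption network 'vpnusers'
config zone\n\toption name 'VPN_zone'\n\toption network 'VPN_tun0'\n\toption masq '1'
config forwarding\n\toption src 'lan'\n\toption dest 'VPN_zone'
config forwarding\n\toption src 'vpnusers'\n\toption dest 'VPN_zone'"""
DHCP = "config dhcp 'lan'\n\toption interface 'lan'\nconfig dhcp 'vpnusers'\n\toption interface 'vpnusers'"
WIFI_BEFORE = "config wifi-iface 'default_radio0'\n\toption ssid 'Router_WRT'\n\toption network 'lan'"
WIFI_AFTER = WIFI_BEFORE.replace("'lan'", "'vpnusers'")
```

Running `check_wifi_vpn(WIFI_BEFORE, DHCP, FIREWALL, "VPN_zone")` reports the wifi-on-lan problem, while the same call with `WIFI_AFTER` returns no findings.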

Thanks.
VPN working perfectly under Raspberry Pi 3.
