Want all my connected devices to be exposed to OpenVPN

This is quite different than the original description, and it appears you have now edited that post for more clarity.

Your printer should remain connected to your main network. You'll actually set up your Pi with an OpenVPN server (or you could use Wireguard, which is easier and more performant). Your Pi will be a client on your main network and will simply allow LAN access (you can limit the extent of that access, of course). You'll need to forward the VPN port from your main router to your OpenWrt Pi in order to allow external clients to connect to your VPN.

With that in mind, it makes sense to completely reset your Pi now and start over.
I'd recommend using Wireguard in the "road warrior" type configuration:

We are very close now, please help.
https://forum.openwrt.org/t/want-all-my-connected-devices-are-exposed-to-openvpn/131464/20?u=babai93

Nothing should be connected to your Pi's wifi.

Not getting you.

Your Pi should be purely a VPN server. It will allow LAN access as needed/desired. But nothing should be connecting to the Wifi from the Pi. All of your devices should be connected to your main network.

I don't see which machine is the OpenVPN server. The OpenVPN server should be configured to push a route to 192.168.30.0/24 gatewayed by the VPN tunnel endpoint that hosts that network (100.96.1.3). Or these routes can be manually installed on each client. This assumes that the Pi remains at 10.96.1.3-- depending on the order that clients connect to the VPN server, they may receive a different IP via OpenVPN's automatic IP assignment. (That would not be an issue if the Pi itself is the OpenVPN server, but that depends on being able to configure its upstream to have a port open for incoming connections from the Internet.)

Or you might be able to bridge the wifi AP for the printer directly with the VPN tunnel, and make the printer a device on the tunnel itself, e.g. 100.96.1.4. Then the other clients could reach it as a single hop without needing an additional route. I have never actually tried that though.

The usual advice to run Wireguard instead of OpenVPN definitely applies here.

Sir, I am using OpenVPN Cloud, registered 3 users.

For Wireguard - I don't have a static IP; even the JioFiber WAN IPs are not accessible from the internet, so I also cannot use No-IP dynamic DNS.

And I want to achieve what is shown below.

  • Configure the OpenVPN server to push a route 192.168.30.0/24 via 100.96.0.3.
  • In the OpenWrt firewall on the Pi, make sure that forwarding from the VPN zone to the printer zone is enabled. Or place both of those networks in the same zone and make sure that forwarding is enabled on the zone. NAT (masquerade) must be turned off on these zones since this is a case of symmetric routing.
  • Configure the Pi to reserve an easy to remember DHCP IP for the printer. You will need to manually enter this IP into the printer driver on the other endpoints. Automatic discovery does not work across networks.

Done!! But I am confused a lot about how to configure a fresh one.

Only one problem is there -- all the devices connected to the RPi3 WiFi are not able to browse the internet. Please suggest.

Solved :grinning: after adding Firewall - NAT Rules -- now all internet outbound requests are passing through the br-lan port (WAN).

Please find the configuration below.

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdf7:3f84:1a58::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.29.10'
        option gateway '192.168.29.1'
        option dns '192.168.29.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'OpenVPN'
        option proto 'static'
        option ipaddr '192.168.30.1'
        option netmask '255.255.255.0'

config interface 'vpn'
        option proto 'none'
        option device 'tun0'

root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/soc/3f300000.mmcnr/mmc_host/mmc1/mmc1:0001/mmc1:0001:1'
        option channel '1'
        option band '2g'
        option htmode 'HT20'
        option cell_density '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'psk2'
        option key '9777455393'
        option network 'OpenVPN'

root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        option ra_slaac '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'OpenVPN'
        option interface 'OpenVPN'
        option start '100'
        option limit '150'
        option leasetime '12h'
        list ra_flags 'none'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        list network 'lan'
        list network 'OpenVPN'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'vpn'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        list network 'vpn'
        option input 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled 'false'

config include
        option path '/etc/firewall.user'

config zone
        option name 'vpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        list network 'OpenVPN'
        option forward 'ACCEPT'

config forwarding
        option src 'vpn'
        option dest 'lan'

config forwarding
        option src 'lan'
        option dest 'vpn'

config forwarding
        option src 'OpenVPN'
        option dest 'vpn'

config zone
        option name 'OC'
        option input 'DROP'
        option output 'ACCEPT'
        option forward 'DROP'
        option masq '1'
        list network 'OpenVPN'

config forwarding
        option src 'lan'
        option dest 'OC'

config rule 'samba_nsds'
        option name 'Allow-Samba/NS/DS'
        option src 'lan'
        option dest_port '137-138'
        option proto 'udp'
        option target 'ACCEPT'

config rule 'samba_ss'
        option name 'Allow-Samba/SS'
        option src 'lan'
        option dest_port '139'
        option proto 'tcp'
        option target 'ACCEPT'

config rule 'samba_smb'
        option name 'Allow-Samba/SMB'
        option src 'lan'
        option dest_port '445'
        option proto 'tcp'
        option target 'ACCEPT'


config nat
        option src '*'
        option target 'SNAT'
        option snat_ip '192.168.29.10'
        option name 'Allow_Internet2Client'
        list proto 'all'

root@OpenWrt:~# cat /etc/config/uhttpd

config uhttpd 'main'
        list listen_http '0.0.0.0:80'
        list listen_http '[::]:80'
        list listen_https '0.0.0.0:443'
        list listen_https '[::]:443'
        option redirect_https '0'
        option home '/www'
        option rfc1918_filter '0'
        option max_requests '3'
        option max_connections '100'
        option cert '/etc/uhttpd.crt'
        option key '/etc/uhttpd.key'
        option cgi_prefix '/cgi-bin'
        list lua_prefix '/cgi-bin/luci=/usr/lib/lua/luci/sgi/uhttpd.lua'
        option script_timeout '60'
        option network_timeout '30'
        option http_keepalive '20'
        option tcp_keepalive '1'
        option ubus_prefix '/ubus'

config cert 'defaults'
        option days '730'
        option key_type 'ec'
        option bits '2048'
        option ec_curve 'P-256'
        option country 'ZZ'
        option state 'Somewhere'
        option location 'Unknown'
        option commonname 'OpenWrt'

root@OpenWrt:~#

C:\>tracert google.co.in

Tracing route to google.co.in [172.217.167.227]
over a maximum of 30 hops:

  1     1 ms     1 ms     1 ms  OpenWrt.lan [192.168.30.1]
  2     7 ms     4 ms     2 ms  192.168.29.1
  3     6 ms     5 ms     6 ms  10.15.216.1
  4    19 ms    15 ms    15 ms  172.16.89.153
  5    17 ms    14 ms    16 ms  192.168.107.114
  6    19 ms    15 ms    14 ms  172.26.110.20
  7    20 ms    16 ms    15 ms  172.26.110.34
  8    17 ms    15 ms    14 ms  192.168.42.46
  9     *        *        *     Request timed out.
 10     *        *        *     Request timed out.
 11     *        *        *     Request timed out.
 12     *        *        *     Request timed out.
 13     *        *        *     Request timed out.
 14     *        *        *     Request timed out.
 15    73 ms    57 ms    56 ms  142.251.77.29
 16    72 ms    64 ms    63 ms  172.253.67.91
 17    63 ms    60 ms    58 ms  del11s04-in-f3.1e100.net [172.217.167.227]

Trace complete.

C:\>tracert 100.96.1.2

Tracing route to 100.96.1.2 over a maximum of 30 hops

  1     1 ms     1 ms     1 ms  OpenWrt.lan [192.168.30.1]
  2    63 ms    56 ms    55 ms  103.26.204.252
  3    57 ms    63 ms    56 ms  129.227.217.68
  4   388 ms   304 ms   304 ms  100.96.1.2

Trace complete.

C:\>
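The checklist above says NAT must be off on the tunnel and printer zones (symmetric routing), and the posted firewall config binds the 'OpenVPN' network to several zones and defines 'vpn' twice. The following script is an added example, not from the thread or from OpenWrt: it parses UCI firewall text and reports those three conditions. The embedded config is a constructed sample trimmed from the one posted above, and the zone names in `no_masq_zones` are an assumption matching that post.

```python
"""Lint an OpenWrt UCI firewall config for the pitfalls raised in this thread."""
from collections import defaultdict
# Constructed sample, trimmed from the firewall config posted above.
SAMPLE = """
config zone
        option name 'lan'
        list network 'lan'
        list network 'OpenVPN'
config zone
        option name 'vpn'
        option masq '1'
        list network 'vpn'
config zone
        option name 'vpn'
        option masq '1'
        list network 'OpenVPN'
config zone
        option name 'OC'
        option masq '1'
        list network 'OpenVPN'
"""

def parse_uci(text):
    """Return a list of (section_type, {key: [values]}) parsed from UCI text."""
    sections = []
    for raw in text.splitlines():
        parts = raw.split()
        if parts and parts[0] == "config":
            sections.append((parts[1], defaultdict(list)))
        elif parts and parts[0] in ("option", "list") and sections:
            key, value = parts[1], " ".join(parts[2:]).strip("'\"")
            sections[-1][1][key].append(value)  # 'list' keys accumulate values
    return sections

def lint_zones(text, no_masq_zones=("vpn", "OC")):
    """Flag duplicate zone names, a network in several zones, and masq on symmetric-routing zones."""
    findings, names, owners = [], defaultdict(int), defaultdict(set)
    for stype, opts in parse_uci(text):
        if stype != "zone":
            continue
        name = opts["name"][0]
        names[name] += 1
        for net in opts["network"]:
            owners[net].add(name)
        if name in no_masq_zones and opts["masq"] == ["1"]:
            findings.append(f"zone '{name}' masquerades; disable masq for symmetric routing")
    findings += [f"zone name '{n}' defined {c} times" for n, c in names.items() if c > 1]
    findings += [f"network '{n}' is in zones {sorted(z)}" for n, z in owners.items() if len(z) > 1]
    return findings
```

On a router, run it against the output of `cat /etc/config/firewall` instead of the sample.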
