Wi-Fi Access Point with USB Teathering and OpenVPN using Raspberry Pi 3 B

Hi there,

as the title describes, I am trying to setup a VPN Wi-Fi Access Point with my Raspberry Pi 3 B using OpenWrt.
To supply the Raspberry Pi with an internet connection, I have connected my phone in USB teathering mode via an USB cable with the Raspberry Pi.

Without the OpenVPN connection I can establish a connection to the internet when connecting to the Wi-Fi Access Point connection.
The configuration files for the working setup (without VPN connection) are the following:

network
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdbd:10b9:c802::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '10.71.71.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option force_link '1'

config interface 'wwan'
	option proto 'dhcp'
	option peerdns '0'
	list dns '1.1.1.1'
	list dns '8.8.8.8'
	option device 'wlan0'

config interface 'vpnclient'
	option proto 'none'
	option device 'tun0'
	option type 'bridge'

config interface 'TetheringWAN'
	option proto 'dhcp'
	option device 'usb0'
	option type 'bridge'
wireless
config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/soc/3f300000.mmcnr/mmc_host/mmc1/mmc1:0001/mmc1:0001:1'
	option channel '1'
	option band '2g'
	option htmode 'HT20'
	option country 'FR'
	option cell_density '1'

config wifi-iface 'wifinet0'
	option device 'radio0'
	option mode 'ap'
	option ssid 'Borg Collective'
	option encryption 'psk-mixed'
	option key 'WIFI_PASSWORD'
	option network 'lan TetheringWAN vpnclient'
firewall
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'TetheringWAN'
	list network 'lan'
	list network 'vpnclient'
	list network 'wwan'

config zone
	option name 'wan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option mtu_fix '1'
	option masq '1'
	option forward 'ACCEPT'
	list network 'TetheringWAN'
	list network 'lan'
	list network 'vpnclient'
	list network 'wwan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config forwarding
	option src 'wan'
	option dest 'lan'

To set up the VPN, I followed this tutorial from minute 24:16 (code) and I sucessfully added the VPN connection, according to the LuCI interface:

However, when connecting to the Access Point, my IP adress does not change.
To resolve this, I was changing the firewall setup to separate the usb-teathering & lan network on one zone and the VPN with the Wi-Fi in another zone:

This leads to the following settings:

network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdbd:10b9:c802::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '10.71.71.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option force_link '1'

config interface 'wwan'
	option proto 'dhcp'
	option peerdns '0'
	list dns '1.1.1.1'
	list dns '8.8.8.8'
	option device 'wlan0'

config interface 'vpnclient'
	option proto 'none'
	option device 'tun0'
	option type 'bridge'

config interface 'TetheringWAN'
	option proto 'dhcp'
	option device 'usb0'
	option type 'bridge'
wireless
config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/soc/3f300000.mmcnr/mmc_host/mmc1/mmc1:0001/mmc1:0001:1'
	option channel '1'
	option band '2g'
	option htmode 'HT20'
	option country 'FR'
	option cell_density '1'

config wifi-iface 'wifinet0'
	option device 'radio0'
	option mode 'ap'
	option ssid 'Borg Collective'
	option encryption 'psk-mixed'
	option key 'WIFI_PASSWORD'
	option network 'vpnclient'
firewall
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'TetheringWAN'
	list network 'lan'

config zone
	option name 'wan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option mtu_fix '1'
	option masq '1'
	option forward 'ACCEPT'
	list network 'vpnclient'
	list network 'wwan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config forwarding
	option src 'wan'
	option dest 'lan'

If you need more informations, don't hesitate, I would really appreciate your help :slight_smile:

All the best,
Julian

I found the problem, I did put the wrong credentials in the VPN conf :see_no_evil:
If you still have comments on the first firewall setup of the working stup please don't hesitate

Remove the wlan device from here... the wireless hardware should only be referenced in the wireless file.

Remove the bridge statements for both of these networks. Bridges are defined in device stanzas, not the interfaces. And neither of these are bridges, anyway.

Typically, a wan network will need to be masqueraded and should be treated as untrusted... so I'd recommend removing TetheringWAN from here and putting it in your wan zone.

The wan networks should never have access to the router's admin features unless the upstream network is fully trusted. Therefore, set input (and forwward) to REJECT.

Finally, remove this forwarding rule -- you don't typically want the untursted networks/zone (i.e. the wan) to have access to your main network.