Wifi relay with built-in VPN

Hi Everyone,
I am trying to configure a Netgear EX6150v2 to do the following:

I want it to connect to the internet by a Wifi Hotspot (Unitymedia). Also I want to have a VPN client running. All other devices which access the device, should connect to the internet over the vpn connection. If the vpn is down no internet access should be possible. (Adblocking for all connected devices would be a bonus.)

I found these tutorials:
https://openwrt.org/docs/guide-user/network/wifi/relay_configuration
https://support.nordvpn.com/Connectivity/Router/1047411192/OpenWRT-setup-with-NordVPN.htm
but the instructions don't work for me individually, not to mention simultaneously :frowning:

My questions:
- Is it possible at all to set this up in this way?

- The device has two wifi modems. Is it possible to do it with one of them, or do I need two? (It's fine either way, just interested)

- It seems to be the case that I need static IP addresses on my Wifi networks for relayd to work? This might be a problem since I seem to need a DHCP client configuration for the Wifi hotspot.

- Even with static IP addresses using the internet/wifi from another router I control, I cannot get relayd to work. I had it working for a while, but the OpenWRT device became very unstable and it became hard to access the LuCI GUI, so I had to reset to factory defaults. Is there a relayd alternative?

Any answers would be appreciated :slight_smile:

I infer from your post that you are not interested in making the clients of your Netgear part of the larger network (i.e. you don't need to have the clients of your Netgear communicate with the other clients of the Unitymedia).

If that's correct then you don't need a relay. A simple WWAN on your Netgear, or something like Travelmate should do.


No, any client of the netgear should be able to access anything on the internet.
But only by using a VPN connection over the unitymedia wifi.

The simplest setup, and the most secure, is for everything that leaves the Netgear to be encrypted and go to a third-party VPN server. From there they privately access the Internet. You do not want users of the Netgear to directly see your computers and printers on the LAN, right?

In that case, it is like @Hegabo said, the Netgear router will be an ordinary client of the home network like a phone or tablet. It only needs Internet access. In this case you do not use relayd.


A wifi connection without vpn between devices would also be nice, but is really not the issue at the moment :rofl:

So let me rephrase my problem:
In a basic configuration I connect to my internet router "SRF-WWU", now I want devices I connect to "FKU-WRT" to share that internet connection.

I have internet access on my phone ("FKU-WRT"), as long as I have an ethernet cable attached from my router to my access point (for configuration).
If I remove it, I do not have access anymore.

For the life of me, I can't get it working. That's the issue I thought I needed relayd for, since I was using 2 radios previously. I basically almost use the settings travelmate sets for me:

wireless:

config wifi-device 'radio0'
	option type 'mac80211'
	option hwmode '11g'
	option path 'platform/soc/a000000.wifi'
	option htmode 'HT20'
	option channel 'auto'
	option legacy_rates '1'
	option country 'DE'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'FKU-WRT'
	option encryption 'psk2+ccmp'
	option key 'holy666!'

config wifi-device 'radio1'
	option type 'mac80211'
	option hwmode '11a'
	option path 'platform/soc/a800000.wifi'
	option htmode 'VHT80'
	option disabled '1'
	option channel 'auto'
	option legacy_rates '1'
	option country 'DE'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'FKU-WRT'
	option encryption 'psk2+ccmp'
	option key '--------'

config wifi-iface
	option network 'trm_wwan'
	option device 'radio0'
	option mode 'sta'
	option ssid 'SRF-WWU'
	option encryption 'psk2'
	option key '--------'
	option disabled '0'

network:

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix '--------::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option gateway '192.168.1.3'
	option dns '192.168.1.3'

config interface 'trm_wwan'
	option proto 'dhcp'

firewall excerpt:

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6 trm_wwan'
	option input 'REJECT'
	option forward 'REJECT'

config forwarding
	option src 'lan'
	option dest 'wan'

Apparently I don't know how to quote either :laughing:

Use code blocks, either [code] [/code] in your text or the </> on the top bar of the editor.

Most likely the problem is that the IP of the upstream network (your main router) is also 192.168.1.0/24. The WAN and LAN networks must not overlap IPs. Set the LAN IP to something obscure like 192.168.133.1. This will also help if you take the router out to use your VPN at a cafe or hotel since you don't know what WAN IP they will give you.

For configuration connect to the LAN side of the OpenWrt router. To be able to configure from the WAN side, you need to open ports on the firewall.
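The overlap described in the reply above can be checked mechanically before changing the LAN address. This is an added example, not part of the original thread: the function names are hypothetical, the sample addresses are the ones mentioned in the thread, and it assumes a shell with 64-bit arithmetic.

```sh
#!/bin/sh
# Added example (not from the thread): detect whether the router's LAN subnet
# overlaps the upstream (WAN-side) subnet. Function names are hypothetical.

# Convert a dotted-quad IPv4 address to an integer (needs 64-bit shell math).
ip2int() {
    IFS=. read -r o1 o2 o3 o4 <<EOF
$1
EOF
    echo $(( (o1 << 24) | (o2 << 16) | (o3 << 8) | o4 ))
}

# Print "first last" (as integers) for the network that contains CIDR $1.
cidr_range() {
    addr=${1%/*}; len=${1#*/}
    mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
    start=$(( $(ip2int "$addr") & mask ))
    echo "$start $(( start | (mask ^ 0xFFFFFFFF) ))"
}

# Return 0 if the two CIDR networks share at least one address.
nets_overlap() {
    set -- $(cidr_range "$1") $(cidr_range "$2")
    # $1,$2 = first/last of network A; $3,$4 = first/last of network B
    [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

# $1 = LAN address/prefix, $2 = upstream network/prefix
check_lan() {
    if nets_overlap "$1" "$2"; then
        echo "CONFLICT: LAN $1 overlaps upstream $2"
        return 1
    fi
    echo "ok: LAN $1 is distinct from upstream $2"
}

# Sample values taken from the thread: the posted LAN address, the upstream
# range named in the reply, and the suggested replacement LAN address.
check_lan 192.168.1.1/24   192.168.1.0/24 || true
check_lan 192.168.133.1/24 192.168.1.0/24
```

On the router, the first argument would come from the `lan` interface settings and the second from the address the `trm_wwan` interface receives over DHCP.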

To include code, you use the Pre-formatted text tool as @mk24 mentioned. You highlight the code, then hit Ctrl + Shift + C or click the </> button in the toolbar, with the text highlighted.

Thanks a lot.

It was the IP range. I actually tried that before, but it probably didn't apply correctly since I changed the IP with LuCI and the connection dropped once I did it. So I dismissed it as the solution, because I already tried that.

But changing it by scp text editor worked fine :roll_eyes:

Once this basic issue was solved I got all the other stuff I wanted running as well.
