WRT1900AC OpenVPN Setup with OpenWrt

Hi everyone, I'm new to OpenWRT and have just successfully flashed my Linksys WRT1900AC v1 Mamba with OpenWRT 18.06.4 as instructed on the device's OpenWRT wiki page. I struggle with the configuration and would appreciate your help. Let me describe my network topology:

I have a FTTH connection that terminates in a TP-LINK MC220L, which I connect to the WAN port of a Linksys WRT1900AC router running on stock firmware (I will call this one "stock router"). All of my client devices are connected to this router either via WiFi or via ethernet behind additional Linksys SE4008-EJ switches.

My goal: Connect a second (!) Linksys WRT1900AC unit running OpenWRT (the "OpenWRT router") to this network and route traffic from all devices I connect to this thing through an OpenVPN connection.

I have connected the WAN port of the OpenWRT router to one of the switches which is in turn connected to the stock router. Additionally, I have an ethernet cable between one of the OpenWRT's other ethernet ports and my laptop. I can access the OpenWRT router under 192.168.1.1 with both web and ssh. The router itself does not seem to be able to go online as it fails to download software package lists, and my laptop is not online either when connected this way. When I connect to the stock router, I see that the OpenWRT router had an IP assigned (192.168.1.177), but that's about it. I tried following this tutorial but I end up with a non-working configuration and cannot access the OpenWRT router on 192.168.1.2, the laptop remains offline. Rebooting restores original settings.

There are some shady VLAN settings by default that seem to separate the WAN port from the LAN ports. I tried putting all the ports into the same VLAN, which seems to have converted the OpenWRT router into a switch. I can no longer access it, it doesn't get an IP, and my laptop is now online when connecting to it. My best bet is probably to reset it. But what to do next?

You are running the 192.168.1.X scheme on both sides of the new OpenWrt router. Change the third byte (192.168.X.1) to something else in the configuration of the new OpenWrt. Then reboot the OpenWrt and the devices connected to it.

Then the OpenWrt will have 192.168.1.177 on the WAN side and 192.168.SOMETHING.1 on the LAN side, and all devices connected on the LAN side will have 192.168.SOMETHING.1+SomeNumber.

Then you can configure the OpenVPN client on the OpenWrt.

Hi, thanks for the quick response! I think you made a very good point. Unfortunately, setting the IP to 192.168.2.1 did not help either - after applying the configuration, I cannot access the OpenWRT router anymore until I restart it, at which point it has restored the original configuration. I believe there is an issue with the base configuration and the way the interfaces are linked together. Let me share a couple of configuration details (this is after a reset; sorry for the huge picture, as a new user I can only upload one):

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd35:ee0a:1d80::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option ifname 'eth1.2'
        option proto 'dhcp'

config interface 'wan6'
        option ifname 'eth1.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 3 5t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '4 6t'

root@OpenWrt:~# ping openwrt.org
ping: bad address 'openwrt.org'

OpenWrt waits for 30 seconds after a configuration change for you to access it again. If you don't, it will revert the setting.

Simple solution: Change the IP manually on your computer for the first time, quickly. After confirming the change, all other devices will by default pick up the new third byte.


Cool, setting my laptop's IP manually helped me apply the setting and I could still connect to the router at 192.168.2.1, but not to the internet. After manually setting the DNS Server to 192.168.1.1 (the stock router), things were working. Unfortunately, I am now stuck with manual IP settings on my laptop - when switching to automatic, it doesn't get an IP assigned. This is my first problem, but not my main problem.

As the setup was now fine, I proceeded to install openvpn-openssl, which worked fine, and I configured the connection for ProtonVPN. There were four settings in the configuration file that I could not match in LuCI:

  • comp-lzo no
  • reneg-sec 0
  • mssfix 1450
  • block-outside-dns

Going without those, it seems I actually managed to connect. When I started OpenVPN, my laptop couldn't access the internet anymore. I figured out that I needed to add tun0 to the LAN bridge. This restored internet access. However, from both my laptop and the OpenWRT router, my external IP as observed by my remote webserver is still the normal one assigned by my ISP. After a reboot of the OpenWRT router, the laptop cannot access the internet anymore despite tun0 being bridged. Pings are answered by the OpenWRT router:

C:\Users\Dany>ping google.com

Pinging google.com [216.58.215.238] with 32 bytes of data:
Reply from 192.168.2.1: Destination port unreachable.
Reply from 192.168.2.1: Destination port unreachable.
Reply from 192.168.2.1: Destination port unreachable.
Reply from 192.168.2.1: Destination port unreachable.

Ping statistics for 216.58.215.238:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

These are the system logs from the router when establishing the VPN connection:

Sat Sep  7 23:15:18 2019 daemon.notice openvpn(protonvpn_us)[2694]: OpenVPN 2.4.5 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Sat Sep  7 23:15:18 2019 daemon.notice openvpn(protonvpn_us)[2694]: library versions: OpenSSL 1.0.2s  28 May 2019, LZO 2.10
Sat Sep  7 23:15:18 2019 daemon.notice openvpn(protonvpn_us)[2694]: NOTE: --fast-io is disabled since we are not using UDP
Sat Sep  7 23:15:18 2019 daemon.notice openvpn(protonvpn_us)[2694]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Sat Sep  7 23:15:18 2019 daemon.notice openvpn(protonvpn_us)[2694]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Sat Sep  7 23:15:18 2019 daemon.notice openvpn(protonvpn_us)[2694]: TCP/UDP: Preserving recently used remote address: [AF_INET]209.58.142.155:443
Sat Sep  7 23:15:18 2019 daemon.notice openvpn(protonvpn_us)[2694]: Socket Buffers: R=[87380->87380] S=[16384->16384]
Sat Sep  7 23:15:18 2019 daemon.notice openvpn(protonvpn_us)[2694]: Attempting to establish TCP connection with [AF_INET]209.58.142.155:443 [nonblock]
Sat Sep  7 23:15:19 2019 daemon.notice openvpn(protonvpn_us)[2694]: TCP connection established with [AF_INET]209.58.142.155:443
Sat Sep  7 23:15:19 2019 daemon.notice openvpn(protonvpn_us)[2694]: TCP_CLIENT link local: (not bound)
Sat Sep  7 23:15:19 2019 daemon.notice openvpn(protonvpn_us)[2694]: TCP_CLIENT link remote: [AF_INET]209.58.142.155:443
Sat Sep  7 23:15:19 2019 daemon.notice openvpn(protonvpn_us)[2694]: TLS: Initial packet from [AF_INET]209.58.142.155:443, sid=e8681164 af593b22
Sat Sep  7 23:15:19 2019 daemon.warn openvpn(protonvpn_us)[2694]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sat Sep  7 23:15:20 2019 daemon.notice openvpn(protonvpn_us)[2694]: VERIFY OK: depth=2, C=CH, O=ProtonVPN AG, CN=ProtonVPN Root CA
Sat Sep  7 23:15:20 2019 daemon.notice openvpn(protonvpn_us)[2694]: VERIFY OK: depth=1, C=CH, O=ProtonVPN AG, CN=ProtonVPN Intermediate CA 1
Sat Sep  7 23:15:20 2019 daemon.notice openvpn(protonvpn_us)[2694]: VERIFY KU OK
Sat Sep  7 23:15:20 2019 daemon.notice openvpn(protonvpn_us)[2694]: Validating certificate extended key usage
Sat Sep  7 23:15:20 2019 daemon.notice openvpn(protonvpn_us)[2694]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sat Sep  7 23:15:20 2019 daemon.notice openvpn(protonvpn_us)[2694]: VERIFY EKU OK
Sat Sep  7 23:15:20 2019 daemon.notice openvpn(protonvpn_us)[2694]: VERIFY OK: depth=0, CN=us-ca-102.protonvpn.com
Sat Sep  7 23:15:21 2019 daemon.warn openvpn(protonvpn_us)[2694]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1635', remote='link-mtu 1636'
Sat Sep  7 23:15:21 2019 daemon.warn openvpn(protonvpn_us)[2694]: WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
Sat Sep  7 23:15:21 2019 daemon.notice openvpn(protonvpn_us)[2694]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Sat Sep  7 23:15:21 2019 daemon.notice openvpn(protonvpn_us)[2694]: [us-ca-102.protonvpn.com] Peer Connection Initiated with [AF_INET]209.58.142.155:443
Sat Sep  7 23:15:22 2019 daemon.notice openvpn(protonvpn_us)[2694]: SENT CONTROL [us-ca-102.protonvpn.com]: 'PUSH_REQUEST' (status=1)
Sat Sep  7 23:15:22 2019 daemon.notice openvpn(protonvpn_us)[2694]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.8.8.1,sndbuf 524288,rcvbuf 524288,explicit-exit-notify,comp-lzo no,route-gateway 10.7.1.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.7.1.5 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Sat Sep  7 23:15:22 2019 daemon.notice openvpn(protonvpn_us)[2694]: OPTIONS IMPORT: timers and/or timeouts modified
Sat Sep  7 23:15:22 2019 daemon.notice openvpn(protonvpn_us)[2694]: OPTIONS IMPORT: --explicit-exit-notify can only be used with --proto udp
Sat Sep  7 23:15:22 2019 daemon.notice openvpn(protonvpn_us)[2694]: OPTIONS IMPORT: compression parms modified
Sat Sep  7 23:15:22 2019 daemon.notice openvpn(protonvpn_us)[2694]: OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Sat Sep  7 23:15:22 2019 daemon.notice openvpn(protonvpn_us)[2694]: Socket Buffers: R=[341760->327680] S=[44800->327680]
Sat Sep  7 23:15:22 2019 daemon.notice openvpn(protonvpn_us)[2694]: OPTIONS IMPORT: --ifconfig/up options modified
Sat Sep  7 23:15:22 2019 daemon.notice openvpn(protonvpn_us)[2694]: OPTIONS IMPORT: route options modified
Sat Sep  7 23:15:22 2019 daemon.notice openvpn(protonvpn_us)[2694]: OPTIONS IMPORT: route-related options modified
Sat Sep  7 23:15:22 2019 daemon.notice openvpn(protonvpn_us)[2694]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sat Sep  7 23:15:22 2019 daemon.notice openvpn(protonvpn_us)[2694]: OPTIONS IMPORT: peer-id set
Sat Sep  7 23:15:22 2019 daemon.notice openvpn(protonvpn_us)[2694]: OPTIONS IMPORT: adjusting link_mtu to 1658
Sat Sep  7 23:15:22 2019 daemon.notice openvpn(protonvpn_us)[2694]: OPTIONS IMPORT: data channel crypto options modified
Sat Sep  7 23:15:22 2019 daemon.notice openvpn(protonvpn_us)[2694]: Data Channel: using negotiated cipher 'AES-256-GCM'
Sat Sep  7 23:15:22 2019 daemon.notice openvpn(protonvpn_us)[2694]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sat Sep  7 23:15:22 2019 daemon.notice openvpn(protonvpn_us)[2694]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sat Sep  7 23:15:22 2019 daemon.notice openvpn(protonvpn_us)[2694]: TUN/TAP device tun0 opened
Sat Sep  7 23:15:22 2019 daemon.notice openvpn(protonvpn_us)[2694]: TUN/TAP TX queue length set to 100
Sat Sep  7 23:15:22 2019 daemon.notice openvpn(protonvpn_us)[2694]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sat Sep  7 23:15:22 2019 daemon.notice openvpn(protonvpn_us)[2694]: /sbin/ifconfig tun0 10.7.1.5 netmask 255.255.255.0 mtu 1500 broadcast 10.7.1.255
Sat Sep  7 23:15:22 2019 daemon.notice openvpn(protonvpn_us)[2694]: /sbin/route add -net 209.58.142.155 netmask 255.255.255.255 gw 192.168.1.1
Sat Sep  7 23:15:22 2019 daemon.notice netifd: Network device 'tun0' link is up
Sat Sep  7 23:15:22 2019 daemon.notice openvpn(protonvpn_us)[2694]: /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.7.1.1
Sat Sep  7 23:15:22 2019 kern.info kernel: [  134.866924] IPv6: ADDRCONF(NETDEV_UP): tun0: link is not ready
Sat Sep  7 23:15:22 2019 daemon.notice openvpn(protonvpn_us)[2694]: /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.7.1.1
Sat Sep  7 23:15:22 2019 daemon.notice openvpn(protonvpn_us)[2694]: Initialization Sequence Completed

The client side setting should match the server side.

You can import the whole OVPN profile and not make things complicated.

This is certainly wrong.

OK I'm getting really close now:

The client side setting should match the server side.

I downloaded the file from ProtonVPN. Not sure if this line contributes to the problem; I can just remove it. So what I ended up doing is I put the .ovpn file at /etc/openvpn/client.conf via ssh and deleted my previous configuration in LuCI. It did complain about block-outside-dns, which apparently is not understood by the current OpenVPN version of OpenWRT, so I removed it. Then I got this in the logs:

Sun Sep  8 11:39:24 2019 daemon.err openvpn(client)[5490]: neither stdin nor stderr are a tty device and you have neither a controlling tty nor systemd - can't ask for 'Enter Auth Username:'.  If you used --daemon, you need to use --askpass to make passphrase-protected keys work, and you can not use --auth-nocache.
Sun Sep  8 11:39:24 2019 daemon.notice openvpn(client)[5490]: Exiting due to fatal error

I figured out I had to change the auth-user-pass line in my configuration file to point to my file

auth-user-pass /etc/openvpn/auth.txt

Now the logs look like it's connecting correctly. From the SSH shell, I can traceroute openwrt.org and curl icanhazip.com and they correctly show me the different routing and my external IP address changes as I run service openvpn start and service openvpn stop, respectively.

But: My laptop remains unable to access the internet when OpenVPN is running, regardless of whether tun0 is bridged to the LAN or not (I've removed it again for now). And I still have the static IP configuration on my laptop that I want to get rid of. Unfortunately, I don't really understand the details behind the link you've shared with me. Could you please explain what I need to do?


I don't understand your configuration (in the OP there was a single OpenVPN connection; here another one, ProtonVPN, arose). Please describe it in detail.

There is only one VPN involved. I have an OpenVPN configuration file from ProtonVPN (ProtonVPN is simply a provider). There are two routers involved (both Linksys WRT1900AC): One router is connected to the ISP (fiber uplink) via its WAN port. This one is on stock firmware. The other one is on OpenWRT, and its WAN port is connected to one of the LAN ports of the first one, with a switch in between (the presence of the switch should not matter IMO). Finally, I have connected my laptop to the OpenWRT router via one of its LAN ports. The OpenWRT router can establish an OpenVPN connection with the VPN server provided by ProtonVPN. However, my laptop does not go online when this connection is established - it can only reach the local network (including the main router at 192.168.1.1). When the OpenVPN connection is NOT established, it does go online fine but my entire IP configuration including DNS needs to be static, otherwise it does not get an IP.

Final goal: All devices connected to the OpenWRT router should appear to be behind the IP from the OpenVPN connection for all traffic leaving my home network.

If it connects properly, you just need to configure the firewall.

The simplest way is to add the VPN interface to the WAN zone:
https://openwrt.org/docs/guide-user/services/vpn/openvpn/client#firewall

Or you can create a separate zone if you need the kill switch functionality:
https://openwrt.org/docs/guide-user/services/vpn/openvpn/extras#kill_switch

I don't understand why you need an extra router. But to provide the VPN connection to the laptop you should create a zone for the tun adapter and enable forwarding to it with masquerading. I don't understand the DHCP problem; the question is, which router is the DHCP server running on?
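As an added example, not commands from the original poster or from anyone in this thread, the following script collects the steps the replies point at into one file for the OpenWrt 18.06 router: move the LAN off the upstream 192.168.1.0/24 (the subnet clash from the first reply), register the provider profile with an auth-user-pass file, give tun0 its own firewall zone with masquerading instead of bridging it into the LAN, drop the lan-to-wan forwarding as a kill switch, and hand clients only the VPN resolver. Assumptions: the addresses 192.168.2.1 and 192.168.1.1 and the paths /etc/openvpn/client.conf and /etc/openvpn/auth.txt are the ones the poster describes; the resolver 10.8.8.1 is the one pushed in the posted log; the file name vpn-setup.sh, the UCI section names vpn and lan_vpn, and the LAN_IP/UPSTREAM_IP/VPN_DNS environment overrides are choices of this script, not OpenWrt conventions. The uci part only runs when the script is invoked with apply on the router; the subnet check is plain shell and runs anywhere.

```shell
#!/bin/sh
# vpn-setup.sh (hypothetical name): configure an OpenWrt 18.06 router whose WAN
# sits inside another home LAN so that its LAN clients reach the Internet only
# through an OpenVPN client tunnel (tun0). Run on the router: sh vpn-setup.sh apply

LAN_IP=${LAN_IP:-192.168.2.1}            # new LAN address of the OpenWrt router
LAN_MASK=${LAN_MASK:-255.255.255.0}
UPSTREAM_IP=${UPSTREAM_IP:-192.168.1.1}  # stock router; our WAN gets a lease from it
VPN_DNS=${VPN_DNS:-10.8.8.1}             # resolver pushed by the VPN server in the log
OVPN=/etc/openvpn/client.conf            # provider profile, copied here by hand
AUTH=/etc/openvpn/auth.txt               # username on line 1, password on line 2

ip2int() {
    # dotted quad -> 32-bit integer, shell arithmetic only
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

same_subnet() {
    # same_subnet IP1 IP2 MASK -> exit 0 when both addresses share one network.
    # Two routers back to back on 192.168.1.0/24 is the failure in this thread:
    # the OpenWrt box cannot tell LAN from WAN for those destinations.
    [ $(( $(ip2int "$1") & $(ip2int "$3") )) -eq $(( $(ip2int "$2") & $(ip2int "$3") )) ]
}

apply_all() {
    if same_subnet "$LAN_IP" "$UPSTREAM_IP" "$LAN_MASK"; then
        echo "refusing: LAN $LAN_IP is inside the upstream network of $UPSTREAM_IP" >&2
        return 1
    fi
    command -v uci >/dev/null 2>&1 || { echo "uci not found; run this on the router" >&2; return 1; }
    [ -f "$OVPN" ] && [ -f "$AUTH" ] || { echo "missing $OVPN or $AUTH" >&2; return 1; }

    # 1. Move the LAN off the upstream subnet; reconnect to LuCI/ssh on the new address.
    uci set network.lan.ipaddr="$LAN_IP"
    uci set network.lan.netmask="$LAN_MASK"

    # 2. Credentials readable by root only; point the profile at them so openvpn
    #    never tries to prompt on a tty it does not have.
    chmod 600 "$AUTH"
    sed -i "s|^auth-user-pass.*|auth-user-pass $AUTH|" "$OVPN"
    sed -i '/^block-outside-dns/d' "$OVPN"  # Windows-only option, rejected by this build
    uci -q delete openvpn.client
    uci set openvpn.client="openvpn"
    uci set openvpn.client.enabled="1"
    uci set openvpn.client.config="$OVPN"
    uci commit openvpn

    # 3. Firewall: tun0 gets its own zone with NAT, and LAN may forward only into it.
    uci -q rename firewall.@zone[0]="lan"
    uci -q rename firewall.@zone[1]="wan"
    uci -q rename firewall.@forwarding[0]="lan_wan"
    uci -q delete firewall.vpn
    uci set firewall.vpn="zone"
    uci set firewall.vpn.name="vpn"
    uci set firewall.vpn.device="tun+"   # match the tunnel by device name, no bridging
    uci set firewall.vpn.input="REJECT"
    uci set firewall.vpn.output="ACCEPT"
    uci set firewall.vpn.forward="REJECT"
    uci set firewall.vpn.masq="1"        # clients appear as the tunnel address
    uci set firewall.vpn.mtu_fix="1"     # clamp TCP MSS; stands in for mssfix in the profile
    uci -q delete firewall.lan_vpn
    uci set firewall.lan_vpn="forwarding"
    uci set firewall.lan_vpn.src="lan"
    uci set firewall.lan_vpn.dest="vpn"
    # Kill switch: no lan->wan forwarding, so a dead tunnel means no Internet,
    # never a silent fall-back through the ISP.
    uci -q delete firewall.lan_wan
    uci commit firewall

    # 4. DNS: ignore the resolvers the stock router hands out, serve only the VPN one.
    uci set network.wan.peerdns="0"
    uci set network.wan6.peerdns="0"
    uci set dhcp.@dnsmasq[0].noresolv="1"
    uci -q delete dhcp.@dnsmasq[0].server
    uci add_list dhcp.@dnsmasq[0].server="$VPN_DNS"
    uci commit dhcp
    uci commit network

    /etc/init.d/network restart
    /etc/init.d/firewall restart
    /etc/init.d/dnsmasq restart
    /etc/init.d/openvpn restart
}

case "${1:-}" in
    apply) apply_all ;;
esac
```

Run it over ssh as `sh vpn-setup.sh apply`; the session drops when the network restarts, so reconnect on 192.168.2.1. A `uci commit` from the shell takes effect immediately and is not subject to the LuCI rollback timer mentioned earlier. Two checks are worth doing from a laptop on the new LAN: with openvpn running, an external-IP lookup (the poster used curl icanhazip.com) must show the VPN exit, and after `/etc/init.d/openvpn stop` the same lookup must fail rather than show the ISP address, which is the kill switch doing its job. The "Destination port unreachable" replies from 192.168.2.1 in the ping output above are the router's firewall rejecting forwarded traffic for which tun0 belonged to no zone; once the vpn zone and the lan_vpn forwarding exist, they stop.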