OpenWrt Forum Archive

Topic: Using OpenVPN with an OpenWrt (LuCI) wireless client bridge?

The content of this topic has been archived on 22 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hello OpenWrt community,

Thanks to your help I've been able to set up a client bridge with my Buffalo WHR-600. I wanted to set up OpenVPN on this device as well, but I'm wondering if anyone can give me a tip on where/which interface the OpenVPN service needs to connect to in order for my clients to connect.

Here's my current setup

Main Router (DHCP/AP - 192.168.1.1) --->

OpenWrt Router - wireless client bridge. 
                  Interfaces so far:

                  LAN (10.10.2.1)
                  Wireless Client Bridge (192.168.1.5)
                  Relay (192.168.1.6) (relays between Wireless client Bridge and LAN - to give wired clients access)
                  Wireless AP (Allows clients to get repeated signal)
                  Relay 2 (192.168.1.7) (relays between AP and LAN - to give extended wireless clients access)
                  WAN port (currently not used).


I followed the beginner's guide to OpenVPN:
http://wiki.openwrt.org/doc/howto/vpn.openvpn

But I think this guide intended the WAN interface to be the connection point for the OpenVPN service.

So I'm wondering: when we forward the VPN port from the main router to the OpenWrt device and connect to the OpenVPN service, which interface should be the connecting interface for OpenVPN?

Should I create another relay (relay3, 192.168.1.8) and relay between the wireless bridge and the OpenVPN service?

Or should the OpenVPN service be bound to the client bridge?

The goal here is to have VPN clients come through the main router --> OpenWrt --> OpenVPN and access the subnet 192.168.1.x.

Also, on another note regarding the beginner's guide to OpenVPN: it mentions client setup,
"Configure the network on the OpenWrt client"
- Is it referring to configuring another client, or does the OpenVPN server have to have a client as well?

Thanks in advance for your advice

The guide you linked to refers to connecting two OpenWrt devices together with OpenVPN, one server and one client (it will support any other OpenVPN client as well).

Do you plan to run OpenVPN in routing (tun) or bridged (tap) mode? Routed mode is easiest, and you shouldn't run bridged unless you have to. Read more about differences at community.openvpn.net/openvpn/wiki/BridgingAndRouting.

OpenVPN will have its own interface, tun0 or tap0 (tun1, tun2 and so on if you run multiple instances). You can set OpenVPN to listen on all interfaces for connecting clients (default). If you only want to listen on one interface, pick the one you are forwarding to from your WAN router.

You will probably need some firewall configuration as well. I currently run four OpenVPN instances on a device configured as a pseudobridge using relayd. Each on its own interface tun0-3, defined as vpn0-3 in /etc/config/network. Here is an excerpt of my /etc/config/firewall, showing the changes I made for OpenVPN:

config zone
    option name 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    option network 'lan wwan'
    option masq '1'
    option masq_src '!192.168.1.0/24'

config zone
    option input 'ACCEPT'
    option output 'ACCEPT'
    option name 'vpn'
    option forward 'REJECT'
    option network 'vpn0 vpn1 vpn2 vpn3'

config rule
    option target 'ACCEPT'
    option src 'lan'
    option dest 'wan'

config rule
    option target 'ACCEPT'
    option src 'vpn'
    option dest 'lan'
    option name 'vpn2lan'
    option family 'ipv4'

config rule
    option target 'ACCEPT'
    option src 'lan'
    option dest 'vpn'
    option name 'lan2vpn'
    option family 'ipv4'

config forwarding
    option dest 'wan'
    option src 'lan'

config forwarding
    option dest 'lan'
    option src 'vpn'

config forwarding
    option dest 'vpn'
    option src 'lan'

192.168.1.0 is my local LAN subnet; OpenVPN clients have various 10.* subnets. The masq options in the lan zone NAT the VPN clients.

Marko,
Thank you very much for shedding light on this. I was hoping to run TUN so that my Android devices could connect, but it looks like I really need TAP, since I need to access my devices on my local LAN.

Is there any way to run TUN (let's say 10.x traffic) and route any of the local traffic to it (192.168.x)?

thanks again, very good info!

Sure, just set up multiple instances. Here are two of mine from /etc/config/openvpn:

config openvpn 443udp_server
        option enabled 1
        option port 443
        option proto udp
        option dev tun
        option ca /etc/openvpn/ca.crt
        option cert /etc/openvpn/server.crt
        option key /etc/openvpn/server.key
        option tls_server
        option dh /etc/openvpn/dh2048.pem
        option server "10.44.30.0 255.255.255.0"
        option ifconfig_pool_persist /tmp/ipp.txt
        list push "redirect-gateway def1 bypass-dhcp"
        list push "comp-lzo yes"
        list push "dhcp-option DNS 77.109.148.136"
        list push "dhcp-option DNS 77.109.148.137"
        option keepalive "10 120"
        option tls_auth "/etc/openvpn/ta.key 0"
        option cipher AES-128-CBC
        option comp_lzo 'yes'
        option persist_key 1
        option persist_tun 1
        option user nobody
        option status /tmp/openvpn-443udp-status.log
        option verb 3

config openvpn 443tcp_server
        option enabled 1
        option port 443
        option proto tcp
        option dev tun
        option ca /etc/openvpn/ca.crt
        option cert /etc/openvpn/server.crt
        option key /etc/openvpn/server.key
        option tls_server
        option dh /etc/openvpn/dh2048.pem
        option server "10.44.31.0 255.255.255.0"
        option ifconfig_pool_persist /tmp/ipp.txt
        list push "redirect-gateway def1 bypass-dhcp"
        list push "comp-lzo yes"
        list push "dhcp-option DNS 77.109.148.136"
        list push "dhcp-option DNS 77.109.148.137"
        option keepalive "10 120"
        option tls_auth "/etc/openvpn/ta.key 0"
        option cipher AES-128-CBC
        option comp_lzo 'yes'
        option persist_key 1
        option persist_tun 1
        option user nobody
        option status /tmp/openvpn-443tcp-status.log
        option verb 3

You would set up (at least) two. They all need to run on different ports (note that TCP and UDP are independent, so 443/tcp is not the same as 443/udp). You would have one configured with dev tap and server_bridge directives, and the other with dev tun and server directives. Create client configurations tailored to the different clients.
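Both of Marko's excerpts above are OpenWrt UCI text. As an added example (not code from the thread or from OpenWrt), here is a small Python parser for that format with two checks worth running over it: which zone-to-zone forwardings the firewall grants, and whether two enabled OpenVPN instances claim the same proto/port pair (443/tcp and 443/udp are different sockets, as noted above). The sample config is constructed to mirror the excerpts, with a third instance that deliberately reuses 443/udp.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the thread's excerpts; the third instance
# deliberately reuses 443/udp so the collision check has something to find.
SAMPLE = """
config forwarding
    option src 'vpn'
    option dest 'lan'
config forwarding
    option src 'lan'
    option dest 'vpn'
config openvpn 443udp_server
    option enabled 1
    option port 443
    option proto udp
config openvpn 443tcp_server
    option enabled 1
    option port 443
    option proto tcp
config openvpn bridge_server
    option enabled 1
    option port 443
    option proto udp
"""

def parse_uci(text):
    """Return [(type, name, options)]; 'list' entries collect into Python lists."""
    sections = []
    for line in filter(str.strip, text.splitlines()):
        # Tokenise, honouring single- or double-quoted values with spaces.
        words = [w.strip('\'"') for w in re.findall(r"'[^']*'|\"[^\"]*\"|\S+", line)]
        if words[0] == 'config':
            sections.append((words[1], words[2] if len(words) > 2 else None, {}))
        elif words[0] == 'option':
            sections[-1][2][words[1]] = ' '.join(words[2:])
        elif words[0] == 'list':
            sections[-1][2].setdefault(words[1], []).append(' '.join(words[2:]))
    return sections

def zone_forwardings(sections):
    """Directional (src, dest) zone pairs the firewall forwards between."""
    return {(o['src'], o['dest']) for t, _, o in sections if t == 'forwarding'}

def listener_conflicts(sections):
    """(proto, port) claimed by more than one enabled instance; they cannot all bind."""
    claims = defaultdict(list)
    for t, name, o in sections:
        if t == 'openvpn' and o.get('enabled') == '1':
            claims[(o.get('proto', 'udp'), o.get('port', '1194'))].append(name)
    return {k: v for k, v in claims.items() if len(v) > 1}
```

Run it against the real files with `parse_uci(open('/etc/config/firewall').read())` and the openvpn file likewise; an empty dict from `listener_conflicts` means every instance has its own socket.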

Marko, thanks so much for sharing the knowledge. I'm going to work on this and see how it goes.

Assuming you have the OpenWrt server on the Buffalo 600 and you will be connecting through your "Main Router", your clients will be pointing at the "front door" of your main router at [WANIP:PORT]. You need to move the traffic from your main router to the Buffalo. You will need at least a port forward from the main router to the Buffalo, I think (not sure with the relayd stuff): 192.168.1.5:[PORT]

I built this under DD-WRT and had to port forward and set some firewall rules on the main router to get the traffic through to the VPN device. You may want to see the DD-WRT site on the port forward and firewall rules, at least for the concept. I made another post recently on something similar: https://forum.openwrt.org/viewtopic.php?id=59347

Thanks for the tip, RangerZ. Actually, right now it turns out that I'm having problems with my installation of OpenVPN. Learning how to troubleshoot it. So far I've been up each night until 2am learning bit by bit about OpenWrt and all its possible features. Thanks to you guys, I know that it's possible to do what I want with it. Will keep you guys posted.

The discussion might have continued from here.