Topic: Forward Wifi through OpenVPN Interface

Hello, I'am an OpenWRT (Linux) Newbie and decided to buy an OpenWRT Router (Linksys WRT1200AC) cause I want to use a VPN-Service. I installed everything like it is described in the Tutorial on Providers-Page (nordvpn.com/de/tutorials/openwrt/openvpn/) and it works fine. Now my problem is the Wifi-Network. Something is wrong with my configuration I think because I cant connect to the internet via Wifi.
I created a new network Interface and configure the Firewall with Luci like the LAN Zone (like described inside the tutorial). But it doesnt work, I think i have to make some other changes but I doesn't have an idea which this could be.
I can connect to Wifi Network and get an ip-adres out of the "right ip-pool"...

Can anyone please help me

best regards,
ehorn

Re: Forward Wifi through OpenVPN Interface

Hi, and welcome to the forums.

To make it easier for us to help you, please provide the following details from your current setup. You can get these details by opening an SSH connection to the router, and typing the commands listed below.

cat /etc/config/network
cat /etc/config/firewall
cat /etc/config/dhcp

The first one shows your network configuration as parsed by the UCI system. The second shows the firewall configuration. The last one shows your DHCP and DNS configuration.

Run each of these commands, and then copy the results of the commands into a new reply. When pasting the results, use the 'code' formatting elements to maintain readability.

An example below:

root@OpenWRT:~# cat /etc/config/network

.... results ....

Re: Forward Wifi through OpenVPN Interface

Hello, here are the results

network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd79:290a:e0e2::/48'

config interface 'lan'
        option type 'bridge'
        option proto 'static'
        option ip6assign '60'
        option ipaddr '192.168.0.9'
        option netmask '255.255.0.0'
        option _orig_ifname 'eth1 wlan0 wlan1'
        option _orig_bridge 'true'
        option ifname 'eth1'

config interface 'wan'
        option ifname 'eth0'
        option _orig_ifname 'eth0'
        option _orig_bridge 'false'
        option proto 'dhcp'

config interface 'wan6'
        option ifname 'eth0'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 3 6'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '4 5'

config interface 'nordvpntun'
        option proto 'none'
        option ifname 'tun0'

config interface 'wifi'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.0.110'
        option gateway '192.168.0.110'
        option type 'bridge'
        option _orig_ifname 'wlan0 wlan1'
        option _orig_bridge 'true'

config route
        option interface 'wan'
        option target '192.168.1.8'
        option gateway '192.168.1.2'

config route
        option interface 'lan'
        option target '192.168.0.1'
        option gateway '192.168.0.9'
firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option input 'ACCEPT'
        option network 'wan wan6'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config rule
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'vpnfirewall'
        option input 'REJECT'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option forward 'ACCEPT'
        option network 'nordvpntun'

config zone
        option name 'wifi'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option network 'wifi'
        option forward 'ACCEPT'

config forwarding
        option dest 'vpnfirewall'
        option src 'lan'

config forwarding
        option dest 'lan'
        option src 'vpnfirewall'

config forwarding
        option dest 'lan'
        option src 'wifi'

config forwarding
        option dest 'vpnfirewall'
        option src 'wifi'

config forwarding
        option dest 'wifi'
        option src 'lan'

config forwarding
        option dest 'wifi'
        option src 'vpnfirewall'
dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option localservice '1'
        option nonwildcard '0'

config dhcp 'lan'
        option interface 'lan'
        option dhcpv6 'server'
        option ra 'server'
        option ra_management '1'
        option ignore '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'

config dhcp 'wifi'
        option interface 'wifi'
        option start '100'
        option limit '150'
        option leasetime '12h'

config host
        option name 'Server'
        option mac '4c:cc:6a:60:72:49'
        option ip '192.168.0.1'

config host
        option name 'Rechner A'
        option mac '50:e5:49:b2:fa:4b'
        option ip '192.168.0.12'

config host
        option name 'Rechner B'
        option mac '50:46:5D:8B:A6:E0'
        option ip '192.168.0.10'

config host
        option name 'Drucker'
        option mac '00:15:99:A3:AE:7E'
        option ip '192.168.0.3'

config host
        option name 'Internet-Radio'
        option mac '00:22:61:C0:D4:F4'
        option ip '192.168.0.6'

config host
        option name 'Fernseher'
        option mac 'E4:E0:C5:DA:A8:BC'
        option ip '192.168.0.7'

config host
        option name 'Tablet'
        option ip '192.168.0.11'
        option mac '94:b1:0a:ca:5c:a8'

config host
        option mac '00:0C:E7:16:71:66'
        option ip '192.168.0.13'
        option name 'Smartphone'

config host
        option mac '00:16:01:17:01:C2'
        option ip '192.168.0.8'
        option name 'Kamera'

4 (edited by Antek 2017-05-09 07:22:34)

Re: Forward Wifi through OpenVPN Interface

I'm not entirely familiar with Linksys WRT1200AC device's hardware or with VPN-connections, but here are a few things which  caught my eye in the configuration files. They may contribute to the inconsistent functionality, but I am by no means certain.

  • The switch & VLAN -configuration have no tagged ports, nor do they share a common port (usually all switched VLANs have one common port through which tagged traffic flows towards the CPU)

  • The LAN and WAN interfaces 'eth1' and 'eth0' seem strange. Did you intend 'eth0.1' and 'eth0.0' so as to refer to the VLANs defined in the switch configuration? Does your device have two distinct interfaces in addition to the switched circuit?

  • The 'bridge' option for LAN and WLAN seems odd. Why do you want to bridge these two interfaces when they are using different IP address ranges?

  • The route configuration for WAN doesn't make sense to me since there are interface configurations using DHCP and DHCPv6

Post the results of 'swconfig list' so we can see what OpenWRT thinks about available switch devices onboard.

EDIT: After outputting the information about the switch devices, you can use 'swconfig dev <device name> show' to print details about the ports inside the switch. Using this combination together with plugging a single RJ-45 cable that is connected to a PC to each of the ports in sequence will allow you to discover which switch ports map to which physical ports. This information may be useful later on if you want to setup a VLAN configuration. When discovering the ports, there should be one port which is always active even though no physical cable is connected. This is the CPU-facing port.

Another question regarding your network topology. Is it correct to assume that you have an upstream device connected to the physical yellow-colored WAN port of the Linksys device, and that this device is responsible for routing traffic from the Linksys device to the Internet at large?

Also, what kind of a VPN solution do you want to achieve? Do you want all traffic from the Linksys router to hop into the VPN tunnel, go out to the upstream device and through the Internet to the NordVPN destination, or do you want to have just specific addresses relayed to the VPN tunnel and others should be directed to the "regular" Internet?

EDIT: Also, I forgot to mention that 'cat /etc/config/wireless' will display your Wi-Fi setup. Perhaps you can provide the output of this command as well?

Re: Forward Wifi through OpenVPN Interface

One more thing, which I didn't notice at first.

The IP ranges of the LAN and WLAN interfaces overlap, with the LAN being a 192.168.0.0 / 16 network and WLAN being a 192.168.0.0 / 24 network.

I'm pretty sure this overlap will cause routing issues in the network. I think it might be a better idea to use different address ranges completely:

LAN IP: 192.168.0.9
LAN Netmask: 255.255.255.0

WLAN IP: 192.168.1.1
WLAN Netmask: 255.255.255.0

I took the liberty of changing the WLAN interface to be at address 1 instead of 110. You can change it back if you want to, but since you are providing a DHCP server through this interface to wireless clients, you should adjust the 'start' number to be higher than '110' to prevent a wireless client from receiving the same address as the AP station.

I don't know how you'd go about splitting one 255-address network to two 128-address networks in the OpenWRT configuration.

6 (edited by cptdondo 2017-05-09 12:28:57)

Re: Forward Wifi through OpenVPN Interface

The easiest way is to use a tap interface and add it to the bridge.

If you have to use tun, then you should look into iproute2 and use advanced routing rules to route through the tun interface.

One caveat:  if the tun interface and your lan don't use the same subnet, then broadcasts won't work.

config interface 'loopback'
    option ifname 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config interface 'auth'
    option type 'bridge'
    option proto 'static'
    option ifname 'eth1.4 tap0 tap1'
    option ipaddr '192.168.4.1'
    option netmask '255.255.255.0'
    option broadcast '255.255.255.0'
    option metric '4'
#    option mtu '1492'

config interface 'open'
    option proto 'static'
    option ifname 'eth1.5'
    option ipaddr '192.168.5.1'
    option netmask '255.255.255.0'
    option broadcast '255.255.255.0'
    option metric '5'
#    option mtu '1492'

config interface 'guest'
    option proto 'static'
    option ifname 'eth1.6'
    option ipaddr '192.168.6.1'
    option netmask '255.255.255.0'
    option broadcast '255.255.255.0'
    option metric '6'
#    option mtu '1492'

config interface 'dmz'
    option proto 'static'
    option ifname 'eth2.3'
    option ipaddr '192.168.3.1'
    option netmask '255.255.255.0'
    option mtu '1492'

config interface 'dsl'
    option ifname 'eth0.8'
    option proto 'pppoe'
    option defaultroute '0'
    option peerdns '0'
    option metric '1'
    option enabled '1'

config interface 'cable'
    option ifname 'eth0.9'
    option proto 'dhcp'
    list dns '8.8.8.8'
    list dns '8.8.4.4'
    option peerdns '0'
    option metric '0'

config interface 'wired'
    option proto 'static'
    option ifname 'eth1.7'
    option ipaddr '192.168.7.1'
    option netmask '255.255.255.0'
    option broadcast '255.255.255.0'
    option metric '7'
#    option mtu '1492'

7 (edited by e-horn 2017-05-09 20:09:42)

Re: Forward Wifi through OpenVPN Interface

Antek wrote:

I'm not entirely familiar with Linksys WRT1200AC device's hardware or with VPN-connections, but here are a few things which  caught my eye in the configuration files. They may contribute to the inconsistent functionality, but I am by no means certain.

  • The switch & VLAN -configuration have no tagged ports, nor do they share a common port (usually all switched VLANs have one common port through which tagged traffic flows towards the CPU)

  • The LAN and WAN interfaces 'eth1' and 'eth0' seem strange. Did you intend 'eth0.1' and 'eth0.0' so as to refer to the VLANs defined in the switch configuration? Does your device have two distinct interfaces in addition to the switched circuit?

  • The 'bridge' option for LAN and WLAN seems odd. Why do you want to bridge these two interfaces when they are using different IP address ranges?

  • The route configuration for WAN doesn't make sense to me since there are interface configurations using DHCP and DHCPv6

Post the results of 'swconfig list' so we can see what OpenWRT thinks about available switch devices onboard.

EDIT: After outputting the information about the switch devices, you can use 'swconfig dev <device name> show' to print details about the ports inside the switch. Using this combination together with plugging a single RJ-45 cable that is connected to a PC to each of the ports in sequence will allow you to discover which switch ports map to which physical ports. This information may be useful later on if you want to setup a VLAN configuration. When discovering the ports, there should be one port which is always active even though no physical cable is connected. This is the CPU-facing port.

Another question regarding your network topology. Is it correct to assume that you have an upstream device connected to the physical yellow-colored WAN port of the Linksys device, and that this device is responsible for routing traffic from the Linksys device to the Internet at large?

Also, what kind of a VPN solution do you want to achieve? Do you want all traffic from the Linksys router to hop into the VPN tunnel, go out to the upstream device and through the Internet to the NordVPN destination, or do you want to have just specific addresses relayed to the VPN tunnel and others should be directed to the "regular" Internet?

EDIT: Also, I forgot to mention that 'cat /etc/config/wireless' will display your Wi-Fi setup. Perhaps you can provide the output of this command as well?


Hello, thanks for your answer. I'm sorry but my english isn't very good so its a little hard for me to understand everything. I wil try it wink

First here is a picture of my wanted network-solution:
***://imagizer.imageshack.com/img923/4074/pk67zZ.jpg

Now I wil try to answer your questions
* I dont configure the switch and VLAN options. Is this necessary?
* I play around with the options (netmask...) so i could be that there are some conflicts or wrong configuration (like overlapping IP-Ranges)

I want to have a network like the picture above. All Network behind the VPN-Router should go through the VPN. Only the Server should have direkt internet-access. The server is behind another router (the first router) and have another IP-Range so in my opinion this should work. My problem is that i want to have access from all clients behind the vpn-router to the Server and the server should have access to the clients. I thougt i can reach this with another subnet-mask but it doesnt work. I think there should also be some ports forwared...
And the other problem is the Wifi I described above. Now you know the complete plan big_smile

The other points you answered I have to read twice and will post here tomorow...

8 (edited by Antek 2017-05-10 10:19:14)

Re: Forward Wifi through OpenVPN Interface

e-horn wrote:

First here is a picture of my wanted network-solution:

This picture makes things a bit more clear. What firmware is the VDSL Router using? OpenWRT, or Telekom's own firmware?

e-horn wrote:

Now I wil try to answer your questions
* I dont configure the switch and VLAN options. Is this necessary?

Based on your picture, the switch and VLAN configurations are not needed on the Linksys device. A VLAN configuration would allow you to isolate the four blue Ethernet ports behind the Linksys router from each other, so that port #1 has network #1, port #2 has network #2 and so on. Your picture has only the physical 'switch' device drawn to it, and the PCs and the printer in a single network behind this switch, hence no VLAN configuration is needed.

e-horn wrote:

All Network behind the VPN-Router should go through the VPN. Only the Server should have direkt internet-access. The server is behind another router (the first router) and have another IP-Range so in my opinion this should work. My problem is that i want to have access from all clients behind the vpn-router to the Server and the server should have access to the clients.

Since your server is visible to the Internet and visible to the clients behind the VPN-router, then what you need is a DMZ-configuration. The 'server' computer is placed on a DMZ (de-militarized zone) that allows incoming traffic to and reply-packets out from the machines inside the zone, but prevents new connections from machines inside the DMZ towards the network behind the VPN-router. It is a layer of security that protects your client devices in case the 'server' computer in the picture is breached by an attacker.

A simple subnet configuration will not be enough. You'll need routing and specific firewalling rules at least on the Linksys device, so traffic flows are correct. I might be able to help you in some bits, but most of the configuration is out of my league.

EDIT: For added security, you could consider creating a VLAN configuration on the VDSL router. Depending on what firmware the device is running, this may be a simple endeavor, or a bit harder.

For details on how a DMZ could be done in OpenWRT, see the article "Setting up a DMZ" in the OpenWRT Wiki. If you cannot create a DMZ with the VDSL router, then another alternative is to create a DMZ configuration on the Linksys device and make it your primary router, then attach the VDSL router directly to the WAN-port of the Linksys device. Note that this kind of a setup will place a heavy burden on the Linksys device so it's CPU, memory etc. specs need to be top notch.

Re: Forward Wifi through OpenVPN Interface

Antek wrote:

What firmware is the VDSL Router using? OpenWRT, or Telekom's own firmware?

The original Telekom Firmware (I think it isnt possible to install OpenWRT at the router)

I tried to setup my network at least three times and everytime something doesn't work right. So I thought that I can set up my network piece by piece.

In my imagination I should first start to configure the VPN-Router. (please reply if i am wrong)

the firmware of the Router is:

Hostname    OpenWrt
Model    Linksys WRT1200AC
Firmware Version    OpenWrt Designated Driver r49377 / LuCI Master (git-16.151.26687-f4af114)
Kernel Version    4.4.7

I set up a working vpn connection for the LAN-interface (like written above) with some firewall entries.
Now i will set up the WIFI-interface to go through the vpn-interface (-tunnel) too

...and if this works I will take a look on configuring the DMZ or how to solve the "Server-Issue"

@Antek you wrote that "the 'bridge' option for LAN and WLAN seems odd." What did you mean?
I configure the router via LUCI and there are no bridge-mode active?!

You also said "The route configuration for WAN doesn't make sense to me since there are interface configurations using DHCP and DHCPv6"
Can you explain me what you mean here?


here is my WIFI-setup, hope it will help

config wifi-device 'radio0'
        option type 'mac80211'
        option hwmode '11a'
        option path 'soc/soc:pcie-controller/pci0000:00/0000:00:01.0/0000:01:00.0'
        option htmode 'VHT80'
        option country 'DE'
        option txpower '20'
        option channel 'auto'

config wifi-iface
        option device 'radio0'
        option mode 'ap'
        option key '***'
        option ssid '(VPN 5GHz)'
        option encryption 'psk-mixed'
        option network 'wifi'

config wifi-device 'radio1'
        option type 'mac80211'
        option channel '11'
        option hwmode '11g'
        option path 'soc/soc:pcie-controller/pci0000:00/0000:00:02.0/0000:02:00.0'
        option htmode 'HT20'
        option country 'DE'
        option txpower '20'

config wifi-iface
        option device 'radio1'
        option mode 'ap'
        option macaddr '62:38:e0:d9:2e:f6'
        option ssid '(VPN 2,4GHz)'
        option encryption 'psk-mixed'
        option key '***'
        option network 'wifi'
        option disabled '1'

thanks for your time and patience with me wink

10 (edited by Antek 2017-05-11 12:39:49)

Re: Forward Wifi through OpenVPN Interface

e-horn wrote:

I tried to setup my network at least three times and everytime something doesn't work right. So I thought that I can set up my network piece by piece.

In my imagination I should first start to configure the VPN-Router. (please reply if i am wrong)

The idea of building network piece by piece is correct, but I think you are starting from the wrong end. To build this kind of a network, I would start from the VDSL router, with a single laptop connected to it over a regular LAN cable.

The VDSL router's WAN settings come from your ISP. Whatever they are, I do not know.

The VDSL router's LAN settings are static IP 192.168.1.1 with Netmask 255.255.255.0. DHCP server is enabled on the LAN side and address range is from 192.168.1.10 to 192.168.1.20 for a maximum of 10 clients. I do not know how to configure a Telekom router, so you're on your own to get these settings rights.

Now test that you can reach the Internet from the laptop that is connected to a LAN port on the VDSL router. If you can't reach the Internet at this point, go back to start and check your settings.

----

Now we move on to the OpenWRT side. Connect the laptop to the OpenWRT router's LAN port. Ensure you can access LuCI on the OpenWRT from your laptop. Set the administrative password if not set yet, then disable the OpenVPN service in System -> Startup for now. First we need to get the general network working, then we build the VPN tunnel and other fancies on top of it.

DISCLAIMER:
The configuration files below are my own making and have not been tested in your specific situation. They may work, but they may also brick your device completely, making it inaccessible. Check and double-check the files carefully and before you save them, ensure you have some means of restoring the previous configuration if things go south. I will not take responsibility, nor will I compensate for any damages caused. You have thus been warned.

The baseline of these configurations comes from the files you posted earlier. I have removed everything that I thought unnecessary. Note that all # comments written into the files will be removed if you use LuCI or the 'uci' command-line client to alter settings. Keep this in mind later on.

/etc/config/network:

config interface 'loopback'
        option ifname          'lo'
        option proto           'static'
        option ipaddr          '127.0.0.1'
        option netmask         '255.0.0.0'

config globals 'globals'

config interface 'wan'
        option ifname          'eth0'
        option proto           'dhcp'  # We get the WAN IP from the VDSL Router - this may change later on
        option defaultroute    '1'     # This will create a default route for all traffic not intended to local LAN or WLAN clients

config interface 'lan'
        option ifname          'eth1'
        option proto           'static'
        option ipaddr          '192.168.2.1'
        option netmask         '255.255.255.0'
        option ipv6            '0'       # We don't want IPv6 for now; we keep things simple
        option type            'bridge'  # We will bind to this network directly from the wireless config file

As you can see, the switch option has completely been eradicated from this file.

I do not know if the Linksys device requires the switch configuration section in order for the Ethernet ports to work. If the switch configuration is required, then omitting it will cause the OpenWRT device to become inaccessible through the LAN ports. You should still be able to connect to it through WLAN, so all is not lost.

/etc/config/wireless:

config wifi-device 'radio0'
        option type       'mac80211'
        option hwmode     '11a'
        option path       'soc/soc:pcie-controller/pci0000:00/0000:00:01.0/0000:01:00.0'
        option htmode     'VHT80'
        option country    'DE'
        option txpower    '20'
        option channel    'auto'

config wifi-iface
        option device     'radio0'
        option mode       'ap'
        option encryption 'psk-mixed'
        option key        '***'          # Change this
        option ssid       'WLAN 5GHz'    # Change this if needed. There's no VPN yet, though
        option network    'lan'          # Adds this interface to the LAN network, creating a two-way bridge (LAN & 5 GHz)

config wifi-device 'radio1'
        option type       'mac80211'
        option channel    '11'
        option hwmode     '11g'
        option path       'soc/soc:pcie-controller/pci0000:00/0000:00:02.0/0000:02:00.0'
        option htmode     'HT20'
        option country    'DE'
        option txpower    '20'
        option disabled   '1'            # Toggle to '0' to enable this radio device

config wifi-iface
        option device     'radio1'
        option mode       'ap'
        option macaddr    '62:38:e0:d9:2e:f6'        
        option encryption 'psk-mixed'    
        option key        '***'          # Change this
        option ssid       'WLAN 2,4GHz'  # Change this if needed
        option network    'lan'          # Adds this interface to the LAN network, creating a three-way bridge (LAN, 5 GHz and 2.4 GHz)
        option disabled   '1'            # Toggle to '0' to enable this AP station on the radio device

As you can see, we are bridging the LAN and the two WLAN networks together, and all the clients will be served by a single DHCP server residing in the OpenWRT router. Devices in the LAN and WLAN networks will be able to connect to each other right away.

/etc/config/dhcp:

config dnsmasq
        option domainneeded      '1'
        option boguspriv         '1'
        option localise_queries  '1'
        option rebind_protection '1'
        option rebind_localhost  '0'
        option local             '/lan/'
        option domain            'lan'
        option expandhosts       '1'
        option readethers        '1'
        option leasefile         '/tmp/dhcp.leases'
        option resolvfile        '/tmp/resolv.conf.auto'
        option localservice      '1'
        option nonwildcard       '0'

config dhcp 'dhcp-lan'
        option interface         'lan'
        option dhcpv6            'disabled'
        option ra                'disabled'
        option ignore            '0'
        option start             '10'
        option limit             '150'
        option leasetime         '12h'

config dhcp 'dhcp-wan'
        option interface         'wan'
        option ignore            '1'

We enable DHCPv4 server on the LAN interface and disable it on the WAN.

/etc/config/firewall:

config defaults
        option syn_flood   '1'
        option input       'REJECT'   # By default, all traffic in all zones is rejected so as to protect your networks
        option output      'REJECT'
        option forward     'REJECT'

config zone
        option name      'zone-lan'
        option network   'lan'
        option input     'ACCEPT'   # Traffic coming to this router from interfaces in this zone is allowed
        option output    'ACCEPT'   # Traffic going from this router through interfaces in this zone is allowed
        option forward   'ACCEPT'   # Traffic forwarded between interfaces in this zone is allowed
        option family    'ipv4'

config zone
        option name      'zone-wan'
        option network   'wan'
        option output    'ACCEPT'   # Masqueraded traffic will generate new packets, so we need to allow this
        option masq      '1'        # This option, together with forwarding configs below, will create the necessary rules for return traffic to work
        option mtu_fix   '1'
        option family    'ipv4'
    
# We need to allow incoming DHCPv4 renew, since the WAN interface is using DHCP
# Otherwise it will not get a new IP when the lease-time expires
config rule
        option name      'Allow-DHCPv4-Renew'
        option src       'wan'
        option proto     'udp'
        option dest_port '68'
        option target    'ACCEPT'
        option family    'ipv4'

# Remove this section if you do not want to allow pinging the router from WAN
config rule
        option name      'Allow-Ping'
        option src       'wan'
        option proto     'icmp'
        option icmp_type 'echo-request'        
        option target    'ACCEPT'
        option family    'ipv4'

# Remove this section if you do not want to allow IGMP traffic to the router from WAN
config rule
        option name      'Allow-IGMP'
        option src       'wan'
        option proto     'igmp'
        option family    'ipv4'
        option target    'ACCEPT'

config include
        option path '/etc/firewall.user'

# Allow LAN & WLAN traffic to forward to WAN (and to Internet). 
# Return traffic works automatically due to masquerading
config forwarding
        option src    'lan'
        option dest   'wan'
        option family 'ipv4'

This configuration should work, assuming I have not made mistakes or typos in the files. Check it and double-check it nevertheless. It can also give you some ideas on how OpenWRT works internally.

After making these changes, plug the WAN port of the OpenWRT router to a LAN port on the VDSL Router, restart the OpenWRT router and ensure your laptop can connect to Internet from the LAN and WLAN sides of the OpenWRT router.

Then we can carry with the remainder of the tasks.

---

e-horn wrote:

@Antek you wrote that "the 'bridge' option for LAN and WLAN seems odd." What did you mean?
I configure the router via LUCI and there are no bridge-mode active?!

You also said "The route configuration for WAN doesn't make sense to me since there are interface configurations using DHCP and DHCPv6"
Can you explain me what you mean here?

The bridge option seemed odd because your earlier configuration did not add any other physical interfaces to the "LAN" UCI interface in /etc/config/network or in /etc/config/wireless. Perhaps this was a remnant from an older configuration?

The old 'wifi' interface in /etc/config/network was the target of both 'wifi-iface' interfaces from the old /etc/config/wireless, so the bridge option made sense there. You basically bridged the two WLANs together.

As for the old route configurations...

config route
        option interface 'wan'
        option target '192.168.1.8'
        option gateway '192.168.1.2'

The old WAN interface was using DHCP and DHCPv6 clients (although who was serving it, I don't know).
In your picture, there are no devices with '192.168.1.8' address, nor are there any 'host' entries in the old DHCP config with this address. I didn't know what this route was supposed to do, so it seemed odd.

config route
        option interface 'lan'
        option target '192.168.0.1'
        option gateway '192.168.0.9'

The picture doesn't show who the address 192.168.0.1 belongs to, perhaps there is a typo and it should be 192.168.1.1 so as to refer to the old 'Server' computer? Anyhow, it doesn't seem to make sense.

Re: Forward Wifi through OpenVPN Interface

Hello Antek, ive cleaned up all older configurations for my VPN-Connection and tested your configuration. But something doesn't work sad
With the router itself I can connect to the Internet so there have to be something wrong with the forwarding maybe...
When I traceroute google from my pc after geting the correct IP-adress and gateway he said that he can't reach the target-protocol?!

12 (edited by Antek 2017-05-16 06:39:23)

Re: Forward Wifi through OpenVPN Interface

e-horn wrote:

With the router itself I can connect to the Internet so there have to be something wrong with the forwarding maybe...
When I traceroute google from my pc after geting the correct IP-adress and gateway he said that he can't reach the target-protocol?!

Here's a short checklist:

1) Ensure ping and possibly traceroute work from the VDSL router's configuration interface, if it has these tools
2) Ensure ping and traceroute work from your PC connected to a LAN port of the VDSL router
3) Ensure ping and traceroute work from the OpenWRT router's LuCI interface
4) Ensure ping and traceroute work from your PC connected to a LAN port of the OpenWRT router
5) Ensure ping and traceroute work from your PC connected over WLAN to the OpenWRT router

Just run 'ping www.google.fi' and 'traceroute www.google.fi' in each case. Where does it stop working?

Re: Forward Wifi through OpenVPN Interface

The ping from VPN-Router works. The traceroute from my PC connected to Lan-port of the vpn-router stops at the vpn-router with error message written above

Re: Forward Wifi through OpenVPN Interface

e-horn wrote:

The ping from VPN-Router works. The traceroute from my PC connected to Lan-port of the vpn-router stops at the vpn-router with error message written above

Can you write the full error message here? It can be in the original language, you don't need to translate it.

If you connect your PC to the OpenWRT router over WLAN, what happens then? Does the same problem occur?

Re: Forward Wifi through OpenVPN Interface

I will post a screenshot of the error later. If I connect my tablet via wlan then the there appears the message that I should login to wlan?! (tablet is connected and got the right ip,subnet,gateway). Internet access doesn't work

Re: Forward Wifi through OpenVPN Interface

e-horn wrote:

If I connect my tablet via wlan then the there appears the message that I should login to wlan?! (tablet is connected and got the right ip,subnet,gateway). Internet access doesn't work

Since we did not configure anything like this into the OpenWRT, then there are two possible explanations: either you are connecting to the wrong WLAN, or your VDSL-router (or Internet service provider) is generating the login page and requesting for login credentials.

If it is the latter case, then I am not surprised that your traceroute or ping attempts from the PC did not work: the ISP is blocking your traffic because you have not logged in yet.

You should really consult your ISP for details on the Internet connection.

17 (edited by e-horn 2017-05-17 20:36:41)

Re: Forward Wifi through OpenVPN Interface

Hello, now I tested your configuration with an fresh open-wrt (reset router) and than add your config files.
The same result sad
Here are the screenshot:
h**p://imagizer.imageshack.com/img924/8882/qbdHHM.png
[traceroute from my PC with correct IP, Gateway, Subnet]

I'm not sure what you mean with consulting my ISP, I dont understand what he have to do with this. Internet-Access works, but configuration doesn't.
On my tablet (android) there appears the message that I should login to network (like it does when you want to access an hotspot and you have to enter a password for internet-access...)

Re: Forward Wifi through OpenVPN Interface

e-horn wrote:

Hello, now I tested your configuration with an fresh open-wrt (reset router) and than add your config files.
The same result sad
Here are the screenshot:
h**p://imagizer.imageshack.com/img924/8882/qbdHHM.png
[traceroute from my PC with correct IP, Gateway, Subnet]

Something really strange is going on here.

In my configuration files, the OpenWRT router's address in the local network should be 192.168.2.1, and the DHCP server should be enabled. Client addresses should be between 192.168.2.10 and 192.168.2.160. In your screenshot, the first hop goes to 192.168.0.9, which is completely bizarre.

Are you sure your PC is configured correctly so it gets the IP address and gateway via DHCP from the OpenWRT router? What does the command 'ipconfig /all' show on the PC?

I'm not sure what you mean with consulting my ISP, I dont understand what he have to do with this. Internet-Access works, but configuration doesn't.
On my tablet (android) there appears the message that I should login to network (like it does when you want to access an hotspot and you have to enter a password for internet-access...)

Sorry, this was my mistake. I understood your message incorrectly, and thought that when you open a browser on the tablet, then you see a login page. What you probably meant was the small Wi-fi icon with a question mark over it. That just signals a connectivity error.

19 (edited by Antek 2017-05-19 15:17:12)

Re: Forward Wifi through OpenVPN Interface

One thing which I didn't consider at first is the switch device on your router. According to the initial configuration you showed, there was a switch device on the router. The configuration that I posted omits the switch settings completely.

This may lead to a situation where the switch device is left to an unconfigured or uninitialized state, and causes misbehavior in your network.

To show the configuration of the switch, use SSH to connect to the router, and issue the following command:

swconfig list

This will show you available switch devices on the router, which have been identified by the kernel. If there is just one switch device, you can use

swconfig dev <device name> show

to display the status information from the switch.

With the help of your laptop, you can plug an Ethernet cable to each of the LAN and the WAN ports in sequence, issuing the above 'show' command between each connection to see what the physical port layout looks like. When you plug in a cable that is connected to a laptop, the corresponding port should show a "Link up" status in the output of the 'show' command.

Note that usually one port of the switch is always in "Link up" state, even when no cables were connected. This port is the CPU-facing port.

Looking back at the situation, I really should've thought about this before.. Silly me..  I made the assumption that the LAN and WAN interfaces are separate at the hardware level, but this may not be the case at all smile

To understand why this might be a problem, look at this diagram: https://wiki.openwrt.org/doc/uci/network/switch