OpenWrt Forum Archive

Topic: Need OpenVPN on router configured as LAN only interface access point

The content of this topic has been archived on 22 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Reference: https://forum.openwrt.org/viewtopic.php?id=68947

I am now trying to set up this same "access point only" configured Buffalo device as an OpenVPN server. The main router on my network is a telco fiber optic modem router which of course cannot run OpenWrt or OpenVPN. On this new "access point only" router, I have copied all the configuration files and firewall rules from the working "routing" router and all the OpenWrt/OpenVPN setup from another Buffalo router that is working in a conventional configuration of WAN routing to LAN. OpenVPN on that conventional "routing" router works well. This "routing" router directly faces the ISP connection via its WAN port, and it routes as normal.

I am now working at a second location, remote from the example I just explained, but with a copy of all the configuration data from the setup that works. At this new location, as I have explained in prior posts, this OpenWrt setup has a LAN only entry in the Interface list and a static IP of 192.168.1.250 with the DHCP server disabled. (It also gained a VPN entry after I added all the needed Optware for OpenVPN.) On my telco modem I have port forwarded 1194 to IP address 192.168.1.250, the IP of the "access point only" functioning router. At this moment I have copied all the VPN configuration files over to this router (LAN interface only) and I would like it to receive the traffic on port 1194 off the local LAN (in the same manner it receives it off the WAN at the other location I copied the configuration from) and offer a connection to that same LAN to remote clients.

It's not working. Can this even be done? (Before I spend any more time on it?)

I guess the first step would be to get the VPN server to listen for port 1194 on the local LAN like it typically does while listening on the WAN. Since there is no WAN interface configured after I deleted it (this is just serving as an access point), how can it listen to the LAN instead?

Maybe I need to bridge the WAN and LAN together? Would that make it work? I wouldn't know how to begin to do this, bridging the two together with them both on a single subnet.

I discovered this write up which takes a much more complicated approach to making a router a dumb access point: https://wiki.openwrt.org/doc/recipes/dumbap

Will it perhaps be a better setup to try to get OpenVPN working? Again, my telco fiber modem router is forwarding packets on 1194 to my OpenWrt router IP address. I want the OpenVPN to interface that to the local LAN, just like if the OpenWRT router was the main one facing the Internet.

On my setup, I didn't follow this procedure but cheated by just disabling everything in the Interfaces table but LAN, disabling the DHCP server and just plugging the LAN cable from the main router into the LAN switch, which coincidentally gave me a quick access point only setup which so far has proven taxing for attempting to use also as an OpenVPN server.

(Last edited by DonJuane on 10 Feb 2018, 17:24)

OK, I finally completed the procedures on this page https://wiki.openwrt.org/doc/recipes/dumbap

Note that even though I followed the "gui" instructions, using the gui did not bridge the WAN port of my Buffalo until I went in via WinSCP and edited /etc/config/network:

config interface 'lan'
    option force_link '1'
    option type 'bridge'
    option proto 'static'
    option netmask '255.255.255.0'
    option ip6assign '60'
    option ipaddr '192.168.3.250'
    option gateway '192.168.3.1'
    option dns '192.168.3.1'
    option _orig_ifname 'eth0.1 eth1 wlan0'
    option _orig_bridge 'true'
    option ifname 'eth0 eth0.1 eth1'       #  <======== perhaps the gui would do this but I couldn't figure out how so I just entered it manually and saved the file, using winSCP.

Also note that I could not ping from the router console without deleting both WAN entries under Interfaces. Once the WAN interfaces were deleted, I could use ping, telnet, etc.

Great news is, I can VPN into the dumb APN (which is also running OpenVPN), but I can only reach known IP addresses, or the DNS doesn't seem to be resolving.

Note that the OpenVPN server config for this device is a mirror image of another similar model Buffalo OpenVPN server that is working. I can now tunnel in to this LAN only access point (with the newly installed OpenVPN server) and I can access IP addresses on the remote tunneled-to subnet with no problems. The issue is that the remote DNS doesn't seem to be working via the tunnel out of the subnet.

Server config/OpenVPN:

config openvpn 'myvpn'
    option enabled '1'
    option verb '3'
    option port '1194'
    option proto 'udp'
    option dev 'tun'
    option server '10.8.0.0 255.255.255.0'
    option ca '/etc/openvpn/ca.crt'
    option cert '/etc/openvpn/server.crt'
    option key '/etc/openvpn/server.key'
    option dh '/etc/openvpn/dh2048.pem'
    option keepalive '10 120'
    option status '/var/log/openvpn-status.log'
    list push 'route 192.168.3.0 255.255.255.0'
    list push 'redirect-gateway def1'
    list push 'dhcp-option DNS 192.168.3.1'

Note here that 192.168.3.1 is the gateway address of the master telco fiber optic router. Note that this same exact profile and setup works on a similar piece of hardware located at another site and works to forward the DNS where this doesn't. The difference between the two is that at the other site, the similar hardware is the master router, whereas the one I am having problems with is OpenVPN installed on OpenWRT configured as a "dumb APN".

(Last edited by DonJuane on 11 Feb 2018, 07:29)

In summary, I can now tunnel into my "access point only - no WAN" router that I have successfully installed OpenVPN on. However, I can only reach the address 192.168.3.250, which is the address of the (non-routing, configured AP only) router itself. I cannot reach my gateway 192.168.3.1 or any other IP address on the subnet the router is attached to on its local remote network. Any ideas?

Telco fiber optic main routing gateway for home:
Gateway/GUI address: 192.168.3.1
Forwards: 1194 -> 192.168.3.250 (dumb/AP router, also running OpenVPN (OpenWRT))

Dumb/AP OpenWRT router config basics:

Optware installed: openvpn-openssl openvpn-easy-rsa

Firewall: Disabled (see Network below, LAN bridged to WAN eth0.1 to eth0)

Network:

config interface 'loopback'
    option ifname 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config globals 'globals'
    option ula_prefix 'fd7e:7c8b:6806::/48'

config interface 'lan'
    option force_link '1'
    option type 'bridge'
    option proto 'static'
    option netmask '255.255.255.0'
    option ip6assign '60'
    option ipaddr '192.168.3.250'
    option gateway '192.168.3.1'
    option dns '192.168.3.1'
    option _orig_ifname 'eth0.1 eth1 wlan0'
    option _orig_bridge 'true'
    option ifname 'eth0.1 eth1 wlan0'

config switch
    option name 'switch0'
    option reset '1'
    option enable_vlan '1'

config switch_vlan
    option device 'switch0'
    option vlan '1'
    option ports '0 1 2 3 5t'

config interface 'vpn0'
    option ifname 'tun0'
    option proto 'none'
    option auto '1'

OpenVPN:

config openvpn 'myvpn'
    option enabled '1'
    option verb '3'
    option port '1194'
    option proto 'udp'
    option dev 'tun'
    option server '10.8.0.0 255.255.255.0'
    option ca '/etc/openvpn/ca.crt'
    option cert '/etc/openvpn/server.crt'
    option key '/etc/openvpn/server.key'
    option dh '/etc/openvpn/dh2048.pem'
    option keepalive '10 120'
    option status '/var/log/openvpn-status.log'
    list push 'route 192.168.3.0 255.255.255.0'
    list push 'redirect-gateway def1'
    list push 'dhcp-option DNS 192.168.3.1'

Client:

client
dev tun
proto udp

remote-cert-tls server
push "redirect-gateway def1"
push "dhcp-option DNS 192.168.3.1"

remote dynamicdns.dynu.net 1194

ca Client_ca.crt
cert client.crt
key client.key

ns-cert-type server

verb 3

Problem: Dumb/AP with OpenVPN running will not propagate to other IP addresses on the subnet; I can only tunnel into the single device on the network (192.168.3.250 alone), not even the gateway (192.168.3.1).

*** Correct option ifname to eth0.1 eth1 wlan0

(Last edited by DonJuane on 11 Feb 2018, 22:11)

OK, I tried something else. I read in a non-OpenWRT area on OpenVPN for Linux that the firewall must be available to route, so I re-enabled the firewall and added the following, which is used in my referenced regular router (home gateway) setup that is working:

****** Other firewall data removed for clarity

config zone
    option name vpn
    option input ACCEPT
    option forward ACCEPT
    option output ACCEPT
    option network vpn0

config forwarding
    option src vpn
    option dest wan

config forwarding
    option src vpn
    option dest lan

config forwarding
    option src lan
    option dest vpn

Adding this changed nothing: the LAN was still bridged to the WAN port and I could still reach the DumbAP non-gateway router running OpenVPN, 192.168.3.250, but could not reach any other IP address on the local subnet, including the main fiber gateway, 192.168.3.1.

I also tried this, adding both VPN0 and TUN0 to my Network configuration:

config interface 'lan'
    option force_link '1'
    option type 'bridge'
    option proto 'static'
    option netmask '255.255.255.0'
    option ip6assign '60'
    option ipaddr '192.168.3.250'
    option gateway '192.168.3.1'
    option dns '192.168.3.1'
    option _orig_ifname 'eth0.1 eth1 wlan0'
    option _orig_bridge 'true'
    option ifname 'eth0 eth0.1 eth1 tun0'

This locked out the VPN tunneling into the OpenVPN router altogether.

(Last edited by DonJuane on 11 Feb 2018, 18:37)
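The unreachable-LAN symptom in this post and the DNS failure reported earlier share one cause: a LAN host (or the telco gateway's resolver) that receives a packet from 10.8.0.x sends its reply to its own default gateway, 192.168.3.1, which has no route back into the tunnel through 192.168.3.250. Forwarding rules alone do not fix that; either every reply path needs a route for 10.8.0.0/24, or the AP masquerades tunnel traffic with `option masq '1'` on the zone it forwards into. The Python below is an added example, not code from the thread or from OpenWrt: it parses UCI text in the format posted here and flags VPN-zone forwardings whose destination zone is missing or does not masquerade. The embedded lan zone is constructed, since the post removed its other firewall sections.

```python
import re

def parse_uci(text):
    """Parse UCI text (the /etc/config/* format in this thread) into
    sections {"type","name","opts"}; 'list' values accumulate."""
    sections, cur = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing '#' notes
        if not line:
            continue
        m = re.match(r"config\s+(\S+)(?:\s+'?([^'\s]*)'?)?$", line)
        if m:
            cur = {"type": m.group(1), "name": m.group(2) or "", "opts": {}}
            sections.append(cur)
            continue
        m = re.match(r"(option|list)\s+(\S+)\s+'?(.*?)'?$", line)
        if m and cur is not None:
            cur["opts"].setdefault(m.group(2), []).append(m.group(3))
    return sections

def vpn_return_path_issues(firewall_text, vpn_zone="vpn"):
    """Flag forwardings from the VPN zone into zones that are missing or do not
    masquerade: a LAN host then answers 10.8.0.x via a gateway with no tunnel route."""
    sections = parse_uci(firewall_text)
    zones = {s["opts"]["name"][0]: s for s in sections
             if s["type"] == "zone" and s["opts"].get("name")}
    issues = []
    for s in sections:
        if s["type"] != "forwarding" or s["opts"].get("src", [""])[0] != vpn_zone:
            continue
        dest = s["opts"].get("dest", [""])[0]
        zone = zones.get(dest)
        if zone is None:
            issues.append(f"{vpn_zone}->{dest}: zone '{dest}' is not defined")
        elif zone["opts"].get("masq", ["0"])[0] != "1":
            issues.append(f"{vpn_zone}->{dest}: zone '{dest}' does not masquerade")
    return issues

# Constructed sample: the post's vpn zone and its vpn->lan forwarding plus a
# minimal lan zone (the post removed its lan zone "for clarity").
FIREWALL_AS_POSTED = """config zone
    option name lan
config zone
    option name vpn
    option network vpn0
config forwarding
    option src vpn
    option dest lan
"""
# With masquerading on lan, tunnel traffic leaves as 192.168.3.250, which every LAN host can answer.
FIREWALL_MASQ = FIREWALL_AS_POSTED.replace("option name lan", "option name lan\n    option masq 1")
```

On a dumb AP whose WAN interfaces were deleted, the post's vpn->wan forwarding points at a zone that no longer exists; the checker reports that case as "not defined".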

After more research, I'm thinking it can't be done, or at least it can't be done with my skills.  While my main gateway, a Huawei HG8245Q2 does provide some deep-technical capabilities to change routing tables, it is beyond my skill set.

The following narrative has a key point: "The vpn server will require firewall rules (redirects) on the openwrt gateway." Since this combo fiber optic modem/router cannot run OpenWRT, this means that routing tables are not easily configured on this device.

Ref: https://wiki.openwrt.org/inbox/howto/vp … pn.gateway

(Last edited by DonJuane on 11 Feb 2018, 18:56)

One step closer. I can now access via the tunnel from a test cell network and ping and browse to both the OpenVPN router 192.168.3.250 and the LAN address of my main gateway 192.168.3.1 (which I could not before).

I did this by adding this static route to the Huawei HG8245:

WAN Name    IP Address    Gateway          Subnet Mask
br0         10.8.0.0      192.168.3.250    255.255.0.0

I still cannot access or ping anything else on my network. Getting into the gateway via the tunnel is a large help, however.

(Last edited by DonJuane on 11 Feb 2018, 20:01)

The discussion might have continued from here.