
Topic: Create Multiple WiFi Interface with OpenVPN Problem


I configured my router to work with OpenVPN. Currently, all of my clients (LAN, WiFi) are forwarded through OpenVPN. I'm looking for a way to create another WiFi network that would not be forwarded through OpenVPN while the OpenVPN WiFi keeps running. In a word, there would be two WiFi networks:

* One will act as the OpenVPN client WiFi
* The other will act as a WiFi without OpenVPN.

I tried to create another WiFi interface and firewall rules for it, but the problem is that it has no internet connection. Meanwhile, the OpenVPN one is working OK. Here is my network configuration:

# /etc/config/network (UCI), as pasted by the original poster.
config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd9d:4e67:19e1::/48'

# Wired LAN plus the 'Encrypted' SSID (the wifi-iface below attaches to network 'lan').
config interface 'lan'
        option ifname 'eth1'
        option force_link '1'
        option type 'bridge'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.2.1'
        # 8.8.8.8 is listed twice; the wan and noneyc interfaces use '8.8.8.8 8.8.4.4',
        # presumably the same pair was intended here.
        option dns '8.8.8.8 8.8.8.8'
        option delegate '0'

config interface 'wan'
        option ifname 'eth0'
        option proto 'dhcp'
        option clientid '1'
        # peerdns '0': ISP-supplied resolvers are ignored in favour of the static dns list below.
        option peerdns '0'
        option dns '8.8.8.8 8.8.4.4'

config interface 'wan6'
        option ifname 'eth0'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 3 4'

config interface 'encryption'
        #VPN Interface
        # proto 'none': netifd assigns no address here; tun0 and its address are
        # managed by the OpenVPN client process itself.
        option proto 'none'
        option ifname 'tun0'
        option delegate '0'

config interface 'noneyc'
       #Non VPN Interface
        # NOTE(review): the '_orig_*' keys look like LuCI bookkeeping left over from
        # editing the interface; netifd does not appear to use them. This interface has
        # no 'ifname' of its own — its only device is the wifi-iface that sets
        # network 'noneyc' in the wireless config.
        option _orig_ifname 'radio0.network2'
        option _orig_bridge 'false'
        option proto 'static'
        option ipaddr '192.168.10.1'
        option netmask '255.255.255.0'
        option dns '8.8.8.8 8.8.4.4'
        option delegate '0'

and here is the firewall configuration:

# /etc/config/firewall (UCI), as pasted by the original poster.
config defaults
    option syn_flood '1'
    option input 'ACCEPT'
    option output 'ACCEPT'
    # forward 'REJECT': traffic between zones is dropped unless a 'config forwarding'
    # section below explicitly allows that src -> dest pair.
    option forward 'REJECT'

config zone
    option name 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    option network 'lan'

config zone
    option name 'wan'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'
    option network 'wan wan6'

config rule
    option name 'Allow-DHCP-Renew'
    option src 'wan'
    option proto 'udp'
    option dest_port '68'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-IGMP'
    option src 'wan'
    option proto 'igmp'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-DHCPv6'
    option src 'wan'
    option proto 'udp'
    option src_ip 'fe80::/10'
    option src_port '547'
    option dest_ip 'fe80::/10'
    option dest_port '546'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-MLD'
    option src 'wan'
    option proto 'icmp'
    option src_ip 'fe80::/10'
    list icmp_type '130/0'
    list icmp_type '131/0'
    list icmp_type '132/0'
    list icmp_type '143/0'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Input'
    option src 'wan'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    list icmp_type 'router-solicitation'
    list icmp_type 'neighbour-solicitation'
    list icmp_type 'router-advertisement'
    list icmp_type 'neighbour-advertisement'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Forward'
    option src 'wan'
    option dest '*'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config include
    option path '/etc/firewall.user'

# The next two rules let ESP and UDP/500 (IKE) from the internet be forwarded into
# the lan zone. Neither carries a 'dest_ip', so every lan host is reachable on
# those protocols; if only one host needs it, restricting with 'dest_ip' narrows
# the exposure.
config rule
    option src 'wan'
    option dest 'lan'
    option proto 'esp'
    option target 'ACCEPT'

config rule
    option src 'wan'
    option dest 'lan'
    option dest_port '500'
    option proto 'udp'
    option target 'ACCEPT'

# UPnP include: lets LAN hosts request inbound port mappings from the router.
config include 'miniupnpd'
    option type 'script'
    option path '/usr/share/miniupnpd/firewall.include'
    option family 'any'
    option reload '1'

# Zone for tun0 (the OpenVPN tunnel).
# NOTE(review): input 'ACCEPT' here means anything reachable over the tunnel can
# talk to the router's own services (web UI, SSH, DNS); for a tunnel to a remote
# VPN provider the wan-style 'REJECT' plus explicit allow rules would be the
# safer default.
config zone
    option name 'encryption'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    option masq '1'
    option mtu_fix '1'
    option network 'encryption'

# Zone for the 'Non Encrypted' SSID. No forwarding from noneyc to lan exists, so
# the default forward 'REJECT' keeps these clients away from the LAN hosts;
# input 'ACCEPT' still lets them reach the router's own services.
config zone
    option name 'noneyc'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option network 'noneyc'
    option forward 'ACCEPT'

config forwarding
    option dest 'encryption'
    option src 'lan'

config forwarding
    option dest 'wan'
    option src 'lan'

# NOTE(review): the only forwarding for noneyc is towards wan. If the OpenVPN
# client has replaced the default route with tun0 (see the 'redirect-gateway'
# discussion in this thread), noneyc traffic is routed into the 'encryption' zone,
# where no noneyc -> encryption forwarding permits it — which would match the
# "no internet" symptom. Confirm with 'ip route' while the tunnel is up.
config forwarding
        option dest 'wan'
        option src 'noneyc'

Here is the wireless configuration:

# /etc/config/wireless (UCI), as pasted by the original poster.
config wifi-device 'radio0'
    option type 'mac80211'
    option hwmode '11g'
    option path 'platform/ar934x_wmac'
    option country 'BD'
    option htmode 'HT40'
    option txpower '20'
    option channel '6'

# SSID attached to network 'lan', so its clients follow the lan zone rules
# (and the lan -> encryption forwarding).
config wifi-iface
    option device 'radio0'
    option network 'lan'
    option mode 'ap'
    option ssid 'Encrypted'
    option encryption 'psk2+ccmp'
    # 'ItsPassword' is presumably a placeholder for the post; the real key should
    # not be the same on both SSIDs, since knowing the non-VPN key would then
    # also open the VPN-routed network.
    option key 'ItsPassword'

# SSID attached to network 'noneyc'. Despite the name, this AP is still WPA2-CCMP
# protected — 'Non Encrypted' refers to the VPN, not to the WiFi link.
config wifi-iface
    option device 'radio0'
    option mode 'ap'
    option ssid 'Non Encrypted'
    option network 'noneyc'
    option encryption 'psk2+ccmp'
    option key 'ItsPassword'

How can I fix that issue?

(Last edited by lostphoenix on 14 May 2017, 20:11)

Correct me if I am wrong, but it seems your configuration should already allow clients connecting either through LAN or through WLAN with the "Encrypted" SSID to communicate with the Internet simply by not having an OpenVPN client program active?

If I read your configuration rules correctly, traffic is forwarded from the LAN zone both to the 'Encrypted' zone where the OpenVPN server sits and to the 'WAN' zone which connects outside. The latter route should get picked up by all clients in your network who are not using an OpenVPN client program.

Regardless of above, your OpenVPN configuration on the router, and your DHCP & dnsmasq config may also play a part in your scenario. Perhaps their content can provide clues on why things are not working the way you intended?

(Last edited by Antek on 15 May 2017, 10:59)

Antek wrote:

Correct me if I am wrong, but it seems your configuration should already allow clients connecting either through LAN or through WLAN with the "Encrypted" SSID to communicate with the Internet simply by not having an OpenVPN client program active?

Yeah, I created rules to start OpenVPN at startup in /etc/rc/local.
So it means that if the VPN server is down for any reason, the LAN will use the WAN directly, but if the VPN server is up, the LAN will use the VPN server through the WAN. Here "LAN" means the Encrypted WiFi interface along with the wired LAN.

Antek wrote:

If read your configuration rules correctly, traffic is forwarded from the LAN zone to both the 'Encrypted' zone where the OpenVPN server sits, and to the 'WAN' zone which connects outside. The latter route should get picked up by all clients who are not using an OpenVPN client program in your network.

With that, both the LAN and the Encrypted zone go to the WAN (the Encrypted zone being the VPN zone).

My question is: is there any way to create two interfaces in this situation, one with the VPN and another as just a general WiFi?

lostphoenix wrote:

Yeah, I created rules to start openvpn in startup in /etc/rc/local
So it means if VPN server off anyhow it LAN will use WAN directly, but if VPN Server up LAN will use VPN Server throught WAN. Here LAN mean Enceypted (Wifi interface) along with LAN.

Based on what you have said so far, I presume that you have an OpenVPN client running on your router device that creates a VPN tunnel to a remote site, and this remote site's OpenVPN server is sending back a 'push redirect-gateway' command, which causes your local OpenVPN client to re-write the default gateway settings on your router, and instead re-direct all outgoing traffic through the VPN tunnel. See OpenVPN MAN page https://openvpn.net/index.php/open-sour … npage.html and search for "redirect-gateway" to find the details.

If this is the case, then you might want to look first at this OpenVPN instruction page on how to ignore this setting: https://community.openvpn.net/openvpn/w … ectGateway

After ignoring the setting you'd need to remove the forwarding rules in your OpenWRT config, and replace them with explicit routing rules that direct all outgoing traffic arriving from the LAN and "Encrypted" SSID WLAN to the VPN tunnel, while all outgoing traffic arriving from the new "Unencrypted" SSID WLAN you're about to create should be routed to the WAN.

Last but not least, you need to add routing and filtering rules to the WAN interface so traffic can come back, too.

Sounds like a complicated setup, but with lots of manual-reading and careful planning, it can be pulled off smile

Antek wrote:

Based on what you have said so far, I presume that you have an OpenVPN client running on your router device that creates a VPN tunnel to a remote site, and this remote site's OpenVPN server is sending back a 'push redirect-gateway' command, which causes your local OpenVPN client to re-write the default gateway settings on your router, and instead re-direct all outgoing traffic through the VPN tunnel.

If I disable push redirect-gateway on the server side, the VPN seems to run OK on my router, but the "Encrypted" interface has no packets in or out. In other words, the router didn't get the OpenVPN server IP.

lostphoenix wrote:

If I disable push redirect-gateway from server side, it seems VPN runs ok in my router but "Encrypted" interface has no packet in or out, In word router didn't get OpenVPN Server IP.

Looking at your configuration, the OpenVPN client is apparently sitting in the "Encryption" zone. There are no firewall rules allowing traffic to pass from this zone towards WAN, or towards any other zone for that matter. There is a forwarding rule which allows traffic from "LAN + Encrypted SSID" to pass to the "Encryption" zone. I am somewhat unsure if your OpenVPN client can even reach the OpenVPN target server. If it can, then there must be something, somewhere, which puts the OpenVPN client into a suitable zone for this purpose, or a configuration tidbit which is too permissive so traffic works even when it shouldn't.

When I read through the UCI documentation regarding firewalls (https://wiki.openwrt.org/doc/uci/firewa … orwardings), there was some ambiguity on what the "FORWARD" accept option in the zone configuration does. Earlier in the documentation it says this option allows forwarding traffic between interfaces assigned to this zone, but later on in the same doc, there is an example which says that this option enables traffic to be forwarded between zones.

If the latter is true, then your firewall config is way too permissive for the intention you are trying to achieve. If the latter is not true, then the OpenVPN client should not be able to initiate communication with the OpenVPN server at all. In your first post, you stated that a connection was already being established, so perhaps the 'push redirect-gateway' command from the OpenVPN server was doing much more than anticipated?

This may be off topic, but maybe I can get some insight on this?
My buddy went into their firewall, and in the GENERAL SETTINGS tab he unchecked (disabled) SYN flood and drop invalid packets,
then set INPUT, OUTPUT and FORWARD all to accept.

Then below that, in the firewall zones,
he set all of them (input, output, forward) to accept, with only masquerading enabled and MSS clamping unchecked.
What it looks like can be seen here -> imgur.com/a/cMboQ
Did he disable the firewall? Or what exactly did he do by setting everything to accept? (FYI: packets were being dropped every few minutes even when doing something simple like pinging Google, so we thought it might be a firewall thing; we set everything to accept and he hasn't had packets dropped since.)

The default settings were: SYN flood and drop invalid packets checked,
input=accept, output=accept, forward=reject
WAN= input=reject, output=accept, forward=reject

(Last edited by meneedlowping on 24 Jun 2017, 15:59)
