
I am trying to use my OpenWrt router to connect to my home network. I can connect to the VPN server, but I need to forward or bridge the VPN so that everything that comes through the router, either through the wired switch or the Wi-Fi, is then routed through the VPN. More simply: clients ---> router (VPN client) ---> VPN server.

It doesn't matter if I can access resources on my home network with it, just that it's tunneled through my home network so I appear to be using my home IP address. I'm also unsure whether to use tap or tun. Any help would be appreciated.

By the way, I'm using all command line because I have a 4 MB flash router, so I had to build a custom image without the GUI so I could fit OpenVPN.

I have some firewall rules set up to try and forward the traffic, but I think what I need is probably a bridge, since I'm using tap currently. I also have redirect-gateway def1 in my OpenVPN config file. I guess what I am asking is how to create a bridge for my purposes. My current /etc/config/firewall file contains these lines which pertain to the VPN:

config zone
option name 'VPN_client1'
option masq '1'
option input 'ACCEPT'
option forward 'REJECT'
option output 'ACCEPT'
list network 'VPN_client1'

config forwarding
option dest 'lan'
option src 'VPN_client1'

config forwarding
option dest 'VPN_client1'
option src 'lan'

From the computer hooked up to the router, it can ping the router and that's it. By the way, this question was kicked off Server Fault, so I'm posting it here.

By the way, my OpenVPN server is running on DD-WRT on my home router using tun.

  • Do you want to redirect internet access through your VPN connection? Is there any specific reason for turning on MASQUERADE on your VPN connection?
    – Daniel B
    Commented Oct 16, 2014 at 5:25
  • I was just following a tutorial; to be honest, I'm not quite sure what MASQUERADE does. Yes, I want to redirect internet access to use the VPN instead of the WAN connection.
    – bob riley
    Commented Oct 16, 2014 at 16:26
  • @DanielB I'm also still very confused as to what interface to use, tun or tap.
    – bob riley
    Commented Oct 16, 2014 at 19:06
  • I’ll try to write a proper answer this weekend. I’m rather wasted right now, sorry. :)
    – Daniel B
    Commented Oct 16, 2014 at 19:09
  • lol, you can try now; I don't care if it's a little jumbled, haha, I'm very impatient. I have just tried so many different methods and none have worked.
    – bob riley
    Commented Oct 16, 2014 at 19:29

1 Answer


So, from what I understand, you already have an OpenVPN server up and running.

As for tun and tap: Both server and clients need to use the same configuration. If you do not need Ethernet Bridging, use tun, because it introduces less overhead.

First, we’ll update your network configuration to include the VPN interface:

config interface 'vpn'
        option ifname 'tun0'
        option proto 'none'

This is required for integrating the VPN connection into OpenWrt’s network system. Of course, if you’re using tap, you’ll have to change the interface to tap0.

Next, optionally, remove the following lines from /etc/config/firewall:

config forwarding
        option src              lan
        option dest             wan

This ensures that no LAN traffic ever leaves the router over the regular internet uplink. This is not required, of course.

In the same file, add a new zone and configure forwarding:

config zone
        option name             vpn
        list   network          'vpn'
        option input            REJECT
        option output           ACCEPT
        option forward          REJECT
        option masq             1

config forwarding
        option src              lan
        option dest             vpn

Using MASQUERADE and tun makes this configuration easy, because the VPN server does not need to know about the router's clients, and we also do not need bridging, reducing overhead. The forwarding section allows LAN traffic to be routed over your VPN connection.

Up next is your VPN configuration. There are some things to keep in mind.

Since we explicitly specified the interface we expect the VPN connection to use, we’ll have to do the same in your VPN configuration:

dev tun0

It seems you already have it, but for others, again—we need to redirect traffic through the VPN connection. OpenVPN already offers a great option for this:

redirect-gateway def1

This option also ensures that your VPN server can still be reached.

If your OpenVPN configuration contains the following line, remove it:

persist-tun

After making these changes, reboot your router. Remember: If you removed the forwarding section, you won’t be able to access the internet now.

Now, start OpenVPN:

/etc/init.d/openvpn start

If everything works fine now, you can permanently enable OpenVPN:

/etc/init.d/openvpn enable

Do keep in mind though: OpenVPN depends on the date and time being correct to check whether certificates are valid. Your router probably doesn’t have a real time clock, meaning it starts at Jan 1 1970 every time. It then depends on internet NTP servers to get the current date and time. This means that OpenVPN will not connect until this is completed, because your certificates are not valid on Jan 1 1970.
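As an added check (not part of the answer above), the following script parses the UCI firewall sections and the OpenVPN client config described in this answer and confirms, before you reboot, that LAN traffic can only leave through the masqueraded vpn zone (no leftover lan to wan forwarding) and that the OpenVPN config carries dev tun0 and redirect-gateway def1 without persist-tun. The file names and sample contents are constructed for illustration; on the router you would point the functions at /etc/config/firewall and your OpenVPN config file.

```shell
#!/bin/sh
# Added example, not from the answer: check the UCI firewall and OpenVPN configs above
# before rebooting, so LAN traffic can only leave through the masqueraded vpn zone.
# Assumes UCI sections are separated by blank lines, as in the snippets above.

# uci_opt FILE TYPE MATCHKEY MATCHVAL KEY: for every "config TYPE" section whose
# MATCHKEY option equals MATCHVAL, print the value of option KEY (one per line).
uci_opt() {
    awk -v type="$2" -v mk="$3" -v mv="$4" -v key="$5" -v q="'" 'BEGIN { RS = "" }
        $1 == "config" && $2 == type {
            m = ""; v = ""
            for (i = 3; i <= NF; i++) {
                if ($i == mk)  m = $(i + 1)
                if ($i == key) v = $(i + 1)
            }
            gsub(q, "", m); gsub(q, "", v)      # strip UCI single quotes
            if (m == mv) print v
        }' "$1"
}

# fw_forwarding FILE SRC DEST: succeed if a forwarding section SRC -> DEST exists.
fw_forwarding() {
    uci_opt "$1" forwarding src "$2" dest | grep -qx "$3"
}

# fw_check FILE: vpn zone masquerades, lan -> vpn is allowed, lan -> wan is not
# (a leftover lan -> wan forwarding would let LAN traffic bypass the tunnel).
fw_check() {
    [ "$(uci_opt "$1" zone name vpn masq)" = "1" ] &&
        fw_forwarding "$1" lan vpn && ! fw_forwarding "$1" lan wan
}

# ovpn_check FILE: dev tun0 and redirect-gateway def1 present, persist-tun absent.
ovpn_check() {
    grep -Eq '^[[:space:]]*dev[[:space:]]+tun0' "$1" &&
        grep -Eq '^[[:space:]]*redirect-gateway[[:space:]]+def1' "$1" &&
        ! grep -Eq '^[[:space:]]*persist-tun' "$1"
}

# Constructed sample files (hypothetical; on the router use /etc/config/firewall
# and the OpenVPN config file instead).
FW_GOOD=$(mktemp); FW_LEAK=$(mktemp); OVPN_GOOD=$(mktemp); OVPN_BAD=$(mktemp)
printf "config zone\n\toption name vpn\n\tlist network 'vpn'\n\toption forward REJECT\n\toption masq 1\n\nconfig forwarding\n\toption src lan\n\toption dest vpn\n" >"$FW_GOOD"
{ cat "$FW_GOOD"; printf "\nconfig forwarding\n\toption src lan\n\toption dest wan\n"; } >"$FW_LEAK"
printf 'client\ndev tun0\nredirect-gateway def1\n' >"$OVPN_GOOD"
printf 'client\ndev tun0\nredirect-gateway def1\npersist-tun\n' >"$OVPN_BAD"

fw_check "$FW_GOOD" && echo "firewall: ok" || echo "firewall: LAN can bypass the VPN"
ovpn_check "$OVPN_GOOD" && echo "openvpn: ok" || echo "openvpn: fix dev/redirect-gateway/persist-tun"
```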

  • Not sure what's wrong with my OpenWrt router, but it's not working using all the steps provided. I can't ping anything as a client of the router with OpenVPN connected on it. Also, for some reason I can't even get an IP from the router if I have the WAN cable plugged in before I turn it on. Even weirder, if I don't SSH into the router soon after I start it up, I can't SSH into it at all. Also, I can't get OpenVPN to connect unless I restart the firewall on the router first with "/etc/init.d/firewall restart". Really don't understand what the issue is with the router; I already reset all the settings onc
    – bob riley
    Commented Oct 19, 2014 at 5:46
  • Didn't want to double comment, but I ran out of space. My server logs also indicate a soft reset "SIGUSR1[soft connection-reset]" every couple of minutes. So maybe there's a firewall issue with my router? Not sure.
    – bob riley
    Commented Oct 19, 2014 at 5:56
  • Perhaps you made some mistake in creating your custom OpenWrt version. What’s your router’s make and model? I recommend you disable OpenVPN for the moment and get regular WAN to work.
    – Daniel B
    Commented Oct 19, 2014 at 10:12
  • It's a TP-Link WR841N v9.
    – bob riley
    Commented Oct 19, 2014 at 16:00
  • Reflashed the router with firmware that I remade, but it seems like I didn't make too much progress. I can't SSH in at all when the WAN cable is plugged in, for some reason. I can SSH in whenever WAN isn't plugged in, though. I'm also able to connect to my VPN without any issue now, but my computer still cannot ping anything when plugged into the LAN ports. Pinging 10.8.0.1 (VPN gateway) when the router first starts (the only time I can do anything) yields: reply from 10.8.0.3 destination host unreachable, reply from 192.168.1.1 destination net unreachable, destination port unreachable.
    – bob riley
    Commented Oct 22, 2014 at 1:22

