Running OpenVPN Client on AP doesn't seem to work

scope2
DD-WRT User


Joined: 12 Jul 2017
Posts: 90

Posted: Thu Jun 20, 2019 19:28    Post subject: Running OpenVPN Client on AP doesn't seem to work
So I've got 3 routers all running dd-wrt, 1 is the main router (connected to modem), 2 are access points connected to the main router by ethernet.

I'm trying to configure one of the APs to run an OpenVPN client, which seems to work fine, no problems in the log, remote IP (showing in log) seems to be at the remote site, however when I connect to that AP (either wireless or hardwired) it doesn't seem to use the VPN connection; IP is my normal WAN IP and any internet traffic seems to run as per normal.

Is the above supposed to work? Can you set up 1 of the APs to run OpenVPN and run any traffic through that router (wifi or ethernet) over VPN?

I have not done any other configuration/tweaks than setting up the OpenVPN Client config.
scope2
DD-WRT User


Joined: 12 Jul 2017
Posts: 90

Posted: Thu Jun 20, 2019 20:20    Post subject:
Thanks for your help, that makes sense. But I have tried setting the gateway on my mobile's wifi connection, but it doesn't seem to work. Internet works fine though (only not going over VPN).

Worth noting that my LAN IP is 192.168.0.3, but the Local Address for the VPN connection is: 10.74.x.x

A follow up question:

Should I be able to configure the DHCP server on the main router to set the gateway for a particular IP (I can't see such settings)? Or do I need to configure the one on the AP (which is currently disabled)?
scope2
DD-WRT User


Joined: 12 Jul 2017
Posts: 90

Posted: Thu Jun 20, 2019 20:30    Post subject:
My trace route suggests the traffic is running through the AP first, then Main:

1 <1 ms * * 192.168.0.3
2 <1 ms <1 ms <1 ms 192.168.0.1
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 6161
Location: Netherlands

Posted: Fri Jun 21, 2019 8:56    Post subject:
Some points to consider when setting up a VPN client on a WAP (https://wiki.dd-wrt.com/wiki/index.php/Wireless_access_point): be sure to disable DHCP and set Gateway and local DNS to the primary router.

If I remember correctly for a VPN client on a WAP you need a different NAT rule:
Code:
iptables -t nat -I POSTROUTING   -o tun1 -j SNAT --to $(nvram get lan_ipaddr)


Kill switch when using a VPN client on a WAP:
Code:
iptables -I FORWARD -i br0 -o br0 -j REJECT


Kill switch when using PBR:
Code:
iptables -I FORWARD -i br0 -s 192.168.1.100 -o br0 -j REJECT


If you make an unbridged VAP on a WAP, then this is routed via the VPN by default, so no need to set a different gateway for that.


At least my DDWRT version (the big build > 16 MB) supports the dhcp names so for me this worked in the past:
dhcp-option=tag:altdnsgw,option:router,192.168.0.2
dhcp-host= 00:18:a2:b5:43:09,set:altdnsgw,192.168.0.92,PC-Download,infinite

_________________
Routers:Netgear R7800, R6400v1, R6400v2, Linksys EA8500, EA6900 (XvortexCFE), E2000 (converted WRT320N), WRT54GS v1.
OpenVPN Policy Based Routing guide: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=321686
Install guide R6400v2:http://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
OpenVPN Server Setup:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318795
Install guide R7800: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Wireguard Server setup guide:https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1183135
Wireguard Client setup guide:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324624
Wireguard Advanced setup guide:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324787
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
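
A check for the two WAP rules in the post above, as an added example that is not part of the original thread or of DD-WRT: it audits an `iptables-save` style dump for the SNAT rule on the tunnel and for a br0-to-br0 kill switch. The interface names `tun1`/`br0` and the address 192.168.0.3 come from the thread; the function names and both sample dumps are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an iptables-save style dump for the two WAP rules above.
# tun1, br0 and 192.168.0.3 are taken from the thread; both dumps below are
# constructed samples, not output captured from a real router.

SAMPLE_OK='*nat
-A POSTROUTING -o tun1 -j SNAT --to-source 192.168.0.3
COMMIT
*filter
-A FORWARD -i br0 -o br0 -j REJECT --reject-with icmp-port-unreachable
COMMIT'

SAMPLE_NO_KILLSWITCH='*nat
-A POSTROUTING -o tun1 -j SNAT --to-source 192.168.0.3
COMMIT
*filter
-A FORWARD -i br0 -o tun1 -j ACCEPT
COMMIT'

# has_rule TABLE REGEX: read a dump on stdin, succeed if TABLE holds a match.
has_rule() {
    awk -v want="*$1" -v pat="$2" '
        /^\*/ { tbl = $0; next }          # "*nat" / "*filter" section header
        tbl == want && $0 ~ pat { found = 1 }
        END { exit(found ? 0 : 1) }'
}

# audit_wap_vpn DUMP: 0 = both rules present, 1 = SNAT on tun1 missing,
# 2 = no br0->br0 REJECT/DROP, so LAN clients can still leave via the primary
# router when the tunnel is down. A per-source (PBR) kill switch also matches.
audit_wap_vpn() {
    printf '%s\n' "$1" | has_rule nat '^-A POSTROUTING .*-o tun1 .*-j SNAT' \
        || return 1
    printf '%s\n' "$1" | has_rule filter \
        '^-A FORWARD .*-i br0 .*-o br0 .*-j (REJECT|DROP)' || return 2
    return 0
}

# Demo on the constructed samples.
for name in SAMPLE_OK SAMPLE_NO_KILLSWITCH; do
    eval "dump=\$$name"
    rc=0; audit_wap_vpn "$dump" || rc=$?
    echo "$name: audit_wap_vpn returned $rc"
done
```

On the AP itself the live ruleset can be passed as `audit_wap_vpn "$(iptables-save)"`, assuming the firmware build includes `iptables-save`.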
scope2
DD-WRT User


Joined: 12 Jul 2017
Posts: 90

Posted: Fri Jun 21, 2019 9:20    Post subject:
eibgrad wrote:
scope2 wrote:
Thanks for your help, that makes sense. But I have tried setting the gateway on my mobile's wifi connection, but it doesn't seem to work. Internet works fine though (only not going over VPN).

Worth noting that my LAN IP is 192.168.0.3, but the Local Address for the VPN connection is: 10.74.x.x


Go to a shell (telnet/ssh) on the AP and verify that the following returns the VPN's public IP and NOT the ISP's public IP.

Code:
wget -qO - http://ipinfo.io/ip



Thanks for the detailed response. I will have a look at the DHCP Server side of things when I get a minute.

The command above confirms the AP's IP is the VPN one, and I did manage to get VPN working by changing the Gateway on my Apple TV this morning - so your changes appear to work fine.

I will have a further play to see how best to set things up.

I did attempt to follow a wiki article about setting up a Virtual AP using the VPN - that way I can just connect to "Wifi-NoVPN" if I want WAN access, and "Wifi-VPN" if I want to go over VPN. That didn't go too well, but I will pick up where I left off and perhaps ask some questions a bit later.

Thanks for the help so far.
scope2
DD-WRT User


Joined: 12 Jul 2017
Posts: 90

Posted: Fri Jun 21, 2019 15:47    Post subject:
I have set up an unbridged VAP as suggested by @egc and that seems to work fine.

Quick question.. With an unbridged VAP, is it hard work to get access to the LAN (files on NAS)? Or will I need to set up a bridged VAP and go that route?
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 6161
Location: Netherlands

Posted: Fri Jun 21, 2019 16:02    Post subject:
scope2 wrote:
I have set up an unbridged VAP as suggested by @egc and that seems to work fine.

Quick question.. With an unbridged VAP, is it hard work to get access to the LAN (files on NAS)? Or will I need to set up a bridged VAP and go that route?


You now have internet access via your VPN but normally (and to get access to the rest of your network) you have to add the following rule:
Code:
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $(nvram get lan_ipaddr)


As always, first set the rule from the CLI (putty) and if it works then Administration/Commands Save Firewall.

As the VAP is on a different subnet there is no Windows discovery, but you should be able to get to your NAS by IP address.
