Running OpenVPN Client on AP doesn't seem to work

Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Advanced Networking
scope2
DD-WRT User


Joined: 12 Jul 2017
Posts: 83

PostPosted: Thu Jun 20, 2019 19:28    Post subject: Running OpenVPN Client on AP doesn't seem to work
So I've got 3 routers all running dd-wrt: 1 is the main router (connected to the modem), 2 are access points connected to the main router by ethernet.

I'm trying to configure one of the APs to run an OpenVPN client, which seems to work fine: no problems in the log, and the remote IP (showing in the log) seems to be at the remote site. However, when I connect to that AP (either wireless or hardwired) it doesn't seem to use the VPN connection; my IP is my normal WAN IP and any internet traffic seems to run as per normal.

Is the above supposed to work? Can you set up 1 of the APs to run OpenVPN and run any traffic through that router (wifi or ethernet) over VPN?

I have not done any other configuration/tweaks other than setting up the OpenVPN Client config.
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8025

PostPosted: Thu Jun 20, 2019 20:02
What determines whether a given client uses the VPN as its default gateway is what that client is using as its default gateway. And by default, every client is using the primary router, NOT the AP, as its default gateway!

IOW, if you want any given client to use the VPN rather than the primary router as its default gateway, then you have to change that client's default gateway to the LAN ip of the AP. And you can do that either manually on each client, or by reconfiguring DHCP to assign those specific clients to use the LAN ip of the AP as their gateway.

_________________
DD-WRT: DNS Leak Detection w/ VPNs (updated 6/5/19)
NEW SCRIPT!: ddwrt-mount-usb-drives.sh
NEW SCRIPT!: ddwrt-blacklist-domains.sh
NEW SCRIPT!: ddwrt-ovpn-remote-access.sh
NEW SCRIPT!: ddwrt-pptp-policy-based-routing.sh
scope2
DD-WRT User


Joined: 12 Jul 2017
Posts: 83

PostPosted: Thu Jun 20, 2019 20:20
Thanks for your help, that makes sense. But I have tried setting the gateway on my mobile's wifi connection, and it doesn't seem to work. Internet works fine though (only not going over the VPN).

Worth noting that my LAN IP is 192.168.0.3, but the Local Address for the VPN connection is 10.74.x.x.

A follow-up question:

Should I be able to configure the DHCP server on the main router to set the gateway for a particular IP (I can't see such settings)? Or do I need to configure the one on the AP (which is currently disabled)?
scope2
DD-WRT User


Joined: 12 Jul 2017
Posts: 83

PostPosted: Thu Jun 20, 2019 20:30
My trace route suggests the traffic is running through the AP first, then Main:

1 <1 ms * * 192.168.0.3
2 <1 ms <1 ms <1 ms 192.168.0.1
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8025

PostPosted: Thu Jun 20, 2019 20:51
scope2 wrote:
Thanks for your help, that makes sense. But I have tried setting the gateway on my mobile's wifi connection, and it doesn't seem to work. Internet works fine though (only not going over the VPN).

Worth noting that my LAN IP is 192.168.0.3, but the Local Address for the VPN connection is 10.74.x.x.


Go to a shell (telnet/ssh) on the AP and verify that the following returns the VPN's public IP and NOT the ISP's public IP.

Code:
wget -qO - http://ipinfo.io/ip


As long as the AP is using the VPN as its own default gateway, any clients using the AP as their default gateway should likewise use the VPN.

Quote:
Should I be able to configure the DHCP server on the main router to set the gateway for a particular IP (I can't see such settings)? Or do I need to configure the one on the AP (which is currently disabled)?


There are several different ways to deal w/ the situation.

You can reconfigure the DHCP server on the primary router to make exceptions for those clients. In the following example, I've told the DHCP server to change the default gateway to the AP @ 192.168.1.2 for the specified static lease.

Code:
dhcp-option=tag:ap_gateway,3,192.168.1.2
dhcp-host=set:ap_gateway,af:33:f9:6a:dc:56,192.168.1.117,mypc,24h


I believe it will work without having to specify a static lease too, although I haven't actually confirmed it (I use static leases almost exclusively).

Code:
dhcp-option=tag:ap_gateway,3,192.168.1.2
dhcp-host=set:ap_gateway,af:33:f9:6a:dc:56


The above changes need to be added to the Additional DNSMasq Options field on the Services page.

Another option is to move the DHCP server to the AP, but then you're just making similar exceptions for the WAN/ISP. But in some cases, esp. when the large majority of clients will be using the VPN, perhaps that makes more sense.

Finally, you can always use PBR (policy based routing). For example, keep the DHCP server on the primary router, but implement PBR and redirect specific clients over to the AP for internet access. Or if you have the AP support the DHCP server, use the PBR field in the OpenVPN client of the AP to force specific clients over the VPN, while everything else uses the WAN (via the AP).

So there are a lot of ways to approach it. And what makes the most sense depends on several factors, such as whether you even have the option to modify the behavior of the DHCP server on the primary router (many people don't because they're using OEM firmware, but at least in your case, because dd-wrt is essentially everywhere, you have many options).

This is why having the VPN run on the AP is generally discouraged. It makes things more complicated. Place all those clients behind a routed config rather than a bridged config, even if it's a second router, and you eliminate all this complexity.



Last edited by eibgrad on Fri Jun 21, 2019 5:52; edited 3 times in total
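The check eibgrad describes (is the AP itself sending internet traffic through the VPN?) can also be answered from the AP's own routing table, and there is a trap worth knowing: an OpenVPN client pushed `redirect-gateway def1` does not replace the default route, it adds 0.0.0.0/1 and 128.0.0.0/1 via the tunnel, which win over the /0 default by being more specific. So a quick look for "default via" still shows the primary router even while every packet leaves through tun1. The following is an added example written for this thread, not DD-WRT or OpenVPN code: it parses constructed `ip route` output (made-up addresses; 203.0.113.10 stands in for the VPN server) and does the same longest-prefix lookup the kernel does, for a tunnel-up and a tunnel-down table.

```python
"""Longest-prefix route lookup over `ip route` output, to tell which interface
a router would use for an internet destination. Added example for this thread;
not DD-WRT or OpenVPN code. Metrics and policy routing tables are ignored."""
import ipaddress
import re
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    dev: str
    via: Optional[str]          # next hop, None for directly connected routes


# Matches "default via X dev Y ..." and "A.B.C.D[/n] [via X] dev Y ..." lines.
ROUTE_RE = re.compile(
    r"^(?P<dst>default|\d+\.\d+\.\d+\.\d+(?:/\d+)?)"
    r"(?:\s+via\s+(?P<via>\d+\.\d+\.\d+\.\d+))?"
    r"\s+dev\s+(?P<dev>\S+)"
)


def parse_ip_route(output: str) -> List[Route]:
    routes: List[Route] = []
    for line in output.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue                    # blank or unrecognised line (e.g. blackhole)
        dst = "0.0.0.0/0" if m.group("dst") == "default" else m.group("dst")
        routes.append(Route(ipaddress.ip_network(dst, strict=False),
                            m.group("dev"), m.group("via")))
    return routes


def lookup(routes: List[Route], destination: str) -> Optional[Route]:
    """Pick the most specific prefix containing `destination`, as the kernel does."""
    addr = ipaddress.ip_address(destination)
    best: Optional[Route] = None
    for r in routes:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def egress_interface(output: str, destination: str = "1.1.1.1") -> Optional[str]:
    """Interface the router would send traffic for `destination` out of (None if unroutable)."""
    r = lookup(parse_ip_route(output), destination)
    return r.dev if r else None


# Constructed `ip route` output from an AP (LAN 192.168.0.3, primary router
# 192.168.0.1) whose OpenVPN client is up and was pushed redirect-gateway def1.
ROUTES_VPN_UP = """\
0.0.0.0/1 via 10.74.0.1 dev tun1
default via 192.168.0.1 dev br0
10.74.0.0/24 dev tun1 proto kernel scope link src 10.74.0.6
128.0.0.0/1 via 10.74.0.1 dev tun1
192.168.0.0/24 dev br0 proto kernel scope link src 192.168.0.3
203.0.113.10 via 192.168.0.1 dev br0
"""
# The same AP after the tunnel has dropped: only the ISP-facing default is left,
# which is exactly the leak a kill switch on the AP is there to block.
ROUTES_VPN_DOWN = """\
default via 192.168.0.1 dev br0
192.168.0.0/24 dev br0 proto kernel scope link src 192.168.0.3
"""

if __name__ == "__main__":
    for name, table in (("tunnel up", ROUTES_VPN_UP), ("tunnel down", ROUTES_VPN_DOWN)):
        print(f"{name}: 1.1.1.1 leaves via {egress_interface(table)}")
```

On a real box you would feed it the output of `ip route` from the AP's shell; the host route to the VPN server (203.0.113.10 here) correctly stays on br0, which is what keeps the tunnel itself reachable.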
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8025

PostPosted: Thu Jun 20, 2019 20:53
scope2 wrote:
My trace route suggests the traffic is running through the AP first, then Main:

1 <1 ms * * 192.168.0.3
2 <1 ms <1 ms <1 ms 192.168.0.1


If you don't tell me from *where* you're doing the trace (from a shell on the AP itself? from a client on the same network?), it's difficult to comment.

eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8025

PostPosted: Fri Jun 21, 2019 5:54
FYI, I had forgotten that dd-wrt doesn't typically support named dhcp options, so I had to change the following:

Code:
dhcp-option=tag:ap_gateway,option:router,192.168.1.2



to ...


Code:
dhcp-option=tag:ap_gateway,3,192.168.1.2

egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 3523
Location: Netherlands

PostPosted: Fri Jun 21, 2019 8:56
Some points to consider when setting up a VPN client on a WAP (https://wiki.dd-wrt.com/wiki/index.php/Wireless_access_point): be sure to disable DHCP and set the gateway and local DNS to the primary router.

If I remember correctly for a VPN client on a WAP you need a different NAT rule:
Code:
iptables -t nat -I POSTROUTING -o tun1 -j SNAT --to $(nvram get lan_ipaddr)


kill switch when using a VPN client on a WAP:
Code:
iptables -I FORWARD -i br0 -o br0 -j REJECT


Kill switch when using PBR:
Code:
iptables -I FORWARD -i br0 -s 192.168.1.100 -o br0 -j REJECT


If you make an unbridged VAP on a WAP then this is routed via the VPN by default, so there is no need to set a different gateway for that.


At least my DD-WRT version (the big build > 16 MB) supports the dhcp names, so for me this worked in the past:
Code:
dhcp-option=tag:altdnsgw,option:router,192.168.0.2
dhcp-host= 00:18:a2:b5:43:09,set:altdnsgw,192.168.0.92,PC-Download,infinite

_________________
Routers: Netgear R6400v1, Netgear R6400v2, Linksys EA6900 (XvortexCFE), Linksys E2000 (converted WRT320N), WRT54GS v1.
Install guide Linksys EA6900: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=291230
Simple PBR (Policy Based Routing) script: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318662
Install guide R6400v2:http://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
OpenVPN server setup guide:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318795
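Between eibgrad's `dhcp-option=tag:...,3,...` lines and egc's `option:router` variant, the thread relies on dnsmasq's tag mechanism to hand selected clients the AP as their gateway. The following is an added example written for this thread, not DD-WRT or dnsmasq code: it parses a constructed set of `dhcp-host` / `dhcp-option` lines in both spellings seen above and works out which gateway each MAC would be offered, so a config can be sanity-checked before it goes into Additional DNSMasq Options. It models only the subset of dnsmasq semantics used here (tag attachment via `set:`, the router option 3 / `option:router`, tagged options overriding untagged ones), which is an assumption stated in the code.

```python
"""Resolve the default gateway dnsmasq would offer each client under tagged
dhcp-host / dhcp-option lines. Added example for this thread; not DD-WRT or
dnsmasq code. Assumed (modelled) subset of dnsmasq behaviour:
  dhcp-host=...   set:<tag> attaches a tag; MAC, static IP, name and lease may
                  appear in either field order used in the thread.
  dhcp-option=[tag:<tag>,]<3|option:router>,<ip>   router option, limited to
                  clients carrying <tag> when a tag: prefix is present.
  A tagged router option beats an untagged one; a client matched by no router
  option is offered the DHCP server's own address."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$", re.I)
IPV4_RE = re.compile(r"^(25[0-5]|2[0-4]\d|1?\d?\d)(\.(25[0-5]|2[0-4]\d|1?\d?\d)){3}$")
LEASE_RE = re.compile(r"^(\d+[smhd]?|infinite)$")


@dataclass
class Host:
    mac: str
    tags: Set[str] = field(default_factory=set)
    ip: Optional[str] = None
    name: Optional[str] = None


@dataclass
class RouterOption:
    tag: Optional[str]          # None: applies to every client
    gateway: str


def parse_dnsmasq(text: str) -> Tuple[Dict[str, Host], List[RouterOption]]:
    """Collect dhcp-host entries and router dhcp-options; other directives are skipped."""
    hosts: Dict[str, Host] = {}
    router_opts: List[RouterOption] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"line {lineno}: expected key=value, got {line!r}")
        fields = [f.strip() for f in value.split(",")]
        if key == "dhcp-host":
            host = Host(mac="")
            for f in fields:
                if f.startswith("set:"):
                    host.tags.add(f[4:])
                elif MAC_RE.match(f):
                    host.mac = f.lower()
                elif IPV4_RE.match(f):
                    host.ip = f
                elif LEASE_RE.match(f):
                    pass                # lease time does not affect the gateway
                else:
                    host.name = f
            if not host.mac:
                raise ValueError(f"line {lineno}: dhcp-host without a MAC address")
            hosts[host.mac] = host
        elif key == "dhcp-option":
            tag = None
            if fields and fields[0].startswith("tag:"):
                tag, fields = fields[0][4:], fields[1:]
            if len(fields) != 2:
                raise ValueError(f"line {lineno}: malformed dhcp-option")
            opt, val = fields
            if opt not in ("3", "option:router"):
                continue                # only the router option is modelled
            if not IPV4_RE.match(val):
                raise ValueError(f"line {lineno}: bad router address {val!r}")
            router_opts.append(RouterOption(tag, val))
    return hosts, router_opts


def gateway_for(mac: str, hosts: Dict[str, Host],
                router_opts: List[RouterOption], server_ip: str) -> str:
    """Gateway offered to `mac`; `server_ip` is the DHCP server's own LAN address."""
    host = hosts.get(mac.lower())
    tags = host.tags if host else set()
    for opt in router_opts:             # a tagged match wins ...
        if opt.tag is not None and opt.tag in tags:
            return opt.gateway
    for opt in router_opts:             # ... over an untagged option
        if opt.tag is None:
            return opt.gateway
    return server_ip


# Constructed sample: the primary router (192.168.1.1) runs DHCP and the AP with
# the OpenVPN client is 192.168.1.2. Both spellings of the router option from the
# thread appear; the numeric form (3) is the one DD-WRT builds are said to accept.
SAMPLE_CONFIG = """
dhcp-option=tag:ap_gateway,3,192.168.1.2
dhcp-host=set:ap_gateway,af:33:f9:6a:dc:56,192.168.1.117,mypc,24h
dhcp-host=set:ap_gateway,02:00:00:00:00:01
dhcp-option=tag:altdnsgw,option:router,192.168.1.2
dhcp-host= 00:18:a2:b5:43:09,set:altdnsgw,192.168.1.92,PC-Download,infinite
dhcp-host=02:00:00:00:00:02,192.168.1.50,printer
"""
PRIMARY_ROUTER = "192.168.1.1"


def resolve_all(config: str = SAMPLE_CONFIG, server_ip: str = PRIMARY_ROUTER) -> Dict[str, str]:
    hosts, opts = parse_dnsmasq(config)
    return {mac: gateway_for(mac, hosts, opts, server_ip) for mac in hosts}


if __name__ == "__main__":
    for mac, gw in resolve_all().items():
        print(f"{mac} -> gateway {gw}")
```

The untagged `printer` entry shows the default behaviour: with no matching router option it keeps the primary router as its gateway, which is the "everything else uses the WAN" case from the thread, while the tagged hosts (with or without a static lease) are pointed at the AP.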
scope2
DD-WRT User


Joined: 12 Jul 2017
Posts: 83

PostPosted: Fri Jun 21, 2019 9:20
eibgrad wrote:
scope2 wrote:
Thanks for your help, that makes sense. But I have tried setting the gateway on my mobile's wifi connection, and it doesn't seem to work. Internet works fine though (only not going over the VPN).

Worth noting that my LAN IP is 192.168.0.3, but the Local Address for the VPN connection is 10.74.x.x.


Go to a shell (telnet/ssh) on the AP and verify that the following returns the VPN's public IP and NOT the ISP's public IP.

Code:
wget -qO - http://ipinfo.io/ip



Thanks for the detailed response. I will have a look at the DHCP Server side of things when I get a minute.

The command above confirms the AP's IP is the VPN one, and I did manage to get VPN working by changing the Gateway on my Apple TV this morning - so your changes appear to work fine.

I will have a further play to see how best to set things up.

I did attempt to follow a wiki article about setting up a Virtual AP using the VPN; that way I can just connect to "Wifi-NoVPN" if I want WAN access, and "Wifi-VPN" if I want to go over the VPN. That didn't go too well, but I will pick up where I left off and perhaps ask some questions a bit later.

Thanks for the help so far.
scope2
DD-WRT User


Joined: 12 Jul 2017
Posts: 83

PostPosted: Fri Jun 21, 2019 15:47
I have set up an unbridged VAP as suggested by @egc and that seems to work fine.

Quick question.. With an unbridged VAP, is it hard work to get access to the LAN (files on NAS)? Or will I need to set up a bridged VAP and go that route?
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 3523
Location: Netherlands

PostPosted: Fri Jun 21, 2019 16:02
scope2 wrote:
I have set up an unbridged VAP as suggested by @egc and that seems to work fine.

Quick question.. With an unbridged VAP, is it hard work to get access to the LAN (files on NAS)? Or will I need to set up a bridged VAP and go that route?


You now have internet access via your VPN but normally (and to get access to the rest of your network) you have to add the following rule:
Code:
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $(nvram get lan_ipaddr)


As always, first set the rule from the CLI (PuTTY), and if it works then save it under Administration/Commands with Save Firewall.

As the VAP is on a different subnet there is no Windows discovery, but you should be able to get to your NAS by IP address.
