I've been a very happy dd-wrt user over many years and switched to LEDE some time ago since dd-wrt seems to have more or less died. I was very pleasantly surprised what's possible with LEDE / openWRT and have been extending the functionalities of my router ever since (dual-wan in failover configuration, VPN server, DynDNS, guest WLAN, VLANs to separate some of my smart home and media devices from the 'inner' LAN, ...).
This is all running fine and despite some long hours I always managed to get things to work.
A few details about my setup:
Internet <--> LTE Modem/Router <--> LEDE Router <---> LAN
A port forward at the LTE router exposes the openVPN port from the LEDE router
LEDE Router Hardware: Linksys WRT1900ACS
LEDE Version: 17.01.4 r3560-79f57e422d
Now my newest endeavour is using the LEDE router as a VPN client (I'm using NordVPN, but that shouldn't make any difference to my issue). This also works fine - however...
I still want to run my openVPN server which on its own works perfectly; until I connect to NordVPN. Then any connection to the VPN server (e.g. via a mobile without LAN connection) fails as if the firewall prevented access to the VPN server.
My guess is that the routing configuration routes all outbound traffic via the NordVPN tunnel (tun0 in my case) and I should however ensure that the VPN server can respond to the client attempting to connect (via tun1).
I've been playing around with firewall settings and the kernel routing table directly - to no avail so far.
I'm not really a big networking expert so maybe I'm missing something rather trivial... Can someone please give me a hint as to how I need to change my firewall / routing settings to get the VPN server and client to work in parallel?
Does your LTE company allow incoming connections? Many of them block them completely. So the first thing would be to open some trivial port like ssh then test with a port scan site to see if it is really allowed.
Using route-nopull works in the sense that I can establish a connection to NordVPN and my local VPN server remains accessible from the outside. However, then by default all traffic is routed via the standard gateway (i.e. the LTE modem). I tried to at least copy the routing normally pulled for the NordVPN connection, playing around with the routing table. Somehow I must be missing the secret ingredient...
The solution was to introduce policy based routing and use different routing tables for traffic that should go via the NordVPN tunnel and traffic that should not.
I wasn't particularly selective and in a first step let all devices in my LAN access the internet via the VPN. I might change this in the future if I run into any issues for certain devices.
In any case, for each rule to ensure that traffic is routed via the VPN I also added rules for local traffic as well as traffic to clients of my VPN server.
In essence I did the following:
Modify the VPN client config by adding the following configuration:
route-nopull
script-security 2
up /etc/openvpn/nvpn-up.sh
down /etc/openvpn/nvpn-down.sh
Add the following scripts (the up/down paths in the config above point at /etc/openvpn):
nvpn-route.sh
#!/bin/sh
# Called with "add" or "del" as $1 (see nvpn-up.sh / nvpn-down.sh below)
NVPN_TID="nvpn"
NVPN_GW="10.8.8.1"
NVPN_DEV="tun1"
IP_PATH="/etc/openvpn/ip.txt"
OVPN_NET="10.8.0.0/24"
# read ip ranges (CIDR, one per line) from text file
while read ip; do
# add route to NordVPN table
ip rule $1 from $ip table $NVPN_TID
# add local route to allow access in the LAN
# ${ip%.*} strips the last octet/prefix (e.g. 192.168.20.0/24 -> 192.168.20); this is
# POSIX sh and works for any octet width, unlike the bash-only ${ip:0:10} substring
ip rule $1 from $ip to ${ip%.*}.0/24 table main
# add local routes to support inter-zone access
ip rule $1 from $ip to 192.168.10.0/24 table main
ip rule $1 from 192.168.10.0/24 to $ip table main
# add local route for local OpenVPN server
ip rule $1 from $ip to $OVPN_NET table main
done < "$IP_PATH"
# set NordVPN gateway
ip route $1 default via $NVPN_GW dev $NVPN_DEV table $NVPN_TID
# force changes
ip route flush cache
nvpn-up.sh
#!/bin/sh
/etc/openvpn/nvpn-route.sh add
nvpn-down.sh
#!/bin/sh
/etc/openvpn/nvpn-route.sh del
The actual IP ranges are read from a separate text file. I'm using CIDR notation, created with http://ip2cidr.com/.
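A dry-run variant of the policy-based routing setup described in this post, added here as an example and not the original poster's script. It keeps the same table name, gateway, device and subnets (nvpn, 10.8.8.1, tun1, 192.168.10.0/24, 10.8.0.0/24, all taken from the post; the sample CIDR list is constructed), but gives the "stay on the main table" exceptions an explicit lower priority number than the catch-all "via VPN" rule, so evaluation order no longer depends on the order in which the rules were added, skips comments, blank lines and malformed entries in the CIDR file, and prints the commands instead of running them until DRY_RUN=0 is set:

```shell
#!/bin/sh
# Added example (not the thread author's script). Builds the ip rule / ip route
# commands for policy-based routing with explicit rule priorities.
# Values below mirror the post; the range list is constructed for the example.
NVPN_TID="nvpn"
NVPN_GW="10.8.8.1"
NVPN_DEV="tun1"
LAN_NET="192.168.10.0/24"    # "inner" LAN that must stay reachable
OVPN_NET="10.8.0.0/24"       # local OpenVPN server's client subnet

# Rule priorities: lower number = evaluated first. The exceptions that must use
# the main table get a lower number than the catch-all "send via VPN" rule.
PRIO_EXCEPT=1000
PRIO_VPN=2000

# Constructed stand-in for /etc/openvpn/ip.txt: one CIDR per line,
# '#' comments and blank lines allowed.
SAMPLE_RANGES='# devices that should use the VPN
192.168.20.0/24

192.168.30.5/32
'

DRY_RUN="${DRY_RUN:-1}"      # 1 = print commands, 0 = execute them
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$@"; else "$@"; fi
}

# local_net CIDR -> the /24 the address belongs to, using POSIX parameter
# expansion only (no bash-specific ${var:offset:len}).
local_net() {
    addr="${1%%/*}"            # drop the prefix length
    echo "${addr%.*}.0/24"     # replace the last octet with 0
}

# emit_rules add|del : reads CIDRs from stdin and emits one rule set per entry,
# then the default route for the VPN table.
emit_rules() {
    action="$1"
    while IFS= read -r ip; do
        ip="${ip%%#*}"                     # strip trailing comment
        ip="$(echo "$ip" | tr -d ' \t')"   # strip whitespace
        [ -z "$ip" ] && continue
        case "$ip" in
            *.*.*.*/*) ;;                  # minimal CIDR sanity check
            *) echo "skip malformed entry: $ip" >&2; continue ;;
        esac
        net="$(local_net "$ip")"
        # exceptions (main table) first ...
        run ip rule "$action" priority "$PRIO_EXCEPT" from "$ip" to "$net" table main
        run ip rule "$action" priority "$PRIO_EXCEPT" from "$ip" to "$LAN_NET" table main
        run ip rule "$action" priority "$PRIO_EXCEPT" from "$LAN_NET" to "$ip" table main
        run ip rule "$action" priority "$PRIO_EXCEPT" from "$ip" to "$OVPN_NET" table main
        # ... then everything else from this range goes to the VPN table
        run ip rule "$action" priority "$PRIO_VPN" from "$ip" table "$NVPN_TID"
    done
    run ip route "$action" default via "$NVPN_GW" dev "$NVPN_DEV" table "$NVPN_TID"
    [ "$DRY_RUN" = 1 ] || ip route flush cache
}

# Usage (dry run): print what the "add" pass would do for the sample list.
printf '%s' "$SAMPLE_RANGES" | emit_rules add
```

On a router you would feed the real file (`emit_rules add < /etc/openvpn/ip.txt` with `DRY_RUN=0`) from the up script and `emit_rules del` from the down script; `ip rule show` afterwards lists the rules in priority order, which is the quickest way to confirm that the main-table exceptions sit above the catch-all rule.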
Can you share a link to a howto for an OpenVPN NordVPN configuration?
If possible, I would like to run OpenVPN only for wireless connections and have the ethernet traffic untouched. Also I would prefer to have the connection to NordVPN unencrypted and as fast as possible. I only need a DNS in Germany for video streaming.
I'm new to OpenWrt/LEDE and open to any ideas and input.
With the policy based routing approach I have documented in my post above you should be able to define rules for the ethernet based IP addresses in your LAN to bypass the VPN connection (you should use static DHCP leases for that).
I was following those rules already once, with the effect that the router was not responding to anything anymore and I had to reflash the firmware. I will follow them step by step again and try to find out which step causes this. One thing I already noticed is that during the DNS configuration I have a bridge entry in the config file. My EA9500 is attached via its WAN port to one of the switch ports of my provider's cablemodem/router.
I don't get it to work. The EA9500 is behind my ISP's cablemodem router, connected via the ISP's LAN port to the EA9500's WAN port. That configuration is fine and running, up until the moment I switch on the OpenVPN connection. Then the internet connection collapses.
I put my network config file here to illustrate the differences to the NordVPN tutorial. If anybody can help me out with what to do I would be grateful. The difference is in the WAN configuration, as it says bridged and the ifname is different. That also stays after changing the DNS entries as described in the NordVPN tutorial:
Yes, I followed the NordVPN tutorial you linked earlier, even before you posted it (I already knew it). I did the same process several times. The only difference when I compare the config files with how they should be is the WAN area, the 'interface wan' section.
Also the main cablemodem router is set to IPsec and PPTP passthrough. The NordVPN Windows client on a PC connected directly to the cablemodem router also works and has a perfect VPN connection.
Must be a problem in the EA9500 configuration somewhere...
And your question just brought me to another idea. I also tried the NordVPN client on a Windows laptop connected to the EA9500. That works perfectly as well. So the following works:
NordVPN client PC, ethernet -> cablemodem -> VPN server: OK
NordVPN client laptop, wireless -> EA9500 -> cablemodem -> VPN server: OK
NordVPN client laptop, ethernet -> EA9500 -> cablemodem -> VPN server: OK
It has to be a problem in the EA9500 configuration or in the communication between the EA9500 and the cablemodem, limited to the EA9500's OpenVPN adapter.
I am trying to do the same using WireGuard. I have a WireGuard server on a remote VPS and I am able to connect to the WireGuard server from my OpenWrt client.
I also have a WireGuard server on my OpenWrt router.
My goal is to connect to the WireGuard server installed on the OpenWrt router while the router is connected to the WireGuard server on the VPS.
Still unable to perform the connection.
All connections work fine if I do not activate both connections simultaneously. But as soon as I connect my WireGuard client from OpenWrt to the VPS, the OpenWrt server on the router stops receiving connections from the remote client.