How to configure OpenWrt OpenVPN bridge

Tags: openvpn, openwrt, vpn

I am trying to use my OpenWrt router to connect to my home network. I can connect to the VPN server, but I need to forward or bridge the VPN so that everything that comes through the router, either through the wired switch or the Wi-Fi, is then routed through the VPN.
More simply: clients -> router (VPN client) -> VPN server.

It doesn't matter if I can access resources on my home network with it, just that it's tunneled through my home network so I appear to be using my home IP address. I'm also unsure whether to use tap or tun. Any help would be appreciated.

By the way, I'm using the command line for everything because I have a 4 MB flash router, so I had to build a custom image without the GUI so I could fit OpenVPN.

I have some firewall rules set up to try and forward the traffic, but I think what I need is probably a bridge, since I'm using tap currently. I also have redirect-gateway def1 in my OpenVPN config file. I guess what I am asking is how to create a bridge for my purposes.
My current /etc/config/firewall file contains these lines, which pertain to the VPN:

config zone
        option name 'VPN_client1'
        option masq '1'
        option input 'ACCEPT'
        option forward 'REJECT'
        option output 'ACCEPT'
        list network 'VPN_client1'

config forwarding
        option dest 'lan'
        option src 'VPN_client1'

config forwarding
        option dest 'VPN_client1'
        option src 'lan'

From the computer hooked up to the router, I can ping the router and that's it.
BTW, this question was kicked off Server Fault, so I'm posting it here.

BTW, my OpenVPN server is running on DD-WRT on my home router using tun.

Best Answer

So, from what I understand, you already have an OpenVPN server up and running.

As for tun and tap: both server and clients need to use the same configuration. If you do not need Ethernet bridging, use tun, because it introduces less overhead.

First, we’ll update your network configuration to include the VPN interface:

config interface 'vpn'
        option ifname 'tun0'
        option proto 'none'

This is required for integrating the VPN connection into OpenWrt’s network system. Of course, if you’re using tap, you’ll have to change the interface to tap0.

Next, optionally, remove the following lines from /etc/config/firewall:

config forwarding
        option src              lan
        option dest             wan

This ensures that no LAN traffic ever leaves the router over the regular internet uplink. This is not required, of course.

In the same file, add a new zone and configure forwarding:

config zone
        option name             vpn
        list   network          'vpn'
        option input            REJECT
        option output           ACCEPT
        option forward          REJECT
        option masq             1

config forwarding
        option src              lan
        option dest             vpn

Using MASQUERADE and tun makes this configuration easy, because the VPN server does not need to know about the router's clients, and we also do not need bridging, reducing overhead. The forwarding section allows LAN traffic to be routed over your VPN connection.

Up next is your VPN configuration. There are some things to keep in mind.

Since we explicitly specified the interface we expect the VPN connection to use, we’ll have to do the same in your VPN configuration:

dev tun0

It seems you already have it, but for others, again: we need to redirect traffic through the VPN connection. OpenVPN already offers a great option for this:

redirect-gateway def1

This option also ensures that your VPN server can still be reached.

If your OpenVPN configuration contains the following line, remove it:

persist-tun

After making these changes, reboot your router. Remember: If you removed the forwarding section, you won’t be able to access the internet now.

Now, start OpenVPN:

/etc/init.d/openvpn start

If everything works fine now, you can permanently enable OpenVPN:

/etc/init.d/openvpn enable

Do keep in mind though: OpenVPN depends on the date and time being correct to check whether certificates are valid. Your router probably doesn't have a real-time clock, meaning it starts at Jan 1 1970 every time. It then depends on internet NTP servers to get the current date and time. This means that OpenVPN will not connect until this is completed, because your certificates are not valid on Jan 1 1970.
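As an added example (not part of the original answer), the same procedure is expressed below as a uci batch you can pipe into `uci batch` on the router, followed by a small shell check that reads an /etc/config/firewall text and flags whether LAN traffic could still be forwarded straight out the WAN, which is the leak the answer's optional step closes. The interface, device and zone names (vpn, tun0, lan, wan) follow the answer; the two sample firewall texts are constructed for illustration, not taken from the poster's router.

```shell
#!/bin/sh
# Added example, not from the original answer. Names follow the answer:
# interface 'vpn' on tun0, zone 'vpn', stock zones 'lan' and 'wan'.

# Part 1: the answer's network/firewall changes as a uci batch. This only
# emits the commands; on the router run:  uci_batch | uci batch
# Removing the stock lan -> wan forwarding is left to the operator because
# its index in /etc/config/firewall varies (check with: uci show firewall).
uci_batch() {
  cat <<'EOF'
set network.vpn=interface
set network.vpn.ifname='tun0'
set network.vpn.proto='none'
add firewall zone
set firewall.@zone[-1].name='vpn'
add_list firewall.@zone[-1].network='vpn'
set firewall.@zone[-1].input='REJECT'
set firewall.@zone[-1].output='ACCEPT'
set firewall.@zone[-1].forward='REJECT'
set firewall.@zone[-1].masq='1'
add firewall forwarding
set firewall.@forwarding[-1].src='lan'
set firewall.@forwarding[-1].dest='vpn'
commit network
commit firewall
EOF
}

# Part 2: read an /etc/config/firewall text on stdin and verify the
# "LAN can only reach the tunnel" shape: no lan -> wan forwarding (the leak
# path), a lan -> vpn forwarding, and a zone named vpn with masq enabled.
# Prints each problem and returns 1; returns 0 when all three hold.
check_firewall() {
  awk -v q="'" '
    function val(s) { gsub("[" q "\"]", "", s); return s }   # strip quotes
    function endsec() {                                       # close a section
      if (type == "forwarding" && src == "lan" && dest == "wan") leak = 1
      if (type == "forwarding" && src == "lan" && dest == "vpn") tovpn = 1
      if (type == "zone" && name == "vpn" && masq == "1") vpnmasq = 1
      type = ""; src = ""; dest = ""; name = ""; masq = ""
    }
    $1 == "config" { endsec(); type = $2 }
    $1 == "option" && $2 == "src"  { src  = val($3) }
    $1 == "option" && $2 == "dest" { dest = val($3) }
    $1 == "option" && $2 == "name" { name = val($3) }
    $1 == "option" && $2 == "masq" { masq = val($3) }
    END {
      endsec()
      if (leak)     print "LEAK: lan -> wan forwarding still present"
      if (!tovpn)   print "MISSING: lan -> vpn forwarding"
      if (!vpnmasq) print "MISSING: masquerading zone named vpn"
      if (leak || !tovpn || !vpnmasq) exit 1
    }'
}

# Constructed sample: the question's zone and forwarding, with the stock
# lan -> wan forwarding still present, so LAN traffic can leave via the uplink.
LEAKY_FIREWALL=$(cat <<'EOF'
config forwarding
        option src 'lan'
        option dest 'wan'

config zone
        option name 'VPN_client1'
        option masq '1'
        list network 'VPN_client1'

config forwarding
        option dest 'VPN_client1'
        option src 'lan'
EOF
)

# Constructed sample: the answer's layout with lan -> wan removed
# (the unchanged lan and wan zone sections are omitted for brevity).
HARDENED_FIREWALL=$(cat <<'EOF'
config zone
        option name 'vpn'
        list network 'vpn'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'

config forwarding
        option src 'lan'
        option dest 'vpn'
EOF
)

main() {
  echo "== leaky sample =="
  printf '%s\n' "$LEAKY_FIREWALL" | check_firewall || echo "result: NOT fail-closed"
  echo "== hardened sample =="
  printf '%s\n' "$HARDENED_FIREWALL" | check_firewall && echo "result: ok"
}
main
```

On the router, run `check_firewall < /etc/config/firewall` after the edits. The check reads the config text only, not the loaded firewall rules, so restart the firewall (or reboot, as the answer says) before trusting it. With the lan -> wan forwarding gone, the LAN has no internet whenever the tunnel is down; that is the fail-closed behaviour the answer describes, and it is what keeps the home IP from being bypassed when OpenVPN has not yet connected (for example while the router is still waiting for NTP).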
