This is an old revision of the document!
First steps
To use SSH, first telnet to the router and set the root password (once the root password is set, OpenWrt disables telnet and enables the SSH daemon).
Enable SSH on WAN
# allow incoming TCP/22 from the WAN zone
uci add firewall rule
uci set firewall.@rule[-1].src=wan
uci set firewall.@rule[-1].target=ACCEPT
uci set firewall.@rule[-1].proto=tcp
uci set firewall.@rule[-1].dest_port=22
uci commit firewall
/etc/init.d/firewall restart
Multiple WAN IP
same provider
There are two methods for defining multiple WAN IPs (https://wiki.openwrt.org/doc/uci/network#multiple_ip_addresses). In both cases the addresses are added to the same interface. It is not possible to create a second firewall zone such as WAN2, because all iptables rules use the physical interface name to attach to the iptables chains, and the physical interface is the same.
A better approach is to create a second OpenWrt interface “WAN2” and assign it to the firewall zone “WAN”. To use the other external IP, the firewall has to be configured manually in /etc/firewall.user.
OpenVPN
opkg install openvpn-openssl luci-app-openvpn openvpn-easy-rsa
Enable incoming OpenVPN connections:
# allow incoming OpenVPN (UDP/1194) from the WAN zone
uci add firewall rule
uci set firewall.@rule[-1]._name=openvpn
uci set firewall.@rule[-1].src=wan
uci set firewall.@rule[-1].target=ACCEPT
uci set firewall.@rule[-1].proto=udp
uci set firewall.@rule[-1].dest_port=1194
uci commit firewall
# accept traffic on the tap interfaces (bridged into the LAN)
echo "iptables -I OUTPUT -o tap+ -j ACCEPT" >> /etc/firewall.user
echo "iptables -I INPUT -i tap+ -j ACCEPT" >> /etc/firewall.user
echo "iptables -I FORWARD -o tap+ -j ACCEPT" >> /etc/firewall.user
echo "iptables -I FORWARD -i tap+ -j ACCEPT" >> /etc/firewall.user
# register the server instance with the OpenVPN init script (mkdir -p, not -o)
mkdir -p /etc/openvpn
uci set openvpn.uservpn=openvpn
uci set openvpn.uservpn.config=/etc/openvpn/user-vpn.conf
uci set openvpn.uservpn.enable=1
uci commit openvpn
cat > /etc/openvpn/user-vpn.conf <<'EOF'
port 1194
proto udp
dev tap0
keepalive 10 120
status /tmp/openvpn-status.log
verb 3
secret /etc/openvpn/secret.key
EOF
Add VPN to local LAN bridge:
cat > /etc/init.d/openvpn-bridge <<'EOF'
#!/bin/sh /etc/rc.common
START=94
start() {
    # create the persistent tap device and attach it to the LAN bridge
    openvpn --mktun --dev tap0
    brctl addif br-lan tap0
    ifconfig tap0 0.0.0.0 promisc up
}
stop() {
    ifconfig tap0 0.0.0.0 down
    brctl delif br-lan tap0
    openvpn --rmtun --dev tap0
}
EOF
chmod 755 /etc/init.d/openvpn-bridge
/etc/init.d/openvpn-bridge enable
/etc/init.d/openvpn-bridge start
openvpn --genkey --secret /etc/openvpn/secret.key
Start VPN:
/etc/init.d/openvpn enable
/etc/init.d/openvpn start
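The server side above uses a static (shared) key in tap mode but the page gives no client side. The following is an added example, not from the wiki page: a POSIX shell helper that writes the matching client configuration (remote on UDP/1194, `dev tap`, the same `secret` file) and a check that the copied key file is readable by its owner only, since whoever can read a static key can join the LAN bridge as a peer. `ROUTER_ADDR` is a placeholder for the router's public address, and the key written by the demo is a constructed dummy, not a real OpenVPN key.

```shell
#!/bin/sh
# Added example (not from the wiki): client counterpart of the static-key tap
# server, plus a permission check for the shared secret.

# Write a client config matching the server's user-vpn.conf (tap, udp/1194,
# static key). The client is bridged into the LAN and gets its address via
# DHCP through the tunnel, so no ifconfig line is needed.
write_client_conf() {
  router="$1"; keyfile="$2"; out="$3"
  cat > "$out" <<EOF
remote $router 1194
proto udp
dev tap
secret $keyfile
keepalive 10 120
verb 3
EOF
}

# Return 0 if the key file has no group/other permission bits (0600 or
# stricter), 1 otherwise. Uses ls -l columns 5-10 so it also works on BusyBox.
key_is_private() {
  mode=$(ls -ld "$1" | cut -c5-10)   # group + other permission bits
  case "$mode" in
    *[rwx]*) return 1 ;;
    *)       return 0 ;;
  esac
}

# Demo on a temporary directory with a constructed dummy key (not a real key).
demo() {
  d=$(mktemp -d)
  printf 'dummy-static-key\n' > "$d/secret.key"
  chmod 600 "$d/secret.key"
  write_client_conf ROUTER_ADDR "$d/secret.key" "$d/client.conf"
  if key_is_private "$d/secret.key"; then
    echo "secret.key permissions ok"
  else
    echo "secret.key is readable by group/others"
  fi
  cat "$d/client.conf"
  rm -rf "$d"
}
demo
```

On a real client, copy `/etc/openvpn/secret.key` from the router over SSH (scp), keep it mode 0600, and point `secret` at that path; one static key means one trust relationship for every peer that holds a copy.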
Issues
Problem: port-forwarded traffic always appears to come from the router's local IP instead of the real external source address. Solution: disable the masq option on the LAN zone (masquerading should be enabled only on the WAN zone).
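Both the SSH-on-WAN rule from "Enable SSH on WAN" and the LAN-zone masq problem above can be spotted in an exported firewall config. The following is an added example, not from the wiki page: a POSIX shell/awk audit that reads `uci show firewall` output (piped in on the router, or from a saved dump on a workstation), lists every zone other than wan that still masquerades, and lists every ACCEPT rule on the wan zone together with its `src_ip` restriction, so an SSH rule open to any source stands out. The sample dump embedded below is constructed for the demo, not taken from a real router; the `src_ip` values in it are documentation addresses.

```shell
#!/bin/sh
# Added example (not from the wiki): audit helpers over `uci show firewall`.
# Pure POSIX sh + awk, so it runs on BusyBox as well as on a workstation.

# Common parser: turns "firewall.<section>.<option>=<value>" lines into awk
# arrays, stripping the single quotes newer uci versions put around values.
UCI_PARSE='
  {
    key = $1
    val = substr($0, length(key) + 2)
    if (substr(val, 1, 1) == q) val = substr(val, 2, length(val) - 2)
    n = split(key, k, ".")
    if (n == 2) { type[k[2]] = val; next }      # section definition line
    if (n < 3) next
    sec = k[2]; opt = k[3]
    if (opt == "name" || opt == "_name") name[sec] = val
    if (opt == "masq")      masq[sec]   = val
    if (opt == "src")       src[sec]    = val
    if (opt == "src_ip")    srcip[sec]  = val
    if (opt == "target")    target[sec] = val
    if (opt == "proto")     proto[sec]  = val
    if (opt == "dest_port") dport[sec]  = val
  }'

# Zones that masquerade although they are not the wan zone (the "Issues"
# case: masq on lan rewrites the source of port-forwarded traffic).
masq_outside_wan() {
  awk -F= -v q="'" "$UCI_PARSE"'
  END {
    for (s in masq)
      if (type[s] == "zone" && masq[s] == "1" && name[s] != "wan") print name[s]
  }' | LC_ALL=C sort
}

# Every ACCEPT rule on the wan zone with its source restriction; "src_ip=any"
# on an administrative port such as 22 is the line to review.
wan_accept_rules() {
  awk -F= -v q="'" "$UCI_PARSE"'
  END {
    for (s in target)
      if (type[s] == "rule" && src[s] == "wan" && target[s] == "ACCEPT")
        printf "name=%s proto=%s dest_port=%s src_ip=%s\n", name[s], proto[s],
               (s in dport) ? dport[s] : "any", (s in srcip) ? srcip[s] : "any"
  }' | LC_ALL=C sort
}

# Constructed sample in the format of `uci show firewall` (not real output).
sample_uci() {
  cat <<'EOF'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].masq='1'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].masq='1'
firewall.@rule[0]=rule
firewall.@rule[0].name='ssh'
firewall.@rule[0].src='wan'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].proto='tcp'
firewall.@rule[0].dest_port='22'
firewall.@rule[1]=rule
firewall.@rule[1]._name='openvpn'
firewall.@rule[1].src='wan'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[1].proto='udp'
firewall.@rule[1].dest_port='1194'
firewall.@rule[2]=rule
firewall.@rule[2].name='ssh-admin'
firewall.@rule[2].src='wan'
firewall.@rule[2].src_ip='203.0.113.10'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[2].proto='tcp'
firewall.@rule[2].dest_port='22'
firewall.@rule[3]=rule
firewall.@rule[3].name='lan-dns'
firewall.@rule[3].src='lan'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[3].proto='udp'
firewall.@rule[3].dest_port='53'
EOF
}

# On the router: uci show firewall | masq_outside_wan ; here run on the sample.
echo "zones masquerading outside wan:"; sample_uci | masq_outside_wan
echo "accept rules on wan:";            sample_uci | wan_accept_rules
```

The fix for a flagged zone is the one the page states (`uci set firewall.@zone[0].masq=0` for the lan zone, then commit and restart); for an SSH rule reported with `src_ip=any`, adding `uci set firewall.@rule[N].src_ip=<admin address>` narrows it to the host that actually administers the router.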