Feature Request: Running an OpenVPN Server in AP-mode

The weirdest thing is happening. I'm getting blocked trying to answer your question.
Your post is probably just triggering a keyword filter. That's particularly common when posting log files. Just upload the log files to pastebin and post the link.
 
This is what I found in the dnsmasq.conf file.

Code:
pid-file=/var/run/dnsmasq.pid
user=nobody
bind-dynamic
interface=br0
resolv-file=/tmp/resolv.conf
servers-file=/tmp/resolv.dnsmasq
no-poll
no-negcache
cache-size=1500
min-port=4096
bogus-priv
domain-needed
no-dhcp-interface=br0
dhcp-name-match=set:wpad-ignore,wpad
dhcp-ignore-names=tag:wpad-ignore
dhcp-script=/sbin/dhcpc_lease
script-arp

The file resolv.conf only contains one line:
nameserver 192.168.1.1

The file resolv.dnsmasq is empty.
 
Sorry, I should have been clearer. I was asking about the file on the router not the access point. Which one is this?

Anticipating the answer... I think you need to create a /jffs/configs/dnsmasq.conf.add file on the router as follows:
Code:
interface=tun21

If the file already exists then just add the line to the end of that file.

This will allow the router's DNS server to respond to requests coming in from the VPN interface.

Sorry, I've just realised that this suggestion is stupid because the router doesn't have a tun21 interface, that is on the AP in this scenario.

Of course, in theory you don't need to do this at all. Instead you could use a different VPN push command to bypass the router's DNS altogether.
Code:
push "dhcp-option DNS 8.8.8.8"
 
This file is from the access point.

I did try using the Google 8.8.8.8 address, using the push command, but that didn't help either.

Just to make sure I also created a port forwarding rule for port 53. But I drew a blank there as well.

Maybe it's better to take a break and return to the topic when and if there is a fresh idea.

For what it's worth. Thank you! I wouldn't have gotten this far without your help.
 
Just a thought. You'll probably need to create a static route on the router to the VPN tunnel, otherwise the LAN traffic won't know how to return.

Network = 10.8.0.0
Netmask = 255.255.255.0
Gateway = 192.168.1.14
Interface = LAN
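As an added check for the return-route suggestion above (example script, not from the thread): it looks for a route to the tunnel subnet in the LAN router's routing table and prints the `ip route` command that adds it when it is missing. The subnet is the 10.8.0.0/255.255.255.0 network written in CIDR form, the `br0` device name and the sample routing tables are assumptions.

```sh
#!/bin/sh
# Verify that the LAN router knows how to send replies back to OpenVPN clients
# whose tunnel subnet lives on the AP. Run on the router, or feed it a saved
# `ip route show` dump. Example code, not part of the original thread.
VPN_NET="10.8.0.0/24"      # OpenVPN server subnet on the AP (CIDR form of the static route)
AP_LAN_IP="192.168.1.14"   # the AP's LAN address, i.e. the next hop for the tunnel

# Constructed sample of `ip route show` from a router that lacks the route
# (203.0.113.1 is a documentation address standing in for the WAN gateway).
SAMPLE_ROUTES_MISSING='default via 203.0.113.1 dev eth0
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1'

# Constructed sample of the same table after the static route has been added.
SAMPLE_ROUTES_PRESENT="$SAMPLE_ROUTES_MISSING
$VPN_NET via $AP_LAN_IP dev br0"

# return_route_status <route table text>
# Prints "present" when VPN_NET is routed via AP_LAN_IP, "wrong-gateway" when a
# route exists but points elsewhere (replies to VPN clients would be misdelivered),
# and "missing" when there is no route at all (replies go to the default gateway).
return_route_status() {
    table="$1"
    line=$(printf '%s\n' "$table" | awk -v net="$VPN_NET" '$1 == net')
    if [ -z "$line" ]; then
        echo missing
    elif printf '%s\n' "$line" | grep -q "via $AP_LAN_IP"; then
        echo present
    else
        echo wrong-gateway
    fi
}

# The command equivalent of the router's static-route entry described above.
fix_command() {
    echo "ip route add $VPN_NET via $AP_LAN_IP dev br0"
}

# Live check when run on a box that has `ip`; otherwise use the constructed sample.
if command -v ip >/dev/null 2>&1; then
    status=$(return_route_status "$(ip route show 2>/dev/null)")
else
    status=$(return_route_status "$SAMPLE_ROUTES_MISSING")
fi
echo "return route for $VPN_NET: $status"
[ "$status" = present ] || fix_command
```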
 
It was a request for a new feature that started this thread. I never had the intention to run it as a hack, even if it had worked, and it still might. A proof of concept was in my mind only the first step towards a fully integrated OpenVPN Server capability in AP-mode.

I have a few other devices to test with. If and when I have something new to add to the conversation, I will update this thread.
 
I can ping both the firewall (192.168.1.1) and the AP (192.168.1.14) from my iPhone.

I think the challenge is twofold. First you have to have access to the local network, and I think this has been accomplished. Secondly you have to have access to the internet, and it's where it fails.

If I enable the feature "Advertise DNS to clients", it should take care of providing the OpenVPN client with a DNS. The problem is that the ip-address of the AP and the OpenVPN Server is not the main ip-address of the network. I have a separate firewall where this ip-address resides. The RT-AC86U is a router and wired to host the main ip-address of the network. In this scenario it doesn't.

If I add - push "dhcp-option DNS 192.168.1.1" - to Custom Configuration, the OpenVPN Server will be assigned the main ip-address as DNS. However, it will not propagate to the clients. Or rather, it will, but second in order. The ip-address of the AP (192.168.1.14) will effectively block the use of the main ip-address (192.168.1.1) as DNS.

It's a Catch 22.
 
It was a request for a new feature that started this thread. I never had the intention to run it as a hack, even if it had worked, and it still might. A proof of concept was in my mind only the first step towards a fully integrated OpenVPN Server capability in AP-mode.

Understood.

So far though the changes required to the AP would be a) enabling the VPN Server menu tab, and b) pushing the correct DNS server.

Other changes (yet to be confirmed) would have to be made on the LAN's router, whatever that device may be.

P.S. I've removed my first suggestion in post #25 as I realised it was nonsense.
 
I've managed to configure a working OpenVPN Server on my Asus RT-AC86U, behind another router/firewall with a public ip-address. The reason for this setup was that I was using the Asus as an access point (AP). The RT-AC86U has got quite a powerful cpu with hardware accelerated AES and I wanted to put it to better use than just have it idling.

https://www.snbforums.com/threads/openvpn-performance-of-the-rt-ac86u.41217/page-2#post-351407

First I tried a setup with it in AP mode. Then I tried with NAT, DHCP and the firewall disabled. None of it worked. The way I got it to work was with the Asus RT-AC86U in router mode and double NAT.

1. On the router/firewall: I port forwarded (in this case) port 1194 (UDP) and in DHCP assigned a static ip-address based on the MAC address of the WAN port of the Asus router. The router/firewall will need a DDNS address.

2. On the Asus: Under the WAN tab, I assigned the static ip-address from the port forwarding on the router/firewall to WAN. For default gateway and DNS server 1 I assigned the ip-address of the router/firewall. I also made a port forward of port 1194 (external port) and the same ip-address used for WAN (internal IP address) and (protocol) UDP. Then I just configured an OpenVPN Server and edited in the DDNS address from the router/firewall in the client.ovpn file, and that was it. YMMV
 
Thanks for the update @miroco. Glad to hear you found a solution.

I will mention that the port forwarding on the Asus (step 2) is unnecessary. It's only required on the primary router. ;)
 