I use a VPN on my computers, with just a configuration file (that I launch with openvpn ~/vpn/vpn-configfile.ovpn).
It works well on my computers, but now that I have a working router I want to have the VPN on the router itself, so all my devices can use the local network.
I’m not sure how to use reForis’ VPN so I just SSHed to root@turris.local and copied the vpn config file there, and typed openvpn vpn/vpn-configfile.ovpn from there.
It works; the only problem is that after that I have zero connection to the internet from my computer…
This part of the OpenWrt documentation seems to say that it’s normal, that I need to set the VPN network interface as public by assigning VPN interface to WAN zone.
But I don’t see that in the Turris documentation, and anyway when I try to do what OpenWrt says I don’t have a “tun0” among the proposed interfaces.
The documentation by the VPN provider tells to type iptables -t nat -I POSTROUTING -o tun0 -j MASQUERADE for IPv4.
But when I do that I get:
iptables -t nat -I POSTROUTING -o tun0 -j MASQUERADE
iptables v1.8.7 (nf_tables): Chain 'MASQUERADE' does not exist
Try 'iptables -h' or 'iptables --help' for more information.
On this forum they say (and it’s quite logical) that “MASQUERADE is a target, not the name of a chain. To give that error message, the program must have misparsed the rule.”
This website uses update-alternatives to fix the issue, but update-alternative isn’t a temporary change.
Would that be a good solution nevertheless?
update-alternative isn’t found by the CLI, anyway.
The VPN provider told me to adapt the iptables rule to my nftables configuration, but I don’t even know what my nftables configuration is.
I have basic notions of routing, but only used on Cisco routers.
Also, from the answer to the command (the “iptables v1.8.7 (nf_tables)” part), should I deduce that iptables is actually a link to nftables?
I found a syntax for nftables nft add rule nat postrouting ip saddr 10.5.6.0/24 oif eth0 masquerade but I don’t understand if using nft (obviously after changing the IP to my network’s) would mess up the rest of the configuration or not.
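The rule found above, written out as an nftables ruleset file that can be loaded with nft -f on the router. This is an added example for this thread, not code from the original poster, the VPN provider, Turris or OpenWrt; the table name vpn_nat, the 192.168.1.0/24 LAN prefix and the tun0 interface name are assumptions to adapt. It deliberately lives in its own table rather than in the firewall's own table (which OpenWrt's fw4 names inet fw4), so a firewall reload neither flushes it nor is affected by it: nftables runs the postrouting chains of every table, so the rule is purely additive.

```nft
#!/usr/sbin/nft -f
# Constructed example: source NAT for LAN traffic leaving through the VPN tunnel.
# Assumptions: table name "vpn_nat", tunnel interface "tun0", LAN prefix
# 192.168.1.0/24 (the OpenWrt default). Add further "ip saddr" rules for other
# local subnets (e.g. a guest network) that should also be NATed into the tunnel.

# "add table" is a no-op if the table already exists; flushing it afterwards
# makes this file safe to re-apply without duplicating rules.
add table inet vpn_nat
flush table inet vpn_nat

table inet vpn_nat {
    chain postrouting {
        # Same hook and priority as iptables' nat/POSTROUTING (srcnat == 100).
        type nat hook postrouting priority srcnat; policy accept;

        # Match the outgoing interface by *name*: "oifname" is evaluated per
        # packet, so the rule keeps working when OpenVPN tears down and
        # recreates tun0 on every reconnect. "oif tun0" would be resolved to an
        # interface index at load time and fail if tun0 does not exist yet.
        # "counter" lets you see packets hit the rule in "nft list table inet vpn_nat".
        oifname "tun0" ip saddr 192.168.1.0/24 counter masquerade comment "LAN out via VPN"
    }
}
```

Load it with nft -f /path/to/vpn-nat.nft, check with nft list table inet vpn_nat (the counter should increase while a LAN client browses), and remove it cleanly with nft delete table inet vpn_nat; it does not survive a reboot unless you hook it into startup. Two practical points: the "(nf_tables)" suffix in the error message identifies the iptables-nft compatibility frontend, which translates iptables rules into nftables rather than being a link to nft, and "Chain 'MASQUERADE' does not exist" is what that frontend prints when it cannot load the MASQUERADE target extension and so falls back to treating the -j argument as a user-defined chain name. Also note that this rule only performs NAT; whether clients on a given network (such as a guest network) are allowed to forward into the tunnel at all is decided by the firewall's zone forwarding rules, which is the "assign the VPN interface to a zone" step the OpenWrt documentation refers to.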
a) Is this a VPN sold as a service (such as Proton, Mullvad, IVPN, just to name a few)?
b) Or is it a VPN you set up yourself to share an existing connection (from the ISP) with a family/company?
(Basically building a private network for the devices you let in, so that members can access the resources and appear to be on one network regardless of location.)
It is a VPN offered as a service, yes.
Does it change the configuration needed?
Anyway the VPN support helped me by basically pointing me to the Turris documentation on how to get VPNs working via reForis.
I already tried beforehand and it didn’t work, but now I tried harder and after waiting for reconnection and then clicking on “edit” to add username and password, it decided to work.
Though, the guest wifi network (on its own VLAN, I guess? I didn’t configure anything myself except by following the public guide) still doesn’t have access to the internet if I have the VPN running on the router.
Which isn’t exactly the purpose of a guest wifi, I must say.
I strongly advocate using WireGuard; it’s more effective in terms of speed.
There is this awesome guide, with information also on how to set up the firewall.
With the guest network, that needs to be added into the zone, I think (same as LAN), and it should work.
I do believe the VPN provider allows WireGuard keys to be generated.
If so you can:
1) download the config file and drag-and-drop upload it to the configuration (I must delete the DNS row in order to load it from the window, don’t know why).
Also there is 2) the Watchcat package: because the connection will sometimes fail, this can manually reload the connection (mode: Restart interface; add some IP to ping, for example the VPN provider’s DNS server, once every 3 minutes; choose that interface and modem manager).
That will make it all automatic, with just a minute of disruption in case the VPN fails.
As a bonus there is 3) PBR (policy-based routing), which can make it so that IPTV/STB/game consoles won’t be routed through the VPN but through the WAN/ISP, while the rest of the traffic (PCs, tablets, phones) remains inside the tunnel.
The killswitch option in that case can’t be configured, as per the PBR FAQ: ‘The service does NOT support the “killswitch” router mode’.
These 3 steps will make the maximum out of the VPN with ease of use, while also avoiding unnecessary traffic going through the VPN, as well as fewer captchas.