This is the situation: a local network connected to the internet via a DSL router/switch. This switch is connected to a router with OpenWRT (call it OpenRouter). OpenRouter is then connected to a network device.
OpenRouter should give this network device an IP (internal, via DHCP of OpenRouter). But OpenRouter should act as an OpenVPN client in such a way that the network device sends all traffic through OpenRouter and the DSL router/switch over the internet to a remotely located OpenVPN server. Is this possible with OpenWRT? How? OpenWRT should NOT be the OpenVPN server, just the client. OpenRouter should thus get two IPs: one from the DHCP server in the local network (or a static one) and one from the OpenVPN server (e.g. 10.8.0.7)... Thanks
Topic: Router as OpenVPN client
The content of this topic has been archived on 19 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.
Yes, I have a location where I have a WRT unit running an OpenVPN client. It has a certificate and connects to an OpenVPN server running on a Linux box at another location. A key of 2048 bits is recommended for medium security without slowing down initial connection setup TOO much. The server configuration hands it a static IP and routing information. Punch a few holes in the firewall software and I have full routing between locations, so hosts in each location can access the other. I have to keep a hosts table updated on each side, but since the number of hosts is fairly small this is not a problem. I much prefer a routed OpenVPN instead of bridged, so there is no chatty sharing of silly broadcast packets; only what is needed goes across the VPN.
(Last edited by vincentfox on 12 Jun 2007, 17:29)
Interesting! Would you care to post the configuration for this? Iptables or anything else useful? Do you also use an external router (i.e. not the OpenWrt device as router)? Thanks
Don't have the time to post a tutorial on OpenVPN, sorry. There are plenty of those on the internet. Just letting you know it is indeed possible on these routers. The hardware is sufficient to the task assuming you aren't trying to shove a lot of data through there and bog down the CPU. I don't see why another layer of NAT would matter as long as the 2 devices can reach each other.
Here's how you do it:
Set up the router as an openvpn client. Make sure you use routed vpn, and make sure the vpn server isn't in the same subnet as the vpn client network.
Remove the rule that does NAT to the internet interface on the client. Instead of doing NAT, forward those packets to the router on the other end of the VPN tunnel. It should know how to get the packets to the internet.
The biggest tip: make sure you have the two subnets working first, then go from there.
If you can't have different subnets, change the NAT rule to send packets to tap0 (I think that's the interface) instead of $WAN.
You might leak DNS requests, too, but I'm not sure how you want that setup.
If you can't have different subnets, change the NAT rule to send packets to tap0 (I think that's the interface) instead of $WAN.
Thanks. Why tap0 and not tun?
Also, what port should I use on the WRTSL54GS (this is the OpenWRT router which is only connected to the real local router)?
Thanks. Why tap0 and not tun?
By "I think that's the interface," I meant it might be tun. It is tun; I just couldn't think of the name.
Also, what port should I use on the WRTSL54GS (this is the OpenWRT router which is only connected to the real local router)?
I'd tie all the vlans together and make it a 5 port switch.
Since it isn't the real router, remember that your DHCP server needs to hand out its IP address as the default gateway. Since it is indeed the openvpn client, it will serve as a router.
By all traffic, do you mean all traffic including internet, or all LAN traffic?
(Last edited by exobyte on 12 Jun 2007, 20:24)
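The steps exobyte gives above (routed tun client, drop the WAN masquerade, NAT onto the tunnel, watch for DNS leaks, and make the OpenWrt box the LAN's default gateway) as one script. This is an added example, not configuration from anyone in the thread; it assumes LAN 10.10.10.0/24 on br-lan, upstream WAN on eth0, the tunnel on tun0, and a resolver at 10.8.0.1 on the VPN side, and it assumes the OpenVPN client config already sets the default route through the tunnel (redirect-gateway def1, or pushed by the server).

```shell
#!/bin/sh
# Added example: generate (and optionally apply) the firewall/routing changes
# that send all LAN traffic of an OpenWrt OpenVPN client through the tunnel.
# All interface names and addresses below are assumptions; adjust to taste.
LAN_NET="${LAN_NET:-10.10.10.0/24}"
LAN_IF="${LAN_IF:-br-lan}"
WAN_IF="${WAN_IF:-eth0}"
VPN_IF="${VPN_IF:-tun0}"
VPN_DNS="${VPN_DNS:-10.8.0.1}"   # resolver reachable only via the tunnel

# Print the commands one per line so they can be reviewed before applying.
build_rules() {
    # 1. The box must forward between LAN and tunnel at all.
    echo "sysctl -w net.ipv4.ip_forward=1"
    # 2. Remove the rule that masquerades LAN traffic straight out the WAN.
    #    It must match the existing rule exactly; check it with
    #    "iptables -t nat -L POSTROUTING -n" first.
    echo "iptables -t nat -D POSTROUTING -o $WAN_IF -j MASQUERADE"
    # 3. Masquerade LAN traffic onto the tunnel instead; the VPN server
    #    on the far end routes it to the internet.
    echo "iptables -t nat -A POSTROUTING -s $LAN_NET -o $VPN_IF -j MASQUERADE"
    # 4. Allow LAN -> tunnel and the established replies back.
    echo "iptables -A FORWARD -i $LAN_IF -o $VPN_IF -j ACCEPT"
    echo "iptables -A FORWARD -i $VPN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # 5. Refuse LAN -> WAN forwarding, so nothing bypasses the tunnel
    #    (e.g. while it is down) and falls back to the upstream router.
    echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -j REJECT"
    # 6. Pin LAN DNS queries to the VPN-side resolver to avoid DNS leaks.
    echo "iptables -t nat -A PREROUTING -i $LAN_IF -p udp --dport 53 -j DNAT --to-destination $VPN_DNS"
    echo "iptables -t nat -A PREROUTING -i $LAN_IF -p tcp --dport 53 -j DNAT --to-destination $VPN_DNS"
}

# Sanity check: number of generated NAT rules that still leave via the WAN.
wan_nat_rules() {
    build_rules | grep -c -- "-A POSTROUTING.*-o $WAN_IF" || true
}

if [ "$1" = "apply" ]; then
    # Apply as root on the router; stop at the first failing command.
    build_rules | while IFS= read -r cmd; do
        echo "+ $cmd"
        sh -c "$cmd" || exit 1
    done
else
    build_rules
fi
```

Without an argument the script only prints the commands; run it with `apply` on the router once the two subnets already route to each other, as the post advises.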
Thanks. A silly question maybe, but is there a way to get the OpenWRT router to redirect all traffic through a proxy on the internet instead of an OpenVPN server on the internet?
http://tldp.org/HOWTO/TransparentProxy.html explains how to do it for just http traffic. I'm sure there's a how to out there for sockets--just search for "transparent proxy." You might just have to make the iptables rule look like this:
iptables -t nat -A PREROUTING -i eth0 -p tcp ! -d <lan network> -j REDIRECT --to-port 1080
Remember to do the same for UDP.
That works for an http proxy, but I'm not sure a socks proxy works the same way. Please do the search.
(Last edited by exobyte on 13 Jun 2007, 16:49)
What version of White Russian should I install on the WRTSL54GS for this purpose? The PPTP or the PPPoE one? The router won't connect directly to the internet though, but will be connected to a switch, and that switch to an internet-enabled router...
Remove the rule that does NAT to the internet interface on the client. Instead of doing NAT, forward those packets to the router on the other end of the VPN tunnel. It should know how to get the packets to the internet.
How do I do this exactly? Thanks
I successfully installed an OpenVPN client on my router (WRTSL54GS). From within SSH on the OpenWRT router, I can perfectly use it (the OpenVPN server is on the internet). However, when I connect a PC to the router, it does not seem to use the OpenVPN client connection, but just uses the standard connection (provided by a different router which is located "behind" the OpenWRT router). The router gets an IP, such as 10.8.0.5, from the OpenVPN server. The router then gives a different IP to a client, such as 10.10.10.234. I think I need to add some routing, but how? Thanks
The discussion might have continued from here.