To create a well-structured network with the devices you have and meet your goals (like OpenVPN on specific devices), we can break this down into a few steps. The best network configuration will depend on your usage requirements and the flexibility you need for future changes.

Step 1: Choosing the Best Network Topology

You have two main options:

Option 1: All devices connected to the operator router (via cable)

  • Advantages:
    • Simplified setup: Each router gets its own IP from the operator router.
    • No single point of failure: If one router has issues, the others remain unaffected.
    • Independent network management for each router.
  • Disadvantages:
    • Multiple subnets might exist, which can make communication between devices on different routers tricky.
    • You would need to configure OpenVPN separately on the Xiaomi AC2100 to apply only to specific devices.

Option 2: ASUS RT-AC68U in bridge mode (connected to the operator router), with Xiaomi and TP-Link Deco M5s connected to ASUS

  • Advantages:
    • Single network (managed by ASUS), making device-to-device communication seamless.
    • Simplified routing and control over all network traffic (you can centralize policies like firewall rules, VPN settings).
    • Easier to implement OpenVPN rules because all the devices will be under the ASUS router’s network.
  • Disadvantages:
    • ASUS becomes a single point of failure for all the devices behind it.
    • More complex configuration, as you will need to set up the ASUS router in bridge mode (to avoid double NAT) and configure proper DHCP or static routing.

Recommendation:
Go with Option 2 (ASUS in bridge mode). This provides more flexibility, especially when implementing specific configurations like OpenVPN and managing traffic based on IP addresses.

Step 2: Setting Up ASUS in Bridge Mode

  1. Disable the DHCP server on the ASUS router to avoid conflicts with the operator router.
    • Access the ASUS router via SSH or web interface.
    • Navigate to Network > Interfaces > LAN.
    • Under the DHCP Server settings, disable DHCP.
  2. Set the ASUS router to bridge mode:
    • Go to Network > Interfaces and change the WAN interface to bridged mode.
    • Set the LAN interface to provide IPs from the operator router (or leave it static if you prefer).
  3. Connect the Xiaomi and TP-Link Deco M5 routers to the ASUS via Ethernet.
    • These devices will automatically receive an IP address from the ASUS router.

Step 3: OpenVPN on the Xiaomi AC2100 (to specific devices)

Since you want the OpenVPN to work only for devices connected via cable or to specific IP addresses, you can achieve this by creating firewall rules and routing policies.

  1. Set up OpenVPN on the Xiaomi AC2100:
    • Follow the OpenVPN guide on OpenWRT to configure OpenVPN. Ensure that the VPN service starts correctly.
    • You will need the OpenVPN package installed:
        opkg update
        opkg install openvpn-openssl luci-app-openvpn
    • Configure the openvpn.conf file as needed (for example, with your VPN provider's config or your own).
  2. Restrict VPN to wired devices:
    • Identify the IP addresses or MAC addresses of devices connected via Ethernet.
    • Use PBR (Policy-Based Routing) to route only certain devices through the VPN. Install the luci-app-vpn-policy-routing package:
        opkg install luci-app-vpn-policy-routing
    • After installation, go to Services > VPN Policy Routing in the LuCI web interface.
    • Create rules to route traffic from specific IP addresses or MAC addresses through the VPN interface.
  3. Alternative: VPN for a Specific Subnet (e.g., Wired Devices Only):
    • You can use VLANs to segment wired and wireless traffic.
    • Configure VLANs on the Xiaomi so that wired and wireless clients are on separate VLANs. Apply the VPN only to the VLAN for wired devices.

Step 4: Configure TP-Link Deco M5 Units

  • Set both TP-Link Deco M5 units in AP (Access Point) mode:
    • You can disable their routing functionality since they will be behind the ASUS router.
    • In AP mode, they will pass the traffic to the ASUS router without performing NAT.
    • Go to Network > Interfaces and set them up as DHCP clients (or assign static IPs if desired).

Step 5: Static IP Assignment (Optional but Recommended)

To make things easier to maintain:

  • Assign static IPs to devices that you want to manage through the OpenVPN (or route differently). You can do this via the DHCP settings on the ASUS router:
    • Go to Network > DHCP and DNS > Static Leases.
    • Add the MAC addresses of devices you want to assign static IPs to.

Final Notes:

  • VPN Configuration: To ensure VPN works on specific devices or segments, the Xiaomi AC2100 should handle VPN routing rules. If devices are segmented into subnets or VLANs, the Xiaomi AC2100 can apply VPN policies more cleanly.
  • ASUS Router Stability: Since the ASUS RT-AC68U will handle most of the traffic, ensure it's stable and has enough processing power to handle VPN passthrough if needed.
  • Monitoring: Use tools like luci-app-statistics or iftop to monitor traffic and ensure your configuration is working as expected.


 

To set up the network with the ASUS RT-AC68U as the main router (in bridged mode) and other devices (Xiaomi AC2100, TP-Link Deco M5s) connected to the ASUS, follow this step-by-step plan. I will guide you on what configuration files you will need, as well as which router to configure first and how to proceed.

Step-by-Step Plan:

1. Configure the ASUS RT-AC68U (Main Router)

The ASUS will act as the main router, distributing IP addresses and routing traffic for the network. You’ll set this up first because the other devices (Xiaomi and TP-Link routers) will depend on this setup.

1.1 Disable DHCP on ASUS

This will prevent double NAT issues and allow the operator router to handle DHCP and IP assignment.

  1. SSH into the ASUS RT-AC68U:
        ssh root@192.168.1.2
  2. Edit the /etc/config/dhcp file to disable the DHCP server on the LAN interface. You can use Nano to edit the file:
        nano /etc/config/dhcp
  3. Look for the following section:
        config dhcp 'lan'
            option interface 'lan'
            option start '100'
            option limit '150'
            option leasetime '12h'
     Modify this section to disable DHCP:
        config dhcp 'lan'
            option interface 'lan'
            option ignore '1'
  4. Save and close the file with Ctrl + X, then press Y and Enter.
  5. Restart the networking service to apply changes:
        /etc/init.d/network restart

1.2 Set the WAN Interface to Bridged Mode

In bridged mode, the ASUS RT-AC68U will pass traffic from the operator router, allowing the operator router to handle routing for internet traffic.

  1. Edit the /etc/config/network file:
        nano /etc/config/network
  2. Find the WAN interface configuration and modify it like this:
        config interface 'wan'
            option ifname 'eth0.2'
            option proto 'dhcp'
            option type 'bridge'
  3. Also configure the LAN interface for the ASUS router. If you want the ASUS to have a static IP (recommended for management):
        config interface 'lan'
            option ifname 'eth0.1'
            option proto 'static'
            option ipaddr '192.168.1.2'
            option netmask '255.255.255.0'
            option gateway '192.168.1.1'   # Operator router's IP
            option dns '192.168.1.1'       # Operator router as DNS server
  4. Save and close the file, then restart the network service:
        /etc/init.d/network restart

Now, the ASUS RT-AC68U will pass all traffic through to the operator router, and the operator router will handle DHCP, DNS, and routing.

1.3 Connect Other Devices to ASUS

Once the ASUS RT-AC68U is in bridge mode, connect the other devices (Xiaomi and TP-Link Deco M5s) via Ethernet cables to the ASUS LAN ports. These devices will receive IP addresses from the operator router.
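In this layout the operator router must stay the only DHCP server, so every OpenWrt box behind it needs `option ignore '1'` in its `lan` DHCP section and a static LAN address inside the operator's subnet. The Python below is an added example, not code from the page or from OpenWrt: it parses UCI text (the `config` / `option` lines shown in 1.1 and 1.2) and reports devices that still serve DHCP on the operator's subnet, duplicate LAN addresses, and gateways that are not on the LAN. The sample configs are constructed for this example; the ASUS one mirrors the fragments above, while the Xiaomi one deliberately keeps a stock DHCP section so the audit has something to catch.

```python
"""Added example (not from the original page): audit OpenWrt UCI files so a
second DHCP server never appears on the operator router's subnet."""
import ipaddress
import shlex

# Constructed sample configs (hypothetical). The ASUS follows the text: DHCP
# ignored on lan and a static address of 192.168.1.2 behind the operator router.
ASUS_DHCP = """
config dhcp 'lan'
    option interface 'lan'
    option ignore '1'
"""
ASUS_NETWORK = """
config interface 'lan'
    option ifname 'eth0.1'
    option proto 'static'
    option ipaddr '192.168.1.2'
    option netmask '255.255.255.0'
    option gateway '192.168.1.1'   # operator router
"""
# The Xiaomi keeps its stock DHCP section: the mistake this audit should catch.
XIAOMI_DHCP = """
config dhcp 'lan'
    option interface 'lan'
    option start '100'
    option limit '150'
    option leasetime '12h'
"""
XIAOMI_NETWORK = """
config interface 'lan'
    option ifname 'eth0'
    option proto 'static'
    option ipaddr '192.168.1.3'
    option netmask '255.255.255.0'
    option gateway '192.168.1.2'
"""
SAMPLE_ROUTERS = {"asus": (ASUS_DHCP, ASUS_NETWORK),
                  "xiaomi": (XIAOMI_DHCP, XIAOMI_NETWORK)}


def parse_uci(text):
    """Parse UCI text into [{'type', 'name', 'options'}]; '#' comments are dropped."""
    sections, current = [], None
    for raw in text.splitlines():
        parts = shlex.split(raw, comments=True)
        if not parts:
            continue
        if parts[0] == "config":
            current = {"type": parts[1],
                       "name": parts[2] if len(parts) > 2 else None,
                       "options": {}}
            sections.append(current)
        elif parts[0] in ("option", "list") and current is not None and len(parts) >= 3:
            current["options"][parts[1]] = parts[2]
    return sections


def lan_dhcp_enabled(dhcp_text):
    """True when the 'lan' dhcp section hands out leases (ignore != '1')."""
    for s in parse_uci(dhcp_text):
        if s["type"] == "dhcp" and s["options"].get("interface") == "lan":
            return s["options"].get("ignore", "0") != "1"
    return False


def lan_settings(network_text):
    """Static LAN address (ip_interface) and gateway, or None if lan is not static."""
    for s in parse_uci(network_text):
        o = s["options"]
        if s["type"] == "interface" and s["name"] == "lan" and o.get("proto") == "static":
            return {"iface": ipaddress.ip_interface(f"{o['ipaddr']}/{o['netmask']}"),
                    "gateway": ipaddress.ip_address(o["gateway"]) if "gateway" in o else None}
    return None


def audit(routers, upstream_subnet):
    """routers: {name: (dhcp_text, network_text)}. upstream_subnet is the operator
    router's subnet, the only place DHCP should be served. Returns finding strings."""
    upstream = ipaddress.ip_network(upstream_subnet)
    findings, seen = [], {}
    for name, (dhcp_text, net_text) in routers.items():
        lan = lan_settings(net_text)
        if lan is None:
            continue
        iface, gw = lan["iface"], lan["gateway"]
        if iface.ip in seen:
            findings.append(f"{name}: LAN address {iface.ip} duplicates {seen[iface.ip]}")
        seen[iface.ip] = name
        if iface.ip not in upstream:
            findings.append(f"{name}: LAN address {iface.ip} is outside {upstream}")
        if gw is not None and gw not in iface.network:
            findings.append(f"{name}: gateway {gw} is not on {iface.network}")
        if lan_dhcp_enabled(dhcp_text) and iface.network == upstream:
            findings.append(f"{name}: still serves DHCP on {upstream}; set option ignore '1'")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_ROUTERS, "192.168.1.0/24"):
        print(line)
```

To run it against real devices, copy each router's /etc/config/dhcp and /etc/config/network over scp and pass their contents in place of the constructed strings; a clean result is an empty list.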

2. Configure the Xiaomi AC2100 (VPN Router)

The Xiaomi AC2100 will handle OpenVPN for specific devices. You will need to set up OpenVPN and configure Policy-Based Routing (PBR) to apply VPN only to devices connected via cable or with specific IPs.

2.1 Set Static IP for Xiaomi Router

Set a static IP for the Xiaomi AC2100 so you can easily manage it. This can be done from the ASUS router’s DHCP settings or via SSH on the Xiaomi AC2100 itself.

  1. SSH into the Xiaomi router:
        ssh root@192.168.1.3
  2. Edit the /etc/config/network file:
        nano /etc/config/network
  3. Set a static IP for the Xiaomi router:
        config interface 'lan'
            option ifname 'eth0'
            option proto 'static'
            option ipaddr '192.168.1.3'
            option netmask '255.255.255.0'
            option gateway '192.168.1.2'   # ASUS router's IP
            option dns '192.168.1.2'
  4. Save and close the file, then restart the network service:
        /etc/init.d/network restart

2.2 Install and Configure OpenVPN

  1. Install the OpenVPN package and web interface on the Xiaomi router:
        opkg update
        opkg install openvpn-openssl luci-app-openvpn
  2. Upload your OpenVPN .ovpn configuration file to /etc/openvpn/ on the Xiaomi router, then edit the OpenVPN config:
        nano /etc/openvpn/myvpn.conf
  3. Set up the OpenVPN configuration as needed for your VPN provider. Example:
        client
        dev tun
        proto udp
        remote vpn-server.example.com 1194
        resolv-retry infinite
        nobind
        persist-key
        persist-tun
        ca /etc/openvpn/ca.crt
        cert /etc/openvpn/client.crt
        key /etc/openvpn/client.key
        remote-cert-tls server
        cipher AES-256-CBC
        comp-lzo
        verb 3
  4. Enable the OpenVPN service to start at boot:
        /etc/init.d/openvpn enable
        /etc/init.d/openvpn start

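A provider's .ovpn file is usually pasted in as-is, so it is worth checking the directives the tunnel's security actually rests on before enabling the service: `remote-cert-tls server` (without it the client accepts any certificate the CA signed, including another client's), a `ca` directive or inline `<ca>` block, no compression (`comp-lzo` is deprecated in OpenVPN 2.4+ and compression exposes tunnelled traffic to compression side channels), and `data-ciphers` rather than a lone `cipher`, which OpenVPN 2.5+ treats only as a legacy fallback. The Python below is an added example, not code from the page or from the OpenVPN project; it parses a client config and returns those findings. The sample config is the one from step 3, labelled here as a constructed input.

```python
"""Added example (not from the original page): lint an OpenVPN client config
for the settings a VPN client's security depends on."""
import shlex

# Constructed sample: the client config from the text as it would be saved to
# /etc/openvpn/myvpn.conf (the server name is a placeholder).
SAMPLE_CONF = """\
client
dev tun
proto udp
remote vpn-server.example.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/client.crt
key /etc/openvpn/client.key
remote-cert-tls server
cipher AES-256-CBC
comp-lzo
verb 3
"""

COMPRESSION_ALGOS = {"lzo", "lz4", "lz4-v2"}


def parse_ovpn(text):
    """Return [(directive, args)]; comments are skipped and an inline
    <tag>...</tag> block is recorded as (tag, ['<inline>']) without its body."""
    directives, inline_tag = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if inline_tag:
            if line == f"</{inline_tag}>":
                inline_tag = None
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("<") and line.endswith(">"):
            inline_tag = line[1:-1]
            directives.append((inline_tag, ["<inline>"]))
            continue
        parts = shlex.split(line)
        directives.append((parts[0], parts[1:]))
    return directives


def lint(text):
    """Return [(code, message)] findings; an empty list means nothing to fix."""
    found = dict(parse_ovpn(text))   # last occurrence of a directive wins
    findings = []
    if found.get("remote-cert-tls") != ["server"]:
        findings.append(("no-remote-cert-tls",
                         "add 'remote-cert-tls server': otherwise any certificate the CA "
                         "signed, including another client's, is accepted as the server"))
    if "ca" not in found:
        findings.append(("no-ca", "no 'ca' directive or <ca> block: the server cannot be verified"))
    compress_algo = (found.get("compress") or [None])[0]
    if "comp-lzo" in found or compress_algo in COMPRESSION_ALGOS:
        findings.append(("compression",
                         "compression is deprecated and exposes tunnelled traffic to "
                         "compression side channels; remove 'comp-lzo'/'compress'"))
    if "cipher" in found and "data-ciphers" not in found:
        findings.append(("cipher-not-negotiated",
                         "OpenVPN 2.5+ negotiates the data channel from 'data-ciphers'; "
                         "pin AEAD suites, e.g. 'data-ciphers AES-256-GCM:CHACHA20-POLY1305'"))
    if found.get("auth-user-pass"):
        findings.append(("creds-file",
                         f"credentials stored in {found['auth-user-pass'][0]}; keep it root-only"))
    verb = found.get("verb", ["1"])[0]
    if verb.isdigit() and int(verb) >= 5:
        findings.append(("verbose", "verb >= 5 logs per-packet detail; use 3 in production"))
    return findings


if __name__ == "__main__":
    for code, message in lint(SAMPLE_CONF):
        print(f"{code}: {message}")
```

For the sample config the linter reports only the compression and cipher findings; the `remote-cert-tls server` and `ca` lines in the example are exactly what keeps the other two checks quiet, so keep them when adapting a provider's file.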
2.3 Set Up Policy-Based Routing (PBR)

You only want the VPN to affect specific devices. We’ll use Policy-Based Routing to achieve this.

  1. Install the VPN Policy Routing package:
        opkg install luci-app-vpn-policy-routing
  3. Configure PBR in the LuCI interface:
    • Navigate to Services > VPN Policy Routing.
    • Add rules based on IP addresses or MAC addresses. For example:
      • Devices with specific IPs (connected via cable) will use the VPN.
      • Devices connected via Wi-Fi will bypass the VPN.
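The policy rules in 2.3 (and in Step 3 of the first plan) are evaluated in order, first match wins, and any client no rule matches leaves through the default route, i.e. the operator router rather than the VPN. A wired device added later without its own rule therefore bypasses the VPN silently. The Python below is an added example, not code from the page or from the VPN Policy Routing package: it models that first-match evaluation over a constructed client table and reports every client whose exit interface contradicts the intent (wired devices meant for the VPN, Wi-Fi devices meant to bypass it). Client names, addresses and MACs are made up, and the rule dictionaries are a simplification of the LuCI form's local-address and MAC matchers, not the package's storage format. It also shows why the static-lease advice in Step 5 matters: one CIDR rule over a reserved wired range covers every device in it.

```python
"""Added example (not from the original page): simulate first-match VPN policy
rules against a client table and report clients that would not route as intended."""
import ipaddress

# Constructed client table (hypothetical addresses and MACs) as the Xiaomi would
# see them: three wired devices that should use the VPN and one Wi-Fi phone.
CLIENTS = [
    {"name": "nas",     "ip": "192.168.1.20", "mac": "aa:bb:cc:00:00:01", "link": "wired"},
    {"name": "desktop", "ip": "192.168.1.21", "mac": "aa:bb:cc:00:00:02", "link": "wired"},
    {"name": "printer", "ip": "192.168.1.22", "mac": "aa:bb:cc:00:00:03", "link": "wired"},
    {"name": "phone",   "ip": "192.168.1.50", "mac": "AA:BB:CC:00:00:04", "link": "wifi"},
]

# Rules as entered one at a time in the LuCI policy page: 'src' matches a local
# address or CIDR, 'mac' a client MAC. Evaluation is first match wins.
PER_DEVICE_RULES = [
    {"match": "mac", "value": "aa:bb:cc:00:00:01", "interface": "vpn"},
    {"match": "src", "value": "192.168.1.21", "interface": "vpn"},
]
# One rule covering a reserved static-lease range (192.168.1.16-31) for wired devices.
RANGE_RULES = [{"match": "src", "value": "192.168.1.16/28", "interface": "vpn"}]
DEFAULT_INTERFACE = "wan"   # unmatched clients leave via the operator router


def rule_matches(rule, client):
    """MAC matches are case-insensitive; 'src' accepts a host address or a CIDR."""
    if rule["match"] == "mac":
        return rule["value"].lower() == client["mac"].lower()
    if rule["match"] == "src":
        net = ipaddress.ip_network(rule["value"], strict=False)
        return ipaddress.ip_address(client["ip"]) in net
    raise ValueError(f"unknown matcher {rule['match']}")


def route_for(client, rules):
    """Interface a client's traffic leaves on: first matching rule, else the default."""
    for rule in rules:
        if rule_matches(rule, client):
            return rule["interface"]
    return DEFAULT_INTERFACE


def leak_check(clients, rules, vpn_link="wired"):
    """Names of clients routed contrary to intent: clients on vpn_link that do not
    exit via the VPN, or clients on any other link that do."""
    wrong = []
    for c in clients:
        via = route_for(c, rules)
        if (c["link"] == vpn_link) != (via == "vpn"):
            wrong.append(c["name"])
    return wrong


if __name__ == "__main__":
    print("per-device rules leak:", leak_check(CLIENTS, PER_DEVICE_RULES))  # ['printer']
    print("range rule leak:", leak_check(CLIENTS, RANGE_RULES))             # []
```

With per-device rules the printer, which nobody added a rule for, exits through the operator router; with a single rule over the reserved range every wired device is covered and the phone stays outside the VPN. Re-run the check whenever a device is added or a lease changes.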

3. Configure the TP-Link Deco M5 Units

These units will act as access points. You need to configure them in AP mode so that they do not perform NAT or routing, and only provide wireless access.

  1. SSH into each TP-Link Deco M5 unit:
        ssh root@<DecoM5_IP>
  2. Disable DHCP on the Deco M5s. Set option ignore '1' for the LAN interface to disable DHCP:
        nano /etc/config/dhcp
  3. Set up static IPs for each Deco unit (optional but recommended). Configure static IPs in the same way as on the Xiaomi router:
        nano /etc/config/network
  4. Set the Deco units in Access Point (AP) mode from the LuCI web interface or by disabling routing functionality through OpenWRT settings.

Step-by-Step Summary:

  1. ASUS RT-AC68U: Configure bridge mode and disable DHCP.
  2. Xiaomi AC2100: Set up OpenVPN and Policy-Based Routing to apply VPN to specific devices or subnets.
  3. TP-Link Deco M5s: Configure in Access Point mode and disable DHCP.

Let me know if you'd like any specific configuration files or if you encounter issues during setup!