So, I had a few issues on my router:
- No VPN
- I had to use a different setting in Apple Mail on all of my devices when at home than when I was outside
The issue started when I upgraded my router: new OpenWRT firmware, and all settings got lost.
Installing OpenVPN is easy enough, just do 'opkg update; opkg install openvpn'. There are enough resources on the internet about easy-pki to build your basic CA infra and generate some keys for the server and clients.
Getting things to work was a bit more effort. I was planning on bridging the VPN into the LAN, but a routed VPN turned out to be easier to get going, and really, there is no reason why a routed VPN can't work.
Issue 1: pushing the route. I don't want all traffic to go via the VPN, so I needed to know how to push a single route. Eventually Google knew the answer:
uci add_list openvpn.sample_server.push='route 172.16.6.0 255.255.255.0'
That only pushes a route for the LAN rather than setting the default route on the client, which is exactly what I wanted.
Issue 2: pushing DNS. Again there are plenty of resources on the web on how to do that, but for some reason dnsmasq just doesn't reply, or the replies don't reach the VPN client. So I set up a DNS resolver on my Synology NAS; that one does reply to VPN clients. So despite all the help Google had to offer, I resolved to another resolver.
uci add_list openvpn.sample_server.push='option DNS <Synology NAS>'
uci add_list openvpn.sample_server.push='option DOMAIN pipsworld.nl'
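The two push steps above (the LAN route and the DNS options), as an added example script that is not part of the original post. It converts a CIDR prefix into the dotted netmask that OpenVPN's 'route' option expects, refuses malformed prefixes so a bad value never lands in the config, and only calls uci when it is actually present (on a workstation it just prints the commands for review). The instance name 'sample_server' is from the post; the resolver address 172.16.6.2 is a constructed placeholder for the Synology NAS.

```sh
#!/bin/sh
# Added example, not from the original post: build the OpenVPN "push" options
# for a split-tunnel OpenWrt server and apply them with uci.
# Assumed: instance name "sample_server" (from the post); the resolver address
# 172.16.6.2 below is a constructed placeholder for the Synology NAS.

# prefix_to_netmask 24 -> 255.255.255.0
# OpenVPN's "route" option wants a dotted netmask, not a CIDR prefix.
prefix_to_netmask() {
    prefix=$1
    mask=""
    i=0
    while [ "$i" -lt 4 ]; do
        if [ "$prefix" -ge 8 ]; then
            octet=255
        elif [ "$prefix" -le 0 ]; then
            octet=0
        else
            octet=$(( 256 - (1 << (8 - prefix)) ))
        fi
        mask="${mask}${mask:+.}${octet}"
        prefix=$(( prefix - 8 ))
        i=$(( i + 1 ))
    done
    printf '%s' "$mask"
}

# route_push_line 172.16.6.0/24 -> "route 172.16.6.0 255.255.255.0"
# Fails (exit 1) when the prefix is missing, non-numeric or above 32.
route_push_line() {
    net=${1%/*}
    prefix=${1#*/}
    case $prefix in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$prefix" -le 32 ] || return 1
    printf 'route %s %s' "$net" "$(prefix_to_netmask "$prefix")"
}

# apply_push <instance> <line>...: add each line to the instance's push list.
# uci only exists on the router; elsewhere the commands are printed instead.
apply_push() {
    inst=$1
    shift
    for line in "$@"; do
        if command -v uci >/dev/null 2>&1; then
            uci add_list "openvpn.${inst}.push=${line}"
        else
            printf "uci add_list openvpn.%s.push='%s'\n" "$inst" "$line"
        fi
    done
}

# Constructed usage for the post's setup: one LAN route plus internal DNS.
apply_push sample_server \
    "$(route_push_line 172.16.6.0/24)" \
    "option DNS 172.16.6.2" \
    "option DOMAIN pipsworld.nl"

# On the router the change is only persisted after a commit.
command -v uci >/dev/null 2>&1 && uci commit openvpn
```

Run it on the router to apply the options, or anywhere else to see the exact uci commands it would run; the netmask conversion is the part that is easy to get wrong by hand, which is why it is a function of its own.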
That left me with some firewall issues. By default the VPN interface is not in any zone, so I had to add it to the internal zone. I don't really recall exactly how I did this, but I think I eventually added the following line to the 'lan' zone:
list device 'tun0'
That still left forwarding from the VPN to the LAN not actually working, so I added an additional section with:
option src 'lan'
option dest 'lan'
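A way to verify the zone assignment and forwarding above from a 'uci show firewall' dump, as an added example that is not part of the original post. The dump embedded below is constructed to mirror the post's setup (tun0 listed as a device of the 'lan' zone, plus a lan-to-lan forwarding section) together with a 'wan' zone; on the router you would feed it the real output of 'uci show firewall' instead. The point of the check is to make explicit what the zone membership grants: a tun device in 'lan' gets that zone's input policy (access to the router itself) and can reach everything the LAN can, which is what the post wants, while a tun device in no zone is simply dropped.

```sh
#!/bin/sh
# Added example, not from the original post: inspect a `uci show firewall`
# dump and report which zone an OpenVPN tun device is in and whether traffic
# from it may be forwarded. SAMPLE_FIREWALL is constructed to mirror the post.

SAMPLE_FIREWALL=$(cat <<'EOF'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[0].network='lan'
firewall.@zone[0].device='tun0'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].network='wan' 'wan6'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].src='lan'
firewall.@forwarding[1].dest='lan'
EOF
)

# zone_of_device <dump> <device>: print the name of the zone whose device
# list holds <device>; print nothing and fail if it is in no zone.
zone_of_device() {
    dump=$1
    dev=$2
    idx=$(printf '%s\n' "$dump" \
        | grep "^firewall\.@zone\[[0-9]*]\.device=.*'$dev'" \
        | sed 's/^firewall\.@zone\[\([0-9]*\)].*/\1/' | head -n1)
    [ -n "$idx" ] || return 1
    printf '%s\n' "$dump" | sed -n "s/^firewall\.@zone\[$idx]\.name='\(.*\)'\$/\1/p"
}

# zone_policy <dump> <zone> <input|output|forward>: print that zone's policy.
zone_policy() {
    dump=$1
    zone=$2
    what=$3
    idx=$(printf '%s\n' "$dump" \
        | sed -n "s/^firewall\.@zone\[\([0-9]*\)]\.name='$zone'\$/\1/p" | head -n1)
    [ -n "$idx" ] || return 1
    printf '%s\n' "$dump" | sed -n "s/^firewall\.@zone\[$idx]\.$what='\(.*\)'\$/\1/p"
}

# has_forwarding <dump> <src> <dest>: succeed if a forwarding section
# from <src> to <dest> exists.
has_forwarding() {
    dump=$1
    src=$2
    dest=$3
    for idx in $(printf '%s\n' "$dump" \
            | sed -n "s/^firewall\.@forwarding\[\([0-9]*\)]\.src='$src'\$/\1/p"); do
        printf '%s\n' "$dump" \
            | grep -q "^firewall\.@forwarding\[$idx]\.dest='$dest'\$" && return 0
    done
    return 1
}

# check_vpn_zone <dump> <device>: human-readable verdict for one tun device.
check_vpn_zone() {
    dump=$1
    dev=$2
    zone=$(zone_of_device "$dump" "$dev") || {
        echo "$dev: in no zone (its traffic is dropped by default)"
        return 1
    }
    echo "$dev: zone '$zone', input=$(zone_policy "$dump" "$zone" input), forward=$(zone_policy "$dump" "$zone" forward)"
    if has_forwarding "$dump" "$zone" "$zone"; then
        echo "$dev: $zone->$zone forwarding section present"
    else
        echo "$dev: no $zone->$zone forwarding section"
    fi
}

# Constructed usage against the embedded dump.
check_vpn_zone "$SAMPLE_FIREWALL" tun0
```

On the router, replace the embedded dump with the live one: check_vpn_zone "$(uci show firewall)" tun0. The helpers parse the "section[index].option='value'" lines that uci show prints, so the same functions work for any zone or forwarding section.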
My other issue was a bit different. I had never configured the 'local' parameter in dnsmasq, leaving it at the default of '/lan/', and had selected 'int.pipsworld.nl' as my internal domain. While that worked fine most of the time, my mail server was known internally by a different hostname and IP address than externally. In the end the solution was simple: drop the 'int.' part of the internal domain and add some CNAME records to the DHCP configuration. Of course, the latter part is not in the GUI, but running a few commands is not a big deal:
uci add dhcp cname
uci set dhcp.@cname[-1].cname='mail.pipsworld.nl,www.pipsworld.nl,www.fam-post.nl'
uci set dhcp.@cname[-1].target='classified'
uci commit dhcp
This was a much better solution than adding the ‘reflection’ option to the DNAT firewall rules.