OpenWRT on GL-AR150 + Guest Wifi over OpenVPN (2023)

Written by pmd - - no comments

⚫ Installed last available OpenWRT on AR150

login as: xxxx
root@'s password:

BusyBox v1.35.0 (2023-04-27 20:28:15 UTC) built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 OpenWrt 22.03.5, r20134-5f15225c1e

Source: [OpenWrt Wiki] GL.iNet GL-AR150

⚫ Expected configuration

The router will get access to internet by connecting to a Wifi network available around using wlan0 interface.
The router will spread two independant Wifi network :

  1. First Wifi will connect users on br-lan interface
    br-lan users will have access to internet through wlan0
  2. Second Wifi will connect users on br-lan2 interface
    br-lan2 users will have access to internet exclusively through tun0 interface (VPN)

⚫ Configuring Guest Wifi

Source: Guest Wi-Fi using LuCI (I didn't need to touch anything in Network > Firewall > Traffic Rules)

⚫ Installing OpenVPN and set first configuration

⚪ Installing OpenVPN

# opkg update
# opkg install openvpn-openssl ip-full luci-app-openvpn

Source: OpenWrt setup with NordVPN | NordVPN support

⚪ Configuring NordVPN

Download a NordVPN configuration : Server recommended by NordVPN | NordVPN

Go to VPN > OpenVPN

Under the “OVPN configuration file upload” section name the VPN connection in the “Instance name” field (I named it “nordvpn”.) After that, click on the Browse button, locate the downloaded server file and click Upload.

In the “OpenVPN instances” section, click the Edit button next to the instance you have just created.

Illustration #01 about previous steps

In the lower field, enter your NordVPN service credential username and password into separate lines.


Now, copy the path to the credentials file that is given right above the field containing the credentials and paste it next to the “auth-user-pass” line in the “Config file” section above. It should look like this: auth-user-pass /etc/openvpn/nordvpn.auth

Click on the Save button at the bottom.

Illustration #02 about previous steps

Go to Network > Interfaces

Select the Add new interface… button and name it “nordvpntun”.
Click on the “Protocol” dropdown menu and choose “Unmanaged”.
In the “Interface” dropdown, enter the name “tun0” at the bottom -- custom -- field and press the Enter key.
Click the “Create interface” and Save buttons.

Go to Network > Firewall

Click the “Add” button and adjust it as follows:

  1. Name it “vpnfirewall”;
  2. Set the “Input” option as “Reject”;
  3. Leave “Output” as “Accept” and “Forward” as “Reject”;
  4. Check the “Masquerading” option;
  5. Check the “MSS clamping” option;
  6. From the “Covered Networks” dropdown menu choose “nordvpntun”;
  7. In the “Allow forward from source zones” dropdown menu, choose “lan”;
  8. Click the “Save” button.

In the “Zones” section, find the zone named “lan”, and click on the “Edit” button.

In the “Allow forward to destination zones” dropdown check the “nordvpntun” entry.

Go to Network > DHCP and DNS

In the “General Settings” tab, find the “DNS forwardings” option and enter DNS addresses there. Addresses could be:

  • NordVPN DNS : and | Source 1
  • OpenDNS : and | Source 1, 2
  • Google DNS : and | Source 1

Go to the “Resolv and Hosts Files” tab, check the “Ignore resolve file” checkbox, and click the “Save & Apply” button.

You can verify which DNS server you are actually requested data to by using ths website : DNS leak test

Go to VPN > OpenVPN

In the “OpenVPN instances” section, check the “Enable” option next to the NordVPN option in the list, and click the “Save & Apply” button.

See Illustration #01 for final setup.

Now all you internet paquets should go through the VPN link.

⚪ Creating to chose which paquets should go through VPN

In your OpenVPN configuration file, you need to add these both lines:

  • route-noexec
    => so OpenVPN will not modify main routing table itself
  • route-up /etc/openvpn/
    => so OpenVPN will execute this file where we will add some rules and routes for vpn routing table
# /etc/openvpn/
# chmod +x /etc/openvpn/

# This website to know what environmental-variables are available.

# Inspiration :

echo "$dev : $ifconfig_local -> $ifconfig_remote gw: $route_vpn_gateway" | logger

# Checks to see if there is an IP routing table named 'vpn', create if missing
if [ $(cat /etc/iproute2/rt_tables | grep vpn | wc -l) -eq 0 ]; then
    echo "100     vpn" >> /etc/iproute2/rt_tables
    echo "IP routing table named 'vpn' created" | logger

# Remove any previous rules in the 'vpn' routing table
#/sbin/ip rule | sed -n 's/.*\(from[ \t]*[0-9\.]*\).*vpn/\1/p' | while read RULE
/sbin/ip rule | grep vpn | sed -n 's@.*\(from[ \t]*[0-9\./]*\)@\1@p' | while read RULE
    echo "remove old rule:   /sbin/ip rule del ${RULE}" | logger
    /sbin/ip rule del ${RULE}
# Remove any previous routes in the 'vpn' routing table
echo "remove old routes: /sbin/ip route flush table vpn" | logger
/sbin/ip route flush table vpn

# Search route for traffic coming from in table 'vpn'
# (unicast: This rule type simple causes the kernel to refer to the
# specified routing table in the search for a route.)
echo "adding rule:       /sbin/ip rule add from table vpn" | logger
/sbin/ip rule add from table vpn

# Search route for traffic going to in table 'vpn'
echo "adding rule:       /sbin/ip rule add to table vpn" | logger
/sbin/ip rule add to table vpn

# Use 'vpn' table as default for tun0
echo "adding route:      /sbin/ip route add table vpn default dev ${dev}" | logger
/sbin/ip route add table vpn default dev ${dev}

# Route traffic from/to on br-lan2 using the 'vpn'.
# table. ( is the source address for outgoing packets)
echo "adding route:      /sbin/ip route add dev br-lan2 proto kernel scope link src table vpn" | logger
/sbin/ip route add dev br-lan2 proto kernel scope link src table vpn

# Logging default rules
echo "/sbin/ip rule -----------" | logger
/sbin/ip rule  | logger

# Logging default route table
echo "/sbin/ip route show -----------" | logger
/sbin/ip route show  | logger

# Logging vpn route table
echo "/sbin/ip route show table vpn ----------" | logger
/sbin/ip route show table vpn | logger

Thanks to logger, we can check what happened during execution of when OpenVPN connected to the server:

$ logread | tail -n 30


⚫ Updating NordVPN configuration

I made this shell script to easily update the configuration using recommended server by NordVPN :

# chmod +x /etc/openvpn/


# recuperation du serveur recommandé par NordVPN
RecommendedServer=$(curl --silent --interface tun0 '' | jq --raw-output '.[0].hostname' | awk -F. '{print $1}')
echo "Recommended server by NordVPN:"
echo $RecommendedServer

# récupération de la configuration
echo "Trying to get server configuration$ ..."
DownloadingServerConfFile=$(curl --silent --interface tun0 --write-out "%{http_code}" -o $OpenVpnConfFile$
if [ $DownloadingServerConfFile -eq 200 ]
   echo "OK $DownloadingServerConfFile"
   echo "NOK $DownloadingServerConfFile"

# modification de la configuration pour ajouter password + route no-exec + route-up
echo "Trying to modify $OpenVpnConfFile configuration file..."
echo "$OpenVpnConfFile before modification:"
echo "----------"
echo "[...]"
sed -n '/auth-user-pass/{p;n;p}' $OpenVpnConfFile
echo "[...]"
echo "----------"
echo "Trying to modify $OpenVpnConfFile configuration file..."
sed -i 's@auth-user-pass@auth-user-pass /etc/openvpn/nordvpn.auth\nauth-nocache\nroute-noexec\nroute-up /etc/openvpn/' $OpenVpnConfFile
echo "$OpenVpnConfFile after modification:"
echo "----------"
echo "[...]"
sed -n '/auth-user-pass/{p;n;p;n;p;n;p;n;p}' $OpenVpnConfFile
echo "[...]"
echo "----------"

# redemarrage de openvpn
echo "Trying to restart OpenVPN..."
/etc/init.d/openvpn restart
sleep 1
echo -n "Waiting for tun0 interface..."
while [ $(ifconfig | grep -c tun0) == 0 ]
   echo -n "."
   sleep 1
t=$(ping -c 10 -I tun0 | grep -o -E '[0-9]+ packets r' | grep -o -E '[0-9]+')
if [ $t != 0 ]; then
   echo "OK. Done."
   echo -n "Public IP: "
   curl --interface wlan0
   echo -n "VPN IP:    "
   curl --interface tun0
   echo "Something went wrong."
echo "Last log:"
echo "----------"
logread | tail -n 30
echo "----------"

Comments are closed.