First of all, thank you for your kind words, I appreciate it a lot!
Regarding the 2 MB backup limit - it's the intended design of our devices. It's possible to manually remove a bunch of unnecessary files in the compressed backup file to make sure it doesn't exceed 2 MB and then upload it as a backup but you have to be careful about which files to remove.
As for the VPN traffic routing:
1) we'll create 3 vpn tunnels along with 3 new interfaces, one for each vpn.
Correct, creating 3 VPN tunnels is a must before anything else. Once those VPN tunnels are up and running (connected), I recommend immediately logging onto the CLI and checking the names of the tunnels with the "ifconfig" command. It's a must to at the very least enter the valid address in the "IPv4 address" field (which, in this case, is your local VPN tunnel address on your router side). I've double-checked it and it is not mandatory to enter anything in the "IPv4 gateway" field, although I would recommend putting in the correct gateway (IP address of the remote VPN tunnel interface, not an external IP) just to make sure traffic is always sent out the right way.
2) we'll assign each device to its new route via cli (vpn policy route)
Correct, this is the step to take after configuring 3 VPN tunnels and configuring 3 different interfaces for the new VPN tunnels.
I think I prefer to try the subnetting (split) option and this gives me the flexibility to add/move/remove devices from one subnet (hence vpn) or another. Is this viable?
Indeed, this is also a valid way to make things work. In that case it would be enough to define an entire subnet of, for example, 192.168.150.0/24, which would basically mean that any device that has an IP address starting with "192.168.150.*" would have its traffic routed via the VPN tunnel. In that case I'd recommend creating individual LAN subnets for separate VPN tunnels.
Also, while I can't be certain about what might've caused your connectivity troubles, I can make a couple of calculated guesses - either the firewall rule or routing was an issue. You may PM me for more details regarding this.
The thing with multiple VPN clients is that they seem to run into trouble around the firewall, and access to the web (WAN) gets blocked/rejected. What am I doing wrong? One VPN is OK, but two VPNs block the WAN. Why?
If I understand correctly, your devices can't reach the internet when connected to a specific VPN tunnel? If so, this may be an issue on the VPN server side. It's possible to test whether the client configuration is working by using any standalone VPN client without involving the router, for example downloading a phone app, importing the configuration file and connecting with it to the VPN server via Wi-Fi and mobile data. If the internet works on the phone and your device shows a different external IP address (the VPN server's external IP) after these steps, then there might be an issue with the router firewall or routes; otherwise it's a VPN server issue.
So, is this set of steps correct?
1) create 3 vpn tunnels (country1, country2, country3)
Yes, I'd like to note that the way these tunnels are named will be important later when configuring the physical names on the interfaces. These names are case-sensitive.
2) create 3 new lans (lan1, lan2, lan3) - how do I configure physical settings, etc? Or create plans instead? Steps?
As for the 3 new interfaces - you'd have to name them appropriately as well; these names will be important later when configuring the VPN routing policies. These names are case-sensitive too. Once the interface configuration window opens up, swap the "Protocol" field to "Static" and enter the local IP address of your appropriate VPN tunnel in the "IPv4 address" field; everything else can be kept empty/default. After that, click on "Physical settings" on the left and click on the "Interface" field. There, select the "--Custom--" field, then enter the name (case-sensitive!) of your VPN tunnel that shows up in the "ifconfig" output in the CLI. Finally, move on to the "Firewall settings" and make sure to select the "openvpn" firewall zone for this interface, otherwise you may not be able to connect to the internet via your VPN tunnel. The exact same steps will apply for any other interface, except the IPv4 address and the interface names will differ.
3) how to configure firewall?
For this step, there are a few ways you can approach this task. The first way is to create new LAN interfaces, then assign a different physical port to each newly created interface but put every single LAN subnet under the same firewall zone "lan". This way you should still be able to access any LAN device from one subnet to another, but at the same time, using the VPN routing policies, you could define which subnet to route to the internet via VPN and which - via your ISP's gateway.
Example #1: LAN1 port would serve IP addresses in range from 192.168.1.100 to 192.168.1.200 and route every device traffic in that subnet via your ISP IP. LAN2 port would serve IP addresses in range from 192.168.50.100 to 192.168.50.200 and any device in that subnet would have its traffic routed via the specified VPN tunnel.
Example #2: another way to do this would be to create separate LAN zones for different subnets in the firewall section and then only permit LAN traffic within the same LAN subnet and deny output/input to any other LAN subnet on your device. This can be accomplished by creating a new firewall zone while configuring the interface itself by going to the "Firewall settings", selecting the "--Custom--" field and entering any firewall zone name for the new subnet. Once that's done, it's necessary to configure the firewall in a slightly more extensive way by navigating to Network>Firewall settings. Once there, edit the newly created zone (or create one if it's not there yet), set the "Input" and "Output" fields to "Accept" for this new zone, then add the "openvpn" zone in the field "Allow forward to destination zones". Also, double-check that the "Covered networks" field shows your newly created LAN interface. Once all of that is done, apply changes. I have to warn you that if your VPN tunnel goes down, you won't have any internet at all on the devices which belong to the new subnet.
4) via cli install package, set rules
Are those the steps?
Correct. Installing the package will be Those are the steps for individual hosts. If you want to set a rule for the entire subnet, you can accomplish this by modifying the subnet in the VPN policy rule. For example, to apply the routing rule for the entire subnet of 192.168.5.0, you would have to create the following policy:
uci add vpn-policy-routing policy
uci set vpn-policy-routing.@policy[-1].name="Route_VPN_subnet"
uci set vpn-policy-routing.@policy[-1].src_addr="192.168.5.0/24"
uci set vpn-policy-routing.@policy[-1].interface="vpn1"
You may notice that these commands are nearly the exact same as the ones I've posted before, except this way you will be able to route any device with an IP address starting from 192.168.5.1 to 192.168.5.254 via the specified VPN tunnel.
So, to recap, if you wish to do VPN routing per host, follow these steps:
1) Head over to Services>Network>OpenVPN and create a new VPN tunnel, configure it and wait for the tunnel to establish a connection to the VPN server
2) Log in to the CLI, type in "ifconfig" and check the name of the tunnel and the assigned IP address for it
3) Go back to the router web UI, go to Network>Interfaces. Name and add a new interface for the VPN interface
4) Once the interface creation window opens, select "Static" as your protocol and enter the IPv4 address of your VPN tunnel on the router side (from "ifconfig" output), leave everything else as-is
5) Go to "Physical settings", in the "Interface" field select "--Custom--" and then enter the name of your tunnel (from "ifconfig" output), then press Enter once you've entered it
6) Then, click on "Firewall settings" and assign the "openvpn" zone for this interface. Once done, save and apply the configuration.
7) Lastly, go back to the router CLI, run the commands given in my previous post in order and remember to specify exact IP addresses of every device that should have its internet traffic routed via the VPN tunnel
8) *Optional, but I recommend binding a static IP to the MAC (static lease) of the LAN device to make sure the LAN IP address remains consistent on specific devices. You can do that by editing the LAN interface and setting a static lease there.
This should be enough for specific hosts configuration.
In case you'd like to do a full subnet split-tunnel, the article I've linked before (https://wiki.teltonika-networks.com/wikibase/index.php?title=OpenVPN_traffic_split) should be enough to guide you through the configuration process, but I'll make sure to summarize it here as well to make things clearer:
1) Head over to Services>Network>OpenVPN and create a new VPN tunnel, configure it and wait for the tunnel to establish a connection to the VPN server
2) Log in to the CLI, type in "ifconfig" and check the name of the tunnel and the assigned IP address for it
3) Go back to the router web UI, go to Network>Interfaces. Name and add a new interface for the VPN interface
4) Once the interface creation window opens, select "Static" as your protocol and enter the IPv4 address of your VPN tunnel on the router side (from "ifconfig" output), leave everything else as-is
5) Go to "Physical settings", in the "Interface" field select "--Custom--" and then enter the name of your tunnel (from "ifconfig" output), then press Enter once you've entered it
6) Then, click on "Firewall settings" and assign the "openvpn" zone for this interface. Once done, save and apply the configuration.
7) After that, navigate to Network>VLAN>Port based, then click on "Add" and once you see a new VLAN ID (3), set one LAN port from "Untagged 1" to "Untagged 3". I recommend setting the third LAN port (LAN).
8) Navigate back to the Network>Interfaces, create the new LAN interface (for example "LAN3"). Yet again, select protocol "Static", then configure the IPv4 address and DNS servers of the new LAN
9) Go to "Physical settings", select "eth0.3" as your interface, make sure the firewall settings have "lan" set as its zone. Then, click on "Setup DHCP server" and save the configuration
10) Lastly, go back to the router CLI, run the commands given above in order and (for this configuration example) remember to specify the entire subnet that should have its internet traffic routed via the VPN tunnel this time
Once this example is done, any device that you plug into LAN3 port of your router will have an IP address of the OpenVPN server. This device can be anything - a PC, a TV, or even a switch to increase the amount of available physical ports for other devices.
I hope this makes things clearer, even if only a little, because this can get rather confusing really quickly. Once again, since this is a huge wall of text, if you run into any trouble or have any additional questions about this configuration, let me know and I'll try to assist you as best I can. You may also send me a private message in case there's any necessity to go into configuration details and questions from your side.
Have a brilliant day,
TP.
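As an added example that is not part of the original post or of Teltonika's documentation, the shell script below automates the two error-prone spots in the recap above: it reads the tunnel name and address out of "ifconfig" output with a case-sensitive match (step 2, and the "--Custom--" interface name in step 5), validates the host or subnet before it goes into a policy (step 7 / the subnet variant), and prints the corresponding uci commands for review rather than applying them. The tunnel name "tun_c_country1", the interface name "vpn1", the "ifname" option (used by the OpenWrt releases RutOS builds on) and the ifconfig sample are all constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: look up the OpenVPN tunnel in
# "ifconfig" output, validate the source host/subnet, and PRINT the uci commands
# for the interface and the vpn-policy-routing policy. Nothing is applied here;
# review the printed lines and then paste them into the router CLI.

# Constructed sample of "ifconfig" output. On the router use: IFCONFIG_OUT=$(ifconfig)
IFCONFIG_OUT='br-lan    Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

tun_c_country1 Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.6  P-t-P:10.8.0.5  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1'

# Print the IPv4 address of the tunnel whose name equals $1 exactly. The match is
# case-sensitive, like the "Interface" field in Physical settings; exit 1 if absent.
tunnel_addr() {
    printf '%s\n' "$IFCONFIG_OUT" | awk -v name="$1" '
        $1 == name { found = 1; next }
        found && /inet addr:/ { sub(/^.*inet addr:/, ""); split($0, a, " "); printed = 1; print a[1]; exit }
        /^[^ ]/ { found = 0 }
        END { if (!printed) exit 1 }'
}

# Accept a single IPv4 host (192.168.5.10) or a CIDR subnet (192.168.5.0/24).
valid_src_addr() {
    addr=${1%/*}
    prefix=${1#*/}
    if [ "$prefix" = "$1" ]; then prefix=32; fi      # no "/" given: single host
    case $prefix in *[!0-9]*|'') return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    n=0
    old_ifs=$IFS; IFS=.
    for octet in $addr; do
        case $octet in *[!0-9]*|'') IFS=$old_ifs; return 1 ;; esac
        [ "$octet" -le 255 ] || { IFS=$old_ifs; return 1; }
        n=$((n + 1))
    done
    IFS=$old_ifs
    if [ "$n" -eq 4 ]; then return 0; else return 1; fi
}

# uci lines for steps 3-5: $1 = interface name, $2 = tunnel name, $3 = tunnel IPv4.
# The "openvpn" firewall zone (step 6) is still assigned in the web UI.
gen_interface_uci() {
cat <<EOF
uci set network.$1=interface
uci set network.$1.proto='static'
uci set network.$1.ifname='$2'
uci set network.$1.ipaddr='$3'
EOF
}

# uci lines for the policy: $1 = policy name, $2 = host or subnet, $3 = interface name.
gen_policy_uci() {
    valid_src_addr "$2" || { echo "invalid src_addr: $2" >&2; return 1; }
cat <<EOF
uci add vpn-policy-routing policy
uci set vpn-policy-routing.@policy[-1].name='$1'
uci set vpn-policy-routing.@policy[-1].src_addr='$2'
uci set vpn-policy-routing.@policy[-1].interface='$3'
EOF
}

# Demo with the constructed sample: assumed tunnel and interface names.
TUNNEL=tun_c_country1
IFACE=vpn1
if ADDR=$(tunnel_addr "$TUNNEL"); then
    gen_interface_uci "$IFACE" "$TUNNEL" "$ADDR"
    gen_policy_uci "Route_VPN_subnet" "192.168.5.0/24" "$IFACE"
    echo "uci commit network; uci commit vpn-policy-routing"
else
    echo "tunnel '$TUNNEL' not found in ifconfig output (names are case-sensitive)" >&2
fi
```

Running it as-is prints the commands for the 192.168.5.0/24 example from the post; a mistyped tunnel name (wrong case included) is reported instead of silently producing a policy that routes nothing. Keeping the output to plain uci lines also makes it easy to diff what you are about to apply against the per-host commands from the earlier post.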