Repeater mode with OpenVPN and second wifi with cameras

Hi Everyone,

I am trying to figure out if gl.inet devices (Flint?) would suit my needs.

We have a wifi router which we cannot touch (Router A) but we can connect to it on 2.4 GHz (SSID A). If it is possible I would connect to it with a Flint (Router B) for example in repeater mode, and create my own wifi network also on 2.4 GHz if possible (SSID B). The Flint router would connect out to an OpenVPN server so everything that is happening on SSID B would route through the VPN. Also I need to connect 2 wifi cameras to this Flint and I would like to reach them from the OpenVPN server side. For this we somehow need to solve the port forwarding from the OpenVPN network to the cameras, so if some other client connects to the VPN from the other side we can connect to the cameras.

Wondering if this would be possible with just the Web UI or maybe need to dig into some OpenWRT configs?

Here is a quick drawing about it:

It is very simple. Just do it from the UI.

Step 1: Set up repeater to connect to your Router A.

Step 2: Set up VPN to connect to your server. Be sure to enable “allow local access”.

Step 3: Set up port forward on Flint from the VPN to LAN.

That is amazing. One more question:

If I have an IP camera connected to the router, is there any way to only allow the camera’s IP to talk to the OpenVPN server and not allow the camera to call home?

I can see that the GUI has a Firewall section, but as far as I can see it is only for port forwarding into the network. But how do I allow/block certain IP ranges, or all? Do I need to enable LuCI for that?

When you connect your IP camera to your VPN server, all the data goes to the VPN server.

So the “call home” data of your camera will go from the VPN server as well.

You may need to block the home server of the camera on your VPN server side. The router does not do this.

Wow, not even if I turn on LuCI? What if I don’t use VPN and just want to block the camera from calling home?

I believe you can use adblock.

What? We need network-level blocking here, which I believe can be done in LuCI as it can be done in standard OpenWRT.

I got a test device and what I wanted is working.

The router can connect to a wifi in repeater mode and can connect and route traffic to the OpenVPN server.

I also added a rule into the LuCI Traffic Rules to Discard Forward:

Any traffic
From IP CAMERAIP in lan
To any host in any zone

This is now working because the camera cannot connect to the outside world. I verified this by checking its NTP and mail settings; it could not connect, so all good.

However, I am wondering which rule enables the camera to be reachable on the LAN and on the OVPN network? I can reach it, but the above rule should block it from everything, or not, because something still allows the traffic to LAN and OVPN?

When you connect the VPN, there is a VPN zone in LuCI’s firewall.

So you can allow data from the VPN zone to LAN.

But your camera may be able to call home through the VPN tunnel.

Yeah, that is why it is interesting, as this rule blocks the camera from connecting to the internet:

Any traffic
From IP CAMERAIP in lan
To any host in any zone

But it can connect to the LAN and OVPN networks, just not to any IP outside of these networks. This is why I am asking how this is possible.
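The rule from the posts above written as it would appear in OpenWrt's /etc/config/firewall, together with the VPN-to-LAN forwarding and the VPN-side port forward the earlier replies mention, as an added example rather than configuration anyone in this thread posted; the camera address 192.168.8.50, the zone name 'ovpn' and the ports are placeholders. The comments note why a connection opened from the VPN or LAN side still reaches the camera even though the rule drops everything the camera sends.

```uci
# Assumed placeholders: camera at 192.168.8.50, OpenVPN tunnel in a zone called 'ovpn'.

# "Any traffic, from IP CAMERAIP in lan, to any host in any zone, Discard Forward".
# This only matches connections the camera itself opens (NEW state). Both fw3 and
# fw4 accept packets of an already ESTABLISHED/RELATED connection before any zone
# rule is evaluated, so replies to a session opened from the VPN side still pass.
# Traffic between two hosts on the same LAN bridge never enters the router's
# forward chain at all, which is why the camera stays reachable from the LAN.
config rule
	option name 'camera-no-egress'
	option src 'lan'
	option src_ip '192.168.8.50'
	option dest '*'
	option proto 'all'
	option target 'DROP'

# Let clients arriving over the tunnel open connections into the LAN (step 3 in
# the thread, zone-wide form). The rule above does not touch these, since the
# camera is the destination, not the source, of the new connection.
config forwarding
	option src 'ovpn'
	option dest 'lan'

# Per-port alternative: expose only the camera's RTSP port to VPN clients.
config redirect
	option name 'camera-rtsp-via-vpn'
	option src 'ovpn'
	option src_dport '8554'
	option dest 'lan'
	option dest_ip '192.168.8.50'
	option dest_port '554'
	option proto 'tcp'
	option target 'DNAT'
```

After editing the file, `/etc/init.d/firewall restart` applies it, and `iptables -S FORWARD` (fw3) or `nft list chain inet fw4 forward` (fw4) shows the ESTABLISHED/RELATED accept sitting ahead of the zone chains.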

Sorry for my English.

I mean you cannot do it on the router side.

You should do it on the VPN server side.

If you just need a simple answer: impossible.

Looks like it is working. The camera cannot connect to the internet. I confirmed. None of the camera’s services can reach the internet. So all good.