I tried to work out a few solutions with ChatGPT. The suggestions, which all failed, were:
1. Firewall rules: forwarding 10.50.50.1/24 to 192.168.0.1/24
2. IP masquerading
3. Policy routing
It all sounds logical, but it just doesn't work. I probably have a major thinking error somewhere.
Thank you. Question: how do you prevent the container from accessing the internet if the VPN is not working or down? If you stop the OpenVPN instance it bypasses the VPN and connects via the ISP IP address. Thank you
Hi Novaspirit, Great video! I use ProtonVPN and am curious if the OpenWRT setup is similar. Are there any extra packages needed to integrate ProtonVPN with OpenWRT?
I have a 5G broadband modem which supports Wi-Fi 6 but doesn't really have good customisation options. I'm thinking of following this approach by installing OpenWrt to use the customisation options and route the traffic back to the modem to use the internet. Is that achievable?
I have a strange issue where once the VPN is enabled I lose HTTP access to the OpenWRT UI. I can get it back by disabling the tun0 via console, breaking the PIA connection. Are there additional rules required to retain my HTTP access via the WAN IP?
I am also having this issue. As soon as I enable the PIA VPN and save, the web interface tanks. I posted on OpenWRT about this, but since this is a fork, they blew me off.
This is a great video! I have one question: how do you update it to a newer version? I also notice in the logs that I get "TLS error: TLS Handshake failed" and "TLS Error: TLS key negotiation failed to occur within 60 seconds"..... Any idea what might cause this?
I found my mistake, I took the wrong bridge in Proxmox.... I'm also running Sophos XG as a VM and picked that bridge. It should also work, but I need to figure that out first.
If I add the lxc to the vmbr1 the vpn works and still have internet, but....how do you access the service if the previous local ip+port does not work anymore? Only works when I change back the vmbr1 to vmbr0
Reply to myself for those in the same situation: I have added vmbr0 with the local IP and local IP access, and assigned a static IP, and now I can access the service internally while having a public IP from the VPN
@@RufusCubano THANK YOU! This had my head spinning for days. I watched Don's video a dozen times, literally frame by frame, to see what I had missed. I too could not access any of the service portals after assigning vmbr1. I could not figure out how Don was able to access the portals with the 192.xx address when the LXC container had a 10.50.xx address. Yes, I forwarded the port number to the internal 10.50.xx address, but the fact remains the container still had a different IP! I could hit any container if I opened my test VM on vmbr1 by using the 10.50.xx IP, but not with the 192.xx IP. It took me a few tries to understand what you had done, but I finally figured it out. I added a new network to the service LXC, in this case I named it 'deluge'. I forced the same MAC that my OPNsense reported, I tied it to bridge vmbr0, gave it the same static IP I assigned it in my OPNsense with a /24 CIDR, and left the gateway BLANK. It worked. I get a VPN address and can access the services using the IPs I statically assigned in my OPNsense. I also deleted the PORT FORWARDING entries, as they're no longer needed.
Got this working OK, However I cannot access the web UI's of CT that are on this created LAN from any other PC outside that LAN (my normal network) Is there a firewall config to achieve this?
Help. I managed to get tunneling working. However, if I want to ping a tunneled container, let's say 10.50.50.235, I can't reach it. Probably because my normal network is operating from 192.168.178.*. Did I miss a step somewhere?? Do I need to add a route somewhere?
Hello! Very nice video and amazing tutorials. I did this setup, but I have a problem. I use NordVPN as my provider, and each time I turn on the VPN connection, I cannot access my virtual router through the designated IP... from LAN. I have a VM attached to that router, and from there it is working. Can anyone help me figure out why this is happening? As soon as I stop the VPN connection, I can access my router from LAN..
Hi there. My Wi-Fi card can run in AP mode. How can I make OpenWrt make use of that? I'm not 100% sure if I need to run it as an LXC container or a VM. I'm comfortable installing OpenWrt but always failed to log into the GUI until you told me why: the firewall rules. I appreciate that tip! Just need the Wi-Fi to work. My setup is a bit different. My router/firewall is OPNsense and I just purely need OpenWrt as an AP. I could always use other AP points in roaming and mesh. Would probably use batman in OpenWrt, but I would love to be able to use the Wi-Fi card as an AP
This one is great!! Followed up till I press start VPN, and it doesn't start. I did modify the dhcp line - is 'dhcp-option DNS 10.0.0.241' correct??? I think it is ..
Thanks for the video. As constructive criticism (?), wait a second or 2 on the command line; it was hard following you, you were going too fast for me! ;) Having said that, I'm getting an error trying to connect the machine to the vmbr1 bridge. For some reason it doesn't hit OpenWRT at all and can't get an IP; I'm unsure where to look
Apparently in 8.2.2 the /etc/config/firewall file doesn't exist on a clean install. How to access OpenWrt now? Stumped... I'm trying to access/use my spare real Ethernet ports: 1x10Gb as the OpenWrt WAN (to the real existing LAN/WAN), plus 2x5Gb ports and 2x2.5Gb ports in this machine, aka a 6-port OpenWrt router including the motherboard port
Got this working but how do you put a killswitch in place? If the VPN happens to go down, all traffic will now go outside your normal router gateway which is exactly what you don't want here.
### inside openwrt LXC - to allow network access to web interface
# install nano to make life pleasant!!
opkg update
opkg install nano
nano /etc/config/firewall
# add this rule section to the file:
config rule
	option src wan
	option dest_port 80
	option proto tcp
	option target ACCEPT
## Save and reboot
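The kill-switch question just above (traffic leaving through the normal uplink when the tunnel drops) and the management-port rule in this comment can both be checked from the config file rather than by trial. The following Python script is an added example, not code from the video or from any commenter: it parses the UCI syntax of /etc/config/firewall and reports whether lan traffic can still be forwarded straight to wan (which is what lets a dead tun0 fail open), whether a zone holding the tunnel exists with masquerading, and which ports are ACCEPTed from the wan zone. The zone names lan, wan and vpn, and the two sample configs, are assumptions constructed for the demo.

```python
"""Audit an OpenWrt /etc/config/firewall for two things: does lan traffic
fail closed when the VPN drops (no lan->wan forwarding, only lan->vpn),
and which ports are ACCEPTed from the wan zone (the Allow-Admin style
rule used to reach LuCI from the vmbr0 side).

Added example, not code from the video or any commenter. Zone names
'lan' (containers on vmbr1), 'wan' (vmbr0 uplink) and 'vpn' (the zone
that holds tun0) are assumptions; both sample configs are constructed."""
import shlex
import sys


def parse_uci(text):
    """Parse UCI syntax into sections:
    {'type', 'name', 'options': {k: v}, 'lists': {k: [v, ...]}}."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)           # handles 'quoted values'
        kw, rest = parts[0], parts[1:]
        if kw == "config":
            sections.append({"type": rest[0],
                             "name": rest[1] if len(rest) > 1 else None,
                             "options": {}, "lists": {}})
        elif kw == "option" and sections:
            sections[-1]["options"][rest[0]] = rest[1] if len(rest) > 1 else ""
        elif kw == "list" and sections:
            sections[-1]["lists"].setdefault(rest[0], []).append(
                rest[1] if len(rest) > 1 else "")
    return sections


def of_type(sections, kind):
    return [s for s in sections if s["type"] == kind]


def audit_killswitch(text, lan="lan", wan="wan", vpn="vpn"):
    """Return findings; an empty list means lan is only ever forwarded into
    the vpn zone, so a dead tun0 leaves the containers with no way out."""
    secs = parse_uci(text)
    zones = {z["options"].get("name"): z for z in of_type(secs, "zone")}
    fwd = {(f["options"].get("src"), f["options"].get("dest"))
           for f in of_type(secs, "forwarding")}
    findings = []
    if (lan, wan) in fwd:
        findings.append(f"forwarding {lan}->{wan} present: traffic leaves via "
                        f"the ISP uplink whenever tun0 is down")
    if (lan, vpn) not in fwd:
        findings.append(f"no forwarding {lan}->{vpn}: containers cannot use the tunnel")
    zone = zones.get(vpn)
    if zone is None:
        findings.append(f"zone '{vpn}' is not defined")
    else:
        if not (zone["lists"].get("device") or zone["lists"].get("network")):
            findings.append(f"zone '{vpn}' has no device/network (tun0) attached")
        if zone["options"].get("masq") != "1":
            findings.append(f"zone '{vpn}' lacks masq '1': replies will not "
                            f"come back over the tunnel")
    return findings


def accepted_from_wan(text, wan="wan"):
    """List (rule name, ports) of rules that ACCEPT input arriving on wan:
    each entry is a management service reachable from the vmbr0 side."""
    out = []
    for rule in of_type(parse_uci(text), "rule"):
        o = rule["options"]
        if o.get("src") == wan and o.get("target", "").upper() == "ACCEPT":
            out.append((o.get("name", "<unnamed>"), o.get("dest_port", "").split()))
    return out


# Constructed sample: lan and wan zones plus the Allow-Admin rule from the comments.
ZONES = """config zone
    option name 'lan'
    list network 'lan'

config zone
    option name 'wan'
    list network 'wan'
    option masq '1'

config rule
    option name 'Allow-Admin'
    option src 'wan'
    option proto 'tcp'
    option dest_port '22 80 443'
    option target 'ACCEPT'
"""

# Constructed: lan forwarded straight to wan, no vpn zone -> fails open.
LEAKY = ZONES + """
config forwarding
    option src 'lan'
    option dest 'wan'
"""

# Constructed: lan forwarded only into a vpn zone that holds tun0 -> fails closed.
FAIL_CLOSED = ZONES + """
config zone
    option name 'vpn'
    list device 'tun0'
    option masq '1'

config forwarding
    option src 'lan'
    option dest 'vpn'
"""

if __name__ == "__main__":
    # Usage: python3 fw_audit.py /etc/config/firewall   (defaults to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else FAIL_CLOSED
    for f in audit_killswitch(text) or ["kill switch OK: lan is forwarded only to vpn"]:
        print(f)
    for name, ports in accepted_from_wan(text):
        print(f"accepted from wan: {name} ports {' '.join(ports)}")
```

Copy the file out of the container (for example with `pct pull`, or paste it from the console) and run the script against it; any finding from audit_killswitch means the containers on vmbr1 can reach the internet without the tunnel. The second list is worth reviewing whenever an Allow-Admin style rule is added: every port in it is reachable from the Proxmox-side network, not just from the VPN LAN.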
Does anybody else have the problem that the VPN tunnel doesn't automatically reconnect? When my ISP router renews its public IP address at night, my VPN tries to reconnect but fails (timeout). I have to manually restart it...
When I follow this video and am about to start my CT to configure the firewall, I get this error: failed waiting for client: timed out TASK ERROR: command '/usr/bin/termproxy 5900 --path /vms/100 --perm VM.Console -- /usr/bin/dtach -A /var/run/dtach/vzctlconsole100 -r winch -z lxc-console -n 100 -e -1' failed: exit code 1.. Any idea what that can be? And how do I fix that?
Yes, it came down to OpenWRT and my PC being on different VLANs. Just needed to create a static route from the PC VLAN to OpenWRT's VLAN. If you want more info I'd be happy to share.
If anyone else (like me) was having issues starting the openwrt LXC because of an error stating that vmbr1 does not exist, make sure you click "apply configuration" under the node network tab.
My man! Very nice video. Easy to follow.. Exactly what I needed. Thanks for this! I ran into the issue "Error: bridge 'vmbr1' does not exist". when starting up openwrt. For all the people having the same issue: The solution is to click on the 'Apply Configuration' button when creating a new Linux Bridge @ 1.37min into the video
Subscribed to the channel!
Thank you kind Sir! Just save my time!
👌
Thank you@@kmi3c
Thanks for the tip, because of that missing "apply configuration" my container was not booting.
There are not enough Like buttons for me to press !!!
This is the answer.
@8:13 -- you skipped something. You have to run 'fw4 reload' after opening the port(s), and really should have opened 443 as well.
You also skipped applying the configuration when creating vmbr1 (someone else pointed that out in the comments, or I probably wouldn't have figured that one out)
Thanks, that saved me some time
thank you! I figured out the config part on my own, then spent 15ish minutes trying to figure out the fw4 reload
Thanks!
Thanks!
omg thank you so much, I was going crazy trying to figure out what I missed
Two days ago I gave up on installing OpenWRT in LXC. With your instructions I now did manage to get it running. Thanks!
PIA supports WireGuard as OpenWrt also does. It is much faster and easier to configure. There is no reason to use OpenVPN today except where WireGuard is not supported yet.
Wireguard on pia seems to be limited to 10mbs while I'm able to achieve 20mbs with openvpn. Not sure why so I stuck with using openvpn instead
@@NovaspiritTech Quite a strange move from PIA. WireGuard users require less computing power from servers, they should prioritize them. But in this case you obviously have no choice.
Nice detailed video. Currently running a complex docker stack doing the same thing with VPN and ARR utilities. Since I already have a Proxmox server, this looks much more manageable. Will set this up this weekend and test.
I cannot start the container, fails with Error: "lxc_create_network_priv: 3427 No such device - Failed to create network device" but I can't find any information on this error. Which device 'doesn't exist'? EDIT: Ah you have to click "Apply Configuration" in the Network menu after creating vmbr1.
Thanks man, this helped me a ton!
I missed it too - this one should probably be at the top :D
Just visiting this and adding the DNS options should be dhcp-option DNS X.X.X.X you have dhcp option DNS X.X.X.X as the text. Just a heads up for anyone else struggling to get the vpn started
Thanks a lot!
This was also huge. Not sure how it worked on video but this fixed my issue.
Thanks so much! I wonder how it worked for him? huh
This absolutely needs to be higher up. Without this comment, I would've given up. Thanks @cwalton00.
huge.
I have no internet access after setting up the LAN interface 9:20. Please help!
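The missing hyphen in dhcp-option that this thread (and several others on the page) tripped over is easy to catch before starting the tunnel. The following Python script is an added example, not from the video, PIA or any commenter: it lints an OpenVPN client profile, skipping inline <ca>/<cert> blocks, flags directives OpenVPN would not recognise (with a hint for the dhcp option typo), checks that a dhcp-option DNS value is an IP address, and can rewrite the typo. The sample profile is constructed, and the directive list is a subset of real OpenVPN client directives that you may need to extend.

```python
"""Lint an OpenVPN client profile for the errors that stop the tunnel from
starting: 'dhcp option DNS ...' written without the hyphen (an unknown
directive to OpenVPN) and a DNS value that is not an IP address.

Added example, not code from the video, PIA or any commenter. KNOWN is a
subset of real OpenVPN client directives (assumption: extend as needed);
the SAMPLE profile is constructed."""
import ipaddress

KNOWN = {"client", "dev", "proto", "remote", "resolv-retry", "nobind",
         "persist-key", "persist-tun", "cipher", "auth", "tls-client",
         "remote-cert-tls", "auth-user-pass", "compress", "comp-lzo", "verb",
         "reneg-sec", "disable-occ", "dhcp-option", "ca", "cert", "key",
         "crl-verify", "tls-auth", "key-direction", "route", "route-nopull",
         "pull", "script-security", "up", "down", "keepalive", "mute",
         "data-ciphers", "auth-nocache", "remote-random", "explicit-exit-notify"}


def lint_ovpn(text):
    """Return [(line_no, message)] for lines OpenVPN would reject."""
    findings = []
    in_block = None                      # inside <ca> ... </ca> style inline data
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if in_block:
            if line == f"</{in_block}>":
                in_block = None
            continue
        if not line or line[0] in "#;":  # comment lines
            continue
        if line.startswith("<") and line.endswith(">"):
            in_block = line[1:-1]
            continue
        directive, *args = line.split()
        if directive not in KNOWN:
            hint = ""
            if directive == "dhcp" and args[:1] == ["option"]:
                hint = " (did you mean 'dhcp-option'?)"
            findings.append((no, f"unknown directive '{directive}'{hint}"))
        elif directive == "dhcp-option" and args[:1] == ["DNS"]:
            try:
                ipaddress.ip_address(args[1] if len(args) > 1 else "")
            except ValueError:
                findings.append((no, "dhcp-option DNS needs an IPv4/IPv6 address"))
    return findings


def fix_dhcp_option(text):
    """Rewrite 'dhcp option ...' lines to 'dhcp-option ...'; return the new text."""
    out = []
    for raw in text.splitlines():
        if raw.strip().startswith("dhcp option "):
            raw = raw.replace("dhcp option ", "dhcp-option ", 1)
        out.append(raw)
    return "\n".join(out)


# Constructed sample profile: line 10 has the typo, line 11 a truncated address.
SAMPLE = """client
dev tun
proto udp
remote vpn.example.invalid 1198
resolv-retry infinite
nobind
persist-key
persist-tun
auth-user-pass /etc/openvpn/pia.auth
dhcp option DNS 10.0.0.241
dhcp-option DNS 10.0.0
<ca>
MIIBexampleNOTREAL
</ca>
verb 1
"""

if __name__ == "__main__":
    for no, msg in lint_ovpn(SAMPLE):
        print(f"line {no}: {msg}")
    print("after fix:", lint_ovpn(fix_dhcp_option(SAMPLE)))
```

Run it over the profile you are about to hand to the OpenVPN instance in OpenWrt; the line numbers match what OpenVPN prints in its own "Options error" message, so a clean lint result rules out this class of startup failure before you look at the tunnel or the firewall.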
Followed this and it worked.
A few things I had to do differently to get it working (also using PIA):
1. Don’t add the “dhcp option DNS” entries in the config file.
2. Under network>interfaces change tun0 to unmanaged and choose device: eth adapter tun0
3. Edit lan interface firewall settings to assign it to the lan zone
Do you have a document or a link to go to follow the directions you are mentioning in this video?
That last statement that you made about running ONE VM, which runs Docker, and then running your services and applications via that ONE IP address is probably THE BEST explanation as to why you might want to run the Docker (application) containers inside of a VM vs. running multiple containers, where each container runs its own, individual service.
Thank you!!!
I appreciate this.
I never realised this.
Or maybe it's possible to run those Docker containers in a container instead of a VM, to really squeeze the size and resources more than a VM would
@@kitsunesuzuka1029
That's a possibility as well.
I haven't tested that yet.
First off, thank you. I couldn't have accomplished much without great content like this.
What is a possible way to make openwrt's IP static?
After getting everything running smoothly for several weeks, a proxmox update happened and the IP address on "wan" changed from .111 to something else (the main IP of the openwrt lxc. Network > Interfaces > wan). All other services' IP addresses also changed. I figured this was solvable by making "wan" have a Static IP instead of DHCP. I edited the network of the openwrt lxc (vmbr0) in Proxmox to have a static IP and Gateway. After restarting the CT, there was no effect. Then I went into the openwrt webgui, Network > Interfaces > wan. I tried changing "wan" from DHCP to static. I gave it the IP, Gateway, and Mask. This seemed to block all traffic on the vpn, although it successfully made the openwrt IP static as well as the other services. I then went into my router and reserved .111 for openwrt. Restarted containers, but the dependent services still had no internet connection. What is a possible way to make openwrt's IP static?
Great video! Love running this as a container. I struggled with opening up the webui via the wan interface, but found this openwrt forum post from jwmullally to be helpful. Literally copy paste from the container's command line and profit.
This works from a clean install:
uci add firewall rule
uci set firewall.@rule[-1].name='Allow-Admin'
uci set firewall.@rule[-1].enabled='true'
uci set firewall.@rule[-1].src='wan'
uci set firewall.@rule[-1].proto='tcp'
uci set firewall.@rule[-1].dest_port='22 80 443'
uci set firewall.@rule[-1].target='ACCEPT'
uci commit firewall
service firewall restart
This worked!
Worked perfectly 👍👍
Worked for me! Thanks
this solved everything thank you, i am able to gui now
Dude, thank you, as a complete PVE noob, followed Don's instructions to the letter, refused connection. Copy and pasted this and I'm in!
Hey, I'm having a problem with setting the LAN interface. The container I used to test does not get the IP address I gave it through the OpenWrt Network > Interface page (time stamp 9:11). Any help would be great! Thank you
Followed this and it worked
A few things I had to do differently to get it working (also using PIA):
1. Don’t add the “dhcp option DNS” entries in the config file.
2. Under network>interfaces change tun0 to unmanaged and choose device: eth adapter tun0
3. Edit lan interface firewall settings to assign it to the lan zone
In the LAN interface that you created you need to assign it to a firewall group. Return to the interface, and assign the interface to the lan group.
Can you explain what you are doing, and why, for the tunnel? Tunnel to/from what? Surely if you have 2 network interfaces that's all you need? Even if not, what do all the parameters mean exactly?
Good stuff...it could also be your home router as well...multi-port nics can be pass-thru to another container
Pretty cool!
Keep em coming!!!!
or just make separated linux bridges
How would you go about moving media from the servers that are behind the virtual router to a physical NAS that's on your actual network then? 🤔
5:30 What do those 2 additional lines added to the container config file actually do? Those lines appear to be lifted verbatim from the Proxmox wiki "OpenVPN in LXC" article.
Adding those two lines prevented my container from starting because my bridge didn't exist. I took those lines off and, at least, my container boots up now. Could it have anything to do with my server only having one ethernet port?
Such a pity I haven't found this video before I spent a whole weekend configuring NAT and port forwarding by hand with iptables. Very great explanation.
Great tutorial, helped me a lot. Thanks to you I was able to automate the creation of this "route via VPN" feature on Proxmox with Ansible and Terraform.
I am so excited. I already use PIA and Proxmox and have been wanting to set up a router for VPN so I don't have to enable it every time I want to use it on my Mac. I want to instead set up a bittorrent service in a Proxmox container and have it always using a VPN.
Nice video! I followed step by step on a machine a month ago and got it working. Need to move to a newer, better machine. I have been pulling my hair out for a week. I follow along and even make sure my new machine has the same parameters as the previous one. I can't get it to work. The PIA OpenVPN instance won't start. Looking at the "tun0" in interfaces, it shows "Error: Network device is not present". I am stuck. Any thoughts? I have pictures :)
I have retried on the same server, setting up a 2nd LXC, and even used the original rootfs file. The common theme I keep seeing is when I create tun0... it shows as "Error: Network device is not present".
@@markdickey7807 I've found the typo. In the video he forgot to type "-" in: dhcp-options DNS 10.0.0.241, so the error occurs in the console log. The author should definitely write the instructions consistently...
@@krysc4d Thanks, but it didn't help - just retried on a new system. I get to the point of starting the PIA. I don't think at this point it is a PIA issue, because it tells me the "Tun0" interface doesn't exist back in network interfaces. I restarted the interface and still nothing
@@markdickey7807 Did you find a solution? I'm stuck at the same point
@@moonfall84 Yes, I found a solution. You have to change ownership of the tunnel device on your PVE host: "chown 100000:100000 /dev/net/tun". I just found this solution like YESTERDAY
Great video, but you should zoom in your browser for Proxmox demos by at least 125%. Not all of us have 20/20 eyesight.
There is option to open as separate window so it will be fullscreen.
Great info. Any fail safe or a way to confirm if your vpn disconnects to auto reconnect?
Amazing video series on proxmox. thank you for these helpful videos.
Question:
How can we put just prawlarr behind the VPN and let other containers running directly ? When I tried this way, I am not able to get other prawlarr to talk/detect other containers. I am using RDT client so I don't need that behind VPN as I am getting direct downloads.
Any suggestion or help will be highly appreciated.
would it not be more secure to just use nginx proxy manager, and not put holes into the firewall?
Hi @NovaspiritTech
Thank you for the wonderful content as always.
Regarding the network adapters issue, it was because you forgot to apply the network interface changes (Network bridge vmbr0) after adding the bridge.
have a great day.
Thank you I set it up as you guided. And even got the PIA. One question how do you activate port forwarding since without it it is pretty much useless.
THX for sharing this.
I think it makes sense to define a dedicated host NIC and assign this to the LXC running OpenWRT as WAN with a passthrough device.
Not really as OpenWRT doesn't make any use of hardware offload
A few things I had to do differently to get it working (also using PIA):
1. Don’t add the “dhcp option DNS” entries in the config file.
2. Under network>interfaces change tun0 to unmanaged and choose device: eth adapter tun0
3. Edit lan interface firewall settings to assign it to the lan zone
This worked perfectly! Thank you!
Thank you. It worked for me as well. @@boot487
"3. Edit lan interface firewall settings to assign it to the lan zone " You mean add tun0 to the lan=>wan entry in the firewall?
@@RuiCardona2k no in Network>Interfaces edit the lan interface, under firewall settings click the drop down menu to assign the lan interface to the lan firewall zone. This will allow traffic on your lan interface
@@dsb2 Gotcha, that's already what it defaults to for me. Though no matter what I do even though I can connect to the VPN I just can't seem to access the test http server through the VPN
After changing the firewall config file at 7:57 you need to execute cmd line /etc/init.d/firewall reload
having troubles getting internet access through the vmbr1 adapter. in OpenWRT i see packets and data flowing through eth1 but nothing will show in the active dhcp leases section. if anyone has any pointers it would be very helpful. Thanks!
im having a similar issue, did you ever figure it out?
Did you figure anything out? Having the same issue atm
Adding another reply that fixed it for me: Go to the Interface you set, hit edit and go to the firewall tab. Set the lan zone. This made it so I could get an IPv4 on the services using the vmbr1 bridge
@@CrazyTheDe Huge, that was the trick
Make a wireguard client video
I have been trying to figure out a way to run a wireguard client on proxmox, and filter all traffic through openwrt/pia for weeks. End goal would be to connect to wireguard proxmox ct, have that connection all go through openwrt/pia. So far I have wireguard and openwrt/pia setup, wireguard ct runs traffic through openwrt/pia, but I am unable to connect to wireguard client remotely.
is there any benefit to setting up openwrt in proxmox if i already have a vpn setup on my home router going into the server?
I've been thinking about doing this to put some services on different vlans... Didn't get a managed switch yet.
Thanks for the excellent video. Got Openwrt running like this for a few months now and would like to update to a newer openwrt version.
What is the easiest way to do this?
Can I do the same, passing through openWRT, with a real computer as you did with the lxc container? Basically, I wanna use the openwrt lxc as a real router.
Thanks for the demo and info, awesome video, have a great day
How can I change the default IP to the openwrt access and change it to a custom static ip?
Were you able to get this to work with a static IP?
WireGuard is easier to set up, thanks for the demo man!
Awesome video. I am able to get all the steps done but once I try to start the container I get an error: lxc_start: 2114 Failed to spawn container
I did everything as you described with the exception that I use WireGuard. The WireGuard handshake goes through but my LXC containers that use vmbr1 can't seem to go through the IP of the VPN
This might be a "dumb" or "obvious" question, but I'm new to the stuff so, bear w/ me!
Does this "open my network" to the big bad internet? I'm trying to maintain locked-down security as best as I can, running anything "outward" via Cloudflare. Because this is in a CT in Proxmox, does this create a vulnerability in my network elsewhere, or just for anything on this vlan?
Your physical router (the main entry to your network) is the one that decides what is open to the big bad internet. If you don't have any ports open in your physical router you're fine.
Thanks so much for this video, you really helped me out tremendously
Great video. I just have a question: everything works until I start the VPN, then I lose the web UI to openwrt. I followed the instructions.
I've got a bit of an odd situation on my end, and I haven't been able to find a solution to it. I'm running a cluster of 4 nodes with a CEPH pool to allow for HA. I've put together the openwrt router on node 2, any CTs put in node 2 and connected to vmbr1 work perfectly, no issues. However, obviously when trying to run a CT on another node I won't be able to connect to that router. I hope I'm just missing something simple, but any ideas would be appreciated.
Were you able to find a solution for this?
Thank you very much for your video. Everything works great, even ProtonVPN does what it should.
Now I still have a problem. It's probably because I didn't quite understand what the LAN interface with the IP 10.50.50.1 is used for.
So I can run my qbittorrent LXC exclusively via ProtonVPN, but I can no longer reach the qbittorrent web interface via 192.168.1.40:8090. The IP 10.50.50.101:8090 assigned by openwrt cannot be reached either.
Does anyone have a tip on what I am doing wrong?
I tried to work out a few solutions with ChatGPT.
The suggestions, which all failed, were:
1. firewall rules : forwarding 10.50.50.1/24 to 192.168.0.1/24
2. IP Masquerading
3. policy routing
It all sounds logical, but it just doesn't work. I probably have a major thinking error somewhere.
Thank you. Question: how do you prevent the container from accessing the internet if the VPN is not working or is down? If you stop the OpenVPN instance it bypasses the VPN and connects to the ISP IP address. Thank you
Can't ping from LAN to Google or any other networks... do I need to add in NAT or any routes? Followed the exact same steps
Found a solution to that?
Hi Novaspirit,
Great video! I use ProtonVPN and am curious if the OpenWRT setup is similar. Are there any extra packages needed to integrate ProtonVPN with OpenWRT?
Hi Mate, I got mine set on pfsense (proton connected using openvpn) and use openwrt just for the wifi part
Nice video but I'm still thinking about security issues of running OpenWrt as LXC containers instead of full VM as an edge device...
I have a 5G broadband modem which supports wifi 6 but doesn't really have good customisation options. I'm thinking of following this approach by installing OpenWrt to use the customisation options and route the traffic back to the modem to use the internet. Is that achievable?
I have a strange issue where once the VPN is enabled I lose HTTP access to the OpenWRT UI. I can get it back by disabling the tun0 via console, breaking the PIA connection. Are there additional rules required to retain my HTTP access via the WAN IP?
I have the same issue. Did you find a solution?
I am also having this issue. I assume a firewall issue since I can access via other VMs.
Anyone have a solution?
I am also having this issue. As soon as I enable the PIA VPN and save, the web interface tanks. I posted on OpenWRT about this, but since this is a fork, they blew me off.
How would I pass through a couple of network cards using this method?
Thanks Don.
This is a great video! I have one question, how do you update it to a newer version?
I also notice in the logs that I get TLS error: TLS Handshake failed and TLS Error: TLS key negotiation failed to occur within 60 seconds.....
Any idea what might cause this
I found my mistake, I took the wrong bridge in proxmox.... I'm also running Sophos XG as a VM and picked that bridge, should also work, but need to figure that out first
Can you make a video with WireGuard? I know that the speed at PIA is not very fast but others are fast enough.
Thanks in advance
If I add the lxc to the vmbr1 the vpn works and still have internet, but....how do you access the service if the previous local ip+port does not work anymore? Only works when I change back the vmbr1 to vmbr0
Reply to myself for those in the same situation: I have added vmbr0 with the local IP and local IP access, and assigned a static IP, and now I can access the service internally while having the public IP from the VPN
@@RufusCubano THANK YOU! This had my head spinning for days. I watched Don's video a dozen times, literally frame by frame to see what I had missed. I too could not access any of the service portals after assigning vmbr1. I could not figure out how Don was able to access the portals with the 192.xx addy when the lxc container had a 10.50.xx address. Yes, I forwarded the port number to the internal 10.50.xx addy, but the fact remains the container still had a different IP! I could hit any container if I opened my test VM on vmbr1 by using the 10.50.xx IP, but not with the 192.xx IP. It took me a few tries to understand what you had done, but I finally figured it out. I added a new network to the service lxc, in this case, I named it 'deluge'. I forced the same MAC that my OPNsense reported, I tied it to Bridge vmbr0, gave it the same static IP I assigned it in my OPNsense with a /24 CIDR, left the gateway BLANK. It worked. I get a VPN address and can access the services using the IPs I statically assigned in my OPNsense. I also deleted the PORT FORWARDING entries, as they're no longer needed.
Got this working OK. However I cannot access the web UIs of CTs that are on this created LAN from any other PC outside that LAN (my normal network)
Is there a firewall config to achieve this?
Help. I managed to get tunneling working. However, if I want to ping to a tunneled container, let say 10.50.50.235. I can't reach it. Probably my normal network is operating from 192.168.178.*. Did I miss a step somewhere?? Do I need to add a route somewhere?
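For the "service is only reachable on 10.50.x, not on 192.168.x" problem raised in the comments above, here is an added example (not from the video or from any commenter) of doing the second-NIC fix from the Proxmox host, plus the check that matters: after adding the home-LAN NIC without a gateway, the container's only default route must still point at OpenWrt, otherwise its traffic silently bypasses the VPN. The CTID 101, the home address 192.168.1.40/24 and the OpenWrt LAN address 10.50.50.1 are assumed values, not from the video.

```shell
#!/bin/sh
# Added example, not part of the video or the comments. Gives a service
# container that already lives on vmbr1 (OpenWrt side, 10.50.50.0/24) a second
# NIC on vmbr0 (home LAN, 192.168.1.0/24) with a static address and NO gateway,
# then verifies the default route still goes via OpenWrt.
# Assumed (hypothetical) values: CTID 101, service at 192.168.1.40/24,
# OpenWrt LAN gateway 10.50.50.1.

CTID="${CTID:-101}"
HOME_IP="${HOME_IP:-192.168.1.40/24}"
VPN_GW="${VPN_GW:-10.50.50.1}"

# Value for `pct set <ctid> --net1 ...`: eth1 on vmbr0 with a static IP and,
# deliberately, no gw= so the container keeps its default route via OpenWrt.
second_nic_value() {
  printf 'name=eth1,bridge=vmbr0,ip=%s' "$1"
}

# $1 = output of `ip -4 route` inside the container, $2 = OpenWrt LAN address.
# Returns 0 only if there is exactly one default route and it is via $2.
# A second default route via the home router would leak traffic around the VPN.
egress_via_openwrt() {
  routes="$1"
  gw="$2"
  n_default=$(printf '%s\n' "$routes" | grep -c '^default ' || true)
  [ "$n_default" -eq 1 ] || return 1
  printf '%s\n' "$routes" | grep -q "^default via $gw " || return 1
  return 0
}

# Apply and verify on a real Proxmox host; skipped where pct is absent.
if command -v pct >/dev/null 2>&1; then
  pct set "$CTID" --net1 "$(second_nic_value "$HOME_IP")"
  routes=$(pct exec "$CTID" -- ip -4 route)
  if egress_via_openwrt "$routes" "$VPN_GW"; then
    echo "CT $CTID: default route via $VPN_GW, VPN path intact"
  else
    echo "CT $CTID: default route is NOT via $VPN_GW, traffic would bypass the VPN" >&2
    exit 1
  fi
fi
```

The web UI is then reached at 192.168.1.40:port from the home LAN, while replies to hosts outside 192.168.1.0/24 and all other outbound traffic still leave via 10.50.50.1 and the tunnel. If the check fails, look for a gateway on the vmbr0 NIC or a DHCP client running on eth1 inside the container.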
Hello! very nice video and amazing tutorials. I did this setup, but I have a problem, i use Nord VPN as my provider, and each time I turn on the VPN connection, I cannot access my virtual router through the designated ip... from LAN. I have a VM attached to that router, and from there is working. can anyone help me to figure this out, why is this happening? As soon I stop the VPN connection, I can access my router from LAN..
I’m having the exact same issue. Did you ever find a resolution?
Can you make a separate video on networks how to separate your vms?
Hi there. My wifi card can run in AP mode. How can I make openwrt make use of that? I'm not 100% sure if I need to run it as an LXC container or a VM. I'm comfortable installing openwrt but always failed to log into the GUI until you told me why, the firewall rules. I appreciate that tip! Just need the WiFi to work.
My setup is a bit different. My router/firewall is OPNsense and I just purely need OpenWRT as an AP. I could always use other AP points in roaming and mesh. Would probably use batman in openwrt but I would love to be able to use the WiFi card as an AP
This one is great!! Followed up till I press start VPN, and it doesn't start. I did modify the dhcp line - is 'dhcp-option DNS 10.0.0.241' correct??? I think it is ..
Hi, did you get this working?
How can we modify this setup to ensure that there is a kill switch if vpn disconnects / fails?
What's the correct way of updating to a newer version?
Could you do an OPNsense video on this? Been wanting to try it
Thanks for the video. As constructive criticism (?), wait a second or 2 on the command line, it was hard following you, you were going too fast for me! ;) Having said that, I'm getting an error trying to connect the machine to the vmbr1 bridge; for some reason it doesn't hit OpenWRT at all, and can't get their IP. I'm unsure where to look
Apparently in 8.2.2 the /etc/config/firewall file doesn't exist on a clean install, how to access openwrt now, stumped... I'm trying to access/use my spare real Ethernet ports, 1x10Gb as the openwrt wan/to the real existing lan-wan, + 2x5Gb ports, & 2x2.5Gb ports in this machine, aka a 6 port openwrt router including the mboard port
Got this working but how do you put a killswitch in place? If the VPN happens to go down, all traffic will now go outside your normal router gateway which is exactly what you don't want here.
How did you manage to get it working? openvpn doesn't start ?
@@alainsoppe6397 I ended up ditching this completely as I couldn't make it work.
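Several comments above ask how to build a kill switch so that containers on vmbr1 cannot reach the internet over the wan side when the tunnel is down. The following is an added example, not from the video or from any commenter: it puts tun0 in its own firewall zone, allows lan to forward only into that zone, removes the stock lan-to-wan forwarding, and adds an explicit REJECT rule for lan to wan as a second line of defence. It assumes the zone names 'lan' (vmbr1 side) and 'wan' (vmbr0/home side) from the default OpenWrt config, that the tunnel device is tun0, and that tun0 is not already a member of another zone; all of these are assumptions.

```shell
#!/bin/sh
# Added example, not part of the video or the comments. OpenWrt kill switch
# for the vmbr1 LAN, expressed as uci commands so it is reproducible.
# Assumptions (hypothetical): zone 'lan' = vmbr1 side, zone 'wan' = vmbr0/home
# side, tunnel device 'tun0' not yet in any zone.

TUN_DEV="${TUN_DEV:-tun0}"

# Emit the configuration as a `uci batch` script. $1 = tunnel device name.
# - zone 'vpn' holds the tunnel device and masquerades traffic leaving it
# - forwarding lan->vpn is the ONLY forwarding lan gets
# - an explicit REJECT rule lan->wan catches anything that would still try
killswitch_batch() {
  cat <<EOF
set firewall.vpn=zone
set firewall.vpn.name='vpn'
add_list firewall.vpn.device='$1'
set firewall.vpn.input='REJECT'
set firewall.vpn.output='ACCEPT'
set firewall.vpn.forward='REJECT'
set firewall.vpn.masq='1'
set firewall.vpn.mtu_fix='1'
set firewall.lan_vpn=forwarding
set firewall.lan_vpn.src='lan'
set firewall.lan_vpn.dest='vpn'
set firewall.ks_lan_wan=rule
set firewall.ks_lan_wan.name='Kill switch: reject lan to wan'
set firewall.ks_lan_wan.src='lan'
set firewall.ks_lan_wan.dest='wan'
set firewall.ks_lan_wan.proto='all'
set firewall.ks_lan_wan.target='REJECT'
EOF
}

# $1 = output of `uci show firewall`. Prints the section name of every
# forwarding whose src is lan and dest is wan (the stock config has one,
# shown as @forwarding[0]). These are the paths that bypass the tunnel.
lan_to_wan_forwardings() {
  show="$1"
  printf '%s\n' "$show" | sed -n 's/^firewall\.\([^=]*\)=forwarding$/\1/p' |
  while read -r sec; do
    # grep -F: section names like @forwarding[0] contain regex metacharacters
    src=$(printf '%s\n' "$show" | grep -F "firewall.$sec.src=" | sed "s/.*='\(.*\)'$/\1/")
    dest=$(printf '%s\n' "$show" | grep -F "firewall.$sec.dest=" | sed "s/.*='\(.*\)'$/\1/")
    if [ "$src" = "lan" ] && [ "$dest" = "wan" ]; then
      echo "$sec"
    fi
  done
}

# Apply on a real OpenWrt box; skipped where uci is absent.
if command -v uci >/dev/null 2>&1; then
  lan_to_wan_forwardings "$(uci show firewall)" | while read -r sec; do
    uci delete "firewall.$sec"
  done
  # make the batch re-runnable: drop our own named sections first
  uci -q delete firewall.vpn
  uci -q delete firewall.lan_vpn
  uci -q delete firewall.ks_lan_wan
  killswitch_batch "$TUN_DEV" | uci batch
  uci commit firewall
  /etc/init.d/firewall reload
fi
```

Test it the blunt way: stop OpenVPN, then from a container on vmbr1 try to reach any public address; it must fail, and `uci show firewall | grep forwarding` must show no lan-to-wan pair. Two things this does not cover: the router's own processes still use the wan zone (OpenVPN needs that to build the tunnel), so if the containers use the OpenWrt dnsmasq as their resolver, its upstream queries leave via wan whenever the tunnel is down; and IPv6 on the home side is not touched here. Check both before trusting the setup.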
Well, I think I dont need an additional NIC for vmbr1 but....yeah actually we need more than single NIC to implement this
I'm stuck on getting onto the website. For me I tried IP:80 and IP:443. It still doesn't work. Any help would be great!
### inside openwrt LXC - to allow network access to web interface
# install nano to make life pleasant!!
opkg update
opkg install nano
nano /etc/config/firewall
# append this section: accepts TCP/80 arriving from the wan zone (the home LAN side of this setup)
config rule
	option name 'Allow-WAN-HTTP'
	option src 'wan'
	option dest_port '80'
	option proto 'tcp'
	option target 'ACCEPT'
## Save and reboot
Don’t know why but this got it working for me. Thanks man
this was my solution aswell. thank you
Pin this. I spent hours debugging the issue and this fixed it.
I think what I missed was just not doing a reboot.
Thank you Steven
I assume, with a bit of tinkering, you could use a different VPN provider. I'll give it try with the one I'm subscribed to.
Do you know how to pass through a PCIe M.2 WIFI card to LXC OpenWRT? If you are the answer you're my god !!!
Were you able to find an answer for this?
My containers don't connect to the internet. Help pleaseeee!!! Thanks!
I just keep getting - no sdn vnet ID specified (500) when trying to change the bridge.
Fixed it. For anyone else having the issue: log in as root
Mmmm... I did everything but when I try to enter the wrt web UI, the browser can't find it. Help?
Does anybody else have the problem that the VPN tunnel doesn't automatically reconnect? While my ISP router renews its public IP address at night my VPN tries to reconnect but fails (timeout). I have to manually restart it...
I'm not able to find tun0, even after starting openvpn
Is someone having the same issue?
Why not use the TTeck OpenWRT VM script rather than create it yourself???
it didn't work for me
I tried it and got to the point of starting the VM. It errored out saying vmbr1 doesn't exist even though I have applied the configuration.
When I follow this video, and am about to start my CT to config the firewall, I get this error: failed waiting for client: timed out
TASK ERROR: command '/usr/bin/termproxy 5900 --path /vms/100 --perm VM.Console -- /usr/bin/dtach -A /var/run/dtach/vzctlconsole100 -r winch -z lxc-console -n 100 -e -1' failed: exit code 1..
Any idea what that can be? And how do I fix that?
I've got the same issue
Thanks for the video
Can someone help with the issue of losing GUI access after saving the VPN enable changes?
Hi did you manage to get this working?
Yes, it came down to OpenWRT and my PC being on different VLANs. Just needed to create a static route from the PC VLAN to OpenWRTs VLAN. If you want more info I’d be happy to share.
What Linux are you working on?
I'm on debian
If anyone else (like me) was having issues starting the openwrt LXC because of an error stating that vmbr1 does not exist, make sure you click "apply configuration" under the node network tab.
Also, if anyone is using NordVPN, they have a solid guide for this exact process, just search OpenWrt setup with NordVPN
THANKS!
I wish OPNsense would migrate to Linux
true, wish the same
I downloaded it to windows 11, and it got flagged with wacatac virus, strange.
How do I pass through SMB?
Use Proxmox as the "man in the middle" for the container, it doesn't need to know that that mounted path is from another network; it should work
@@ericdemers7368 I've moved on to Gluetun and OMV, pass through usb to OMV and have it shared on the network with SMB
I have an answer to the question: the bridge 'vmbr1' does not exist
I think go back into the pve network tab and click apply configuration?
@@martinottolangui4667 Thank You! I've spent hours trying to figure that out!
What gives? The overlays he puts up are different from what he types
Why bother with the router and not just install the VPN?
I think I know you, you went to Cardozo?