VPN-Lite Router Manual


  • VPN-Mini Router
  • Default IP address: 192.168.1.1
  • Includes one USB cable and a short LAN cable
  • Does NOT include a power adapter

Max. 300Mbps Wi-Fi speed
1 x Toggle button
1 x Ethernet Ports (Ethernet speed 10/100Mbps, one LAN and one WAN port)

  • Power input: Type-C USB, 5V/2A
  • Operating temperature: 0 ~ 40C (32 ~ 104F)
  • Storage temperature: -20 ~ 70C (-4 ~ 158F)
  • Default login: root, no password
  • Default SSID: VPN-LiteMR, no password

  • VPN-Lite 4G Router
  • Default IP address: 192.168.2.1
  • Includes one USB cable and a short LAN cable
  • Does NOT include a power adapter
  • Does NOT include the 3.7V 1000mAh AAA-size lithium battery (each one)
  • Does NOT include wireless accessories or modules

Max. 300Mbps Wi-Fi speed
1 x On/off button
1 x USB 2.0 port
1 x Toggle button
1 x Ethernet Ports (Ethernet speed 10/100Mbps)

  • Power input: Type-C USB, 5V/3A
  • Operating temperature: 0 ~ 40C (32 ~ 104F)
  • Storage temperature: -20 ~ 70C (-4 ~ 158F)
  • Default login: root, no password (backup user: admin, password: admin)
  • Default SSID: VPN-Lite4G, no password
  • First insert the SIM card into the router, then turn on the router's power button (EG25-GGB global 4G LTE module).

Login http://ip-address/cgi-bin/luci/ and go to the screens listed below.
Login http://ip-address/cgi-bin/luci/ → Status → Overview → (Display Router information)
Login http://ip-address/cgi-bin/luci/ → Status → Firewall → Firewall Status → (Display Firewall IPv4 or IPv6 Status) 
Login http://ip-address/cgi-bin/luci/ → Status → Routes → Routes Status → (Display ARP, IPv4 and IPv6 routing table Status)
Login http://ip-address/cgi-bin/luci/ → Status → System Log → (Display Sys-Log)
Login http://ip-address/cgi-bin/luci/ → Status → Kernel Log → (Display Kernel-Log)
Login http://ip-address/cgi-bin/luci/ → Status → Processes → (Display currently running processes)
Login http://ip-address/cgi-bin/luci/ → Status → Realtime Graphs → (Display Load,Traffic,Wireless,Connections live status)
Login http://ip-address/cgi-bin/luci/ → Status → VnStat Traffic Monitor → VnStat Graphs → (Display Traffic information)
Login http://ip-address/cgi-bin/luci/ → Status → WireGuard Status → WireGuard Status → (Display WireGuard VPN Status) 

Login http://ip-address/cgi-bin/luci/ → System → System → (General Settings, Logging,Time, Synchronization, Language and Style)
Login http://ip-address/cgi-bin/luci/ → System → Administration → (Router Password, SSH Access, SSH-Keys)
Login http://ip-address/cgi-bin/luci/ → System → Software → (Display Free space, Update or Install Package)
Login http://ip-address/cgi-bin/luci/ → System → Startup → (Change Service Status)
Login http://ip-address/cgi-bin/luci/ → System → Scheduled Tasks → (manually scheduled tasks or Linux cron Job)
Login http://ip-address/cgi-bin/luci/ → System → LED Configuration → (Change LED Status)
Login http://ip-address/cgi-bin/luci/ → System → Backup / Flash Firmware → (Backup , Restore setting, reset defaults)
Login http://ip-address/cgi-bin/luci/ → System → Custom Commands → (Add Commands to button)
Login http://ip-address/cgi-bin/luci/ → System → Reboot → (Perform reboot)

Login http://ip-address/cgi-bin/luci/ → VPN → OpenConnect VPN → (Peer with another firewall's or router's SSL-VPN; configuration needs a professional network engineer)
Login http://ip-address/cgi-bin/luci/ → VPN → OpenVPN → (Display OpenVPN status; configuration by CLI command)
Login http://ip-address/cgi-bin/luci/ → VPN → VPN Policy Routing → (Add routes for VPN; normal users can ignore)

Login http://ip-address/cgi-bin/luci/ → Services → Dynamic DNS → (Configuration Dynamic DNS)
Login http://ip-address/cgi-bin/luci/ → Services → Adblock → (Configuration Adblock)
Login http://ip-address/cgi-bin/luci/ → Services → Wake on LAN → (Turn on the computer by Lan)
Login http://ip-address/cgi-bin/luci/ → Services → ttyd → (Command Line, CLI interface on the Web)
Login http://ip-address/cgi-bin/luci/ → Services → SNMPD → (Configuration SNMP)
Login http://ip-address/cgi-bin/luci/ → Services → Tinyproxy → (Configuration Tinyproxy)

Login http://ip-address/cgi-bin/luci/ → Network → Interfaces → (Configuration Interfaces, IP and Physical Settings, Add or Delete Interface)
Login http://ip-address/cgi-bin/luci/ → Network → Wireless → (Configuration WiFi, Add or Delete WiFi Interface)
Login http://ip-address/cgi-bin/luci/ → Network → DHCP and DNS → (Configuration DHCP and DNS)
Login http://ip-address/cgi-bin/luci/ → Network → Hostnames → (Configure IP addresses and hostnames; normal users can ignore)
Login http://ip-address/cgi-bin/luci/ → Network → Static Routes → (Configuration Static IPv4 or IPv6 Routes)
Login http://ip-address/cgi-bin/luci/ → Network → Firewall → (Configure Firewall - Zone Settings, Port Forwards, and the command-line interface (CLI) for ebtables and iptables)
Login http://ip-address/cgi-bin/luci/ → Network → Diagnostics → (Network Utilities, Ping, Traceroute, Nslookup)
Login http://ip-address/cgi-bin/luci/ → Network → QoS → (Configuration Quality of Service)

Login http://ip-address/cgi-bin/luci/ → Bandwidth Monitor → Display → (Display private networks)
Login http://ip-address/cgi-bin/luci/ → Bandwidth Monitor → Configuration → (Configuration Netlink Bandwidth Monitor)
Login http://ip-address/cgi-bin/luci/ → Bandwidth Monitor → Backup → (Backup / Restore, Netlink Bandwidth Monitor)

Login http://ip-address/cgi-bin/luci/ → Statistics → Graphs → (Display SNMP Graphs (Live!))
Login http://ip-address/cgi-bin/luci/ → Statistics → Setup → (Configuration Collectd Settings)

Login http://ip-address/cgi-bin/luci/ → Logout → (Close)


Supported protocols

  • IEEE 802.1Q (VLAN); br-lan is untagged
  • Dynamic routing protocols (OSPF, RIP, IS-IS, BGP)
  • OpenVPN (site-to-site VPN or Layer 2 VPN, multi-site)
  • WireGuard (VPN, multiple tunnels)
  • PPTP (VPN, multiple tunnels)
  • Keepalived (VRRP for active/standby redundancy; not supported over VPN)
  • Softflowd (NetFlow)
  • SNMP v2
  • Wake on LAN
  • SSH
  • LLDP



The Internet Assigned Numbers Authority (IANA) has assigned several address ranges to be used by private networks.

Address ranges to be used by private networks are:

Class A: 10.0.0.0 to 10.255.255.255
Class B: 172.16.0.0 to 172.31.255.255
Class C: 192.168.0.0 to 192.168.255.255

An IP address within these ranges is therefore considered non-routable, as it is not unique. Any private network that needs to use IP addresses internally can use any address within these ranges without any coordination with IANA or an Internet registry. Addresses within this private address space are only unique within a given private network.

Within one network, each device's IP address must be unique (two devices cannot share the same IP address).

All addresses outside these ranges are considered public.
Subnet masks and IP addresses

Mask   IP Addresses   Hosts   Netmask
/31    2              2       255.255.255.254
/30    4              2       255.255.255.252
/29    8              6       255.255.255.248
/28    16             14      255.255.255.240
/27    32             30      255.255.255.224
/26    64             62      255.255.255.192
/25    128            126     255.255.255.128
/24    256            254     255.255.255.0
/23    512            510     255.255.254.0
/22    1024           1022    255.255.252.0
/21    2048           2046    255.255.248.0
/20    4096           4094    255.255.240.0
/19    8192           8190    255.255.224.0
/18    16384          16382   255.255.192.0
/17    32768          32766   255.255.128.0
/16    65536          65534   255.255.0.0
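The private ranges and the subnet table above can be checked programmatically. The following Python script is an added example, not part of this manual or of the router's software; it uses only the standard-library ipaddress module. It regenerates the table rows from the prefix length (the /31 row keeps both addresses usable, as in the table), tests whether an address is private, and checks whether two addresses share a subnet, which is the condition the Wi-Fi bridge setup later in this manual relies on (the LAN interface must be in a different subnet from the upstream Wi-Fi network).

```python
import ipaddress

# RFC 1918 private ranges as listed in the manual (class A, B and C blocks).
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_private(addr):
    """True if addr falls in an IANA private range, i.e. it is not routable on the public internet."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_RANGES)


def subnet_row(prefix):
    """Compute one row of the subnet-mask table for an IPv4 /prefix network.

    The address count is 2**(32 - prefix). Two addresses (network and broadcast)
    are reserved for /30 and larger; a /31 point-to-point link uses both addresses.
    """
    net = ipaddress.ip_network(f"0.0.0.0/{prefix}")
    total = net.num_addresses
    hosts = total if prefix >= 31 else total - 2
    return {"mask": f"/{prefix}", "addresses": total, "hosts": hosts, "netmask": str(net.netmask)}


def subnet_table(first=31, last=16):
    """The manual's table, from /31 down to /16, generated rather than typed in."""
    return [subnet_row(p) for p in range(first, last - 1, -1)]


def same_subnet(addr_a, addr_b, prefix):
    """Do two addresses share a subnet under the given prefix length?

    For the Wi-Fi bridge setup the LAN interface must NOT share a subnet with
    the upstream Wi-Fi network, so this should return False for that pair.
    """
    a = ipaddress.ip_interface(f"{addr_a}/{prefix}").network
    b = ipaddress.ip_interface(f"{addr_b}/{prefix}").network
    return a == b


if __name__ == "__main__":
    for row in subnet_table():
        print(f"{row['mask']:<5}{row['addresses']:>8}{row['hosts']:>8}  {row['netmask']}")
    for ip in ("192.168.1.1", "172.31.255.111", "172.32.0.1", "8.8.8.8"):
        print(ip, "private" if is_private(ip) else "public")
```

Note that 172.32.0.1 is reported public: the class B private block stops at 172.31.255.255, a boundary that is easy to get wrong when choosing VLAN or VPN subnets by hand.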



Login http://ip-address/cgi-bin/luci/ → Network → Firewall → Firewall - Zone Settings. By default there are two zones, lan and wan.

The goal of a router is to forward packet streams from incoming network interfaces to outgoing network interfaces. Firewall rules add another 
layer of granularity to what is allowed to be forwarded across interfaces - and additionally which packets are allowed to be inputted to, and 
outputted from, the router itself. This section discusses the relationships between the firewall code and the network interfaces.

At the heart of all routers is a hardware switch with a number of interface ports. When a packet enters one of the switch ports, the hardware 
switch matches a fixed field in the packet and forwards the packet to an output port which transmits it.

The switch generally uses the layer-2 destination MAC address in the packet to switch on. Each port has a cache of MAC addresses for stations 
reachable by (attached to) that port. Entries in the MAC cache gradually age out, so they must be re-discovered if used again. Layer-2 frames with a known 
destination MAC are switched to the desired LAN port. If the MAC is not present anywhere in the switch cache, a broadcast packet (e.g. ARP) is 
flooded to all LAN ports to discover which has access to the destination MAC.


OpenWrt routers have two types of LAN interface: wired Ethernet (IEEE802.3 or RFC894 Ethernet II, Ethernet II being the most common) and wireless Ethernet (IEEE802.11.)


The wired LAN ports each map directly to a single switch port. Generally there is one 802.11 Wi-Fi port attached to a Wi-Fi radio chip (2.4 GHz, 5 GHz). 
Each handles one or more IEEE 802.11 standard protocols (e.g. 802.11a, 802.11n) and ancillary support for wireless networks (e.g. 802.11s mesh networking). 
The Wi-Fi chips convert the 802.11 signal into a canonical Ethernet frame injected into the switch port for routing. All Wi-Fi stations connected to the 802.11 
Access Point use the same radio(s) and the same switch port.

  • LAN bridge

The LAN bridge combines the WLAN interface(s) with the wired LAN ports to create a single logical network. In the interface configuration 
set option type bridge, or in LuCI go to Network → Interfaces → LAN → Bridge interfaces and select the physical interfaces to bridge together. 
All switch ports in the bridge will act as a single network.

The new pseudo-interface has a br- prepended to the interface name, generally br-lan.

* Use bridging when combining WLAN and wired Ethernet ports. Otherwise partition the ports into VLANs.

  • Firewall Zones

The firewall of an OpenWrt router is able to collect interfaces into zones to more logically filter traffic. A zone can be configured to 
any set of interfaces but generally there are at least two zones: lan for the collection of LAN interfaces and wan for the WAN interfaces.

This simplifies the firewall rule logic somewhat by conceptually grouping the interfaces:

  • A rule for a packet originating in a zone means the packet is entering the router on one of the zone's interfaces.
  • A rule for a packet being forwarded to a zone means the packet is exiting the router on one of the zone's interfaces.

* Note that the zone concept does not significantly simplify a simple SOHO router with a single br-lan interface and a single wan interface: each interface has a one-to-one mapping with a zone.

For more detail, refer to the OpenWrt documentation at https://openwrt.org/ → Firewall and network interfaces.

iptables modules and the ebtables firewall are configured under Miscellaneous.


Non-Overlapping Channels

Each channel on the 2.4 GHz spectrum is 20 MHz wide. The channel centers are separated by 5 MHz, and the entire spectrum is only 100 MHz wide. This means the 11 channels have to squeeze into the 100 MHz available, and in the end, overlap.

If you need more information about wireless networks, please search the internet.

In this article you will see how to configure your device to become a Wi-Fi extender/repeater/bridge.

In some cases, the wireless drivers used in OpenWrt do not support "Layer 2" bridging in client mode with a specific "upstream" 
wireless system. When this occurs, one approach is to route the traffic between LAN and the upstream wireless system. Broadcast traffic, 
such as DHCP and link-local discovery like mDNS are generally not routable.

When other options don't work, the relayd package implements a bridge-like behavior for IPv4 (only), complete with DHCP and broadcast relaying. This configuration can be done through SSH (Secure Shell, a remote terminal) or through the LuCI GUI.


The relayd package is required; luci-proto-relay is optional, for the LuCI web interface.

Disconnect this router from your main network after successfully installing the above packages.

Alternatively, follow the steps described below to install the relayd packages over the new wwan wireless link.

Updated with new screenshots from OpenWrt 21.02.

To build a simple Wi-Fi repeater (a device that extends the same Wi-Fi network's coverage) it's a good choice to use the same Wi-Fi network name (SSID) 
as the one of your main router along with the same encryption, password, and so on. This ensures that the wireless devices connected to your (wider) network will automatically 
stay connected to the best Wi-Fi network.

Alternatively, you can also choose to have a different SSID name/encryption/password.

Setting up a Wi-Fi network at this stage is not necessary if you just want a "Wi-Fi bridge", i.e. a device designed only to connect Ethernet devices to your existing Wi-Fi network.

For simplicity and best chance of success, the instructions below are only for setting up a Wifi bridge device. A computer with an ethernet connection is required.



LAN Interface


As shown in the above image, the LAN interface must be set in a different subnet than the Wi-Fi network you are connecting to.

  • Do NOT wire the router to your main router.
  • Reset the router to return to default openwrt settings.
  • Connect a computer to a LAN port and log into LuCI web UI at 192.168.1.1.
  • Set LAN protocol as static address (default setting)
  • Assign an IP address in a different subnet (e.g. 192.168.2.1). Click Save.
  • Disable DHCP for the LAN interface (it would prevent relayd from working). Click Save.
  • (May be required in certain cases) Set the Gateway address and "Use custom DNS servers" to the IP address of the primary router (e.g. 192.168.1.1).
  • Click Save and Apply.
  • Set your PC's ethernet port with a static IP 192.168.2.10 and default gateway 192.168.2.1, then connect again to the router ethernet.


When you finish all of the following steps, remember to reset your PC's IP address back to the original address (or DHCP), otherwise you won't have 
Internet access! (note: The router won't route traffic from the 192.168.2.0/24 subnet)

Wi-Fi


We will now set up the client Wi-Fi network, the configuration needed to connect to another Wi-Fi network.

  • Disconnect any ethernet cable between this router and the main router
  • Navigate to the wireless networks page, and click on Scan button for the desired radio.

Login http://ip-address/cgi-bin/luci/ → Network → Wireless → Wireless Overview → radio0 (Generic 802.11bg) → click the Scan button

  • Choose the Wi-Fi network you want to connect to from the page and click Join Network.
  • Enter the Wi-Fi password, leave the "name of new network" as "wwan" and select lan firewall zone.
  • Click Save.
  • Click Save & Apply.

You will land in the client Wi-Fi settings page. Edit as required.
The most important settings are on the Operating Frequency line.

  • Set the Mode to Legacy if you are connecting to a Wi-Fi g network, or N if you are connecting to a Wi-Fi n (and so on).
  • Set the Width to the same value that you set on the Wi-Fi you are connecting to (to avoid bottlenecking the connection for no reason).
  • Do NOT change the wifi channel number !

  • Go to Network → Firewall.

Click the Save & Apply button.

Warning: These actions will also automatically remove any redundant firewall traffic and port forwarding rules.


For more detail, refer to the OpenWrt documentation at https://openwrt.org/ → Wi-Fi extender / repeater / bridge configuration.



LAN port eth0 connected to the WAN
Login http://ip-address/cgi-bin/luci/
Go to → Network → Interfaces → LAN → click Edit → Interfaces → LAN → tab Physical Settings → Interface → unselect **Ethernet Adapter: "eth0" (lan)** → click Save
Go to → Network → Interfaces → WAN or Add new interface... (WAN) → click Edit → Interfaces → WAN → tab Physical Settings → Interface → select **Ethernet Adapter: "eth0" (WAN)** → click Save
Go to → Network → Firewall → Firewall - Zone Settings → wan → click Edit → Covered networks → WAN → click Save → then click Save & Apply

Accessing the modem through the router
This article relies on the following:

  • Accessing the web interface / command-line interface
  • Managing configs / packages / services / logs

  • web interface: see https://openwrt.org/ → Log into your router running OpenWrt
  • command-line interface: see https://openwrt.org/ → SSH access for newcomers
  • configs: see https://openwrt.org/ → The UCI system
  • packages: see https://openwrt.org/ → Managing packages
  • services: see https://openwrt.org/ → Managing services
  • logs: see https://openwrt.org/ → Managing services

Introduction

  • This how-to describes the method for accessing the modem connected to your OpenWrt router.
  • It helps to reach the administrative interface of a DSL/DOCSIS modem operating in the bridge mode.
  • The prerequisite is to know the modem's IP address, port/protocol and username/password.

Goals 

  • Access the modem operating in the bridge mode through the router.

Web interface instructions
Assuming your modem's IP address is 192.168.100.1 and it is connected to the router's WAN interface.

  1. Navigate to LuCI → Network → Interfaces.
  2. Click Add new interface... and specify:
    • Name: modem
    • Protocol: Static address
    • Interface: @wan
  3. Click Create interface.
  4. On the General Settings tab specify:
    • IPv4 address: 192.168.100.2
    • IPv4 netmask: 255.255.255.0
  5. Navigate to LuCI → Network → Firewall.
  6. Under General Settings tab, scroll down to Zones.
  7. Edit the wan zone.
    • Open Covered Networks list box.
    • Add modem
  8. Click Save, then Save & Apply.

At this point the modem should be reachable from any host in the LAN.


Command-line instructions
Assuming your modem's IP address is 192.168.100.1 and it is connected to the router's WAN interface.

Set up a static WAN alias and assign it to the wan zone.

# Configure firewall
uci add_list firewall.@zone[1].network="modem"
uci commit firewall
/etc/init.d/firewall restart

# Configure network
uci -q delete network.modem
uci set network.modem="interface"
uci set network.modem.device="@wan"
uci set network.modem.proto="static"
uci set network.modem.ipaddr="192.168.100.2"
uci set network.modem.netmask="255.255.255.0"
uci commit network
/etc/init.d/network restart


For more information go to https://openwrt.org/ → WAN (Internet access)



NAT examples
The fw4 application has extensive support for NAT filtering. NAT is a powerful feature and is credited with extending the life of the IPv4 protocol.

As with the other firewall sections, this section will not delve into NAT background and theory. Some useful links for this are:

https://www.netfilter.org/documentation/HOWTO/NAT-HOWTO.html
https://www.karlrupp.net/en/computer/nat_tutorial
https://www.systutorials.com/816/port-forwarding-using-iptables/
OpenWrt supports DNAT, SNAT, MASQUERADING.

NAT diagnostics
See Netfilter Management for analyzing the netfilter rules and investigating conntrack sessions.

NAT example configurations
This section contains typical uses of the fw4 NAT features.

Port forwarding for IPv4 (DNAT)
The goal of this rule is to redirect all WAN-side SSH access on port 2222 to the SSH port (22) of a single LAN-side station.

config redirect
option target DNAT
option src wan
option dest lan
option proto tcp
option src_dport 2222
option dest_ip 192.168.10.20
option dest_port 22
option enabled 1
To test from a WAN-side station (STA1), SSH on port 2222 to a non-existent IPv4 address on the LAN-side network:

ssh -p 2222 192.168.10.13 hostname; cat /proc/version
When the rule is enabled STA2 will reply with its hostname and kernel version. When the rule is disabled, the connection is refused.

The passionate reader will ask "So what netfilter rules does this create?"

iptables -t nat -A zone_wan_prerouting -p tcp -m tcp --dport 2222 -m comment --comment "!fw3: @redirect[0]" -j DNAT --to-destination 192.168.10.20:22
...
iptables -t nat -A zone_lan_prerouting -p tcp -s 192.168.10.0/255.255.255.0 -d 192.168.3.185/255.255.255.255 -m tcp --dport 2222 -m comment --comment "!fw3: @redirect[0] (reflection)" -j DNAT --to-destination 192.168.10.20:22
The first rule matches packets coming in on the WAN-side interface on TCP port 2222 and jumps to the DNAT target to translate the destination to 192.168.10.20:22. 
The second rule matches packets coming in on the LAN-side interface destined for the WAN-side address on TCP port 2222. The DNAT target uses the same --to-destination parameters 
as the first rule to find the "reflection" in the conntrack table.

The next thought of the passionate reader is "So what is IN the conntrack table?"

ipv4 2 tcp 6 117 TIME_WAIT src=192.168.3.171 dst=192.168.10.13 sport=51390 dport=2222 packets=21 bytes=4837 src=192.168.10.20 dst=192.168.3.171 sport=22 dport=51390 packets=23 bytes=4063 [ASSURED] mark=0 use=2
This record shows the WAN-side src=STA1 and dst=192.168.10.13:2222, and in the reverse direction the LAN-side src=STA2:22 and dst=STA1.

DNAT to translate a LAN-side address on the WAN-side
This redirect rule will cause the router to translate the WAN-side source of 1.2.3.4 to the LAN-side STA2 and route the ICMP echo to it. The rule is reflexive in that STA2 will be translated back to 1.2.3.4 on the WAN-side.

config redirect
option src wan
option src_dip 1.2.3.4
option proto icmp
option dest lan
option dest_ip 192.168.10.20
option target DNAT
option name DNAT-ICMP-WAN-LAN
option enabled 1
LAN-side public server


Due to the high visibility of a public server, it may warrant putting it/them in a fw4 DMZ.
All redirection requires some form of NAT and connection tracking. For public servers behind the firewall the DNAT target is used to 
translate the public IP address on the WAN-side to the private address of the server in the LAN-side.

config redirect
option target DNAT
option src wan
option src_dport 25
option proto tcp
option family ipv4
option dest lan
option dest_ip 192.168.10.20
option dest_port 2525
option name DNAT-MAIL-SERVER
option enabled 1
In this example, STA2 is running an email server (e.g. postfix) listening on port 2525 for incoming email.

This redirect rule states: redirect any incoming traffic from the wan on port 25 to STA2 port 2525.

To verify what is going on, dump /proc/net/nf_conntrack to observe the dynamic connection for incoming traffic. There can be quite a few conntrack records in it, so we will search on just the ones using port 2525:

...
ipv4 2 tcp 6 7436 ESTABLISHED src=192.168.3.171 dst=192.168.3.11 sport=41370 dport=25 packets=4 bytes=229 src=192.168.10.20 dst=192.168.3.171 sport=2525 dport=41370 packets=3 bytes=164 [ASSURED] mark=0 use=2
...
The connection comes from STA1 to the DUT on port 25 and is translated to STA2 on port 2525, with the response destined for STA1.

The relevant traffic matches the DNAT conntrack state which is allowed to traverse zones by OpenWrt firewall, so no extra permissive rules are required.

Source NAT (SNAT)
The goal of this rule is to translate the source IP address from a real station to a fictitious one on port 8080.

config redirect
option target SNAT
option src lan
option dest wan
option proto tcp
option src_ip 192.168.10.20
option src_dip 192.168.10.13
option dest_port 8080
option enabled 1
To test:

  • Use netcat to listen on STA1, the WAN-side station: nc -l 8080
  • Use netcat to connect from STA2, the LAN-side station: nc -v 192.168.3.171 8080

Type something on the LAN-side station and see it echoed on the WAN-side station. Check the connection on the WAN-side station using netstat -ntap and see the line:

tcp 0 0 192.168.3.171:8080 192.168.10.13:47970 ESTABLISHED 16746/nc
The WAN-side station shows the SNAT address connecting to it on port 8080!

When used alone, Source NAT is used to restrict a computer's access to the internet while allowing it to access a few services by forwarding what appears 
to be a few local services, e.g. NTP, to the internet. While DNAT hides the local network from the internet, SNAT hides the internet from the local network.

MASQUERADE
This is the most used and useful NAT function. It translates a local private network on the LAN-side to a single public address/port number on the WAN-side 
and then the reverse. It is the default firewall configuration for every IPv4 router. As a result it is a very simple fw4 configuration.

The LAN-side uses a private network. The router translates the private addresses to the router address:port and the netfilter conntrack module manages the connection.

The masquerade is set on the WAN-side zone:

config zone
option name 'wan'
list network 'wan'
....
option masq '1'
Simple, no?

The router will generally get its WAN ip address from the upstream DHCP server and be the DHCP server (and usually DNS server) for LAN stations. 
The network configuration file defines the private network and the dhcp configuration file defines how the OpenWrt router assigns LAN-side IPv4 addresses.

When MASQUERADE is enabled, all forwarded traffic between WAN and LAN is translated. Essentially, there is very little that can go wrong with the MASQUERADE firewall rules.

Dump /proc/net/nf_conntrack to inspect the current MASQUERADE connections. The following connection tracks SSH (22) access from STA1 to STA2.

ipv4 2 tcp 6 4615 ESTABLISHED src=192.168.3.171 dst=192.168.10.20 sport=60446 dport=22 packets=27 bytes=1812 src=192.168.10.20 dst=192.168.3.171 sport=22 dport=60446 packets=21 bytes=2544 [ASSURED] mark=0 use=2
MASQUERADE supports two or more private LAN zones.
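The conntrack records quoted in the DNAT port-forward, mail-server and MASQUERADE sections above all follow the same layout: an origin tuple followed by a reply tuple, and any NAT shows up as a difference between the reply and the mirror image of the origin. The following Python script is an added example, not from this manual or from OpenWrt; it parses those three records (copied from the page) plus one constructed LAN-to-WAN record and reports which side of each flow the router rewrote. Note that the SSH record from the MASQUERADE section has a reply tuple that exactly mirrors its origin, so the script reports no translation for it; masquerading rewrites the source of LAN-to-WAN flows, which is what the constructed fourth record shows.

```python
import re

# Conntrack records copied from this manual's DNAT and MASQUERADE sections, plus one
# CONSTRUCTED LAN-to-WAN record (last line) showing what a masqueraded flow looks like.
SAMPLE_CONNTRACK = """\
ipv4 2 tcp 6 117 TIME_WAIT src=192.168.3.171 dst=192.168.10.13 sport=51390 dport=2222 packets=21 bytes=4837 src=192.168.10.20 dst=192.168.3.171 sport=22 dport=51390 packets=23 bytes=4063 [ASSURED] mark=0 use=2
ipv4 2 tcp 6 7436 ESTABLISHED src=192.168.3.171 dst=192.168.3.11 sport=41370 dport=25 packets=4 bytes=229 src=192.168.10.20 dst=192.168.3.171 sport=2525 dport=41370 packets=3 bytes=164 [ASSURED] mark=0 use=2
ipv4 2 tcp 6 4615 ESTABLISHED src=192.168.3.171 dst=192.168.10.20 sport=60446 dport=22 packets=27 bytes=1812 src=192.168.10.20 dst=192.168.3.171 sport=22 dport=60446 packets=21 bytes=2544 [ASSURED] mark=0 use=2
ipv4 2 tcp 6 431999 ESTABLISHED src=192.168.10.20 dst=142.251.220.78 sport=44444 dport=443 packets=10 bytes=1500 src=142.251.220.78 dst=192.168.3.11 sport=443 dport=44444 packets=9 bytes=4200 [ASSURED] mark=0 use=2
"""

KEY_VALUE = re.compile(r"(\w+)=(\S+)")
TUPLE_KEYS = ("src", "dst", "sport", "dport")


def parse_record(line):
    """Split one nf_conntrack line into its origin tuple and its reply tuple.

    Each record carries two src/dst/sport/dport groups: the first describes the
    packet that opened the flow, the second the packet expected in reply.
    """
    fields = line.split()
    tuples = []
    for key, value in KEY_VALUE.findall(line):
        if key == "src":
            tuples.append({})          # a new src= token starts the next tuple
        if key in TUPLE_KEYS and tuples:
            tuples[-1][key] = value
    if len(tuples) != 2:
        raise ValueError("expected origin and reply tuples in: " + line)
    # The TCP state (ESTABLISHED, TIME_WAIT, ...) is the one all-caps bare token.
    state = next((f for f in fields if f.isupper() and "=" not in f and not f.startswith("[")), None)
    return {"proto": fields[2], "state": state, "orig": tuples[0], "reply": tuples[1]}


def classify_nat(rec):
    """Without NAT the reply tuple is the exact mirror of the origin tuple.

    If the reply's source differs from the origin's destination, the router
    rewrote the destination (DNAT). If the reply's destination differs from the
    origin's source, it rewrote the source (SNAT / MASQUERADE).
    """
    o, r = rec["orig"], rec["reply"]
    dnat = snat = None
    if (r["src"], r["sport"]) != (o["dst"], o["dport"]):
        dnat = f"{o['dst']}:{o['dport']} -> {r['src']}:{r['sport']}"
    if (r["dst"], r["dport"]) != (o["src"], o["sport"]):
        snat = f"{o['src']}:{o['sport']} -> {r['dst']}:{r['dport']}"
    return dnat, snat


def summarize(text):
    """One summary dict per non-empty conntrack line."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        dnat, snat = classify_nat(rec)
        if dnat and snat:
            kind = "DNAT+SNAT"
        elif dnat:
            kind = "DNAT"
        elif snat:
            kind = "SNAT/MASQUERADE"
        else:
            kind = "no translation"
        o = rec["orig"]
        rows.append({
            "proto": rec["proto"],
            "state": rec["state"],
            "flow": f"{o['src']}:{o['sport']} -> {o['dst']}:{o['dport']}",
            "kind": kind,
            "translation": dnat or snat,
        })
    return rows


if __name__ == "__main__":
    for row in summarize(SAMPLE_CONNTRACK):
        print(f"{row['proto']:<5}{row['state'] or '-':<12}{row['flow']:<42}{row['kind']:<17}{row['translation'] or ''}")
```

Running the script against a live table (for example `cat /proc/net/nf_conntrack` piped into `summarize`) gives a quick audit of which flows the router is actually translating, which is the first thing to check when a port forward or masquerade rule does not behave as the configuration suggests.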

Transparent proxy rule (external)
Not tested.

The following rule redirects all LAN-side HTTP traffic through an external proxy at 192.168.1.100 listening on port 3128. 
It assumes the lan address to be 192.168.1.1 - this is needed to masquerade redirected traffic towards the proxy.

config redirect
option src lan
option proto tcp
option src_ip !192.168.1.100
option src_dport 80
option dest_ip 192.168.1.100
option dest_port 3128
option target DNAT

config redirect
option dest lan
option proto tcp
option src_dip 192.168.1.1
option dest_ip 192.168.1.100
option dest_port 3128
option target SNAT
FTP passthrough
See also: kmod-nf-nathelper

opkg update
opkg install kmod-nf-nathelper
/etc/init.d/firewall restart
SIP passthrough
See also: kmod-nf-nathelper-extra

opkg update
opkg install kmod-nf-nathelper-extra
/etc/init.d/firewall restart

Login http://ip-address/cgi-bin/luci/ Go to → Network → Firewall → Port Forwards → Add → NAT Port forwarding → ...................................

For more information go to https://openwrt.org/ → Router vs switch vs gateway and NAT



4G-Router / Mini-Router: the eth0-connected switch port supports an 802.1Q trunk

By default the VLAN ID is configured in the LAN zone configuration; br-lan is assigned to eth0 on a mini-router or 4G-router.

Below is an example of the router's VLAN ID and IP address configuration commands:

  • show-vlan-trunk   display the br-lan IP address and prefix (subnet) and MAC address information (br-lan carries no VLAN tag)
  • set-vlan-dhcp     configure a VLAN-ID interface as a DHCP client
  • set-vlan-trunk    configure a VLAN-ID interface with a static IP address and prefix (subnet)
  • set-vlan-muilt    configure more than one VLAN-ID interface, each with a static IP address and prefix (each VLAN ID must be a different network; they must NOT overlap)

Below is the managed switch interface fa1/0/13 configuration as an 802.1Q trunk connected to the VPN-Lite router LAN port:

Switch#show running-config interface fa1/0/13
Building configuration...

Current configuration : 97 bytes
!
interface FastEthernet1/0/13
switchport trunk encapsulation dot1q
switchport mode trunk
end

Switch#show ip interface brief 
Interface IP-Address OK? Method Status Protocol 
Vlan1000 10.0.0.230 YES NVRAM up up 
....................................


Switch#ping 10.0.0.228

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.228, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/3/9 ms
Switch#ping 192.168.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms
Switch#

root@VPN-Lite:~# show-ip-interface

lo inet 127.0.0.1/8
br-lan inet 192.168.1.1/24
br-wwan inet 172.31.255.228/24
br-vlan_1000 inet 10.0.0.228/24


lo inet6 ::1/128
br-lan inet6 fe80::e695:6eff:fe46:f083/64
br-vlan_1000 inet6 fe80::e695:6eff:fe46:686e/64

The switch supports 802.1Q (trunk encapsulation dot1q) on the switch port connected to a 4G-VPN-Lite Router or Mini-VPN-Lite Router.
The untagged VLAN connects to the router's br-lan, and VLAN ID 172 (tagged) connects to the router's vlan172.
The switch assigns an untagged VLAN on that switch port, so other devices connected to the router's br-lan reach the internet through VLAN 172.


Example : WAN and LAN use the same LAN Port as below.

root@VPN-Lite:~# set-vlan-trunk
Please type vlan id number here: (VLAN-ID 2-4000)
172

Please type IP ADDRESS here:
172.31.255.111

Please type SUBNET prefix here: (by default 24 range 8-30)
24

push ENTER KEY


root@VPN-Lite:~#

Login  http://ip-address/cgi-bin/luci/
Go to → Network → Firewall → Firewall - Zone Settings → WAN unselect Masquerading → LAN => vlan_172 → Save → Save & Apply
Go to → Network → Firewall → Firewall - Zone Settings → vlan_172 select Masquerading → Save → Save & Apply

br-lan reaches the internet through VLAN 172:

root@VPN-Lite:~# cat /etc/config/network

config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'

config interface 'lan'
option type 'bridge'
option ifname 'eth0'
option proto 'static'
option ipaddr '192.168.200.1'
option netmask '255.255.255.0'
option ip6assign '60'

config device 'lan_eth0_dev'
option name 'eth0'

config device
option type '8021q'
option ifname 'eth0'
option vid '172'
option name 'vlan172'

config interface 'vlan_172'
option type 'bridge'
option ifname 'vlan172'
option macaddr 'c0:c9:e3:ec:f2:70'
option proto 'static'
option ipaddr '172.31.255.111'
option netmask '255.255.255.0'
option gateway '172.31.255.254'
list dns '8.8.8.8'
option broadcast '172.31.255.255'

root@VPN-Lite:~#
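The network config above is OpenWrt's UCI text format, and the firewall zone steps above encode a small design rule: masquerading belongs only on the zone that carries the default route (vlan_172 here), and that zone should not accept all inbound traffic to the router. As an added example (Python, not part of the router firmware), the following parses UCI text and lints a firewall config against the network config. NETWORK_CFG is copied from the output above; FIREWALL_OK and FIREWALL_BAD are constructed /etc/config/firewall fragments, one matching the steps above and one with the typical mistakes.

```python
"""Parse OpenWrt UCI text and lint firewall zones against the network config (added example)."""
import shlex
from collections import defaultdict

# Copied from `cat /etc/config/network` above (loopback and device sections omitted).
NETWORK_CFG = """
config interface 'lan'
    option proto 'static'
    option ipaddr '192.168.200.1'

config interface 'vlan_172'
    option proto 'static'
    option ipaddr '172.31.255.111'
    option gateway '172.31.255.254'
    list dns '8.8.8.8'
"""

# Constructed firewall fragment matching the LuCI steps: wan masq off, vlan_172 masq on.
FIREWALL_OK = """
config zone
    option name 'lan'
    list network 'lan'
    option input 'ACCEPT'

config zone
    option name 'wan'
    list network 'wan'
    option input 'REJECT'
    option masq '0'

config zone
    option name 'vlan_172'
    list network 'vlan_172'
    option input 'REJECT'
    option masq '1'
"""

# Constructed mistakes: masquerading on the inside zone, off on the upstream zone,
# and the upstream zone accepting all inbound traffic to the router itself.
FIREWALL_BAD = """
config zone
    option name 'lan'
    option network 'lan'
    option input 'ACCEPT'
    option masq '1'
config zone
    option name 'vlan_172'
    option network 'vlan_172'
    option input 'ACCEPT'
    option masq '0'
"""


def parse_uci(text):
    """Return UCI sections as dicts: {"type", "name", "options", "lists"}."""
    sections, cur = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        words = shlex.split(raw, comments=True)  # honours the single-quoted values
        if not words:
            continue
        kw = words[0]
        if kw == "config":
            cur = {"type": words[1], "name": words[2] if len(words) > 2 else None,
                   "options": {}, "lists": defaultdict(list)}
            sections.append(cur)
        elif kw in ("option", "list"):
            if cur is None:  # the same error uci prints in the set-ovpn-s-t-s-peer output
                raise ValueError(f"{kw} command found before the first section at line {lineno}")
            value = words[2] if len(words) > 2 else ""
            if kw == "option":
                cur["options"][words[1]] = value
            else:
                cur["lists"][words[1]].append(value)
        else:
            raise ValueError(f"unknown keyword {kw!r} at line {lineno}")
    return sections


def upstream_interfaces(network_sections):
    """Interfaces carrying a static default gateway, i.e. the path to the internet."""
    return {s["name"] for s in network_sections
            if s["type"] == "interface" and "gateway" in s["options"]}


def lint_firewall(firewall_sections, upstream):
    """Return findings; an empty list means the zones match the trunk design."""
    findings = []
    for z in (s for s in firewall_sections if s["type"] == "zone"):
        opts, name = z["options"], z["options"].get("name", "?")
        # zones list their interfaces either as 'list network' or one 'option network'
        nets = set(z["lists"].get("network", [])) | set(opts.get("network", "").split())
        faces_internet, masq = bool(nets & upstream), opts.get("masq") == "1"
        if faces_internet and not masq:
            findings.append(f"zone {name} carries the default route but masquerading is off")
        if masq and not faces_internet:
            findings.append(f"zone {name} masquerades although it holds no upstream interface")
        if faces_internet and opts.get("input", "REJECT").upper() == "ACCEPT":
            findings.append(f"zone {name} accepts all inbound traffic to the router; "
                            "allow only the needed ports with a traffic rule")
    return findings
```

On a router, feed `open("/etc/config/network").read()` and `open("/etc/config/firewall").read()` to the two parsers; the upstream set is derived from whichever interface holds the static gateway, so the same check works after `set-vlan-trunk` moves the default route from wan to vlan_172.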

root@VPN-Lite:~# ping -c 3 google.com
PING google.com (142.251.220.78): 56 data bytes
64 bytes from 142.251.220.78: seq=0 ttl=115 time=15.107 ms
64 bytes from 142.251.220.78: seq=1 ttl=115 time=14.617 ms
64 bytes from 142.251.220.78: seq=2 ttl=115 time=16.045 ms

--- google.com ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 14.617/15.256/16.045 ms
root@VPN-Lite:~#


192.168.1.1/24 br-lan Router1 WAN 172.16.0.1/30 connected to 172.16.0.2/30 WAN Router2 br-lan 192.168.2.1/24

The firewall configuration on Router1 and Router2 must allow LAN-to-WAN and WAN-to-LAN forwarding between the two routers.
Login http://ip-address/cgi-bin/luci/
Go to → Network → Firewall → Firewall - Zone Settings → LAN => WAN → Save → Save & Apply
Go to → Network → Firewall → Firewall - Zone Settings → WAN => LAN → Save → Save & Apply

Router1 br-lan 192.168.1.0/24 route to Router2 br-lan 192.168.2.0/24
Router2 br-lan 192.168.2.0/24 route to Router1 br-lan 192.168.1.0/24

Static Route  GUI 
Router1 
Login http://ip-address/cgi-bin/luci/
Go to → Network → Static Routes → Static IPv4 Routes - Add → Interface : WAN → Target 192.168.2.0 → IPv4-Netmask: 255.255.255.0 → IPv4-Gateway: 172.16.0.2 → Save → Save & Apply
Router2
Login http://ip-address/cgi-bin/luci/
Go to → Network → Static Routes → Static IPv4 Routes - Add → Interface : WAN → Target 192.168.1.0 → IPv4-Netmask: 255.255.255.0 → IPv4-Gateway: 172.16.0.1 → Save → Save & Apply

OR
Static Route  CLI
root@Router1:~# vtysh
Router1# configure terminal
Router1(config)# ip route 192.168.2.0/24 172.16.0.2
Router1(config)# end
Router1# write
Router1# exit
root@Router1:~#

root@Router2:~# vtysh
Router2# configure terminal
Router2(config)# ip route 192.168.1.0/24 172.16.0.1
Router2(config)# end
Router2# write
Router2# exit
root@Router2:~#

OSPF
root@Router1:~# vtysh
Router1# configure terminal
Router1(config)# router ospf
Router1(config-router)# network 172.16.0.0/30 area 0.0.0.0
Router1(config-router)# network 192.168.1.0/24 area 0.0.0.0
Router1(config-router)# end
Router1# write
Router1# exit
root@Router1:~#

root@Router2:~# vtysh
Router2# configure terminal
Router2(config)# router ospf
Router2(config-router)# network 172.16.0.0/30 area 0.0.0.0
Router2(config-router)# network 192.168.2.0/24 area 0.0.0.0
Router2(config-router)# end
Router2# write
Router2# exit
root@Router2:~#

This page gives a simple example only and does not cover redistribution between different dynamic routing protocols.
For OSPF, RIP, BGP or IS-IS routing protocol theory, please consult the protocol documentation or search the internet.

 


MAC OS

  • Open System Preferences
  • Open Energy Saver
  • Click on Power Adapter
  • Enable "Wake for network access"

This only wakes the Mac from sleep, not from a full shutdown.

Linux


Install ethtool:
sudo apt-get install ethtool -y

Find the interface name and its MAC address:
ip a

Check the current setting (Wake-on: d means disabled, g means wake on magic packet) and then enable it:
sudo ethtool INTERFACE | grep Wake-on
sudo ethtool -s INTERFACE wol g

On the machine that will send the magic packet, install the wakeonlan tool:
sudo apt-get install wakeonlan -y

Send a magic packet to the MAC address of the sleeping machine:
wakeonlan MAC

The ethtool setting is lost at reboot, so create a systemd service that re-applies it at boot:
sudo vim /etc/systemd/system/wol.service

Configure the wol service:
[Unit]
Description=Configure Wake On LAN

[Service]
Type=oneshot
ExecStart=/sbin/ethtool -s INTERFACE wol g

[Install]
WantedBy=basic.target

Reload systemd:
sudo systemctl daemon-reload

Enable and start the wol.service:
sudo systemctl enable wol.service; sudo systemctl start wol.service

 


Wake-on-LAN

Just to give you a quick overview of why you would find this useful:

  • On-demand access to files and resources on a network - you don't have to keep a computer turned on all the time.
  • Energy efficiency - you will see a reduction in your utility bills since you don't have to keep your system on all the time.
  • Great for remotely managing a computer, so you can access a computer that might be across the room or upstairs.

How does it work?

With Wake-on-LAN enabled, the network adapter keeps listening while the computer is in sleep mode for a "magic packet" that contains its own MAC address.
The computer can be woken up by sending it a magic packet from another device on the same network. The magic packet carries no authentication: anyone who can send a broadcast on that network segment can wake the machine.

What are the requirements?

Your computer might not meet all the requirements for this feature, which include the following:

  • Ethernet connection.
  • The sending computer and the sleeping computer on the same local network (broadcast domain).
  • The computer must be in either Sleep or Hibernation mode for this to work.
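The magic packet described above is simple enough to build and recognise by hand. The following Python is an added example for this manual, not the router's enable-wol-multi tooling: it builds a magic packet (optionally with a SecureOn password), sends it as a UDP broadcast on port 9, and parses UDP payloads to recognise WoL traffic. The sample payloads are constructed; the MAC address is derived from the br-lan link-local address shown earlier on the page (EUI-64 reversed).

```python
"""Build, send and recognise Wake-on-LAN magic packets (added example)."""
import re
import socket


def mac_to_bytes(mac):
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabbccddeeff."""
    hexdigits = re.sub(r"[:\-.]", "", mac)
    if not re.fullmatch(r"[0-9a-fA-F]{12}", hexdigits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return bytes.fromhex(hexdigits)


def build_magic_packet(mac, password=b""):
    """Magic packet = 6 x 0xFF sync stream + 16 copies of the MAC, optionally followed
    by a 4- or 6-byte SecureOn password (the only 'authentication' WoL offers)."""
    if len(password) not in (0, 4, 6):
        raise ValueError("SecureOn password must be 4 or 6 bytes")
    return b"\xff" * 6 + mac_to_bytes(mac) * 16 + password


def parse_magic_packet(payload):
    """Return the target MAC as 'aa:bb:cc:dd:ee:ff' if payload is a well-formed magic
    packet, else None. Useful for spotting WoL traffic in captured UDP payloads."""
    if len(payload) not in (102, 106, 108) or payload[:6] != b"\xff" * 6:
        return None
    mac = payload[6:12]
    if payload[6:102] != mac * 16:
        return None
    return ":".join(f"{b:02x}" for b in mac)


def send_magic_packet(mac, broadcast="255.255.255.255", port=9, password=b""):
    """Send the packet as a UDP broadcast. WoL is a layer-2 feature, so the sender must
    sit on the same broadcast domain (br-lan on the router) as the sleeping host."""
    packet = build_magic_packet(mac, password)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        s.sendto(packet, (broadcast, port))
    return len(packet)


# Constructed sample of UDP payloads as they might be captured on br-lan: one real
# magic packet, one ordinary datagram, one with a corrupted MAC repetition.
SAMPLE_PAYLOADS = [
    build_magic_packet("e4:95:6e:46:f0:83"),
    b"hello router",
    b"\xff" * 6 + bytes.fromhex("e4956e46f083") * 15 + b"\x00" * 6,
]


def wol_targets(payloads):
    """MAC addresses targeted by the magic packets among the payloads."""
    return [m for m in map(parse_magic_packet, payloads) if m]
```

`send_magic_packet("e4:95:6e:46:f0:83", broadcast="192.168.1.255")` from a host on br-lan does what the wakeonlan tool does; `wol_targets` is the detection side, for example over payloads pulled from a packet capture when you want to know who is waking machines on the segment.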

Enabling Wake on LAN on Windows 10

Press Windows key + X to bring up the hidden quick access menu and select Device Manager.

Expand Network adapters in the device tree, select your Ethernet adapter, right-click it, and select Properties.

Then select the Power Management tab and check off all three boxes shown below.

[y] Allow the computer to turn off this device to save power
[y] Allow this device to wake the computer
[y] Only allow a magic packet to wake the computer

Next, select the Advanced tab, scroll down in the Property box, select Wake on Magic Packet, ensure it is enabled in the Value list box, and click OK.

Select Wake on Magic Packet → Value: Enabled → OK

How to Configure Wake on LAN

To make things easy, there is a small free utility simply called Wake-on-LAN.

This handy utility requires minimal setup and is easy to configure.

Have the MAC address ready for the remote computer that you would like to wake up. To find the MAC address, ensure the PC is connected to your 
router via a wired Ethernet connection. Disconnect any wireless connections you may have been using.

Open the Network and Sharing Center from the Settings menu. In the upper-right pane, click on the Ethernet connection. In the Ethernet Status window,
click Details, and then you will see the physical (MAC) address.

After downloading and installing Wake-on-LAN, launch the utility and select File > New Host.

Under the Display Properties tab, enter the name of the machine and a group name if you wish.

Select Wake Up tab and enter the following information:

  • MAC Address of the remote machine
  • Select Broadcast IP
  • For broadcast, leave the default.
  • Enter the machine hostname for FQDN/IP - you can find this information for the remote machine under Windows key + X > System > Computer name:
  • Click in the IPv4 list box and select your physical Ethernet adapter
  • Click OK

How to wake up a computer:

Right-click the computer in the Wake on LAN utility and select "Wake Up" from the list.

That's it! If you have problems getting this to work, check the troubleshooting tips below.

Troubleshooting Wake-on-LAN

If the computer is not waking up, there might be a couple of reasons.

Wake-on-LAN needs to be enabled in the computer BIOS or Firmware. To do that, you will need to consult your computer's documentation about loading your BIOS.

ThinkPad BIOS: power on and press F1 > Config tab > Network > Wake On LAN: [AC Only] or [AC and Battery] > F10 to save and exit

For more information, search the internet for "wake on lan" together with your operating system name.

The LAN or Ethernet port must be on a switch port in the same VLAN as the devices to be woken. The router's Wake-on-LAN supports only the local br-lan network on the eth0 Ethernet port.

Enable Remote Desktop on Windows 11 from Settings
Open Settings on Windows 11 → Click on System → Click the Remote Desktop page → Turn on the Remote Desktop toggle switch → Confirm your action in the pop-up window.
Once done, the PC accepts RDP connections. To connect to the remote machine you can use, for example, the new Remote Desktop app or the classic Remote Desktop Connection.
Remote Desktop should only be reachable over the LAN or the VPN tunnel; do not port-forward it from the WAN.


MAC Enable or disable remote management using System Preferences
On the client computer, choose Apple menu > System Preferences, then click Sharing.
If you see a lock icon, click it and enter the name and password of a user with administrator privileges on the computer.
Select or deselect the Remote Management checkbox.

SSH into the Mini-Router or 4G-Router and use the router's Wake-on-LAN commands:
enable-wol-multi   Sets up Wake-on-LAN for the devices connected on the br-lan interface; all devices must allow ping.
sh wol-multi-on    This script is in the /root directory. It is a one-time call that wakes all the devices with Wake-on-LAN.

To shut down a Windows system, run shutdown /f /s /t 0 (a built-in Windows command; save it as Shutdown.bat and double-click it to shut down).



OpenVPN Site-to-Site tunnel with auto-generated OSPF routes between the tunnel interface and br-lan (NOT SUPPORTED together with VRRP and Layer 2 VPN on the same router).

The OpenVPN site-to-site tunnel uses two different network designs for a multi-site setup with one server (hub) and two or more remote client (spoke) sites.
Example: the hub or server site uses the 192.168.1.0/24 network on its br-lan interface and the spoke or client site uses 192.168.2.0/24 on
its br-lan interface. When adding more spoke or client sites, the next one should use 192.168.3.0/24 on its br-lan interface, and so on. The OpenVPN tunnel network
is a small block such as 192.168.255.0/28 or 172.16.1.0/28. Each tunnel's default prefix length is 30. Example with 172.16.1.0/24: tunnel 1
uses 172.16.1.0/30, tunnel 2 uses 172.16.1.4/30 and tunnel 3 uses 172.16.1.8/30.
The OpenVPN server uses the default UDP port 1194 for tunnel 1, port 1195 for tunnel 2, and so on.

 

4G mobile routers are not recommended for VPN tunnels with OSPF routes because the mobile connection is unstable.
Once the VPN tunnel peers are up, OSPF adjacency takes a few minutes longer to form.

The server (hub) router is connected directly to the internet with the SSH service enabled on the WAN side (the VPN client sites download their configuration files over SSH).
Server or Hub Router
Login → http://ip-address/cgi-bin/luci/ → Go to → System → Administration → SSH Access → Add instance → Interface WAN → Port 2233 → Save → Save & Apply
Login → http://ip-address/cgi-bin/luci/ → Go to → Network → Firewall → Firewall - Zone Settings → wan → CHANGE Input reject to accept → Save → Save & Apply
Caution: setting the wan zone Input to accept exposes every service the router listens on, not only SSH, to the whole internet. The narrower choice is to keep Input at reject and add a Traffic Rule (Network → Firewall → Traffic Rules) that accepts from the wan zone only the ports actually needed: TCP 2233 for SSH and the OpenVPN UDP port (1194 by default). In either case set a strong root password first, because this SSH instance is reachable from the internet.

Alternatively, the Mini-Router's br-lan 192.168.1.1/24 can sit behind a home internet router at 192.168.1.254/24 that holds the real (public) IP address or DDNS name.
The home internet router then has to port-forward public TCP port 2233 to 192.168.1.1 port 22 (SSH) and UDP ports 1194-1198 to 192.168.1.1 for the
different tunnel interfaces.
Or
The Mini-Router is connected to a switch port that supports 802.1Q trunking, with WAN and LAN on the same LAN port. Please refer to the 802.1Q item above.
Running set-ovpn-s-t-s-server a second time creates tunnel 2; do this for testing only. One tunnel between two routers is recommended.

Client (Spoke) site: PC behind the VPN router
The PC's default gateway is the VPN router's br-lan IP address, 192.168.210.1

C:\>ipconfig

Windows IP Configuration
Ethernet adapter Ethernet:
Connection-specific DNS Suffix . :

IPv4 Address. . . . . . . . . . . : 192.168.210.251
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.210.1


Server (Hub) site: PC behind the VPN router
The PC's default gateway is the VPN router's br-lan IP address, 172.18.255.254

C:\>ipconfig

Windows IP Configuration
Ethernet adapter Ethernet:
Connection-specific DNS Suffix . :

IPv4 Address. . . . . . . . . . . : 172.18.255.251
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 172.18.255.254

 

On the hub (server) router, run the command: set-ovpn-s-t-s-server

The server (hub) router's WAN is on the internet with the public IP address 1.2.3.4 (replace it with your DDNS domain name if you use one).
A client (spoke) router connected to the internet peers with 1.2.3.4 on SSH port 2233 to fetch its configuration and then uses the OpenVPN service.


root@VPN-Lite:~# set-ovpn-s-t-s-server
Server OpenVPN site to site tun1-4 udp port number: ( default 1194 udp )
1194

Server tun1 ip address:
172.18.111.12

##### Please Enter Dynamic DNS (DDNS) Domain Name or internet public ip below: #####
1.2.3.4

## Please enter username (username can not with any punctuation) ##
user1
Changing password for ovpnuser1
New password: yourpassword1
Retype password: yourpassword1

root@VPN-Lite:~#

On each other router (spoke or client), run the command: set-ovpn-s-t-s-peer
The script logs in to the hub over SSH as the OpenVPN user created above and downloads the tunnel configuration and credential (.auth) files with scp. When it shows the hub's SSH host-key fingerprint, compare it with the fingerprint on the hub before answering y.

root@VPN-ROUTER:~# set-ovpn-s-t-s-peer

## Ctrl + C STOP and exit ##
###############################################################
## ##
## Before have to run set-ovpn-s-t-s-server on other rotuer ##
## ##
###############################################################

###############################################################
OpenVPN s-to-s Server the REAL IP Address OR DDNS domain name:
1.2.3.4

###############################################################
Do you need to change SSH default port 22: (change others=y/Y)?
y

###############################################################
Please enter SSH port numebr here:

2233


###############################################################
Please enter OpenVPN username for scp download configure file

user1


Host '1.2.3.4' is not in the trusted hosts file.
(ssh-rsa fingerprint sha1!! 5f:b7:ab:41:fc:87:3c:5f:29:a4:f0:a4:c2:fd:c6:56:ad:ee:fa:df)
Do you want to continue connecting? (y/n) y
ovpnsuser1@1.2.3.4's password: yourpassword1
copenvpn 100% 186 0.2KB/s 00:00
cjob 100% 131 0.1KB/s 00:00
client_site_to_site.auth 100% 636 0.6KB/s 00:00
ovpnsuser1_network 100% 190 0.2KB/s 00:00
server_site_to_site.conf 100% 146 0.1KB/s 00:00
cping-ovpn-172.18.111.2.sh 100% 254 0.3KB/s 00:00
server_site_to_site.auth 100% 636 0.6KB/s 00:00
client_site_to_site.conf 100% 168 0.2KB/s 00:00
ovpnsuser1-s-t-s.info 100% 131 0.1KB/s 00:00
uci: Parse error (option/list command found before the first section) at line 15, byte 8
########################################
# dynamic-routing with br-lan , tun0 #
########################################

---------------------------------------

router ospf
ospf router-id 192.168.210.1
network 172.18.111.0/30 area 0.0.0.0
network 192.168.210.0/24 area 0.0.0.0

---------------------------------------
root@VPN-ROUTER:~#


Wait a few minutes, then verify with the command: show-ovpn-s-t-s-tunnel

show OpenVPN CLIENT Site to Site tunnel

root@VPN-ROUTER:~# show-ovpn-s-t-s-tunnel

##############################################################################
user1 udp 1194 server tun1 172.18.111.2 P-t-P: 172.18.111.1
------------------------------------------------------------------------------

tun1 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:172.18.111.1 P-t-P:172.18.111.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1410 Metric:1
RX packets:27 errors:0 dropped:0 overruns:0 frame:0
TX packets:44 errors:0 dropped:0 overruns:0 carrier:0
RX bytes:4212 (4.1 KiB) TX bytes:4684 (4.5 KiB)

------------------------------------------------------------------------------

interface tun1 MTU:1410 | if MTU is NOT 1410 and repeat it after a minute

------------------------------------------------------------------------------

ping from tun1 172.18.111.1 to server tun1 ip address: 172.18.111.2
PING 172.18.111.2 (172.18.111.2) from 172.18.111.1: 56 data bytes
64 bytes from 172.18.111.2: seq=0 ttl=64 time=29.063 ms
64 bytes from 172.18.111.2: seq=1 ttl=64 time=27.195 ms
64 bytes from 172.18.111.2: seq=2 ttl=64 time=26.583 ms

--- 172.18.111.2 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 26.583/27.613/29.063 ms

------------------------------------------------------------------------------

ping from server br-lan ip add: 192.168.210.1 to other router-id
PING 172.18.255.254 (172.18.255.254) from 192.168.210.1: 56 data bytes
64 bytes from 172.18.255.254: seq=0 ttl=64 time=27.657 ms
64 bytes from 172.18.255.254: seq=1 ttl=64 time=26.176 ms
64 bytes from 172.18.255.254: seq=2 ttl=64 time=26.324 ms
64 bytes from 172.18.255.254: seq=3 ttl=64 time=26.515 ms

--- 172.18.255.254 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 26.176/26.668/27.657 ms

##############################################################################
show ospf database router id of br ip address and check duplicate


Hello, this is Quagga (version 1.1.1).
Copyright 1996-2005 Kunihiro Ishiguro, et al.

VPN-ROUTER# show ip ospf database

OSPF Router with ID (192.168.210.1)

Router Link States (Area 0.0.0.0)

Link ID ADV Router Age Seq# CkSum Link count
10.0.0.10 10.0.0.10 424 0x80000017 0xfe8f 2
10.0.0.15 10.0.0.15 429 0x8000000b 0xc019 1
10.0.0.18 10.0.0.18 1046 0x800000fa 0x7f9c 2
172.16.255.100 172.16.255.100 1143 0x80002a96 0x3dc6 1
172.16.255.254 172.16.255.254 15 0x800210c5 0x28c6 4
172.17.255.254 172.17.255.254 1566 0x80058483 0x7c63 4
172.18.255.254 172.18.255.254 21 0x800ca490 0xf754 5
172.31.255.14 172.31.255.14 431 0x80001a97 0x1ee7 2
172.31.255.26 172.31.255.26 431 0x80000015 0xacdd 2
192.168.199.1 192.168.199.1 407 0x80000420 0x8ed6 3
192.168.210.1 192.168.210.1 13 0x800027be 0xa3ba 3
192.168.211.1 192.168.211.1 1747 0x80000f64 0x438d 3

Net Link States (Area 0.0.0.0)

Link ID ADV Router Age Seq# CkSum
10.0.0.17 172.31.255.26 431 0x8000000c 0x1a3f
172.16.255.100 172.16.255.100 1493 0x80000214 0x3aeb
172.31.255.222 172.18.255.254 458 0x800000fe 0x8237

AS External Link States

Link ID ADV Router Age Seq# CkSum Route
172.16.111.2 172.16.255.100 1263 0x80001b64 0x08a1 E2 172.16.111.2/32 [0x0]
172.16.111.3 172.16.255.100 503 0x80001b64 0xfdaa E2 172.16.111.3/32 [0x0]
172.16.111.4 172.16.255.100 1423 0x80001b62 0xf7b1 E2 172.16.111.4/32 [0x0]
172.16.111.5 172.16.255.100 423 0x80001b63 0xebbb E2 172.16.111.5/32 [0x0]
172.16.111.6 172.16.255.100 993 0x80001b62 0xe3c3 E2 172.16.111.6/32 [0x0]
172.16.111.7 172.16.255.100 1463 0x80001867 0xd8cb E2 172.16.111.7/32 [0x0]
192.168.198.0 172.16.255.100 993 0x800029be 0x50ee E2 192.168.198.0/24 [0x0]

VPN-ROUTER#

root@VPN-ROUTER:~# show-route
====================================================================================
Show Routing Table
====================================================================================


Hello, this is Quagga (version 1.1.1).
Copyright 1996-2005 Kunihiro Ishiguro, et al.

VPN-ROUTER# show ip ospf neighbor

Neighbor ID Pri State Dead Time Address Interface RXmtL RqstL DBsmL
172.18.255.254 200 Full/DROther 34.578s 172.18.111.2 tun1:172.18.111.1 0 0 0
VPN-ROUTER#

====================================================================================


Hello, this is Quagga (version 1.1.1).
Copyright 1996-2005 Kunihiro Ishiguro, et al.

VPN-ROUTER# show ip rip status
VPN-ROUTER#

====================================================================================


Hello, this is Quagga (version 1.1.1).
Copyright 1996-2005 Kunihiro Ishiguro, et al.

VPN-ROUTER# show ip bgp neighbors
VPN-ROUTER#

====================================================================================


Hello, this is Quagga (version 1.1.1).
Copyright 1996-2005 Kunihiro Ishiguro, et al.

VPN-ROUTER# show ip bgp nexthop
Current BGP nexthop cache:
VPN-ROUTER#

====================================================================================


Hello, this is Quagga (version 1.1.1).
Copyright 1996-2005 Kunihiro Ishiguro, et al.

VPN-ROUTER# show isis neighbor
VPN-ROUTER#

====================================================================================

Hello, this is Quagga (version 1.1.1).
Copyright 1996-2005 Kunihiro Ishiguro, et al.

VPN-ROUTER# show ip route
Codes: K - kernel route, C - connected, S - static, R - RIP,
O - OSPF, I - IS-IS, B - BGP, P - PIM, A - Babel,
> - selected route, * - FIB route

K>* 0.0.0.0/0 via 172.17.255.254, wlan0
O>* 10.0.0.0/24 [110/30] via 172.18.111.2, tun1, 00:01:39
C>* 127.0.0.0/8 is directly connected, lo
O>* 172.16.111.2/32 [110/1111] via 172.18.111.2, tun1, 00:01:38
O>* 172.16.111.3/32 [110/1111] via 172.18.111.2, tun1, 00:01:38
O>* 172.16.111.4/32 [110/1111] via 172.18.111.2, tun1, 00:01:38
O>* 172.16.111.5/32 [110/1111] via 172.18.111.2, tun1, 00:01:38
O>* 172.16.111.6/32 [110/1111] via 172.18.111.2, tun1, 00:01:38
O>* 172.16.111.7/32 [110/1111] via 172.18.111.2, tun1, 00:01:38
O>* 172.16.222.4/30 [110/30] via 172.18.111.2, tun1, 00:01:39
O>* 172.16.255.0/24 [110/30] via 172.18.111.2, tun1, 00:01:39
O>* 172.17.111.1/32 [110/40] via 172.18.111.2, tun1, 00:01:39
O>* 172.17.111.2/32 [110/30] via 172.18.111.2, tun1, 00:01:39
O 172.17.255.0/24 [110/30] via 172.18.111.2, tun1, 00:01:39
C>* 172.17.255.0/24 is directly connected, wlan0
O 172.18.111.0/30 [110/20] via 172.18.111.2, tun1, 00:01:39
C>* 172.18.111.0/30 is directly connected, tun1
O 172.18.111.2/32 [110/10] is directly connected, tun1, 00:01:59
C>* 172.18.111.2/32 is directly connected, tun1
O>* 172.18.111.4/30 [110/20] via 172.18.111.2, tun1, 00:00:39
O>* 172.18.255.0/24 [110/20] via 172.18.111.2, tun1, 00:01:39
O>* 172.31.255.0/24 [110/20] via 172.18.111.2, tun1, 00:01:39
O>* 192.168.198.0/24 [110/1111] via 172.18.111.2, tun1, 00:01:38
O>* 192.168.199.0/24 [110/40] via 172.18.111.2, tun1, 00:01:39
O 192.168.210.0/24 [110/10] is directly connected, br-lan, 00:02:08
C>* 192.168.210.0/24 is directly connected, br-lan
O>* 192.168.211.0/24 [110/40] via 172.18.111.2, tun1, 00:01:39
VPN-ROUTER#

====================================================================================

Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 172.17.255.254 0.0.0.0 UG 0 0 0 wlan0
10.0.0.0 172.18.111.2 255.255.255.0 UG 20 0 0 tun1
172.16.111.2 172.18.111.2 255.255.255.255 UGH 20 0 0 tun1
172.16.111.3 172.18.111.2 255.255.255.255 UGH 20 0 0 tun1
172.16.111.4 172.18.111.2 255.255.255.255 UGH 20 0 0 tun1
172.16.111.5 172.18.111.2 255.255.255.255 UGH 20 0 0 tun1
172.16.111.6 172.18.111.2 255.255.255.255 UGH 20 0 0 tun1
172.16.111.7 172.18.111.2 255.255.255.255 UGH 20 0 0 tun1
172.16.222.4 172.18.111.2 255.255.255.252 UG 20 0 0 tun1
172.16.255.0 172.18.111.2 255.255.255.0 UG 20 0 0 tun1
172.17.111.1 172.18.111.2 255.255.255.255 UGH 20 0 0 tun1
172.17.111.2 172.18.111.2 255.255.255.255 UGH 20 0 0 tun1
172.17.255.0 0.0.0.0 255.255.255.0 U 0 0 0 wlan0
172.18.111.0 0.0.0.0 255.255.255.252 U 0 0 0 tun1
172.18.111.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun1
172.18.111.4 172.18.111.2 255.255.255.252 UG 20 0 0 tun1
172.18.255.0 172.18.111.2 255.255.255.0 UG 20 0 0 tun1
172.31.255.0 172.18.111.2 255.255.255.0 UG 20 0 0 tun1
192.168.198.0 172.18.111.2 255.255.255.0 UG 20 0 0 tun1
192.168.199.0 172.18.111.2 255.255.255.0 UG 20 0 0 tun1
192.168.210.0 0.0.0.0 255.255.255.0 U 0 0 0 br-lan
192.168.211.0 172.18.111.2 255.255.255.0 UG 20 0 0 tun1

====================================================================================
root@VPN-ROUTER:~#
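The show-route output above is what a practitioner checks by eye after bringing up a tunnel. As an added example (Python, not a router command), the following parses the Quagga `show ip ospf neighbor` and `show ip route` text and reports whether the tunnel neighbor is Full, whether the remote site's LAN is an active (`>*`) OSPF route over the tunnel, and whether any prefix is both directly connected here and advertised from the far side, which is the overlapping-address-plan mistake the summary below warns about. The sample lines are copied from the output above, single-spaced as extracted; the tunnel interface name and the list of remote LANs are assumptions passed in by the caller.

```python
"""Check an OpenVPN/OSPF site-to-site tunnel from Quagga text output (added example)."""
import re

# Sample lines copied from the show-route output on this page (single-spaced as extracted).
NEIGHBOR_OUTPUT = """
Neighbor ID Pri State Dead Time Address Interface RXmtL RqstL DBsmL
172.18.255.254 200 Full/DROther 34.578s 172.18.111.2 tun1:172.18.111.1 0 0 0
"""

ROUTE_OUTPUT = """
Codes: K - kernel route, C - connected, S - static, R - RIP,
O - OSPF, I - IS-IS, B - BGP, P - PIM, A - Babel,
> - selected route, * - FIB route

K>* 0.0.0.0/0 via 172.17.255.254, wlan0
O>* 10.0.0.0/24 [110/30] via 172.18.111.2, tun1, 00:01:39
C>* 127.0.0.0/8 is directly connected, lo
O 172.17.255.0/24 [110/30] via 172.18.111.2, tun1, 00:01:39
C>* 172.17.255.0/24 is directly connected, wlan0
O 172.18.111.0/30 [110/20] via 172.18.111.2, tun1, 00:01:39
C>* 172.18.111.0/30 is directly connected, tun1
O>* 172.18.255.0/24 [110/20] via 172.18.111.2, tun1, 00:01:39
O 192.168.210.0/24 [110/10] is directly connected, br-lan, 00:02:08
C>* 192.168.210.0/24 is directly connected, br-lan
"""

# proto letter, optional '>' (selected) and '*' (in FIB), prefix, optional [dist/metric],
# then either "via NEXTHOP, IFACE" or "is directly connected, IFACE"
_ROUTE_RE = re.compile(
    r"^(?P<proto>[A-Z])(?P<sel>>?)(?P<fib>\*?)\s+(?P<prefix>\S+)"
    r"(?:\s+\[(?P<dist>\d+)/(?P<metric>\d+)\])?"
    r"\s+(?:via\s+(?P<via>[^,\s]+),\s+(?P<iface>[^,\s]+)"
    r"|is directly connected,\s+(?P<ciface>[^,\s]+))"
)


def parse_neighbors(text):
    """Rows of `show ip ospf neighbor`: id, state, role, address, interface."""
    neighbors = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not re.fullmatch(r"\d+\.\d+\.\d+\.\d+", parts[0]):
            continue  # header line
        state, _, role = parts[2].partition("/")
        neighbors.append({"id": parts[0], "state": state, "role": role,
                          "address": parts[4], "iface": parts[5].split(":")[0]})
    return neighbors


def parse_routes(text):
    """Rows of `show ip route`; 'selected' is True only for '>*' entries (in the FIB)."""
    routes = []
    for line in text.splitlines():
        m = _ROUTE_RE.match(line.strip())
        if not m:
            continue  # Codes legend and blank lines
        d = m.groupdict()
        routes.append({"proto": d["proto"], "selected": d["sel"] == ">" and d["fib"] == "*",
                       "prefix": d["prefix"], "via": d["via"],
                       "iface": d["iface"] or d["ciface"],
                       "metric": int(d["metric"]) if d["metric"] else None})
    return routes


def check_tunnel(neighbors, routes, tunnel_iface, remote_lans):
    """Findings for one tunnel; empty list means the far side is fully reachable."""
    findings = []
    if not any(n["iface"] == tunnel_iface and n["state"] == "Full" for n in neighbors):
        findings.append(f"no OSPF neighbor in Full state on {tunnel_iface}")
    active = {r["prefix"] for r in routes
              if r["proto"] == "O" and r["iface"] == tunnel_iface and r["selected"]}
    for lan in remote_lans:
        if lan not in active:
            findings.append(f"{lan} is not an active OSPF route over {tunnel_iface}")
    # a prefix connected here but also learned from the far side means both sites use it
    connected = {r["prefix"]: r["iface"] for r in routes
                 if r["proto"] == "C" and r["iface"] != tunnel_iface}
    for r in routes:
        if r["proto"] == "O" and r["iface"] == tunnel_iface and r["prefix"] in connected:
            findings.append(f"{r['prefix']} is connected on {connected[r['prefix']]} but also "
                            f"advertised over {tunnel_iface}: overlapping address plan")
    return findings
```

On the router the two texts come from `vtysh -c "show ip ospf neighbor"` and `vtysh -c "show ip route"`. Run against the page's own output with `check_tunnel(parse_neighbors(NEIGHBOR_OUTPUT), parse_routes(ROUTE_OUTPUT), "tun1", ["172.18.255.0/24"])`, it reports only that 172.17.255.0/24 is both the local wlan0 uplink network and advertised from the hub, which is why that OSPF route shows without the `>*` marker.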


If the br-lan IP address is changed later, the auto-generated dynamic routing configuration (OSPF router-id and network statements) has to be updated manually.

If the OpenVPN server or client router has an additional firewall zone, log in to the web admin firewall page and allow forwarding from the ovpn zone to that zone and back:

Login http://ip-address/cgi-bin/luci/
Go to → Network → Firewall → Firewall - Zone Settings → ovpn zone => other → Save → Save & Apply
Go to → Network → Firewall → Firewall - Zone Settings → other => ovpn zone → Save → Save & Apply

This page does not include an example VPN network design for a dual Server or hub router at the same site and a dual Client or spoke router at the same site with dual tunnels.

OpenVPN requires high CPU resources.

OpenVPN Site-to-Site Summary:
1). Set up the server and client br-lan IP addresses with the default configuration (e.g. server/hub br-lan 192.168.1.1/24,
first client/spoke br-lan 192.168.2.1/24, second client/spoke br-lan 192.168.3.1/24; each site uses a different network).
2). Server/hub Mini-Router: enable SSH on the WAN side on a non-default port (e.g. SSH port 2233 when directly on the internet,
or NAT port forwarding of the SSH and OpenVPN service ports when behind another router).
3). On the hub or server, run the command set-ovpn-s-t-s-server: set the OpenVPN port number (default 1194) and the tunnel IP address (e.g. 172.16.255.1).
4). Enter the hub or server public IP address or DDNS domain name.
5). Enter the site name (username) and password that the remote client site will use.
6). On the client or spoke, run set-ovpn-s-t-s-peer.
7). Client or spoke: enter the hub or server public IP address or DDNS domain name and the SSH port number.
8). Client or spoke: enter its own site name and password.
9). After a few minutes, run show-ovpn-s-t-s-tunnel on both the client/spoke and the hub/server.


PPtP VPN supports Site-to-Site or Multi-Site (NOT SUPPORTED together with VRRP on the same router)

PPtP VPN Site-to-Site or Multi-Site uses a ppp interface with auto-generated OSPF routes between interface ppp* (* can be a different number: 1, 2 or 3) and br-lan.
PPTP is not recommended. Its MS-CHAPv2 authentication and MPPE encryption are cryptographically weak, and the PPtP tunnel is sometimes unstable and needs a reboot of the server and client to recover. Use PPTP for testing only.
On a PPTP client router all traffic is passed to the server router, which forwards it to the internet.

The PPtP VPN Site-to-Site or Multi-Site ppp* and br-lan interfaces use a different network for each router or site.
Example: the hub or server site uses the 192.168.1.0/24 network on its br-lan interface and the spoke or client site uses 192.168.2.0/24
on its br-lan interface. When adding more spoke or client sites, the next one should use 192.168.3.0/24 on its br-lan interface.
The PPtP VPN ppp* interface network has prefix length 24 (cannot be changed by default). Each site's PPtP interface network must be different from the others.

4G mobile routers are not recommended for VPN tunnels with OSPF routes because the mobile connection is unstable.
Once the VPN tunnel peers are up, OSPF adjacency takes a few minutes longer to form.

A PPtP server (hub) router behind NAT needs port forwarding for three different things:
1). SSH: forward public TCP port 2233 on the real IP or DDNS name to the router's SSH port 22.
2). PPtP control: forward TCP port 1723 on the real IP or DDNS name to the router's port 1723.
3). GRE: forward IP protocol 47 (GRE) on the real IP or DDNS name to the router. GRE has no port numbers, so the NAT router must support GRE or "PPTP passthrough" forwarding.

GRE packets encapsulated directly in IP use protocol number 47 in the IPv4 header's Protocol field.
For performance reasons, GRE can also be encapsulated in UDP packets.

The server (hub) router is connected directly to the internet with the SSH service enabled on the WAN side (the VPN client sites download their configuration files over SSH).
Server or Hub Router
Login → http://ip-address/cgi-bin/luci/ → Go to → System → Administration → SSH Access → Add instance → Interface WAN → Port 2233 → Save → Save & Apply
Login → http://ip-address/cgi-bin/luci/ → Go to → Network → Firewall → Firewall - Zone Settings → wan → CHANGE Input reject to accept → Save → Save & Apply
Caution: accepting all Input on the wan zone exposes every listening service on the router to the internet; a Traffic Rule that accepts only TCP 2233, TCP 1723 and GRE from the wan zone is the narrower choice.



Example: PPtP VPN 172.17.111.0/24 for the VPN tunnel

Server or Hub Router

The server (hub) router's WAN is on the internet with the public IP address 1.2.3.4 (replace it with your DDNS domain name if you use one).
A client (spoke) router connected to the internet peers with 1.2.3.4 on SSH port 2233 and uses the PPtP (TCP 1723) and GRE service.

root@My-WAN:~# set-pptp-server

Server tunnel ip address:
172.17.111.222

##### Please Enter Dynamic DNS (DDNS) Domain Name or internet public ip below: #####

1.2.3.4

###################################################################
## Please enter username (username can not with any punctuation) ##

pptpvpn

###################################################################
## Please enter password ##


## Please enter same password again

Please wait for a moment !

## Please enter same password again

Please wait for a moment !
5549 /usr/sbin/pptpd -c /var/etc/pptpd.conf --fg -o /var/etc/options.pptpd
root@My-WAN:~#



Client or Spoke router (set-pptp-peer logs in to the server or hub router over SSH as root, so it needs the hub router's root password. Unlike the OpenVPN setup, which uses a dedicated per-site user, this hands the hub's root credentials to whoever configures the spoke.)

root@VPN:~# set-pptp-peer

###############################################################
OpenVPN s-to-s Server the REAL IP Address OR DDNS domain name:
1.2.3.4


###############################################################
Do you need to change SSH default port 22: (change others=y/Y)?
y

###############################################################
Please enter SSH port numebr here:

2233


Host '1.2.3.4' is not in the trusted hosts file.
(ssh-rsa fingerprint sha1!! 57:02:94:55:75:fa:64:a3:d9:25:de:18:45:23:9b:81:d2:b5:b2:9b)
Do you want to continue connecting? (y/n) y
root@1.2.3.4's password:   ###( NEED ENTER SERVER OR HUB ROUTER ROOT PASSWORD HERE )###
pptp.info 100% 202 0.2KB/s 00:00

Please wait for a moment !

cfg10ad58
cfg11ad58
Thu Jun 29 04:04:44 2023 daemon.info pppd[13966]: Plugin pptp.so loaded.
Thu Jun 29 04:04:44 2023 daemon.info pppd[13966]: PPTP plugin version 1.00
Thu Jun 29 04:04:44 2023 daemon.notice pppd[13966]: pppd 2.4.7 started by root, uid 0
Thu Jun 29 04:04:46 2023 daemon.info pppd[13966]: Renamed interface ppp0 to pptp-vpn
Thu Jun 29 04:04:46 2023 daemon.info pppd[13966]: Using interface pptp-vpn
Thu Jun 29 04:04:46 2023 daemon.notice pppd[13966]: Connect: pptp-vpn <--> pptp (1.2.3.4)
Thu Jun 29 04:04:46 2023 daemon.notice pppd[13966]: CHAP authentication succeeded
Thu Jun 29 04:04:46 2023 daemon.notice pppd[13966]: MPPE 128-bit stateless compression enabled
Thu Jun 29 04:04:46 2023 daemon.notice pppd[13966]: local IP address 172.17.111.2
Thu Jun 29 04:04:46 2023 daemon.notice pppd[13966]: remote IP address 172.17.111.1
13966 /usr/sbin/pppd nodetach ipparam vpn ifname pptp-vpn lcp-echo-interval 1 lcp-echo-failure 5 lcp-echo-adaptive +ipv6 nodefaultroute usepeerdns maxfail 1 user pptpvpn password pptppass ip-up-script /lib/netifd/ppp-up ipv6-up-script /lib/netifd/ppp6-up ip-down-script /lib/netifd/ppp-down ipv6-down-script /lib/netifd/ppp-down plugin pptp.so pptp_server 1.2.3.44 file /etc/ppp/options.pptp
14039 /usr/sbin/pppd nodetach ipparam vpn ifname pptp-vpn lcp-echo-interval 1 lcp-echo-failure 5 lcp-echo-adaptive +ipv6 nodefaultroute usepeerdns maxfail 1 user pptpvpn password pptppass ip-up-script /lib/netifd/ppp-up ipv6-up-script /lib/netifd/ppp6-up ip-down-script /lib/netifd/ppp-down ipv6-down-script /lib/netifd/ppp-down plugin pptp.so pptp_server 1.2.3.4 file /etc/ppp/options.pptp
root@VPN:~#
root@VPN:~#

Wait a few minutes, then verify with the commands: show-pptp-tunnel and show-route
Note that the PPtP username and password are passed on the pppd command line (user pptpvpn password pptppass above) and are therefore visible to anyone who can list processes on the router.

root@VPN:~# show-pptp-tunnel

This router is NOT PPtP Site to Site Server!


show PPtP Client Site to Site tunnel


################## PPtP Client Site to Site tunnel ###############
Thu Jun 29 04:04:44 2023 daemon.info pppd[13966]: Plugin pptp.so loaded.
Thu Jun 29 04:04:44 2023 daemon.info pppd[13966]: PPTP plugin version 1.00
Thu Jun 29 04:04:44 2023 daemon.notice pppd[13966]: pppd 2.4.7 started by root, uid 0
Thu Jun 29 04:04:46 2023 daemon.info pppd[13966]: Renamed interface ppp0 to pptp-vpn
Thu Jun 29 04:04:46 2023 daemon.info pppd[13966]: Using interface pptp-vpn
Thu Jun 29 04:04:46 2023 daemon.notice pppd[13966]: Connect: pptp-vpn <--> pptp (1.2.3.4)
Thu Jun 29 04:04:46 2023 daemon.notice pppd[13966]: CHAP authentication succeeded
Thu Jun 29 04:04:46 2023 daemon.notice pppd[13966]: MPPE 128-bit stateless compression enabled
Thu Jun 29 04:04:46 2023 daemon.notice pppd[13966]: local IP address 172.17.111.2
Thu Jun 29 04:04:46 2023 daemon.notice pppd[13966]: remote IP address 172.17.111.1
Thu Jun 29 04:04:53 2023 daemon.info pppd[13966]: No response to 5 echo-requests
Thu Jun 29 04:04:53 2023 daemon.notice pppd[13966]: Serial link appears to be disconnected.
Thu Jun 29 04:04:53 2023 daemon.info pppd[13966]: Connect time 0.2 minutes.
Thu Jun 29 04:04:53 2023 daemon.info pppd[13966]: Sent 421568 bytes, received 296 bytes.
Thu Jun 29 04:04:53 2023 daemon.err pppd[13966]: MPPE disabled
Thu Jun 29 04:04:53 2023 daemon.info pppd[13966]: Terminating on signal 15
Thu Jun 29 04:04:56 2023 daemon.notice pppd[13966]: Connection terminated.
Thu Jun 29 04:04:56 2023 daemon.notice pppd[13966]: Modem hangup
Thu Jun 29 04:04:56 2023 daemon.info pppd[13966]: Exit.
Thu Jun 29 04:04:56 2023 daemon.info pppd[14671]: Plugin pptp.so loaded.
Thu Jun 29 04:04:56 2023 daemon.info pppd[14671]: PPTP plugin version 1.00
Thu Jun 29 04:04:56 2023 daemon.notice pppd[14671]: pppd 2.4.7 started by root, uid 0
Thu Jun 29 04:04:57 2023 daemon.info pppd[14671]: Renamed interface ppp0 to pptp-vpn
Thu Jun 29 04:04:57 2023 daemon.info pppd[14671]: Using interface pptp-vpn
Thu Jun 29 04:04:57 2023 daemon.notice pppd[14671]: Connect: pptp-vpn <--> pptp (1.2.3.4)
Thu Jun 29 04:04:57 2023 daemon.notice pppd[14671]: CHAP authentication succeeded
Thu Jun 29 04:04:57 2023 daemon.notice pppd[14671]: MPPE 128-bit stateless compression enabled
Thu Jun 29 04:04:57 2023 daemon.notice pppd[14671]: local IP address 172.17.111.3
Thu Jun 29 04:04:57 2023 daemon.notice pppd[14671]: remote IP address 172.17.111.1
##################################################################
14671 /usr/sbin/pppd nodetach ipparam vpn ifname pptp-vpn lcp-echo-interval 1 lcp-echo-failure 5 lcp-echo-adaptive +ipv6 nodefaultroute usepeerdns maxfail 1 user pptpvpn password pptppass ip-up-script /lib/netifd/ppp-up ipv6-up-script /lib/netifd/ppp6-up ip-down-script /lib/netifd/ppp-down ipv6-down-script /lib/netifd/ppp-down plugin pptp.so pptp_server 1.2.3.4 file /etc/ppp/options.pptp
14673 /usr/sbin/pppd nodetach ipparam vpn ifname pptp-vpn lcp-echo-interval 1 lcp-echo-failure 5 lcp-echo-adaptive +ipv6 nodefaultroute usepeerdns maxfail 1 user pptpvpn password pptppass ip-up-script /lib/netifd/ppp-up ipv6-up-script /lib/netifd/ppp6-up ip-down-script /lib/netifd/ppp-down ipv6-down-script /lib/netifd/ppp-down plugin pptp.so pptp_server 1.2.3.4 file /etc/ppp/options.pptp
root@VPN:~#
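As an added check (example code written here, not a command shipped with the router), the following Python groups the pppd syslog lines that show-pptp-tunnel prints by process id and reports which session is currently up with CHAP and MPPE; the log lines are a constructed sample modelled on the output above.

```python
"""Summarise PPtP sessions from pppd syslog lines (as printed by show-pptp-tunnel).

Added example, not part of the router firmware. The log below is a constructed
sample modelled on the transcript above: pid 13966 drops after five missed
LCP echo requests, then pid 14671 re-establishes the tunnel.
"""
import re

SAMPLE_LOG = """\
Thu Jun 29 04:04:44 2023 daemon.info pppd[13966]: Plugin pptp.so loaded.
Thu Jun 29 04:04:46 2023 daemon.notice pppd[13966]: Connect: pptp-vpn <--> pptp (1.2.3.4)
Thu Jun 29 04:04:46 2023 daemon.notice pppd[13966]: CHAP authentication succeeded
Thu Jun 29 04:04:46 2023 daemon.notice pppd[13966]: MPPE 128-bit stateless compression enabled
Thu Jun 29 04:04:46 2023 daemon.notice pppd[13966]: local IP address 172.17.111.2
Thu Jun 29 04:04:46 2023 daemon.notice pppd[13966]: remote IP address 172.17.111.1
Thu Jun 29 04:04:53 2023 daemon.info pppd[13966]: No response to 5 echo-requests
Thu Jun 29 04:04:53 2023 daemon.notice pppd[13966]: Serial link appears to be disconnected.
Thu Jun 29 04:04:53 2023 daemon.err pppd[13966]: MPPE disabled
Thu Jun 29 04:04:53 2023 daemon.info pppd[13966]: Terminating on signal 15
Thu Jun 29 04:04:56 2023 daemon.notice pppd[13966]: Connection terminated.
Thu Jun 29 04:04:56 2023 daemon.info pppd[13966]: Exit.
Thu Jun 29 04:04:56 2023 daemon.info pppd[14671]: Plugin pptp.so loaded.
Thu Jun 29 04:04:57 2023 daemon.notice pppd[14671]: Connect: pptp-vpn <--> pptp (1.2.3.4)
Thu Jun 29 04:04:57 2023 daemon.notice pppd[14671]: CHAP authentication succeeded
Thu Jun 29 04:04:57 2023 daemon.notice pppd[14671]: MPPE 128-bit stateless compression enabled
Thu Jun 29 04:04:57 2023 daemon.notice pppd[14671]: local IP address 172.17.111.3
Thu Jun 29 04:04:57 2023 daemon.notice pppd[14671]: remote IP address 172.17.111.1
"""

# syslog prefix as the router writes it: "<date> <facility.level> pppd[<pid>]: <message>"
_LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \S+ pppd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)


def sessions(log_text):
    """Group pppd lines by process id into session records, in first-seen order."""
    found = {}
    for line in log_text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue
        pid, msg = int(m["pid"]), m["msg"]
        s = found.setdefault(pid, {
            "pid": pid, "peer": None, "auth": False, "mppe": False,
            "local": None, "remote": None, "state": "starting",
            "reason": None, "last_seen": m["ts"],
        })
        s["last_seen"] = m["ts"]
        if msg.startswith("Connect: "):
            # "Connect: pptp-vpn <--> pptp (1.2.3.4)" -> the PPtP server address
            s["peer"] = msg[msg.rfind("(") + 1:msg.rfind(")")]
        elif msg == "CHAP authentication succeeded":
            s["auth"] = True
        elif msg.startswith("MPPE ") and msg.endswith("enabled"):
            s["mppe"] = True
        elif msg.startswith("local IP address "):
            s["local"], s["state"] = msg.split()[-1], "up"
        elif msg.startswith("remote IP address "):
            s["remote"] = msg.split()[-1]
        elif msg.startswith(("No response to", "Serial link appears")):
            s["reason"] = s["reason"] or msg   # keep the first cause of the drop
        elif msg in ("Connection terminated.", "Exit."):
            s["state"] = "down"
    return list(found.values())


def current_tunnel(log_text):
    """Newest session that is up, CHAP-authenticated and MPPE-encrypted, or None."""
    live = [s for s in sessions(log_text)
            if s["state"] == "up" and s["auth"] and s["mppe"]]
    return live[-1] if live else None


if __name__ == "__main__":
    for s in sessions(SAMPLE_LOG):
        print(f"pppd[{s['pid']}] {s['state']:8} local={s['local']} remote={s['remote']} "
              f"peer={s['peer']} reason={s['reason']}")
    t = current_tunnel(SAMPLE_LOG)
    print("tunnel up on" if t else "tunnel down", t["local"] if t else "")
```

On the router the same functions can be fed the output of logread instead of the constructed sample.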


root@VPN:~# show-route
====================================================================================
Show Routing Table
====================================================================================


Hello, this is Quagga (version 1.1.1).
Copyright 1996-2005 Kunihiro Ishiguro, et al.

VPN# show ip ospf neighbor

Neighbor ID Pri State Dead Time Address Interface RXmtL RqstL DBsmL
172.17.255.254 1 Full/DROther 35.701s 172.17.111.1 pptp-vpn:172.17.111.3 0 0 0
VPN#

====================================================================================


Hello, this is Quagga (version 1.1.1).
Copyright 1996-2005 Kunihiro Ishiguro, et al.

VPN# show ip rip status
VPN#

====================================================================================


Hello, this is Quagga (version 1.1.1).
Copyright 1996-2005 Kunihiro Ishiguro, et al.

VPN# show ip bgp neighbors
VPN#

====================================================================================


Hello, this is Quagga (version 1.1.1).
Copyright 1996-2005 Kunihiro Ishiguro, et al.

VPN# show ip bgp nexthop
Current BGP nexthop cache:
VPN#

====================================================================================


Hello, this is Quagga (version 1.1.1).
Copyright 1996-2005 Kunihiro Ishiguro, et al.

VPN# show isis neighbor
VPN#

====================================================================================

Hello, this is Quagga (version 1.1.1).
Copyright 1996-2005 Kunihiro Ishiguro, et al.

VPN# show ip route
Codes: K - kernel route, C - connected, S - static, R - RIP,
O - OSPF, I - IS-IS, B - BGP, P - PIM, A - Babel,
> - selected route, * - FIB route

K>* 0.0.0.0/0 via 172.17.111.1, pptp-vpn
O>* 10.0.0.0/24 [110/30] via 172.17.111.1, pptp-vpn, 03:54:11
K>* 1.2.3.4 /32 via 172.31.255.1, wlan0
C>* 127.0.0.0/8 is directly connected, lo
O>* 172.16.111.2/32 [110/1111] via 172.17.111.1, pptp-vpn, 03:54:10
O>* 172.16.111.3/32 [110/1111] via 172.17.111.1, pptp-vpn, 03:54:10
O>* 172.16.111.4/32 [110/1111] via 172.17.111.1, pptp-vpn, 03:54:10
O>* 172.16.111.5/32 [110/1111] via 172.17.111.1, pptp-vpn, 03:54:10
O>* 172.16.111.6/32 [110/1111] via 172.17.111.1, pptp-vpn, 03:54:10
O>* 172.16.111.7/32 [110/1111] via 172.17.111.1, pptp-vpn, 03:54:10
O>* 172.16.222.4/30 [110/30] via 172.17.111.1, pptp-vpn, 03:54:11
O>* 172.16.255.0/24 [110/30] via 172.17.111.1, pptp-vpn, 03:54:11
O 172.17.111.1/32 [110/10] is directly connected, pptp-vpn, 03:58:26
C>* 172.17.111.1/32 is directly connected, pptp-vpn
O>* 172.17.255.0/24 [110/20] via 172.17.111.1, pptp-vpn, 03:54:11
O>* 172.18.111.0/30 [110/30] via 172.17.111.1, pptp-vpn, 03:54:11
O>* 172.18.255.0/24 [110/30] via 172.17.111.1, pptp-vpn, 03:54:11
O 172.31.255.0/24 [110/20] via 172.17.111.1, pptp-vpn, 03:54:11
C>* 172.31.255.0/24 is directly connected, wlan0
O>* 192.168.198.0/24 [110/1111] via 172.17.111.1, pptp-vpn, 03:54:10
O>* 192.168.199.0/24 [110/40] via 172.17.111.1, pptp-vpn, 03:54:11
O>* 192.168.210.0/24 [110/40] via 172.17.111.1, pptp-vpn, 03:54:11
O 192.168.211.0/24 [110/10] is directly connected, br-lan, 03:58:43
C>* 192.168.211.0/24 is directly connected, br-lan
VPN#

====================================================================================

Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 172.17.111.1 0.0.0.0 UG 0 0 0 pptp-vpn
10.0.0.0 172.17.111.1 255.255.255.0 UG 20 0 0 pptp-vpn
1.2.3.4 172.31.255.1 255.255.255.255 UGH 0 0 0 wlan0
172.16.111.2 172.17.111.1 255.255.255.255 UGH 20 0 0 pptp-vpn
172.16.111.3 172.17.111.1 255.255.255.255 UGH 20 0 0 pptp-vpn
172.16.111.4 172.17.111.1 255.255.255.255 UGH 20 0 0 pptp-vpn
172.16.111.5 172.17.111.1 255.255.255.255 UGH 20 0 0 pptp-vpn
172.16.111.6 172.17.111.1 255.255.255.255 UGH 20 0 0 pptp-vpn
172.16.111.7 172.17.111.1 255.255.255.255 UGH 20 0 0 pptp-vpn
172.16.222.4 172.17.111.1 255.255.255.252 UG 20 0 0 pptp-vpn
172.16.255.0 172.17.111.1 255.255.255.0 UG 20 0 0 pptp-vpn
172.17.111.1 0.0.0.0 255.255.255.255 UH 0 0 0 pptp-vpn
172.17.255.0 172.17.111.1 255.255.255.0 UG 20 0 0 pptp-vpn
172.18.111.0 172.17.111.1 255.255.255.252 UG 20 0 0 pptp-vpn
172.18.255.0 172.17.111.1 255.255.255.0 UG 20 0 0 pptp-vpn
172.31.255.0 0.0.0.0 255.255.255.0 U 0 0 0 wlan0
192.168.198.0 172.17.111.1 255.255.255.0 UG 20 0 0 pptp-vpn
192.168.199.0 172.17.111.1 255.255.255.0 UG 20 0 0 pptp-vpn
192.168.210.0 172.17.111.1 255.255.255.0 UG 20 0 0 pptp-vpn
192.168.211.0 0.0.0.0 255.255.255.0 U 0 0 0 br-lan

====================================================================================
root@VPN:~#

root@VPN:~# ifconfig
br-lan Link encap:Ethernet HWaddr 40:3F:8C:85:14:E0
inet addr:192.168.211.1 Bcast:192.168.211.255 Mask:255.255.255.0
inet6 addr: fe80::423f:8cff:fe85:14e0/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:1501 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:118894 (116.1 KiB)

eth0 Link encap:Ethernet HWaddr 40:3F:8C:85:14:E0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:4203 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:418959 (409.1 KiB)
Interrupt:5

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:16 errors:0 dropped:0 overruns:0 frame:0
TX packets:16 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1621 (1.5 KiB) TX bytes:1621 (1.5 KiB)

pptp-vpn Link encap:Point-to-Point Protocol
inet addr:172.17.111.3 P-t-P:172.17.111.1 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1482 Metric:1
RX packets:1980 errors:0 dropped:0 overruns:0 frame:0
TX packets:1916 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:151538 (147.9 KiB) TX bytes:130674 (127.6 KiB)

wlan0 Link encap:Ethernet HWaddr 40:3F:8C:85:14:E0
inet addr:172.31.255.32 Bcast:172.31.255.255 Mask:255.255.255.0
inet6 addr: fe80::423f:8cff:fe85:14e0/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:21091 errors:0 dropped:0 overruns:0 frame:0
TX packets:16895 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1452262 (1.3 MiB) TX bytes:1595360 (1.5 MiB)

root@VPN:~#

For a PPtP VPN server or client router whose vpn zone is separate from the other zone, log in to the web admin firewall page and allow forwarding from vpn to other and from other to vpn.
Login http://ip-address/cgi-bin/luci/
Go to → Network → Firewall → Firewall - Zone Settings → vpn zone => other → Save → Save & Apply
Go to → Network → Firewall → Firewall - Zone Settings → other => vpn zone → Save → Save & Apply

If the br-lan interface changes its IP address, the dynamic route configuration needs to be updated manually.


Remove the PPTP configuration with factory-default, or Login http://ip-address/cgi-bin/luci/ Go to → System → Backup / Flash Firmware → Reset to defaults → Perform reset → reboot

root@My-WAN:~# factory-default

This page does not include an example VPN network design for a dual Server or hub router at the same site and a dual Client or spoke router at the same site with dual tunnels.

PPtP VPN Site-to-Site Summary:
1). Set up the server and client br-lan IP addresses with the default configuration (e.g., Server/Hub br-lan 192.168.1.1/24,
first client/spoke br-lan 192.168.2.1/24, second client/spoke br-lan 192.168.3.1/24; each site uses a different network).
2). Server/Hub Mini-Router: enable SSH for the WAN side and change to other port numbers (e.g., enable SSH port 2233 for direct internet
or NAT port forward the SSH port and the PPtP service port 1723 plus the GRE protocol).
3). Hub or Server: type command set-pptp-server → set up tunnel ip address 172.16.255.1
4). Hub or Server public ip-address or DDNS domain name.
5). Hub or Server: configure the PPtP login name and pptp password for the remote client site.
6). Client or Spoke: run set-pptp-peer
7). Client or Spoke: enter the Hub or Server public ip-address or DDNS domain name and SSH port number.
8). Client or Spoke: enter the Server/Hub router root and root's password.
9). Client or Spoke and Hub or Server: after some minutes run show-pptp-tunnel


WireGuard supports VPN software on different operating systems and Multi-Site. Please go to https://www.wireguard.com/install/

WireGuard VPN uses kernel routes as static routes: routes are added on the server or hub router and on the client or spoke router to allow traffic to reach a network.

The 4G router is suggested for use as a VPN client (spoke) router only.


The WireGuard VPN Hub-to-Spoke or Multi-Site wg0 and br-lan interfaces use a different network design for each router or site.
Example: the hub or server site uses the 192.168.1.0/24 network on the br-lan interface, and the spoke or client site uses 192.168.2.0/24
on the br-lan interface. When adding more spokes or client sites, the next network should be 192.168.3.0/24 on the br-lan interface.
The WireGuard VPN wg0 interface network subnet prefix is 24 (cannot be changed by default). WireGuard VPN tunnel interfaces need to be assigned
different networks at each site.

The Server (Hub) Router is directly connected to the internet with the WAN-side SSH service enabled. (The VPN has to enable SSH so that client sites can download configuration files.)
Server or Hub Router 
Login → http://ip-address/cgi-bin/luci/ → Go to → System → Administration → SSH Access → Add instance → Interface WAN → Port 2222 → Save → Save & Apply
Login → http://ip-address/cgi-bin/luci/ → Go to → Network → Firewall → Firewall - Zone Settings → wan → CHANGE Input reject to accept → Save → Save & Apply



The WireGuard Server or Hub router behind NAT port forwarding needs two different forwards.
1). SSH port 22 forwards to real IP or DDNS port 2222
2). VPN port any number forwards to real IP or DDNS port any number (Both sides use the same service port number.)


Example: WireGuard VPN 172.16.111.0/24 for the VPN tunnel
Server br-lan with 172.16.255.100/24

The Server (Hub) Router WAN is on the internet with public real ip address 1.2.3.4 (or replace it with the ddns domain name).
A client (Spoke) router connected to the internet can peer with 1.2.3.4 on SSH port 2222 and use the WireGuard service.

Server or Hub Router Add Software Client

User1. All Traffic passes to the server site and goes to the internet.


enable WireGuard VPN by command: set-wgvpn-server


root@VPN-WIREGUARD:~# set-wgvpn-server


# Ctrl + C Stop wireguard server configuration at fist moment #
###################################################################
## Please enter IP Address for wireguard tunnel interface: e.g. ##
## private ip address: 192.168.248.1-254 by default prefix /24 ##
###################################################################
172.16.111.111


###################################################################
## Please enter wireguard UDP service port : 1024 - 65535 ##
443

root@VPN-WIREGUARD:~#

Add user1 and a password by command: set-wgvpn-app-mobile or set-wgvpn-nocheck-software

root@VPN-WIREGUARD:~# set-wgvpn-app-mobile
###################################################################
## Please enter The Internet public IP ADDRESS: or DDNS ##
1.2.3.4
1.2.3.4 is matching internet public ip address: 1.2.3.4

###################################################################
# Allow wireguard VPN client's all traffic route to Server (y/n)? #
y
###################################################################
## DO NOT DUPLICATE username below wireguard users ##
###################################################################

## Please enter username (username can not with any punctuation) ##
user1
Changing password for wguser1
New password:  yourpassword1
Retype password: yourpassword1
passwd: password for wguser1 changed by root



Complete and need reboot


root@VPN-WIREGUARD:~#


User2. Server br-lan Traffic passes to the server site only.


root@VPN-WIREGUARD:~# set-wgvpn-app-mobile
###################################################################
## Please enter The Internet public IP ADDRESS: or DDNS ##
1.2.3.4
1.2.3.4 is matching internet public ip address: 1.2.3.4

###################################################################
# Allow wireguard VPN client's all traffic route to Server (y/n)? #
n
###################################################################
## DO NOT DUPLICATE username below wireguard users ##
user1 wg0 ip address : 172.16.111.2/24
###################################################################

## Please enter username (username can not with any punctuation) ##
user2
Changing password for wguser2
New password: yourpassword2
Retype password: yourpassword2
passwd: password for wguser2 changed by root



Complete and need reboot


root@VPN-WIREGUARD:~#

Go to http://br-lan_ip_address/wgvpn/ and download the vpn config file. Import the file into the WireGuard software app.


http://br-lan_ip_address/wgvpn/
Index of /wgvpn/
../
modified: Fri, 30 Jun 2023 02:31:21 GMT
directory - 0.00 kbyte

user1_a.conf
modified: Fri, 30 Jun 2023 02:31:21 GMT
text/plain - 0.28 kbyte

user2_v.conf
modified: Fri, 30 Jun 2023 02:33:36 GMT
text/plain - 0.30 kbyte


Server or Hub Router Add multi-site router

Add a multi-site login name and password by command: set-wgvpn-user-router or set-wgvpn-nocheck-user-router

user3 to user6 are for different sites

root@VPN-WIREGUARD:~# set-wgvpn-user-router
###################################################################
## Please enter The Internet public IP ADDRESS: or DDNS ##
1.2.3.4
1.2.3.4 is matching internet public ip address: 1.2.3.4

###################################################################
# Allow wireguard VPN client's router all traffic to Server (y/n)?#


by default client's router not allow all traffic to Server (n/N)!


###################################################################
## DO NOT DUPLICATE username below wireguard users ##
user1 wg0 ip address : 172.16.111.2/24
user2 wg0 ip address : 172.16.111.3/24
user3 wg0 ip address : 172.16.111.4/24
user4 wg0 ip address : 172.16.111.5/24
user5 wg0 ip address : 172.16.111.6/24
###################################################################

## Please enter username (username can not with any punctuation) ##
user6
Changing password for wguser6
New password: yourpassword6
Retype password: yourpassword6
passwd: password for wguser6 changed by root



Complete and need reboot


root@VPN-WIREGUARD:~# reboot
root@VPN-WIREGUARD:~#


Adding the multi-site users is complete once the server router has rebooted.


Client or Spoke router: peer the VPN. By default the client router br-lan 192.168.198.1/24 is allowed to go to the Server Router br-lan.

root@VPN-ROUTER:~# set-wgvpn-peer-multiple
###############################################################
Wireguard Server the REAL IP Address OR DDNS domain name:
1.2.3.4

###############################################################
Do you need to change SSH default port 22 (y/n): (change=y)!
y

###############################################################
Please enter SSH port numebr here:

2222


###############################################################
Please enter wireguard username for scp download configure file
user6

Host '1.2.3.4' is not in the trusted hosts file.
(ssh-rsa fingerprint sha1!! e1:72:58:cf:9f:e6:6e:34:be:cf:89:93:f2:72:1d:d5:89:7b:58:18)
Do you want to continue connecting? (y/n) y
wguser6@1.2.3.4's password: yourpassword6
wguser6.br-lan 100% 114 0.1KB/s 00:00
Please enter password again
wguser6@1.2.3.4's password: yourpassword6
wireguard.info 100% 75 0.1KB/s 00:00
wguser6.network 100% 599 0.6KB/s 00:00
wireguard.conf 100% 378 0.4KB/s 00:00
wguser6.private.key 100% 45 0.0KB/s 00:00
wguser6.preshare.key 100% 45 0.0KB/s 00:00
wguser6.br-lan 100% 114 0.1KB/s 00:00
wguser6.public.key 100% 45 0.0KB/s 00:00



Complete and auto run command : reboot


root@VPN-ROUTER:~#

The Client or Spoke Router reboots automatically.

The Server or Hub router needs to allow 192.168.198.0/24 for the user6 remote site by command: set-wgvpn-ip-allow-on-server


root@VPN-WIREGUARD:~# set-wgvpn-ip-allow-on-server

## check multi wireguard site router br-lan network id first ##
###################################################################
## below list is wireguard mutli user's name ##

'user1'
'user2'
'user3'
'user4'
'user5'
'user6'

-------------------------------------------------------------------

network.wguser1.allowed_ips='172.16.111.2/32'
network.wguser1.route_allowed_ips='1'
network.wguser2.allowed_ips='172.16.111.3/32'
network.wguser2.route_allowed_ips='1'
network.wguser3.allowed_ips='172.16.111.4/32'
network.wguser3.route_allowed_ips='1'
network.wguser4.allowed_ips='172.16.111.5/32'
network.wguser4.route_allowed_ips='1'
network.wguser5.allowed_ips='172.16.111.6/32'
network.wguser5.route_allowed_ips='1'
network.wguser6.allowed_ips='172.16.111.7/32'
network.wguser6.route_allowed_ips='1'

## ##
###################################################################
## Please enter below list of wireguard mutli user's name ##


user6


___________________________________________________________________
Please enter network id and perfix e.g.: 192.168.1.0/24


192.168.198.0/24


Complete and please run command : reboot


###################################################################

network.wguser1.allowed_ips='172.16.111.2/32'
network.wguser1.route_allowed_ips='1'
network.wguser2.allowed_ips='172.16.111.3/32'
network.wguser2.route_allowed_ips='1'
network.wguser3.allowed_ips='172.16.111.4/32'
network.wguser3.route_allowed_ips='1'
network.wguser4.allowed_ips='172.16.111.5/32'
network.wguser4.route_allowed_ips='1'
network.wguser5.allowed_ips='172.16.111.6/32'
network.wguser5.route_allowed_ips='1'
network.wguser6.allowed_ips='192.168.198.0/24' '172.16.111.7/32'
network.wguser6.route_allowed_ips='1'

###################################################################
root@VPN-WIREGUARD:~#

A Server or Hub router running OSPF needs to redistribute kernel routes

VPN-WIREGUARD# show running-config ospfd
password zebra
!
!
!
interface br-lan
!
interface erspan0
!
interface eth0
!
interface gre0
!
interface gretap0
!
interface lo
!
interface wg0
!
router ospf
redistribute kernel metric 1111
network 172.16.255.0/24 area 0.0.0.0
!
access-list vty permit 127.0.0.0/8
access-list vty deny any
!
line vty
access-class vty
!
VPN-WIREGUARD#
VPN-WIREGUARD# write

write saves the configuration

Check the OSPF advertised routes: go to another router on the server (hub) side and check for route 192.168.198.0/24.

GL-AR750S# show ip route
Codes: K - kernel route, C - connected, S - static, R - RIP,
O - OSPF, I - IS-IS, B - BGP, P - PIM, A - Babel, N - NHRP,
> - selected route, * - FIB route

S 0.0.0.0/0 [1/0] via 10.0.0.254, br-lan
K>* 0.0.0.0/0 via 10.0.0.254, br-lan
O 10.0.0.0/24 [110/10] is directly connected, br-lan, 04:00:35
C>* 10.0.0.0/24 is directly connected, br-lan
C>* 127.0.0.0/8 is directly connected, lo
O>* 172.16.111.2/32 [110/1111] via 10.0.0.17, br-lan, 00:00:40
O>* 172.16.111.3/32 [110/1111] via 10.0.0.17, br-lan, 00:00:40
O>* 172.16.111.4/32 [110/1111] via 10.0.0.17, br-lan, 00:00:40
O>* 172.16.111.5/32 [110/1111] via 10.0.0.17, br-lan, 00:00:40
O>* 172.16.111.6/32 [110/1111] via 10.0.0.17, br-lan, 00:00:40
O>* 172.16.111.7/32 [110/1111] via 10.0.0.17, br-lan, 00:00:40
O>* 172.16.222.4/30 [110/30] via 10.0.0.17, br-lan, 04:00:35
O>* 172.16.255.0/24 [110/30] via 10.0.0.17, br-lan, 04:00:35
O>* 172.17.111.1/32 [110/40] via 10.0.0.17, br-lan, 04:00:35
O>* 172.17.111.2/32 [110/30] via 10.0.0.17, br-lan, 04:00:35
O>* 172.17.255.0/24 [110/30] via 10.0.0.17, br-lan, 04:00:35
O>* 172.18.111.0/30 [110/30] via 10.0.0.17, br-lan, 04:00:35
O>* 172.18.255.0/24 [110/30] via 10.0.0.17, br-lan, 04:00:35
O>* 172.31.255.0/24 [110/20] via 10.0.0.17, br-lan, 04:00:35
S>* 172.31.255.25/32 [1/0] via 10.0.0.13, br-lan
S>* 172.31.255.100/32 [1/0] via 10.0.0.10, br-lan
S>* 172.31.255.101/32 [1/0] via 10.0.0.10, br-lan
S>* 172.31.255.102/32 [1/0] via 10.0.0.10, br-lan
S>* 172.31.255.103/32 [1/0] via 10.0.0.10, br-lan
O>* 192.168.198.0/24 [110/1111] via 10.0.0.17, br-lan, 00:00:40
O>* 192.168.199.0/24 [110/40] via 10.0.0.17, br-lan, 04:00:35
O>* 192.168.210.0/24 [110/40] via 10.0.0.17, br-lan, 04:00:35
O>* 192.168.211.0/24 [110/40] via 10.0.0.17, br-lan, 04:00:35
GL-AR750S#
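To automate that check, the following Python (an added example, not part of the router firmware) parses Quagga "show ip route" text and confirms that a prefix arrived as a selected OSPF route carrying the hub's redistribute metric 1111; the table is a constructed excerpt modelled on the GL-AR750S output above.

```python
"""Verify that a prefix learned through the hub's OSPF 'redistribute kernel'
shows up on another hub-side router.

Added example, not part of the router firmware. The table below is a
constructed excerpt modelled on the GL-AR750S 'show ip route' output above.
"""
import re

SAMPLE_SHOW_IP_ROUTE = """\
Codes: K - kernel route, C - connected, S - static, R - RIP,
       O - OSPF, I - IS-IS, B - BGP, P - PIM, A - Babel, N - NHRP,
       > - selected route, * - FIB route

S   0.0.0.0/0 [1/0] via 10.0.0.254, br-lan
K>* 0.0.0.0/0 via 10.0.0.254, br-lan
O   10.0.0.0/24 [110/10] is directly connected, br-lan, 04:00:35
C>* 10.0.0.0/24 is directly connected, br-lan
O>* 172.16.111.7/32 [110/1111] via 10.0.0.17, br-lan, 00:00:40
S>* 172.31.255.25/32 [1/0] via 10.0.0.13, br-lan
O>* 192.168.198.0/24 [110/1111] via 10.0.0.17, br-lan, 00:00:40
O>* 192.168.199.0/24 [110/40] via 10.0.0.17, br-lan, 04:00:35
"""

# One route line: "<code>[>][*] <prefix> [<ad>/<metric>] via <nexthop>, <iface>[, <uptime>]"
# or "... is directly connected, <iface>". '>' = selected, '*' = installed in the FIB.
_ROUTE_RE = re.compile(
    r"^(?P<code>[KCSRIOBPAN])(?P<sel>>?)(?P<fib>\*?)\s+(?P<prefix>\d[\d./]+)"
    r"(?:\s+\[(?P<ad>\d+)/(?P<metric>\d+)\])?"
    r"\s+(?:via\s+(?P<nexthop>[\d.]+),|is directly connected,)\s+(?P<iface>[^,\s]+)"
)


def parse_routes(text):
    """Parse Quagga/zebra 'show ip route' output into a list of route dicts."""
    routes = []
    for line in text.splitlines():
        m = _ROUTE_RE.match(line.rstrip())
        if not m:
            continue   # header, legend or blank line
        d = m.groupdict()
        routes.append({
            "code": d["code"], "prefix": d["prefix"],
            "selected": d["sel"] == ">", "fib": d["fib"] == "*",
            "ad": int(d["ad"]) if d["ad"] else None,
            "metric": int(d["metric"]) if d["metric"] else None,
            "nexthop": d["nexthop"], "iface": d["iface"],
        })
    return routes


def best_route(routes, prefix):
    """The route for prefix that zebra selected and installed in the FIB, or None."""
    for r in routes:
        if r["prefix"] == prefix and r["selected"] and r["fib"]:
            return r
    return None


def check_redistributed(routes, prefix, expect_metric=1111):
    """Return (ok, detail): prefix must be an installed OSPF route carrying the
    hub's 'redistribute kernel metric 1111' cost, not a connected or static one."""
    r = best_route(routes, prefix)
    if r is None:
        return False, "no selected FIB route for " + prefix
    if r["code"] != "O":
        return False, f"{prefix} is a type-{r['code']} route, not OSPF"
    if r["metric"] != expect_metric:
        return False, f"{prefix} has OSPF cost {r['metric']}, expected {expect_metric}"
    return True, f"{prefix} via {r['nexthop']} on {r['iface']}"


if __name__ == "__main__":
    table = parse_routes(SAMPLE_SHOW_IP_ROUTE)
    for p in ("192.168.198.0/24", "192.168.199.0/24", "10.0.0.0/24", "172.16.1.0/24"):
        print(check_redistributed(table, p))
```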

Client or Spoke Router: allow traffic to other networks by command: set-wgvpn-ip-allow-on-server


root@VPN-ROUTER:~# set-wgvpn-ip-allow-on-server

## check multi wireguard site router br-lan network id first ##
###################################################################
## below list is wireguard mutli user's name ##
'server'
-------------------------------------------------------------------
network.wgserver.route_allowed_ips='1'
network.wgserver.allowed_ips='172.16.255.0/24' '172.16.111.0/24'
###################################################################
## Please enter below list of wireguard mutli user's name ##

server

___________________________________________________________________
Please enter network id and perfix e.g.: 192.168.1.0/24


10.0.0.0/24


Complete and please run command : reboot


###################################################################

network.wgserver.allowed_ips='10.0.0.0/24' '172.16.255.0/24' '172.16.111.0/24'
network.wgserver.route_allowed_ips='1'

###################################################################
root@VPN-ROUTER:~#

On the Client (spoke) router, to reach another network, edit the configuration with vi /etc/config/network


config interface 'wg0'
option proto 'wireguard'
option private_key 'IGDlmkyB/M6ecuwXM4qoZT72P3WkLVtqn1oRuCgV7Xc='
list addresses '172.16.111.7/24'

config wireguard_wg0 'wgserver'
list allowed_ips '10.0.0.0/24'
list allowed_ips '192.168.199.0/24'
list allowed_ips '192.168.210.0/24'
list allowed_ips '192.168.211.0/24'
list allowed_ips '172.31.255.0/24'
option public_key '+pJof2NSr7v8JVpAzWQbt+W98Dp2MXOIVqOqdj0PlFM='
option preshared_key 'pRrTvXmtJAc/I9B/psVAnPnYMlSDrL0F8QqA6HDxdJE='
option endpoint_host '1.2.3.4'
option endpoint_port '443'
option route_allowed_ips '1'
option persistent_keepalive '25'
list allowed_ips '172.16.255.0/24'
list allowed_ips '172.16.111.0/24'
~
:wq

Save and reboot
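For the allowed_ips lists that set-wgvpn-ip-allow-on-server and the manual edit above build up, the following Python (an added example, not part of the router firmware) parses the WireGuard sections of /etc/config/network and flags a 0.0.0.0/0 entry, overlapping prefixes between peers and a peer without route_allowed_ips '1'; the sample is a constructed hub-side configuration with placeholder keys, including a deliberately misconfigured extra peer.

```python
"""Audit the WireGuard peer sections of an OpenWrt /etc/config/network file.

Added example, not part of the router firmware. The sample is a constructed
hub-side configuration modelled on the set-wgvpn-ip-allow-on-server output
above (per-user /32 tunnel addresses plus the site network appended to user6);
all keys are placeholders. 'wguser7' is deliberately misconfigured.
"""
import ipaddress
import re

SAMPLE_UCI = """
config interface 'wg0'
    option proto 'wireguard'
    option private_key 'PLACEHOLDER_HUB_PRIVATE_KEY='
    list addresses '172.16.111.111/24'

config wireguard_wg0 'wguser1'
    option public_key 'PLACEHOLDER_USER1_PUBLIC_KEY='
    option route_allowed_ips '1'
    list allowed_ips '172.16.111.2/32'

config wireguard_wg0 'wguser6'
    option public_key 'PLACEHOLDER_USER6_PUBLIC_KEY='
    option route_allowed_ips '1'
    list allowed_ips '192.168.198.0/24'
    list allowed_ips '172.16.111.7/32'

config wireguard_wg0 'wguser7'
    option public_key 'PLACEHOLDER_USER7_PUBLIC_KEY='
    option route_allowed_ips '0'
    list allowed_ips '192.168.198.128/25'
    list allowed_ips '0.0.0.0/0'
"""

_SECTION_RE = re.compile(r"^config\s+(\S+)(?:\s+'([^']*)')?$")
_ENTRY_RE = re.compile(r"^(option|list)\s+(\S+)\s+'([^']*)'$")


def parse_uci(text):
    """Parse UCI text into sections: {'type', 'name', 'options', 'lists'}."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _SECTION_RE.match(line)
        if m:
            current = {"type": m.group(1), "name": m.group(2),
                       "options": {}, "lists": {}}
            sections.append(current)
            continue
        m = _ENTRY_RE.match(line)
        if m and current is not None:
            kind, key, value = m.groups()
            if kind == "option":
                current["options"][key] = value
            else:
                current["lists"].setdefault(key, []).append(value)
    return sections


def wireguard_peers(sections):
    """Yield (peer name, [allowed networks], options) for each wireguard_* section."""
    for s in sections:
        if s["type"].startswith("wireguard_"):
            nets = [ipaddress.ip_network(c, strict=False)
                    for c in s["lists"].get("allowed_ips", [])]
            yield s["name"], nets, s["options"]


def audit_peers(sections):
    """Return findings as (peer, kind, detail) tuples.

    default-route: 0.0.0.0/0 on a peer sends every non-local packet to it.
    overlap: two peers claim overlapping prefixes; WireGuard uses the longest
             match, so part of a site network silently goes to the other peer.
    no-route: route_allowed_ips is not '1', so the allowed networks never reach
             the kernel routing table and OSPF has nothing to redistribute.
    """
    findings, claimed = [], []
    for peer, nets, opts in wireguard_peers(sections):
        if opts.get("route_allowed_ips") != "1":
            findings.append((peer, "no-route",
                             "allowed_ips are not installed as kernel routes"))
        for net in nets:
            if net.prefixlen == 0:
                findings.append((peer, "default-route",
                                 f"{net} routes all traffic to this peer"))
                continue
            for other, owner in claimed:
                if owner != peer and net.overlaps(other):
                    findings.append((peer, "overlap",
                                     f"{net} overlaps {other} of {owner}"))
            claimed.append((net, peer))
    return findings


def peer_for(sections, ip):
    """Longest-prefix match over allowed_ips: the peer that would carry ip."""
    addr, best = ipaddress.ip_address(ip), None
    for peer, nets, _ in wireguard_peers(sections):
        for net in nets:
            if addr in net and (best is None or net.prefixlen > best[1]):
                best = (peer, net.prefixlen)
    return best[0] if best else None


if __name__ == "__main__":
    cfg = parse_uci(SAMPLE_UCI)
    for finding in audit_peers(cfg):
        print("%-8s %-13s %s" % finding)
    for dst in ("192.168.198.5", "192.168.198.200", "8.8.8.8"):
        print(dst, "->", peer_for(cfg, dst))
```

The same parser accepts the spoke-side file shown above, where peer_for tells you whether a destination such as 10.0.0.0/24 would actually be sent into the tunnel.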


Use the web interface to allow the WireGuard VPN tunnel to pass traffic to another network.

Login http://ip-address/cgi-bin/luci/
Go to → Network → Interface → WG0 → Edit → peer → Allowed IPs : add network-id and prefix number (10.0.0.0/24) → Save → Save & Apply

Add 0.0.0.0/0 to allow all traffic to go to the server router and the internet.

Creating a dual tunnel between the same site on both the server (hub) and client (spoke) sides is not suggested.

WireGuard VPN Multi-Site Summary:
1). Set up the server and client router br-lan IP addresses with the default configuration (e.g., Server/Hub br-lan 192.168.1.1/24,
first client/spoke br-lan 192.168.2.1/24, second client/spoke br-lan 192.168.3.1/24; each site uses a different network).
2). Server/Hub Mini-Router: enable SSH for the WAN side and change to other port numbers
(e.g., enable SSH port 2233 for direct internet or NAT port forward the SSH and WireGuard service ports 1024).
3). Hub or Server: type command set-wgvpn-server → set up WireGuard tunnel ip address 172.16.255.1 and port number (default 1024)
4). Hub or Server: add a mobile client with command set-wgvpn-app-mobile, entering the public ip-address or DDNS domain name, username and user password.
5). Hub or Server: add a remote router client with command set-wgvpn-user-router, entering the public ip-address or DDNS domain name, username and user password.
6). Client mobile app: import the WireGuard VPN file (user.config, downloaded from the server at http://Server IP/wgvpn/)
7). Client or Spoke router: run command set-wgvpn-peer-multiple
8). Client or Spoke: enter the Hub or Server public ip-address or DDNS domain name and SSH port number.
9). Client or Spoke: enter the WireGuard site name and enter the site password twice.
10). Client or Spoke: run command show-wgvpn-client-tunnel; Hub or Server: run command show-wgvpn-server-tunnel
11). Hub or Server and Client or Spoke routers need to allow the remote network's traffic to the remote site
(manual command: set-wgvpn-ip-allow-on-server, or edit wg0 on the web interface). To remove WireGuard VPN, use the web interface and reset defaults.

 


  • OpenVPN Layer2 VPN (bridge mode multi-site)


OpenVPN Layer 2 Multi-Site (Bridge Mode). To remove the OpenVPN Layer 2 VPN, use the web interface and reset defaults.
OpenVPN Layer 2 Multi-Site does NOT SUPPORT VRRP and Site-to-Site tunneling running together on the same router.
The OpenVPN Layer 2 Multi-Site tunnel tap100 interface does NOT SUPPORT multicast or dynamic routing (OSPF, RIP, BGP, ISIS).
OpenVPN Layer 2 Multi-Site supports a single tunnel between the same server (hub) and client (spoke) sites only (it does NOT SUPPORT a dual tunnel design by default).

OpenVPN Multi-Site (Bridge Mode) runs all sites on the same network with different IP addresses, as if the routers and computers were next to each other.

Example: the hub or server site uses 192.168.1.1/24 on the br-lan interface, and the spoke or client site uses 192.168.1.2/24
on the br-lan interface. When adding more spokes or client sites, the next one should be 192.168.1.3/24 on the br-lan interface.
The openvpn server tunnel tap100 uses the default port 1194.

The Server (Hub) Router is directly connected to the internet with the WAN-side SSH service enabled. (The VPN has to enable SSH so that client sites can download configuration files.)
Server or Hub Router
Login → http://ip-address/cgi-bin/luci/ → Go to → System → Administration → SSH Access → Add instance → Interface WAN → Port 2233 → Save → Save & Apply
Login → http://ip-address/cgi-bin/luci/ → Go to → Network → Firewall → Firewall - Zone Settings → wan → CHANGE Input reject to accept → Save → Save & Apply


The Mini-Router br-lan 192.168.1.1/24 is connected to the 192.168.1.254/24 home internet router, which connects to the internet with a fixed real IP address
or ddns. The home internet router has to configure port forwarding to 192.168.1.1/24: ssh port 22 to 2233, and openvpn 1194, so that the
OpenVPN tunnel interfaces are reachable from the internet.

Or

The mini-Router connected to a switch port supports 802.11Q trunking of WAN and LAN over the same LAN port, as below. Please refer to the 802.11Q item.

Server (Hub) and Client (Spoke) VPN computers are on the same network: as at the Server (Hub) and Client (Spoke) sites, all computers
are connected to a switch with the same vlan ID on the same network.

Example: 
10.0.0.17/24 on the br-lan Hub router and 172.31.255.26/24 on the WAN to the internet (Need NAT port forwarding for SSH and OpenVPN)
10.0.0.100/24 on the br-lan Spoke router and 172.31.255.226/24 on the WAN to the internet

OpenVPN Bridge Mode VPN keypairs: 1024 bit is recommended.


The Server (Hub) Router WAN is on the internet with public real ip address 1.2.3.4 (or replace it with the ddns domain name).
A client (Spoke) router connected to the internet can peer with 1.2.3.4 on SSH port 2233 and use the OpenVPN service.

Server (Hub) Router run command: set-bm-ovpn-server

root@VPN-Lite:~# set-bm-ovpn-server
ls: /etc/openvpn/bridgeclient.conf: No such file or directory
ls: /etc/openvpn/bridgeserver.conf: No such file or directory

#####################################################################
#### **** layer 2 VPN NOT Support VRRP protocol keepalived **** ####
#### **** keepalived auto disable and stop service **** ####
#####################################################################

##### Ctrl + C Stop and EXIT #####
#######################################################################################
##### Please Enter OpenVPN service udp port number: #####

Server OpenVPN site to muiltsite service udp port number: ( default 1194 udp )

1194


Choose a size in bits for your keypairs 2048=y or 1024=n (y/n)?
n

The bits for your keypairs is 1024 and take a long time for key gen !

Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
...............+...........................................................................++*++*++*++*++*
Can't load /etc/openvpn/tmp/easyrsa/pki/.rnd into RNG
2012860036:error:2406F079:random number generator:RAND_load_file:Cannot open file:crypto/rand/randfile.c:98:Filename=/etc/openvpn/tmp/easyrsa/pki/.rnd
Generating a RSA private key
..+++++
.+++++
writing new private key to '/etc/openvpn/tmp/easyrsa/pki/private/ca.key.XXXXlgBMEI'
-----
Generating a RSA private key
..............+++++
.......................+++++
writing new private key to '/etc/openvpn/tmp/easyrsa/pki/private/server.key.XXXXFiDBGI'
-----
Using configuration from /etc/easy-rsa/openssl-easyrsa.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'server'
Certificate is to be certified until Jul 6 04:53:42 2033 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

--------- complete openvpn bridge mode server configure ----------

###*** Delete openvpn bridge mode configure Reset to defaults by web interface ***###

Complete and Please run command : reboot


root@VPN-Lite:~#

On the server (hub) router, add a client (spoke) remote site by name with the command set-bm-ovpn-client, or set-bm-ovpn-nocheck-client when the hub has no internet connection (second case below):

root@VPN-Lite:~# set-bm-ovpn-client
ls: /etc/openvpn/bridgeclient.conf: No such file or directory

The Internet connection public IP ADDRESS: 1.2.3.4

###################################################################
## Run set-bm-ovpn-server first for OpenVPN server enable ##

## Ctrl + C Stop wireguard multi site configuration ##
###################################################################
## Please enter The Internet public IP ADDRESS: or DDNS ##
1.2.3.4
1.2.3.4 is matching internet public ip address: 1.2.3.4

###################################################################
OpenVPN Bridge Mode router name list:
bridgeserver

###################################################################
Please enter other's router name:

user1

Generating a RSA private key
...+++++
...............+++++
writing new private key to '/etc/openvpn/tmp/easyrsa/pki/private/user1.key.XXXXDkNEco'
-----
Using configuration from /etc/easy-rsa/openssl-easyrsa.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'user1'
Certificate is to be certified until Jul 6 04:55:06 2033 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

--------- complete openvpn bridge mode server configure ----------

###*** Delete openvpn bridge mode configure Reset to defaults by web interface ***###

root@VPN-Lite:~#


On the client (spoke) remote site router, run the command set-bm-ovpn-peer. The script fetches the client certificate, key and bridgeclient.conf from the hub over scp using the hub's root password, so compare the SSH fingerprint it prints with the hub's own fingerprint before answering y:


root@Layer2-VPN-Spoke:~# set-bm-ovpn-peer
ls: /etc/openvpn/bridgeserver.conf: No such file or directory
ls: /etc/openvpn/bridgeclient.conf: No such file or directory

## Ctrl + C STOP and exit ##
###############################################################
###############################################################
OpenVPN BRIDGE Server the REAL IP Address OR DDNS domain name:
1.2.3.4

###############################################################
Do you need to change SSH default port 22 (y/n): (change=y)!
y

###############################################################
Please enter SSH port numebr here:

2233


###############################################################
Please enter openvpn bm client for scp download configure file
user1

Please enter OpenVPN BRIDGE Server Root passwd:

Host '1.2.3.4' is not in the trusted hosts file.
(ssh-rsa fingerprint sha1!! 02:fa:a7:51:ee:d5:7c:f0:1a:ce:81:4a:13:b5:1f:71:15:d6:7b:da)
Do you want to continue connecting? (y/n) y
root@1.2.3.4's password: ###( NEED ENTER SERVER OR HUB ROUTER ROOT PASSWORD HERE )###
user6.crt 100% 3836 3.8KB/s 00:00
openvpn 100% 183 0.2KB/s 00:00
ca.crt 100% 830 0.8KB/s 00:00
server.pem 100% 636 0.6KB/s 00:00
bridge-server.info 100% 71 0.1KB/s 00:00
bridgeclient.conf 100% 266 0.3KB/s 00:00
user6.key 100% 1704 1.7KB/s 00:00

--------- complete openvpn bridge mode client configure ----------

###*** Delete openvpn bridge mode configure Reset to defaults by web interface ***###

Complete and Please run command : reboot


root@Layer2-VPN-Spoke:~# 


root@Layer2-VPN-Spoke:~# show-bm-ovpn-tunnel

tap100 Link encap:Ethernet HWaddr BE:FD:EE:44:06:B4
inet addr:10.0.0.171 Bcast:10.0.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1410 Metric:1
RX packets:2032 errors:0 dropped:0 overruns:0 frame:0
TX packets:939 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:1033179 (1008.9 KiB) TX bytes:118936 (116.1 KiB)


#################################################################################

bridge name bridge id STP enabled interfaces
br-lan 7fff.ac15a23ca029 no eth0
tap100
brctl: invalid argument 'br-lan' to 'brctl'

root@Layer2-VPN-Spoke:~#


C:\>ipconfig

Windows IP Configuration


Mobile Broadband adapter Cellular:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :

Ethernet adapter Ethernet:

Connection-specific DNS Suffix . : lan
IPv4 Address. . . . . . . . . . . : 10.0.0.182
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.0.0.100


C:\>
C:\>
C:\>ping 10.0.0.17

Pinging 10.0.0.17 with 32 bytes of data:
Reply from 10.0.0.17: bytes=32 time=17ms TTL=64
Reply from 10.0.0.17: bytes=32 time=8ms TTL=64
Reply from 10.0.0.17: bytes=32 time=18ms TTL=64
Reply from 10.0.0.17: bytes=32 time=12ms TTL=64

Ping statistics for 10.0.0.17:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 8ms, Maximum = 18ms, Average = 13ms

C:\>

###############################################################################################################################################################


In the second case, the server (hub) and client (spoke) are not connected to the internet; the hub is reached by its WAN port address (172.31.255.26 in this example) instead of a public IP.

On the server (hub) router, add the client (spoke) remote site with the command set-bm-ovpn-nocheck-client:


root@VPN-Lite:~# set-bm-ovpn-nocheck-client
ls: /etc/openvpn/bridgeclient.conf: No such file or directory

The WAN port connection IP ADDRESS:

###################################################################
## Run set-bm-ovpn-server first for OpenVPN server enable ##

## Ctrl + C Stop OpenVPN multi site configuration ##
###################################################################
## Please enter The Router WAN PORT IP ADDRESS: or DDNS ##
172.31.255.26

###################################################################
OpenVPN Bridge Mode router name list:
bridgeserver

###################################################################
Please enter other's router name:

user1

Generating a RSA private key
......+++++
............................+++++
writing new private key to '/etc/openvpn/tmp/easyrsa/pki/private/user1.key.XXXXiNECnO'
-----
Using configuration from /etc/easy-rsa/openssl-easyrsa.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'user1'
Certificate is to be certified until Jul 6 06:17:07 2033 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

--------- complete openvpn bridge mode server configure ----------

###*** Delete openvpn bridge mode configure Reset to defaults by web interface ***###

root@VPN-Lite:~#

On the client (spoke) remote site router, peer the VPN with the command set-bm-ovpn-peer:

root@VPN-Spoke:~# set-bm-ovpn-peer
ls: /etc/openvpn/bridgeserver.conf: No such file or directory
ls: /etc/openvpn/bridgeclient.conf: No such file or directory

## Ctrl + C STOP and exit ##
###############################################################
###############################################################
OpenVPN BRIDGE Server the REAL IP Address OR DDNS domain name:
172.31.255.26

###############################################################
Do you need to change SSH default port 22 (y/n): (change=y)!
n

###############################################################
Please enter openvpn bm client for scp download configure file
user1

Please enter OpenVPN BRIDGE Server Root passwd:

Host '172.31.255.26' is not in the trusted hosts file.
(ssh-rsa fingerprint sha1!! 74:4b:d7:d6:e5:02:92:84:ef:25:bc:29:18:42:9f:3d:d8:bc:4c:b5)
Do you want to continue connecting? (y/n) y
root@172.31.255.26's password: ###( NEED ENTER SERVER OR HUB ROUTER ROOT PASSWORD HERE )###
user1.key 100% 916 0.9KB/s 00:00
openvpn 100% 183 0.2KB/s 00:00
ca.crt 100% 830 0.8KB/s 00:00
server.pem 100% 636 0.6KB/s 00:00
bridge-server.info 100% 71 0.1KB/s 00:00
bridgeclient.conf 100% 266 0.3KB/s 00:00
user1.crt 100% 3085 3.0KB/s 00:00

--------- complete openvpn bridge mode client configure ----------

###*** Delete openvpn bridge mode configure Reset to defaults by web interface ***###

Complete and Please run command : reboot


root@VPN-Spoke:~#


C:\Users\x>ipconfig

Windows IP Configuration


Mobile Broadband adapter Cellular:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :

Ethernet adapter Ethernet:

Connection-specific DNS Suffix . : lan
IPv4 Address. . . . . . . . . . . : 10.0.0.182
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.0.0.100


C:\>ping 10.0.0.17

Pinging 10.0.0.17 with 32 bytes of data:
Reply from 10.0.0.17: bytes=32 time=7ms TTL=64
Reply from 10.0.0.17: bytes=32 time=4ms TTL=64
Reply from 10.0.0.17: bytes=32 time=4ms TTL=64
Reply from 10.0.0.17: bytes=32 time=9ms TTL=64

Ping statistics for 10.0.0.17:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 4ms, Maximum = 9ms, Average = 6ms

C:\>


Remove the gateway IP address from the remote Windows computer and it still connects to the server (hub) network, because the bridge carries Layer 2 frames:

C:\>ipconfig

Windows IP Configuration


Mobile Broadband adapter Cellular:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :

Ethernet adapter Ethernet:

Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 10.0.0.222
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :


C:\>
C:\>ping 10.0.0.17

Pinging 10.0.0.17 with 32 bytes of data:
Reply from 10.0.0.17: bytes=32 time=15ms TTL=64
Reply from 10.0.0.17: bytes=32 time=6ms TTL=64
Reply from 10.0.0.17: bytes=32 time=13ms TTL=64
Reply from 10.0.0.17: bytes=32 time=7ms TTL=64

Ping statistics for 10.0.0.17:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 6ms, Maximum = 15ms, Average = 10ms

C:\>


OpenVPN Multi-Site (Bridge Mode) Summary:
1). Set up the server and client br-lan IP addresses from the default configuration (e.g.: server/hub br-lan 192.168.1.1/24,
first client/spoke br-lan 192.168.1.2/24, second client/spoke br-lan 192.168.1.3/24: same network, a different IP for each router).
2). Server/hub Mini-Router: enable SSH on the WAN side and change the port number
(e.g., SSH on port 2233 for a direct internet connection, or NAT port-forward the SSH and OpenVPN service ports).
3). Hub or server: type the command set-bm-ovpn-server → set the OpenVPN port number (default 1194) and key pair (1024 bit; this is below current RSA key-size recommendations, so prefer a larger key where the script allows it).
4). Hub or server: add the remote router with the command set-bm-ovpn-nocheck-client (or set-bm-ovpn-client when the hub has internet access) and the public IP address or DDNS domain name.
5). Hub or server: enter the remote site name for the remote client site and reboot.
6). Client or spoke: run set-bm-ovpn-peer.
7). Client or spoke: enter the hub or server public IP address or DDNS domain name and the SSH port number.
8). Client or spoke: enter its own site name and the hub or server router root password.
9). Client or spoke and hub or server: ping each other's router br-lan interface, or check traffic with ifconfig tap100 (e.g. RX bytes:974187 (951.3 KiB) TX bytes:9820789 (9.3 MiB)).
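The check in step 9, as an added example that is not part of the manual or the router's own set-bm-ovpn-* scripts: a POSIX shell script that parses the output of brctl show and ifconfig tap100 (the samples below are constructed to mirror the show-bm-ovpn-tunnel transcript) and reports whether tap100 is bridged into br-lan, the link is RUNNING and traffic has flowed in both directions. The function names are assumptions; the interface names come from the manual.

```shell
#!/bin/sh
# Added example, not the VPN-Lite manual's own code: health checks for the
# bridge-mode tunnel on a spoke router. Sample outputs are constructed.

# Constructed sample of `brctl show` output (tab alignment replaced by spaces).
SAMPLE_BRCTL='bridge name     bridge id               STP enabled     interfaces
br-lan          7fff.ac15a23ca029       no              eth0
                                                        tap100'

# Constructed sample of `ifconfig tap100` output.
SAMPLE_IFCONFIG='tap100    Link encap:Ethernet  HWaddr BE:FD:EE:44:06:B4
          inet addr:10.0.0.171  Bcast:10.0.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1410  Metric:1
          RX packets:2032 errors:0 dropped:0 overruns:0 frame:0
          TX packets:939 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:1033179 (1008.9 KiB)  TX bytes:118936 (116.1 KiB)'

# bridge_has_member <brctl-output> <bridge> <iface>
# Succeeds when <iface> is listed under <bridge>. brctl prints additional
# member ports on continuation lines that start with whitespace, so the awk
# program remembers which bridge the current block belongs to.
bridge_has_member() {
    printf '%s\n' "$1" | awk -v br="$2" -v port="$3" '
        NR == 1 { next }                      # skip the header line
        /^[^ \t]/ { cur = $1; member = $4 }   # new bridge row: name ... first port
        /^[ \t]/  { member = $1 }             # continuation row: another port
        cur == br && member == port { found = 1 }
        END { exit found ? 0 : 1 }'
}

# iface_flag <ifconfig-output> <FLAG>   e.g. RUNNING; succeeds if the flag is set
iface_flag() {
    printf '%s\n' "$1" | grep -q "[[:space:]]$2[[:space:]]"
}

# iface_bytes <ifconfig-output> <RX|TX>  prints the byte counter
iface_bytes() {
    printf '%s\n' "$1" | sed -n "s/.*$2 bytes:\([0-9][0-9]*\).*/\1/p"
}

# tunnel_ok <brctl-output> <ifconfig-output>
# Prints "ok" when tap100 is a member of br-lan, the link is RUNNING and
# bytes have been received and sent; otherwise prints the first failing check.
tunnel_ok() {
    bridge_has_member "$1" br-lan tap100 || { echo "tap100 not in br-lan"; return 1; }
    iface_flag "$2" RUNNING || { echo "tap100 not RUNNING"; return 1; }
    rx=$(iface_bytes "$2" RX); tx=$(iface_bytes "$2" TX)
    [ "${rx:-0}" -gt 0 ] && [ "${tx:-0}" -gt 0 ] || { echo "no traffic rx=$rx tx=$tx"; return 1; }
    echo ok
}

# On the router itself, run it against live output:
#   tunnel_ok "$(brctl show)" "$(ifconfig tap100)"
tunnel_ok "$SAMPLE_BRCTL" "$SAMPLE_IFCONFIG"
# ok
```

A zero RX or TX counter with the link RUNNING usually means the peer's tap interface is not enslaved to its bridge, which is what the brctl check on the far side reveals.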


  • VRRP keepalive (NOT supported together with VPN on the same router at the same time)

The VRRP keepalive command set-keepalived-enable is designed for two routers whose LAN ports are connected to the same switch, one active and one standby,
providing redundancy to the internet. When the active router's hardware fails, automatic failover switches the standby router to active immediately.
(The OpenVPN Layer 2 VPN service and the VRRP keepalive service conflict with each other on the same router.)

A VRRP router is not recommended as a WiFi access point: when its power or the router itself goes down, WiFi users associated with it lose their network connection.

VRRP example: Router1 br-lan 10.0.0.10/24 as the active VRRP router and Router2 br-lan 10.0.0.17/24 as the standby VRRP router.

Router1 as below:
root@Internet-WRT:~# del-keepalived-config
Delete keepalived configure and stop vrrp service? (y/n)?

y

Confirm remove keepalived vrrp service and configure !!

root@Internet-WRT:~# del-keepalived-config

###############################################################################

This is router already removed keepalived.conf configure and service !

###############################################################################

root@Internet-WRT:~#

root@Internet-WRT:~# set-keepalived-enable
+---------------------+-------------------------------------------+
| Interface | IP Address/Prefix |
+---------------------+-------------------------------------------+
| br-lan | 10.0.0.10/24 |
| wlan0 | 172.31.255.10/24 |
+---------------------+-------------------------------------------+
###################################################################

The Internet connection public IP ADDRESS: 1.2.3.4
traceroute check next hop ip 172.31.255.254

###################################################################
Ctrl + C = STOP and EXIT
###################################################################
Please enter monitor fixed ip address:

172.31.255.254

172.31.255.254 can monitor by ping

###################################################################
Please enter vrrp interface name:

br-lan

###################################################################
br-lan : 10.0.0.10 vrrp ip have to same network 10.0.0.0/24
###################################################################
Please enter vrrp virtual ip address:
10.0.0.254

root@Internet-WRT:~#
root@Internet-WRT:~# show-keepalived

####################################################

VRRP Master interface br-lan 10.0.0.10
VRRP Virtual IP : 10.0.0.254

####################################################

root@Internet-WRT:~#


Router 2 as below


root@VPN-Lite:~# del-keepalived-config
Delete keepalived configure and stop vrrp service? (y/n)?
y
Confirm remove keepalived vrrp service and configure !!
root@VPN-Lite:~#


root@VPN-Lite:~# set-keepalived-peer
+---------------------+-------------------------------------------+
| Interface | IP Address/Prefix |
+---------------------+-------------------------------------------+
| br-lan | 10.0.0.17/24 |
| wlan0 | 172.31.255.26/24 |
+---------------------+-------------------------------------------+

###################################################################
Ctrl + C = STOP and EXIT
###################################################################
Please enter vrrp monitor fixed ip address:

172.31.255.1

172.31.255.1 can monitor by ping

###################################################################
Please enter vrrp interface name:

br-lan

###################################################################
br-lan : 10.0.0.17 vrrp ip have to same network 10.0.0.0/24
###################################################################
Please enter vrrp virtual ip address:

10.0.0.10


Please enter root password:

Host '10.0.0.10' is not in the trusted hosts file.
(ssh-rsa fingerprint sha1!! 4b:65:ae:9f:04:99:af:c5:b9:fc:b7:ad:2a:aa:09:0e:f1:a4:fc:dc)
Do you want to continue connecting? (y/n) y
root@10.0.0.10's password:
authenticate 100% 7 0.0KB/s 00:00
keepalived.conf 100% 336 0.3KB/s 00:00
ping.sh 100% 758 0.7KB/s 00:00
template.vrrp 100% 2323 2.3KB/s 00:00
vrrp-status 100% 460 0.5KB/s 00:00
vrrp.info 100% 116 0.1KB/s 00:00

root@VPN-Lite:~#
root@VPN-Lite:~# show-keepalived

####################################################

VRRP Backup interface br-lan 10.0.0.17
VRRP Neighbor IP : 10.0.0.10

####################################################

root@VPN-Lite:~#

Run show-keepalived about one minute after set-keepalived-peer has finished, once the VRRP service has become active.

VRRP keepalive summary:
1). Both routers' br-lan on the same network with different IP addresses (e.g.: Internet-WRT router br-lan 10.0.0.10/24 and VPN-Lite router br-lan 10.0.0.17/24, connected to the same switch).
2). VRRP active router: run the command set-keepalived-enable (it monitors the WAN next hop 172.31.255.254 automatically; enter the br-lan interface and the VRRP virtual IP 10.0.0.254).
3). VRRP backup router: run the command set-keepalived-peer (enter the monitored fixed IP address 172.31.255.1, the VRRP active router IP address or VRRP IP address, and the active router root password).
4). VRRP active and standby routers: run the command show-keepalived (displays VRRP status).
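The same-subnet rule the set-keepalived-enable prompt enforces ("vrrp ip have to same network") and the files the transcript copies to the peer (keepalived.conf, ping.sh), as an added example that is not taken from the manual or the router's scripts: a POSIX shell script with a subnet check, a ping-based track script and a keepalived.conf rendered from the example addresses. The instance name VI_1, virtual_router_id 51, the priorities, the weight and the /etc/keepalived paths are assumptions.

```shell
#!/bin/sh
# Added example, not the VPN-Lite set-keepalived-* scripts. Addresses are the
# manual's (br-lan 10.0.0.10/24, VIP 10.0.0.254, next hop 172.31.255.254);
# VRRP instance name, router id, priorities and file paths are assumptions.

# ip_to_int 10.0.0.10 -> 167772170 (dotted quad to 32-bit integer)
ip_to_int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# netmask_int 24 -> 4294967040 (prefix length to 32-bit mask)
netmask_int() {
    echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
}

# same_network <iface-ip/prefix> <vip>
# Succeeds when the virtual IP lies inside the interface's subnet, which is
# the condition the router's prompt checks before accepting the VRRP IP.
same_network() {
    ip=${1%/*}; prefix=${1#*/}
    mask=$(netmask_int "$prefix")
    [ $(( $(ip_to_int "$ip") & mask )) -eq $(( $(ip_to_int "$2") & mask )) ]
}

# ping_script <monitor-ip>: prints the track script keepalived runs every
# interval. A non-zero exit lowers this router's priority by <weight>, so
# losing the monitored next hop hands the VIP to the peer.
ping_script() {
    cat <<EOF
#!/bin/sh
# constructed track script: two probes, one-second timeout each
ping -c 2 -W 1 $1 >/dev/null 2>&1
EOF
}

# render_keepalived_conf <MASTER|BACKUP> <iface> <vip/prefix> <priority>
# Prints a keepalived.conf for one VRRP instance tracking the ping script.
render_keepalived_conf() {
    cat <<EOF
vrrp_script chk_gateway {
    script "/etc/keepalived/ping.sh"
    interval 5
    weight -20
    fall 2
    rise 2
}

vrrp_instance VI_1 {
    state $1
    interface $2
    virtual_router_id 51
    priority $4
    advert_int 1
    virtual_ipaddress {
        $3
    }
    track_script {
        chk_gateway
    }
}
EOF
}

# Active router from the manual's example: refuse a VIP outside the br-lan
# subnet, otherwise render the MASTER configuration.
vrrp_example() {
    same_network 10.0.0.10/24 10.0.0.254 || { echo "VIP outside br-lan subnet"; return 1; }
    render_keepalived_conf MASTER br-lan 10.0.0.254/24 100
}

vrrp_example
ping_script 172.31.255.254
```

With MASTER at priority 100 and BACKUP at 90, a weight of -20 drops a master that has lost its next hop to 80, below the backup, so the VIP moves even though the master's own LAN link is still up; choose weight and priorities together so that this ordering holds.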


Miscellaneous topics for CLI commands.

iptables modules (firewall modules)
There are many modules, e.g. connection tracking / NAT modules (prefixed with "nf") and matching extension
modules (prefixed with "xt"), that let iptables handle packets of special protocols and support more
conditions for rule matching.


root@VPN-Lite:~# iptables -nvL INPUT --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 900 75600 ACCEPT all -- * * 127.0.0.0/8 0.0.0.0/0
2 8 1077 ACCEPT all -- * * 1.1.1.1 0.0.0.0/0
3 8 1077 ACCEPT all -- * * 8.8.8.8 0.0.0.0/0
4 0 0 ACCEPT all -- * * 210.3.59.65 0.0.0.0/0
5 0 0 ACCEPT all -- * * 210.3.59.74 0.0.0.0/0
6 0 0 ACCEPT all -- * * 224.0.0.0/8 0.0.0.0/0
7 0 0 ACCEPT all -- * * 222.22.222.222 0.0.0.0/0
8 0 0 ACCEPT all -- * * XXX.XXX.XX.0/20 0.0.0.0/0
9 90970 26M ACCEPT all -- * * 10.0.0.0/8 0.0.0.0/0
10 449K 66M ACCEPT all -- * * 172.16.0.0/12 0.0.0.0/0
11 0 0 ACCEPT all -- * * 192.168.0.0/16 0.0.0.0/0
12 0 0 ACCEPT all -- * * 10.0.0.0/24 0.0.0.0/0
13 0 0 ACCEPT all -- * * 123.245.50.227 0.0.0.0/0
14 0 0 ACCEPT all -- * * 132.154.18.124 0.0.0.0/0
15 0 0 DROP all -- * * 31.41.0.0/16 0.0.0.0/0
16 0 0 DROP all -- * * 152.89.0.0/16 0.0.0.0/0
17 0 0 DROP all -- * * 62.233.0.0/16 0.0.0.0/0
18 0 0 DROP all -- * * 112.96.0.0/16 0.0.0.0/0
19 0 0 DROP all -- * * 120.246.0.0/16 0.0.0.0/0
20 0 0 DROP all -- * * 220.174.0.0/16 0.0.0.0/0
21 6 304 DROP all -- * * 62.122.0.0/16 0.0.0.0/0
22 0 0 DROP all -- * * 185.11.0.0/16 0.0.0.0/0
23 29469 1768K DROP all -- * * 139.144.0.0/16 0.0.0.0/0
24 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
25 1188 97829 input_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom input rule chain */
26 1026 82809 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED /* !fw3 */
27 70 3272 syn_flood tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02 /* !fw3 */
28 4 1354 zone_lan_input all -- br-lan * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
29 158 13666 zone_wan_input all -- wlan0 * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
root@VPN-Lite:~#



If you configure a limit for a longer interval, e.g. "--limit 60/hour", you can add e.g.
"--limit-burst 5" (the default value) to prevent an attacker from using up all 60 matches within a
short interval. (It uses a token bucket for the calculation, where the limit value is the refill rate
and limit-burst is the bucket size.)

token bucket [ooooo] ---> each match takes out one token; a burst of connections in a short moment drains the bucket.
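The token-bucket behaviour described above, as an added example that is not from the manual: a shell simulation of the limit match with "60/hour" and burst 5, run over constructed packet timings. The real xt_limit module accounts in kernel ticks, so this integer model is illustrative only.

```shell
#!/bin/sh
# Added example, not the manual's code: integer token-bucket model of the
# iptables "limit" match. Packet timings below are constructed.

# limit_sim <seconds-per-token> <burst> <packet times in seconds...>
# Prints "matched=N dropped=M". The bucket starts full (burst tokens), earns
# one token per <seconds-per-token>, and a packet matches only if a token
# is available; "dropped" here means "not matched by the limit rule".
limit_sim() {
    refill=$1; burst=$2; shift 2
    tokens=$burst; last=0; matched=0; dropped=0
    for t in "$@"; do
        # tokens earned since the last refill point, capped at the bucket size
        earned=$(( (t - last) / refill ))
        if [ "$earned" -gt 0 ]; then
            tokens=$(( tokens + earned ))
            if [ "$tokens" -gt "$burst" ]; then tokens=$burst; fi
            last=$(( last + earned * refill ))
        fi
        if [ "$tokens" -gt 0 ]; then
            tokens=$(( tokens - 1 )); matched=$(( matched + 1 ))
        else
            dropped=$(( dropped + 1 ))
        fi
    done
    echo "matched=$matched dropped=$dropped"
}

# 60/hour = one token every 60 s, burst 5. Seven packets in the first seven
# seconds, then one at 70 s and one at 130 s: only the burst plus one token
# per minute gets through, not 60 packets at once.
limit_sim 60 5 0 1 2 3 4 5 6 70 130
# matched=7 dropped=2
```

Because "--limit 60/hour" refills one token a minute, a client that opens connections faster than that is held to the burst size; with "-m limit" in an ACCEPT rule the excess falls through to whatever rule follows, so pair it with an explicit DROP or the chain policy.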


iplimit: this extension also limits the number of times that a rule can match, but it applies to the
packets of parallel simultaneous connections from the same source IP address.


iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m iplimit --iplimit-above 5 -j DROP


Since it supports --iplimit-above only, it is used in a DROP / REJECT rule placed above the
normal rule allowing the connection. (Note: Fedora's kernel does not have this module; on current kernels the equivalent is "-m connlimit --connlimit-above".)


nth: this extension is used for load balancing in port forwarding, where successive packets are port-forwarded
to different internal hosts in turn. (Note: Fedora's kernel has the statistic module instead, and the usage is
"-m statistic --mode nth" instead of "-m nth".)


root@Bridge-VPN:~# cat /etc/firewall.user
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.

# iptables -A OUTPUT -p icmp -o eth0 -j ACCEPT
# iptables -A INPUT -p icmp --icmp-type echo-reply -s 0/0 -i eth0 -j ACCEPT
# iptables -A INPUT -p icmp --icmp-type destination-unreachable -s 0/0 -i eth0 -j ACCEPT
# iptables -A INPUT -p icmp --icmp-type time-exceeded -s 0/0 -i eth0 -j ACCEPT
# iptables -A INPUT -p icmp -i eth0 -j DROP




# USA United States Sprint 208.67.222.222
iptables -A INPUT -s 127.0.0.1/8 -j ACCEPT
iptables -A INPUT -s 1.1.1.1 -j ACCEPT
iptables -A INPUT -s 8.8.8.8 -j ACCEPT
iptables -A INPUT -s 208.67.222.222 -j ACCEPT # OpenDNS
iptables -A INPUT -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -s 172.16.0.0/12 -j ACCEPT
iptables -A INPUT -s 192.168.0.0/16 -j ACCEPT
iptables -A INPUT -s 10.0.0.0/24 -j ACCEPT

iptables -A INPUT -s XX.XX.0.0/16 -j DROP
iptables -A INPUT -s XXX.XX.0.0/16 -j DROP
iptables -A INPUT -s XXX.XXX.0.0/16 -j DROP

root@Bridge-VPN:~#


Login http://ip-address/cgi-bin/luci/ → Network → Firewall → Custom Rules (Tab) → Firewall - Custom Rules → EDIT → Save

ebtables (firewall modules)
Configuring Linux as a bridge device
A network bridge is a Link Layer (Layer 2) device which forwards traffic between networks based on MAC addresses. It is a link layer device
since it makes forwarding decisions based on tables of MAC addresses, which it builds by learning which hosts are connected to each network.

Linux can be configured as a software bridge to emulate a hardware hub / switch, connecting two networks together to form a larger network.
The following shows a simple example where both notebook computers at the two ends are in the same network 10.0.0.8

You can configure the bridge manually or through configuration files.
Assuming that the network interfaces are configured with protocol "none" and have no IP addresses, the following shows the command to add a bridge filter rule manually:


ebtables -A FORWARD -d 00:0c:29:8f:1c:ee -j DROP


After the above configuration, you can no longer access ClientB (MAC address 00:0c:29:8f:1c:ee) from your Windows PC. ClientB cannot access any host in your home network either, since the reply frames are blocked.

The following removes the rule and allows ClientB frames again.

ebtables -F FORWARD

Assume that you want to control SSH to the router at 10.0.0.70; the following rule drops bridged SSH (TCP port 22) frames to it:
ebtables -A FORWARD -p IPv4 --ip-destination 10.0.0.70 --ip-protocol tcp --ip-destination-port 22 -j DROP

set-tcpdump-protocol runs tcpdump to capture the packets of the current network interface.

Commands: show-iptraf, iptraf-ng, show-top-traffic and iftop for troubleshooting; Softflow configure and display commands: set-netflow-config and show-netflow-config;
SNMP is edited on the web interface: Login http://ip-address/cgi-bin/luci/ → Services → SNMPD → (Configuration SNMP).

show-network-id-prefix: give an IP and prefix or subnet mask to check the network ID and broadcast address; it also displays whether the address is a private IPv4 address or an Internet address.

sed-editor: Linux sed, to replace words in a text file.

show-lldp-neighbors: the LLDP neighbor information page contains information that was received from neighboring devices.

show-udp-tcp: display the router's UDP and TCP ports.

show-dhcp-binding: display DHCP client IP addresses.

Serial Console 
screen /dev/ttyUSB0 115200
picocom -b 115200 /dev/ttyUSB0
minicom




vi editor
i. Command mode: in Command mode, user input from the keyboard is regarded as vi command keys, which are used to e.g. open / save a file, search for keywords, navigate, quit vi, etc.

ii. Insert mode: in Insert mode, user input from the keyboard appears as the content of the file. When you are in Insert mode, the word "INSERT" appears at the bottom left corner.


In Insert mode: press [Esc] to change to Command mode. The word "INSERT" disappears,
indicating that you are now in Command mode.


Remarks: although the most common way to enter Insert mode is to press "i", there are other ways to
enter Insert mode from Command mode.

Assume your cursor is at the position (at the character "e") shown below:

[root@localhost ~]# vi /etc/rsyslog.conf

# rsyslog configuration file

# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# or latest version online at http://www.rsyslog.com/doc/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

#### GLOBAL DIRECTIVES ####

# Where to place auxiliary files
global(workDirectory="/var/lib/rsyslog")




vi key          | Description
----------------|----------------------------------------
i               | insert here (before the cursor)
a               | insert after the cursor (append)
o               | insert on a new line below, at its beginning
O               | insert on a new line above, at its beginning
I               | insert at the beginning of that line
A               | insert at the end of that line
R               | replace mode



h is equivalent to pressing the LEFT-ARROW key to move the cursor LEFT
j is equivalent to pressing the DOWN-ARROW key to move the cursor DOWN
k is equivalent to pressing the UP-ARROW key to move the cursor UP
l is equivalent to pressing the RIGHT-ARROW key to move the cursor RIGHT
[CTRL] + b moves one page up
[CTRL] + f moves one page down

:0 moves to home
:$ moves to end

:/ Search
N Search Back
n Search Forward

:r filename insert other text file from here
:!<command> e.g.: :!ls /etc
:r!<command> e.g.: :r! ifconfig 


dd Cuts/deletes the complete line at your current cursor position.
3dd Cuts/deletes 3 lines (i.e. the current line at the cursor and the 2 lines following)

yy Copies the complete line at your cursor position to the buffer.
3yy Copies 3 lines (i.e. the current line at the cursor and the 2 lines following).
P The uppercase "P" pastes from the buffer before / above your cursor position.
p The lowercase "p" pastes from the buffer after / below your cursor position.
u Undoes the last edit

<number>G Go to line <number>



Conclusion
Esc + Ctrl + End : jump to the end of the file
Esc + Ctrl + Home : jump to the start of the file
Esc + gg : go to the top of the file
Esc + G : go to the bottom of the file
Esc + G + A : go to the bottom of the file and enter append mode. In other words, jump to the last line and start writing code/text.
Esc + A + $ : go to the bottom of the file and the end of the line.


All file operation commands (except "ZZ") begin with a ":" colon.
:e <filename> Opens a file. For example:

- After you have invoked the command "vi" without specifying a file as parameter.
- You want to change the file for editing. (If you have modified the content of
the existing file, you need to use the override symbol "!", i.e.
":e! <filename>", to discard the modified content.)

:e! Opens another file, discarding the modified content

:w Saves (writes) modified content to a file

:w! Saves (writes) modified content to a file, overriding file system security if you
are the file owner or root. For example, if you are the owner of a file with permission
"444", you can open this file for editing and save it with the "w!" command without
the need to invoke "chmod u+w" before editing and "chmod u-w" after editing.

:q Quits vi
:q! Quits vi without saving the modified content
:wq Saves the file and then quits vi
:wq! Saves the file, overriding file system security, and then quits vi

:x OR ZZ Quits vi, saving the file first if the content has been modified


Need more information? Search the internet for "vi editor linux".