How to set up a guest network where the traffic is tunneled through a WireGuard VPN connection

The directions below produce a configuration with two access points: one called librecmc, whose traffic goes directly to the ISP, and a second named guest_VPN, whose traffic is tunneled through our PenguinVPN 2.0 WireGuard service. Traffic on the LAN port will not go through the VPN.

If you are interested in a router with this setup pre-configured and ready to use, contact sales and we can get you a custom invoice. At the time of this write-up this was not a configuration option that could be selected with the purchase of a router.

Note: The following documentation was last vetted under libreCMC 6.2 on a TPE-R1300 wireless router.

Note: Make sure you are starting from a clean / default libreCMC configuration. You can reset a router by going to System > Backup / Flash Firmware and clicking the Perform reset... button.

First follow our directions for setting up PenguinVPN 2.0 on libreCMC 6.x

Connect an ethernet cable between the LAN port on a TPE-R1300 router and a computer's ethernet port, connect power, antenna, etc.

Open a web browser and enter https://192.168.10.1 into the address bar, hit enter. Accept any security warning and continue to login.

There is no default password on the router. It's advisable to set one.

Go to Network > Interfaces
Click the Add new interface... button
Enter lan_vpn in Name box
Select Static address from the protocol drop down box
In the Device box enter br-lan_vpn and hit enter (under custom)
Click Create interface button

In the IPv4 address box enter 192.168.4.1
In the IPv4 netmask select 255.255.255.0

Click the DHCP Server tab
Click the Set up DHCP server button
Click the Advanced Settings tab
In the DHCP-Options box enter 6,8.8.8.8
Click the + button

Click the Save button

Go to Network > Wireless
Click the Add button
Select Access Point in the Mode drop down box if not the default already
Enter the desired ESSID, for example guest_VPN
In the Network drop down box select lan_vpn:

Click the Wireless Security tab
In the Encryption drop down box select WPA2-PSK (strong security)
Enter librecmc in the key box, or otherwise choose a more appropriate strong password for the access point
Click the Save button

Go to Network > Firewall
Click the Add button under Zones
In the Name box enter WGZONE
Select reject on input and forward
Select accept on output
Check the boxes that say masquerading and mss clamping
In the Covered networks drop down box select WGINTERFACE
Click the Save button

Go to Network > Firewall
Click the Add button under Zones
Enter lan_vpn in the Name box
Select accept for the Input, Output and Forward drop down boxes
In the Covered networks drop down box select lan_vpn
In the Allow forward to destination zones drop down box select WGZONE WGINTERFACE
Click the Save button

Go to Network > Interfaces
Click the Edit button next to WGINTERFACE
Uncheck the box that says Use default gateway
Click the Save button

Open a terminal and ssh into the router:

ssh root@192.168.3.1

The default password is the word 'none' without the quotes

Once logged in use vi to edit the network config file like so:

vi /etc/config/network

Add the following lines at the end of the file.

You can use the arrow keys to get to the bottom and tap the a key to switch to edit mode and then copy and paste these lines:

config rule
	option in 'lan_vpn'
	option lookup '1742'

config route
	option interface 'WGINTERFACE'
	option target '0.0.0.0'
	option netmask '0.0.0.0'
	option table '1742'

Don't forget to save: press the escape key, then type :wq! and press the enter key
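Guest traffic only reaches the tunnel if the rule for lan_vpn and the default route via WGINTERFACE name the same table, so a typo in either stanza breaks the guest network. The following check is an added example, not part of the original directions; the function name check_guest_policy is hypothetical, and it accepts a default route written either as target 0.0.0.0 with netmask 0.0.0.0 or as 0.0.0.0/0.

```shell
#!/bin/sh
# Added example, not from the original guide.
# Checks that the guest rule and the tunnel default route share a table.
# On the router: check_guest_policy /etc/config/network
# Args 2 and 3 default to the interface names used in this guide.
check_guest_policy() {
    cfg="$1"; src="${2:-lan_vpn}"; tun="${3:-WGINTERFACE}"
    awk -v src="$src" -v tun="$tun" -v q="'" '
        # Strip one leading and one trailing quote from a UCI value.
        function unq(s) { gsub("^[\"" q "]|[\"" q "]$", "", s); return s }
        # Called at the end of each "config" stanza.
        function flush() {
            if (kind == "rule" && o["in"] == src && o["lookup"] != "")
                rule_tbl[o["lookup"]] = 1
            is_default = (o["target"] == "0.0.0.0/0") ||
                (o["target"] == "0.0.0.0" && o["netmask"] == "0.0.0.0")
            if (kind == "route" && o["interface"] == tun && is_default &&
                o["table"] != "")
                def_tbl[o["table"]] = 1
            split("", o)    # portable way to empty the array
        }
        BEGIN { bad = 0; n = 0 }
        $1 == "config" { flush(); kind = $2; next }
        $1 == "option" { o[$2] = unq($3) }
        END {
            flush()
            for (t in rule_tbl) {
                n++
                if (t in def_tbl)
                    printf "OK: %s -> table %s -> default via %s\n", src, t, tun
                else {
                    printf "FAIL: table %s has no default route via %s\n", t, tun
                    bad = 1
                }
            }
            if (n == 0) {
                printf "FAIL: no rule with option in %s\n", src
                bad = 1
            }
            exit bad
        }
    ' "$cfg"
}
```

The function exits non-zero on any FAIL line, so it can gate a scripted reboot or a configuration backup.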

Go to Network > Firewall
Click the Edit button under Zones next to LAN => WAN
Uncheck all boxes in the Allow forward to destination zones: drop down and then check the WAN WAN: box
Click the Save button
Click the Save and apply button

Go to System > Reboot and click the Perform reboot button

Please note it's advisable to change the password for the librecmc and guest_VPN SSIDs in Network > Wireless. Click the edit button and then go to the Wireless Security tab to change the password.

To set a router password go to System > Administration