For years I had OpenVPN running on a router running DD-WRT, which was connected to a PPPoE modem, using AirVPN.

Now my ISP (BT) is forcing me to use their own router, as phone calls are now set to VoIP.

I have set the ISP router with a fixed IP of 192.168.1.254, and a DMZ of 192.168.1.2.

The OpenVPN router is set with a fixed IP of 192.168.1.2, Gateway 192.168.1.254 and DNS of 10.4.0.1.

The LAN port of the ISP router is connected to the WAN port of the OpenVPN router.

However, the OpenVPN router can't establish a VPN connection, stating that the AirVPN server can't be resolved.

All OpenVPN settings on the router are the same as before, except I have changed the WAN settings from PPPoE to Static IP, the router IP was changed from 192.168.1.1 to 192.168.0.1, and the ongoing DNS was changed from 192.168.1.x to 192.168.0.1.

I'd be grateful for any help.

I'm going to assume here that you are using a modern dd-wrt build and not some legacy thing. OpenVPN in dd-wrt has improved a lot in recent years, especially security-wise, so it matters.

In any case, your fundamental problem is that at the time you are trying to resolve the AirVPN server address, shortly after boot, you have no DNS service yet, because you have set it to use the 10.4.0.1 DNS IP provided by Air. You can't use Air to provide an IP needed to connect to Air! As long as you solve the boot-time issue, you should not need to use 10.4.0.1 explicitly at all (except as a placeholder to make the static-IP WAN setup complete), because the OpenVPN in (a modern) dd-wrt will automatically add the Air server IP to the top of the list of DNS servers as soon as the tunnel is up.

What I do in my router to solve the boot-time issue with OpenVPN is to add this to the "Additional Options" window in the DNSmasq section of GUI>Services>Services:

     server=/airservers.org/airdns.org/1.1.1.2

To fully understand such extra dnsmasq commands, see the dnsmasq man page published online by thekelleys.org.uk, the dnsmasq creators. This particular command specifies that all *.airservers.org and *.airdns.org names, and only those, are looked up at Cloudflare's 1.1.1.2 malware-screened DNS server. You can use 1.1.1.1 or 9.9.9.9 (excellent option) or another personal favourite DNS-server IP here. The point is that the DNS server you specify here is one available before the OpenVPN tunnel is up. While these lookups will not be hidden inside the tunnel, it matters little privacy-wise, as your ISP can see you are connecting to a particular Air server anyway.
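
An added example, not from the post above and not dd-wrt's or dnsmasq's own code: it models the longest-suffix matching that dnsmasq applies to server=/domain/.../ip lines, so you can see which upstream a given query name would be sent to, and then checks whether that upstream is reachable before the tunnel exists. The assumption baked in is that anything in 10.4.0.0/16 (where Air's 10.4.0.1 lives) is only reachable inside the tunnel; the query names are the ones mentioned in this thread.

```python
"""Which upstream does a dnsmasq server= line send a name to, and is it
reachable at boot?  Added illustration, not dnsmasq's code."""
import ipaddress

# Constructed config: the poster's "Additional Options" line plus an
# unscoped server= line standing in for the Air DNS that is set as the
# main DNS server (unreachable until the tunnel is up).
DNSMASQ_OPTIONS = """
server=/airservers.org/airdns.org/1.1.1.2
server=10.4.0.1
"""

# Assumption: addresses in this range only exist inside the Air tunnel.
TUNNEL_ONLY = ipaddress.ip_network("10.4.0.0/16")


def parse_server_lines(text):
    """Return (domain_suffix_or_None, upstream_ip) pairs from server= lines.

    "server=/a/b/ip" scopes ip to a, b and their subdomains;
    "server=ip" is an unscoped default upstream.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("server="):
            continue
        value = line[len("server="):]
        if value.startswith("/"):
            parts = value.split("/")        # "/a/b/ip" -> ['', 'a', 'b', 'ip']
            upstream = parts[-1]
            for dom in parts[1:-1]:
                rules.append((dom.lower().strip("."), upstream))
        else:
            rules.append((None, value))
    return rules


def upstream_for(name, rules):
    """Pick the upstream the way dnsmasq does: the most specific (longest)
    matching domain suffix wins; unscoped server= lines are the fallback."""
    name = name.rstrip(".").lower()
    best = None
    for dom, upstream in rules:
        if dom is None:
            continue
        if name == dom or name.endswith("." + dom):
            if best is None or len(dom) > len(best[0]):
                best = (dom, upstream)
    if best is not None:
        return best[1]
    defaults = [u for d, u in rules if d is None]
    return defaults[0] if defaults else None


def resolvable_before_tunnel(name, rules):
    """True if the chosen upstream is outside the tunnel-only range, i.e.
    the name can be looked up while the VPN is still down."""
    up = upstream_for(name, rules)
    return up is not None and ipaddress.ip_address(up) not in TUNNEL_ONLY


if __name__ == "__main__":
    rules = parse_server_lines(DNSMASQ_OPTIONS)
    for n in ("nl3.vpn.airdns.org", "foo.airservers.org", "example.com"):
        print(n, "->", upstream_for(n, rules),
              "boot-ok" if resolvable_before_tunnel(n, rules) else "needs tunnel")
```

The Air server names resolve via 1.1.1.2 and are fine at boot; anything else falls through to 10.4.0.1 and waits for the tunnel, which is exactly the split the post describes.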
 

Thanks, I'll give this a go. I am using the latest DD-WRT version for my router, a Netgear R7800.

I assume that I need to specify 1.1.1.2 in lieu of 10.4.0.1 in the router settings, in addition to adding server=/airservers.org/airdns.org/1.1.1.2.

 

I've tried your suggestion, and OpenVPN still can't resolve the AirVPN server?

In the DNS section of the OpenVPN router I have tried 0.0.0.0 (i.e. blank), 192.168.1.254 (IP Address of ISP router), 1.1.1.2 and 8.8.8.8

There appears to be no traffic through the WAN port of the OpenVPN router

My ISP router can see the OpenVPN router and states CONNECTED

 

Does your setup work when you disable the OpenVPN client? Best get that working first. It's never best to try lots of new stuff at once if you can avoid it.

And what "Remote IP" are you using in the OpenVPN setup? Is it a name that exists in the public DNS system, like foo.airservers.org for entry 1 of (hypothetical) server foo or nl3.vpn.airdns.org for the NL country option? Or is it one that does not exist in the DNS system, like foo3.airservers.org (an error I have made in the past)? Can you resolve your remote name using dig (linux) or nslookup (dd-wrt or windows)? I certainly don't mean to be insulting, but I'm grasping at straws with the limited visibility into things one has at a distance!

If you specify 1.1.1.2 (or 8.8.8.8 or whatever) as the main DNS setting in Basic Settings, you shouldn't need the special server= option at all, because you should be using 1.1.1.2 all the time.

I have to admit that I'm not really familiar with the static-IP WAN setup in dd-wrt, having always used the "Automatic Configuration - DHCP" option myself. Are you certain your ISP equipment is OK with your static setup? Have you tried the DHCP setup (which moves the DNS settings further down the page)? I'm not sure in that case how to properly handle the DMZ, but then I'm not clear on why you even need/want a DMZ in the first place. Most setups don't need this, especially if the DMZ'ed router is exclusively for VPN use. Is this for some small speed gain in the ISP equipment by bypassing its firewall? Your speed is likely to be sufficiently limited by OpenVPN in the R7800 that a DMZ wouldn't matter.

So maybe the simplest experiment is a DHCP WAN with no DMZ, with a DNS server like 8.8.8.8 or 1.1.1.1 or 1.1.1.2 as Static DNS 1, with your 192.168.0.1/24 as Local IP Address in the little Router IP section (with Gateway and Local DNS there left at the default 0.0.0.0) and of course "Use dnsmasq for DNS" checked.  Get that working without VPN (boot the ISP equipment several minutes before powering on the R7800), then enable the VPN and see where things are.  IF that works, try replacing the Static DNS 1 with 10.4.0.1 and adding the special server= line.

I'm leaning back on my skis a bit here (and as all skiers know, that's a good way to land on your rear end), as I've always used PBR (policy based routing) with my OpenVPN setups and have zero experience with OpenVPN instead covering all router traffic.  There might be important subtleties of setup that I'd know nothing about, so if anyone does have a clue, do speak up.

I've set WAN as DHCP Automatic, and OpenVPN now connects OK + I can now access the internet from this router

I have also removed the DMZ from my ISP router too

However, if I search for my IP using a laptop connected to the OpenVPN router, it's the ISP IP and not the AirVPN one.

I tried putting 10.4.0.1 as the LAN DNS, but this has no effect?

I've tried adding in your server line but this also has no effect
 

I managed to fix it: the OpenVPN server has outgoing DHCP from 192.168.0.100.

I set a policy based rule of 192.168.0.100/24 and now traffic is being routed via the AirVPN.

There's some question as to whether it's really OK in dd-wrt to include the router's own IP in the (source) PBR spec.  When I started with OpenVPN in 2019, it was definitely NOT OK, but I'm not sure how much has changed since then.

What I do is start DHCP at 192.168.0.128 with a maximum of 64 leases. Then in the VPN setup I specify a source PBR range of 192.168.0.128/26 so that it includes exactly those 64 IP addresses that can be assigned by DHCP. (I was careful to not include the .0 or .1 or .255 addresses.) If I want static IPs for any of my devices, I assign them IPs like 192.168.0.X with 1 < X < 128. If I want that static IP to be routed through the VPN, I add it to the PBR spec (separate line). If I want it to bypass the VPN (perhaps a TV that will do streaming from services that do not permit VPNs), I leave it out of the PBR spec.

The whole point of PBR is to be able to route some clients' traffic through the VPN while allowing other clients' traffic onto the internet directly.

Anyway, I'm very glad to hear that you made real progress and have something going that seems to work for you.  Good luck to you.
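
An added example, not the poster's own code and not anything from dd-wrt: it turns a DHCP pool (start address plus lease count) into the CIDR block(s) a PBR source spec needs, and checks a candidate spec for the pitfalls the post above describes, namely the router's own IP, the .0 and .255 addresses, and a spec such as 192.168.0.100/24 that silently means the whole subnet. The addresses are the ones used in this thread; the LAN is assumed to be 192.168.0.0/24 with the router at 192.168.0.1.

```python
"""Derive and sanity-check a dd-wrt PBR source range against a DHCP pool.
Added illustration; uses only the standard library."""
import ipaddress


def pool_cidrs(start, count):
    """Smallest list of CIDR blocks covering exactly `count` addresses
    starting at `start` (a pool of 64 from .128 collapses to one /26)."""
    first = ipaddress.ip_address(start)
    last = first + (count - 1)
    return [str(n) for n in ipaddress.summarize_address_range(first, last)]


def check_pbr_range(pbr_cidr, router_ip, lan_cidr):
    """Return a list of problems with a PBR source spec (empty means OK).

    strict=False mirrors a router accepting host bits in the spec, which is
    how "192.168.0.100/24" quietly becomes "192.168.0.0/24".
    """
    net = ipaddress.ip_network(pbr_cidr, strict=False)
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    problems = []
    if str(net) != pbr_cidr:
        problems.append("spec %s really means %s" % (pbr_cidr, net))
    if ipaddress.ip_address(router_ip) in net:
        problems.append("includes router IP %s" % router_ip)
    if lan.network_address in net:
        problems.append("includes network address %s" % lan.network_address)
    if lan.broadcast_address in net:
        problems.append("includes broadcast address %s" % lan.broadcast_address)
    if not net.subnet_of(lan):
        problems.append("%s is not inside the LAN %s" % (net, lan))
    return problems


def pbr_spec_for_pool(start, count, router_ip, lan_cidr):
    """Build the PBR lines for a pool and verify each one; returns
    (lines, problems) so a bad pool is caught before it is pasted in."""
    lines = pool_cidrs(start, count)
    problems = []
    for line in lines:
        problems.extend(check_pbr_range(line, router_ip, lan_cidr))
    return lines, problems


if __name__ == "__main__":
    # The post's recommended layout: 64 leases from .128 -> one /26.
    print(pbr_spec_for_pool("192.168.0.128", 64, "192.168.0.1", "192.168.0.0/24"))
    # The earlier "192.168.0.100/24" spec: covers the whole subnet.
    print(check_pbr_range("192.168.0.100/24", "192.168.0.1", "192.168.0.0/24"))
```

A pool that does not start on a power-of-two boundary (say 50 leases from .100) comes back as several blocks, one PBR line each, which is the separate-line approach the post uses for static IPs.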
