Add route for Wireguard connection over OpenVPN

Hello!
I need to set up two different VPN services, one on top of the other.
So here is how it should be:
openwrt->openvpn->wireguard->internet

Now I can easily achieve this by adding the two VPN interfaces and then editing the routes with a bash script:

#!/bin/sh
# Placeholders: <wireguard_server> is the WireGuard endpoint address,
# eth0.2 is the WAN device, openvpn_if / wireguard_if are the tunnel interfaces.

# Drop the host route to the WireGuard server that OpenWrt installs via WAN,
# and re-add it through the OpenVPN tunnel so the WireGuard handshake goes over OpenVPN.
ip route del <wireguard_server> dev eth0.2
ip route add <wireguard_server> dev openvpn_if

# Move the default route from the OpenVPN tunnel to the WireGuard tunnel.
ip route del 0.0.0.0/0 dev openvpn_if
ip route add 0.0.0.0/0 dev wireguard_if

So the script deletes the route that gets created automatically when OpenWrt tries to bring up the WireGuard interface and changes it to make the connection happen through OpenVPN. Then it changes the default route to WireGuard.
This actually works, but I would like to understand how to do it via LuCI or at least via /etc/config/network.

Thanks!

This is a bit complicated and doesn't roll back when a VPN goes down. Better to use the pbr package.

1 Like

Why? Seems overly complicated to run a VPN inside a VPN.

2 Likes

# WG_SERV holds the WireGuard server's public address; set it before running this.
# Appends two lines to the OpenVPN client config: ignore the server-pushed default
# route, and route the WireGuard server through the OpenVPN gateway.
cat << EOF >> /etc/openvpn/client.conf
pull-filter ignore redirect-gateway
route ${WG_SERV} 255.255.255.255 vpn_gateway
EOF

Also add a static route to the OVPN_SERV via ISP_GW:
https://openwrt.org/docs/guide-user/network/routes_configuration
And configure the default route via the WG interface.
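The same routing expressed as netifd static routes in /etc/config/network, as an added example that is not part of this thread and not taken from the OpenWrt wiki page linked above. Every address, key and interface name is a placeholder (assumption): 203.0.113.10 stands for OVPN_SERV, 198.51.100.20 for WG_SERV, 192.0.2.1 for ISP_GW, tun0 for the OpenVPN device and wg0 for the WireGuard interface. It assumes the OpenVPN client config already carries the `pull-filter ignore redirect-gateway` line from the reply above, so the server cannot push a competing default route.

```uci
# Added example, not from the thread. All values below are placeholders.
#   203.0.113.10  = OpenVPN server (OVPN_SERV)
#   198.51.100.20 = WireGuard server (WG_SERV)
#   192.0.2.1     = ISP gateway on wan (ISP_GW)

# OpenVPN's tun device is created by the openvpn package; netifd only names it
# here so that routes and firewall zones can refer to the interface 'ovpn'.
config interface 'ovpn'
	option proto 'none'
	option device 'tun0'

# Keep the OpenVPN session itself on the ISP path: host route to the
# OpenVPN server via the real upstream gateway.
config route 'ovpn_server'
	option interface 'wan'
	option target '203.0.113.10/32'
	option gateway '192.0.2.1'

# Send the WireGuard handshake and encrypted packets through the OpenVPN
# tunnel. tun0 is point-to-point, so no gateway is needed. This replaces the
# "ip route add <wireguard_server> dev openvpn_if" line of the script.
config route 'wg_server'
	option interface 'ovpn'
	option target '198.51.100.20/32'

# WireGuard client interface. route_allowed_ips makes netifd install the
# peer's allowed_ips (0.0.0.0/0) as routes via wg0, i.e. the default route
# now points into WireGuard.
config interface 'wg0'
	option proto 'wireguard'
	option private_key 'REPLACE_WITH_CLIENT_PRIVATE_KEY'
	list addresses '10.0.0.2/32'

config wireguard_wg0
	option public_key 'REPLACE_WITH_SERVER_PUBLIC_KEY'
	option endpoint_host '198.51.100.20'
	option endpoint_port '51820'
	option route_allowed_ips '1'
	option persistent_keepalive '25'
	list allowed_ips '0.0.0.0/0'
```

Because each `config route` is bound to an interface, netifd installs it when that interface comes up and withdraws it when the interface goes down, which is the rollback the hand-written script lacks. When OpenVPN exits, tun0 disappears, the 'ovpn' interface goes down and the host route to the WireGuard server is removed with it. Firewall zone assignment for 'ovpn' and 'wg0' is not shown here.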

Thanks for the suggestion, I installed the package and I'm trying with it. The Netflix exclusion script is also a very nice addition.

Currently, I'm having some issues, here's how I have configured the policies:

Name        Remote addresses    Interface
Tunnel      <openvpn gateway>   WAN
WG Gateway  <wg gateway>        TUNNEL
WG          0.0.0.0/0           WG

And then enabled the script:
/etc/vpn-policy-routing.netflix.user

But then I'm unable to reach the internet.

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
uci export network; uci export vpn-policy-routing; \
uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*

Should I do it without the routes set by my script or with it? And when policy based routing is enabled, right?

Without anything extra from you, just the vpn-pbr running.