I set up Proxmox on my home server to virtualize my OpenWrt installation and some Linux clients.
One of those Linux clients will act as a download VM, which should only be allowed to...
access the NAS in my LAN, hosted on the OpenWrt VM ==> WORKING
get internet access via OpenVPN, running on the OpenWrt VM
block WAN access ==> WORKING
3. To block WAN access I created the following rule
block-wan
config rule
	option name 'Block-Download-VM-WAN'
	list proto 'all'
	option src 'lan'
	list src_mac 'XX:XX:XX:XX:XX:XX'
	option dest 'wan'
	option target 'REJECT'
Which is working perfectly fine!
Is there anything else I could do to make sure the download-vm is unable to ever access the WAN interface?
2. route client via VPN
The OpenVPN instance has option route_nopull '1' in its config, because I only want specific clients to use the VPN.
To route the download-vm through the VPN I use @stangri's vpn-pbr package.
config policy
	option name 'download-vm'
	option src_addr 'ho.me.ip.client'
	option proto 'all'
	option interface 'vpn'
The package works very well!
But... for safety reasons and to minimize errors I would like to achieve this without the vpn-pbr package.
How can I do this?
But just out of interest, how would this script look?
I know there is a route_up option in openvpn, which I could use for this.
route_up
#!/bin/sh
#
################################
# route clients via tun_airvpn #
################################
# wait for the tun interface to be up
sleep 5
# get ip address of vpn interface
VPN_ADDR="${ifconfig_local}"
if [ -z "${VPN_ADDR}" ]
then
VPN_ADDR="127.0.0.1"
fi
# add static route for clients
?????????
How do I add a static route?
Also which settings in /etc/network would be obsolete then?
The route, the rule or both?
I created a route up and down script based on the guide above...
But it doesn't seem to work.
Running it via console gives this output.
root@OPENWRT-ROUTER:/etc/openvpn/client/airvpn# ./route_airvpn_up.sh
Routing client xx.xx.xx.249 traffic trough AirVPN
RTNETLINK answers: File exists
Error: either "to" is duplicate, or "airvpn" is a garbage.
Error: any valid address is expected rather than "dev".
up
#!/bin/sh
#
############################
# route_up script          #
############################
# add static AirVPN routes #
############################
#
# this script adds static routes that route specific clients through AirVPN
# define clients
client_1=xx.xx.xx.249
# get tun interface config (OpenVPN passes these as positional arguments to route-up scripts)
tun_dev="$1"
tun_mtu="$2"
link_mtu="$3"
ifconfig_local_ip="$4"
ifconfig_remote_ip="$5"
# refuse to run with empty arguments: "ip route add default via  dev  table airvpn"
# is exactly the command that produces the parse errors shown above
if [ -z "$tun_dev" ] || [ -z "$ifconfig_remote_ip" ]; then
	echo "usage: $0 tun_dev tun_mtu link_mtu ifconfig_local_ip ifconfig_remote_ip" >&2
	exit 1
fi
# add routes (the table name "airvpn" must exist in /etc/iproute2/rt_tables)
# client_1
echo "Routing client $client_1 traffic trough AirVPN"
ip rule add from "$client_1" priority 10 table airvpn
ip route add "$client_1" dev "$tun_dev" table airvpn
ip route add default via "$ifconfig_remote_ip" dev "$tun_dev" table airvpn
ip route flush cache
down
#!/bin/sh
#
###############################
# route_down script           #
###############################
# remove static AirVPN routes #
###############################
#
# this script removes static routes that route specific clients through AirVPN
# define clients
client_1=xx.xx.xx.249
# get tun interface config (OpenVPN passes these as positional arguments to route-down scripts)
tun_dev="$1"
tun_mtu="$2"
link_mtu="$3"
ifconfig_local_ip="$4"
ifconfig_remote_ip="$5"
# refuse to run with empty arguments, for the same reason as in the up script
if [ -z "$tun_dev" ] || [ -z "$ifconfig_remote_ip" ]; then
	echo "usage: $0 tun_dev tun_mtu link_mtu ifconfig_local_ip ifconfig_remote_ip" >&2
	exit 1
fi
# remove routes
# client_1
echo "Delete client $client_1 traffic routing through AirVPN"
ip rule del from "$client_1" priority 10 table airvpn
ip route del "$client_1" dev "$tun_dev" table airvpn
ip route del default via "$ifconfig_remote_ip" dev "$tun_dev" table airvpn
ip route flush cache
What you are trying to do is to route packets towards the lan host via the tunnel.
Unless you have other networks apart from lan on the router, there is no need for adding a route other than the default.
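The errors in the console run above come from invoking the script by hand: OpenVPN's positional arguments are then empty, so the router executed "ip route add xx.xx.xx.249 dev  table airvpn" and "ip route add default via  dev  table airvpn", which is what ip(8) complains about. The following is an added example, not the thread author's script or anything from the vpn-pbr package: a single route-up/route-down helper that resolves the tunnel device and gateway from OpenVPN's arguments or from the environment variables OpenVPN exports to scripts (dev, ifconfig_remote, route_vpn_gateway), refuses to run when they are empty, installs only the source rule plus a default route in the policy table (the point made in the reply), and can be re-run without "RTNETLINK answers: File exists". The table id 100, priority 10, the PBR_* variable names, the script name pbr-route.sh and the client address are my assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example (not the thread author's scripts): OpenVPN route-up/route-down
# helper for OpenWrt that sends selected LAN hosts through the tunnel.
# Assumed values (mine): table id 100, rule priority 10, PBR_* variable names,
# and the placeholder client address taken from the thread.

PBR_TABLE="${PBR_TABLE:-100}"              # numeric id: no /etc/iproute2/rt_tables entry needed
PBR_PRIO="${PBR_PRIO:-10}"
PBR_CLIENTS="${PBR_CLIENTS:-xx.xx.xx.249}" # space-separated LAN hosts to route through the VPN
PBR_DRY_RUN="${PBR_DRY_RUN:-0}"            # 1 = print the ip(8) commands instead of running them

# resolve_tun ARGS...: set tun_dev and tun_gw from OpenVPN's script arguments
# ($1 = device, $5 = remote/gateway address) or, failing that, from the
# environment OpenVPN exports (dev, ifconfig_remote, route_vpn_gateway).
# Run by hand with neither, the thread's scripts executed "ip route add default
# via  dev  table airvpn"; this function fails instead of emitting that.
resolve_tun() {
    tun_dev="${1:-$dev}"
    tun_gw="${5:-${ifconfig_remote:-$route_vpn_gateway}}"
    if [ -z "$tun_dev" ] || [ -z "$tun_gw" ]; then
        echo "resolve_tun: tunnel device or gateway unknown; run from OpenVPN or pass them" >&2
        return 1
    fi
}

# pbr_cmds ACTION CLIENTS TUN_DEV TUN_GW: print the ip(8) commands for ACTION
# (up|down), one per line. Generating text first keeps the policy readable and
# lets it be dry-run or tested without root.
pbr_cmds() {
    action="$1"; clients="$2"; dev_="$3"; gw="$4"
    for c in $clients; do
        # delete any stale copy first so a re-run cannot hit "RTNETLINK answers: File exists"
        printf 'ip rule del from %s priority %s table %s 2>/dev/null\n' "$c" "$PBR_PRIO" "$PBR_TABLE"
        if [ "$action" = up ]; then
            printf 'ip rule add from %s priority %s table %s\n' "$c" "$PBR_PRIO" "$PBR_TABLE"
        fi
    done
    if [ "$action" = up ]; then
        # the only route the table needs: everything via the tunnel peer ("replace" is idempotent)
        printf 'ip route replace default via %s dev %s table %s\n' "$gw" "$dev_" "$PBR_TABLE"
    else
        printf 'ip route flush table %s\n' "$PBR_TABLE"
    fi
    printf 'ip route flush cache\n'
}

# run_cmds: execute (or, in dry-run mode, echo) each command line read from stdin
run_cmds() {
    while IFS= read -r line; do
        if [ "$PBR_DRY_RUN" = 1 ]; then
            echo "$line"
        else
            sh -c "$line" || echo "failed: $line" >&2
        fi
    done
}

# Entry point: install the same file as route-up and route-pre-down in the
# OpenVPN config and set PBR_ACTION=down for the latter (assumed variable name).
# The guard keeps main from running when the file is sourced, e.g. by a test.
main() {
    resolve_tun "$@" || exit 1
    pbr_cmds "${PBR_ACTION:-up}" "$PBR_CLIENTS" "$tun_dev" "$tun_gw" | run_cmds
}
case "$0" in */pbr-route.sh|pbr-route.sh) main "$@" ;; esac
```

Dry-run it from a shell with PBR_DRY_RUN=1 ./pbr-route.sh tun0 1500 1500 10.8.0.2 10.8.0.1 to see the exact rule and route it would install before handing it to OpenVPN; without arguments it exits with a message rather than adding half-formed routes.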