Allow only VPN & LAN network for client

new script

new_up
#!/bin/sh
#
############################
# route_up script          #
############################
# add static AirVPN routes #
############################
#
# this script adds static routes that route specific clients through AirVPN

# define clients
client_1=xx.xx.xx.249

# get tun interface config
tun_dev=$1
tun_mtu=$2
link_mtu=$3
ifconfig_local_ip=$4
ifconfig_remote_ip=$5

# add routes
# client_1
echo "Routing client $client_1 traffic through AirVPN"
ip rule add from $client_1 priority 10 table airvpn
ip route add default via $ifconfig_remote_ip dev $tun_dev table airvpn
ip route flush cache
root@OPENWRT-ROUTER:/etc/openvpn/client/airvpn# ./route_airvpn_up.sh
Routing client xx.xx.xx.249 traffic trough AirVPN
RTNETLINK answers: File exists
Error: any valid address is expected rather than "dev".

If the rule exists then you should not add it again.
Run the commands manually to verify what works and what needs to be fixed.
I would also print all those variables to verify that the correct arguments are passed to the ip commands.

I got it working now!
Used some commands from my old thread where I tried to bind transmission (running on OpenWrt) to my vpn. Bind Transmission to VPN using VPN Policy-Based Routing

The problem was that the environmental variables can, of course, not be called from outside the openvpn instance, as they get passed over to the script.
So I added another line which needs to be used if one wants to call the script manually to see if it is working. It is also possible to always read the gateway address from ifconfig of dev_tun, but I prefer to use the environmental variables.

route_up.sh
#!/bin/sh
#
############################
# route_up script          #
############################
# add static AirVPN routes #
############################
#
# this script adds static routes that route specific clients through AirVPN

# get tun interface config
tun_dev=tun_airvpn

# read gateway from ifconfig, e.g. when manually calling the script
# gateway=`ifconfig | grep -A 5 "tun_airvpn" | grep "inet addr:" | cut -d: -f2 | awk '{ print $1}'`

# get gateway from OpenVPN environmental variables
gateway=${ifconfig_local}

# define clients
client_1=xx.xx.xx.249

# add routes
# client_1
echo "Routing client $client_1 traffic through AirVPN"
ip rule add from $client_1 priority 10 table airvpn
ip route add $client_1 dev $tun_dev table airvpn
ip route add default via $gateway dev $tun_dev table airvpn
ip route flush cache
route_down.sh
#!/bin/sh
#
###############################
# route_down script           #
###############################
# remove static AirVPN routes #
###############################
#
# this script removes static routes that route specific clients through AirVPN

# get tun interface config
tun_dev=tun_airvpn

# read gateway from ifconfig, e.g. when manually calling the script
# gateway=`ifconfig | grep -A 5 "tun_airvpn" | grep "inet addr:" | cut -d: -f2 | awk '{ print $1}'`

# get gateway from OpenVPN environmental variables
gateway=${ifconfig_local}

# define clients
client_1=xx.xx.xx.249

# remove routes
# client_1
echo "Delete client $client_1 traffic routing through AirVPN"
ip rule del from $client_1 priority 10 table airvpn
ip route del $client_1 dev $tun_dev table airvpn
ip route del default via $gateway dev $tun_dev table airvpn
ip route flush cache

Are there any lines that I can remove which are unnecessary?

# add routes
ip rule add from $client_1 priority 10 table airvpn
ip route add $client_1 dev $tun_dev table airvpn
ip route add default via $gateway dev $tun_dev table airvpn
ip route flush cache

# remove routes
ip rule del from $client_1 priority 10 table airvpn
ip route del $client_1 dev $tun_dev table airvpn
ip route del default via $gateway dev $tun_dev table airvpn
ip route flush cache

EDIT:
I just noticed that with these rules I am unable to access the webserver (pyload, qbittorrent) running on the client from my WireGuard network. With VPBR it is working.

What I meant is to add an echo "client_1: $client_1 , tun_dev: $tun_dev" etc. line in the script to print out the variables.

Then better use VPN-PBR.

Of course I could, but I guess there is just one static route missing.

The last time I checked from remote while being connected to my home network via WireGuard.
This time I checked it directly from my LAN network. With my static rules I can still access the web interfaces from my LAN, but not from remote.
So I guess I just need another route from the WireGuard network to the .249 host.

You need a route to the lan subnet via the lan interface.

How would this rule look? Wouldn't I need a rule from my host to the WireGuard network?
Sorry, but I am not that familiar with routing tables.

The host I am trying to reach has xx.xx.54.249
My LAN has xx.xx.54.0
From remote I connect via WireGuard and the clients get IPs in the xx.xx.56.0 network

I already explained to you that you need a route for the lan subnet (the x.x.54.0/24 as you mentioned) via the lan interface.


I finally got everything working!
The thing that was missing was a static rule to my WireGuard "server" subnet via the WireGuard interface which sustains access to the web interfaces (running on the vpn enabled client).

route_up.sh
#!/bin/sh
#
#############################
# route_up script           #
#############################
# add static OpenVPN routes #
#############################
#
# this script enables routing specific clients through OpenVPN

# vpn config
vpn_provider=AirVPN
vpn_interface=tun_airvpn
vpn_table_priority=10
vpn_table=airvpn

# read vpn gateway from ifconfig, necessary when manually calling the script
vpn_gateway=`ifconfig | grep -A 5 "$vpn_interface" | grep "inet addr:" | cut -d: -f2 | awk '{ print $1}'`

# get vpn gateway from OpenVPN environmental variables
#vpn_gateway=${ifconfig_local}

# remote access
remote_interface=wg_server
remote_subnet=xx.xx.56.0/24

# OpenVPN enabled clients
client_1=xx.xx.54.249

# add routes
# client_1
echo "Routing client $client_1 through $vpn_provider"
ip rule add from $client_1 priority $vpn_table_priority table $vpn_table
ip route add $client_1 dev $vpn_interface table $vpn_table
ip route add default via $vpn_gateway dev $vpn_interface table $vpn_table
echo "Sustain remote access to client $client_1 during connection to $vpn_provider"
ip route add $remote_subnet dev $remote_interface table $vpn_table
echo "Flushing previous routing table"
ip route flush cache
route_down.sh
#!/bin/sh
#
################################
# route_down script            #
################################
# remove static OpenVPN routes #
################################
#
# this script disables routing specific clients through OpenVPN

# vpn config
vpn_provider=AirVPN
vpn_interface=tun_airvpn
vpn_table_priority=10
vpn_table=airvpn

# read vpn gateway from ifconfig, necessary when manually calling the script
vpn_gateway=`ifconfig | grep -A 5 "$vpn_interface" | grep "inet addr:" | cut -d: -f2 | awk '{ print $1}'`

# get vpn gateway from OpenVPN environmental variables
#vpn_gateway=${ifconfig_local}

# remote access
remote_interface=wg_server
remote_subnet=xx.xx.56.0/24

# OpenVPN enabled clients
client_1=xx.xx.54.249

# remove routes
# client_1
echo "Stop routing client $client_1 through $vpn_provider"
ip rule del from $client_1 priority $vpn_table_priority table $vpn_table
ip route del $client_1 dev $vpn_interface table $vpn_table
ip route del default via $vpn_gateway dev $vpn_interface table $vpn_table
echo "Remove remote access to client $client_1 during connection to $vpn_provider"
ip route del $remote_subnet dev $remote_interface table $vpn_table
echo "Flushing previous routing table"
ip route flush cache

Thank you very much @trendy for all your hints and solutions !!!
One last thing I need to annoy you with... Could you verify that these rules don't harm any other clients in my main network?
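Added example, not one of the scripts posted in this thread: a POSIX sh helper that makes the route_up logic above idempotent (trendy's point that an existing rule must not be added a second time, which is the "RTNETLINK answers: File exists" error) and that refuses to run with an empty gateway, which is what produced the 'any valid address is expected rather than "dev"' error when the script was run by hand. On the last question: the `ip rule ... from <client>` selector is what limits the airvpn table to that single source address, so every other host keeps using the main table. As a caveat the example also adds an `unreachable` fallback default route to the VPN table, so that when tun_airvpn disappears the client's traffic is dropped instead of silently falling back to the main table and the WAN. Interface names, the table name and the 192.0.2.x addresses are constructed placeholders; the table is assumed to exist in /etc/iproute2/rt_tables as in the thread's scripts, and `ip route flush cache` is left out because the kernel has had no route cache to flush since Linux 3.6.

```shell
#!/bin/sh
# Added example (not part of the thread). Idempotent route-up helper for the
# per-client policy routing discussed above. Names/addresses are placeholders.

# run: execute the ip command, or only print it when DRY_RUN=1 so the command
# list can be reviewed without root (the "run the commands manually" check).
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# rule_exists CLIENT PRIORITY TABLE RULES
# RULES is the text of 'ip rule show' (lines look like "10: from A lookup T").
# Returns 0 when the client's rule is already installed.
rule_exists() {
    printf '%s\n' "$4" | grep -q "^$2:[[:space:]]*from $1 lookup $3\$"
}

# ensure_client_routes CLIENT VPN_IF VPN_GW TABLE PRIORITY REMOTE_SUBNET REMOTE_IF RULES
# Installs (or prints, with DRY_RUN=1) the route set for one client.
ensure_client_routes() {
    client=$1 vpn_if=$2 vpn_gw=$3 table=$4 prio=$5 remote_subnet=$6 remote_if=$7 rules=$8

    # An empty gateway would turn "default via  dev tun" into an ip syntax
    # error; fail early instead of installing half of the route set.
    if [ -z "$vpn_gw" ]; then
        echo "ensure_client_routes: VPN gateway is empty, refusing to add routes" >&2
        return 1
    fi

    if rule_exists "$client" "$prio" "$table" "$rules"; then
        echo "rule for $client already present, not adding it again" >&2
    else
        run ip rule add from "$client" priority "$prio" table "$table"
    fi
    # 'replace' is idempotent: a second run updates instead of failing
    run ip route replace "$client" dev "$vpn_if" table "$table"
    run ip route replace default via "$vpn_gw" dev "$vpn_if" table "$table"
    # keep the WireGuard-side access to the client (the route the thread was missing)
    run ip route replace "$remote_subnet" dev "$remote_if" table "$table"
    # fallback with a worse metric: only used once the tunnel default route is
    # gone, so the client is cut off rather than leaking via the main table
    run ip route replace unreachable default metric 1000 table "$table"
}

# route_up_main: what an OpenVPN route-up invocation would call. ifconfig_local
# is OpenVPN's environment variable (used as gateway in the thread's scripts);
# the 'ip addr' lookup is the fallback when the script is run by hand.
route_up_main() {
    vpn_if=tun_airvpn   # placeholder, as are the addresses below
    gw=${ifconfig_local:-$(ip -4 -o addr show dev "$vpn_if" | awk '{print $4}' | cut -d/ -f1)}
    ensure_client_routes 192.0.2.249 "$vpn_if" "$gw" airvpn 10 192.0.2.0/24 wg_server "$(ip rule show)"
}

# Only act when explicitly asked (e.g. OpenVPN route-up "/path/route_up.sh apply");
# sourcing the file or running it without the argument just defines the functions.
if [ "${1:-}" = "apply" ]; then
    route_up_main
fi
```

Run it once with `DRY_RUN=1 ./route_up.sh apply` to see exactly which `ip` commands would be issued before letting OpenVPN call it; the matching route_down only needs to delete the rule, since a table that nothing refers to is harmless, and the unreachable route can stay in place for the next connection.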
