Hello everyone,
I am using an OpenWRT router (Netgear R7800 - OpenWrt 23.05.5 r24106-10cc5fcd00) configured as an Access Point in my network. Here's an overview of my setup:
- The router primarily acts as a "dumb AP" for the lan zone.
- It connects to a VPN service using OpenVPN, creating a zone called wan_vpn (with masquerading enabled).
- There's an additional zone, vpn, dedicated to the guest Wi-Fi network, which forwards traffic to wan_vpn.
Simplified, it looks like this:
Now, here’s my challenge:
I want to allow devices in the Guest LAN (vpn zone) to access one specific server in my lan zone, located at 192.168.0.6 on port 8096.
I assumed this could be done by creating a traffic rule in LuCI to allow forwarding from the vpn zone to the IP 192.168.0.6:8096 in the lan zone. However, I can't seem to get it working.
Does anyone have experience with a similar setup or know what I might be missing? Any help would be greatly appreciated!
Thanks in advance!
edit:
I have some doubts that the return traffic can pass, because I assume that on the FritzBox there is no rule that redirects the traffic of the network 192.168.41.0/24 to the router 192.168.0.5.
ps: I assume you will need to create a static route on fritzbox
see this example taken from the internet:
change the following rule and relaunch the firewall
it should work... (to forward traffic from 192.168.41.0/24 to 192.168.0.6)
config rule
	option name 'Allow_Jellyfin_from_guest_net_to_8096_port'
	option src 'vpn'
	option dest 'lan'
	option target 'ACCEPT'
	list dest_ip '192.168.0.6'
	option family 'ipv4'
	option dest_port '8096'
	list proto 'tcp'
	list proto 'udp'
A tip: also create a rule for ICMP traffic (to test connectivity):
config rule
	option name 'Allow_ping_from_guest_to_lan'
	option family 'ipv4'
	list proto 'icmp'
	list icmp_type 'echo-request'
	option src 'vpn'
	option target 'ACCEPT'
	option dest 'lan'
service firewall reload
before proceeding with the following procedure I invite you to read this so that you can consciously choose what you want ...
https://openwrt.org/docs/guide-user/network/switch_router_gateway_and_nat
ps: unless you plan to enable VPN zone masking, be careful: by doing this, all the hosts on the VPN network would have full access to everything, as they would be masked as coming from 192.168.0.5
config zone
	option log '1'
	option name 'vpn'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'vpn'
	option masq '1'
Hi ncompact,
thanks for your fast and detailed reply.
At first I thought: "Damn, AM I STUPID! Of course I am missing the static route in the main lan-router for passing back the traffic into the 192.168.41.0/24 network".
But after adding that route and writing the rules as you suggested: "nothing" changed.
But now, with your ICMP rule, I could see that a tracepath to 192.168.0.6 goes to 192.168.41.1 and then to 10.12.5.0 (wan_vpn).
So the interface vpn (192.168.41.1) is not able to reach 192.168.0.0/24, even though the routing table of the OpenWrt box looks like this:
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.0.1     0.0.0.0         UG    0      0        0 br-lan
10.12.5.0       0.0.0.0         255.255.255.0   U     0      0        0 tun0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 br-lan
192.168.41.0    0.0.0.0         255.255.255.0   U     0      0        0 bridge-vpn
Only to be sure about your masquerading-paragraph: that's a different approach instead of plain routing between the networks, isn't it?
did you do the tracepath from a host on the VPN network 192.168.41.x or on the OpenWrt router?
masking and routing are two similar but different things
usually masking is used when you have reliable and secure network segments where even if the traffic is masked there can be no security holes ...
routing between different segments is allowed or prohibited if there can be security holes or you want to have the possibility of preventing or allowing the transit of packets from different networks
the choice is yours
Ah, okay. So we'll stick to the routing approach.
To your question:
I did the tracepath from a Linux client in the VPN network (the guest Wi-Fi).
I assume you have OpenVPN installed on the OpenWrt router; you have the option to stop it and try again...
That's it. If it's stopped 192.168.0.6:8096 is reachable from the vpn-network.
But that leads to the next problem. The OpenVPN connection is essential for this network, as it is the gateway for it... Hmm, why, btw... where is that configured?
Guess I have to look into the OpenVPN config. Any general idea?
I assume so ...
but unfortunately my time zone is different and for me it's time to go to sleep
in the meantime, can you tell me which guide you used to create a VPN connection:
https://openwrt.org/docs/guide-user/services/vpn/openvpn/client
https://openwrt.org/docs/guide-user/services/vpn/openvpn/server
or something else?
Nevermind... you gave me a ton of hints... Thanks for that!
I used something different. But I just saw... the OpenVPN script calls this on start/stop:
#!/usr/bin/env sh
# OpenVPN route-up / route-pre-down hook: install or remove the default route
# in the dedicated "vpn" routing table. $script_type, $route_vpn_gateway and
# $dev are environment variables that OpenVPN sets for the hook.
table=vpn
if [ "$script_type" = "route-up" ]; then
	ip route add default via "$route_vpn_gateway" dev "$dev" table "$table" proto static
elif [ "$script_type" = "route-pre-down" ]; then
	ip route del default via "$route_vpn_gateway" dev "$dev" table "$table" proto static
fi
Have a good sleep!
I'll think about it tomorrow...
The solution seems to be to add two IPv4 Routing Rules:
1: from 192.168.0.0/24 lookup main
2: from 192.168.41.0/24 lookup main
which forces the use of the main routing table and thereby prevents packets from being routed by the default route (set in the vpn table by the OpenVPN script).
Does that sound reasonable? Or am I making a huge mistake?
I also found a script which is invoked when interface 'vpn' is started/stopped:
root@OpenWrt:~# cat /etc/hotplug.d/iface/99-vpn
#!/usr/bin/env sh
# Hotplug hook: when logical interface "vpn" comes up, send every packet that
# arrives on its device to routing table "vpn"; remove that rule again on ifdown.
# $INTERFACE, $DEVICE and $ACTION are set by the OpenWrt hotplug mechanism.
if=vpn
dev=$DEVICE
table=$INTERFACE
# Resolve the device behind a logical interface; falls back to br-<name> when
# the interface lists more than one port. Note: 'ifname' is the pre-21.02
# option name; on 23.05 the bridge is a 'config device' entry whose name
# (bridge-vpn, per the routing table above) need not equal br-vpn, so check
# that the ifdown branch really deletes the rule the ifup branch added.
if2dev() {
	dev=$(uci get network.$1.ifname)
	[ $(echo $dev | wc -w) -gt 1 ] && dev=br-$1
	echo $dev
}
if [ "$INTERFACE" = "$if" ]; then
	if [ "$ACTION" = "ifup" ]; then
		ip rule add iif "$dev" lookup "$table"
	elif [ "$ACTION" = "ifdown" ]; then
		# Workaround for missing $DEVICE when interface is going down
		dev=$(if2dev $if)
		ip rule del iif "$dev" lookup "$table"
	fi
fi
It also messes with rules. Still have to figure out what it does...
Ah okay... got it:
It forces all incoming packets on bridge-vpn to use the routing table vpn.
So my two higher-prioritized rules seem to be okay in my setup, I guess.
If anyone has a good reason for not doing it like this... please don't hesitate to comment.
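The thread's fix depends entirely on rule ordering: the two "from <prefix> lookup main" rules only help if their priority number is lower (evaluated earlier) than the "iif bridge-vpn lookup vpn" rule the hotplug script installs, otherwise guest packets keep going into tun0 exactly as the tracepath showed. The script below is an added example, not something posted in the thread or shipped by OpenWrt: it persists the two rules via the "config rule" section type of /etc/config/network (the UCI counterpart of ip rule) and then checks the order in the output of ip rule show. The section names lookup_main_N, the priorities 100 and 101, and the device name bridge-vpn (taken from the routing table above) are assumptions; the check parses the constructed sample output in the same format ip rule show prints. Once the rules are in place, forwarding between the guest and lan segments is again governed only by the firewall zones (forward REJECT plus the single ACCEPT rule for 192.168.0.6:8096), which is the point of preferring routing over masquerading here.

```shell
#!/bin/sh
# Added example, not from the thread: persist the two "lookup main" rules via
# UCI and check that they sort before the hotplug script's "iif ... lookup vpn"
# rule in `ip rule show`. Section names (lookup_main_N) and the priorities are
# assumptions; the "config rule" section type of /etc/config/network is real.

# Emit `uci batch` lines that create one "from <prefix> lookup main" rule per
# prefix, with priorities counting up from $1 so the order is deterministic.
lookup_main_batch() {
    base=$1; shift
    n=0
    for prefix in "$@"; do
        sec="lookup_main_$n"
        printf 'set network.%s=rule\n' "$sec"
        printf "set network.%s.src='%s'\n" "$sec" "$prefix"
        printf "set network.%s.lookup='main'\n" "$sec"
        printf "set network.%s.priority='%d'\n" "$sec" "$((base + n))"
        n=$((n + 1))
    done
}

# $1: text of `ip rule show`, $2: ingress device of the guest bridge,
# remaining args: prefixes that must hit table main first.
# Returns 0 when every prefix has a "lookup main" rule with a lower priority
# number than the "iif <dev> lookup vpn" rule, 1 when such a rule is missing
# or sorted after it, 2 when the vpn rule itself is absent (hook not run).
rules_ordered() {
    rules=$1; dev=$2; shift 2
    vpn_prio=$(printf '%s\n' "$rules" |
        awk -v d="$dev" '$2=="from" && $3=="all" && $4=="iif" && $5==d && $6=="lookup" && $7=="vpn" { sub(":", "", $1); print $1; exit }')
    [ -n "$vpn_prio" ] || return 2
    for prefix in "$@"; do
        prio=$(printf '%s\n' "$rules" |
            awk -v p="$prefix" '$2=="from" && $3==p && $4=="lookup" && $5=="main" { sub(":", "", $1); print $1; exit }')
        [ -n "$prio" ] || return 1
        [ "$prio" -lt "$vpn_prio" ] || return 1
    done
    return 0
}

# On the router: `sh this.sh apply` installs the rules, then verifies them.
if [ "${1:-}" = "apply" ]; then
    lookup_main_batch 100 192.168.0.0/24 192.168.41.0/24 | uci batch
    uci commit network
    /etc/init.d/network reload
    sleep 2
    if rules_ordered "$(ip rule show)" bridge-vpn 192.168.0.0/24 192.168.41.0/24; then
        echo "ok: LAN and guest prefixes consult table main before table vpn"
    else
        echo "rule order is wrong, inspect: ip rule show"
    fi
fi
```

Run it with the apply argument on the router itself; without an argument it only defines the two functions, so it can be sourced from another script. rules_ordered is the part worth keeping around: it is a quick check to run after any OpenVPN restart or interface hotplug, since either event can re-add the "iif bridge-vpn lookup vpn" rule and silently change which table wins.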