Can't get Default Routing to work for OpenConnect

Hi!

Network: WAN<--->Router(192.168.0.1)<--->OpenWRT router(192.168.1.1)<-->User (192.168.1.219)
Goal: redirect all traffic from user 192.168.1.219 through Openconnect VPN

I can't get OpenConnect default routing to work correctly. I tried all possible tutorials I could find. Despite all my attempts, traffic from the client passes directly through the WAN interface, completely ignoring the OC VPN interface.

If I enable default routing for OpenConnect, then the OC interface connects to the remote VPN and establishes the connection; however, the RX counter is not increasing, only TX increases. Also, I can't ping from the router using the command

root@OpenWrt:~# ping -I vpn-oc0 google.com

If the default routing checkbox is unchecked, both TX and RX counters work and I can ping from the router through the OpenConnect interface:

root@OpenWrt:~# ping -I vpn-oc0 google.com
PING google.com (142.250.179.142): 56 data bytes
64 bytes from 142.250.179.142: seq=0 ttl=55 time=207.012 ms
64 bytes from 142.250.179.142: seq=1 ttl=55 time=206.295 ms 

Routing table (when default routing checkbox is unchecked):

root@OpenWrt:~# ip route
default via 192.168.0.1 dev eth0.2 proto static src 192.168.0.115 
10.10.10.0/24 dev vpn-oc0 proto static scope link 
192.168.0.0/24 dev eth0.2 proto kernel scope link src 192.168.0.115 
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1 

Any ideas on how to troubleshoot this issue and route all traffic through the OpenConnect VPN?

When default routing for a vpn interface is enabled, there should be a (usually automatically created) static route for the vpn server via the wan interface.

I believe in your case that route is missing, which breaks the connection. Try creating it manually.

uci add network route
uci set network.@route[-1].target='$OC_Server_IP'
uci set network.@route[-1].interface='wan'
uci set network.@route[-1].gateway='192.168.0.1'
uci commit network
service network restart
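The failure mode Pavel describes (default route on the tunnel, no host route for the VPN server, so the tunnel's own packets get routed back into the tunnel) can be checked mechanically from a pasted `ip route` table. The script below is an added example, not code from the thread or from OpenWrt: it parses the `ip route` text format, does a longest-prefix lookup for the server address, and reports whether the server is reached outside the tunnel. The two sample tables are the ones posted in this thread; the server address is redacted there, so `54.224.0.1` is a constructed placeholder.

```python
"""Check an `ip route` table for the VPN default-route pitfall.

Added example (not from the forum thread). When the default route points at
the tunnel device, the VPN server itself must still be reachable via the WAN
gateway, otherwise encrypted packets to the server are routed into the tunnel
and nothing ever comes back (TX grows, RX stays at zero).
"""
import ipaddress

VPN_SERVER = "54.224.0.1"   # constructed placeholder for the redacted 54.224.XX.XX
WAN_DEV = "eth0.2"
VPN_DEV = "vpn-oc0"

# Routing table from the thread with the host route missing.
ROUTES_BROKEN = """\
default dev vpn-oc0 scope link
10.10.10.0/24 dev vpn-oc0 scope link
192.168.0.0/24 dev eth0.2 scope link src 192.168.0.115
192.168.1.0/24 dev br-lan scope link src 192.168.1.1
"""

# Same table after the `uci add network route` fix.
ROUTES_FIXED = """\
default dev vpn-oc0 scope link
10.10.10.0/24 dev vpn-oc0 scope link
54.224.0.1 via 192.168.0.1 dev eth0.2
192.168.0.0/24 dev eth0.2 scope link src 192.168.0.115
192.168.1.0/24 dev br-lan scope link src 192.168.1.1
"""


def parse_routes(text):
    """Turn `ip route` output lines into dicts with dst (ip_network), dev, via."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        dst = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        route = {"dst": ipaddress.ip_network(dst, strict=False), "dev": None, "via": None}
        # `ip route` prints key/value pairs after the destination; keep the two we need.
        for key, val in zip(parts[1:], parts[2:]):
            if key in ("dev", "via"):
                route[key] = val
        routes.append(route)
    return routes


def lookup(routes, ip):
    """Longest-prefix match for one address, as the kernel does (metrics ignored)."""
    addr = ipaddress.ip_address(ip)
    matches = [r for r in routes if addr in r["dst"]]
    return max(matches, key=lambda r: r["dst"].prefixlen, default=None)


def check_vpn_routing(text, server_ip, wan_dev, vpn_dev):
    """Return (ok, message): is the VPN server reachable outside the tunnel?"""
    routes = parse_routes(text)
    default = next((r for r in routes if r["dst"].prefixlen == 0), None)
    if default is None or default["dev"] != vpn_dev:
        return True, "default route is not on the tunnel; no host route needed"
    hop = lookup(routes, server_ip)
    if hop is None or hop["dev"] == vpn_dev:
        return False, (f"default route uses {vpn_dev}, but {server_ip} would also be "
                       f"sent into the tunnel; add a host route via {wan_dev}")
    return True, f"{server_ip} is reached via {hop['dev']} (gateway {hop['via']})"


if __name__ == "__main__":
    for name, table in (("broken", ROUTES_BROKEN), ("fixed", ROUTES_FIXED)):
        ok, msg = check_vpn_routing(table, VPN_SERVER, WAN_DEV, VPN_DEV)
        print(f"{name}: {'OK' if ok else 'PROBLEM'} - {msg}")
```

Run it on a workstation against the output of `ip route` copied from the router; a `PROBLEM` verdict with the default route on the tunnel is exactly the situation the `uci add network route` commands above correct.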

Hi Pavel! Thanks for helping.

Now my routing table is the following:

default via 192.168.0.1 dev eth0.2  src 192.168.0.115 
10.10.10.0/24 dev vpn-oc0 scope link 
54.224.XX.XX via 192.168.0.1 dev eth0.2 
192.168.0.0/24 dev eth0.2 scope link  src 192.168.0.115 
192.168.1.0/24 dev br-lan scope link  src 192.168.1.1 

/etc/config/network

config interface 'oc0'
        option proto 'openconnect'
        option server 'vpn.REDACTED.com'
        option username 'vpn'
        option password 'REDACTED'
        option vpn_protocol 'anyconnect'
        option defaultroute '0'

config route
        option target '54.224.XX.XX'
        option interface 'wan'
        option gateway '192.168.0.1'

/etc/config/firewall

config zone
        option name 'oc'
        option forward 'REJECT'
        option output 'ACCEPT'
        option input 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option device 'vpn-oc0'
        option family 'ipv4'

config forwarding
        option name 'lan-oc'
        option dest 'oc'
        option src 'lan'
        option family 'ipv4'

However, traffic is still not passing through the tunnel when tested from the client (192.168.1.183).

Update:

After setting the default route for the oc0 interface, client traffic started to flow through the VPN tunnel.

ip route

root@OpenWrt:~# ip route
default dev vpn-oc0 scope link 
10.10.10.0/24 dev vpn-oc0 scope link 
54.224.XX.XX via 192.168.0.1 dev eth0.2 
192.168.0.0/24 dev eth0.2 scope link  src 192.168.0.115 
192.168.1.0/24 dev br-lan scope link  src 192.168.1.1 

On the client:

curl ifconfig.me
54.224.XX.XX

However, now the issue is different: some websites load with no issues, e.g. google.com, but when I try to load forum.openwrt.org or speedtest.net, the browser just hangs forever. It seems like websites behind Cloudflare are either not loading at all or load after a very long delay. At the same time, when I use the same VPN configuration from the client (Ubuntu), they load just fine.
Is there a chance OpenWRT is blocking some traffic flow through VPN?

Here's an example of trying to load https://www.speedtest.net/ over the VPN:

Calls to https://play.google.com/log?format=json&hasfast=true&authuser=0 all fail from the browser; however, if I run the same request through curl, the response is returned correctly.

When you have these spurious problems with some websites loading and others not, or loading slowly/hanging, my first thoughts go to either IPv6 or MTU problems.
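The MTU suspicion can be confirmed directly instead of guessing a value: send echo requests with the don't-fragment bit set and binary-search the largest size that still gets a reply. The script below is an added example, not code from the thread or from OpenWrt. The real probe shells out to iputils `ping -M do` (Linux only; the `-M do`, `-s` and `-W` options are iputils flags), and `simulated_path` is a constructed stand-in for a path whose MTU is 1434 (the value that fixed things above) so the search itself can be exercised offline.

```python
"""Discover the path MTU with DF-marked ICMP echo requests.

Added example (not from the forum thread). `find_path_mtu` binary-searches
payload sizes; `probe(payload)` returns True when a packet with that ICMP
payload crosses the path unfragmented. MTU = payload + 20 (IPv4) + 8 (ICMP).
"""
import subprocess
import sys

IP_ICMP_HEADERS = 28  # 20-byte IPv4 header + 8-byte ICMP echo header


def ping_probe(host, timeout=1):
    """Return a probe that sends one DF-marked echo request of a given payload (Linux iputils)."""
    def probe(payload):
        cmd = ["ping", "-c", "1", "-W", str(timeout), "-M", "do", "-s", str(payload), host]
        return subprocess.run(cmd, stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL).returncode == 0
    return probe


def simulated_path(mtu):
    """Constructed stand-in for a real path: drops any DF packet larger than `mtu`."""
    return lambda payload: payload + IP_ICMP_HEADERS <= mtu


def find_path_mtu(probe, lo=576, hi=1500):
    """Largest MTU in [lo, hi] whose packets get through, or None if even `lo` fails.

    Invariant: probe(lo_payload) is True; the search closes the gap to hi_payload.
    """
    lo_payload = lo - IP_ICMP_HEADERS
    hi_payload = hi - IP_ICMP_HEADERS
    if not probe(lo_payload):
        return None  # path badly broken, or the host does not answer ICMP at all
    while lo_payload < hi_payload:
        mid = (lo_payload + hi_payload + 1) // 2  # round up so the loop always progresses
        if probe(mid):
            lo_payload = mid
        else:
            hi_payload = mid - 1
    return lo_payload + IP_ICMP_HEADERS


def mtu_verdict(path_mtu, link_mtu=1500):
    """Short diagnosis comparing the discovered path MTU with the interface MTU."""
    if path_mtu is None:
        return "no DF-marked probe got through; check ICMP filtering before blaming MTU"
    if path_mtu >= link_mtu:
        return f"path MTU {path_mtu} matches the link; MTU is not the problem"
    return (f"path MTU {path_mtu} < link MTU {link_mtu}: set the client or tunnel MTU "
            f"to {path_mtu} (or lower the TCP MSS) to avoid black-holed large packets")


if __name__ == "__main__":
    # Usage: python pmtu.py <host>   (runs the real ping probe against the host)
    target = sys.argv[1] if len(sys.argv) > 1 else None
    probe = ping_probe(target) if target else simulated_path(1434)
    mtu = find_path_mtu(probe)
    print("path MTU:", mtu)
    print(mtu_verdict(mtu))
```

Run from the affected client through the tunnel to a host that answers ICMP; if the result comes back well below 1500 while the interface still claims 1500, large TLS records (which is what the Cloudflare-fronted sites were stalling on) are being silently dropped, and lowering the MTU as done above, or enabling MSS clamping on the router, is the fix.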

After setting MTU 1434 on my WiFi connection, all issues seem to be gone. Thank you for your help!
