Can't reach other local subnets when using VPN client

I have a setup with multiple subnetworks that I want to be able to cross. So lan is in range 192.168.20.0/32 and internal at 192.168.1.0/32 and lan should be able to access internal.
For exact setup see the post where I couldn't figure out how to do it.

The setup works perfectly fine - until I use a VPN client on my Ubuntu PC in the lan network. I use the ProtonVPN application and once it's on, I can only reach the lan subnet - so the 192.168.20.0/32 range - and I cannot reach any other local network. Once the VPN is off - it works fine.

Is this expected behaviour or is it something ProtonVPN-specific? What options do I have to solve this? I imagine I could just make rules for local routes on my Ubuntu PC, to never go through tun0 with anything in 192.168.0.0/16 range probably? But that requires client-specific config which I want to avoid.

Then do not run a VPN client on your PC

If you want fine grained control over which lan clients are going to use the VPN then use a PBR package on your router e.g. https://docs.openwrt.melmac.net/pbr/

That's what I thought too, that's why there's vpnlan and lan where vpnlan runs the VPN on the router. But then I realized I'm also going to use my phone that always runs a VPN client. It'd be less than optimal to have to click through the phone to disable the VPN and disable the kill-switch every time I am in the network area.
So I'm trying to figure ways to have a VPN client, but still be able to access all my local subnets.

My other idea was - if I can only reach the same subnet of 192.168.20.0/32 - how about I just have all my networks in that range? I think my setup only runs a single DHCP server, so it should be able to handle it without collisions. I just don't know how to split this subnet into something like:

  • lan: from 192.168.20.0 to 192.168.20.63 (64 slots)
  • internal: from 192.168.20.64 to 192.168.20.127 (64 slots)

Does it make any sense?

Another idea I had was to ask the router to "proxy" the traffic for me. I don't know how a proxy works to be honest, if it only redirects me or acts like a middle man that I talk to.

But if I was able to have such a "middle man" in my subnet to just take my packet and send it to the correct target destination, then get the response and send it to me (switching the source IP to its own) then it would work too. I bet such a thing exists but I don't know what to google even.

I do not think that is going to work, you still have two subnets and the phone will likely only allow traffic to its own subnet when the VPN client is active on your phone. But this is the OpenWRT forum and not the Proton VPN client forum, so perhaps ask there?

If you're using VPNs, it's important to know and understand what the routing rules on each device are, so that you can work out which rule/device "wins".

If you have a VPN client on an endpoint, e.g. your phone or your PC, and if that VPN client's behaviour is to route all traffic (i.e. 0.0.0.0/0) then the VPN client on your PC "wins" and your router has no say in the matter. By the time the traffic hits your router it's already encrypted for onward transmission to the VPN server. This is known as a full-tunnel VPN.

If you have a VPN client on an endpoint, e.g. your phone or your PC, and if that VPN client's behaviour is to route some traffic (e.g. only 172.16.0.0/12) then the VPN client on your PC will only send traffic matching its routing rule via the VPN and the rest of the traffic will be sent to the router for the router to decide what to do with it. This is known as a split-tunnel VPN.

Your situation will involve trade-offs and compromises, and it will be up to you where you want those trade-offs and compromises to be. You might not want client-specific configuration, but your hand might be forced.

Some VPN providers offer guidance for installing a VPN endpoint on your router instead of using a dedicated client on each device. I don't use ProtonVPN and don't know its foibles, so don't know if ProtonVPN offers such advice.

If you have the VPN endpoint on the router, then it means that every device which uses the router can also benefit from the VPN without needing its own VPN client installed. Plus, you can then use the router to apply granular routing rules without needing the client-specific configuration which you're trying to avoid. But doing so will involve learning a) whether ProtonVPN supports configuring your router as a VPN endpoint, and b) how to set up the routing and firewall rules to send your network traffic where you want it to go.

1 Like
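To see which route "wins" for the addresses in this thread, here is an added Python model of longest-prefix-match route selection; it is not code from the thread or from ProtonVPN, and the interface names, metrics, the 172.16.0.0/12 split-tunnel prefix and the metric-based override (real clients may use policy routing or fwmarks instead) are assumptions.

```python
import ipaddress

# Constructed subnets matching the thread's description (the /32 in the posts is read as /24).
LAN = ipaddress.ip_network("192.168.20.0/24")       # PC's connected subnet
INTERNAL = ipaddress.ip_network("192.168.1.0/24")   # other local subnet behind the router


def pick_route(routes, dst):
    """Return the egress interface for dst: longest prefix wins, ties go to the lower metric.
    routes is a list of (network, interface, metric) tuples."""
    dst = ipaddress.ip_address(dst)
    candidates = [r for r in routes if dst in r[0]]
    if not candidates:
        return None
    net, dev, _metric = max(candidates, key=lambda r: (r[0].prefixlen, -r[2]))
    return dev


def route_table(vpn_mode, local_override=False):
    """Build the PC's routing table for one scenario (assumed interface names and metrics).
    vpn_mode: "off", "full" (full-tunnel) or "split" (split-tunnel)."""
    routes = [
        (ipaddress.ip_network("0.0.0.0/0"), "eth0", 100),  # default route via the router
        (LAN, "eth0", 0),                                   # connected route the kernel installs
    ]
    if vpn_mode == "full":
        # Full-tunnel client: a default route via tun0 with a better metric than the router's.
        # Only the connected /24 is more specific, so every other subnet is pulled into tun0.
        routes.append((ipaddress.ip_network("0.0.0.0/0"), "tun0", 50))
    elif vpn_mode == "split":
        # Split-tunnel client: only the selected prefix is sent via tun0.
        routes.append((ipaddress.ip_network("172.16.0.0/12"), "tun0", 50))
    if local_override:
        # The poster's idea: a more specific route keeps all 192.168.0.0/16 off the tunnel.
        routes.append((ipaddress.ip_network("192.168.0.0/16"), "eth0", 50))
    return routes


def lan_vs_internal(vpn_mode, local_override=False):
    """Which interface carries traffic to a lan host and to an internal host in this scenario."""
    table = route_table(vpn_mode, local_override)
    return pick_route(table, "192.168.20.5"), pick_route(table, "192.168.1.10")


if __name__ == "__main__":
    for mode, override in (("off", False), ("full", False), ("full", True), ("split", False)):
        print(f"vpn={mode:5} override={override!s:5} lan->{lan_vs_internal(mode, override)[0]}"
              f" internal->{lan_vs_internal(mode, override)[1]}")
```

With the full-tunnel table the lan host stays on eth0 but the internal host goes to tun0, which is exactly the symptom described above; the 192.168.0.0/16 override or a split-tunnel table keeps both on eth0.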

What about the proxy idea? I think it makes sense. I do have access to the subnet I'm connected to. Right?

If I had a proxy on my router that would direct my requests to other subnets it would be transparent to my Ubuntu PC - it should still think we are using the subnet it's connected to.

Right?

So I ask for 192.168.100.100, which is outside my subnet. But proxy sees the requests, makes the same request in my name and the result is sent back from the proxy - as if it came from 192.168.20.X.

Or maybe I just don't understand what proxy is.

It depends what traffic you want to proxy and why. "Proxy" is merely another term for "man in the middle" and can apply to any traffic.

For example, a DHCP Relay is a proxy. NAT is also a form of proxy. There are others.

You might find it useful to draw a diagram showing the physical paths (OSI layers 1 & 2) in your network. And then draw a second diagram showing the logical paths (OSI layers 3-7) of the traffic in your network. I often do this when I'm trying to troubleshoot something which "should" work but doesn't. Often the drawings reveal a gap in my understanding or an error that I've introduced which has hitherto gone unnoticed.

1 Like