Configure OpenVPN only on some LAN ports

Hi

I have a D-Link DWR-921 (WiFi router with inbuild 3G/4G).

Installed 19.07.3 with no issues. 3G is working, and I have OpenVPN working as well (LAN and WiFi).

Issue: I would like to make two of the LAN ports not use the VPN. With help I have achieved this with an Archer C7 - but no luck so far on this device.

My original DHCP, firewall and network configuration is:


config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra 'server'
	option ra_management '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'


config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wwan wan6'
	# tun0 sits in the same zone as the physical uplinks, so VPN traffic is
	# masqueraded and anything arriving from the tunnel meets the wan
	# INPUT/FORWARD policy (REJECT) like any other upstream
	list device 'tun0'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'


config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdb8:dd48:fbae::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	list dns '8.8.8.8'
	list dns '8.8.4.4'

config device 'lan_eth0_1_dev'
	option name 'eth0.1'
	option macaddr 'ec:ad:e0:20:a5:10'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'

config device 'wan_eth0_2_dev'
	option name 'eth0.2'
	option macaddr 'ec:ad:e0:20:a5:0f'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 3 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '4 6t'

config interface 'wwan'
	option proto 'qmi'
	option device '/dev/cdc-wdm0'
	option apn 'wapaccess.co.nz'

I have tried making the config changes below, but then all LAN connectivity stops working.


config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra 'server'
	option ra_management '1'
	
config dhcp 'lan2'
	option interface 'lan2'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra 'server'
	option ra_management '1'


config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'



config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	# lan2 (the segment meant to bypass the VPN) is in the same zone as lan;
	# with forward 'ACCEPT' below the two segments can reach each other without
	# restriction - give lan2 its own zone if VPN and non-VPN hosts are meant
	# to be isolated from one another
	list network 'lan2'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wwan wan6'
	# tun0 shares the zone with wwan, so the lan->wan forwarding below admits
	# traffic to either; nothing here stops lan hosts reaching wwan0 directly
	# if the tun0 routes disappear (the ip output later in the thread shows the
	# main table still carries the plain wwan0 default)
	list device 'tun0'

config forwarding
	# applies to lan2 as well, since both networks are in the lan zone
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'



config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdb8:dd48:fbae::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	# NOTE(review): public resolvers listed on the LAN interface - a later reply
	# points out they are only reachable via wan and belong on that interface
	list dns '8.8.8.8'
	list dns '8.8.4.4'
	list dns '1.1.1.1'

config device 'lan_eth0_1_dev'
	option name 'eth0.1'
	option macaddr 'ec:ad:e0:20:a5:10'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'
	list dns '8.8.8.8'
	list dns '8.8.4.4'


config device 'wan_eth0_2_dev'
	option name 'eth0.2'
	option macaddr 'ec:ad:e0:20:a5:0f'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	# LAN side: CPU port 6 tagged plus untagged ports 0 and 1
	option ports '6t 0 1'
	option vid '1'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	# NOTE(review): '0t' tags the WAN VLAN onto LAN port 0 (which is also
	# untagged in VLAN 1 above) instead of the CPU port; the original config
	# and the reply further down use '4 6t' - a likely cause of the LAN outage
	option ports '0t 4'
	option vid '2'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	# intended lan2 side: CPU port 6 tagged plus untagged ports 2 and 3
	option ports '6t 2 3'
	option vid '3'


config interface 'wwan'
	option proto 'qmi'
	option device '/dev/cdc-wdm0'
	option apn 'wapaccess.co.nz'
	
config interface 'lan2'
	option type 'bridge'
	# NOTE(review): every other VLAN interface on this device hangs off eth0
	# (eth0.1, eth0.2), so VLAN 3 would be eth0.3 - 'eth1.3' names a device
	# that does not exist here (LuCI later reports "Network device is not present")
	option ifname 'eth1.3'
	option proto 'static'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	list dns '8.8.8.8'
	# NOTE(review): 4.4.4.4 is not the resolver used on 'lan' (8.8.4.4) -
	# probably a typo; a later reply recommends dropping these dns entries
	# from the LAN interfaces altogether
	list dns '4.4.4.4'
	list dns '1.1.1.1'

config rule
	# policy routing: packets arriving on lan2 consult table 100 before the
	# main table, which is where OpenVPN installs its 0.0.0.0/1 and 128.0.0.0/1
	# routes via tun0; if table 100 has no usable route the lookup falls through
	# to main and lan2 traffic enters the VPN anyway
	option in 'lan2'
	option lookup '100'

config route
	# NOTE(review): 'wan' is eth0.2 (DHCP), which is not the uplink in use on
	# this router - the ip output later in the thread shows the only upstream
	# gateway is 100.117.0.181 on wwan0 - so this gateway is unreachable and
	# the default route never takes effect for lan2
	option interface 'wan'
	option target '0.0.0.0'
	option gateway '192.168.0.1'
	option netmask '0.0.0.0'
	option table '100'

config route
	# keeps the lan subnet reachable from lan2 while table 100 is consulted
	option interface 'lan'
	option target '192.168.1.0'
	option netmask '255.255.255.0'
	option table '100'

Any assistance greatly appreciated!
Thank you, Andrew

Each device has a different switch layout; if you copy the configuration from one device to another, you can render some ports inoperative.

This is your default setup:

Ports 0, 1, 2, 3 are LAN, port 4 is WAN, and port 6 is CPU. Also, VLAN 1 is for LAN and VLAN 2 for WAN. You want to put some LAN ports on VLAN 3 for LAN2:

config switch_vlan
	option device 'switch0'
	option vlan '1'
	# CPU port 6 is tagged in every VLAN; ports 0-1 stay on VLAN 1 (lan)
	option ports '0 1 6t'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	# ports 2-3 move to VLAN 3 for lan2
	option ports '2 3 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	# port 4 remains the WAN port on VLAN 2
	option ports '4 6t'

Maybe you should give VPN Policy-Based Routing a try:

It's a different approach but it might also make possible changes in the future easier for you...

Hi Eduardo

Thank you. I have made the changes you suggest. Two of the LAN ports are now working correctly on my OpenVPN.

Unfortunately the other two LAN ports (which I hope will be not through the VPN) come up as 'identifying.... no internet', then 'unidentified network, no internet'.

Luci, network, interfaces LAN2 says: Error: Network device is not present.

Some screen captures from Luci for LAN2 attached.

Thank you again, Andrew


config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdb8:dd48:fbae::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	list dns '8.8.8.8'
	list dns '8.8.4.4'
	list dns '1.1.1.1'

config device 'lan_eth0_1_dev'
	option name 'eth0.1'
	option macaddr 'ec:ad:e0:20:a5:10'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'
	list dns '8.8.8.8'
	list dns '8.8.4.4'


config device 'wan_eth0_2_dev'
	option name 'eth0.2'
	option macaddr 'ec:ad:e0:20:a5:0f'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 6t'


config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '2 3 6t'


config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '4 6t'


config interface 'wwan'
	option proto 'qmi'
	option device '/dev/cdc-wdm0'
	option apn 'wapaccess.co.nz'
	
config interface 'lan2'
	option type 'bridge'
	option ifname 'eth1.3'
	option proto 'static'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	list dns '8.8.8.8'
	list dns '4.4.4.4'
	list dns '1.1.1.1'

config rule
	option in 'lan2'
	option lookup '100'

config route
	option interface 'wan'
	option target '0.0.0.0'
	option gateway '192.168.0.1'
	option netmask '0.0.0.0'
	option table '100'

config route
	option interface 'lan'
	option target '192.168.1.0'
	option netmask '255.255.255.0'
	option table '100'

When you connect a device to LAN2, does it acquire an IP address? A DNS server?

Must be eth0.3

Also remove the

	list dns '8.8.8.8'
	list dns '4.4.4.4'
	list dns '1.1.1.1'

from the lan and lan2 interfaces. Those resolvers are only reachable via wan, so they belong on the wan interface only.


Hi.

With the change to eth0.3 LAN2 is now working, and I get an IP address (correct range 192.168.3.x) + internet connection.

Unfortunately LAN2 is going through my VPN, rather than bypassing it. What have I missed to separate it out?

Any additional thoughts much appreciated.

Thank you, Andrew


What is the output of ip -4 addr; ip -4 ro li tab all; ip -4 ru ?

Hi

This is with the LAN cable plugged into what I think should be a 'no VPN' LAN port.

Thank you :slight_smile:


root@OpenWrt:~# ip -4 addr; ip -4 ro li tab all; ip -4 ru
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
4: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
6: br-lan2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.3.1/24 brd 192.168.3.255 scope global br-lan2
       valid_lft forever preferred_lft forever
9: wwan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 1000
    inet 100.117.0.182/30 brd 100.117.0.183 scope global wwan0
       valid_lft forever preferred_lft forever
11: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 100
    inet 10.8.0.14 peer 10.8.0.13/32 scope global tun0
       valid_lft forever preferred_lft forever
192.168.1.0/24 dev br-lan table 100 scope link
0.0.0.0/1 via 10.8.0.13 dev tun0
default via 100.117.0.181 dev wwan0  src 100.117.0.182
10.8.0.9 via 10.8.0.13 dev tun0  metric 1
10.8.0.13 dev tun0 scope link  src 10.8.0.14
100.117.0.180/30 dev wwan0 scope link  src 100.117.0.182
128.0.0.0/1 via 10.8.0.13 dev tun0
173.245.207.3 via 100.117.0.181 dev wwan0
192.168.1.0/24 dev br-lan scope link  src 192.168.1.1
192.168.3.0/24 dev br-lan2 scope link  src 192.168.3.1
local 10.8.0.14 dev tun0 table local scope host  src 10.8.0.14
broadcast 100.117.0.180 dev wwan0 table local scope link  src 100.117.0.182
local 100.117.0.182 dev wwan0 table local scope host  src 100.117.0.182
broadcast 100.117.0.183 dev wwan0 table local scope link  src 100.117.0.182
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1
broadcast 192.168.1.0 dev br-lan table local scope link  src 192.168.1.1
local 192.168.1.1 dev br-lan table local scope host  src 192.168.1.1
broadcast 192.168.1.255 dev br-lan table local scope link  src 192.168.1.1
broadcast 192.168.3.0 dev br-lan2 table local scope link  src 192.168.3.1
local 192.168.3.1 dev br-lan2 table local scope host  src 192.168.3.1
broadcast 192.168.3.255 dev br-lan2 table local scope link  src 192.168.3.1
0:      from all lookup local
1:      from all iif br-lan2 lookup 100
32766:  from all lookup main
32767:  from all lookup default
root@OpenWrt:~#

and where is that gateway you configured for the 0/0 route?

I am very sorry, but I really do not know (or understand may be more accurate....).

Can I include any other info to help with identifying the issue? Should I do this same capture with the LAN cable plugged into one of the 'other' (VPN expected) LAN ports?

You configured a gateway of 192.168.0.1 in the default route to bypass the vpn, but this gateway doesn't exist. The only alternative gateway I see is 100.117.0.181 from wwan.

Is there anything we can do to figure out why it does not exist?

Most likely you have not connected the wan interface.

I am really not sure where to do that.

I had a guess, and added this to the network file - with no change... But I really don't think that is what you meant......

config route
	# NOTE(review): this routes 192.168.1.0/24 out of lan2 in table 100, whereas
	# the earlier table-100 entry for the same target used interface 'lan',
	# where that subnet actually lives; as the next reply says, it does not
	# address the unreachable default gateway
	option interface 'lan2'
	option target '192.168.1.0'
	option netmask '255.255.255.0'
	option table '100'

This route is fine to allow communication between lan and lan2, but doesn't solve the problem with the invalid gateway for the default route.

Any suggestions for solving the invalid gateway issue? Any info I can provide?

Thank you!

Either use 100.117.0.181 as the gateway in the route, or install VPN-PBR and let it handle the traffic management.

Ok, I had a light bulb moment - of course the 192.168.0.1 gateway would apply if I were plugged into my LAN at home, which I am not; I am using the 3G in the DWR-921. And I guess the gateway IP may change?

So I installed 'VPN and WAN Policy-Based Routing' - Service Status [vpn-policy-routing 0.2.1-13]

I think I need to add this line to my openvpn config file?

OpenVPN tunnel configured with .ovpn file

Set the following to the appropriate section of your .ovpn file, right?

  • For OpenVPN 2.4 and newer client .ovpn file:
pull-filter ignore "redirect-gateway"

And then any hints as to using the VPN-PBR to do what I am trying to achieve?

Thanks again!

Sure does.

Not necessarily.

Create policies to configure the egress interface for each subnet.