zorxd
September 12, 2019, 6:03pm
1
Hello
I put the following into /etc/config/network but it appears to have no effect:
config route 'vpnbell'
	option interface 'vpn'
	option target '0.0.0.0'
	option netmask '0.0.0.0'
	option gateway '10.8.0.1'
	option table 'vpn'
I expected it to do the same thing as the command:
ip route add default via 10.8.0.1 dev tun0 table vpn
which is working fine. Maybe the device tun0 isn't up (OpenVPN not connected yet) when the configuration file is parsed? Any other ideas?
I do have a vpn interface defined (and working):
config interface 'vpn'
	option ifname 'tun0'
	option auto '1'
	option proto 'none'
as well as a "vpn" routing table in /etc/iproute2/rt_tables:
128 prelocal
255 local
254 main
253 default
10 vpn
0 unspec
The goal is to have a default route over the VPN only for a specific host.
Thanks
Incorrect then.
config route
	option interface 'vpn'
	option target '0.0.0.0'
	option netmask '0.0.0.0'
	option source '10.8.0.1'
	option table 'vpn'
(You also need a rule for something to use table no 10.)
Gateway and via are different things.
zorxd
September 12, 2019, 6:22pm
3
What's the difference?
I don't see any reference to "via" in https://openwrt.org/docs/guide-user/network/routes_configuration
OK, I saw you added source. I'll try, thanks.
1 Like
As above:
source == via
gateway == gateway
zorxd
September 12, 2019, 6:26pm
5
Hi
I have the following rule, which works fine:
config rule
	option src '192.168.29.2/32'
	option lookup 'vpn'
I tried your config as above, but the table is still empty (ip route show table vpn doesn't output anything).
I would have thought that source == src and gateway == via.
Is there a reason you just don't use 10?
Did you reboot or /etc/init.d/network reload?
You lost me here. That syntax would be incorrect in ip route - so not sure why you think it's correct in OpenWrt UCI.
The preferred source address when sending to destinations covered by the target
Example:
default via 10.1.1.1 dev eth0.2 proto static src 10.1.1.2
config route
	option interface 'wan'
	option target '0.0.0.0'
	option netmask '0.0.0.0'
	option source '10.1.1.2'
	option gateway '10.1.1.1'
	option table 'main'
zorxd
September 12, 2019, 6:46pm
7
Well vpn is an alias for 10, I thought it would be clearer. But I agree that it can be confusing with the interface.
I did reboot to apply changes.
Following your latest example, gateway in UCI seems to be the same parameter as "via" in ip route. So I still don't understand why the configuration in my first post doesn't work.
Am I forced to specify the source too?
For routes going to a Layer 3 tunnel, you don't need to specify a source nor gateway.
Again:
If you disagree and are configuring the opposite, that may be your issue.
zorxd
September 12, 2019, 6:54pm
9
OK it seems it doesn't work after a reboot, but if I perform an extra /etc/init.d/network reload it works.
It must have something to do with the fact that tun0 must be up before the ip route command is executed.
ip route show table vpn
default via 10.8.0.1 dev tun0
The configuration in my first post is valid and does what I expected.
1 Like
zorxd
September 12, 2019, 7:22pm
10
So the only permanent solution I found so far is to add the following code to a file in /etc/hotplug.d/iface/
#!/bin/sh
# Hotplug runs this on every interface event; only act when the 'vpn'
# interface (tun0) has come up, so the device exists when the route is added.
[ "$ACTION" = ifup ] && [ "$INTERFACE" = vpn ] && {
	logger "Adding default route to VPN table"
	ip route add default via 10.8.0.1 dev tun0 table vpn
}
exit 0
Let me know if there is a better way (UCI) to achieve the same.
Although OpenVPN service doesn't interact properly with netifd, you can still use Hotplug as a workaround for static configuration.
However, more complicated cases such as dynamic setup require utilizing the OpenVPN-specific options to invoke hook scripts.
ulmwind
September 12, 2019, 8:18pm
12
You can also use up/down scripts in OpenVPN config file.
2 Likes
zorxd
September 12, 2019, 8:56pm
13
Thanks,
It failed with the "up" directive in my OpenVPN client.conf. For some reason it added arguments to my "ip" command and failed.
Thu Sep 12 16:46:16 2019 daemon.notice openvpn(custom_config)[10200]: /sbin/ip route add default via 10.8.0.1 dev tun0 table vpn tun0 1500 1553 10.8.0.3 255.255.255.0 init
Thu Sep 12 16:46:16 2019 daemon.err openvpn(custom_config)[10200]: WARNING: Failed running command (--up/--down): external program exited with error status: 1
Thu Sep 12 16:46:16 2019 daemon.notice openvpn(custom_config)[10200]: Exiting due to fatal error
Thu Sep 12 16:46:16 2019 daemon.notice netifd: Network device 'tun0' link is down
Thu Sep 12 16:46:16 2019 daemon.notice netifd: Interface 'vpn' has link connectivity loss
Thu Sep 12 16:46:16 2019 daemon.notice netifd: Interface 'vpn' is now down
However it did work with the "route-up" directive. Good idea, it saves one configuration file.
In the OpenVPN client configuration file, two lines were required:
route-up '/sbin/ip route add default via 10.8.0.1 dev tun0 table vpn'
script-security 2
According to the documentation I found "script-security 2" shouldn't be required to call ifconfig, ip and route, but it didn't work without it.
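As an added example (not zorxd's script, and not anything shipped by OpenWrt or OpenVPN), here is the route-up hook from the post above written as a file rather than an inline one-liner. It takes the tunnel device and gateway from the environment variables OpenVPN exports to hook scripts (dev and route_vpn_gateway, documented in openvpn(8)) instead of hardcoding tun0 and 10.8.0.1, and refuses to run when either is missing; the script path /etc/openvpn/vpn-route-up.sh and the table name vpn are assumptions. The "up" directive failed in the log above because OpenVPN appends its own arguments (the tun0 1500 1553 ... tail) to an "up" command, while "route-up" receives none.

```sh
#!/bin/sh
# Added example, not from the thread. Route-up hook for OpenVPN on OpenWrt:
#   script-security 2
#   route-up /etc/openvpn/vpn-route-up.sh      (path is an assumption)
# OpenVPN exports "dev" (tunnel device) and "route_vpn_gateway" (VPN-side
# gateway) to hook scripts, so neither value needs to be hardcoded here.

TABLE="${VPN_TABLE:-vpn}"   # table name/id from /etc/iproute2/rt_tables (assumed: vpn)

# Log via syslog when logger exists (busybox on OpenWrt), else to stderr.
log() {
    if command -v logger >/dev/null 2>&1; then
        logger -t vpn-route-up "$*"
    else
        echo "vpn-route-up: $*" >&2
    fi
}

# Print the ip(8) command for a device ($1) and gateway ($2). "replace" instead
# of "add" keeps the hook idempotent across reconnects (no "File exists" error).
build_route_cmd() {
    printf 'ip route replace default via %s dev %s table %s\n' "$2" "$1" "$TABLE"
}

# Fail closed: return 1 if OpenVPN did not hand us both values, so we never
# run a half-empty "ip route replace default via  dev  table vpn".
check_env() {
    if [ -z "${dev:-}" ] || [ -z "${route_vpn_gateway:-}" ]; then
        log "dev or route_vpn_gateway unset; leaving table $TABLE untouched"
        return 1
    fi
    return 0
}

main() {
    check_env || exit 1
    cmd="$(build_route_cmd "$dev" "$route_vpn_gateway")"
    log "$cmd"
    $cmd    # intentional word splitting: run the command string built above
}

# Only act when OpenVPN invokes this as a route-up hook (it sets script_type);
# sourcing the file elsewhere just defines the functions above.
case "${script_type:-}" in
    route-up) main ;;
esac
```

The UCI rule from earlier in the thread (option src '192.168.29.2/32', option lookup 'vpn') is what sends the chosen host's traffic to this table; the hook only needs to keep the table's default route current.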
This may not work when you have multiple peers.
Also link scope routes work differently than global scope routes.
ip route show scope link
ip route show scope global
Did you notice this?
1 Like
onlink? - yes, you're correct. As the gateway in that case could be the endpoint address or some other "hop" (depending on protocol).
1 Like
zorxd
September 13, 2019, 1:54pm
16
Hello vgaetera,
Not sure I understand what you mean.
"up" and "route-up" are both OpenVPN-specific options to invoke hook scripts. Only the latter worked on my OpenWrt router. Somehow, additional arguments are being passed to the "up" command, which makes it fail.
I also found this useful post: https://beenje.github.io/blog/posts/openvpn-source-based-routing/
but I am not sure all the commands listed there are required. I don't have a down script and it still seems to work fine.
system
Closed
September 23, 2019, 1:55pm
17
This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.