Configure static route over open vpn (alternate routing table)

Hello

I put the following into /etc/config/network but it appears to have no effect:

config route 'vpnbell'
        option interface 'vpn'
        option target '0.0.0.0'
        option netmask '0.0.0.0'
        option gateway '10.8.0.1'
        option table 'vpn'

I expected it to do the same thing as command:

ip route add default via 10.8.0.1 dev tun0 table vpn

which is working fine. Maybe the device tun0 isn't up (openvpn not connected yet) when the configuration file is parsed? Any other idea?

I do have a vpn interface defined (and working):

config interface 'vpn'
        option ifname 'tun0'
        option auto '1'
        option proto 'none'

as well as a "vpn" routing table in /etc/iproute2/rt_tables:

128     prelocal
255     local
254     main
253     default
10      vpn
0       unspec

The goal is to have a default route over the VPN only for a specific host.

thanks

Incorrect then.

config route
	option interface 'vpn'
	option target '0.0.0.0'
	option netmask '0.0.0.0'
	option source '10.8.0.1'
	option table 'vpn'

(You also need a rule for something to use table no 10.)

Gateway and via are different things.

What's the difference?
I don't see any reference to "via" in https://openwrt.org/docs/guide-user/network/routes_configuration

OK I saw you added source. I'll try thanks.


As above:

source == via
gateway == gateway

Hi

I have the following rule, which works fine:

config rule
        option src '192.168.29.2/32'
        option lookup 'vpn'

I tried your config as above, but the table is still empty (ip route show table vpn doesn't output anything)

I would have thought that source == src and gateway == via.

  • Is there a reason you just don't use 10?
  • Did you reboot or /etc/init.d/network reload?

You lost me here. That syntax would be incorrect in ip route - so not sure why you think it's correct in OpenWrt UCI.

The preferred source address when sending to destinations covered by the target

Example:

default via 10.1.1.1 dev eth0.2 proto static src 10.1.1.2

config route
	option interface 'wan'
	option target '0.0.0.0'
	option netmask '0.0.0.0'
	option source '10.1.1.2'
	option gateway '10.1.1.1'
	option table 'main'

Well vpn is an alias for 10, I thought it would be clearer. But I agree that it can be confusing with the interface.
I did reboot to apply changes.

Following your latest example, gateway in UCI seems to be the same parameter as "via" in ip route. So I still don't understand why the configuration in my first post doesn't work.
Am I forced to specify the source too?

For routes going to a Layer 3 tunnel, you don't need to specify a source nor gateway.

Again:

If you disagree and are configuring the opposite, that may be your issue.

OK it seems it doesn't work after a reboot, but if I perform an extra /etc/init.d/network reload it works.
It must have something to do with the fact that tun0 must be up before the ip route command is executed.

ip route show table vpn
default via 10.8.0.1 dev tun0

The configuration in my first post is valid and does what I expected.


So the only permanent solution I found so far is to add the following code to a file in /etc/hotplug.d/iface/

#!/bin/sh
[ ifup = "$ACTION" -a vpn = "$INTERFACE" ] && {
        logger "Adding default route to VPN table"
        ip route add default via 10.8.0.1 dev tun0 table vpn
}
exit 0

Let me know if there is a better way (UCI) to achieve the same.
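A hardened variant of that hotplug script, added here as an example (it is not code from the thread). It keeps the thread's names (interface 'vpn', table 'vpn', gateway 10.8.0.1), uses `ip route replace` so a repeated ifup does not fail on an existing route, takes the tunnel device from the `DEVICE` variable netifd exports (assumed; tun0 as fallback), and adds a low-priority `unreachable` default to the vpn table so that, when tun0 goes away and the kernel drops the dev route, the policy-routed host is blocked instead of silently falling through to the main table and leaving via the WAN. The command builder is side-effect free so it can be dry-run without tun0 present.

```sh
#!/bin/sh
# Added example for /etc/hotplug.d/iface/90-vpn-route (not from the thread).
# Assumes the thread's names: interface 'vpn', table 'vpn' (id 10), gateway 10.8.0.1.
VPN_IFACE="vpn"
VPN_TABLE="vpn"
VPN_GW="10.8.0.1"
KILL_METRIC="1000"   # worse than the real default, so it only wins once tun0 is gone

# Print (do not run) the ip commands for a hotplug event, one per line.
# Kept side-effect free so it can be dry-run and checked without tun0 present.
vpn_route_cmds() {
    action="$1"; iface="$2"; dev="$3"
    [ "$iface" = "$VPN_IFACE" ] || return 0
    case "$action" in
        ifup)
            # 'replace' instead of 'add': a repeated ifup is idempotent (no "File exists")
            echo "ip route replace default via $VPN_GW dev $dev table $VPN_TABLE"
            # Kill switch: when tun0 disappears the kernel removes the dev route above; without
            # this entry the 'lookup vpn' rule finds no route, falls through to the main table
            # and sends the host's traffic over the WAN. With it the lookup hits 'unreachable'.
            echo "ip route replace unreachable default metric $KILL_METRIC table $VPN_TABLE"
            ;;
        ifdown)
            # Nothing to do: the dev route is already gone and the unreachable one must stay.
            ;;
    esac
}

# Real hotplug run: netifd exports ACTION, INTERFACE and DEVICE (DEVICE assumed; tun0 fallback).
if [ -n "$ACTION" ] && [ -n "$INTERFACE" ]; then
    vpn_route_cmds "$ACTION" "$INTERFACE" "${DEVICE:-tun0}" | while read -r cmd; do
        logger -t vpn-route "$cmd"
        $cmd
    done
fi
```

After the script is in place, `ip route show table vpn` should list both the `via 10.8.0.1 dev tun0` route and the `unreachable default metric 1000` entry; with the tunnel down only the latter remains and the host's traffic gets an unreachable error instead of leaving via the WAN.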

Although OpenVPN service doesn't interact properly with netifd, you can still use Hotplug as a workaround for static configuration.
However, more complicated cases such as dynamic setup require to utilize the OpenVPN-specific options to invoke hook scripts.

You can also use up/down scripts in OpenVPN config file.


Thanks,
It failed with the "up" directive in my openvpn client.conf. For some reason it added arguments to my "ip" command and failed.

Thu Sep 12 16:46:16 2019 daemon.notice openvpn(custom_config)[10200]: /sbin/ip route add default via 10.8.0.1 dev tun0 table vpn tun0 1500 1553 10.8.0.3 255.255.255.0 init
Thu Sep 12 16:46:16 2019 daemon.err openvpn(custom_config)[10200]: WARNING: Failed running command (--up/--down): external program exited with error status: 1
Thu Sep 12 16:46:16 2019 daemon.notice openvpn(custom_config)[10200]: Exiting due to fatal error
Thu Sep 12 16:46:16 2019 daemon.notice netifd: Network device 'tun0' link is down
Thu Sep 12 16:46:16 2019 daemon.notice netifd: Interface 'vpn' has link connectivity loss
Thu Sep 12 16:46:16 2019 daemon.notice netifd: Interface 'vpn' is now down

However it did work with the "route-up" directive. Good idea, it saves one configuration file.

In the OpenVPN client configuration file, two lines were required:

route-up '/sbin/ip route add default via 10.8.0.1 dev tun0 table vpn'
script-security 2

According to the documentation I found "script-security 2" shouldn't be required to call ifconfig, ip and route, but it didn't work without it.

This may not work when you have multiple peers.
Also link scope routes work differently than global scope routes.

ip route show scope link
ip route show scope global

Did you notice this?


onlink? Yes, you're correct. As the gateway in that case could be the endpoint address or some other "hop" (depending on protocol).


hello vgaetera,
Not sure to understand what you mean.
"up" and "route-up" are both OpenVPN-specific options to invoke hook scripts. Only the latter worked on my OpenWrt router. Somehow, additional arguments are being passed to the "up" command, which makes it fail.

I also found this useful post: https://beenje.github.io/blog/posts/openvpn-source-based-routing/
but I am not sure all the commands listed there are required. I don't have a down script and it still seems to work fine.
