Configuring server behind VPN

Hi,
Previously I had a (HTTP,DNS) server in my LAN, and as my router's default route was via my public IP, traffic from the server to WAN clients was correctly routed.

I have set up a VPN and now my default route is via my VPN. This means replies from my server are now routed via the VPN gateway, which prevents HTTP and other services from working properly.

What I'm trying to achieve:

  • LAN clients such as desktop and wifi clients have their traffic routed via the default VPN gateway.
  • WAN HTTP,DNS traffic to my public IP gets routed to my server.
  • WAN HTTP,DNS traffic from my server gets routed via my public IP and public gateway, not the VPN gateway.

What I have done so far:
Added a 3rd VLAN tag to my switch to allow me to configure the port my server is plugged into separately:
[screenshot: OpenWrt - Switch - LuCI]
Added an interface called SERVER to manage the server connection:
[screenshot: OpenWrt - Interfaces - LuCI]
Added a firewall zone called host and allowed traffic to be forwarded to and from lan and wan. I'm under the impression this should allow lan members to ping host members and vice versa.
[screenshot: OpenWrt - General Settings - LuCI]
Set my server's IP and gateway to 10.0.1.2 and 10.0.1.1.

What is happening:
My server can ping 10.0.0.1 and 10.0.1.1, which are my LAN and SERVER device IPs.
My server can't ping my LAN clients other than my router.

Why can't I ping my LAN clients from my server?
Assuming I was able to ping, how could I configure my WAN interface to be the default route for SERVER interface traffic?
Is there an easier way of doing this?
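An added example (not from this thread) for the policy-routing part of the question: an OpenWrt hotplug script that, whenever wan comes up or renews its lease, copies the wan gateway into a separate routing table and steers packets sourced from the server VLAN (10.0.1.0/24) into that table, while server-to-LAN traffic stays on the main table so LAN reachability is not lost. The script path, the table number 100, the rule priorities and the sample gateway 203.0.113.1 are assumptions; it also assumes the wan zone masquerades (the posted wan zone has no 'option masq' line, only the vpn zone does).

```shell
#!/bin/sh
# Added example, not from this thread. Assumed path: /etc/hotplug.d/iface/40-server-egress
# hotplug-call sources this file with ACTION and INTERFACE set whenever an interface changes.
# Goal: replies from the server VLAN leave via the wan gateway, not via wg0 (the main table's default).
SERVER_NET="10.0.1.0/24"   # the 'server' interface subnet from the posted config
LAN_NET="10.0.0.0/24"      # the 'lan' subnet; server<->lan traffic must stay on the main table
TABLE=100                  # routing table that holds only the wan default route (assumed number)
PRIO=100                   # rule priority; the main table is consulted at 32766, so this wins first

# Pure helper: emit the ip(8) commands for a given gateway and device, one per line.
# Kept free of side effects so it can be checked without touching the routing stack.
egress_cmds() {
    gw="$1"; dev="$2"
    printf '%s\n' \
        "ip route replace default via $gw dev $dev table $TABLE" \
        "ip rule del from $SERVER_NET to $LAN_NET lookup main 2>/dev/null" \
        "ip rule del from $SERVER_NET lookup $TABLE 2>/dev/null" \
        "ip rule add from $SERVER_NET to $LAN_NET lookup main priority $((PRIO - 1))" \
        "ip rule add from $SERVER_NET lookup $TABLE priority $PRIO"
}

# wan is DHCP, so the gateway is only known at run time: read it from netifd's state.
apply_egress() {
    . /lib/functions/network.sh
    network_flush_cache
    network_get_gateway gw wan || { logger -t server-egress "wan has no gateway yet"; return 1; }
    network_get_device dev wan || return 1
    egress_cmds "$gw" "$dev" | sh     # the 'del' lines may fail harmlessly, hence no sh -e
}

clear_egress() {
    ip rule del from "$SERVER_NET" lookup "$TABLE" 2>/dev/null
    ip rule del from "$SERVER_NET" to "$LAN_NET" lookup main 2>/dev/null
    ip route flush table "$TABLE"
}

# Only react to the wan interface; ifupdate covers a DHCP renew that changes the gateway.
if [ "$INTERFACE" = "wan" ]; then
    case "$ACTION" in
        ifup|ifupdate) apply_egress ;;
        ifdown)        clear_egress ;;
    esac
fi
```

The inbound half (WAN HTTP and DNS to the server) is a separate 'config redirect' DNAT entry per port in /etc/config/firewall; limiting it to those ports keeps the rest of the host zone, which has input 'ACCEPT', unreachable from wan.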

Screenshots don't provide enough information. Please post the following files:
/etc/config/network
/etc/config/firewall
/etc/config/openvpn (or if not that specific file, the openvpn config file for your server)
and your openvpn client config file.

Sure.
/etc/config/network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '10.0.0.1'
	option dns '10.0.0.2'
	option delegate '0'

config device 'lan_dev'
	option name 'eth0.1'
	option macaddr '78:a3:51:30:bc:e6'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'
	option delegate '0'
	option peerdns '0'
	option dns '10.0.0.2'

config device 'wan_dev'
	option name 'eth0.2'
	option macaddr '78:a3:51:30:bc:e7'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '0 1 2 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '4 6t'
	option vid '2'

config interface 'wg0'
	option proto 'wireguard'
	option listen_port '51820'
	option delegate '0'
	option private_key '***'
	list addresses '10.99.162.198/32'

config wireguard_wg0
	option endpoint_port '51820'
	option persistent_keepalive '21'
	list allowed_ips '0.0.0.0/0'
	option route_allowed_ips '1'
	option public_key 'TMOEAxpcv5xz+PvcvqP0Iy4+px+hrCJUJHGcy45DVQI='
	option endpoint_host '185.200.118.100'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option vid '3'
	option ports '3 6t'

config interface 'server'
	option ifname 'eth0.3'
	option proto 'static'
	option ipaddr '10.0.1.1'
	option netmask '255.255.255.0'
	option delegate '0'
	option force_link '0'

/etc/config/firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option drop_invalid '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option family 'ipv4'
	option network 'lan'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option network 'wan'
	option family 'ipv4'
	option input 'REJECT'
	option forward 'REJECT'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'
	option src 'wan'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config zone
	option forward 'REJECT'
	option output 'ACCEPT'
	option name 'vpn'
	option masq '1'
	option mtu_fix '1'
	option network 'wg0'
	option input 'REJECT'
	option family 'ipv4'

config zone
	option input 'ACCEPT'
	option output 'ACCEPT'
	option name 'host'
	option network 'server'
	option forward 'ACCEPT'

config forwarding
	option dest 'wan'
	option src 'host'

config forwarding
	option dest 'host'
	option src 'lan'

config forwarding
	option dest 'vpn'
	option src 'lan'

config forwarding
	option dest 'lan'
	option src 'host'

My VPN config is contained in /etc/config/network.
Let me know if you need any more info.

Thanks. I can't help, though -- I'm not familiar with WireGuard (I'm good with OpenVPN). Hopefully someone else can help out.