DSA network settings for VPN

Andy99 · February 18, 2023, 7:11pm

Hello everyone,

I'm little struggling with VPN network settings. I was following the guide from here Traffic is dropped for IPsec with firewall4, but there is something, what I don't understand. I have a router ASUS RT-N56U, which has different ports

	asus,rt-n56u)
		ucidef_add_switch "switch0" \
			"0:lan" "1:lan" "2:lan" "3:lan" "4:wan" "8@eth0"
		;;

like for the router defined in example. The main problem I see with configuration lan1:u* and switch which are not matching with mine.

config interface 'loopback'
  option device 'lo'
  option proto 'static'
  option ipaddr '127.0.0.1'
  option netmask '255.0.0.0'

config globals 'globals'
  option ula_prefix 'fdf2:c9c9:6256::/48'

config device
  option name 'br-lan'
  option type 'bridge'
  list ports 'eth0.1'

config device
  option name 'eth0.1'
  option macaddr '16:da:e9:f8:9d:39'

config interface 'lan'
  option device 'br-lan'
  option proto 'static'
  option netmask '255.255.255.0'
  option ip6assign '60'
  option ipaddr '10.0.0.1'
  option delegate '0'

config device
  option name 'eth0.2'
  option macaddr '14:da:e9:f8:9d:38'

config interface 'wan'
  option device 'eth0.2'
  option proto 'dhcp'

config interface 'wan6'
  option device 'eth0.2'
  option proto 'dhcpv6'
  option auto '0'
  option reqaddress 'try'
  option reqprefix 'auto'

config switch
  option name 'switch0'
  option reset '1'
  option enable_vlan '1'

config switch_vlan
  option device 'switch0'
  option vlan '1'
  option ports '0 1 2 3 8t'

config switch_vlan
  option device 'switch0'
  option vlan '2'
  option ports '4 8t'

Basically, what I wanted to achieve is, that local network will stay on 10.0.0.x and VPN on 10.0.1.x . Once you connect over VPN, you will be able to use ISP (internet) from WAN port. But I guess, this will be possible by firewall rules as well.

Could someone provide me a configuration which could achieve it?

Thank you

trendy · February 19, 2023, 5:10pm


config switch_vlan
  option device 'switch0'
  option vlan '1'
  option ports '0 1 2 8t'

config switch_vlan
  option device 'switch0'
  option vlan '3'
  option ports '3 8t'

config device
  option name 'eth0.3'
  option macaddr '16:da:e9:f8:9d:40'

config device
  option name 'br-vpn'
  option type 'bridge'
  list ports 'eth0.3'

config interface 'vpn'
  option device 'br-vpn'
  option proto 'static'
  option netmask '255.255.255.0'
  option ip6assign '60'
  option ipaddr '10.0.1.1'
  option delegate '0'

Andy99 · February 19, 2023, 6:24pm

Thank you for that.
But why is required to define a new eth.03 network? I guess, that VPN doesn't require to have a static port.

Andy

psherman · February 19, 2023, 7:20pm

@trendy (please correct me if I'm wrong here) was probably suggesting that based on the premise of your original question... VLANs (via swconfig/DSA) are not required for VPNs at all. However, they can be useful if you want an easy way to put certain devices on a network that will use the VPN and other devices on a different network that will bypass the tunnel. Combining VLANs + policy based routing makes this simple to achieve.

trendy · February 19, 2023, 7:41pm

Maybe I misunderstood the requirements, because you were referring to ports on your first post.
If you only need a wifi network for the vpn uplink, then you can ignore all these and proceed with the ip rules and routes.

Borromini · February 19, 2023, 7:48pm

The topic starter is confusing DSA syntax with the actual swconfig setup of his device.

@Andy99 The very code you quoted defines a swconfig based switch setup. You do not need anything DSA (nor is the underlying code relevant to your desire to set up a VPN).

Andy99 · February 19, 2023, 7:49pm

Ok, maybe I didn't specify it precisely. I wanted to have an virtual VPN network with 10.0.1.x network to be accessible from WAN.

trendy · February 19, 2023, 7:52pm

So you want a vpn server on OpenWrt?
If so, there are many examples in the wiki.

Andy99 · February 19, 2023, 7:55pm

The VPN server settings is not a problem. I've just followed the guide from here https://openwrt.org/docs/guide-user/services/vpn/strongswan/roadwarrior#etcconfigfirewall. I just need a network part.

psherman · February 19, 2023, 8:01pm

What's on this network... it's not really clear what purpose of the 10.0.1.0/24 network should serve in your setup...

Your lan appears to be 10.0.0.0/24.

Do you want the remote device to have an address in that 10.0.1.0/24 network? Or are there other resources you will host on that netowork?

Or a better question might be this:

What is the purpose of your road warrior VPN?
- Are you trying to use resources on your lan while you are away from home?
- Are you trying to use the internet via your home ISP (useful for bypassing geo restrictions, etc.)
- something else?

trendy · February 19, 2023, 8:14pm

rightsourceip = the pool of internal addresses to use for the VPN clients. You may want to assign multiple clients IPs from a subnet that doesn't overlap any of your private LANs (on 10.0.0.0/24), like in this example, setting to something like 10.0.1.0/24. Note that if you have only ONE client connecting, you could use 10.0.1.100**/32** instead, which means that only 1 single host can connect and it will be given that address 10.0.1.100. Otherwise, if you like the clients to be part of the same private subnet you can set this to a single address or a subnet portion that is free and not overlapping with DHCP ranges. Finally, you may alternatively set this to %dhcp and configure /etc/strongswan.d/charon/dhcp.conf accordingly if you want the client's addresses to be released by DHCP.

Here is your network.
If you don't understand why is that, better prefer other protocols, like wireguard or openvpn.

Andy99 · February 19, 2023, 8:18pm

Exactly, I wanted to be able to connect to my local network from Internet via mobile... . My local devices will have IP from 10.0.0.x and the VPN devices will have,10.0.1.x range.

psherman · February 19, 2023, 8:22pm

So the addresses your remote devices get is a function of the vpn config, not the interfaces defined as ‘local’ networks.

Andy99 · February 19, 2023, 9:13pm

Aha, so maybe I was wrong for the whole time. So why is the network needed then? If you need to route data, don't you need a network?

psherman · February 19, 2023, 10:17pm

Typically you would create a network to be able to associate the vpn’s network with a firewall zone.

Depending on the vpn protocol, you may not even need to create a network at all. In the case of OpenVPN, you can actually tie the tunnel directly as a device to a firewall zone. Or you can create a network but make it unmanaged.

Andy99 · February 20, 2023, 5:54am

Yes, that's the reason, why I was asking for help. I'm not going to use a OpenVPN. So my question is is still valid I guess.

psherman · February 20, 2023, 6:16am

I was simply using OpenVPN as an example. You mentioned Strongswan, which I have never used... so I'm not going to be able to help there, but I'm still pretty sure that you're setting up a subnet within the VPN server config itself, and that you don't need to create a network in the 'local' context (I could be wrong, though). Wireguard works slightly differently in that you define the WG VPN in the network file itself, but it is 'self contained' insofar as not neeting to be attached to another network.

Andy99 · February 25, 2023, 6:15pm

Ok, I tried to used the Strongswan, but it didn't work. There were some errors, like unsupported protocol, so I decided to switch to OpenVPN. It's working without any problems, which didn't require some special settings.

So I guess, we can close this. But anyway thank you for your support.

psherman · February 25, 2023, 6:24pm

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.

system · March 7, 2023, 6:25pm

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.