I'd like to have my openvpn client interface be the default gateway (If the VPN goes down, I am ok with the router routing traffic over the primary or secondary WAN interfaces).
I have successfully setup mwan3 with the two WAN ports (and tested), and then added a open vpn client to the router (i've tested the vpn client setup with my laptop and confirmed that it works).
The VPN client does connect, but its not clear to me what I should do next to achieve the stated goal.
I assume I should add the interface i created for the vpn tun to my mwan3 managed interfaces, but it seems that if mwan3 is installed before a interface is created, it cannot use it (I get the No metric set! message in the interface table in the manager UI, and the vpn is reported as down even when its not).
Do I have to reinstall mwan3 for it to see my vpn interface properly?
No, you should set the metric on the VPN interface, in /etc/config/network.
ah ok. I did do that via the UI, but it doesn't seem to register with mwan3
I had the same problem when i setup my second wan. I had installed mwan3 before creating the wan1 interface. after creating the wan1 interface and ensuring the metric was set via the UI, mwan3 was not able to see the metric.
So, you are saying, just edit the file, and it should be good to go?
Using the UCI, I confirmed that the vpn interface has the lowest metric
With mwan3, there is no requirement that the VPN has the lowest metric, because mwan3 will create a new routing table with the VPN as the only interface available, and apply it to the traffic that is configured to go through the VPN. However, there is a requirement that the metric is unique, and that the actual metric matches the configured one. Also there is a soft requirement (if you want to use mwan3 to define which traffic should bypass the VPN) that the existing default route is not removed by the VPN software. These requirements can translate into some non-trivial OpenVPN options that need to be added.
First of all, please add the
pull-filter ignore redirect-gateway option, to prevent the other end from pushing configuration incompatible with mwan3. We'll provide our own replacement.
Second, please be aware that
redirect-gateway def1 option is incompatible with mwan3, because mwan3 looks for new default routes, while this option causes two separate routes for bottom and top halves of the IP address space be installed instead. I would actually recommend removing all
redirect-gateway options and replacing them with
redirect-private, so that the original gateway is kept for mwan3.
redirect-private, we need to make sure that the default route through the VPN exists, with the correct metric. For that, an explicit
route command is needed.
This yields (tested on the desktop with the free VPN from vpngate.net, 50 is the metric, everything else is verbatim):
pull-filter ignore redirect-gateway
route 0.0.0.0 0.0.0.0 vpn_gateway 50
Thank you for the guidance. I tested the new settings with my AWS Client VPN endpoint service and it worked as expected.
I am still not able to get mwan3 to recognize the vpn interface metric (after using both the UI and UCI to set and confirm the metric on the vpn interface, and rebooting it)
Do I need to uninstall mwan3 and reinstall?
No, you don't.
Please provide the output of
ip route with the VPN connected.
I was able to get mwan3 to read the vpn interface's metric by deleting and recreating the vpn interface. Perhaps there is another way, but that seemed to work.
I reduced the vpn_gateway metric from 50 to 10 in the ovpn config.
Here is the output from
default via 192.168.0.33 dev tun0 metric 10
default via 192.168.20.1 dev lan1 proto static src 192.168.20.100 metric 30
192.168.0.32/27 dev tun0 proto kernel scope link src 192.168.0.34
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
192.168.20.0/24 dev lan1 proto static scope link metric 30
Does mwan3 detect the vpn as online now?
Yes, it works now. Apologies for leaving that out of the last comment!
This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.