Help Routing Traffic on OpenVPN Tunnel **URGENT**

Hi Guys,

Wondering if you can help me. I'm fairly new to OpenWRT so please bear with me.

I currently have a BT HomeHub 5 Type A with OpenWRT installed. This works great. I have installed openVPN and configured it to authenticate and initiate a tunnel following this guide https://openwrt.org/docs/guide-user/services/vpn/openvpn/client

However, I'm trying to get this to be a whole-site VPN so that ALL traffic on my LAN side can communicate through the VPN. The OpenWRT Hub is able to communicate fine with all devices on the LAN side of the server. However, nothing on the LAN side of OpenWRT is able to communicate.

I suppose what I'm trying to ask is that I need help to send all traffic for the 10.x.10.x subnet through the VPN and all other traffic out through the WAN. I don't want to route ALL traffic through the VPN as this will just slow down site searches. The router itself is able to communicate fine like this, but the LAN of the router is unable to communicate with the VPN at all.

I have attached a network topology diagram to help you understand. Ideally, rather than the OpenWRT router acting as a DHCP server, I would rather forward DHCP and DNS requests to the PfSense box on Site B. Although, if we can just get the tunnel traffic routes working for now, that would be great!

[attached image: topology]

Any help would be appreciated!

If you have any questions just ask!

Thanks in advance.

Hi,
Site A : 192.168.1.x
Site B: 10.1.10.x
Openvpn 10.120.0.x

You need:
1 - NAT active on tun/tap interface on openwrt
2 - On the Openwrt router a static route to subnet 10.1.10.0/24 using the server IP from openvpn ( I suppose that is 10.120.0.1 ). All traffic to 10.1.10.0/24 will be sent to pfSense over the openvpn interface.
3 - NAT active on tun/tap interface on pfSense
4 - On pfSense a static route to subnet 192.168.1.0/24 using the client IP from openvpn ( 10.120.0.2 ). All traffic to 192.168.1.0 will be sent to Openwrt over the openvpn interface.

With all this, the traffic between the LAN subnets will be NATed correctly over the openvpn. Internet traffic will still be directed to the local internet connection. To reduce trouble it would be better if the openvpn IP of the openwrt is fixed ( not dynamic ).

Hi prdtabim,

Thanks for your response. It seems that OpenWRT does have the necessary IPv4 routing in place for this when looking at the routes within LuCi. Can you confirm how I enable (or check if it's enabled) NAT on the tun/tap interface for PfSense & OpenVPN?

[attached image: openwrt routes]

Also, I'm not sure how to add the static route on PfSense.

Thanks in advance,
Callum

Hi,

I'm not very familiar with pfSense. I believe that the routing is similar to openwrt/linux.
On openwrt you could use the GUI or list all needed commands ( route, iptables ) in Network -> Firewall -> Custom rules.
Openwrt side:
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o tun0 -j MASQUERADE
route add -net 10.1.10.0 netmask 255.255.255.0 gw 10.120.0.1

The 1st command allows NAT from the 192.168.1.0 subnet on the openvpn interface ( assuming tun0 as the name ).
The 2nd routes all traffic to the 10.1.10.0 subnet to the openvpn IP of the pfSense.

Try this first. If it works, all that is needed is to adapt it to pfSense.

OK, so I did the first command, this went through successfully. The 2nd command came back with a message to say that it already exists. Did a reboot of the OpenWRT server, still can't access the OpenVPN server from the LAN side of OpenWRT. :sleepy:

No, the solution is using routing plus NAT.

OK guys, so a friend of mine sent me this link:

https://community.openvpn.net/openvpn/wiki/RoutedLans

After reading the info in the link, it does seem this may be something I need to implement. Although, will this just change the way the OpenWRT Hub handles the traffic? As the hub seems to be doing everything right when trying to ping from it. It's just the LAN devices that aren't. I guess I just need to have my LAN devices implement the same routes and NAT as the hub. Maybe I'm just over-complicating things?

The guide in that link seems very similar to my setup, as I do want to have 3 sites linked this way (like in the guide). I want each subnet to be 10.1.10.0/24, 10.2.10.0/24 and 10.3.10.0/24. I have now changed the subnet of the Hub from 192.168.1.0/24 to 10.2.10.0/24 and the router IP is 10.2.10.1.

Anyway, I found this box on the OpenVPN Server which I think is where I would input the config lines.

[attached image: pfsense cap]

So in this box I have put the following:

route 10.2.10.0 255.255.255.0
route 10.3.10.0 255.255.255.0
push "route 10.1.10.0 255.255.255.0"
push "route 10.2.10.0 255.255.255.0"
push "route 10.3.10.0 255.255.255.0"
client-to-client

Is this correct? How would I then set the ‘iroute’ ccd file on the Hub? Would it need to be stored at a specific directory? Would it need a specific name? And what would I enter into the CCD file?

Would it just be ‘iroute 10.2.10.0 255.255.255.0’ ?

Thanks,
Callum