Try to set a specific port in the VPN configuration, e.g. 1194 for Amsterdam and 1195 for Basel. Then use 127.0.0.1 as the local address and the above port to classify the traffic.
Just to get this straight.
You have one wan interface, eth0.2 and you set up 2 VPN tunnels tun0 and tun1, that connect to the internet via your ISP over eth0.2. Is this correct so far?
Then what are these PP_VPN1 and PP_VPN2 interfaces?
You have one wan interface, eth0.2 and you set up 2 VPN tunnels tun0 and tun1, that connect to the internet via your ISP over eth0.2. Is this correct so far?
That's right.
Then what are these PP_VPN1 and PP_VPN2 interfaces?
PP_VPN1 is tun0 and PP_VPN2 is tun1.
/etc/config/network:
config interface 'PP_VPN1'
	option proto 'none'
	option ifname 'tun0'
	option auto '1'

config interface 'PP_VPN2'
	option proto 'none'
	option ifname 'tun1'
	option auto '1'
I have created the PP_VPN1 and PP_VPN2 interfaces because I cannot choose tun0 and tun1 in the VPN policy routing package. I can only choose interfaces there.
I misunderstood what you wanted to achieve. For a better understanding, post the whole configs from network, firewall and OpenVPN here, as well as the output of: ip -4 addr; ip -4 route; ip -4 rule; ip -4 route list table all
You are doing it correctly but most likely there is some issue with splitting the 0/0 into 0/1 and 128/1.
root@OpenWrt:~# ip -4 addr; ip -4 route; ip -4 rule; ip -4 route list table all
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
7: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
valid_lft forever preferred_lft forever
9: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet 109.91.78.187/22 brd 109.91.79.255 scope global eth0.2
valid_lft forever preferred_lft forever
10: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
inet 10.0.80.248/24 brd 10.0.80.255 scope global tun1
valid_lft forever preferred_lft forever
11: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
inet 10.3.5.252/24 brd 10.3.5.255 scope global tun0
valid_lft forever preferred_lft forever
0.0.0.0/1 via 10.3.5.1 dev tun0
0.0.0.0/1 via 10.0.80.2 dev tun1
default via 109.91.76.1 dev eth0.2 proto static src 109.91.78.187
10.0.80.0/24 dev tun1 proto kernel scope link src 10.0.80.248
10.3.5.0/24 dev tun0 proto kernel scope link src 10.3.5.252
82.199.134.162 via 109.91.76.1 dev eth0.2
85.17.28.145 via 109.91.76.1 dev eth0.2
109.91.76.0/22 dev eth0.2 proto kernel scope link src 109.91.78.187
128.0.0.0/1 via 10.3.5.1 dev tun0
128.0.0.0/1 via 10.0.80.2 dev tun1
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
0: from all lookup local
32760: from all fwmark 0x30000 lookup 203
32761: from all fwmark 0x20000 lookup 202
32762: from all fwmark 0x10000 lookup 201
32766: from all lookup main
32767: from all lookup default
default via 109.91.76.1 dev eth0.2 table 201
default via 10.3.5.252 dev tun0 table 202
default via 10.0.80.248 dev tun1 table 203
0.0.0.0/1 via 10.3.5.1 dev tun0
0.0.0.0/1 via 10.0.80.2 dev tun1
default via 109.91.76.1 dev eth0.2 proto static src 109.91.78.187
10.0.80.0/24 dev tun1 proto kernel scope link src 10.0.80.248
10.3.5.0/24 dev tun0 proto kernel scope link src 10.3.5.252
82.199.134.162 via 109.91.76.1 dev eth0.2
85.17.28.145 via 109.91.76.1 dev eth0.2
109.91.76.0/22 dev eth0.2 proto kernel scope link src 109.91.78.187
128.0.0.0/1 via 10.3.5.1 dev tun0
128.0.0.0/1 via 10.0.80.2 dev tun1
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
broadcast 10.0.80.0 dev tun1 table local proto kernel scope link src 10.0.80.248
local 10.0.80.248 dev tun1 table local proto kernel scope host src 10.0.80.248
broadcast 10.0.80.255 dev tun1 table local proto kernel scope link src 10.0.80.248
broadcast 10.3.5.0 dev tun0 table local proto kernel scope link src 10.3.5.252
local 10.3.5.252 dev tun0 table local proto kernel scope host src 10.3.5.252
broadcast 10.3.5.255 dev tun0 table local proto kernel scope link src 10.3.5.252
broadcast 109.91.76.0 dev eth0.2 table local proto kernel scope link src 109.91.78.187
local 109.91.78.187 dev eth0.2 table local proto kernel scope host src 109.91.78.187
broadcast 109.91.79.255 dev eth0.2 table local proto kernel scope link src 109.91.78.187
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.1.0 dev br-lan table local proto kernel scope link src 192.168.1.1
local 192.168.1.1 dev br-lan table local proto kernel scope host src 192.168.1.1
broadcast 192.168.1.255 dev br-lan table local proto kernel scope link src 192.168.1.1
I have removed "option proto 'none'" from both interfaces. Problem is still unchanged.
Gateway addresses don't seem right. They should be 10.3.5.1 and 10.0.80.2.
Try to delete these routes, add them manually with the correct gateways and try again.
If it works we can see what can be done to fix it permanently.
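The mismatch pointed out above (the per-tunnel policy tables 202 and 203 carrying a default route via the tunnel's own local address instead of the gateway that the 0.0.0.0/1 and 128.0.0.0/1 split already uses) is easy to check mechanically. The following is an added example, not code from this thread or from the VPN policy routing package: it parses the text of `ip -4 route; ip -4 route list table all`, compares each tunnel table's default gateway with the next hop of that tunnel's 0.0.0.0/1 route, and prints the `ip route replace` commands that would repair it. The two route samples are constructed from the figures quoted in the thread (before and after the manual fix); the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check that each policy-routing
# table's default gateway matches the tunnel peer OpenVPN pushed.
# Input is the text of `ip -4 route; ip -4 route list table all`.

# Constructed from the thread's "before" output: tables 202/203 point at the
# tunnel's own local address (10.3.5.252, 10.0.80.248) instead of the peer.
ROUTES_BROKEN='0.0.0.0/1 via 10.3.5.1 dev tun0
0.0.0.0/1 via 10.0.80.2 dev tun1
default via 109.91.76.1 dev eth0.2 proto static src 109.91.78.187
128.0.0.0/1 via 10.3.5.1 dev tun0
128.0.0.0/1 via 10.0.80.2 dev tun1
default via 109.91.76.1 dev eth0.2 table 201
default via 10.3.5.252 dev tun0 table 202
default via 10.0.80.248 dev tun1 table 203'

# Constructed from the thread's "after" output, once the routes were fixed.
ROUTES_FIXED='0.0.0.0/1 via 10.0.82.2 dev tun1
0.0.0.0/1 via 10.3.6.1 dev tun0
default via 109.91.76.1 dev eth0.2 proto static src 109.91.78.187
128.0.0.0/1 via 10.0.82.2 dev tun1
128.0.0.0/1 via 10.3.6.1 dev tun0
default via 109.91.76.1 dev eth0.2 table 201
default via 10.3.6.1 dev tun0 table 202
default via 10.0.82.2 dev tun1 table 203'

# Print "TABLE DEV PEER_GW ACTUAL_GW" for every policy table whose default
# gateway differs from the tunnel peer (sorted so the output is stable).
tunnel_gateway_mismatches() {
    printf '%s\n' "$1" | awk '
        # 0.0.0.0/1 is one half of the redirect-gateway split that OpenVPN
        # installs in the main table; its next hop is the tunnel peer.
        $1 == "0.0.0.0/1" && $2 == "via" && $4 == "dev" { peer[$5] = $3 }
        # "default via GW dev DEV table N": the policy table for that tunnel.
        $1 == "default" && $2 == "via" && $4 == "dev" && $6 == "table" {
            tbl[$5] = $7; gw[$5] = $3
        }
        END {
            for (d in tbl)
                if ((d in peer) && peer[d] != gw[d])
                    print tbl[d], d, peer[d], gw[d]
        }' | sort
}

# Exit 0 when every tunnel table is consistent, 1 (listing the offenders)
# otherwise.
check_tunnel_gateways() {
    out=$(tunnel_gateway_mismatches "$1")
    [ -n "$out" ] || return 0
    printf '%s\n' "$out"
    return 1
}

# Turn each mismatch into the `ip route replace` that repairs that table.
# Commands are printed, not executed, so they can be reviewed first.
tunnel_gateway_fix_commands() {
    tunnel_gateway_mismatches "$1" | while read -r tbl dev peer gw; do
        printf 'ip route replace default via %s dev %s table %s\n' \
            "$peer" "$dev" "$tbl"
    done
}

if check_tunnel_gateways "$ROUTES_BROKEN"; then
    echo "no mismatch found in the broken sample (unexpected)"
else
    tunnel_gateway_fix_commands "$ROUTES_BROKEN"
fi
```

On a live router the same check runs against real output with `check_tunnel_gateways "$(ip -4 route; ip -4 route list table all)"`; the printed `ip route replace` lines are the one-shot equivalent of the `ip ro del` / `ip ro add` pair used later in this thread, and the check is worth re-running after every tunnel reconnect, since the pushed gateway can change with the assigned tunnel address.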
root@OpenWrt:~# ip -4 addr; ip -4 route; ip -4 rule; ip -4 route list table all
.
.
.
default via 10.3.6.243 dev tun0 table 202
default via 10.0.82.23 dev tun1 table 203
0.0.0.0/1 via 10.0.82.2 dev tun1
0.0.0.0/1 via 10.3.6.1 dev tun0
root@OpenWrt:~# ip ro del default via 10.3.6.243 table 202
root@OpenWrt:~# ip ro add default via 10.3.6.1 table 202
root@OpenWrt:~# ip ro del default via 10.0.82.23 table 203
root@OpenWrt:~# ip ro add default via 10.0.82.2 table 203
After that:
root@OpenWrt:~# ip -4 addr; ip -4 route; ip -4 rule; ip -4 route list table all
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
7: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
valid_lft forever preferred_lft forever
9: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet 109.91.78.187/22 brd 109.91.79.255 scope global eth0.2
valid_lft forever preferred_lft forever
10: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
inet 10.3.6.243/24 brd 10.3.6.255 scope global tun0
valid_lft forever preferred_lft forever
11: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
inet 10.0.82.23/24 brd 10.0.82.255 scope global tun1
valid_lft forever preferred_lft forever
0.0.0.0/1 via 10.0.82.2 dev tun1
0.0.0.0/1 via 10.3.6.1 dev tun0
default via 109.91.76.1 dev eth0.2 proto static src 109.91.78.187
10.0.82.0/24 dev tun1 proto kernel scope link src 10.0.82.23
10.3.6.0/24 dev tun0 proto kernel scope link src 10.3.6.243
82.199.134.162 via 109.91.76.1 dev eth0.2
85.17.28.145 via 109.91.76.1 dev eth0.2
109.91.76.0/22 dev eth0.2 proto kernel scope link src 109.91.78.187
128.0.0.0/1 via 10.0.82.2 dev tun1
128.0.0.0/1 via 10.3.6.1 dev tun0
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
0: from all lookup local
32760: from all fwmark 0x30000 lookup 203
32761: from all fwmark 0x20000 lookup 202
32762: from all fwmark 0x10000 lookup 201
32766: from all lookup main
32767: from all lookup default
default via 109.91.76.1 dev eth0.2 table 201
default via 10.3.6.1 dev tun0 table 202
default via 10.0.82.2 dev tun1 table 203
0.0.0.0/1 via 10.0.82.2 dev tun1
0.0.0.0/1 via 10.3.6.1 dev tun0
default via 109.91.76.1 dev eth0.2 proto static src 109.91.78.187
10.0.82.0/24 dev tun1 proto kernel scope link src 10.0.82.23
10.3.6.0/24 dev tun0 proto kernel scope link src 10.3.6.243
82.199.134.162 via 109.91.76.1 dev eth0.2
85.17.28.145 via 109.91.76.1 dev eth0.2
109.91.76.0/22 dev eth0.2 proto kernel scope link src 109.91.78.187
128.0.0.0/1 via 10.0.82.2 dev tun1
128.0.0.0/1 via 10.3.6.1 dev tun0
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
broadcast 10.0.82.0 dev tun1 table local proto kernel scope link src 10.0.82.23
local 10.0.82.23 dev tun1 table local proto kernel scope host src 10.0.82.23
broadcast 10.0.82.255 dev tun1 table local proto kernel scope link src 10.0.82.23
broadcast 10.3.6.0 dev tun0 table local proto kernel scope link src 10.3.6.243
local 10.3.6.243 dev tun0 table local proto kernel scope host src 10.3.6.243
broadcast 10.3.6.255 dev tun0 table local proto kernel scope link src 10.3.6.243
broadcast 109.91.76.0 dev eth0.2 table local proto kernel scope link src 109.91.78.187
local 109.91.78.187 dev eth0.2 table local proto kernel scope host src 109.91.78.187
broadcast 109.91.79.255 dev eth0.2 table local proto kernel scope link src 109.91.78.187
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.1.0 dev br-lan table local proto kernel scope link src 192.168.1.1
local 192.168.1.1 dev br-lan table local proto kernel scope host src 192.168.1.1
broadcast 192.168.1.255 dev br-lan table local proto kernel scope link src 192.168.1.1
I still use this script with kmod-ipt-nat6 package:
cat << EOF > /etc/firewall.nat6
iptables-save --table="nat" \
| sed -e "/\s[DS]NAT\s/d" \
| ip6tables-restore --table="nat"
EOF
uci -q delete firewall.nat6
uci set firewall.nat6="include"
uci set firewall.nat6.path="/etc/firewall.nat6"
uci set firewall.nat6.reload="1"
uci commit firewall
service firewall restart
If PC1 and PC2 use Amsterdam1 IPv4, then I have a Basel1 IPv6 on both sides.
If PC1 and PC2 use Basel1 IPv4, then I have an Amsterdam1 IPv6 on both sides.
Does your VPN provider allocate some IPv6 addresses?
The way it is should work. Tables 203 and 202 have precedence over 201 and main, so if you successfully classify something into these tables it goes only to the specific VPN tunnel. Show us once again the policy routing status you had in the beginning.