I Installed OpenWrt to TP-Link MR6400 v1 device. I setup internet access successfully.
I installed OpenVPN with Luci support and I created client VPN connection to my server on the internet. I am able to ping from TP-link device to VPN server 10.8.0.1 .
I am not able to setup routing from private addresses 192.168.1.0/24 to VPN server 10.8.0.1.
I tried to setup new item in routing table in OpenWrt and route command shows:
10.8.0.0 * 255.255.255.0 U 0 0 0 tun0
and I also setup routing item on VPN server:
192.168.1.0 10.8.0.1 255.255.255.0 UG 0 0 0 tun0
but ping from LAN to VPN server is not functional.
How to setup routing from LAN through VPN client gateway to VPN server ?
I installed tcpdump on both sides of VPN channel - on TP-Link device and on internet server. tcpdump is listening on VPN's tun0 interface on both sides. I tried ping from TP-Link device with -I switch (defined source IP):
ping -I 192.168.1.1 10.8.0.1
and on internet server side I tried ping to TP-link's private address:
ping -I 10.8.0.1 192.168.1.1
I see in tcpdump output that packets are routed to VPN channel but they are not detected on opposite side of channel. It is the same for both directions TP-Link -> server, server -> TP-Link. It seems like VPN channel is not able to accept packets from different subnet than 10.8.0.0/24, maybe there is needed some special settings in Open VPN configuration ?
Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text
</> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have
ubus call system board; \
uci export network; uci export firewall; \
head -n -0 /etc/firewall.user; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru
The VPN tunnel needs to be in a firewall zone, and forwarding from LAN to that zone allowed.
To use symmetric routing, the VPN server must have a route back to your LAN, e.g. 192.168.1.0/24 via 10.8.0.2 installed at the server.
With a commercial VPN service, you generally can't install symmetric return routes on their server, so it is necessary to NAT your LAN into the VPN tunnel. That is done in the firewall, by enabling masquerade on the vpn zone.
Yes, I created interface based on tun0 device and put it to separate zone "vpn" on TP-Link (OpenWrt Firewall) and I allowed forwarding between zones lan->vpn and vpn->lan.
TP-Link LAN: 192.168.1.0/24 , VPN Client IP: 10.8.0.2 <=== VPN ===> VPN Server IP: 10.8.0.1
(Server contains only public IP and above VPN IP)
On the server I tried first ping to TP-Link device's IP on LAN interface
first with this item in routing table:
192.168.1.0 10.8.0.1 255.255.255.0 UG 0 0 0 tun0
and then I changed it to:
192.168.1.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0
In both cases I see on server's tcpdump that packet is outgoing through tun0 but on TP-Link's tcpdump I don't see incoming packets. You wrote that second one is right, but still it is not functional.
It looks like firewall issue, have you configured forward from lan to vpn?
Yes, forwarding lan->vpn and vpn->lan is set. Maybe it needs special settings in advanced configuration ?
I can ping from PC on the lan
192.168.1.11 to client VPN interface
OK, 'client VPN interface 10.8.0.2' does not matter, it is IP of router itself, although another interface.
Give sections from /etc/config/firewall for vpn zone, and corresponding forwardings.
option name 'vpn'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'tun'
option masq_allow_invalid '1'
list device 'tun0'
list subnet '10.8.0.0/24'
option src 'vpn'
option dest 'lan'
option src 'lan'
option dest 'vpn'
Remove all of these. With the newer
list device syntax, it is unnecessary to create an "unmanaged" network to link the VPN into the firewall. So also remove the
tun network definition from /etc/config/network. OpenVPN will handle instantiating and configuring the tun0 device.
On the server, a client config directory should be used to make OpenVPN aware of the remote LAN. OpenVPN will then install routes directly as the client connects.
Ok, I stopped VPN and removed vpn interface created by me. I also removed vpn firewall zone and created new one vpn zone based on "Covered subnets" option with value
I created again forwardings lan->vpn and vpn->lan like on above image and started VPN.
Pings from LAN to VPN server are not functional.
tcpdump -i tun0 I see packets going into tun0 interface but on VPN server's
tcpdump -i tun0 no packet comes.
Only pings from TP-Link to VPN server and vice versa are functional.
Add masquerading, see section for wan.
Thanks, when I setup masquerading I can ping from LAN to VPN server.
But I need routable subnets LAN/VPN. All hosts on VPN need to have access to all hosts on the LAN and vice versa, like on attached topology. I found that OpenVpn has option for one-to-one NAT and I successfully tried it, so VPN can map private addresses from 192.168.1.X to 10.8.0.X. A bit problem is that every host on 192.168.1.0 needs separate VPN channel to server and static LAN's IPs must be synced with IPs assigned by VPN server but better than nothing.
Still I am thinking why client VPN's subnet is not normally routable like another subnet on ethernet interface ? Is it property of VPN product or Linux network architecture ?
internet server with VPN server
LAN TL-Link with VPN client
+-----------------------+ +-----------------+ PC connected to internet
PC1 (192.168.1.11/24) --+---|-lan,192.168.1.1/24 | | | +--------------_-+
| | | | | | |
PC2 (192.168.1.12/24) --+ | tun0, 10.8.0.2 -|-- VPN --|- tun0,10.8.0.1 -|--VPN--|- tun0,10.8.0.3 |
| | | | | |
| wan, 184.108.40.206 | | eth0, 220.127.116.11 | +----------------+
+-----------------------+ +-----------------+ |
| | |
| | |
+-------- internet ----------+------- internet ------+
I've never used that firewall option. I wonder if it is actually breaking things by not allowing 192.168.1.0 IPs to travel in the vpn. As I said before, remove that line.
This use case will not require any NAT. If all your IP subnets are independent you can use plain symmetric routing.
You wrote: "The VPN tunnel needs to be in a firewall zone..."
and that option is needed to define vpn zone for firewall. Result is the same when I define zone by device "tun0".
When I remove forwardings lan->vpn/vpn->lan from firewall then I receive destination unreachable when pinging from LAN..
I did not try it with desktop Linux, maybe it is a bit different than in OpenWrt case and desktop is able to route from LAN to VPN's subnet... but I need to use small device in this case.
So the best solution I found with OpenWrt is that I need to setup above forwardings plus I need to setup 1:1 NAT mapping in OpenVPN client configuration. Ideal solution should be without such mapping. (or without firewall's NAT like written by @ulmwind)
@ulmwind Thank you very much, I found only short info about OpenVPN internal routing table in OpenVPN options help and not able to find more about that, so it can help I am going to try it.
Great ! I tried it, I can use one OpenVPN channel for whole LAN.
Thank you @ulmwind and @mk24 for your help.
This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.