How to set routing to OpenVPN interface

I Installed OpenWrt to TP-Link MR6400 v1 device. I setup internet access successfully.
I installed OpenVPN with Luci support and I created client VPN connection to my server on the internet. I am able to ping from TP-link device to VPN server .

I am not able to setup routing from private addresses to VPN server
I tried to setup new item in routing table in OpenWrt and route command shows:        *        U     0      0        0 tun0

and I also setup routing item on VPN server:   UG    0      0        0 tun0

but ping from LAN to VPN server is not functional.

How to setup routing from LAN through VPN client gateway to VPN server ?

Additional info:
I installed tcpdump on both sides of VPN channel - on TP-Link device and on internet server. tcpdump is listening on VPN's tun0 interface on both sides. I tried ping from TP-Link device with -I switch (defined source IP):

ping -I

and on internet server side I tried ping to TP-link's private address:

ping -I

I see in tcpdump output that packets are routed to VPN channel but they are not detected on opposite side of channel. It is the same for both directions TP-Link -> server, server -> TP-Link. It seems like VPN channel is not able to accept packets from different subnet than, maybe there is needed some special settings in Open VPN configuration ?

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
uci export network; uci export firewall; \
head -n -0 /etc/firewall.user; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru

The VPN tunnel needs to be in a firewall zone, and forwarding from LAN to that zone allowed.

To use symmetric routing, the VPN server must have a route back to your LAN, e.g. via installed at the server.

With a commercial VPN service, you generally can't install symmetric return routes on their server, so it is necessary to NAT your LAN into the VPN tunnel. That is done in the firewall, by enabling masquerade on the vpn zone.

1 Like

Yes, I created interface based on tun0 device and put it to separate zone "vpn" on TP-Link (OpenWrt Firewall) and I allowed forwarding between zones lan->vpn and vpn->lan.
My topology:

TP-Link LAN: , VPN Client IP:  <=== VPN ===> VPN Server IP:
(Server contains only public IP and above VPN IP)

On the server I tried first ping to TP-Link device's IP on LAN interface


first with this item in routing table:   UG    0      0        0 tun0

and then I changed it to:   UG    0      0        0 tun0

In both cases I see on server's tcpdump that packet is outgoing through tun0 but on TP-Link's tcpdump I don't see incoming packets. You wrote that second one is right, but still it is not functional.

It looks like firewall issue, have you configured forward from lan to vpn?

Yes, forwarding lan->vpn and vpn->lan is set. Maybe it needs special settings in advanced configuration ?

I can ping from PC on the lan to client VPN interface

OK, 'client VPN interface' does not matter, it is IP of router itself, although another interface.

Give sections from /etc/config/firewall for vpn zone, and corresponding forwardings.

config zone
        option name 'vpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'tun'
        option masq_allow_invalid '1'
        list device 'tun0'
        list subnet ''
config forwarding
        option src 'vpn'
        option dest 'lan'

config forwarding
        option src 'lan'
        option dest 'vpn'

Remove all of these. With the newer list device syntax, it is unnecessary to create an "unmanaged" network to link the VPN into the firewall. So also remove the tun network definition from /etc/config/network. OpenVPN will handle instantiating and configuring the tun0 device.

On the server, a client config directory should be used to make OpenVPN aware of the remote LAN. OpenVPN will then install routes directly as the client connects.

Ok, I stopped VPN and removed vpn interface created by me. I also removed vpn firewall zone and created new one vpn zone based on "Covered subnets" option with value
I created again forwardings lan->vpn and vpn->lan like on above image and started VPN.
Pings from LAN to VPN server are not functional.
On TP-Link's tcpdump -i tun0 I see packets going into tun0 interface but on VPN server's tcpdump -i tun0 no packet comes.
Only pings from TP-Link to VPN server and vice versa are functional.

Add masquerading, see section for wan.

1 Like

Thanks, when I setup masquerading I can ping from LAN to VPN server.

But I need routable subnets LAN/VPN. All hosts on VPN need to have access to all hosts on the LAN and vice versa, like on attached topology. I found that OpenVpn has option for one-to-one NAT and I successfully tried it, so VPN can map private addresses from 192.168.1.X to 10.8.0.X. A bit problem is that every host on needs separate VPN channel to server and static LAN's IPs must be synced with IPs assigned by VPN server but better than nothing.

Still I am thinking why client VPN's subnet is not normally routable like another subnet on ethernet interface ? Is it property of VPN product or Linux network architecture ?

                                                           internet server with VPN server
        LAN                   TL-Link with VPN client
                            +-----------------------+         +-----------------+     PC connected to internet
PC1 ( --+---|-lan,    |         |                 |       +--------------_-+
                        |   |                       |         |                 |       |                |
PC2 ( --+   |       tun0, -|-- VPN --|- tun0, -|--VPN--|- tun0, | 
                            |                       |         |                 |       |                |
                            |        wan,   |         |  eth0,  |       +----------------+
                            +-----------------------+         +-----------------+              |
                                          |                            |		               |
                                          |                            |		               |
                                          +-------- internet ----------+------- internet ------+

I've never used that firewall option. I wonder if it is actually breaking things by not allowing IPs to travel in the vpn. As I said before, remove that line.

This use case will not require any NAT. If all your IP subnets are independent you can use plain symmetric routing.

You wrote: "The VPN tunnel needs to be in a firewall zone..."

and that option is needed to define vpn zone for firewall. Result is the same when I define zone by device "tun0".
When I remove forwardings lan->vpn/vpn->lan from firewall then I receive destination unreachable when pinging from LAN..
I did not try it with desktop Linux, maybe it is a bit different than in OpenWrt case and desktop is able to route from LAN to VPN's subnet... but I need to use small device in this case.

So the best solution I found with OpenWrt is that I need to setup above forwardings plus I need to setup 1:1 NAT mapping in OpenVPN client configuration. Ideal solution should be without such mapping. (or without firewall's NAT like written by @ulmwind)

It is RoutedLans, iroute:

1 Like

@ulmwind Thank you very much, I found only short info about OpenVPN internal routing table in OpenVPN options help and not able to find more about that, so it can help I am going to try it.

Great ! I tried it, I can use one OpenVPN channel for whole LAN.

Thank you @ulmwind and @mk24 for your help.

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.