Hub & Spoke OpenVPN / MPLS possible in OpenWrt?

Ahoy ahoy friends.
Currently I am working quite successfully on my setup. Now I'd like to connect the remote sites I have, my grandma's house as well as my second home in Brazil, with my hub router, the place where I am now.
That's how I want it to work.
By default the peers should receive an IP from the subnet for their tun interface. Furthermore, they should only be able to reach the advertised peer, so it's the hub.
For the creation of further routes the iBGP connection should be used, and the hub is acting as an iBGP route reflector.
This works quite okay so far, but unfortunately when I try to reach some destination on the spoke's side from the hub's side, it says something like "administratively prohibited."
That's the guide I have used; I have modified the client config a little in order to prevent the creation of a default route through the tunnel.
Is there a way to bind a client to a specific static address, like

Routes are being advertised through BGP, but ICMP traffic doesn't go through from server to client; from client to server it works!
When I do a ping instead of a traceroute to the connected spoke, it works.

Even so, when pinging a subnet connected to the spoke, the ping doesn't even go through the tunnel, so it doesn't reach the spoke at all.
Is there something like AllowedIPs in WireGuard on OpenVPN as well, in order to enable reachability to other subnets through the tunnel?

root@OpenWrt:~# tcpdump -i tun0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
20:11:37.474080 IP > ICMP echo request, id 26007, seq 18, length 64
20:11:38.474125 IP > ICMP echo request, id 26007, seq 19, length 64
20:11:39.474168 IP > ICMP echo request, id 26007, seq 20, length 64
20:11:40.474215 IP > ICMP echo request, id 26007, seq 21, length 64
20:11:41.474257 IP > ICMP echo request, id 26007, seq 22, length 64

OpenWrt# traceroute
traceroute to (, 30 hops max, 46 byte packets
 1 (  22.416 ms !C  26.838 ms !C  25.135 ms !C
traceroute to (, 30 hops max, 60 byte packets
 1  OpenWrt.lan (  0.164 ms  0.143 ms  0.176 ms
 2 (  16.433 ms !X  18.658 ms !X  18.967 ms !X

OpenWrt# show ip route
Codes: K - kernel route, C - connected, S - static, R - RIP,
       O - OSPF, I - IS-IS, B - BGP, P - PIM, A - Babel, N - NHRP,
       > - selected route, * - FIB route

K>* via, bonding-i0.1100, src
C>* is directly connected, Hub
B>* [20/0] via, tun0, 09:06:56
C>* is directly connected, lo
C>* is directly connected, bonding-i0
C>* is directly connected, lo
C>* is directly connected, eth4.110
C>* is directly connected, bonding-i0.320
C>* is directly connected, bonding-i0.340
C>* is directly connected, bonding-i0.2
O [110/10] is directly connected, bonding-i0.3, 09:17:03
C>* is directly connected, bonding-i0.3
C>* is directly connected, tun0
K * is directly connected, bonding-i0.1100
C>* is directly connected, bonding-i0.1100
B>* [20/0] via, tun0, 09:06:56
K * is directly connected, bonding-i0.2100
C>* is directly connected, bonding-i0.2100
C>* is directly connected, bonding-i0.200

server.conf (On the OpenWrt hub)

user nobody
group nogroup
dev tun
port 1194
proto udp
topology subnet
keepalive 10 60
push "dhcp-option DNS"
push "dhcp-option DOMAIN lan"
push "redirect-gateway def1"
push "persist-tun"
push "persist-key"

client.conf for the iBGP-enabled devices.

dev tun
remote 1194 udp
remote-cert-tls server

BGP config Hub:

! Zebra configuration saved from vty
!   2021/05/11 13:30:29
password topsecret
log syslog informational
router bgp 64511
 bgp router-id
 no bgp default ipv4-unicast
 redistribute connected
 neighbor remote-as 64510
 neighbor update-source lo0
 neighbor activate
 neighbor route-reflector-client
 neighbor fd48:48:48:48::2 remote-as 64510
 neighbor fd48:48:48:48::2 activate
 neighbor fd48:48:48:48::2 route-reflector-client

 address-family vpnv4
 network rd 64510:1 tag 0
 neighbor activate
 neighbor route-reflector-client
 address-family ipv6
 network fdfb:9584:eb33::/48
 redistribute connected
 neighbor fd48:48:48:48::2 activate
access-list FILTER-BGP-1 deny
access-list FILTER-BGP-1 permit any
access-list vty permit
access-list vty deny any
ip prefix-list DENY-TRUSTED seq 5 deny
route-map FILTER-BGP-1 deny 10
 match ip address prefix-list DENY-TRUSTED
line vty
 access-class vty

In the near future I'll receive an MPLS link as well for connecting with eBGP, in order to connect our lab in my ISP's network (my employer). I'd like to establish a VRF-based setup on my OpenWrt device to create separate instances for different interfaces and links on my OpenWrt device, or is OpenWrt not able to work with MPLS labels? Is there some extension to do so?

Thanks in advance.
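
OpenVPN's closest counterpart to WireGuard's AllowedIPs is a per-client `iroute` line in a `client-config-dir` file: the kernel route (here learned over iBGP) only gets the packet into tun0, and the server process still needs to know which client owns the destination. The checker below is an added example, not from this thread or from OpenVPN itself; it assumes `client-config-dir` is enabled and that each client's ccd file carries its `ifconfig-push` address, and it flags tun0 routes that no client's iroute covers.

```python
import ipaddress

# Constructed "show ip route" sample; addresses are placeholders (the post's were stripped).
SHOW_IP_ROUTE = """\
B>* 10.20.0.0/24 [20/0] via 10.8.0.2, tun0, 09:06:56
B>* 10.30.0.0/24 [20/0] via 10.8.0.3, tun0, 09:06:56
C>* 10.8.0.0/24 is directly connected, tun0
C>* 192.168.1.0/24 is directly connected, br-lan
"""
# Constructed client-config-dir files, keyed by client common name.
CCD = {
    "grandma": "ifconfig-push 10.8.0.2 255.255.255.0\niroute 10.20.0.0 255.255.255.0\n",
    "brazil": "ifconfig-push 10.8.0.3 255.255.255.0\n",  # no iroute for its LAN
}

def tun_routes(show_ip_route, ifname="tun0"):
    """(prefix, next hop) for every route that leaves via a next hop on ifname."""
    routes = []
    for f in (line.split() for line in show_ip_route.splitlines()):
        if "via" in f and f"{ifname}," in f:  # skips connected and other-interface routes
            nexthop = f[f.index("via") + 1].rstrip(",")
            routes.append((ipaddress.ip_network(f[1]), ipaddress.ip_address(nexthop)))
    return routes

def ccd_clients(ccd):
    """common name -> (pushed tunnel address, list of iroute networks)."""
    clients = {}
    for cn, text in ccd.items():
        addr, nets = None, []
        for f in (line.split() for line in text.splitlines()):
            if len(f) >= 2 and f[0] == "ifconfig-push":
                addr = ipaddress.ip_address(f[1])
            elif len(f) >= 3 and f[0] == "iroute":
                nets.append(ipaddress.ip_network(f"{f[1]}/{f[2]}"))
        clients[cn] = (addr, nets)
    return clients

def missing_iroutes(show_ip_route, ccd):
    """Prefixes routed into tun0 that no client's iroute claims, plus the fix line.
    OpenVPN forwards a packet from tun to a client only if the destination matches
    that client's tunnel address or one of its iroutes; otherwise it is dropped even
    though BGP installed a kernel route (the packet still shows up in tcpdump)."""
    clients = ccd_clients(ccd)
    problems = []
    for prefix, nexthop in tun_routes(show_ip_route):
        owner = next((cn for cn, (a, _) in clients.items() if a == nexthop), None)
        nets = clients[owner][1] if owner else []
        if not any(prefix.subnet_of(n) for n in nets):
            problems.append((str(prefix), owner, f"iroute {prefix.network_address} {prefix.netmask}"))
    return problems
```

The suggested `iroute` line goes into the ccd file of the client named in the result; the matching kernel route is already supplied by BGP in this setup, so no `route` directive is needed in server.conf.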

Well, I don't know what to say haha but it has fixed my issue :joy: Thanks a lot friend!!
