Ahoy ahoy friends.
Currently I am working quite successfully on my setup. Now I'd like to connect the remote sites I've got, my grandma's house as well as my second home in Brazil, with my hub router, the place where I am now.
That's how I want it to work.
By default the peers should receive an IP from the 192.168.8.0/24 subnet for their tun interface. Furthermore, they should only be able to reach the advertised peer, so it's the hub, 192.168.8.1.
For the creation of further routes the iBGP connection should be used, and the hub is acting as an iBGP route reflector.
This works quite okay so far, but unfortunately when I try to reach some destination on the spoke's side from the hub's side, it says something like "administratively prohibited."
That's the guide I have used; I have modified the client config a little, in order to prevent the creation of a default route through the tunnel.
Is there a way to bind a client to a specific static address, like 192.168.8.254?
Routes are being advertised through BGP, but ICMP traffic doesn't go through from server to client; from client to server it works!
When I do a ping instead of a traceroute to the connected spoke, it works.
Even so, when pinging a subnet connected to the spoke, the ping doesn't even go through the tunnel, so it doesn't reach the spoke at all.
Is there something like AllowedIPs in WireGuard on OpenVPN as well, in order to enable reachability to other subnets through the tunnel?
```
root@OpenWrt:~# tcpdump -i tun0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
20:11:37.474080 IP 192.168.8.1 > 192.168.165.1: ICMP echo request, id 26007, seq 18, length 64
20:11:38.474125 IP 192.168.8.1 > 192.168.165.1: ICMP echo request, id 26007, seq 19, length 64
20:11:39.474168 IP 192.168.8.1 > 192.168.165.1: ICMP echo request, id 26007, seq 20, length 64
20:11:40.474215 IP 192.168.8.1 > 192.168.165.1: ICMP echo request, id 26007, seq 21, length 64
20:11:41.474257 IP 192.168.8.1 > 192.168.165.1: ICMP echo request, id 26007, seq 22, length 64
```

```
OpenWrt# traceroute 192.168.8.2
traceroute to 192.168.8.2 (192.168.8.2), 30 hops max, 46 byte packets
 1  192.168.8.2 (192.168.8.2)  22.416 ms !C  26.838 ms !C  25.135 ms !C
```

```
traceroute to 192.168.8.2 (192.168.8.2), 30 hops max, 60 byte packets
 1  OpenWrt.lan (192.168.3.1)  0.164 ms  0.143 ms  0.176 ms
 2  192.168.8.2 (192.168.8.2)  16.433 ms !X  18.658 ms !X  18.967 ms !X
```

```
OpenWrt# show ip route
Codes: K - kernel route, C - connected, S - static, R - RIP,
       O - OSPF, I - IS-IS, B - BGP, P - PIM, A - Babel, N - NHRP,
       > - selected route, * - FIB route

K>* 0.0.0.0/0 via 192.168.154.1, bonding-i0.1100, src 192.168.154.2
C>* 10.0.0.0/24 is directly connected, Hub
B>* 10.8.0.0/24 [20/0] via 192.168.8.2, tun0, 09:06:56
C>* 10.10.10.10/32 is directly connected, lo
C>* 10.192.0.1/32 is directly connected, bonding-i0
C>* 127.0.0.0/8 is directly connected, lo
C>* 172.20.32.0/19 is directly connected, eth4.110
C>* 172.20.192.0/19 is directly connected, bonding-i0.320
C>* 172.20.224.0/19 is directly connected, bonding-i0.340
C>* 192.168.2.0/24 is directly connected, bonding-i0.2
O   192.168.3.0/24 [110/10] is directly connected, bonding-i0.3, 09:17:03
C>* 192.168.3.0/24 is directly connected, bonding-i0.3
C>* 192.168.8.0/24 is directly connected, tun0
K * 192.168.154.0/24 is directly connected, bonding-i0.1100
C>* 192.168.154.0/24 is directly connected, bonding-i0.1100
B>* 192.168.165.0/24 [20/0] via 192.168.8.2, tun0, 09:06:56
K * 192.168.178.0/24 is directly connected, bonding-i0.2100
C>* 192.168.178.0/24 is directly connected, bonding-i0.2100
C>* 192.168.200.0/24 is directly connected, bonding-i0.200
```
server.conf (On the OpenWrt hub)
```
user nobody
group nogroup
dev tun
port 1194
proto udp
server 192.168.8.0 255.255.255.0
topology subnet
client-to-client
keepalive 10 60
persist-tun
persist-key
push "dhcp-option DNS 192.168.8.1"
push "dhcp-option DOMAIN lan"
push "redirect-gateway def1"
push "persist-tun"
push "persist-key"
```
client.conf for the iBGP-enabled devices:

```
dev tun
nobind
client
remote unix-supremacy.org 1194 udp
auth-nocache
remote-cert-tls server
```
BGP config Hub:
```
!
! Zebra configuration saved from vty
!   2021/05/11 13:30:29
!
password topsecret
log syslog informational
!
router bgp 64511
 bgp router-id 10.10.10.10
 no bgp default ipv4-unicast
 redistribute connected
 neighbor 192.168.8.2 remote-as 64510
 neighbor 192.168.8.2 update-source lo0
 neighbor 192.168.8.2 activate
 neighbor 192.168.8.2 route-reflector-client
 neighbor fd48:48:48:48::2 remote-as 64510
 neighbor fd48:48:48:48::2 activate
 neighbor fd48:48:48:48::2 route-reflector-client
 !
 address-family vpnv4
  network 172.20.64.0/24 rd 64510:1 tag 0
  neighbor 192.168.8.2 activate
  neighbor 192.168.8.2 route-reflector-client
 exit-address-family
 !
 address-family ipv6
  network fdfb:9584:eb33::/48
  redistribute connected
  neighbor fd48:48:48:48::2 activate
 exit-address-family
exit
!
access-list FILTER-BGP-1 deny 192.168.3.0/24
access-list FILTER-BGP-1 permit any
access-list vty permit 127.0.0.0/8
access-list vty deny any
!
ip prefix-list DENY-TRUSTED seq 5 deny 192.168.3.0/24
!
route-map FILTER-BGP-1 deny 10
 match ip address prefix-list DENY-TRUSTED
!
line vty
 access-class vty
!
```
In the near future I'll receive an MPLS link as well for connecting with eBGP, in order to connect our lab in my ISP's network (my employer). I'd like to establish a VRF-based setup on my OpenWrt device to create separate instances for different interfaces and links on my OpenWrt device, or is OpenWrt not able to work with MPLS labels? Is there some extension to do so?
Thanks in advance.
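Added example (not part of the post above, and not the poster's configuration): the two questions in the post, pinning a client to a fixed tunnel address and telling OpenVPN which client owns a remote subnet, are both answered on the server side by a per-client file in `client-config-dir` using the real OpenVPN directives `ifconfig-push` and `iroute`. The kernel route from the post's `show ip route` (192.168.165.0/24 via 192.168.8.2 on tun0) only gets packets as far as tun0; without an `iroute`, the OpenVPN process has no idea which connected client should receive them and drops them, which is consistent with the tcpdump in the post showing echo requests leaving tun0 with no reply. The client CN `grandma-spoke` and the scratch directory are assumptions; the subnet 192.168.165.0/24 and the address 192.168.8.254 come from the post.

```shell
#!/bin/sh
# Added example: generate the server-side OpenVPN pieces that pin a spoke to a
# fixed tunnel address and map a remote LAN to that spoke, then sanity-check
# that every iroute has a matching route. CCD_DIR is a scratch location here,
# not OpenWrt's real /etc/openvpn (assumption).
set -eu

CCD_DIR="${CCD_DIR:-$(mktemp -d)}"

# ccd_entry CN TUN_IP LAN_NET LAN_MASK
# Prints the per-client file OpenVPN reads from client-config-dir when a client
# whose certificate CN equals CN connects.
ccd_entry() {
    cn=$1; tun_ip=$2; lan_net=$3; lan_mask=$4
    # With "topology subnet" the second argument of ifconfig-push is the netmask.
    printf 'ifconfig-push %s 255.255.255.0\n' "$tun_ip"
    # iroute is OpenVPN's internal routing table: "LAN_NET lives behind this client".
    printf 'iroute %s %s\n' "$lan_net" "$lan_mask"
}

# server_lines LAN_NET LAN_MASK
# Prints the matching server.conf additions. "route" installs the kernel route
# into tun0; where BGP already installs it (as in the post), only iroute is new.
server_lines() {
    printf 'client-config-dir %s\n' "$CCD_DIR"
    printf 'route %s %s\n' "$1" "$2"
}

# write_config CN TUN_IP LAN_NET LAN_MASK
# Writes the ccd file named after the CN and the server additions next to it.
write_config() {
    mkdir -p "$CCD_DIR"
    ccd_entry "$@" > "$CCD_DIR/$1"
    server_lines "$3" "$4" > "$CCD_DIR/server-additions.conf"
}

# check_iroutes: returns 1 if any iroute in a ccd file has no matching server
# "route" line (a common cause of one-way reachability when BGP is not used).
check_iroutes() {
    for f in "$CCD_DIR"/*; do
        case "$f" in *.conf) continue ;; esac
        awk '$1=="iroute"{print $2, $3}' "$f" | while read -r net mask; do
            grep -q "^route $net $mask\$" "$CCD_DIR/server-additions.conf" || exit 1
        done || return 1
    done
}

# Usage with the values from the post (CN is an assumed name):
write_config grandma-spoke 192.168.8.254 192.168.165.0 255.255.255.0
check_iroutes && echo "ccd in $CCD_DIR is consistent"
cat "$CCD_DIR/grandma-spoke" "$CCD_DIR/server-additions.conf"
```

On OpenWrt the ccd directory would sit under `/etc/openvpn/` and be referenced by an absolute path in server.conf. One related point for the stated goal that spokes may only reach the hub: the `client-to-client` directive in the posted server.conf makes OpenVPN forward traffic between connected clients inside the process, bypassing the hub's kernel firewall; dropping it forces spoke-to-spoke traffic through tun0 where the OpenWrt firewall zones can allow or reject it.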