Hub & Spoke OpenVPN / MPLS possible in OpenWrt?

Ahoy ahoy friends.
Currently I am working quite successfully on my setup. Now I'd like to connect the remote sites I've got, my grandma's house as well as my second home in Brazil, with my hub router, the place where I am now.
This is how I want it to work:
By default the peers should receive an IP from the 192.168.8.0/24 subnet for their tun interface. Furthermore, they should only be able to reach the advertised peer, i.e. the hub, 192.168.8.1.
For the creation of further routes, the iBGP connection should be used, with the hub acting as an iBGP route reflector.
This works quite okay so far, but unfortunately when I try to reach some destination on the spoke's side from the hub's side, it says something like "administratively prohibited".
That's the guide I have used; I have modified the client config a little in order to prevent the creation of a default route through the tunnel.
Is there a way to bind a client to a specific static address, like 192.168.8.254?

Routes are being advertised through BGP, but ICMP traffic doesn't go through from server to client; from client to server it works!
EDIT:
When I do a ping instead of a traceroute to the connected spoke, it works.

Even so, when pinging a subnet connected to the spoke, the ping doesn't even go through the tunnel, so it doesn't reach the spoke at all.
Is there something like AllowedIPs in WireGuard on OpenVPN as well, in order to enable reachability to other subnets through the tunnel?

root@OpenWrt:~# tcpdump -i tun0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
20:11:37.474080 IP 192.168.8.1 > 192.168.165.1: ICMP echo request, id 26007, seq 18, length 64
20:11:38.474125 IP 192.168.8.1 > 192.168.165.1: ICMP echo request, id 26007, seq 19, length 64
20:11:39.474168 IP 192.168.8.1 > 192.168.165.1: ICMP echo request, id 26007, seq 20, length 64
20:11:40.474215 IP 192.168.8.1 > 192.168.165.1: ICMP echo request, id 26007, seq 21, length 64
20:11:41.474257 IP 192.168.8.1 > 192.168.165.1: ICMP echo request, id 26007, seq 22, length 64

OpenWrt# traceroute 192.168.8.2
traceroute to 192.168.8.2 (192.168.8.2), 30 hops max, 46 byte packets
 1  192.168.8.2 (192.168.8.2)  22.416 ms !C  26.838 ms !C  25.135 ms !C
traceroute to 192.168.8.2 (192.168.8.2), 30 hops max, 60 byte packets
 1  OpenWrt.lan (192.168.3.1)  0.164 ms  0.143 ms  0.176 ms
 2  192.168.8.2 (192.168.8.2)  16.433 ms !X  18.658 ms !X  18.967 ms !X

OpenWrt# show ip route
Codes: K - kernel route, C - connected, S - static, R - RIP,
       O - OSPF, I - IS-IS, B - BGP, P - PIM, A - Babel, N - NHRP,
       > - selected route, * - FIB route

K>* 0.0.0.0/0 via 192.168.154.1, bonding-i0.1100, src 192.168.154.2
C>* 10.0.0.0/24 is directly connected, Hub
B>* 10.8.0.0/24 [20/0] via 192.168.8.2, tun0, 09:06:56
C>* 10.10.10.10/32 is directly connected, lo
C>* 10.192.0.1/32 is directly connected, bonding-i0
C>* 127.0.0.0/8 is directly connected, lo
C>* 172.20.32.0/19 is directly connected, eth4.110
C>* 172.20.192.0/19 is directly connected, bonding-i0.320
C>* 172.20.224.0/19 is directly connected, bonding-i0.340
C>* 192.168.2.0/24 is directly connected, bonding-i0.2
O   192.168.3.0/24 [110/10] is directly connected, bonding-i0.3, 09:17:03
C>* 192.168.3.0/24 is directly connected, bonding-i0.3
C>* 192.168.8.0/24 is directly connected, tun0
K * 192.168.154.0/24 is directly connected, bonding-i0.1100
C>* 192.168.154.0/24 is directly connected, bonding-i0.1100
B>* 192.168.165.0/24 [20/0] via 192.168.8.2, tun0, 09:06:56
K * 192.168.178.0/24 is directly connected, bonding-i0.2100
C>* 192.168.178.0/24 is directly connected, bonding-i0.2100
C>* 192.168.200.0/24 is directly connected, bonding-i0.200

server.conf (On the OpenWrt hub)

user nobody
group nogroup
dev tun
port 1194
proto udp
server 192.168.8.0 255.255.255.0
topology subnet
client-to-client
keepalive 10 60
persist-tun
persist-key
push "dhcp-option DNS 192.168.8.1"
push "dhcp-option DOMAIN lan"
push "redirect-gateway def1"
push "persist-tun"
push "persist-key"

client.conf for the iBGP enabled devices.


dev tun
nobind
client
remote unix-supremacy.org 1194 udp
auth-nocache
remote-cert-tls server

BGP config Hub:

!
! Zebra configuration saved from vty
!   2021/05/11 13:30:29
!
password topsecret
log syslog informational
!
router bgp 64511
 bgp router-id 10.10.10.10
 no bgp default ipv4-unicast
 redistribute connected
 neighbor 192.168.8.2 remote-as 64510
 neighbor 192.168.8.2 update-source lo0
 neighbor 192.168.8.2 activate
 neighbor 192.168.8.2 route-reflector-client
 neighbor fd48:48:48:48::2 remote-as 64510
 neighbor fd48:48:48:48::2 activate
 neighbor fd48:48:48:48::2 route-reflector-client

!
 address-family vpnv4
 network 172.20.64.0/24 rd 64510:1 tag 0
 neighbor 192.168.8.2 activate
 neighbor 192.168.8.2 route-reflector-client
 exit-address-family
!
 address-family ipv6
 network fdfb:9584:eb33::/48
 redistribute connected
 neighbor fd48:48:48:48::2 activate
 exit-address-family
 exit
!
access-list FILTER-BGP-1 deny 192.168.3.0/24
access-list FILTER-BGP-1 permit any
access-list vty permit 127.0.0.0/8
access-list vty deny any
!
ip prefix-list DENY-TRUSTED seq 5 deny 192.168.3.0/24
!
route-map FILTER-BGP-1 deny 10
 match ip address prefix-list DENY-TRUSTED
!
line vty
 access-class vty
!

In the near future I'll receive an MPLS link as well, for connecting with eBGP in order to connect our lab in my ISP's network (my employer). I'd like to establish a VRF-based setup on my OpenWrt device to create separate instances for different interfaces and links on my OpenWrt device. Or is OpenWrt not able to work with MPLS labels? Is there some extension to do so?

Thanks in advance.

https://openwrt.org/docs/guide-user/services/vpn/openvpn/extras#site-to-site
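What the linked site-to-site section boils down to, as an added example that is neither the thread's own config nor the guide's code: the BGP route already pushes the echo requests onto tun0 (the tcpdump above shows them leaving the hub), but an OpenVPN server in tun mode only forwards a packet to a client whose tunnel address, or an `iroute` prefix declared in that client's client-config-dir file, matches the destination. Without the `iroute`, packets for 192.168.165.0/24 are dropped inside the OpenVPN process and never reach the spoke. The same per-client file is where `ifconfig-push` pins a static tunnel address such as 192.168.8.254. The script below generates those entries in POSIX sh (BusyBox on OpenWrt runs it unchanged); the spoke CN `spoke-brazil`, the uci section name `myvpn`, and the assumption that the first firewall zone section is the lan zone are all mine, not from the thread.

```shell
#!/bin/sh
# Added example: server-side OpenVPN entries for one hub-and-spoke spoke.
# Assumed names: client CN "spoke-brazil", static tunnel IP 192.168.8.254,
# spoke LAN 192.168.165.0/24 (the prefix visible in the thread's BGP table).

# client-config-dir location; overridable so the script can be exercised off-box.
CCD_DIR="${CCD_DIR:-/etc/openvpn/ccd}"

# spoke_ccd <CN> <tun-ip> <lan-net> <lan-mask>
# Per-client file contents. With "topology subnet" the second ifconfig-push
# argument is the tunnel netmask. iroute tells OpenVPN's internal router which
# client owns the LAN prefix; the kernel route alone is not enough.
spoke_ccd() {
  printf 'ifconfig-push %s 255.255.255.0\n' "$2"
  printf 'iroute %s %s\n' "$3" "$4"
}

# server_directives <lan-net> <lan-mask>
# Lines to add to server.conf: enable the ccd directory and add the kernel
# route into tun0 (BGP already supplies that route here, but "route" is what
# the guide uses when no routing daemon is involved).
server_directives() {
  printf 'client-config-dir %s\n' "$CCD_DIR"
  printf 'route %s %s\n' "$1" "$2"
}

# write_spoke <CN> <tun-ip> <lan-net> <lan-mask>
# Materialise the ccd file; prints its path.
write_spoke() {
  mkdir -p "$CCD_DIR"
  spoke_ccd "$@" > "$CCD_DIR/$1"
  echo "$CCD_DIR/$1"
}

# uci_lines <lan-net> <lan-mask>
# The same server settings as /etc/config/openvpn options (uci maps option
# names to OpenVPN directives with "-" replaced by "_"), followed by the
# firewall change for the "administratively prohibited" replies: an unzoned
# tun0 falls under the wan zone's REJECT rules, so traceroute probes are
# answered with ICMP admin-prohibited while ICMP echo is still allowed.
# Run the firewall part on the spoke, whose firewall generated the reject.
uci_lines() {
  cat <<EOF
uci set openvpn.myvpn.client_config_dir='$CCD_DIR'
uci add_list openvpn.myvpn.route='$1 $2'
uci commit openvpn
uci add_list firewall.@zone[0].device='tun0'
uci commit firewall
EOF
}

# Usage: sh spoke.sh <CN> <tun-ip> <lan-net> <lan-mask>
if [ "$#" -eq 4 ]; then
  write_spoke "$@"
  server_directives "$3" "$4"
  uci_lines "$3" "$4"
fi
```

Two caveats worth keeping in mind: with `client-to-client`, other spokes only learn about this LAN if the hub also pushes `route 192.168.165.0 255.255.255.0` to them (or BGP carries it), and `iroute` must match the prefix exactly, so widen it if the spoke later advertises a larger block.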

Well, I don't know what to say haha, but it has fixed my issue :joy: Thanks a lot friend!!