Interface excluded from VPN -> No Internet access when VPN Client is Connected

I am currently trying to get a router (Linksys WRT3200ACM / LEDE Reboot 17.01.4 r3560-79f57e422d) set up so that I can ship it off to a friend of mine. Requirements (among other things) are what you may expect from the title of the thread: Primary LAN -> VPN/WAN; Guest LAN -> WAN.

EDIT: It doesn't matter what interface I pick to exclude from the VPN. Whether it is the Guest or the LAN, clients connected to the interface which does not forward to the VPN are unable to access the internet.

There are several threads that are along the same lines of what I am trying to do, but none were of any help to my situation:

I have it set up with two SSIDs per radio, one for the Primary and another for Guest. There are no VLANs in place at this time (VLANs were disabled during troubleshooting). Feels like it should be a pretty simple setup.

Primary: 192.168.45.x / CC_Secure_02
Guest: 192.168.46.x / CC_Guest_02

Where I'm at:

  • Successful connection to the VPN provider (PrivateInternetAccess)
  • Successful routing of Primary LAN traffic through VPN
  • No internet access on the Guest LAN whenever the VPN is connected

Note: I have been testing internet connectivity from smartphone (Android 7.0 / Chrome).

Config files:

/etc/config/network
config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fddf:9527:7461::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.45.1'

config interface 'wan'
        option ifname 'eth1'
        option proto 'dhcp'
        option peerdns '0'
        option dns '8.8.8.8 8.8.4.4'

config interface 'wan6'
        option ifname 'eth1'
        option proto 'dhcpv6'
        option peerdns '0'
        option reqaddress 'try'
        option reqprefix 'auto'
        option dns '2001:4860:4860::8888 2001:4860:4860::8844'

config switch
        option name 'switch0'
        option reset '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 3 5'
        option vid '1'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '4 6'
        option vid '2'

config interface 'guest'
        option ifname 'guest'
        option proto 'static'
        option ipaddr '192.168.46.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option type 'bridge'

config interface 'vpn'
        option proto 'none'
        option ifname 'tun0'

/etc/config/firewall
config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option mtu_fix '1'
        option network 'wan wan6'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp udp'
        option src_dport 'WEB_PORT'
        option dest_ip '192.168.45.1'
        option dest_port '80'
        option name 'Allow-Admin-WAN'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport 'SSH_PORT'
        option dest_ip '192.168.45.1'
        option dest_port 'SSH_PORT'
        option name 'Allow-SSH-WAN'

config zone
        option network 'guest'
        option output 'ACCEPT'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option name 'guest'

config rule
        option name 'guestzone_DHCP'
        option target 'ACCEPT'
        option proto 'udp'
        option dest_port '67-68'
        option src 'guest'

config rule
        option name 'guestzone_DNS'
        option target 'ACCEPT'
        option proto 'tcp udp'
        option dest_port '53'
        option src 'guest'

config forwarding
        option dest 'wan'
        option src 'guest'

config zone
        option forward 'REJECT'
        option output 'ACCEPT'
        option name 'vpn'
        option input 'REJECT'
        option masq '1'
        option network 'vpn'

config forwarding
        option dest 'wan'
        option src 'vpn'

config forwarding
        option dest 'vpn'
        option src 'lan'

/etc/config/dhcp
config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option localservice '1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv6 'server'
        option ra 'server'
        option ra_management '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'

config dhcp 'guest'
        option interface 'guest'
        option start '100'
        option leasetime '12h'
        option limit '150'
        option dhcpv6 'server'
        option ra 'server'
        option ra_management '1'

/etc/config/wireless
config wifi-device 'radio0'
        option type 'mac80211'
        option channel '36'
        option hwmode '11a'
        option path 'soc/soc:pcie-controller/pci0000:00/0000:00:01.0/0000:01:00.0'
        option htmode 'VHT80'
        option country 'US'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'CC_Secure_02'
        option encryption 'psk2+ccmp'
        option key 'KEY_HIDDEN'

config wifi-device 'radio1'
        option type 'mac80211'
        option channel '11'
        option hwmode '11g'
        option path 'soc/soc:pcie-controller/pci0000:00/0000:00:02.0/0000:02:00.0'
        option htmode 'HT20'
        option country 'US'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'CC_Secure_02'
        option encryption 'psk2+ccmp'
        option key 'KEY_HIDDEN'

config wifi-device 'radio2'
        option type 'mac80211'
        option channel '36'
        option hwmode '11a'
        option path 'platform/soc/soc:internal-regs/f10d8000.sdhci/mmc_host/mmc0/mmc0:0001/mmc0:0
        option htmode 'VHT80'
        option disabled '1'

config wifi-iface 'default_radio2'
        option device 'radio2'
        option network 'lan'
        option mode 'ap'
        option ssid 'LEDE'
        option encryption 'none'

config wifi-iface
        option device 'radio0'
        option mode 'ap'
        option ssid 'CC_Guest_02'
        option network 'guest'
        option encryption 'psk2+ccmp'
        option key 'KEY_HIDDEN'

config wifi-iface
        option device 'radio1'
        option mode 'ap'
        option ssid 'CC_Guest_02'
        option network 'guest'
        option encryption 'psk2+ccmp'
        option key 'KEY_HIDDEN'

/etc/config/openvpn
config openvpn 'US_SeattleWA_AES_256_CBC_UDP'
        option dev 'tun0'
        option nobind '1'
        option verb '3'
        option comp_lzo 'yes'
        option persist_tun '1'
        option persist_key '1'
        option client '1'
        option remote 'us-seattle.privateinternetaccess.com'
        option auth_user_pass '/etc/openvpn/credentials.txt'
        option resolv_retry 'infinite'
        option proto 'udp'
        option tls_client '1'
        option mute_replay_warnings '1'
        option auth_nocache '1'
        option remote_cert_tls 'server'
        option enabled '1'
        option port '1197'
        option cipher 'AES-256-CBC'
        option crl_verify '/etc/openvpn/crl.rsa.4096.pem'
        option ca '/etc/openvpn/ca.rsa.4096.crt'
        option auth 'SHA256'

I apologize if the configs are all over the place, but I've been at this all day, pulling from all over the net trying to wrap up this part of the project.

The Guest Network is my next to last hurdle, with configuring DDNS as my last step. I am setting it up so that I can make changes remotely (in case there are issues), but I want it to arrive with a functional Guest Network that does not pass through the VPN.

Note: I plan to disable the Web_Admin port forwarding rule before I send this off, and will access remotely via SSH / encrypted key-pair.

I anticipate that certain PIA-incompatible services (e.g. Netflix/Hulu) will need to be accessed through the router, and my friend is not savvy enough to log in and turn the VPN on/off (nor would that really even help, as the VPN seems to turn itself back ON after I hit the "Stop" button... resolv_retry=infinite?).

Any help would be greatly appreciated. Thank you in advance for reading.


Why doesn't anyone answer? Is it because nobody cares or nobody knows the solution?

I'm guessing: The forum is busy and so most people haven't even seen the question as it rapidly sank down below other more active questions.

Since I'm not sure what you're doing here, can you tell me how it is that you're adjusting your routes to force traffic over the VPN?

I'm at a bit of loss as to what you're looking for help with... Guest -> WAN access?

  • Add options dns '8.8.8.8 8.8.4.4' to the guest interface in /etc/config/network
    • Currently, the guest network has no DNS server.

Generally speaking, wan should not be assigned a DNS address... that would go under lan, and any other interface you want internet access to/from.

There's nothing in the VPN config that would be blocking Guest -> WAN access while the router is connected to the VPN as a client. Easy enough to determine if it is:

  • Add a forwarding rule to allow Guest -> VPN access, connect to the VPN, then attempt accessing the internet via the Guest network.
    • If you can, there's a directive you can add to the VPN config to exclude the guest network, and it can be found in the OpenVPN man page.
    • If you can't, I'm not sure how to troubleshoot that.

Connect to the guest wifi and ping 8.8.8.8; that will bypass DNS issues and test connectivity.

I appreciate the responses. I was beginning to think I would have to slug this out on my own.

@dlakelan

can you tell me how it is that you’re adjusting your routes to force traffic over the VPN

The only thing I have intentionally done is mess with the firewall zone forwarding rules. LAN > VPN > WAN. Messed with that quite a bit, and now have it set up so that the "Guest" Network forwards to the VPN > WAN.

Pertaining to routing, I did try to attempt the directions on this page:

https://wiki.openwrt.org/doc/networking/routing

But I wanted to add the interface, as suggested by this post:

Which would not work. I am either not using the right names or I'm doing it completely wrong. The one time I did use a correct name, the response was something to the effect of, "that record/option already exists".

@JW0914

Add options dns '8.8.8.8 8.8.4.4' to the guest interface in /etc/config/network

I'll try this again, but when I was testing it before, it didn't make a difference. I believe that was a suggestion in one of the other threads I referenced. I added/removed DNS servers to every one of the interfaces to see if there was a magical combination that worked.

One thing I didn't realize when I was doing that was that "Masquerading" had to be enabled on all of the interfaces. So I will try adding the DNS server again.

Add a forwarding rule to allow Guest -> VPN access, connect to the VPN, then attempt accessing the internet via the Guest network.

Yes, I did do that before I came on here, and it did give me access to the net via the VPN tunnel.

If you can, there’s a directive you can add to the VPN config to exclude the guest network

I'll give that a thorough reading when I have a little more free time, as I couldn't find what you were referencing by searching the page for "exclude" or by scanning the page over quickly.

Here are my updated Config files:

/etc/config/network
config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fddf:9527:7461::/48'

config interface 'lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.45.1'
        option type 'bridge'
        option ifname 'eth0'
        option dns '8.8.8.8 8.8.4.4'

config interface 'wan'
        option ifname 'eth1'
        option proto 'dhcp'

config interface 'wan6'
        option ifname 'eth1'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 3 5'
        option vid '1'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '4 6'
        option vid '2'

config interface 'guest'
        option type 'bridge'
        option ifname 'guest'
        option proto 'static'
        option ipaddr '192.168.46.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'vpn'
        option proto 'none'
        option ifname 'tun0'

/etc/config/firewall
config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option network 'wan wan6'
        option masq '1'
        option mtu_fix '1'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp udp'
        option src_dport '9889'
        option dest_ip '192.168.45.1'
        option dest_port '80'
        option name 'Allow-Admin-WAN'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '8998'
        option dest_ip '192.168.45.1'
        option dest_port '8998'
        option name 'Allow-SSH-WAN'

config zone
        option network 'guest'
        option output 'ACCEPT'
        option name 'guest'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'

config rule
        option name 'guestzone_DHCP'
        option target 'ACCEPT'
        option proto 'udp'
        option dest_port '67-68'
        option src 'guest'

config rule
        option name 'guestzone_DNS'
        option target 'ACCEPT'
        option proto 'tcp udp'
        option dest_port '53'
        option src 'guest'

config zone
        option output 'ACCEPT'
        option name 'vpn'
        option network 'vpn'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'

config forwarding
        option dest 'wan'
        option src 'vpn'

config forwarding
        option dest 'wan'
        option src 'lan'

config forwarding
        option dest 'vpn'
        option src 'guest'

/etc/config/dhcp
config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option localservice '1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv6 'server'
        option ra 'server'
        option ra_management '1'
        list dhcp_option '6,8.8.8.8,8.8.4.4'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'

config dhcp 'guest'
        option interface 'guest'
        option start '100'
        option leasetime '12h'
        option limit '150'
        option dhcpv6 'server'
        option ra 'server'
        option ra_management '1'
        list dhcp_option '6,209.222.18.222,209.222.18.218'

/etc/config/wireless
config wifi-device 'radio0'
        option type 'mac80211'
        option hwmode '11a'
        option path 'soc/soc:pcie-controller/pci0000:00/0000:00:01.0/0000:01:00.0'
        option htmode 'VHT80'
        option country 'US'
        option channel '100'
        option isolate '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option mode 'ap'
        option ssid 'CC_Secure_02'
        option encryption 'psk2+ccmp'
        option key 'REDACTED'
        option network 'lan'
        option isolate '0'

config wifi-device 'radio1'
        option type 'mac80211'
        option hwmode '11g'
        option path 'soc/soc:pcie-controller/pci0000:00/0000:00:02.0/0000:02:00.0'
        option htmode 'HT20'
        option country 'US'
        option channel '7'
        option isolate '0'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option mode 'ap'
        option ssid 'CC_Secure_02'
        option encryption 'psk2+ccmp'
        option key 'REDACTED'
        option network 'lan'
        option isolate '0'

config wifi-device 'radio2'
        option type 'mac80211'
        option channel '36'
        option hwmode '11a'
        option path 'platform/soc/soc:internal-regs/f10d8000.sdhci/mmc_host/mmc0/mmc0:0001/mmc0:0001:1'
        option htmode 'VHT80'
        option disabled '1'
        option isolate '0'

config wifi-iface 'default_radio2'
        option device 'radio2'
        option mode 'ap'
        option ssid 'LEDE'
        option encryption 'none'
        option isolate '0'

config wifi-iface
        option device 'radio0'
        option mode 'ap'
        option ssid 'CC_Guest_02'
        option network 'guest'
        option encryption 'psk2+ccmp'
        option key 'REDACTED'
        option isolate '0'

config wifi-iface
        option device 'radio1'
        option mode 'ap'
        option ssid 'CC_Guest_02'
        option network 'guest'
        option encryption 'psk2+ccmp'
        option key 'REDACTED'
        option isolate '0'

@JW0914

I believe you meant to write "option" (singular), correct?

Add options dns '8.8.8.8 8.8.4.4' to the guest interface in /etc/config/network

If not, I am definitely doing it wrong :wink:

EDIT:

Connecting to the interface not currently forwarding to the VPN (the LAN iface), and then trying to ping 8.8.8.8 results in "Reply from 192.168.45.1: Destination port unreachable."

Which was referenced in this post in one of the threads I sourced in my first post:

So DNS resolution isn't working, despite the option being set.

EDIT2:

Kind of interesting... the option dns 'x.x.x.x' directive wasn't passing to the connected client. Upon further investigation, I also discovered I had some DHCP DNS setting held over from the previous configuration (LAN > VPN > WAN) that I removed/updated. I had to set the DNS server with the "6" flag in /etc/config/dhcp to get it to pass the DNS servers on to the client.

Still no luck. Updated my configs to reflect current state.

EDIT3:

Because this router I am testing is downstream from another router (and therefore not directly connected to the ISP's WAN), I messed with a few more settings. Namely, I unset the flag on the WAN/WAN6 to "Use DNS servers advertised by peer".

I think I'm going to have to look into the routing angle more. With the VPN turned off, I had access to the internet. I think trying to chase this DNS angle is a waste of time.


You have a situation such that when the VPN is up, you want packets coming from the main LAN to go via VPN, and packets coming from the guest LAN to go via WAN.

Routing based on where a packet comes from is called policy routing, and you'll have to figure out how to set that up. Read up on it a bit. I'm not sure what the UCI settings are for policy routes (or if UCI even handles this), but I can tell you how to set them up with the "ip" command... read up to see if you can find any documentation on UCI config for policy routing.
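The policy routing the reply above describes, as an added example that is not part of the thread: a POSIX sh script for the router that gives the guest subnet from this thread (192.168.46.0/24) its own routing table whose default route is the physical WAN gateway, while the primary LAN keeps using the main table that a pushed redirect-gateway points at tun0. The bridge names br-guest/br-lan, the table number 100 and the rule priority are assumptions; the WAN ifname eth1 and the two subnets come from the configs posted above.

```shell
#!/bin/sh
# Source-based policy routing for the setup in this thread: the primary LAN
# (192.168.45.0/24) keeps following the main table, which OpenVPN points at tun0,
# while the guest LAN (192.168.46.0/24) is sent to its own table whose default
# route is the physical WAN gateway. Added example; not from the thread.
# ASSUMPTIONS: bridge names br-lan/br-guest, WAN on eth1, free table number 100.

GUEST_NET="192.168.46.0/24"         # guest subnet (from the thread)
LAN_NET="192.168.45.0/24"           # primary LAN subnet (from the thread)
GUEST_IF="${GUEST_IF:-br-guest}"    # assumption: bridge netifd builds for 'guest'
LAN_IF="${LAN_IF:-br-lan}"          # assumption: bridge netifd builds for 'lan'
WAN_IF="${WAN_IF:-eth1}"            # WAN ifname from /etc/config/network above
TABLE="${TABLE:-100}"               # assumption: routing table not otherwise used
PRIO="${PRIO:-1000}"                # rule priority; evaluated before the main lookup

# run CMD...: execute the command, or with DRY_RUN=1 only print it for review.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# wan_gateway: next hop of the WAN default route in the main table. A pushed
# "redirect-gateway def1" adds 0.0.0.0/1 and 128.0.0.0/1 routes via tun0 instead
# of replacing this route, so it stays available while the tunnel is up.
wan_gateway() {
    ip -4 route show table main | awk -v dev="$WAN_IF" '
        $1 == "default" {
            d = ""; g = ""
            for (i = 2; i <= NF; i++) {
                if ($i == "dev") d = $(i + 1)
                if ($i == "via") g = $(i + 1)
            }
            if (d == dev && g != "") { print g; exit }
        }'
}

# install_guest_bypass GATEWAY: (re)build the bypass table and the source rule.
install_guest_bypass() {
    gw="$1"
    # Start from a clean table and rule so the function is safe to re-run.
    run ip -4 route flush table "$TABLE"
    run ip -4 rule del from "$GUEST_NET" lookup "$TABLE" priority "$PRIO" 2>/dev/null
    # Connected routes: replies the router itself sends from 192.168.46.1 match the
    # source rule too, so without these they would be thrown at the WAN gateway.
    run ip -4 route add "$GUEST_NET" dev "$GUEST_IF" table "$TABLE"
    run ip -4 route add "$LAN_NET" dev "$LAN_IF" table "$TABLE"
    # Everything else from the guest subnet leaves through the physical WAN.
    run ip -4 route add default via "$gw" dev "$WAN_IF" table "$TABLE"
    # The rule itself: packets sourced from the guest subnet consult TABLE first.
    run ip -4 rule add from "$GUEST_NET" lookup "$TABLE" priority "$PRIO"
    run ip route flush cache
}

# Usage on the router, as root: sh guest-bypass.sh apply
# The firewall still needs masquerading on wan and a guest -> wan forwarding
# (both present in the second config above); IPv6 from the guest LAN is not handled.
if [ "${1:-}" = "apply" ]; then
    gw=$(wan_gateway)
    [ -n "$gw" ] || { echo "no IPv4 default route via $WAN_IF found" >&2; exit 1; }
    install_guest_bypass "$gw"
fi
```

Run it with DRY_RUN=1 first to see the exact ip commands it would issue; the rule is not persistent, so it has to be re-applied from a hotplug or startup script after a reboot or WAN lease change.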