I found this tutorial online https://kiljan.org/2020/03/27/vpn-as-wan-for-guest-network-on-openwrt/ which was pretty much what I needed.
It clearly explains how to separate two internal networks, and how to force traffic from one of the networks to only go through VPN.
My use case is the following: I am running a Home Assistant server and I put the server and all the third-party managed/untrusted devices on a network in which they don't communicate with my personal devices and don't access the internet outside of the VPN tunnel, the guest network being the untrusted one and lan being the trusted one. This works great.
For the sake of convenience, I would like to access my server (fixed IP 192.168.41.111 in the guest network) from any host in the LAN network. But I am having a hard time figuring out what the simplest way to achieve this is.
Do you guys have any tips? I am quite new to network stuff and OpenWrt.
Hey @trendy, thanks so much for the help. I tried using pbr, but it's not working. I'm no network expert, but I have the feeling that the reason why it's not working is that, according to the tutorial I followed, I am running a script that implements policy-based routing whenever the guest network goes up or down.
#!/usr/bin/env sh
# Hotplug script: runs whenever an interface changes state (OpenWrt passes
# $INTERFACE, $ACTION and $DEVICE in the environment).
if=guest
dev=$DEVICE
table=$INTERFACE

# Map a logical interface name to its Linux device; an interface made of
# several ports is a bridge named br-<interface>.
if2dev() {
    dev=$(uci get "network.$1.ifname")
    [ "$(echo "$dev" | wc -w)" -gt 1 ] && dev="br-$1"
    echo "$dev"
}

if [ "$INTERFACE" = "$if" ]; then
    if [ "$ACTION" = "ifup" ]; then
        # Packets arriving on the guest device are routed with the "guest" table
        ip rule add iif "$dev" lookup "$table"
    elif [ "$ACTION" = "ifdown" ]; then
        # Workaround for missing $DEVICE when interface is going down
        dev=$(if2dev "$if")
        ip rule del iif "$dev" lookup "$table"
    fi
fi
and once the VPN is up/down I add the default route to this routing table:
#!/usr/bin/env sh
# OpenVPN --route-up / --route-pre-down hook: OpenVPN exports $script_type,
# $route_vpn_gateway and $dev (the tun device) in the environment.
table=guest
if [ "$script_type" = "route-up" ]; then
    # Only the guest table gets the VPN as its default route
    ip route add default via "$route_vpn_gateway" dev "$dev" table "$table" proto static
elif [ "$script_type" = "route-pre-down" ]; then
    ip route del default via "$route_vpn_gateway" dev "$dev" table "$table" proto static
fi
With my little knowledge on the subject, I think that what I have to do is to modify the first script to:
Whenever the guest interface is up, I also let all traffic coming from 192.168.1.0/24 reach my server (192.168.41.200).
When the guest interface is started this script adds a new routing rule which will state that all packets from this interface must use a separate routing table. By default new routing rules are made with a higher priority. Therefore the guest interface will be unable to use the main routing table. When the interface is stopped the script also cleans up the rule.
So I believe that pbr is changing the main routing table, but given this self-made policy-based routing, my guest network is using a different routing table.
Does that make sense? If so, what could be the command to let all traffic go to my home server?
The VPN-PBR is creating additional routing tables according to each available gateway and assigns the hosts to these tables depending on the rules.
You should not run any other policy routing scripts, as they will conflict with each other.
When I set PBR to a specific client, the client can no longer access the internet, which probably means that WAN is correctly blocked but something is wrong with the routing. One note on that: on the network where all clients are routed to the VPN (which is what the scripts I sent above do) they'll have access to the internet (through the VPN, of course).
That was what I thought. Given that my scenario is actually simpler, don't you think that editing the routing table would be enough? Or is there something that the PBR package does that the simple script won't be able to do?
I am reading the docs on how to use ip rule but so far I couldn't grasp it. Something like: ip rule add from 192.168.1.0/24 priority 41 table guest. I am not sure if this is correct though.
There are two issues here: you need the LAN network to route to the guest network for the 192.168.41.0/24 network, and then you need a firewall rule that allows forwarding from LAN to 192.168.41.111 in the guest network. (Actually three: you also need the guest network to route to the LAN network for the return packets.)
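Putting the three pieces of that reply together, here is an added example in the style of the guest hotplug script; it is not code from the thread or from the linked tutorial. It assumes the names from this thread plus a few of its own: LAN bridge br-lan on 192.168.1.0/24, guest bridge br-guest on 192.168.41.0/24, a routing table called "guest" (already listed in /etc/iproute2/rt_tables, as the tutorial sets up), the server at 192.168.41.111, firewall zones named "lan" and "guest", and Home Assistant on TCP port 8123 (its default, assumed here). The sample LAN host 192.168.1.10 in the check function is made up. With DRY_RUN=1 the script prints each command instead of executing it, which is a convenient way to review what would change before touching a router.

```shell
#!/bin/sh
# Added example, not from the thread or the linked tutorial. It shows the
# three pieces from the reply above as commands in the style of the guest
# hotplug script. Assumed names (change to match the router): LAN bridge
# br-lan on 192.168.1.0/24, guest bridge br-guest on 192.168.41.0/24, a
# routing table named "guest" (already in /etc/iproute2/rt_tables as in the
# tutorial), the server at 192.168.41.111, firewall zones "lan" and "guest".
# DRY_RUN=1 prints each command instead of executing it.

LAN_DEV=${LAN_DEV:-br-lan}
LAN_NET=${LAN_NET:-192.168.1.0/24}
GUEST_DEV=${GUEST_DEV:-br-guest}
GUEST_TABLE=${GUEST_TABLE:-guest}
SERVER_IP=${SERVER_IP:-192.168.41.111}
SERVER_PORT=${SERVER_PORT:-8123}   # assumed: Home Assistant's default port
# Rules are checked lowest number first; the main table sits at 32766, so
# anything below that wins over main. A fixed number also makes "del" exact.
GUEST_PREF=${GUEST_PREF:-32000}

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Piece 1 (forward path, LAN -> server): LAN hosts are not matched by any
# special rule, so they use the main table, which already holds the
# connected route 192.168.41.0/24 dev br-guest. Nothing to add for routing.

# Piece 3 (return path, server -> LAN): the guest table only holds
# "default via <vpn gateway>", and "default" matches replies to 192.168.1.x
# as well, so they would be sent into the tunnel. A more specific route for
# the LAN prefix in the guest table wins over the default and keeps replies
# on br-lan.
guest_up() {
    run ip rule add iif "$GUEST_DEV" lookup "$GUEST_TABLE" priority "$GUEST_PREF"
    run ip route add "$LAN_NET" dev "$LAN_DEV" table "$GUEST_TABLE"
}

guest_down() {
    run ip route del "$LAN_NET" dev "$LAN_DEV" table "$GUEST_TABLE"
    run ip rule del iif "$GUEST_DEV" lookup "$GUEST_TABLE" priority "$GUEST_PREF"
}

# Piece 2 (firewall): the lan and guest zones do not forward to each other,
# so allow exactly one direction: lan -> the server's IP and port. Replies
# are matched by conntrack; guest hosts still cannot open connections to
# lan. This is one-off configuration, not something to repeat on every ifup.
lan_to_server_firewall_rule() {
    run uci add firewall rule
    run uci set "firewall.@rule[-1].name=lan-to-homeassistant"
    run uci set "firewall.@rule[-1].src=lan"
    run uci set "firewall.@rule[-1].dest=guest"
    run uci set "firewall.@rule[-1].dest_ip=$SERVER_IP"
    run uci set "firewall.@rule[-1].proto=tcp"
    run uci set "firewall.@rule[-1].dest_port=$SERVER_PORT"
    run uci set "firewall.@rule[-1].target=ACCEPT"
    run uci commit firewall
    run /etc/init.d/firewall reload
}

# Check after applying: with the LAN route in the guest table this must
# report "dev br-lan", not the tun device. 192.168.1.10 is a made-up LAN host.
check_return_path() {
    run ip route get 192.168.1.10 from "$SERVER_IP" iif "$GUEST_DEV"
}

# Hotplug entry point ($INTERFACE and $ACTION come from OpenWrt, as in the
# tutorial); nothing runs when the file is sourced without them.
if [ "${INTERFACE:-}" = "guest" ]; then
    case "$ACTION" in
        ifup)   guest_up ;;
        ifdown) guest_down ;;
    esac
fi
```

This script is meant to replace the tutorial's guest hotplug script, not to run beside it or beside the pbr package: two sets of rules for the same interface are exactly the conflict @trendy warns about. One caveat worth knowing: when OpenVPN removes the default route from the guest table, a guest lookup finds no route there and falls through to the main table, so it is the firewall zone forwarding (guest allowed only towards the VPN zone, never wan) that actually keeps guest traffic off the plain WAN while the tunnel is down, not the routing table by itself.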