Making a non-VPN connection alongside a guest-VPN wifi

Hi,

I have a router on OpenWRT 19.07.
I configured an OpenVPN client using 4.1-b of this tutorial:
https://openwrt.org/docs/guide-user/services/vpn/openvpn/client-luci

All works well but all the traffic goes to the VPN.
I would like to have a non-VPN connection with 2 ethernet ports and a wireless network in parallel with a guest network (two ethernet ports and a dedicated wireless network).

The problem is that using the tutorial, I don't see how to dissociate wan from VPN?

Does someone have an idea on how to?

Sorry if I'm not clear, I'm a beginner and English is not my main language.
Thanks in advance for your help,

You would need to isolate those two ports from the rest of the lan in a new vlan. Then create a new network interface for that new vlan. Then with a little help from pbr package you can select which source will use which connection.

3 Likes

Thanks a lot,

I started creating VLANS and it seems to work.
pbr is exactly what I was looking for! I searched for days for the parameter to assign the VPN to an interface...
pbr is not trivial but at least I know where to look. If you have a tutorial, I'm interested^^

Regards,

In its readme there are a lot of examples and analytical instructions.

3 Likes

Hi,

I read it but I can't find the VPN in the interfaces, I only have WAN and WAN6.
Do I have to rename it to tun?
Where should I do that?

  • in the ovpn file? I already have a dev tun file
  • somewhere else?

Thanks in advance,

https://openwrt.org/docs/guide-user/network/tunneling_interface_protocols#vpn-interfaces

Tun* and tap* interfaces are supported by default.
What is the output of ip -4 addr; uci export vpn-policy-routing?

2 Likes

Hi,

Here is the result:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
6: br-VPN: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet 7.5.3.2/24 brd 7.5.3.255 scope global br-VPN
valid_lft forever preferred_lft forever
8: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet 8.4.2.1/24 brd 8.4.2.255 scope global br-lan
valid_lft forever preferred_lft forever
10: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet 8.4.2.27/24 brd 8.4.2.255 scope global eth0.2
valid_lft forever preferred_lft forever
36: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
inet 10.200.0.22 peer 10.200.0.21/32 scope global tun0
valid_lft forever preferred_lft forever
package vpn-policy-routing

config vpn-policy-routing 'config'
option verbosity '2'
option strict_enforcement '1'
option src_ipset '0'
option dest_ipset 'dnsmasq.ipset'
option ipv6_enabled '0'
list ignored_interface 'vpnserver wgserver'
option boot_timeout '30'
option iptables_rule_option 'append'
option iprule_enabled '0'
option webui_chain_column '0'
option webui_sorting '1'
list webui_supported_protocol 'tcp'
list webui_supported_protocol 'udp'
list webui_supported_protocol 'tcp udp'
list webui_supported_protocol 'icmp'
list webui_supported_protocol 'all'
option enabled '1'
option webui_enable_column '1'
option webui_protocol_column '1'
list supported_interface 'UVPN_FR_TORRENT'

config include
option path '/etc/vpn-policy-routing.netflix.user'
option enabled '0'

config include
option path '/etc/vpn-policy-routing.aws.user'
option enabled '0'

config policy
option interface 'wan'
option src_addr '7.5.3.2/24'
option src_port '0-6535'
option dest_addr '0.0.0.0/0'
option dest_port '0-6535'
option name 'UVPN_FR_TORRENT'

What is this interface?

Not sure if it is a typo when you were masking the IPs but br-lan and eth0.2 seem to have the IP in the same subnet.

2 Likes
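A check for the subnet-overlap point raised in the reply above, as an added example that is not part of the thread: it reduces ip -4 addr output with sh and awk (so it could also run on the router itself) and prints every pair of interfaces whose IPv4 subnets overlap. The sample output is constructed from the addresses posted above.

```shell
#!/bin/sh
# Added example, not from the thread: flag interfaces in `ip -4 addr` output
# whose IPv4 subnets overlap (here br-lan and eth0.2 both sit in 8.4.2.0/24).
# Only sh and awk are used so it could also run on an OpenWrt router.

# Reduce `ip -4 addr` output to "ifname addr[/prefix]" for global-scope addresses.
parse_inet() {
    awk '$1 == "inet" && $0 ~ / scope global / { print $NF, $2 }'
}

# Read "ifname addr[/prefix]" lines; print "ifA ifB netA netB" for each
# overlapping pair. Subnet math uses plain arithmetic because busybox awk
# has no bitwise operators; a missing prefix (e.g. tun0) is treated as /32.
find_overlaps() {
    awk '
    function ip2int(a,  o) { split(a, o, "."); return ((o[1]*256 + o[2])*256 + o[3])*256 + o[4] }
    function netid(a, p) { return int(ip2int(a) / 2^(32 - p)) }
    {
        n++; ifn[n] = $1
        split($2, ap, "/"); addr[n] = ap[1]; plen[n] = (ap[2] == "" ? 32 : ap[2])
    }
    END {
        for (i = 1; i <= n; i++)
            for (j = i + 1; j <= n; j++) {
                p = (plen[i] < plen[j]) ? plen[i] : plen[j]   # shorter prefix decides
                if (netid(addr[i], p) == netid(addr[j], p))
                    printf "%s %s %s/%s %s/%s\n", ifn[i], ifn[j], addr[i], plen[i], addr[j], plen[j]
            }
    }'
}

# Constructed sample with the addresses as posted in the thread.
SAMPLE_IP_ADDR='6: br-VPN: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    inet 7.5.3.2/24 brd 7.5.3.255 scope global br-VPN
8: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    inet 8.4.2.1/24 brd 8.4.2.255 scope global br-lan
10: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    inet 8.4.2.27/24 brd 8.4.2.255 scope global eth0.2
36: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 state UNKNOWN
    inet 10.200.0.22 peer 10.200.0.21/32 scope global tun0'

# Run the check over the sample; on a router use: ip -4 addr | parse_inet | find_overlaps
check_overlaps() {
    printf '%s\n' "$SAMPLE_IP_ADDR" | parse_inet | find_overlaps
}

check_overlaps
```

On the sample this prints one line, br-lan and eth0.2 with their 8.4.2.0/24 addresses; tun0 and br-VPN are left alone.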

Hi,

I made br-vpn same as there is br-lan and attached it to the VLAN linking the port I want to pass through the VPN.

Should I remove it or do it differently?

Thx

For sure it won't work with a tun interface. You'd need a tap interface for bridging.

This doesn't look right to route the VPN network to the WAN.

1 Like