[Solved] Multiple VPN connections and routing (setup) issue

Hello,

I want three different systems to access the internet in different ways:

| Name | Sys-IP | VPN | Interface |
|---|---|---|---|
| test100 | 192.168.1.100 | tun-vpncl | vpncl (should be default for all) |
| test101 | 192.168.1.101 | tun-vpnde | vpnde |
| test102 | 192.168.1.102 | novpn | wan |

Approach

  1. the Linksys 1900acs v2 got a clean install of openwrt 19.07.03.

  2. additional software installed
    openvpn-easy-rsa 3.0.4-1
    openvpn-openssl 2.4.7-2
    luci-app-openvpn 20.1555.55664
    openssh-sftp-server 8.0p1-1
    Update of all other packages and reboot

  3. openvpn client config
    I have used the openvpn files of my provider and added "pull-filter ignore redirect-gateway".
    IP subnet is different. Both tcp connections can be established.

  4. virtual network adapters
    I added the following and it seems to work:

```
config interface 'vpncl'
	option proto 'none'
	option ifname 'tun-vpncl'
	option delegate '0'
```

Issue

How do I configure the routing (table) for my setup?
I have tried different approaches but nothing worked so far. I only managed to configure that all the traffic is routed through one VPN connection. Of course, I am new to openwrt and there are many recommendations. So, what is the right or best approach to configure the routing for multiple VPNs?

BR Martin

I think that mwan can solve the problem given that the VPN interfaces work in the WAN side.

Thank you for your fast feedback.

So far I have already tried a couple of approaches, which I found in the internet.
This also includes the instructions of Leow Kah Man, but even doing it twice from scratch did not work for me. The instructions are great, but as a beginner with openwrt it seems I need more details ;-)

https://www.leowkahman.com/2016/06/19/conditional-multiple-openvpn-routing-hostname-ip/

That is why I am asking for what is the best approach and more details.
I think that is easier than posting all details from my mwan3 approach - except you are interested in a longer description?

BR Martin

You need to do Policy Based Routing and you have 3 options:

  1. mwan3 package
  2. pbr package
  3. a set of rules/routes for each internet connection.

The easiest would be #2.

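Option 3 from the reply above, spelled out for the three hosts of the first post as an added example (it is not from this thread, the pbr package or the linked guide): per-tunnel routing tables plus source-based rules in /etc/config/network, assuming the vpncl/vpnde interface stanzas from the first post, that netifd installs these routes when the tun devices come up, and that both tunnels' pushed default routes are ignored (as with the pull-filter line), so the main table's default route is wan.

```uci
# Table 100 = default via tun-vpncl, table 101 = default via tun-vpnde
# (the tunnels' pushed default routes are ignored by pull-filter, so install them here)
config route
	option interface 'vpncl'
	option target '0.0.0.0'
	option netmask '0.0.0.0'
	option table '100'

config route
	option interface 'vpnde'
	option target '0.0.0.0'
	option netmask '0.0.0.0'
	option table '101'

# Anything addressed to the LAN itself keeps using the main table
config rule
	option dest '192.168.1.0/24'
	option lookup 'main'
	option priority '100'

# test101 -> vpnde only: if the tunnel is down, table 101 is empty and the
# 'unreachable' rule rejects the packet instead of letting it fall through to wan
config rule
	option src '192.168.1.101/32'
	option lookup '101'
	option priority '1000'

config rule
	option src '192.168.1.101/32'
	option action 'unreachable'
	option priority '1001'

# test102 -> wan, i.e. the default route of the main table
config rule
	option src '192.168.1.102/32'
	option lookup 'main'
	option priority '1010'

# everyone else on the LAN (including test100) -> vpncl, again with no wan fallback
config rule
	option src '192.168.1.0/24'
	option lookup '100'
	option priority '1020'

config rule
	option src '192.168.1.0/24'
	option action 'unreachable'
	option priority '1021'
```

The 'unreachable' rules are what stops a host from silently leaking out via wan when its tunnel drops; the firewall zones and masquerading for the tun interfaces are not shown here. Check the result on the router with `ip rule show` and `ip route show table 100`.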

thank you!

pbr looks good and I will try it.


Short update - SUCCESS!

the setup was really easy and the first test was successful.

Again thank you for the hint to pbr.

I am glad you got it working!

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.

Two related beginners questions:

1. Where is the correct place to change the default routing from wan to e.g. vpncl?

2. Where is the correct place to define individual DNS IP addresses for each vpn/wan?

Of course I will close it. Again thank you!

You would need to accept or not the default route from the VPN. By default they send it, so you ignore it for the VPN you don't want it from.
https://github.com/stangri/openwrt_packages/blob/master/vpn-policy-routing/files/README.md#a-word-about-default-routing

There isn't exactly such a thing; however, you can advertise the appropriate nameserver per host from DHCP with option 6.

Thank you, but I was not clear enough.

1. Default gateway (exit)
So far I have created a default rule that, if there is no other rule, everybody has to use VPNCL. I got the impression that this is a workaround and that there is (should?) be somewhere in the openwrt configuration the possibility to set the default internet access, e.g. to VPNCL (instead of WAN)!?

2. I am working with fixed IPs and wanted to avoid typing the DNS IPs into each system (I wanted to use only the router's IP as DNS on the client side, and the router should replace the DNS with the correct one, for centralized administration). Can this be done in openwrt?

Would DNS hijacking be an alternative?

There is: ignore the default gateway from vpnde, accept the default gateway from vpncl.

Centralized administration -> DHCP
There are multiple instances of dnsmasq, but that would work for different interfaces, not different hosts.
DNS hijacking does work; at least I have managed to hijack queries to Google DNS etc. towards my Pi-holes. So I don't see why you cannot do the same with the NS outside of your network.
