Mwan3 and openVPN

#1

I wonder if there's anyone successfully using mwan3 and an openVPN tun device as a virtual WAN interface?

I'm interested in how to force the tunnel to be routed by a specific WAN, any hints appreciated.

#2

I may be missing the point of that which you're trying to achieve, but perhaps you need VPN Policy-Based Routing?

#3

I'm using mwan3 to load-balance between two WAN interfaces, that's my primary interest to use that package. In addition I'd want to set up an openVPN client that's routed via a specific WAN interface (instead of getting balanced). I thought this could all be done using only mwan3 and openvpn but maybe I'd need other packages too?

Both individually work great for me.

#4

Currently no packages get routed to a WAN, it seems, when the OpenVPN tunnel and mwan3 are both up. Anyone any idea? What info would you need?

#5

I don't have the complete answer for your issue, but I did something similar recently.
See if this helps:

So I too have mwan3 set up and I also use a package to run an embedded speedtest on the router.
For the speedtest I wanted to select a particular WAN link and run the speedtest on that.
Once done, select the other WAN link and run the speedtest.

For this I added ip rules which complement the mwan3 default ip rules.
These rules are forcing the router-originated traffic.
For your case you probably need something more; I am not aware of openvpn much.

For wan1:
ip rule add to $speedtest_server_ip/32 lookup 1 priority 1100
For wan2:
ip rule add to $speedtest_server_ip/32 lookup 2 priority 1200

#6

That's going in the right direction!

I'm not entirely sure how to set up a mask covering all openvpn-originating traffic, to route it via one single WAN interface. Source IP will always be the router, but how could the rest be configured, considering the gateway depends on the VPN server response?

The other challenge is, why is there no connection once the openvpn tunnel is connected?

#7

Probably you should mark it by interface+port+protocol via iptables and apply the routing policies to the marked traffic.

#8

Thank you!! Any idea why traffic doesn't seem to get routed through any WAN as soon as the openVPN tunnel is up? Individually mwan3 and openvpn work well!

#10

I had faced issues using mwan3 with a lot of other packages (sqm, wifidog etc.) which used firewall packet marking. If 2 packages are using the same bits of the packet to FW mark, there will be issues.
The latest mwan3 has provided a mask to select which bits to use.
I am not sure if openvpn also falls into that category of packages (which do FW marking).

#11

I assumed mwan3 to be compatible with openvpn 'out of box', but that might not be the case!

How could I check if openvpn and mwan3 use the same bits for marking? Tried to change the mwan3 marking mask randomly but this neither broke mwan3, nor made openvpn work.
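
One way to run the check asked about in post #11, as an added example that is not part of the thread or of mwan3: it reads `iptables-save`-style mangle rules and reports every rule outside mwan3's chains whose mark mask shares bits with mwan3's mask. The value `0x3F00`, the `mwan3_*` chain prefix and all sample rules (including the `qos_Default` chain) are assumptions or constructed for illustration.

```shell
#!/bin/sh
# Added example: list firewall-mark rules whose mask shares bits with mwan3's.
# Assumed: 0x3F00 is the mask mwan3 is configured with; substitute your own.
MWAN3_MASK=0x3F00

# Print the bits two masks have in common as hex ("0x0" means no clash).
mask_overlap() {
    printf '0x%X\n' $(( $1 & $2 ))
}

# Read iptables-save style rules on stdin and print "<mask> <rule>" for each
# mark option found. A value given without "/mask" covers all 32 bits.
# Runs in a subshell so that "set -f" (no globbing) does not leak out.
extract_masks() (
    set -f
    while IFS= read -r rule; do
        prev=
        for word in $rule; do
            case "$prev" in
                --set-xmark|--set-mark|--mark)
                    case "$word" in
                        */*) printf '%s %s\n' "${word#*/}" "$rule" ;;
                        *)   printf '0xFFFFFFFF %s\n' "$rule" ;;
                    esac ;;
                --nfmask|--ctmask) printf '%s %s\n' "$word" "$rule" ;;
            esac
            prev=$word
        done
    done
)

# Report rules outside mwan3's own chains (assumed to be named mwan3_*)
# that write or test bits inside MWAN3_MASK.
find_conflicts() {
    extract_masks | while read -r mask rule; do
        case "$rule" in "-A mwan3_"*) continue ;; esac
        common=$(mask_overlap "$mask" "$MWAN3_MASK")
        [ "$common" = 0x0 ] || printf 'overlap %s: %s\n' "$common" "$rule"
    done
}

# Constructed sample; on the router use: iptables-save -t mangle | find_conflicts
sample_rules() {
    cat <<'EOF'
-A mwan3_hook -j CONNMARK --restore-mark --nfmask 0x3f00 --ctmask 0x3f00
-A mwan3_policy_balanced -m mark --mark 0x0/0x3f00 -j MARK --set-xmark 0x100/0x3f00
-A qos_Default -p udp -m udp --dport 1194 -j MARK --set-xmark 0x200/0xff00
-A OUTPUT -o tun0 -j MARK --set-xmark 0x10000/0xff0000
-A PREROUTING -i br-lan -j MARK --set-mark 0x1
EOF
}
sample_rules | find_conflicts
```

A rule that sets a mark without a mask is reported too, because it overwrites the whole 32-bit mark, including the bits mwan3 relies on.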

#12

I'm reading others had similar challenges and updating to the latest github master tip of mwan3 solved it.

How would I do that?
Install git, clone repository, make build, make install?

What would that do to the package-based mwan3 that is in place right now?

Thanks if anybody knows!!

#13

Use the openwrt sdk to compile a package.
https://openwrt.org/docs/guide-developer/using_the_sdk#compile_packages
Once the ipk is available, copy it to the router.
Remove old one with "opkg remove " then "opkg install "

#14

Thanks a lot! I got this far, what am I missing to get rid of the warnings?

~/Downloads/openwrt-sdk-mvebu-cortexa9_gcc-7.4.0_musl_eabi.Linux-x86_64$ ./scripts/feeds install mwan3
WARNING: Makefile 'package/linux/Makefile' has a dependency on 'r8169-firmware', which does not exist
WARNING: Makefile 'package/linux/Makefile' has a dependency on 'e100-firmware', which does not exist
WARNING: Makefile 'package/linux/Makefile' has a dependency on 'bnx2-firmware', which does not exist
WARNING: Makefile 'package/linux/Makefile' has a dependency on 'ar3k-firmware', which does not exist
WARNING: Makefile 'package/linux/Makefile' has a dependency on 'mwifiex-sdio-firmware', which does not exist
WARNING: Makefile 'package/linux/Makefile' has a dependency on 'kmod-phy-bcm-ns-usb2', which does not exist
WARNING: Makefile 'package/linux/Makefile' has a dependency on 'edgeport-firmware', which does not exist
WARNING: Makefile 'package/linux/Makefile' has a dependency on 'kmod-phy-bcm-ns-usb3', which does not exist
WARNING: Makefile 'package/linux/Makefile' has a dependency on 'amdgpu-firmware', which does not exist
WARNING: Makefile 'package/linux/Makefile' has a dependency on 'radeon-firmware', which does not exist
WARNING: Makefile 'package/linux/Makefile' has a dependency on 'prism54-firmware', which does not exist
WARNING: Makefile 'package/linux/Makefile' has a dependency on 'rtl8192su-firmware', which does not exist
Installing package 'mwan3' from packages
Installing package 'iproute2' from base
Installing package 'iptables' from base
Installing package 'libnetfilter-conntrack' from base
Installing package 'libnfnetlink' from base
Installing package 'libmnl' from base
Installing package 'libnftnl' from base
Installing package 'libiconv' from base
Installing package 'gettext' from base
Installing package 'libnl-tiny' from base
Installing package 'elfutils' from base
Installing package 'argp-standalone' from base
Installing package 'bzip2' from base
Installing package 'gettext-full' from base
Installing package 'zlib' from base
Installing package 'ipset' from base
Installing package 'libubox' from base
Installing package 'lua' from base
Installing package 'libjson-c' from base

#15

Ignore the warnings.
As long as the ipk is getting generated, everything is fine.

#16

Unfortunately the ipk doesn't seem to get generated yet?

~/Downloads/openwrt-sdk-mvebu-cortexa9_gcc-7.4.0_musl_eabi.Linux-x86_64$ make -j1 V=sc package/mwan3/index
WARNING: Makefile 'package/linux/Makefile' has a dependency on 'r8169-firmware', which does not exist
WARNING: Makefile 'package/linux/Makefile' has a dependency on 'e100-firmware', which does not exist
WARNING: Makefile 'package/linux/Makefile' has a dependency on 'bnx2-firmware', which does not exist
WARNING: Makefile 'package/linux/Makefile' has a dependency on 'ar3k-firmware', which does not exist
WARNING: Makefile 'package/linux/Makefile' has a dependency on 'mwifiex-sdio-firmware', which does not exist
WARNING: Makefile 'package/linux/Makefile' has a dependency on 'kmod-phy-bcm-ns-usb2', which does not exist
WARNING: Makefile 'package/linux/Makefile' has a dependency on 'edgeport-firmware', which does not exist
WARNING: Makefile 'package/linux/Makefile' has a dependency on 'kmod-phy-bcm-ns-usb3', which does not exist
WARNING: Makefile 'package/linux/Makefile' has a dependency on 'amdgpu-firmware', which does not exist
WARNING: Makefile 'package/linux/Makefile' has a dependency on 'radeon-firmware', which does not exist
WARNING: Makefile 'package/linux/Makefile' has a dependency on 'prism54-firmware', which does not exist
WARNING: Makefile 'package/linux/Makefile' has a dependency on 'rtl8192su-firmware', which does not exist
tmp/.config-package.in:36:warning: ignoring type redefinition of 'PACKAGE_libc' from 'boolean' to 'tristate'
tmp/.config-package.in:64:warning: ignoring type redefinition of 'PACKAGE_libgcc' from 'boolean' to 'tristate'
tmp/.config-package.in:149:warning: ignoring type redefinition of 'PACKAGE_libpthread' from 'boolean' to 'tristate'
tmp/.config-package.in:442:warning: ignoring type redefinition of 'PACKAGE_libip4tc' from 'boolean' to 'tristate'
tmp/.config-package.in:456:warning: ignoring type redefinition of 'PACKAGE_libip6tc' from 'boolean' to 'tristate'
tmp/.config-package.in:486:warning: ignoring type redefinition of 'PACKAGE_libxtables' from 'boolean' to 'tristate'
tmp/.config-package.in:544:warning: ignoring type redefinition of 'PACKAGE_libblobmsg-json' from 'boolean' to 'tristate'
tmp/.config-package.in:625:warning: ignoring type redefinition of 'PACKAGE_libjson-c' from 'boolean' to 'tristate'
tmp/.config-package.in:738:warning: ignoring type redefinition of 'PACKAGE_libnl-tiny' from 'boolean' to 'tristate'
tmp/.config-package.in:750:warning: ignoring type redefinition of 'PACKAGE_libubox' from 'boolean' to 'tristate'
tmp/.config-package.in:798:warning: ignoring type redefinition of 'PACKAGE_ip6tables' from 'boolean' to 'tristate'
tmp/.config-package.in:868:warning: ignoring type redefinition of 'PACKAGE_iptables' from 'boolean' to 'tristate'
tmp/.config-package.in:1632:warning: ignoring type redefinition of 'PACKAGE_jshn' from 'boolean' to 'tristate'
tmp/.config-package.in:1703:warning: ignoring type redefinition of 'PACKAGE_libjson-script' from 'boolean' to 'tristate'
#
# configuration written to .config
#
make[1]: Entering directory '~/Downloads/openwrt-sdk-mvebu-cortexa9_gcc-7.4.0_musl_eabi.Linux-x86_64'
make[1]: *** No rule to make target 'package/mwan3/index'.  Stop.
make[1]: Leaving directory '~/Downloads/openwrt-sdk-mvebu-cortexa9_gcc-7.4.0_musl_eabi.Linux-x86_64'
~/Downloads/openwrt-sdk-mvebu-cortexa9_gcc-7.4.0_musl_eabi.Linux-x86_64/include/toplevel.mk:209: recipe for target 'package/mwan3/index' failed
make: *** [package/mwan3/index] Error 2

#17

OK, finally I'm running mwan3_2.7.12-1

Still the same issue though, once ovpn is connected no more reply to ping 1.1.1.1

#18

I wanted to give this a try myself. I use mwan3 but not openvpn.
I have started with installing openvpn on a server but I don't know if I will get to complete it.
Until then I hope someone else helps.

#19

Ironically, I'm back to 'stock' mwan3 and it appears to be working, openvpn included. Somewhere on the way the openvpn config got compromised and needed to be redone. It seems that it's best to restart the router after any config change to validate effects instead of relying on service stop/start. Also worth mentioning that kind of all devices cache a lot of stuff: DNS, routing tables, ...

1 Like

#20

Honestly, I don't like openVPN; in my opinion there are other services that are much better. If you want to watch Netflix and other serials even if they are forbidden in your region, then the VeePN service is really a great decision that you can use in order to hide your real IP address and make everything you want in the network. Now it is absolutely free, you can try it on your desktop or download the mobile version.