Mwan3 and openVPN

ledeUser1 · April 16, 2019, 12:27pm

I wonder if there's anyone successfully using mwan3 and an openVPN tun device as virtual WAN interface ?

I'm interested in how to force the tunnel to be routed by a specific WAN, any hints appreciated.

tectonic · April 16, 2019, 12:44pm

I may be missing the point of that which you're trying to achieve, but perhaps you need VPN Policy-Based Routing?

stangri/openwrt_packages/blob/master/vpn-policy-routing/files/README.md

# VPN Policy-Based Routing

## Description

This service allows you to define rules (policies) for routing traffic via WAN or your L2TP, Openconnect, OpenVPN, PPTP or Wireguard tunnels. Policies can be set based on any combination of local/remote ports, local/remote IPv4 or IPv6 addresses/subnets or domains. This service supersedes the [VPN Bypass](https://github.com/openwrt/packages/blob/master/net/vpnbypass/files/README.md) service, by supporting IPv6 and by allowing you to set explicit rules not just for WAN interface (bypassing OpenVPN tunnel), but for L2TP, Openconnect, OpenVPN, PPTP and Wireguard tunnels as well.

## Features

### Gateways/Tunnels

- Any policy can target either WAN or a VPN tunnel interface.
- L2TP tunnels supported (with protocol names l2tp\*).
- Openconnect tunnels supported (with protocol names openconnect\*).
- OpenVPN tunnels supported (with device names tun\* or tap\*).
- PPTP tunnels supported (with protocol names pptp\*).
- Wireguard tunnels supported (with protocol names wireguard\*).

### IPv4/IPv6/Port-Based Policies

- Policies based on local names, IPs or subnets. You can specify a single IP (as in ```192.168.1.70```) or a local subnet (as in ```192.168.1.81/29```) or a local device name (as in ```nexusplayer```). IPv6 addresses are also supported.

This file has been truncated. show original

ledeUser1 · April 16, 2019, 1:16pm

I'm using mwan3 to loadbalance between two WAN interfaces, that's my primary interest to use that package. In addition I'd want to set up an openVPN client that's routed via a
specific WAN interface (instead of getting balanced). I thought this could all be done using only mwan3 and openvpn but maybe I'd need other packages too ?

both individually work great for me.

ledeUser1 · April 16, 2019, 3:33pm

currently no packages get routed to an WAN it seems when OpenVPN tunnel and mwan3 are both up . Anyone any idea ? What info would you need ?

rakesh · April 16, 2019, 4:36pm

I don't have the complete answer for your issue, but I did something similar recently.
See if this helps:

So I too have mwan3 setup and i also use a package to run embedded speedtest on the router.
For the speedtest I wanted to select a particular wan link and run the speedtest on that.
Once done, select the other wan link and run the speedtest.

For this I added ip rules which complement to mwan3 default ip rules.
These rules are forcing the router originated traffic.
For your case probably you need something more, I am not aware of openvpn much.

For wan1:
ip rule add to $speedtest_server_ip/32 lookup 1 priority 1100
For wan2:
ip rule add to $speedtest_server_ip/32 lookup 2 priority 1200

ledeUser1 · April 16, 2019, 7:43pm

that's going in the right direction !

i'm not entirely sure how to set up a mask covering all openvpn originating traffic, to route it via one single wan interface. Source IP will always be the router, but how could the rest be configured, considering the gateway depends on the VPN Server response ?

other challange is, why is there no connection once the openvpn tunnel is connected ?

vgaetera · April 16, 2019, 7:48pm

Probably you should mark it by interface+port+protocol via iptables and apply the routing policies to the marked traffic.

ledeUser1 · April 16, 2019, 8:14pm

thank you !! any idea why traffic doesn't seem to get routed through any WAN as soon as the openVPN tunnel is up ? individuallt mwan3 and openvpn work well !

rakesh · April 17, 2019, 8:53am

I had faced issues using mwan3 with lot of other packages (sqm, wifidog etc) which used firewall packet marking. If 2 packages are using same bits of the packet to FW mark, there will be issues.
Latest mwan3 has provided a mask to select which bits to use.
I am not sure if openvpn also falls into such category of packages (which does FW marking).

ledeUser1 · April 17, 2019, 7:56pm

i assumed mwan3 to be compatible with openvpn 'out of box', but that might not be the case !

how could i check if openvpn and mwan3 use the same bits for marking ? tried to change the mwan3 marking mask randomly but this neither broke mwan3, nor made openvpn work.

ledeUser1 · April 18, 2019, 6:11pm

I'm reading others had similar challengea and updating to the latest github master tip of mwan3 solved it.

How would I do that ?
install git, clone repository, make build, make install ?

What would that do to the package based mwan3 that is in place right now ?

Thanks if anybody knows !!

rakesh · April 19, 2019, 4:01am

Use openwrt sdk to compile a package.
https://openwrt.org/docs/guide-developer/using_the_sdk#compile_packages
Once ipk available, copy it to the router.
Remove old one with "opkg remove " then "opkg install "

ledeUser1 · April 21, 2019, 5:07pm

thanks a lot ! i got this far, what am i missing to get rid of the warnings? :

~/Downloads/openwrt-sdk-mvebu-cortexa9_gcc-7.4.0_musl_eabi.Linux-x86_64$ ./scripts/feeds install mwan3
WARNING: Makefile 'package/linux/Makefile' has a dependency on 'r8169-firmware', which does not exist
WARNING: Makefile 'package/linux/Makefile' has a dependency on 'e100-firmware', which does not exist
WARNING: Makefile 'package/linux/Makefile' has a dependency on 'bnx2-firmware', which does not exist
WARNING: Makefile 'package/linux/Makefile' has a dependency on 'ar3k-firmware', which does not exist
WARNING: Makefile 'package/linux/Makefile' has a dependency on 'mwifiex-sdio-firmware', which does not exist
WARNING: Makefile 'package/linux/Makefile' has a dependency on 'kmod-phy-bcm-ns-usb2', which does not exist
WARNING: Makefile 'package/linux/Makefile' has a dependency on 'edgeport-firmware', which does not exist
WARNING: Makefile 'package/linux/Makefile' has a dependency on 'kmod-phy-bcm-ns-usb3', which does not exist
WARNING: Makefile 'package/linux/Makefile' has a dependency on 'amdgpu-firmware', which does not exist
WARNING: Makefile 'package/linux/Makefile' has a dependency on 'radeon-firmware', which does not exist
WARNING: Makefile 'package/linux/Makefile' has a dependency on 'prism54-firmware', which does not exist
WARNING: Makefile 'package/linux/Makefile' has a dependency on 'rtl8192su-firmware', which does not exist
Installing package 'mwan3' from packages
Installing package 'iproute2' from base
Installing package 'iptables' from base
Installing package 'libnetfilter-conntrack' from base
Installing package 'libnfnetlink' from base
Installing package 'libmnl' from base
Installing package 'libnftnl' from base
Installing package 'libiconv' from base
Installing package 'gettext' from base
Installing package 'libnl-tiny' from base
Installing package 'elfutils' from base
Installing package 'argp-standalone' from base
Installing package 'bzip2' from base
Installing package 'gettext-full' from base
Installing package 'zlib' from base
Installing package 'ipset' from base
Installing package 'libubox' from base
Installing package 'lua' from base
Installing package 'libjson-c' from base

rakesh · April 21, 2019, 5:34pm

Ignore the warnings.
As long as ipk is getting generated everything is fine.

ledeUser1 · April 21, 2019, 9:14pm

unfortunately the ipk doesn't seem to get generated yet ?

~/Downloads/openwrt-sdk-mvebu-cortexa9_gcc-7.4.0_musl_eabi.Linux-x86_64$ make -j1 V=sc package/mwan3/index
WARNING: Makefile 'package/linux/Makefile' has a dependency on 'r8169-firmware', which does not exist
WARNING: Makefile 'package/linux/Makefile' has a dependency on 'e100-firmware', which does not exist
WARNING: Makefile 'package/linux/Makefile' has a dependency on 'bnx2-firmware', which does not exist
WARNING: Makefile 'package/linux/Makefile' has a dependency on 'ar3k-firmware', which does not exist
WARNING: Makefile 'package/linux/Makefile' has a dependency on 'mwifiex-sdio-firmware', which does not exist
WARNING: Makefile 'package/linux/Makefile' has a dependency on 'kmod-phy-bcm-ns-usb2', which does not exist
WARNING: Makefile 'package/linux/Makefile' has a dependency on 'edgeport-firmware', which does not exist
WARNING: Makefile 'package/linux/Makefile' has a dependency on 'kmod-phy-bcm-ns-usb3', which does not exist
WARNING: Makefile 'package/linux/Makefile' has a dependency on 'amdgpu-firmware', which does not exist
WARNING: Makefile 'package/linux/Makefile' has a dependency on 'radeon-firmware', which does not exist
WARNING: Makefile 'package/linux/Makefile' has a dependency on 'prism54-firmware', which does not exist
WARNING: Makefile 'package/linux/Makefile' has a dependency on 'rtl8192su-firmware', which does not exist
tmp/.config-package.in:36:warning: ignoring type redefinition of 'PACKAGE_libc' from 'boolean' to 'tristate'
tmp/.config-package.in:64:warning: ignoring type redefinition of 'PACKAGE_libgcc' from 'boolean' to 'tristate'
tmp/.config-package.in:149:warning: ignoring type redefinition of 'PACKAGE_libpthread' from 'boolean' to 'tristate'
tmp/.config-package.in:442:warning: ignoring type redefinition of 'PACKAGE_libip4tc' from 'boolean' to 'tristate'
tmp/.config-package.in:456:warning: ignoring type redefinition of 'PACKAGE_libip6tc' from 'boolean' to 'tristate'
tmp/.config-package.in:486:warning: ignoring type redefinition of 'PACKAGE_libxtables' from 'boolean' to 'tristate'
tmp/.config-package.in:544:warning: ignoring type redefinition of 'PACKAGE_libblobmsg-json' from 'boolean' to 'tristate'
tmp/.config-package.in:625:warning: ignoring type redefinition of 'PACKAGE_libjson-c' from 'boolean' to 'tristate'
tmp/.config-package.in:738:warning: ignoring type redefinition of 'PACKAGE_libnl-tiny' from 'boolean' to 'tristate'
tmp/.config-package.in:750:warning: ignoring type redefinition of 'PACKAGE_libubox' from 'boolean' to 'tristate'
tmp/.config-package.in:798:warning: ignoring type redefinition of 'PACKAGE_ip6tables' from 'boolean' to 'tristate'
tmp/.config-package.in:868:warning: ignoring type redefinition of 'PACKAGE_iptables' from 'boolean' to 'tristate'
tmp/.config-package.in:1632:warning: ignoring type redefinition of 'PACKAGE_jshn' from 'boolean' to 'tristate'
tmp/.config-package.in:1703:warning: ignoring type redefinition of 'PACKAGE_libjson-script' from 'boolean' to 'tristate'
#
# configuration written to .config
#
make[1]: Entering directory '~/Downloads/openwrt-sdk-mvebu-cortexa9_gcc-7.4.0_musl_eabi.Linux-x86_64'
make[1]: *** No rule to make target 'package/mwan3/index'.  Stop.
make[1]: Leaving directory '~/Downloads/openwrt-sdk-mvebu-cortexa9_gcc-7.4.0_musl_eabi.Linux-x86_64'
~/Downloads/openwrt-sdk-mvebu-cortexa9_gcc-7.4.0_musl_eabi.Linux-x86_64/include/toplevel.mk:209: recipe for target 'package/mwan3/index' failed
make: *** [package/mwan3/index] Error 2

ledeUser1 · April 21, 2019, 10:25pm

ok, finally im running mwan3_2.7.12-1

still the same issue though, once ovpn connected no more reply to ping 1.1.1.1

rakesh · April 22, 2019, 7:32am

I wanted to give this a try myself. I use mwan3 but not openvpn.
I have started with installing openvpn on a server but I don't know if I will get to complete it.
Until then I hope someone else helps.

ledeUser1 · April 22, 2019, 12:10pm

Ironically I'm back to 'stock' mwan3 and it appears to be working, openvpn included. somewhere on the way openvpn config got compromised and needed to be redone. seems that its best to restart the router after any config change to validate effects instead of relying on service stop/start. Also worth mentioning that kind of all devices cache a lot of stuff: dns, routing tables,,, ....

Manbares · May 3, 2019, 5:48pm

Honestly, I don't like openVPN,in my opinion there are other services that are much better, If you want to watch Netflix and other serials even if they are forbidden in your region then VeePN service is really a great decision that you can use in order to hide your real IP address and make everything you want in the network. Now it is absolutely free, you can try it on your desktop or download the mobile version.

hellion86 · October 15, 2019, 2:20am

Hi!
I am facing at the same problem. i'm stuck. Can you help me?