Mwan3 with an OpenVPN interface

I'd like to use mwan3 to send some traffic directly over my wan connection, and some traffic (my guest network) over an OpenVPN connection. I'm having trouble setting it up because I think OpenVPN and mwan3 have a conflict over which one takes precedence, but I'm not sure.

My OpenVPN config is a standard client config file. Routes are pushed from the server. It connects fine, a new default route is added, and requests from the host get sent over VPN.

Here are slightly abbreviated network and mwan3 configs:

/etc/config/network:

config interface 'lan'
        option ifname 'eth0'
        option proto 'static'
        option ipaddr '10.0.0.1'
        option netmask '255.255.255.0'
        option dns '1.1.1.1'
        option ip6assign '60'

config interface 'wan'
        option ifname 'eth1'
        option proto 'dhcp'
        option metric 10

config interface 'vpnwan'
        option ifname 'tun0'
        option proto 'none'
        option auto '1'
        option metric 20

config interface 'guestlan'
        option ifname 'eth2'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'

/etc/config/mwan3:

config globals 'globals'
        option local_source 'lan'
        option mmx_mask '0x3F00'
        option rtmon_interval '5'

config interface 'wan'
        option enabled '0'
        list track_ip '8.8.4.4'
        option family 'ipv4'
        option reliability '2'
        option count '1'
        option timeout '2'
        option failure_latency '1000'
        option recovery_latency '500'
        option failure_loss '20'
        option recovery_loss '5'
        option interval '5'
        option down '3'
        option up '8'

config interface 'vpnwan'
        option enabled '0'
        list track_ip '8.8.4.4'
        option family 'ipv4'
        option reliability '1'
        option count '1'
        option timeout '2'
        option failure_latency '1000'
        option recovery_latency '500'
        option failure_loss '20'
        option recovery_loss '5'
        option interval '5'
        option down '3'
        option up '8'

config member 'wan_m1_w1'
        option interface 'wan'

config member 'vpnwan_m1_w1'
        option interface 'vpnwan'

config policy 'vpnwan_only'
        list use_member 'vpnwan_m1_w1'

config policy 'wan_only'
        list use_member 'wan_m1_w1'

config rule 'guest'
        option use_policy 'vpnwan_only'
        option src_ip '192.168.1.0/24'

config rule 'lan'
        option use_policy 'wan_only'
        option src_ip '10.0.0.0/24'

config rule 'default_rule'
        option dest_ip '0.0.0.0/0'
        option use_policy 'vpnwan_only'

I just tried running only OpenVPN, not mwan3. The router has internet access, but clients don't. I think it's because my firewall has this line:

config forwarding
        option src 'lan'
        option dest 'wan'

but my routing table has

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         <tun0 ip>      128.0.0.0       UG    0      0        0 tun0
0.0.0.0         <wan gateway>    0.0.0.0       UG    10     0        0 eth1
...

So lan packets would be routed over vpn (tun0) because the metric is lower, but the firewall only allows forwarding to the wan interface.

I tried setting route-metric 80 in my OpenVPN config, but it set the metric on the wrong route. The default route still has metric=0.

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         <tun0 ip>      128.0.0.0       UG    0      0        0 tun0
0.0.0.0         <wan gateway>  0.0.0.0         UG    10     0        0 eth1
<tun0 ip>      <vpn gateway>   255.255.255.255 UGH   80     0        0 tun0

I'm not thrilled with the solution, but I got my network to at least look like a normal network with two wan interfaces.

I added these lines to my OpenVPN client config:

script-security 2
route-up route-up.sh
route-noexec

And route-up.sh:

#!/bin/sh
ip route add 0.0.0.0/0 via "$route_vpn_gateway" dev "$dev" metric 20   # both variables are exported by OpenVPN to route-up scripts

I'll try mwan3 on top of this config.
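The script below is an added example, not code from this thread or from OpenVPN, mwan3 or OpenWrt. It is a dry run of the two checks the second and third posts are really about: which route the kernel picks for a destination, and whether a firewall forwarding exists from the client zone to the zone that holds that egress interface. It models the kernel's selection order, longest matching prefix first and metric only as a tie-break between routes of equal prefix length, which is why the two /1 routes that redirect-gateway def1 installs beat any /0 route whatever its metric, while the plain 0.0.0.0/0 route added by the route-up workaround does compete on metric. The routing tables, the 10.8.0.x, 203.0.113.1 and 198.51.100.7 addresses (standing in for the <tun0 ip>, <wan gateway> and VPN server placeholders), the `vpn` zone name and the `lan -> vpn` forwarding are all constructed for the demo; the network-to-ifname mapping is taken from the /etc/config/network shown in the first post.

```shell
#!/bin/sh
# Added example (not from the thread): model kernel route selection and
# firewall zone forwarding over constructed tables, without touching the
# live router. route_lookup() picks the route the kernel would use (longest
# prefix, then lowest metric); forwarding_allows() checks whether a zone may
# forward to the interface that route uses.

# Constructed "route -n" output for the second post: redirect-gateway def1
# (two /1 routes over tun0), a host route to the VPN server via the wan
# gateway, and the peer host route OpenVPN added with metric 80.
ROUTES_DEF1='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.8.0.5        128.0.0.0       UG    0      0        0 tun0
128.0.0.0       10.8.0.5        128.0.0.0       UG    0      0        0 tun0
0.0.0.0         203.0.113.1     0.0.0.0         UG    10     0        0 eth1
198.51.100.7    203.0.113.1     255.255.255.255 UGH   0      0        0 eth1
10.8.0.5        10.8.0.6        255.255.255.255 UGH   80     0        0 tun0'

# Constructed table for the third post's workaround: route-noexec plus a
# route-up script adding a plain 0.0.0.0/0 over tun0 with metric 20.
ROUTES_METRIC='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.8.0.5        0.0.0.0         UG    20     0        0 tun0
0.0.0.0         203.0.113.1     0.0.0.0         UG    10     0        0 eth1
10.8.0.5        10.8.0.6        255.255.255.255 UGH   80     0        0 tun0'

# network -> ifname, from the /etc/config/network in the first post
NETWORKS='lan eth0
wan eth1
vpnwan tun0
guestlan eth2'

# zone -> network and src -> dest forwardings as the second post describes
# them: only lan -> wan exists and tun0 belongs to no zone.
ZONES_BEFORE='lan lan
wan wan'
FORWARDINGS_BEFORE='lan wan'

# Same tables with the fix the reply suggests: a zone holding the vpnwan
# interface and a forwarding from lan into it (zone name "vpn" is assumed).
ZONES_AFTER="$ZONES_BEFORE
vpn vpnwan"
FORWARDINGS_AFTER="$FORWARDINGS_BEFORE
lan vpn"

# route_lookup DEST TABLE: print the Iface column of the route the kernel
# would choose for DEST (longest prefix wins; metric only breaks ties).
route_lookup() {
    printf '%s\n' "$2" | awk -v dst="$1" '
    function ip2int(s,    a) { split(s, a, "."); return ((a[1] * 256 + a[2]) * 256 + a[3]) * 256 + a[4] }
    function masklen(s,    a, i, o, n) {
        split(s, a, "."); n = 0
        for (i = 1; i <= 4; i++) { o = a[i]; while (o > 0) { n += o % 2; o = int(o / 2) } }
        return n
    }
    BEGIN { d = ip2int(dst); best_len = -1; best_metric = 0; best_if = "" }
    $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
        len = masklen($3); div = 2 ^ (32 - len)
        if (int(ip2int($1) / div) != int(d / div)) next   # prefix does not cover dst
        if (len > best_len || (len == best_len && $5 + 0 < best_metric)) {
            best_len = len; best_metric = $5 + 0; best_if = $8
        }
    }
    END { print best_if }'
}

# zone_for_iface IFACE ZONES: print the zone whose network owns IFACE, if any.
zone_for_iface() {
    net=$(printf '%s\n' "$NETWORKS" | awk -v i="$1" '$2 == i { print $1 }')
    [ -n "$net" ] || return 0
    printf '%s\n' "$2" | awk -v n="$net" '$2 == n { print $1 }'
}

# forwarding_allows SRC_ZONE IFACE ZONES FORWARDINGS: one-line verdict.
forwarding_allows() {
    dz=$(zone_for_iface "$2" "$3")
    if [ -z "$dz" ]; then
        printf 'blocked: %s is in no firewall zone\n' "$2"
    elif printf '%s\n' "$4" | awk -v s="$1" -v d="$dz" '$1 == s && $2 == d { f = 1 } END { exit (f ? 0 : 1) }'; then
        printf 'ok: forwarding %s -> %s covers %s\n' "$1" "$dz" "$2"
    else
        printf 'blocked: no forwarding %s -> %s for %s\n' "$1" "$dz" "$2"
    fi
}

# Demo: where does traffic from the lan zone go, and may it be forwarded?
for dst in 8.8.8.8 198.51.100.7; do
    egress=$(route_lookup "$dst" "$ROUTES_DEF1")
    printf 'def1 table,   %-13s -> %s: %s\n' "$dst" "$egress" \
        "$(forwarding_allows lan "$egress" "$ZONES_BEFORE" "$FORWARDINGS_BEFORE")"
done
egress=$(route_lookup 8.8.8.8 "$ROUTES_METRIC")
printf 'metric table, %-13s -> %s: %s\n' 8.8.8.8 "$egress" \
    "$(forwarding_allows lan "$egress" "$ZONES_BEFORE" "$FORWARDINGS_BEFORE")"
printf 'with vpn zone: %s\n' "$(forwarding_allows lan tun0 "$ZONES_AFTER" "$FORWARDINGS_AFTER")"
```

Run it with `sh` on any box with awk. To check a real router, replace the constructed tables with the output of `route -n` and the zone and forwarding sections of /etc/config/firewall; the def1 table sends 8.8.8.8 to tun0 but only the VPN server's /32 to eth1, the metric table sends 8.8.8.8 to eth1 because the two /0 routes are now equal-length and the lower metric wins, and the forwarding check reports tun0 as blocked until a zone contains it and lan is allowed to forward there.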

You should just enable forwarding from lan to vpn (create network interface, and zone before).