root@OpenWrt:~# cat /etc/banner | grep Open
OpenWrt 19.07.8, r11364-ef56c85848
root@OpenWrt:~# uci show network.vpn.auto
network.vpn.auto='0'
root@OpenWrt:~# echo "Internet over $(curl -s ifconfig.me)"
Internet over 77.xx.xxx.xx
root@OpenWrt:~# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 192.168.180.1 0.0.0.0 UG 0 0 0 br-lan
192.168.180.0 * 255.255.255.0 U 0 0 0 br-lan
root@OpenWrt:~# ifup vpn
root@OpenWrt:~# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default * 0.0.0.0 U 0 0 0 vpn-vpn
10.10.10.0 * 255.255.255.0 U 0 0 0 vpn-vpn
95.xxx.xx.xxx 192.168.180.1 255.255.255.255 UGH 0 0 0 br-lan
192.168.180.0 * 255.255.255.0 U 0 0 0 br-lan
root@OpenWrt:~# echo "Internet over $(curl -s ifconfig.me)"
Internet over 95.xxx.xx.xxx
root@OpenWrt:~# ifdown vpn
!!! THERE IS AN ERROR IN OUR ROUTING TABLE !!!
root@OpenWrt:~# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
95.xxx.xx.xxx 192.168.180.1 255.255.255.255 UGH 0 0 0 br-lan
192.168.180.0 * 255.255.255.0 U 0 0 0 br-lan
root@OpenWrt:~# cat fix
#!/bin/sh
t="$(ip route)"
dest="$(echo "$t" | awk '$2 == "via" {print $1}' )"
gate="$(echo "$t" | awk '$2 == "via" {print $3}' )"
iface="$(echo "$t" | awk '$2 == "via" {print $5}' )"
logger -t fixroute "dest=$dest gate=$gate iface=$iface"
ip route del "$dest"
ip route add default via "$gate" dev "$iface"
root@OpenWrt:~# ./fix
root@OpenWrt:~# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 192.168.180.1 0.0.0.0 UG 0 0 0 br-lan
192.168.180.0 * 255.255.255.0 U 0 0 0 br-lan
You could place a fix in the vpnc-script/netifd "framework".
Attention!
It is not enough to wait for "down" of vpn interface.
The routing table is updated asynchronously by dnsmasq (as far as I understood...)
Maybe there is a cooler way to wait for dnsmasq than parsing the output of "route" until vpn disappears.
Of course, it would be really cool if someone could fix the error.
root@OpenWrt:~# mkdir /etc/openconnect/post-disconnect.d
root@OpenWrt:~# vi /etc/openconnect/post-disconnect.d/fix
root@OpenWrt:~# cat /etc/openconnect/post-disconnect.d/fix
# wait for system to update routing table; removed vpn interface in our case
while [ "$(ip route show $TUNDEV)" != "" ]; do
sleep 1
done
t="$(ip route)"
dest="$(echo "$t" | awk '$2 == "via" {print $1}' )"
gate="$(echo "$t" | awk '$2 == "via" {print $3}' )"
iface="$(echo "$t" | awk '$2 == "via" {print $5}' )"
logger -t openconnect "dest=$dest gate=$gate iface=$iface"
ip route del "$dest"
ip route add default via "$gate" dev "$iface"
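A more defensive form of the hook above, as an added example that is not part of the original posts: it repairs the table only when the default route is missing and exactly one host route via a gateway is left over, so it does nothing once a LAN metric keeps the original gateway in place. The names `find_orphan` and `apply_route_fix`, the 30-second wait limit and the sample tables (with 203.0.113.7 standing in for the VPN server) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. The sample tables below are constructed.

# Read `ip route` output on stdin. If the default route is missing and exactly
# one host route via a gateway is left over, print "dest gateway iface".
# Print nothing when a default route exists or the table is ambiguous.
find_orphan() {
    awk '
        $1 == "default" { has_default = 1 }
        $1 != "default" && index($1, "/") == 0 && $2 == "via" && $4 == "dev" {
            n++; dest = $1; gate = $3; iface = $5
        }
        END { if (!has_default && n == 1) print dest, gate, iface }
    '
}

# Hypothetical hook body: wait (bounded) until the tunnel routes are gone,
# then delete the leftover host route and restore the default route.
apply_route_fix() {
    tries=0
    while [ -n "$(ip route show dev "$TUNDEV" 2>/dev/null)" ] && [ "$tries" -lt 30 ]; do
        sleep 1
        tries=$((tries + 1))
    done
    ip route | find_orphan | while read -r dest gate iface; do
        logger -t fixroute "dest=$dest gate=$gate iface=$iface"
        ip route del "$dest" via "$gate" dev "$iface"
        ip route add default via "$gate" dev "$iface"
    done
}

# Constructed samples in `ip route` output format.
BROKEN='203.0.113.7 via 192.168.180.1 dev br-lan
192.168.180.0/24 dev br-lan scope link src 192.168.180.2'

WITH_METRIC='default via 192.168.180.1 dev br-lan metric 50
203.0.113.7 via 192.168.180.1 dev br-lan metric 50
192.168.180.0/24 dev br-lan scope link metric 50'

# Demo on the samples only; apply_route_fix is not called here.
printf 'broken table      -> %s\n' "$(printf '%s\n' "$BROKEN" | find_orphan)"
printf 'lan metric 50 set -> %s\n' "$(printf '%s\n' "$WITH_METRIC" | find_orphan)"
```

To use it as the post-disconnect hook, call `apply_route_fix` at the end of the file instead of the two demo lines.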
You can change the metric of the lan interface. Then, when you bring up the vpn both gateways will be in the routing table. And when the vpn goes down the original gateway will still be there.
I need to clarify a few things.
It is OpenWRT on a Raspberry PI 3B+
I have tried version 21.02.0 and version 19.07.8.
The Raspberry has only one physical LAN connection.
I am absolutely new to OpenWRT.
As far as I found out, I am missing a WAN interface in contrast to a "normal" OpenWRT configuration.
On the PI, the route is "broken" when the VPN connection is terminated.
The routing table is modified by the script /lib/netifd/vpnc-script.
Therefore, I have no idea at all how I should introduce metrics there.
uci set network.lan.metric='50'
uci commit network
/etc/init.d/network restart
After that, your routing table should look like that:
root@OpenWrt:~# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 192.168.180.1 0.0.0.0 UG 50 0 0 br-lan
192.168.180.0 * 255.255.255.0 U 50 0 0 br-lan
root@OpenWrt:~# ifup vpn
root@OpenWrt:~# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default * 0.0.0.0 U 0 0 0 vpn-vpn
default 192.168.180.1 0.0.0.0 UG 50 0 0 br-lan
10.10.10.0 * 255.255.255.0 U 0 0 0 vpn-vpn
95.xxx.xx.xxx 192.168.180.1 255.255.255.255 UGH 50 0 0 br-lan
192.168.180.0 * 255.255.255.0 U 50 0 0 br-lan
root@OpenWrt:~# ifdown vpn
root@OpenWrt:~# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 192.168.180.1 0.0.0.0 UG 50 0 0 br-lan
95.xxx.xx.xxx 192.168.180.1 255.255.255.255 UGH 50 0 0 br-lan
192.168.180.0 * 255.255.255.0 U 50 0 0 br-lan
Thank you very much. Works perfectly.
If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.