Hello!
I have used DD-WRT for a while, but am completely new to OpenWrt. I made the switch to have more flexibility and to get a specific use case working.
I am sure what I am trying to do is trivial, and I have searched the forums for a few days looking for a solution that will work for me, but I have yet to solve this issue.
I have an OpenVPN server running on a remote site that I use to connect to my office, from my RV while on the road. My OpenWrt router has a single LAN and my WAN varies based on location. Sometimes I use an ethernet connection to my hotspot, and sometimes I use WWAN to a camp wifi network.
I have configured OpenVPN client (TAP) from the OpenWrt router. I do not enforce the default gateway to the VPN in the config, so as it is now, all clients access using a split tunnel.
Basic topology:
10.1.10.0/24 (Office LAN)
10.1.12.0/24 (OpenWrt LAN)
10.1.13.0/24 (OpenVPN Network)
My OpenWrt connects to the OpenVPN server without issue and is assigned 10.1.13.2 as its client IP. All clients on the 10.1.12.0/24 LAN can access resources on 10.1.10.0/24. All internet traffic from 10.1.12.0/24 goes out the default gateway on OpenWrt.
I would like to have 2 clients (10.1.12.225 & 10.1.12.226) have a default gateway pointing to the OpenVPN connection, so that their internet access uses the "Office Network's" internet connection.
I have attempted to configure VPN Policy-Based Routing using guides and forum posts, but have not yet had success. If I enable PBR for 10.1.12.225 and point it to the interface that was configured with the OpenVPN connection, the client is no longer able to reach the internet or the 10.1.10.0/24 network.
Once PBR is configured, a ping from 10.1.12.225 to 10.1.10.1 gives the following (10.1.13.2 is the VPN client IP of the OpenWrt router):
Ping "Office LAN" and Google DNS
Pinging 10.1.10.1 with 32 bytes of data:
Reply from 10.1.13.2: Destination host unreachable.
Reply from 10.1.13.2: Destination host unreachable.
Reply from 10.1.13.2: Destination host unreachable.
Reply from 10.1.13.2: Destination host unreachable.
Pinging 8.8.8.8 with 32 bytes of data:
Reply from 10.1.13.2: Destination host unreachable.
Reply from 10.1.13.2: Destination host unreachable.
Reply from 10.1.13.2: Destination host unreachable.
Reply from 10.1.13.2: Destination host unreachable.
If I ping 8.8.8.8, tcpdump on the VPN interface shows strange ARP behavior from 10.1.13.2 (the VPN client IP of the OpenWrt router):
ARP Results
14:38:49.620793 ARP, Request who-has dns.google tell 10.1.13.2, length 28
14:38:50.663493 ARP, Request who-has dns.google tell 10.1.13.2, length 28
14:38:51.703496 ARP, Request who-has dns.google tell 10.1.13.2, length 28
14:38:52.740097 ARP, Request who-has dns.google tell 10.1.13.2, length 28
14:38:53.773494 ARP, Request who-has dns.google tell 10.1.13.2, length 28
14:38:54.823493 ARP, Request who-has dns.google tell 10.1.13.2, length 28
Config Files:
/etc/config/network
config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '10.1.12.1'
	option ifname 'eth0.1'
	option ipv6 'off'

config interface 'wan'
	option ifname 'eth1.2'
	option proto 'dhcp'
	option ipv6 'off'

config interface 'wan6'
	option ifname 'eth1.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 3 5t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '4 6t'

config interface 'wwan'
	option proto 'dhcp'
	option auto '0'

config interface 'home'
	option proto 'none'
	option ifname 'tap0'
/etc/config/firewall
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6 wwan'

config zone
	option name 'VPN_FW'
	option forward 'REJECT'
	option output 'ACCEPT'
	option input 'REJECT'
	option masq '1'
	option network 'home'
	option mtu_fix '1'
/etc/config/vpn-policy-routing
config vpn-policy-routing 'config'
	option verbosity '2'
	option strict_enforcement '1'
	option dest_ipset 'dnsmasq.ipset'
	option ipv6_enabled '0'
	list supported_interface ''
	list ignored_interface 'vpnserver wgserver'
	option boot_timeout '30'
	option iptables_rule_option 'append'
	option webui_sorting '1'
	list webui_supported_protocol 'tcp'
	list webui_supported_protocol 'udp'
	list webui_supported_protocol 'tcp udp'
	list webui_supported_protocol 'icmp'
	list webui_supported_protocol 'all'
	option enabled '1'
	option webui_enable_column '1'
	option iprule_enabled '0'
	option src_ipset '0'
	option webui_protocol_column '1'
	option webui_chain_column '1'

config include
	option path '/etc/vpn-policy-routing.netflix.user'
	option enabled '0'

config include
	option path '/etc/vpn-policy-routing.aws.user'
	option enabled '0'

config policy
	option name 'Desktop'
	option src_addr '10.1.12.190'
	option interface 'home'
	option proto 'all'
Diags:
/etc/init.d/vpn-policy-routing support
vpn-policy-routing 0.2.1-13 running on OpenWrt 19.07.5. WAN (IPv4): wan/dev/192.168.1.1.
============================================================
Dnsmasq version 2.80 Copyright (c) 2000-2018 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC no-ID loop-detect inotify dumpfile
============================================================
Routes/IP Rules
default 192.168.1.1 0.0.0.0 UG 0 0 0 eth1.2
IPv4 Table 201: default via 192.168.1.1 dev eth1.2
IPv4 Table 201 Rules:
32744: from all fwmark 0x10000/0xff0000 lookup 201
IPv4 Table 202: unreachable default
IPv4 Table 202 Rules:
32743: from all fwmark 0x20000/0xff0000 lookup 202
IPv4 Table 203: default via 10.1.13.2 dev tap0
IPv4 Table 203 Rules:
32742: from all fwmark 0x30000/0xff0000 lookup 203
============================================================
IP Tables PREROUTING
-N VPR_PREROUTING
-A VPR_PREROUTING -s 10.1.12.190/32 -m comment --comment Desktop -c 81 6862 -j MARK --set-xmark 0x30000/0xff0000
-A VPR_PREROUTING -m set --match-set home dst -c 0 0 -j MARK --set-xmark 0x30000/0xff0000
-A VPR_PREROUTING -m set --match-set wwan dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_PREROUTING -m set --match-set wan dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
============================================================
IP Tables FORWARD
-N VPR_FORWARD
-A VPR_FORWARD -m set --match-set home dst -c 0 0 -j MARK --set-xmark 0x30000/0xff0000
-A VPR_FORWARD -m set --match-set wwan dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_FORWARD -m set --match-set wan dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
============================================================
IP Tables INPUT
-N VPR_INPUT
-A VPR_INPUT -m set --match-set home dst -c 0 0 -j MARK --set-xmark 0x30000/0xff0000
-A VPR_INPUT -m set --match-set wwan dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_INPUT -m set --match-set wan dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
============================================================
IP Tables OUTPUT
-N VPR_OUTPUT
-A VPR_OUTPUT -m set --match-set home dst -c 0 0 -j MARK --set-xmark 0x30000/0xff0000
-A VPR_OUTPUT -m set --match-set wwan dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_OUTPUT -m set --match-set wan dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
============================================================
Current ipsets
create wan hash:net family inet hashsize 1024 maxelem 65536 comment
create wwan hash:net family inet hashsize 1024 maxelem 65536 comment
create home hash:net family inet hashsize 1024 maxelem 65536 comment
============================================================
/etc/init.d/vpn-policy-routing reload
Creating table 'wan/eth1.2/192.168.1.1' [✓]
Creating table 'wwan//0.0.0.0' [✓]
Creating table 'home/tap0/10.1.13.2' [✓]
Routing 'Desktop' via home [✓]
vpn-policy-routing 0.2.1-13 started with gateways:
wan/eth1.2/192.168.1.1 [✓]
wwan//0.0.0.0
home/tap0/10.1.13.2
vpn-policy-routing 0.2.1-13 monitoring interfaces: wan wwan home .
Any ideas what I am missing?
Thanks in advance
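The diag output above contains the clue: table 203 is "default via 10.1.13.2 dev tap0", and 10.1.13.2 is the router's own address on tap0 (the 'home' interface is proto 'none', so vpn-policy-routing has no real next hop to use and falls back to the interface address). Linux installs a route whose "via" address is local to the host as a directly connected route, so instead of forwarding to a next hop it ARPs on tap0 for the final destination itself, which is exactly the "who-has dns.google tell 10.1.13.2" seen in tcpdump; when nobody answers, the router generates the "Destination host unreachable" replies from 10.1.13.2. The following POSIX shell check is an added example, not part of the original post or of vpn-policy-routing: it parses `ip -4 -o addr` and `ip route show table N` output and reports a gateway table whose next hop is the router's own address. The sample inputs are constructed to mirror the post's diag output; the 192.168.1.147 WAN address is a placeholder, since the post does not give it.

```shell
#!/bin/sh
# Added example: detect a policy-routing table whose "via" address is one of
# this router's OWN addresses (the kernel then treats the route as on-link
# and ARPs for every destination instead of sending to a next hop).
# Sample inputs are constructed; 192.168.1.147 is a placeholder WAN address.

IP_ADDR_SAMPLE='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
9: br-lan    inet 10.1.12.1/24 brd 10.1.12.255 scope global br-lan\       valid_lft forever preferred_lft forever
6: eth1.2    inet 192.168.1.147/24 brd 192.168.1.255 scope global eth1.2\       valid_lft forever preferred_lft forever
12: tap0    inet 10.1.13.2/24 brd 10.1.13.255 scope global tap0\       valid_lft forever preferred_lft forever'

# What "ip route show table 203" returns in the post's diag output.
TABLE_203_SAMPLE='default via 10.1.13.2 dev tap0'

# local_addrs "<ip -4 -o addr output>": prints one IPv4 address per line.
local_addrs() {
    printf '%s\n' "$1" | awk '$3 == "inet" { sub("/.*", "", $4); print $4 }'
}

# table_gateway "<ip route show table N output>": prints the default route's
# "via" address, or nothing if the table has no "default via ..." entry.
table_gateway() {
    printf '%s\n' "$1" | sed -n 's/^default via \([0-9.]*\).*/\1/p' | head -n 1
}

# check_gateway "<route table output>" "<local address list>"
# prints:  ok     gateway is another host on the link (a real next hop)
#          local  gateway is this router's own address (on-link ARP, broken)
#          none   the table has no default gateway at all
# returns 0 only for "ok", so it can be used in an if / || chain.
check_gateway() {
    gw=$(table_gateway "$1")
    if [ -z "$gw" ]; then
        echo none
        return 1
    fi
    if printf '%s\n' "$2" | grep -qxF "$gw"; then
        echo local
        return 1
    fi
    echo ok
}

# Run against the constructed samples. On a router, replace them with:
#   check_gateway "$(ip route show table 203)" "$(local_addrs "$(ip -4 -o addr)")"
result=$(check_gateway "$TABLE_203_SAMPLE" "$(local_addrs "$IP_ADDR_SAMPLE")") || true
echo "table 203 gateway check: $result"   # prints "table 203 gateway check: local"
```

A result of "local" means vpn-policy-routing needs to be given a real next hop for tap0, i.e. the OpenVPN server's address on 10.1.13.0/24 (assumed here, the post does not show it); whether that comes from defining 'home' as a static interface with an explicit gateway (with a metric that keeps it from overriding the WAN default route) or from a route-gateway pushed by the server is a configuration choice this example does not make.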