OpenVPN and PBR for a couple of hosts

Hello!

I have used DD-WRT for a while, but am completely new to OpenWrt. I made the switch to have more flexibility and to get a specific use case working.

I am sure what I am trying to do is trivial, and I have searched the forums for a few days looking for a solution that will work for me, but I have yet to solve this issue.

I have an OpenVPN server running on a remote site that I use to connect to my office, from my RV while on the road. My OpenWrt router has a single LAN and my WAN varies based on location. Sometimes I use an ethernet connection to my hotspot, and sometimes I use WWAN to a camp wifi network.

I have configured OpenVPN client (TAP) from the OpenWrt router. I do not enforce the default gateway to the VPN in the config, so as it is now, all clients access using a split tunnel.

Basic topology:

10.1.10.0/24 (Office LAN)
10.1.12.0/24 (OpenWrt LAN)
10.1.13.0/24 (OpenVPN Network)

My OpenWrt connects to the OpenVPN server without issue and is assigned 10.1.13.2 as its client IP. All clients on the 10.1.12.0/24 LAN can access resources on 10.1.10.0/24. All internet traffic from 10.1.12.0/24 goes out the default gateway on OpenWrt.

I would like to have 2 clients (10.1.12.225 & 10.1.12.226) have a default gateway pointing to the OpenVPN connection, therefore having internet access use the "Office Network's" internet connection.

I have attempted to configure VPN Policy-Based Routing using guides and forum posts, but have not yet had success. If I enable PBR for 10.1.12.225 and point it to the interface that was configured with the OpenVPN connection, the client is no longer able to reach the internet or the 10.1.10.0/24 network.

Once PBR is configured, a ping from 10.1.12.225 to 10.1.10.1 results in the following (10.1.13.2 is the VPN client IP of the OpenWrt router):

Ping "Office LAN" and Google DNS

Pinging 10.1.10.1 with 32 bytes of data:
Reply from 10.1.13.2: Destination host unreachable.
Reply from 10.1.13.2: Destination host unreachable.
Reply from 10.1.13.2: Destination host unreachable.
Reply from 10.1.13.2: Destination host unreachable.

Pinging 8.8.8.8 with 32 bytes of data:
Reply from 10.1.13.2: Destination host unreachable.
Reply from 10.1.13.2: Destination host unreachable.
Reply from 10.1.13.2: Destination host unreachable.
Reply from 10.1.13.2: Destination host unreachable.

If I ping 8.8.8.8, tcpdump on the VPN interface shows strange ARP behavior from 10.1.13.2 (the VPN client IP of the OpenWrt router):

ARP Results

14:38:49.620793 ARP, Request who-has dns.google tell 10.1.13.2, length 28
14:38:50.663493 ARP, Request who-has dns.google tell 10.1.13.2, length 28
14:38:51.703496 ARP, Request who-has dns.google tell 10.1.13.2, length 28
14:38:52.740097 ARP, Request who-has dns.google tell 10.1.13.2, length 28
14:38:53.773494 ARP, Request who-has dns.google tell 10.1.13.2, length 28
14:38:54.823493 ARP, Request who-has dns.google tell 10.1.13.2, length 28

Config Files:

/etc/config/network

config interface 'loopback'
     option ifname 'lo'
     option proto 'static'
     option ipaddr '127.0.0.1'
     option netmask '255.0.0.0'
config interface 'lan'
     option type 'bridge'
     option proto 'static'
     option netmask '255.255.255.0'
     option ip6assign '60'
     option ipaddr '10.1.12.1'
     option ifname 'eth0.1'
     option ipv6 'off'

config interface 'wan'
     option ifname 'eth1.2'
     option proto 'dhcp'
     option ipv6 'off'

config interface 'wan6'
     option ifname 'eth1.2'
     option proto 'dhcpv6'

config switch
     option name 'switch0'
     option reset '1'
     option enable_vlan '1'

config switch_vlan
     option device 'switch0'
     option vlan '1'
     option ports '0 1 2 3 5t'

config switch_vlan
     option device 'switch0'
     option vlan '2'
     option ports '4 6t'

config interface 'wwan'
     option proto 'dhcp'
     option auto '0'

config interface 'home'
     option proto 'none'
     option ifname 'tap0'

/etc/config/firewall

config zone
     option name 'lan'
     option input 'ACCEPT'
     option output 'ACCEPT'
     option forward 'ACCEPT'
     option network 'lan'
config zone
     option name 'wan'
     option input 'REJECT'
     option output 'ACCEPT'
     option forward 'REJECT'
     option masq '1'
     option mtu_fix '1'
     option network 'wan wan6 wwan'

config zone
     option name 'VPN_FW'
     option forward 'REJECT'
     option output 'ACCEPT'
     option input 'REJECT'
     option masq '1'
     option network 'home'
     option mtu_fix '1'

/etc/config/vpn-policy-routing

config vpn-policy-routing 'config'
     option verbosity '2'
     option strict_enforcement '1'
     option dest_ipset 'dnsmasq.ipset'
     option ipv6_enabled '0'
     list supported_interface ''
     list ignored_interface 'vpnserver wgserver'
     option boot_timeout '30'
     option iptables_rule_option 'append'
     option webui_sorting '1'
     list webui_supported_protocol 'tcp'
     list webui_supported_protocol 'udp'
     list webui_supported_protocol 'tcp udp'
     list webui_supported_protocol 'icmp'
     list webui_supported_protocol 'all'
     option enabled '1'
     option webui_enable_column '1'
     option iprule_enabled '0'
     option src_ipset '0'
     option webui_protocol_column '1'
     option webui_chain_column '1'
config include
     option path '/etc/vpn-policy-routing.netflix.user'
     option enabled '0'

config include
     option path '/etc/vpn-policy-routing.aws.user'
     option enabled '0'

config policy
     option name 'Desktop'
     option src_addr '10.1.12.190'
     option interface 'home'
     option proto 'all'

Diags:

/etc/init.d/vpn-policy-routing support

vpn-policy-routing 0.2.1-13 running on OpenWrt 19.07.5. WAN (IPv4): wan/dev/192.168.1.1.
============================================================
Dnsmasq version 2.80  Copyright (c) 2000-2018 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC no-ID loop-detect inotify dumpfile
============================================================
Routes/IP Rules
default         192.168.1.1     0.0.0.0         UG    0      0        0 eth1.2
IPv4 Table 201: default via 192.168.1.1 dev eth1.2
IPv4 Table 201 Rules:
32744:  from all fwmark 0x10000/0xff0000 lookup 201
IPv4 Table 202: unreachable default
IPv4 Table 202 Rules:
32743:  from all fwmark 0x20000/0xff0000 lookup 202
IPv4 Table 203: default via 10.1.13.2 dev tap0
IPv4 Table 203 Rules:
32742:  from all fwmark 0x30000/0xff0000 lookup 203
============================================================
IP Tables PREROUTING
-N VPR_PREROUTING
-A VPR_PREROUTING -s 10.1.12.190/32 -m comment --comment Desktop -c 81 6862 -j MARK --set-xmark 0x30000/0xff0000
-A VPR_PREROUTING -m set --match-set home dst -c 0 0 -j MARK --set-xmark 0x30000/0xff0000
-A VPR_PREROUTING -m set --match-set wwan dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_PREROUTING -m set --match-set wan dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
============================================================
IP Tables FORWARD
-N VPR_FORWARD
-A VPR_FORWARD -m set --match-set home dst -c 0 0 -j MARK --set-xmark 0x30000/0xff0000
-A VPR_FORWARD -m set --match-set wwan dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_FORWARD -m set --match-set wan dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
============================================================
IP Tables INPUT
-N VPR_INPUT
-A VPR_INPUT -m set --match-set home dst -c 0 0 -j MARK --set-xmark 0x30000/0xff0000
-A VPR_INPUT -m set --match-set wwan dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_INPUT -m set --match-set wan dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
============================================================
IP Tables OUTPUT
-N VPR_OUTPUT
-A VPR_OUTPUT -m set --match-set home dst -c 0 0 -j MARK --set-xmark 0x30000/0xff0000
-A VPR_OUTPUT -m set --match-set wwan dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_OUTPUT -m set --match-set wan dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
============================================================
Current ipsets
create wan hash:net family inet hashsize 1024 maxelem 65536 comment
create wwan hash:net family inet hashsize 1024 maxelem 65536 comment
create home hash:net family inet hashsize 1024 maxelem 65536 comment
============================================================
/etc/init.d/vpn-policy-routing reload

Creating table 'wan/eth1.2/192.168.1.1' [✓]
Creating table 'wwan//0.0.0.0' [✓]
Creating table 'home/tap0/10.1.13.2' [✓]
Routing 'Desktop' via home [✓]
vpn-policy-routing 0.2.1-13 started with gateways:
wan/eth1.2/192.168.1.1 [✓]
wwan//0.0.0.0
home/tap0/10.1.13.2
vpn-policy-routing 0.2.1-13 monitoring interfaces: wan wwan home .

Any ideas what I am missing?

Thanks in advance
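Added example (not code from the thread or from the vpn-policy-routing project): a small checker that parses the `vpn-policy-routing support` dump quoted in the post above and flags the two things visible in it. First, the table VPR built for `home` (`home/tap0/10.1.13.2`) uses 10.1.13.2, which the post says is the router's own VPN client address, as the gateway; a default route whose "via" is a local address gives the kernel no real next hop, so it ARPs on tap0 for every destination, which is exactly the `who-has dns.google tell 10.1.13.2` seen in the tcpdump. Second, the only source-based mark rule is for 10.1.12.190, so 10.1.12.225 and 10.1.12.226 are not covered by any policy. The support output and the set of local addresses are constructed from the post; on a live router you would feed it the real `support` output and the addresses from `ip -4 addr`.

```python
"""Sanity-check a 'vpn-policy-routing support' dump for policy-based routing.

Added example, not part of the forum thread. It parses the per-fwmark routing
tables, the ip rules that select them and the VPR_PREROUTING mark rules, then
reports tables with a bogus next hop and hosts that no policy marks.
"""
import ipaddress
import re

# Constructed from the diagnostic lines quoted in the post (not live output).
SUPPORT_OUTPUT = """\
IPv4 Table 201: default via 192.168.1.1 dev eth1.2
IPv4 Table 201 Rules:
32744:  from all fwmark 0x10000/0xff0000 lookup 201
IPv4 Table 202: unreachable default
IPv4 Table 202 Rules:
32743:  from all fwmark 0x20000/0xff0000 lookup 202
IPv4 Table 203: default via 10.1.13.2 dev tap0
IPv4 Table 203 Rules:
32742:  from all fwmark 0x30000/0xff0000 lookup 203
-A VPR_PREROUTING -s 10.1.12.190/32 -m comment --comment Desktop -c 81 6862 -j MARK --set-xmark 0x30000/0xff0000
-A VPR_PREROUTING -m set --match-set home dst -c 0 0 -j MARK --set-xmark 0x30000/0xff0000
"""

# Assumed set of the router's own IPv4 addresses: the LAN address and the VPN
# client address given in the post. A live check would read 'ip -4 addr'.
LOCAL_ADDRS = {"10.1.12.1", "10.1.13.2"}

# The two hosts the post wants sent through the VPN.
WANTED_HOSTS = ["10.1.12.225", "10.1.12.226"]

TABLE_RE = re.compile(r"^IPv4 Table (\d+): (.+)$")
RULE_RE = re.compile(r"fwmark (0x[0-9a-f]+)/(0x[0-9a-f]+) lookup (\d+)")
POLICY_RE = re.compile(
    r"^-A VPR_PREROUTING (.*?)-j MARK --set-xmark (0x[0-9a-f]+)/(0x[0-9a-f]+)")
SRC_RE = re.compile(r"-s (\S+)")


def parse_support(text):
    """Extract tables {id: {gw, dev, unreachable}}, rules [(mark, mask, table)]
    and policies [{src, mark, mask}] from the support output."""
    tables, rules, policies = {}, [], []
    for line in text.splitlines():
        line = line.strip()
        m = TABLE_RE.match(line)
        if m:
            tid, route = int(m.group(1)), m.group(2)
            via = re.match(r"default via (\S+) dev (\S+)", route)
            if via:
                tables[tid] = {"gw": via.group(1), "dev": via.group(2), "unreachable": False}
            else:
                onlink = re.match(r"default dev (\S+)", route)
                tables[tid] = {"gw": None,
                               "dev": onlink.group(1) if onlink else None,
                               "unreachable": route.startswith("unreachable")}
            continue
        m = RULE_RE.search(line)
        if m:
            rules.append((int(m.group(1), 16), int(m.group(2), 16), int(m.group(3))))
            continue
        m = POLICY_RE.match(line)
        if m:
            src = SRC_RE.search(m.group(1))
            policies.append({"src": ipaddress.ip_network(src.group(1)) if src else None,
                             "mark": int(m.group(2), 16), "mask": int(m.group(3), 16)})
    return {"tables": tables, "rules": rules, "policies": policies}


def table_for_mark(parsed, mark):
    """Routing table an ip rule selects for a packet carrying this fwmark."""
    for value, mask, tid in parsed["rules"]:
        if mark & mask == value:
            return tid
    return None


def table_for_host(parsed, host):
    """Table a packet from this source host ends up in, or None if unmarked."""
    addr = ipaddress.ip_address(host)
    for p in parsed["policies"]:
        if p["src"] is not None and addr in p["src"]:
            return table_for_mark(parsed, p["mark"])
    return None


def uncovered_sources(parsed, hosts):
    """Hosts that no source-address policy routes anywhere."""
    return [h for h in hosts if table_for_host(parsed, h) is None]


def check_tables(parsed, local_addrs):
    """Findings about each fwmark table's default route."""
    findings = []
    for tid, t in sorted(parsed["tables"].items()):
        if t["unreachable"]:
            findings.append(f"table {tid}: 'unreachable default' (interface is down; with "
                            f"strict_enforcement=1 traffic marked for it is dropped)")
        elif t["gw"] in local_addrs:
            findings.append(f"table {tid}: gateway {t['gw']} is this router's own address on "
                            f"{t['dev']}; no real next hop, kernel will ARP on {t['dev']} "
                            f"for every destination")
    return findings


if __name__ == "__main__":
    parsed = parse_support(SUPPORT_OUTPUT)
    for f in check_tables(parsed, LOCAL_ADDRS):
        print(f)
    for h in uncovered_sources(parsed, WANTED_HOSTS):
        print(f"{h}: no policy marks this host")
```

Run against the post's dump it reports table 202 as unreachable (the wwan interface is down, and with `strict_enforcement '1'` that is a deliberate drop rather than a fallback), table 203 as routing via the router's own 10.1.13.2, and both wanted hosts as unmarked; only 10.1.12.190 from the `Desktop` policy lands in table 203.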

They don't seem to be configured.
Also tap is for bridging, which you are not doing here. Therefore you should use tun interface for the OpenVPN.


OpenVPN TAP is supposed to be in the IP range of the server side LAN and may be tricky to implement in some cases, so you'd best go with TUN.
In addition, your topology specifies a separate VPN subnet that should use TUN as well.


@trendy Sorry, I should have been more clear... that config was me testing... Your comment was spot on... I got too far in the weeds... I had started using tap as I originally wanted to bridge, but changed my mind and forgot to change it when I started down the other path...

You solved my issue... Simple change to tun on both ends and voilà!

Thanks so much for your help... Always great to have another set of eyes see what you are missing.


@vgaetera You are right... this was my issue.
