An OpenWRT router runs the OpenVPN server.
We want any node that has LAN access or VPN access (or both) to be able to reach all other nodes in the LAN and all other nodes in the VPN.
We have the following networks:
- WAN: 192.168.0.0/24, with the router at 192.168.0.2
- LAN: 10.100.0.0/24, with the router at 10.100.0.1
- VPN: 10.110.0.0/24, with the router at 10.110.0.1
Some nodes in the LAN are also connected to the VPN, so they have two IP addresses: 10.100.0.x and 10.110.0.x. Other LAN nodes are not connected to the VPN and have only the LAN IP.
Additionally, the OpenVPN server has been configured with the option:

`list push "route 10.100.0.0 255.255.255.0 10.110.0.1"`

This adds an entry to the routing table of the VPN clients that routes traffic towards the LAN of the VPN server via the VPN server (10.110.0.1) rather than via their gateway. This is needed by the VPN road warriors.
Issue
We have the following configuration:
Node | LAN IP | VPN IP | Description |
---|---|---|---|
Router | 10.100.0.1 | 10.110.0.1 | Router & VPN server |
A | 10.100.0.50 | NO | LAN node without VPN connection |
B | 10.100.0.20 | 10.110.0.20 | LAN node with VPN connection |
C | NO | 10.110.0.65 | VPN road warrior |
We want all nodes to be able to access each other.
This is the connectivity table among the nodes. Each cell shows whether the node in the row can ping the IP in the column.

From \ To | A (10.100.0.50) | B (10.100.0.20) | B (10.110.0.20) | C (10.110.0.65) |
---|---|---|---|---|
A | Y | Y | Y | Y |
B | Y | Y | Y | Y |
C | Y | N <--- | Y | Y |
There is no connectivity from a VPN road warrior to the LAN IP of a node that is connected to both the LAN and the VPN. However, if that LAN node disconnects from the VPN, the VPN road warrior can reach its LAN IP.
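The following script is an added example, not part of the original post, for reproducing the connectivity table above from any node and for gathering one piece of evidence a practitioner would want for the failing cell: on the dual-homed node (B), C's echo request reaches the LAN interface via the router, while the kernel's route lookup decides which interface the reply to 10.110.0.65 leaves by. Linux's strict reverse-path filter (`rp_filter = 1`) drops packets whose source would be answered on a different interface than the one they arrived on, so comparing the two is a check worth doing before looking elsewhere; this is a general Linux behaviour, not a confirmed diagnosis of this setup. The node labels, IPs and file name are taken from the post or assumed; it assumes a Linux host with `ip`, `ping` and `sysctl` (iproute2 or busybox).

```shell
#!/bin/sh
# Added example (not from the original post): rebuild one row of the
# connectivity table from the node it runs on, then show which interface
# this node would use to answer a given peer and the rp_filter setting
# for it. Assumes Linux with iproute2/busybox "ip", "ping" and "sysctl".

# probe TARGET: one ICMP echo with a 1 s timeout; exit status 0 when answered.
probe() {
  ping -c 1 -W 1 "$1" >/dev/null 2>&1
}

# row LABEL TARGET...: print "LABEL | Y | N | ... |" in the table's format.
# The probe command can be swapped via $PROBE (used for offline testing).
row() {
  label=$1
  shift
  out=$label
  for target in "$@"; do
    if "${PROBE:-probe}" "$target"; then
      out="$out | Y"
    else
      out="$out | N"
    fi
  done
  printf '%s |\n' "$out"
}

# reply_dev SOURCE: the interface this host would send a reply to SOURCE
# through, taken from the kernel's own route lookup ("ip route get").
reply_dev() {
  ip route get "$1" 2>/dev/null | sed -n 's/.* dev \([^ ]*\).*/\1/p'
}

# rp_filter_mode DEV: 0 = off, 1 = strict, 2 = loose (net.ipv4.conf.DEV.rp_filter)
rp_filter_mode() {
  sysctl -n "net.ipv4.conf.$1.rp_filter" 2>/dev/null
}

main() {
  # $1 = label of this node, $2 = IP of the peer whose pings fail,
  # remaining args = the IPs in the table's columns.
  label=$1
  peer=$2
  shift 2
  row "$label" "$@"
  dev=$(reply_dev "$peer")
  echo "reply to $peer leaves via: ${dev:-unknown}"
  for d in all ${dev:+"$dev"}; do
    echo "rp_filter on $d: $(rp_filter_mode "$d")"
  done
}

# Runs only when given arguments. On node B from the post (constructed usage):
#   sh connmatrix.sh B 10.110.0.65 10.100.0.50 10.100.0.20 10.110.0.20 10.110.0.65
if [ "$#" -gt 0 ]; then
  main "$@"
fi
```

Run it on each node with the node's label, the peer it cannot reach, and the four column IPs; the first output line is the row for the table. On B, compare the interface in "reply to ... leaves via" with the interface on which C's requests arrive (the LAN interface, since the router forwards them): if they differ and rp_filter is 1 on that interface or on `all`, strict reverse-path filtering would silently discard the request, which matches a ping that fails only while the tunnel is up.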