OpenVPN client and MWAN3

Many of you have trouble with using OpenVPN (Client and/or Server) with MWAN3 package.

I'm using 19.07.1 with a working config.
There're different OpenVPN clients defined for my outgoing routing
and also a OpenVPN server (not in use with WMAN3) to be able to connect from outside to my network.

My VPN provider is "ExpressVPN".
I would like to present my config to help others with this problem.
ExpressVPN allows up to 5 connections. In this example I'll use 2 connection at the same time.
As I said before, there is also a working OpenVPN server active.

Hint: I'm using in addition to that 2 WAN connection, but they're not in this config files here.
This is very good described in https://openwrt.org/docs/guide-user/network/wan/multiwan/mwan3

Hopefully this helps some other users to get this working as well.


/etc/config/network

config interface 'vpnclient1'
        option proto 'none'
        option ifname 'tun1'

config interface 'vpnclient2'
        option proto 'none'
        option ifname 'tun2'

config interface 'vpnserver'
        option proto 'none'
        option ifname 'tun9'

/etc/config/firewall

config zone
        option name 'vpnserver'
        option network 'vpnserver'
        option input 'ACCEPT'
        option forward 'REJECT'
        option output 'ACCEPT'
        option masq '1'

config zone
        option name 'vpnclient'
        option network 'vpnclient1 vpnclient2'
        option input 'REJECT'
        option forward 'REJECT'
        option output 'ACCEPT'
        option masq '1'

config forwarding
        option src 'lan'
        option dest 'vpnclient'

config forwarding
        option src 'vpnserver'
        option dest 'wan'

config forwarding
        option src 'vpnserver'
        option dest 'lan'

config forwarding
        option src 'vpnserver'
        option dest 'vpnclient'

config rule
        option name 'Allow-OpenVPN-Inbound'
        option target 'ACCEPT'
        option dest_port '1194'
        list proto 'udp'
        option src 'wan'

/etc/config/openvpn

config openvpn 'ExpressVPN_Client1'
        option config '/etc/openvpn/ExpressVPN_Client1.ovpn'
        option enabled '1'

config openvpn 'ExpressVPN_Client2'
        option config '/etc/openvpn/ExpressVPN_Client2.ovpn'
        option enabled '1'

config openvpn 'Server'
        option config '/etc/openvpn/Server.ovpn'
        option enabled '1'

/etc/config/wman3

config interface 'vpnclient1'
        option enabled '1'
        option initial_state 'online'
        option family 'ipv4'
        list track_ip '8.8.8.8'
        option track_method 'ping'
        option reliability '1'
        option count '1'
        option size '56'
        option max_ttl '60'
        option check_quality '0'
        option timeout '2'
        option interval '5'
        option failure_interval '5'
        option recovery_interval '5'
        option down '3'
        option up '3'

config interface 'vpnclient2'
        option enabled '1'
        option initial_state 'online'
        option family 'ipv4'
        list track_ip '8.8.8.8'
        option track_method 'ping'
        option reliability '1'
        option count '1'
        option size '56'
        option max_ttl '60'
        option check_quality '0'
        option timeout '2'
        option interval '5'
        option failure_interval '5'
        option recovery_interval '5'
        option down '3'
        option up '3'

config member 'm_vpnclient1'
        option interface 'vpnclient1'
        option metric '1'
        option weight '1'

config policy 'p_vpnclient1'
        list use_member 'm_vpnclient1'
        option last_resort 'unreachable'

config member 'm_vpnclient2'
        option interface 'vpnclient2'
        option metric '1'
        option weight '1'

config policy 'p_vpnclient2'
        list use_member 'm_vpnclient2'
        option last_resort 'unreachable'

config rule 'laptop_1'
        option src_ip '192.168.1.120'
        option proto 'all'
        option sticky '0'
        option use_policy 'p_vpnclient1'

config rule 'laptop_2'
        option src_ip '192.168.1.121'
        option proto 'all'
        option sticky '0'
        option use_policy 'p_vpnclient2'

/etc/openvpn/ExpressVPN_Client1.ovpn

dev-type tun
dev tun1
fast-io
persist-key
persist-tun
nobind
remote <server> <port>
float
remote-random
pull
comp-lzo no
tls-client
verify-x509-name Server name-prefix
remote-cert-tls server
key-direction 1
route-method exe
route-delay 2
tun-mtu 1500
fragment 1300
mssfix 1200
verb 3
cipher AES-256-CBC
auth SHA512
sndbuf 524288
rcvbuf 524288
auth-nocache
auth-user-pass /etc/openvpn/expressvpn.auth
log /etc/openvpn/expressvpn1.log
pull-filter ignore "dhcp-option"
pull-filter ignore "redirect-gateway"
pull-filter ignore "route"
route 0.0.0.0 0.0.0.0 vpn_gateway 31
route-metric 31
route-nopull

[...]

/etc/openvpn/ExpressVPN_Client2.ovpn

dev-type tun
dev tun2
fast-io
persist-key
persist-tun
nobind
remote <server> <port>
float
remote-random
pull
comp-lzo no
tls-client
verify-x509-name Server name-prefix
remote-cert-tls server
key-direction 1
route-method exe
route-delay 2
tun-mtu 1500
fragment 1300
mssfix 1200
verb 3
cipher AES-256-CBC
auth SHA512
sndbuf 524288
rcvbuf 524288
auth-nocache
auth-user-pass /etc/openvpn/expressvpn.auth
log /etc/openvpn/expressvpn2.log
pull-filter ignore "dhcp-option"
pull-filter ignore "redirect-gateway"
pull-filter ignore "route"
route 0.0.0.0 0.0.0.0 vpn_gateway 32
route-metric 32
route-nopull

[...]

/etc/openvpn/Server.ovpn

verb 3
user nobody
group nogroup
dev-type tun
dev tun9
port 1194
proto udp
server 192.168.3.0 255.255.255.0
topology subnet
client-to-client
keepalive 10 120
persist-tun
persist-key
push "dhcp-option DNS 192.168.3.1"
push "dhcp-option DOMAIN lan"
push "redirect-gateway def1"
push "persist-tun"
push "persist-key"
log /etc/openvpn/server.log

[...]
2 Likes

I did something similar recently, thanks for sharing, another good resource aside from the official wiki entry is from Leow Kah Man there is also a good write up on his blog:

https://www.leowkahman.com/2016/06/19/conditional-multiple-openvpn-routing-hostname-ip/

This mainly covers the concept of conditional routing with IP/DNS based rules, but you can adjust it to do VPN load balancing by adjusting the member policy.

how to set metric on vpn interface?
Thanks!

uci set network.vpn0.metric="20"
uci commit network
/etc/init.d/network restart
1 Like

great! Thank you very much!

1 Like