OpenVPN on Linux server and OpenWrt

Hello,

I have a server running OpenVPN, located in my "DMZ," which uses the 10.0.0.0/24 subnet.

The IP address for this server is, for instance, 10.0.0.7.

OpenVPN utilizes the 10.0.4.0 virtual subnet.

How can I create a virtual interface on OpenWrt to manage the firewall, allowing the 10.0.4.0 subnet to connect to the 10.0.0.0 subnet or the 10.0.1.0 subnet?

Basically just open up the firewall for the appropriate port and place the OpenVPN interface (tunx) in the LAN zone:

I know that OpenWrt has OpenVPN, but I already have one server with it.

I think it's not the same, no?

If the OpenVPN server is not running on the router but on a client, then you have to port forward to that client.

I'm not sure if I've fully understood your question, so let me try to rephrase it:

You have OpenWrt running as your main router with 10.0.0.0/24 subnet. Within this subnet, you have an OpenVPN server that uses the 10.0.4.0/24 subnet for its clients. Now you would like to give your clients from the 10.0.4.0 subnet access to the 10.0.0.0/24 subnet - right?

If that's the case, then you need to configure your server accordingly, not OpenWrt. You have several options, what comes to my mind:

  1. Enable NAT on the server and masquerade the OpenVPN traffic as traffic from the server (usually a quick solution)
  2. Enable routing on the server and on OpenWrt and avoid the masquerading
  3. Use a VLAN to get the OpenVPN traffic as-is to an interface on OpenWrt and configure the routing/masquerading there

In all cases, you will have to configure your server to do the right thing. What OS is your server running?

If your OpenWrt device has enough power, is moving the OpenVPN instance to the OpenWrt router an option? That would ease a few things.

Yes, it's that.

I need to create a push route in my OpenVPN config.

And how can I create a VLAN with this "virtual" 10.0.4.0 subnet created by OpenVPN?

That depends on the answer to my question:

It's Debian 11 and I have OpenWrt 22.03.

I'm afraid you will have to figure out how to do this in Debian 11, since you need to bridge and/or route the OpenVPN traffic on the OpenVPN server, not on OpenWrt. Once you have the VLAN, we can help with the OpenWrt side.

Edit: The easiest solution we can help with is moving the OpenVPN server to OpenWrt!

Yes, it's the easiest solution, but it's very long and difficult to configure the server and add a user...

With my Linux I have a script "openvpn-install.sh" to do it.

But if it's very complicated, I will try OpenVPN on OpenWrt a second time.

It can definitely be done on Debian 11; I remember having done this many years ago on an Ubuntu machine. Basically, I configured Ubuntu to act as a NAT router for the VPN interface.
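
Options 1 and 2 from the list in the thread, sketched side by side as an added example that is not part of any post: the script only prints the configuration for the Debian server (forwarding, push route, nftables masquerade) and for OpenWrt (static route back to the VPN subnet). The subnets and the server address come from the thread; the interface names `eth0` and `lan` and the table name `vpn_nat` are assumptions.

```shell
#!/bin/sh
# Added example. Subnets and server IP are from the thread; eth0 (server LAN
# NIC) and the OpenWrt interface name "lan" are assumptions. Nothing is applied:
# every function only prints the configuration it describes.
VPN_NET="10.0.4.0/24"; LAN_NET="10.0.0.0/24"; SERVER_IP="10.0.0.7"
LAN_IF="eth0"; OWRT_IF="lan"

# Convert a CIDR prefix length to a dotted netmask (OpenVPN "route" wants one).
cidr_to_mask() {
    bits=${1#*/}; mask=""
    for i in 1 2 3 4; do
        if [ "$bits" -ge 8 ]; then octet=255; bits=$((bits - 8))
        else octet=$((256 - (1 << (8 - bits)))); bits=0; fi
        mask="${mask:+$mask.}$octet"
    done
    echo "$mask"
}

# Both options: the server must forward packets, and VPN clients must learn
# the route to the LAN (a sysctl line and an OpenVPN server config line).
render_common() {
    echo "net.ipv4.ip_forward = 1"
    echo "push \"route ${LAN_NET%/*} $(cidr_to_mask "$LAN_NET")\""
}

# Option 1 (NAT on the server): nftables ruleset. LAN hosts and the OpenWrt
# firewall see every VPN client as $SERVER_IP, so per-client source addresses
# are lost in logs and cannot be filtered downstream.
render_nat() {
    cat <<EOF
table ip vpn_nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        ip saddr $VPN_NET oifname "$LAN_IF" masquerade
    }
}
EOF
}

# Option 2 (routing, no masquerade): OpenWrt needs a static route back to the
# VPN subnet via the server. Client source addresses stay visible end to end.
render_openwrt_route() {
    cat <<EOF
uci add network route
uci set network.@route[-1].interface='$OWRT_IF'
uci set network.@route[-1].target='$VPN_NET'
uci set network.@route[-1].gateway='$SERVER_IP'
uci commit network
EOF
}

render_common; render_nat; render_openwrt_route
```

With option 2 the OpenWrt firewall can still distinguish individual 10.0.4.x clients, which is what makes per-client rules for the 10.0.0.0 and 10.0.1.0 subnets possible.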