OpenVPN server. Allow route to LAN

Hello, it seems obvious, but I can't figure out what is missing to allow an OpenVPN client to reach devices on the LAN network. After connecting I am able to reach the gateway only, but not devices on the LAN network. I have tried adding a route in the OpenVPN config and push-remove redirect-gateway, but that ended with the LAN devices being disconnected from ethernet :smiley: Thank you for your assistance.
Here are my configs

network


# /etc/config/network as pasted in the thread.
# NOTE(review): the 'WG0' and 'wg1' sections below contain WireGuard private keys and a
# preshared key verbatim. Key material that has been posted publicly should be treated as
# disclosed and regenerated on both ends of each tunnel.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fde3:d3f0:9ebc::/48'
	option packet_steering '1'

# br-lan bridges the four switch ports; the 'lan' interface sits on top of it.
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

# Main LAN, 192.168.1.0/24 -- the subnet the OpenVPN client is trying to reach.
config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	list dns '1.1.1.1'
	list dns '1.0.0.1'

# WAN via DHCP; the upstream resolver is ignored (peerdns '0') in favour of 1.1.1.1/1.0.0.1.
# NOTE(review): 'option type bridge' inside an interface section is the pre-21.02 bridge
# syntax; the br-lan 'config device' above is the current form. Presumably a leftover --
# confirm it is intended.
config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option peerdns '0'
	list dns '1.1.1.1'
	list dns '1.0.0.1'
	option type 'bridge'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

# Guest network 192.168.10.0/24. No 'device' is bound here; presumably a wireless
# configuration that is not shown attaches to it.
config interface 'guest'
	option proto 'static'
	option ipaddr '192.168.10.1'
	option netmask '255.255.255.0'

# WireGuard client towards Cloudflare WARP (see the peer's description below).
# 172.16.0.2/32 is the tunnel address; the pbr config later in the thread steers selected
# subnets into this interface.
# NOTE(review): private_key is this interface's secret key and has been posted publicly.
config interface 'WG0'
	option proto 'wireguard'
	option peerdns '0'
	option mtu '1280'
	option private_key 'UBjR+qN2YmmjdToWXMNivdheNakN4/vS+kymLjp7T0k='
	list addresses '172.16.0.2/32'
	list addresses 'fd01:5ca1:ab1e:849e:158f:6b7d:d692:3965/128'
	list dns '1.1.1.1'
	list dns '1.0.0.1'
	list dns '2606:4700:4700::1111'
	list dns '2606:4700:4700::1'

# WARP peer. allowed_ips 0.0.0.0/0 and ::/0 let any destination pass through the tunnel;
# route_allowed_ips is not set, so presumably this section installs no default route and
# traffic only reaches WG0 via pbr -- confirm.
config wireguard_WG0
	option endpoint_port '2408'
	option description 'cloudflare_warp'
	option endpoint_host 'engage.cloudflareclient.com'
	option public_key 'bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo='
	option persistent_keepalive '25'
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::/0'

# WireGuard server on UDP 51821 for the 192.168.9.0/24 client subnet.
# auto '0': the interface is not brought up at boot; the matching 'Allow-WireGuard'
# firewall rule is disabled as well, so this server is currently parked.
# NOTE(review): private_key is secret and has been posted publicly.
config interface 'wg1'
	option proto 'wireguard'
	option private_key 'wIJbq4YbyzPGVdwasNAhdXJ0p98c+c3qwi+X0cqPtG8='
	option listen_port '51821'
	list addresses '192.168.9.1/24'
	list addresses 'fdf1:7610:d152:3a9c::1/64'
	option auto '0'

# Peer 'home' of the wg1 server.
# NOTE(review): 'private_key' is not an option of a wireguard peer section as far as I know
# (peers carry public_key/preshared_key); it looks like the client's own private key was
# pasted here. That key and the preshared_key are now public and should be regenerated.
# allowed_ips hands the whole 192.168.9.0/24 to this single peer in addition to its /32.
config wireguard_wg1 'wgclient'
	option preshared_key 'awC/+dA1Akjz5D/avUZh7jaC4sD9JBk9k9xAUGGeVLk='
	option description 'home'
	option public_key 'jEjf974eLz4fHZ6ovW5g5C/Oj6W9Wp8lVd7oe3TmAiU='
	option private_key 'AOuC2bqUGW0cz7Yx+IyhD+wNl7v6m0IaqcDDhTIHrlE='
	list allowed_ips '192.168.9.0/24'
	list allowed_ips 'fdf1:7610:d152:3a9c::1/64'
	list allowed_ips '192.168.9.11/32'

# OpenVPN tunnel device (tun0, from 'dev tun' in serv.conf). proto 'none' only registers
# the device with netifd so the firewall can place it in a zone; the firewall config in
# this thread lists it in zone 'lan'.
config interface 'openvpn'
	option proto 'none'
	option device 'tun0'

# Three further static subnets (.20, .30, .40). As with 'guest', no 'device' is bound here;
# presumably wireless networks attach to them.
config interface 'vpn_free'
	option proto 'static'
	option ipaddr '192.168.20.1'
	option netmask '255.255.255.0'
	list dns '1.1.1.1'
	list dns '1.0.0.1'

config interface 'real_guest'
	option proto 'static'
	option ipaddr '192.168.30.1'
	option netmask '255.255.255.0'
	list dns '1.1.1.1'
	list dns '1.0.0.1'

config interface 'iot_vpn_free'
	option proto 'static'
	option ipaddr '192.168.40.1'
	option netmask '255.255.255.0'
	list dns '1.1.1.1'
	list dns '1.0.0.1'

firewall


# /etc/config/firewall as pasted in the thread.
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option synflood_protect '1'
	option forward 'REJECT'
	option flow_offloading '1'
	option flow_offloading_hw '1'

# Zone 'lan' also holds the OpenVPN tunnel (network 'openvpn' = tun0) and the wg1 server,
# with forward 'ACCEPT': the firewall already permits tun0 <-> br-lan traffic, so the
# LAN-reachability problem in the thread is not a zone/forwarding issue. It also means VPN
# clients receive full LAN trust; a dedicated VPN zone with explicit forwardings would
# allow tighter control if that is wanted.
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'openvpn'
	list network 'wg1'

# Stock OpenWrt WAN input rules (DHCP renew, ping, IGMP, DHCPv6, MLD, ICMPv6).
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# NOTE(review): Allow-IPSec-ESP and Allow-ISAKMP are OpenWrt defaults that open ESP and
# UDP/500 from wan into the lan zone. No IPsec configuration appears anywhere on this page;
# if it is unused, these two rules could be disabled to shrink the exposed surface.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# vpn_free zone: input and forward both ACCEPT, i.e. treated like the LAN.
config zone
	option name 'vpn_free'
	option output 'ACCEPT'
	list network 'vpn_free'
	option input 'ACCEPT'
	option forward 'ACCEPT'

# NOTE: this zone is named 'iot_vpn_fre' (missing 'e') while the network is 'iot_vpn_free'.
# The rules and forwarding below use the same spelling consistently, so it works, but it is
# easy to misread when editing.
config zone
	option output 'ACCEPT'
	option input 'REJECT'
	option forward 'REJECT'
	option name 'iot_vpn_fre'
	list network 'iot_vpn_free'

# guest zone is isolated (input/forward REJECT); only DNS and DHCP to the router are opened.
config zone
	option name 'guest'
	option output 'ACCEPT'
	option input 'REJECT'
	option forward 'REJECT'
	list network 'guest'

# No proto is given on the DNS rules; fw4's default presumably covers both tcp and udp -- confirm.
config rule
	option name 'Guest DNS'
	option src 'guest'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'Guest DHCP'
	list proto 'udp'
	option src 'guest'
	option dest_port '67-68'
	option target 'ACCEPT'

config zone
	option name 'real_guest'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'real_guest'
	option input 'REJECT'

config rule
	option name 'VPN_FREE DNS'
	option src 'vpn_free'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'VPN_FREE DHCP'
	list proto 'udp'
	option src 'vpn_free'
	option dest_port '67-68'
	option target 'ACCEPT'

config rule
	option name 'IOT_VPN_FREE DNS'
	option dest_port '53'
	option target 'ACCEPT'
	option src 'iot_vpn_fre'

config rule
	option name 'IOT_VPN_FREE DHCP'
	list proto 'udp'
	option dest_port '67-68'
	option target 'ACCEPT'
	option src 'iot_vpn_fre'

config rule
	option name 'REAL_GUEST DNS'
	option src 'real_guest'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'REAL_GUEST DHCP'
	list proto 'udp'
	option src 'real_guest'
	option dest_port '67-68'
	option target 'ACCEPT'

# wg0 zone wraps the WARP uplink (network 'WG0') and NATs outbound traffic like wan.
config zone
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option forward 'REJECT'
	option input 'REJECT'
	option name 'wg0'
	list network 'WG0'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option forward 'REJECT'
	option input 'REJECT'
	list network 'wan'
	list network 'wan6'

# Wake-on-LAN redirect; currently disabled (enabled '0').
config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'WOL'
	option src_dport '9'
	option dest_ip '192.168.1.233'
	option dest_port '9'
	option src 'lan'
	option enabled '0'

config forwarding
	option src 'guest'
	option dest 'wg0'

# Disabled. Note it also constrains src_port to 80, which ordinary clients rarely use.
config rule
	list proto 'tcp'
	option src 'wan'
	option src_port '80'
	option dest_port '80'
	option target 'ACCEPT'
	option name 'Allow-HTTP'
	option enabled '0'

# Disabled, consistent with wg1 having auto '0' in the network config.
config rule 'wg'
	option name 'Allow-WireGuard'
	option src 'wan'
	option dest_port '51821'
	option proto 'udp'
	option target 'ACCEPT'
	option enabled '0'

# Accepts the OpenVPN server port on the router; matches 'port 1194' / 'proto tcp' in serv.conf.
config rule 'ovpn'
	option name 'Allow-OpenVPN'
	option src 'wan'
	option dest_port '1194'
	option proto 'tcp'
	option target 'ACCEPT'

# Inter-zone forwardings. There is no lan -> wan forwarding, so the lan zone (including
# OpenVPN clients) can currently only leave via wg0; vpn_free and iot_vpn_fre go to wan.
config forwarding
	option src 'lan'
	option dest 'wg0'

config forwarding
	option src 'vpn_free'
	option dest 'wan'

config forwarding
	option src 'real_guest'
	option dest 'wg0'

config forwarding
	option src 'iot_vpn_fre'
	option dest 'wan'

# Hook for the pbr package's firewall script.
config include 'pbr'
	option fw4_compatible '1'
	option type 'script'
	option path '/usr/share/pbr/pbr.firewall.include'

pbr


# /etc/config/pbr as pasted in the thread.
# NOTE(review): ignored_interface lists 'vpnserver' and 'wgserver', but no interface with
# either name exists in the network config above; the OpenVPN and WireGuard server
# interfaces there are named 'openvpn' and 'wg1'. Presumably those were meant -- confirm.
config pbr 'config'
	option verbosity '2'
	option strict_enforcement '1'
	option src_ipset '0'
	option dest_ipset '0'
	list ignored_interface 'vpnserver wgserver'
	option boot_timeout '30'
	option procd_reload_delay '1'
	option webui_enable_column '0'
	option webui_protocol_column '0'
	option webui_chain_column '0'
	option webui_show_ignore_target '0'
	option webui_sorting '1'
	list webui_supported_protocol 'tcp'
	list webui_supported_protocol 'udp'
	list webui_supported_protocol 'tcp udp'
	list webui_supported_protocol 'icmp'
	list webui_supported_protocol 'all'
	option ipv6_enabled '1'
	option resolver_set 'none'
	option rule_create_option 'add'
	option enabled '1'

config include
	option path '/etc/pbr.netflix.user'
	option enabled '0'

config include
	option path '/etc/pbr.aws.user'
	option enabled '0'

# Keeps the OpenVPN server's own replies (TCP source port 1194) on wan instead of WG0.
config policy
	option interface 'wan'
	option name 'openvpn'
	option src_port '1194'
	option proto 'tcp'
	option chain 'output'

# Same for the (currently disabled) WireGuard server.
config policy
	option name 'wireguard'
	option src_port '51821'
	option proto 'udp'
	option chain 'output'
	option interface 'wan'
	option enabled '0'

# Everything sourced from the LAN goes out via WG0, regardless of destination.
# NOTE(review): together with 'openvpn_in_to_wg' below, this also catches LAN replies
# addressed to OpenVPN clients in 192.168.8.0/24 and presumably steers them into WG0
# instead of back through tun0 -- which would explain why the client reaches the gateway
# but not LAN hosts. The reply in the thread (an ignore policy for local and VPN
# destinations, evaluated before these) addresses exactly that.
# src_addr is written as a host address with a /24 mask; the network form is 192.168.1.0/24.
config policy
	option name 'lan_to_wg'
	option src_addr '192.168.1.1/24'
	option interface 'WG0'

config policy
	option name 'openvpn_in_to_wg'
	option src_addr '192.168.8.0/24'
	option interface 'WG0'

# NOTE(review): names and subnets appear swapped: per the network config 192.168.30.1/24
# is 'real_guest' and 192.168.10.1/24 is 'guest'. Confirm which is intended.
config policy
	option name 'guest_to_vpn'
	option src_addr '192.168.30.1/24'
	option interface 'WG0'

config policy
	option src_addr '192.168.10.1/24'
	option name 'iot_to_vpn'
	option interface 'WG0'

config policy
	option name 'iot_to_wan'
	option src_addr '192.168.40.1/24'
	option chain 'output'
	option interface 'wan'

config policy
	option name 'vpn_free'
	option interface 'wan'
	option chain 'output'
	option src_addr '192.168.20.1/24'

# Leftover stubs: one disabled policy with only an interface, and two empty sections.
# Presumably safe to delete.
config policy
	option interface 'wan'
	option enabled '0'

config policy

config policy


openvpn serv.conf

# OpenVPN server config as pasted; the file is cut off at the inline <dh> block, so any
# certificate, key or tls-crypt/tls-auth material after it is not visible here.
# Drop privileges after startup; persist-key/persist-tun below keep the daemon working
# across restarts once it can no longer reopen the key and tun device.
user nobody
group nogroup
# tun0 -- the device registered as network interface 'openvpn' in /etc/config/network.
dev tun
# Matches the 'Allow-OpenVPN' firewall rule and the pbr 'openvpn' output policy (tcp/1194).
port 1194
proto tcp
# Client pool; the same subnet that the pbr policy 'openvpn_in_to_wg' matches on.
server 192.168.8.0 255.255.255.0
topology subnet
# Clients can reach each other inside the OpenVPN process; that traffic does not pass the
# router firewall's zone rules.
client-to-client
keepalive 10 60
persist-tun
persist-key
# Assumes the router's resolver listens on the tun0 address 192.168.8.1 -- confirm.
push "dhcp-option DNS 192.168.8.1"
push "dhcp-option DOMAIN lan"
# Full-tunnel: all client traffic is sent through the VPN.
push "redirect-gateway def1"
push "persist-tun"
push "persist-key"
# Inline DH parameters; the remainder of the file is not shown in the thread.
<dh>

The OpenVPN client.conf is empty at the moment.

I test by trying to connect to a CCTV camera on 192.168.1.112. I am not able to reach it from the OpenVPN client computer, but I am able to ping / curl it from the router itself.

Thank you in advance for your support.


Insert an ignore policy for all local and VPN destinations:
https://docs.openwrt.melmac.net/pbr/#ignore-target

