OpenVPN: Set up a VPN Server and VPN Client in the router

fenix1o1 · March 1, 2020, 5:24pm

Hi, currently my setup is Zyxel Armor Z2 running on OpenWRT 19.07, I am using a VPN Service, so for that reason I have an OpenVPN client running on my router so all my network traffic to the internet goes thru that VPN.

But I would like to additionally set up a VPN Server on the router, so when i am on the go, I can access securely my resources on my network and not having to deal with port forwarding or making public any private resource.

So, my questions are:

is it posible to have both configuration on the same roter?

if so:

how can I make the dual configuration work?
do I need to bridge my modem with my router for it to work? or just with the DDNS services up is enough?
once I have connected to my network remotely, my devices would access the internet thru the VPN on my router, or they would access the internet from their local connection? what about if I am using an smartphone to connect like iphone?

ulmwind · March 1, 2020, 6:09pm

Yes, it is possible. However now we are trying to configure Policy-Based Routing to perform it. At the time we have troubles with it, vpn-policy-routing by @stangri doesn't work, it creates additional chain in mangle table, and redirects packets marked with --mark 0x0/0xff0000:

-N VPR_PREROUTING
-A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING

Since we haven't found the place, where mark is set, no packets goes via chain.

You should have real IP to connect from Internet.

You can configure access via VPN-client, it is the simplest approach. With Policy-Based Routing you can configure access via WAN.

fenix1o1 · March 1, 2020, 9:10pm

Thank you @ulmwind, so basically theoretically it is possible but at the moment the functionality is not mature enough? or I misunderstood something.

stangri · March 1, 2020, 9:54pm

It does work (well, did work last time I've had default routing thru VPN tunnel). Needs different chain (OUTPUT) as indicated in the README.

I can re-test some time next week.

ulmwind · March 1, 2020, 10:20pm

OK, thanks to @stangri, now we can try to configure.

dl12345 · March 1, 2020, 10:37pm

I've been doing this for years, although manually configured, using exactly this technique: putting the list of networks to route via the vpn into a ipset, then marking the matching packets in the mangle table and then doing policy routing based on the mark, so it should work if setup correctly.

I used to use it to bond two internet links together. I currently use it to selectively route certain traffic through a vpn tunnel.

Can you point me to this package so I can look at it?

ulmwind · March 2, 2020, 6:54am

github.com

stangri/openwrt_packages/blob/master/vpn-policy-routing/files/README.md

# VPN Policy-Based Routing

## Description

This service allows you to define rules (policies) for routing traffic via WAN or your L2TP, Openconnect, OpenVPN, PPTP or Wireguard tunnels. Policies can be set based on any combination of local/remote ports, local/remote IPv4 or IPv6 addresses/subnets or domains. This service supersedes the [VPN Bypass](https://github.com/openwrt/packages/blob/master/net/vpnbypass/files/README.md) service, by supporting IPv6 and by allowing you to set explicit rules not just for WAN interface (bypassing OpenVPN tunnel), but for L2TP, Openconnect, OpenVPN, PPTP and Wireguard tunnels as well.

## Features

### Gateways/Tunnels

- Any policy can target either WAN or a VPN tunnel interface.
- L2TP tunnels supported (with protocol names l2tp\*).
- Openconnect tunnels supported (with protocol names openconnect\*).
- OpenVPN tunnels supported (with device names tun\* or tap\*).<sup>[1](#footnote1)</sup> <sup>[2](#footnote2)</sup>
- PPTP tunnels supported (with protocol names pptp\*).
- Wireguard tunnels supported (with protocol names wireguard\*).

### IPv4/IPv6/Port-Based Policies

- Policies based on local names, IPs or subnets. You can specify a single IP (as in ```192.168.1.70```) or a local subnet (as in ```192.168.1.81/29```) or a local device name (as in ```nexusplayer```). IPv6 addresses are also supported.

This file has been truncated. show original

fenix1o1 · March 7, 2020, 2:39pm

Hi @stangri, in the readme says that it supersedes VPNbypass, I should remove it first, or they can co-exists?

As I am looking forward to test it out this weekend.

stangri · March 7, 2020, 4:18pm

I would recommend to not have both packages installed at the same time.