Ping LAN ip from the tunnel

I am using a VPN routing policy.
My settings are such that the default OpenWrt route passes through WAN,
and I pass the devices connected to OpenWrt through the VPN routing policy.
I want to be able to ping the LAN IP through the tunnel, but I do not want to change the default path.
Can anyone help me?

It is a bit unclear. From where do you want to ping the LAN IP? Is the VPN a client to some VPN provider, or a server to connect from the internet to your router?

I get internet from WAN,
and I want to ping the LAN IP on the other side of the VPN tunnel (i.e. from the VPN server).

So is it a site-to-site VPN tunnel from your router to another router?

An L2TP VPN has been established, which I have connected to a server via OpenWrt.

Can you help me? @trendy

Linking a local LAN to a remote LAN via VPN does not require policy routing. But the routing tables and the firewalls must be properly set up. Consider two sites, where the main router for each site is also the terminus of the VPN tunnel.

  • The LANs at the two sites must have different IP subnets.
  • Each end of the tunnel has an IP, which is in the same subnet as the other end, but different from either of the LANs. (This isn't strictly necessary for the system to work, but it makes testing a lot easier since you can target pings at the tunnel endpoints).
  • Each VPN server/router has a route to the other site's LAN via the tunnel.
  • The firewall has a new zone for the VPN tunnel, and allows forwarding in and out of the VPN zone to the LAN. NAT / masquerade is not used.

As an example with actual numbers:
Site A:
LAN IP 192.168.10.1/24
Tunnel IP 192.168.199.10/24
Route: 192.168.20.0/24 via 192.168.199.20

Site B:
LAN IP 192.168.20.1/24
Tunnel IP 192.168.199.20/24
Route: 192.168.10.0/24 via 192.168.199.10

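One way to turn these four points into configuration, as an added example that is not code from the thread or from OpenWrt itself: a POSIX shell script that first checks the three subnets are disjoint and then prints the uci batch for one end (Site A, with the numbers above). The zone name "vpn", the section names "to_remote_lan", "lan_vpn" and "vpn_lan", and the logical tunnel interface name "VPN" are assumptions.

```shell
# Added example, not from the thread: print the UCI batch that implements the
# four rules above for one tunnel end, after checking the subnets are disjoint.
# The "vpn" zone and section names are assumptions; feed the output to uci batch.
ip2int() {                      # "a.b.c.d" -> 32-bit integer
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
# prefix length of "a.b.c.d/n"; a bare address counts as a /32 host route
prefix_of() { p=${1#*/}; [ "$p" = "$1" ] && p=32; echo "$p"; }
# succeeds (exit 0) when two CIDRs share at least one address
cidr_overlap() {
    n1=$(ip2int "${1%/*}"); n2=$(ip2int "${2%/*}")
    p=$(prefix_of "$1"); p2=$(prefix_of "$2")
    [ "$p2" -lt "$p" ] && p=$p2                 # compare on the shorter prefix
    mask=$(( (4294967295 << (32 - p)) & 4294967295 ))
    [ $(( n1 & mask )) -eq $(( n2 & mask )) ]
}
# rules 1-2: local LAN, remote LAN and tunnel subnet must all be disjoint
site_plan_ok() {
    cidr_overlap "$1" "$2" && return 1
    cidr_overlap "$1" "$3" && return 1
    cidr_overlap "$2" "$3" && return 1
    return 0
}
# rules 3-4: route the remote LAN via the peer's tunnel IP, and a "vpn" zone that
# forwards to and from lan with no masquerade. Args: tunnel_iface remote_lan peer_ip
emit_site_uci() {
    cat <<EOF
set network.to_remote_lan=route
set network.to_remote_lan.interface='$1'
set network.to_remote_lan.target='$2'
set network.to_remote_lan.gateway='$3'
set firewall.vpn=zone
set firewall.vpn.name='vpn'
add_list firewall.vpn.network='$1'
set firewall.vpn.input='ACCEPT'
set firewall.vpn.output='ACCEPT'
set firewall.vpn.forward='REJECT'
set firewall.vpn.masq='0'
set firewall.lan_vpn=forwarding
set firewall.lan_vpn.src='lan'
set firewall.lan_vpn.dest='vpn'
set firewall.vpn_lan=forwarding
set firewall.vpn_lan.src='vpn'
set firewall.vpn_lan.dest='lan'
commit network
commit firewall
EOF
}

# site A from the post: its LAN, site B's LAN, the tunnel subnet, then the batch
if site_plan_ok 192.168.10.0/24 192.168.20.0/24 192.168.199.0/24; then
    emit_site_uci VPN 192.168.20.0/24 192.168.199.20
fi
```

Site B uses the same script with the arguments swapped (its own LAN first, 192.168.10.0/24 as the remote LAN, 192.168.199.10 as the peer); the input policy of the zone is what lets the other end ping the tunnel endpoint for testing.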
Yes, exactly. But the problem is that I pass the default route of OpenWrt through WAN, and the LAN IP is not routed to the tunnel at all.

Maybe we can better understand the situation from the configs.
Use ssh to connect to the device.
Then run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have.

ubus call system board; \
uci export network; uci export dhcp; uci export firewall; uci export pbr; uci export vpn-policy-routing; \
head -n -0 /etc/firewall.user; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru
{
        "kernel": "5.4.121",
        "hostname": "OpenWrt",
        "system": "MediaTek MT7620AN ver:1 eco:2",
        "model": "zbt",
        "board_name": "zbt",
        "release": {
                "distribution": "OpenWrt",
                "version": "SNAPSHOT",
                "revision": "r16834-53b9cc442f",
                "target": "ramips/mt76x8",
                "description": "OpenWrt SNAPSHOT r16834-53b9cc442f"
        }
}
package network

config interface 'loopback'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'
        option device 'lo'

config globals 'globals'
        option ula_prefix 'fdae:c061:9cc7::/48'

config interface 'lan'
        option proto 'static'
        option ip6assign '60'
        option netmask '255.255.255.248'
        option device 'eth0.1'
        option ipaddr '172.200.xx.xx'

config interface 'wan'
        option proto 'dhcp'
        option device 'eth0.2'

config device 'wan_eth0_2_dev'
        option name 'eth0.2'
        option macaddr '1c:bf:ce:79:b6:2b'

config interface 'wan6'
        option proto 'dhcpv6'
        option device 'eth0.2'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 4 0 6t'

config switch_vlan
        option device 'switch0'
        option vlan '2'

config interface 'VPN'
        option device 'tun1'
        option proto 'l2tp'
        option server '10.48.xx.xx'
        option username '*********'
        option password '*********'
        option ipv6 'auto'

config interface 'VPN_L2TP_BCP'
        option proto 'l2tp'
        option auto '0'
        option device 'tun0'

config interface 'mygre_static'
        option proto 'static'
        option ipaddr '0.0.0.0'
        option netmask '0.0.0.0'
        option auto '0'
        option device '@mygre'

config interface 'wan1'
        option proto 'dhcp'
        option device 'usb0'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

package dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option rebind_protection '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option dhcpv6 'server'
        option ra 'server'
        option ra_slaac '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        option leasetime '24h'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

package firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'
        option enabled '1'
        option src '*'
        option dest 'lan'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled 'false'

config include
        option path '/etc/firewall.user'

config rule
        option target 'ACCEPT'
        option src 'wan'
        option proto 'tcp'
        option dest_port '80'
        option name 'AllowWANWeb'
        option enabled '0'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp udp'
        option name 'acsnew'
        option src_dport '7547'
        option dest_port '7547'
        option dest_ip '172.200.xx.xx'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp udp'
        option name 'snmp'
        option src_dport '161'
        option dest_port '161'
        option dest_ip '172.200.xx.xx'

config redirect
        option target 'DNAT'
        option src 'lan'
        option dest 'wan'
        option proto 'tcp udp'
        option name 'snmp2'
        option src_dport '161'
        option dest_port '161'
        option dest_ip '172.200.xx.xx'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp udp'
        option name 'wanhttp'
        option dest_port '80'
        option dest_ip '172.200.xx.xx'
        option enabled '0'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp udp'
        option name 'DMZ'
        option enabled '0'
        option dest_ip '192.168.0.1'

config rule
        option target 'REJECT'
        option src 'acsport'
        option proto 'tcp'
        option dest_port '80'
        option name 'closelaport'
        option enabled '1'

uci: Entry not found
package vpn-policy-routing

config vpn-policy-routing 'config'
        option enabled '1'
        option verbosity '2'
        option strict_enforcement '1'
        option src_ipset '0'
        option dest_ipset '0'
        option resolver_ipset 'dnsmasq.ipset'
        option ipv6_enabled '0'
        list ignored_interface 'vpnserver wgserver'
        option boot_timeout '0'
        option iptables_rule_option 'append'
        option procd_reload_delay '1'
        option webui_enable_column '0'
        option webui_protocol_column '0'
        option webui_chain_column '0'
        option webui_show_ignore_target '0'
        option webui_sorting '1'
        list webui_supported_protocol 'tcp'
        list webui_supported_protocol 'udp'
        list webui_supported_protocol 'tcp udp'
        list webui_supported_protocol 'icmp'
        list webui_supported_protocol 'all'

config include
        option path '/etc/vpn-policy-routing.netflix.user'
        option enabled '0'

config include
        option path '/etc/vpn-policy-routing.aws.user'
        option enabled '0'

config policy
        option name '1907381'
        option src_addr '172.200.x.37'
        option interface 'VPN'

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
8: usb0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    inet 172.25.xx.255/16 brd 172.25.255.255 scope global usb0
       valid_lft forever preferred_lft forever
10: eth0.1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 172.200.xx.xx/29 brd 172.200.7.39 scope global eth0.1
       valid_lft forever preferred_lft forever
13: l2tp-VPN: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1600 qdisc fq_codel state UNKNOWN group default qlen 3
    inet 172.28.xx.xx peer 10.48.246.12/32 scope global l2tp-VPN
       valid_lft forever preferred_lft forever
unreachable default table wan
10.48.xx.xx via 172.25.xx.0 dev usb0 table wan proto static
172.25.0.0/16 dev usb0 table wan proto kernel scope link src 172.25.xx.255
172.200.xx.xx/29 dev eth0.1 table wan proto kernel scope link src 172.200.xx.xx
default via 172.28.xx.xx dev l2tp-VPN table VPN
10.48.xx.xx via 172.25.xx.0 dev usb0 table VPN proto static
172.25.0.0/16 dev usb0 table VPN proto kernel scope link src 172.25.xx.255
172.200.xx.xx/29 dev eth0.1 table VPN proto kernel scope link src 172.200.xx.xx
unreachable default table VPN_L2TP_BCP
10.48.xx.xx via 172.25.xx.0 dev usb0 table VPN_L2TP_BCP proto static
172.25.0.0/16 dev usb0 table VPN_L2TP_BCP proto kernel scope link src 172.25.xx.255
172.200.xx.xx/29 dev eth0.1 table VPN_L2TP_BCP proto kernel scope link src 172.200.xx.xx
default via 172.25.xx.0 dev usb0 table wan1
10.48.xx.xx via 172.25.xx.0 dev usb0 table wan1 proto static
172.25.0.0/16 dev usb0 table wan1 proto kernel scope link src 172.25.xx.255
172.200.xx.xx/29 dev eth0.1 table wan1 proto kernel scope link src 172.200.xx.xx
default via 172.25.xx.0 dev usb0 proto static src 172.25.xx.255
10.48.246.12 dev l2tp-VPN proto kernel scope link src 172.28.xx.xx
10.48.xx.xx via 172.25.xx.0 dev usb0 proto static
172.25.0.0/16 dev usb0 proto kernel scope link src 172.25.xx.255
172.200.xx.xx/29 dev eth0.1 proto kernel scope link src 172.200.xx.xx
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 172.25.0.0 dev usb0 table local proto kernel scope link src 172.25.xx.255
local 172.25.xx.255 dev usb0 table local proto kernel scope host src 172.25.xx.255
broadcast 172.25.255.255 dev usb0 table local proto kernel scope link src 172.25.xx.255
local 172.28.xx.xx dev l2tp-VPN table local proto kernel scope host src 172.28.xx.xx
local 172.200.xx.xx dev eth0.1 table local proto kernel scope host src 172.200.xx.xx
broadcast 172.200.xx.xx dev eth0.1 table local proto kernel scope link src 172.200.xx.xx
broadcast 172.200.7.39 dev eth0.1 table local proto kernel scope link src 172.200.xx.xx
0:      from all lookup local
32762:  from all fwmark 0x40000/0xff0000 lookup wan1
32763:  from all fwmark 0x30000/0xff0000 lookup VPN_L2TP_BCP
32764:  from all fwmark 0x20000/0xff0000 lookup VPN
32765:  from all fwmark 0x10000/0xff0000 lookup wan
32766:  from all lookup main
32767:  from all lookup default

The default route applies only to IP destinations that aren't covered by another more specific route.

So if you have in the table a route to the other LAN via the tunnel, the tunnel will be used to reach the other LAN, and the WAN interface will still be used to reach places on the Internet.

Now, with the settings I sent, where is the problem that I cannot ping anything from the tunnel through the LAN IP, and also cannot ping the LAN IP from the server?

Remove vpn-policy-routing. You don't need it here.
There is nothing in the firewall about the vpn. Routing tables and even vpn-policy-routing set up what routes are to be used, but the traffic will be blocked by the firewall if it is not properly set.

I've never used L2TP so I can't say if that is set properly. I would use WireGuard instead wherever possible.

Also of course we're only looking at one side of the picture. If you're going to ping into the LAN of the other site, the other site's router needs a route (and firewall permission) to properly return the ping reply to you.

In OpenWrt, normally after the VPN is connected, the default route is set to the VPN.

But I needed my default route to be on WAN because I had services that had to use it.

So I used the VPN routing policy and set the default route to WAN.

Now, after these settings, I no longer have access to the LAN IP through the VPN server. I need an idea so that, in addition to the default route being on WAN, I can access the LAN IP through the tunnel.

All the IPs which you are using are private; there is no need to cover them.

In addition to what @mk24 noticed so far, there is just one IP routed via the tunnel, 10.48.246.12. If you are trying to access the LAN from another IP, or if it is not masqueraded, it will fail.

I did not understand what the problem was,
and how I should solve it.
Thank you very much if you can explain more fully.

Maybe it would be better to create a diagram with the routers, the IPs and the flows you are trying to achieve. We can have a better understanding and help you solve your problem.

Yes, sure, I'll prepare it.

Hi @trendy and @mk24
frun.drawio

Do I understand correctly that the VPN server is connected inside the LAN?
Is it used to have incoming connections from the internet to connect to your LAN, or is it used for outgoing connections from the LAN to the internet?
