Hi folks. I've been trawling the forum for ages to try and get my config going, and believe I'm almost there but am just missing that final step...
The end result I'm after is that I want my Apple TV device to bypass the VPN, but I also want to still be able to reach the device from the rest of the network for AirPlay purposes.
What I've currently done:
- OpenVPN is installed and working.
- There are two VLANs, lan and non_vpn_lan. Their subnets are 192.168.1.0/24 and 192.168.2.0/24 respectively.
- I have the VPN Bypass package installed, and have the "Local IP Addresses to Bypass" field populated with 192.168.2.0/24.
- lan connects correctly to the internet via the VPN.
- non_vpn_lan connects correctly to the internet bypassing the VPN.
- Zone forwardings are as per the following screenshot:
- I have the avahi-utils package installed to facilitate Apple's Bonjour service across the VLANs.
My Apple devices on the 192.168.1.0 subnet can see the Apple TV device, but when I attempt to AirPlay, I get an error. If I stop VPN Bypass, AirPlay works but the Apple TV can no longer reach the internet.
I've also tested with a computer connected to both subnets via physical ethernet.
If VPN Bypass is enabled, both computers can reach the internet but are unable to ping each other.
If VPN Bypass is disabled, the computer on subnet 192.168.1.0 can reach the internet, the computer on subnet 192.168.2.0 cannot reach the internet, and both computers can ping each other.
Ideally it would be good to keep the two VLANs, but if it's easier to put the Apple TV back on the lan VLAN and configure that one device to bypass the VPN whilst allowing connectivity to it from the rest of the network, I'm OK with that.
/etc/config/network is as follows:
# Loopback interface (stock entry).
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
# IPv6 ULA prefix; the real value was masked by the poster before sharing.
config globals 'globals'
option ula_prefix 'xxxx:xxxx:xxxx::/48'
# 'lan' VLAN: 192.168.1.0/24, bridged over tagged VLAN 17 (eth0.17).
# Per the firewall config this is the network whose traffic leaves via the VPN
# (forwarding lan -> wan_via_vpn).
config interface 'lan'
option type 'bridge'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
# ip6assign hands this interface an IPv6 prefix; non_vpn_lan below has no such option.
option ip6assign '60'
option ifname 'eth0.17'
# Upstream WAN on tagged VLAN 7 (eth1.7): IPv4 via DHCP, IPv6 via DHCPv6 on the same VLAN.
config interface 'wan'
option proto 'dhcp'
option ifname 'eth1.7'
config interface 'wan6'
option proto 'dhcpv6'
option ifname 'eth1.7'
# Switch VLAN layout. Port 5 carries VIDs 17 and 27 tagged, port 6 carries VID 7 tagged;
# presumably 5 and 6 are the CPU-facing ports behind eth0/eth1 -- confirm for this board.
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
# VID 17 (lan): untagged on ports 2 and 3, tagged on port 5.
config switch_vlan
option device 'switch0'
option vlan '1'
option vid '17'
option ports '2 3 5t'
# VID 7 (wan): untagged on port 4, tagged on port 6.
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '4 6t'
option vid '7'
# VID 27 (non_vpn_lan): untagged on ports 0 and 1, tagged on port 5 (shared trunk with VID 17).
config switch_vlan
option device 'switch0'
option vlan '3'
option vid '27'
option ports '0 1 5t'
# 'non_vpn_lan' VLAN: 192.168.2.0/24 on eth0.27. This is the subnet entered in VPN Bypass'
# "Local IP Addresses to Bypass". Unlike 'lan' it has no ip6assign, so no IPv6 prefix is
# assigned to it -- hosts here are IPv4-only as far as this file is concerned.
config interface 'non_vpn_lan'
option ifname 'eth0.27'
option proto 'static'
option netmask '255.255.255.0'
option ipaddr '192.168.2.1'
option type 'bridge'
/etc/config/firewall is as follows:
# Global defaults: anything not matched by a zone is accepted on INPUT/OUTPUT but
# REJECTed on FORWARD, so every inter-zone path below must be granted explicitly.
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
# 'lan' zone (192.168.1.0/24). input ACCEPT means the router's own services
# (web UI, SSH, DNS, ...) are reachable from this VLAN.
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan'
# Plain internet uplink. Inbound to the router is rejected; outbound is NATed (masq).
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'wan wan6'
# --- Stock OpenWrt input rules for the wan zone start here. ---
# Lets the upstream DHCP server renew the wan lease.
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
# The router answers ICMP echo from the internet; drop this rule if that is not wanted.
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
# IPv6 housekeeping: DHCPv6 (ULA-to-ULA only), MLD and rate-limited ICMPv6.
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# dest '*' = forwarded to any zone, not just input to the router.
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# These two forward ESP and UDP/500 (IKE) from the internet into 'lan'. They only matter if
# a host on lan runs an IPsec endpoint; nothing in this post suggests one, so they can be
# removed to shrink the exposed surface.
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
# Custom rules live in /etc/firewall.user (not shown in the post). NOTE(review): the
# VPN Bypass package may also install its own rules/policy routing outside this file --
# check there first when behaviour does not match the zones below.
config include
option path '/etc/firewall.user'
# 'non_vpn_lan' zone (192.168.2.0/24, the Apple TV VLAN). input ACCEPT exposes the router's
# services to this VLAN as well; if only the Apple TV lives here, consider restricting input
# to DHCP/DNS.
config zone
option input 'ACCEPT'
option forward 'ACCEPT'
option output 'ACCEPT'
option name 'non_vpn_lan'
option network 'non_vpn_lan'
# Full bidirectional forwarding between the two VLANs. For AirPlay initiated from lan only
# the lan -> non_vpn_lan direction is strictly required (replies are matched by connection
# tracking); keep the reverse rule only if the Apple TV must open connections toward lan.
# NOTE(review): with both forwardings present the firewall already permits the inter-VLAN
# pings the post says fail while VPN Bypass is active, so the blocker is probably in routing
# (policy rules for 192.168.2.0/24) rather than in these zones -- inspect `ip rule` and the
# routing tables it references while the bypass is enabled.
config forwarding
option src 'lan'
option dest 'non_vpn_lan'
config forwarding
option dest 'lan'
option src 'non_vpn_lan'
# VPN tunnel zone: tun0 with NAT, nothing from the tunnel may enter the router or be forwarded.
config zone
option input 'REJECT'
option forward 'REJECT'
option name 'wan_via_vpn'
option output 'ACCEPT'
option masq '1'
option mtu_fix '1'
list device 'tun0'
# lan reaches the internet only through tun0 -- there is no lan -> wan forwarding in this
# file, so if the tunnel drops, lan has no internet (fail-closed, worth keeping). That
# holds unless /etc/firewall.user or the bypass package adds such a path.
config forwarding
option dest 'wan_via_vpn'
option src 'lan'
# non_vpn_lan goes straight out the plain wan, bypassing the tunnel.
config forwarding
option dest 'wan'
option src 'non_vpn_lan'
Appreciate any help, and thanks in advance!