Hi there again. I've been struggling with this for over a year now and I don't want to believe there's no solution, so here I ask again:
I have a vpn server and a vpn client, both running on the same router.
The vpn client on there connects to the vpn provider torguard. I don’t want all devices tunneled to the vpn provider, just one IP, let's call this odroid.
So I use @stangri 's vpn-policy-routing app along with the options nobind
and route-nopull
in vpn client conf.
Configuring vpn server, client and vpn-policy-routing app I used these tutorials from openwrt:
Openvpn server setup
Openvpn client setup
Openvpn server and client simultaneously
It seems the vpn-policy-routing app creates a torguardvpn table and a wan table, and routes the odroid through the torguard table and the openvpn server through the wan table.
Now the situation is as follows:
If I connect from "outside" via openvpn to my openvpn server, I can reach all IPs perfectly, also by hostname, BUT I cannot reach the odroid IP.
I have very limited knowledge of vpn and routing; my only guess is that the two routing tables somehow need to be connected, but I don't know.
So please, could someone here help me reach the odroid IP?
Here are the config files:
/etc/config/openvpn
# OpenVPN client toward the TorGuard provider. Only the sources selected in
# /etc/config/vpn-policy-routing are sent through it; route_nopull below is
# what keeps the provider's pushed routes from capturing the whole router.
config openvpn 'torguard'
option client '1'
option dev 'tun0'
option proto 'tcp'
option resolv_retry 'infinite'
# No fixed local port: the kernel picks the source port for the TCP session.
option nobind '1'
option persist_key '1'
option persist_tun '1'
option ca '/etc/config/torguard/ca.crt'
# Discard routes pushed by the provider (including any redirect-gateway);
# policy routing decides what enters tun0.
option route_nopull '1'
# Require the peer certificate to carry the TLS server role, so another
# client certificate issued by the same CA cannot pose as the server.
option remote_cert_tls 'server'
# CBC mode with a separate HMAC (auth 'SHA1' below); prefer an AEAD cipher
# such as AES-256-GCM if the provider supports it.
option cipher 'AES-128-CBC'
# NOTE(review): compression on a VPN link belongs to a known class of
# traffic-analysis weaknesses (plaintext leaks through ciphertext length);
# disable it unless the provider requires it.
option compress 'lzo'
option verb '3'
option fast_io '1'
# Plain-text credentials; keep the file root-only (e.g. chmod 600), since
# /etc/config is read and backed up by other tools.
option auth_user_pass '/etc/config/torguard/userpass.txt'
option remote_random '0'
option auth 'SHA1'
# Disables client-initiated key renegotiation; the server side can still
# renegotiate on its own schedule.
option reneg_sec '0'
list remote 'nl.torguardvpnaccess.com 80'
option sndbuf '524288'
option rcvbuf '524288'
option fragment '0'
option mssfix '0'
option mute_replay_warnings '1'
# Credentials are dropped from memory once used rather than cached.
option auth_nocache '1'
option enabled '1'
option log '/tmp/openvpnclient.log'
# OpenVPN server for road-warrior clients. Clients get addresses from
# 192.168.200.0/24 on tun1 and are pushed redirect-gateway, so all of their
# traffic is routed by this router.
config openvpn 'vpnserver'
option enabled '1'
option dev_type 'tun'
option dev 'tun1'
# Must match the Allow-OpenVPN-Inbound rule in /etc/config/firewall. proto is
# tcp (last line), so that rule's 'tcpudp' could be narrowed to 'tcp'.
option port '1194'
option topology 'subnet'
option tls_server '1'
option mode 'server'
option server '192.168.200.0 255.255.255.0'
option route_gateway 'dhcp'
# NOTE(review): same caveat as any VPN compression — it leaks information
# about plaintext through packet sizes; consider disabling on both ends.
option compress 'lz4'
option keepalive '10 120'
option persist_key '1'
option persist_tun '1'
option verb '4'
option ca '/etc/openvpn/ca.crt'
option cert '/etc/openvpn/my-server.crt'
option key '/etc/openvpn/my-server.key'
option dh '/etc/openvpn/dh2048.pem'
# HMAC on the control channel: packets without a valid HMAC are dropped
# before the TLS handshake, limiting exposure of the listener on port 1194.
option tls_auth '/etc/openvpn/tls-auth.key 0'
# NOTE(review): traffic between two connected clients is switched inside the
# OpenVPN process and never passes the firewall's vpnserver zone rules.
option client_to_client '1'
option log '/tmp/openvpnserver.log'
list push 'topology subnet'
# Full tunnel: clients send all their traffic through the VPN.
list push 'redirect-gateway def1'
list push 'route-gateway dhcp'
list push 'route 192.168.200.0 255.255.255.0'
# Clients resolve through the router's LAN address.
list push 'dhcp-option DNS 192.168.1.1'
list push 'compress lz4'
list push 'persist-key'
list push 'persist-tun'
option proto 'tcp'
/etc/config/firewall
#::: Defaults :::#
# LuCI: Network - Firewall
# Default OpenWrt Rule #
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
# Nothing crosses zones unless a 'config forwarding' stanza below allows it.
option forward 'DROP'
option syn_flood 1
option drop_invalid 1
# Accepts new connections to the OpenVPN server from every zone (src *),
# wan included. The server only listens on tcp (see /etc/config/openvpn), so
# 'tcpudp' could be narrowed to 'tcp'; quoting '*' as the other rules do
# would also be consistent.
config rule
option name 'Allow-OpenVPN-Inbound'
option target 'ACCEPT'
option src *
option proto 'tcpudp'
option dest_port 1194
#::: Zones :::#
# LuCI: Network - Firewall - Zones
#------------------------------------------------
# LAN #
config zone
option name 'lan'
option network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'DROP'
# NOTE(review): masquerading on the lan zone is unusual. Traffic forwarded
# into lan (for example from the vpnserver zone) is source-NATed to the
# router's LAN address, so LAN hosts see the router rather than the VPN
# client's 192.168.200.x address. Confirm this is intended.
option masq '1'
config zone
option name 'vpnserver'
option network 'vpnserver'
option input 'ACCEPT'
option forward 'REJECT'
option output 'ACCEPT'
option masq 1
#VPN client#
config zone
option name 'vpnclientfw'
option network 'torguardvpn'
# New connections arriving from the provider's side are rejected; replies to
# connections initiated from lan are still accepted by connection tracking.
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
# WAN #
config zone
option name 'wan'
option network 'wan wan6'
option input 'DROP'
option output 'ACCEPT'
option forward 'DROP'
option masq 1
option mtu_fix 1
#::: InterZone Forwarding :::#
# LuCI: Network -> Firewall -> Zones -
# VPN - Edit - Inter-Zone Forwarding
#------------------------------------------------
# Road-warrior clients may reach the internet through wan ...
config forwarding
option src 'vpnserver'
option dest 'wan'
# ... and every host in lan. There is no lan -> vpnserver forwarding, so LAN
# hosts cannot initiate connections to VPN clients; replies are handled by
# connection tracking.
config forwarding
option src 'vpnserver'
option dest 'lan'
# LAN to VPN client#
config forwarding
option dest 'vpnclientfw'
option src 'lan'
# Lets road-warrior traffic leave through the provider tunnel when policy
# routing sends it there.
config forwarding
option src 'vpnserver'
option dest 'vpnclientfw'
# LAN to WAN #
config forwarding
option dest 'wan'
option src 'lan'
# Stock OpenWrt wan input rules: DHCP renew, ping, IGMP and the IPv6 set.
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
# Rate-limited (1000/sec) so ICMPv6 floods from wan are bounded.
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# NOTE(review): the two rules below forward IPsec (ESP, and IKE on udp/500)
# from wan into the whole lan unconditionally. They only matter if a LAN host
# runs an IPsec responder; if nothing in lan needs them, remove them.
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
# UPnP/NAT-PMP: lets LAN hosts open inbound wan ports on their own, so any
# device in lan can add holes to the wan zone without touching this file.
# Keep it only if a specific application needs it.
config include 'miniupnpd'
option type 'script'
option path '/usr/share/miniupnpd/firewall.include'
option family 'any'
option reload '1'
# Guest WLAN zone: no input to the router except DHCP and DNS (rules below),
# and forwarding only to wan, so guests are isolated from lan and both VPNs.
config zone 'gastwlanfw'
option name 'gastwlanfw'
option network 'gastwlan'
option forward 'REJECT'
option output 'ACCEPT'
option input 'REJECT'
config forwarding 'gastwlanfw_fwd'
option src 'gastwlanfw'
option dest 'wan'
config rule 'gastwlanfw_dhcp'
option name 'gastwlanfw_DHCP'
option src 'gastwlanfw'
option target 'ACCEPT'
option proto 'udp'
option dest_port '67-68'
# Guests may query the router's resolver on port 53 (tcp and udp).
config rule 'gastwlanfw_dns'
option name 'gastwlanfw_DNS'
option src 'gastwlanfw'
option target 'ACCEPT'
option proto 'tcp udp'
option dest_port '53'
/etc/config/vpn-policy-routing
# Policy routing: chooses which upstream (provider tunnel or wan) each
# selected source uses.
config vpn-policy-routing 'config'
option verbosity '2'
option ipv6_enabled '1'
# Kill-switch behaviour: if a policy's gateway is down, matching traffic is
# blocked instead of falling back to the default route.
option strict_enforcement '1'
option dnsmasq_enabled '1'
# Policies also apply to traffic the router itself originates.
option output_chain_enabled '1'
option enabled '1'
list ignored_interface 'vpnserver'
# Everything from the odroid goes to the provider tunnel. NOTE(review): this
# matches by source address, so the odroid's replies to road-warrior clients
# in 192.168.200.0/24 are looked up in the torguardvpn table as well (unless
# the lan zone's masquerading has already rewritten their address). If that
# table has no route for 192.168.200.0/24, such replies leave through tun0
# instead of tun1 — a plausible cause of the odroid being unreachable from
# VPN clients. Check with `ip route show table <torguardvpn table name>`
# (the table names are in /etc/iproute2/rt_tables).
config policy
option comment 'odroid-hc2'
option local_addresses '192.168.1.111'
option interface 'torguardvpn'
# Keeps the OpenVPN server's own traffic (port 1194) on wan so road-warrior
# sessions are not pulled into the provider tunnel.
config policy
option comment 'ovpnserver'
option interface 'wan'
option local_ports '1194'