[Routing expert needed] How to route between vpn server and vpn client (tunnel to vpn provider) both on same router

Hi there again. So I'm struggling with this for over a year now and I don't want to believe there's no solution, so here I ask again:

I have a vpn server and a vpn client, both running on the same router.
The vpn client on there connects to the vpn provider torguard. I don’t want all devices tunneled to the vpn provider, just one IP, let's call this odroid.
So I use @stangri 's vpn-policy-routing app along with the options nobind and route-nopull in vpn client conf.

To configure the VPN server, the client and the vpn-policy-routing app I used these tutorials from OpenWrt:
Openvpn server setup
Openvpn client setup
Openvpn server and client simultaneously

It seems the vpn-policy-routing app creates a torguardvpn table and a wan table, and routes odroid through the torguardvpn table and the OpenVPN server through the wan table.

Now the situation is as follows:
If I connect from "outside" via OpenVPN to my OpenVPN server, I can reach all IPs perfectly, also by hostname, BUT I cannot reach the odroid IP :frowning:

I have very limited knowledge of VPNs and routing; my only guess is that the two routing tables somehow need to be connected... idk.
So please, could someone here help me reach the odroid IP? :sob:

Here are the config files:

/etc/config/openvpn

# OpenVPN client towards the TorGuard provider (tun0). With route_nopull set,
# routes pushed by the provider are ignored, so the main table keeps the WAN
# default and only vpn-policy-routing decides which hosts use this tunnel.
config openvpn 'torguard'
	option client '1'
	option dev 'tun0'
	# TCP transport; the remote below is reached on port 80
	option proto 'tcp'
	option resolv_retry 'infinite'
	# nobind: no fixed local port; useful when another OpenVPN instance
	# (the server below) runs on the same router
	option nobind '1'
	option persist_key '1'
	option persist_tun '1'
	option ca '/etc/config/torguard/ca.crt'
	# Do not install the routes pushed by the provider (see header comment)
	option route_nopull '1'
	# Require the peer certificate to be a *server* certificate, so another
	# client certificate issued by the same CA cannot pose as the server
	option remote_cert_tls 'server'
	# Legacy CBC data channel with HMAC-SHA1 (see 'auth' below). An AEAD
	# cipher such as AES-256-GCM is preferable where the provider supports
	# it -- TODO confirm against TorGuard's recommended config
	option cipher 'AES-128-CBC'
	# NOTE(review): data-channel compression is deprecated upstream for
	# security reasons (VORACLE-type attacks); disable it if the provider allows
	option compress 'lzo'
	option verb '3'
	option fast_io '1'
	# Plaintext username/password file; keep it root-only readable (mode 0600)
	option auth_user_pass '/etc/config/torguard/userpass.txt'
	option remote_random '0'
	option auth 'SHA1'
	# 0 disables periodic TLS renegotiation from this side; the server
	# may still trigger it
	option reneg_sec '0'
	list remote 'nl.torguardvpnaccess.com 80'
	option sndbuf '524288'
	option rcvbuf '524288'
	option fragment '0'
	option mssfix '0'
	# Silences replay-window warnings in the log; they are useful signal
	# while troubleshooting, so consider leaving them visible
	option mute_replay_warnings '1'
	# Do not keep the username/password in memory after authentication
	option auth_nocache '1'
	option enabled '1'
	option log '/tmp/openvpnclient.log'

# OpenVPN server (tun1) for remote clients; tunnel subnet 192.168.200.0/24.
# No 'cipher' is set here, so the data cipher is whatever this OpenVPN
# version defaults to or negotiates -- TODO confirm in /tmp/openvpnserver.log.
config openvpn 'vpnserver'
	option enabled '1'
	option dev_type 'tun'
	option dev 'tun1'
	# Matches the 'Allow-OpenVPN-Inbound' rule in /etc/config/firewall
	option port '1194'
	option topology 'subnet'
	option tls_server '1'
	option mode 'server'
	option server '192.168.200.0 255.255.255.0'
	option route_gateway 'dhcp'
	# NOTE(review): data-channel compression is deprecated upstream for
	# security reasons (VORACLE-type attacks); consider dropping it together
	# with the matching 'compress lz4' push below
	option compress 'lz4'
	option keepalive '10 120'
	option persist_key '1'
	option persist_tun '1'
	option verb '4'
	option ca '/etc/openvpn/ca.crt'
	option cert '/etc/openvpn/my-server.crt'
	option key '/etc/openvpn/my-server.key'
	option dh '/etc/openvpn/dh2048.pem'
	# tls-auth with key direction 0: control-channel packets without a valid
	# HMAC are dropped before the TLS handshake (hardening against scans/DoS)
	option tls_auth '/etc/openvpn/tls-auth.key 0'
	# OpenVPN relays traffic between connected clients internally; that
	# traffic never passes the 'vpnserver' firewall zone, so per-client
	# filtering in /etc/config/firewall is not possible while this is on
	option client_to_client '1'
	option log '/tmp/openvpnserver.log'
	list push 'topology subnet'
	# Every connected client sends all of its traffic through this tunnel
	list push 'redirect-gateway def1'
	list push 'route-gateway dhcp'
	list push 'route 192.168.200.0 255.255.255.0'
	# Clients resolve DNS via the router
	list push 'dhcp-option DNS 192.168.1.1'
	list push 'compress lz4'
	list push 'persist-key'
	list push 'persist-tun'
	# TCP only; note the firewall rule currently opens both TCP and UDP
	option proto 'tcp'

/etc/config/firewall

#::: Defaults :::#
# LuCI: Network - Firewall

 
# Default OpenWrt Rule #
# Global fallback policies: traffic to/from the router itself is accepted
# unless a zone overrides it; forwarding between zones is dropped unless a
# 'config forwarding' section allows it.
config defaults
    option  input           'ACCEPT'
    option  output          'ACCEPT'
    option  forward         'DROP'
    # SYN-flood rate limiting and dropping of conntrack-INVALID packets
    option  syn_flood       1
    option  drop_invalid    1
	
# Accepts connections to the router's OpenVPN server port from every zone
# (unquoted * = any). The server itself is TCP only ('option proto tcp' in
# /etc/config/openvpn), so 'option proto tcp' here would stop exposing
# UDP/1194 for no benefit -- unless a switch to UDP is planned.
config rule
    option  name                'Allow-OpenVPN-Inbound'
    option  target              'ACCEPT'
    option  src                 *
    option  proto               'tcpudp'
    option  dest_port           1194

 #::: Zones :::#
# LuCI: Network - Firewall - Zones
#------------------------------------------------
 
# LAN #
# masq '1' on the LAN zone is unusual: traffic forwarded *into* the LAN (e.g.
# from VPN-server clients) is SNATed to the router's LAN address, so LAN hosts
# such as odroid log the router, not the real remote peer, as the source.
config zone
    option  name            'lan'
    option  network         'lan'
    option  input           'ACCEPT'
    option  output          'ACCEPT'
    option  forward         'DROP'
    option  masq            '1'

# Remote OpenVPN clients. input ACCEPT means they can reach every service on
# the router itself; access to other zones is granted only by the
# 'config forwarding' sections further down.
config zone
    option  name                'vpnserver'
    option  network             'vpnserver'
    option  input               'ACCEPT'
    option  forward             'REJECT'
    option  output              'ACCEPT'
    option  masq                1
	
#VPN client#
# Provider tunnel (tun0). input REJECT keeps the provider side from reaching
# the router; masq hides LAN addresses behind the tunnel address; mtu_fix
# clamps TCP MSS to the tunnel MTU.
config zone
	option name 'vpnclientfw'
	option network 'torguardvpn'
	option input 'REJECT'
    option output 'ACCEPT'
	option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'
 
# WAN #
# Nothing from the internet reaches the router unless a rule below allows it
config zone
    option  name            'wan'
    option  network         'wan wan6'
    option  input           'DROP'
    option  output          'ACCEPT'
    option  forward         'DROP'
    option  masq            1
    option  mtu_fix         1
 
 
#::: InterZone Forwarding :::#
# LuCI: Network -> Firewall -> Zones -
# VPN - Edit - Inter-Zone Forwarding
#------------------------------------------------
 

# Remote VPN clients may exit to the internet via the WAN uplink
config forwarding
    option  src                 'vpnserver'
    option  dest                'wan'
 
# ...and may reach the LAN, odroid included. Replies from odroid are still
# subject to the source-based policy in /etc/config/vpn-policy-routing.
config forwarding
    option  src                 'vpnserver'
    option  dest                'lan'

# LAN to VPN client#
# LAN hosts (odroid, via policy routing) may send traffic into the provider tunnel
config forwarding
    option dest             'vpnclientfw'
    option src              'lan'

# Remote VPN clients may also exit via the provider tunnel
config forwarding
    option  src                 'vpnserver'
    option  dest                'vpnclientfw'

# LAN to WAN #
config forwarding
    option  dest            'wan'
    option  src             'lan'

# Stock OpenWrt WAN-side rules (DHCP renewal, ping, IGMP, IPv6 housekeeping),
# left as shipped.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# The two rules below forward IPsec ESP and IKE (UDP/500) from the WAN into
# the LAN. They only serve a purpose if a LAN host terminates IPsec; if none
# does, they can be removed to keep the forward policy minimal.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# UPnP (miniupnpd): lets any LAN host request WAN port openings on its own.
# Convenient, but it hands port-forwarding decisions to LAN devices -- keep
# it only if something on the LAN actually needs it.
config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'any'
	option reload '1'

# Guest WLAN: isolated zone. No input to the router except the DHCP/DNS
# exceptions below, and forwarding only to wan -- there is no path from
# here to lan, vpnserver or vpnclientfw.
config zone 'gastwlanfw'
	option name 'gastwlanfw'
	option network 'gastwlan'
	option forward 'REJECT'
	option output 'ACCEPT'
	option input 'REJECT'

config forwarding 'gastwlanfw_fwd'
	option src 'gastwlanfw'
	option dest 'wan'

# Guests may obtain a lease from the router
config rule 'gastwlanfw_dhcp'
	option name 'gastwlanfw_DHCP'
	option src 'gastwlanfw'
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '67-68'

# ...and resolve names via the router
config rule 'gastwlanfw_dns'
	option name 'gastwlanfw_DNS'
	option src 'gastwlanfw'
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'

/etc/config/vpn-policy-routing

# vpn-policy-routing (VPR). Policies are applied in the order they appear.
config vpn-policy-routing 'config'
	option verbosity '2'
	option ipv6_enabled '1'
	# Per the VPR docs: if a policy's interface is down its traffic is not
	# failed over to another uplink -- acts as a kill switch for odroid
	# should tun0 drop
	option strict_enforcement '1'
	option dnsmasq_enabled '1'
	# Policies also apply to the router's own traffic (OUTPUT chain)
	option output_chain_enabled '1'
	option enabled '1'
	# No VPR routing table is built for the OpenVPN server interface
	list ignored_interface 'vpnserver'

# Everything *from* 192.168.1.111 is routed via the torguardvpn table.
# NOTE(review): that also covers odroid's replies to remote OpenVPN-server
# clients (192.168.200.0/24). If the torguardvpn table holds no route for
# that subnet via tun1, those replies leave through tun0 instead and the
# connection never completes -- a plausible cause of "odroid unreachable
# from the VPN server". Check with `ip rule` and
# `ip route show table <VPR table for torguardvpn>`; confirm before acting.
config policy
	option comment 'odroid-hc2'
	option local_addresses '192.168.1.111'
	option interface 'torguardvpn'

# Keeps the OpenVPN server's own traffic (port 1194) on the WAN uplink
config policy
	option comment 'ovpnserver'
	option interface 'wan'
	option local_ports '1194'

Have you tried creating a policy with the local ports matching the service ports (ie: 22 for ssh) and routing set to WAN for the odroid services you want to be able to access thru the OpenVPN Server running on your router?

You mean sth. like this?

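# Proposed policy: steer only odroid's SSH (port 22) via the WAN table while
# the rest of its traffic keeps following the 'odroid-hc2' policy. It must be
# listed *before* the 'odroid-hc2' policy in /etc/config/vpn-policy-routing,
# since VPR applies policies in order. The typographic quotes (’ ‘) from the
# forum post are replaced by the ASCII ' quotes UCI requires -- with the
# curly quotes the section would not parse as intended.
config policy
	option comment 'odroid'
	option local_addresses '192.168.1.111'
	option local_ports '22'
	option interface 'wan'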

I put that at the end of /etc/config/firewall but it didn't work. What I noticed, though, is that if I reload the firewall I get errors:

root@LEDE:~# /etc/init.d/firewall reload
 * Clearing IPv4 filter table
 * Clearing IPv4 nat table
 * Clearing IPv4 mangle table
 * Populating IPv4 filter table
Warning: fw3_ipt_rule_append(): Can't find target 'input_lan_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'output_lan_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'forwarding_lan_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'input_vpnserver_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'output_vpnserver_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'forwarding_vpnserver_rule'
   * Rule 'Allow-OpenVPN-Inbound'
   * Rule 'Allow-DHCP-Renew'
   * Rule 'Allow-Ping'
   * Rule 'Allow-IGMP'
   * Rule 'Allow-IPSec-ESP'
   * Rule 'Allow-ISAKMP'
   * Rule 'gastwlanfw_DHCP'
   * Rule 'gastwlanfw_DNS'
   * Forward 'vpnserver' -> 'wan'
   * Forward 'vpnserver' -> 'lan'
   * Forward 'lan' -> 'vpnclientfw'
   * Forward 'vpnserver' -> 'vpnclientfw'
   * Forward 'lan' -> 'wan'
   * Forward 'gastwlanfw' -> 'wan'
   * Zone 'lan'
   * Zone 'vpnserver'
   * Zone 'vpnclientfw'
   * Zone 'wan'
   * Zone 'gastwlanfw'
 * Populating IPv4 nat table
Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_lan_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_lan_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_vpnserver_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_vpnserver_rule'
   * Zone 'lan'
   * Zone 'vpnserver'
   * Zone 'vpnclientfw'
   * Zone 'wan'
   * Zone 'gastwlanfw'
 * Populating IPv4 mangle table
   * Zone 'lan'
   * Zone 'vpnserver'
   * Zone 'vpnclientfw'
   * Zone 'wan'
   * Zone 'gastwlanfw'
 * Clearing IPv6 filter table
 * Clearing IPv6 mangle table
 * Populating IPv6 filter table
Warning: fw3_ipt_rule_append(): Can't find target 'input_lan_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'output_lan_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'forwarding_lan_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'input_vpnserver_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'output_vpnserver_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'forwarding_vpnserver_rule'
   * Rule 'Allow-OpenVPN-Inbound'
   * Rule 'Allow-DHCPv6'
   * Rule 'Allow-MLD'
   * Rule 'Allow-ICMPv6-Input'
   * Rule 'Allow-ICMPv6-Forward'
   * Rule 'Allow-IPSec-ESP'
   * Rule 'Allow-ISAKMP'
   * Rule 'gastwlanfw_DHCP'
   * Rule 'gastwlanfw_DNS'
   * Forward 'vpnserver' -> 'wan'
   * Forward 'vpnserver' -> 'lan'
   * Forward 'lan' -> 'vpnclientfw'
   * Forward 'vpnserver' -> 'vpnclientfw'
   * Forward 'lan' -> 'wan'
   * Forward 'gastwlanfw' -> 'wan'
   * Zone 'lan'
   * Zone 'vpnserver'
   * Zone 'vpnclientfw'
   * Zone 'wan'
   * Zone 'gastwlanfw'
 * Populating IPv6 mangle table
   * Zone 'lan'
   * Zone 'vpnserver'
   * Zone 'vpnclientfw'
   * Zone 'wan'
   * Zone 'gastwlanfw'
 * Set tcp_ecn to off
 * Set tcp_syncookies to on
 * Set tcp_window_scaling to on
 * Running script '/usr/share/miniupnpd/firewall.include'

Not /etc/config/firewall but /etc/config/vpn-policy-routing.

Also, this needs to be higher in the list than the policy routing odroid to VPN.

PS. On the second thought, it probably won't work and also have a negative effect.

Yeah, that didn't help either.
There's so much stuff going on in this forum and so little categories, I fear once again my topic has been forgotten in the depths of this forum.
Do you happen to know any other forum or chat where I could get help?
I feel like it's a tiny policy/rule for someone experienced in this..idk.

I'm not familiar with the policy routing app. I also wasn't aware you could make a routing policy based on ports.

IP Rules are used to specify how to route. This can be done based on IP and Interface.

You then specify the routes.

For your odroid example:

/etc/config/network

#Tells odroid to use Route Table No. 2
# NOTE(review): this is source-based -- *all* of odroid's traffic would be
# looked up in table 2 (default via WAN, see the route below), i.e. odroid
# would bypass the TorGuard tunnel entirely, not just for connections coming
# from VPN-server clients.
config rule
	option src '192.168.1.111/32'     
	# Lower number = evaluated earlier. Whether this actually precedes the
	# rules vpn-policy-routing installs depends on their priorities -- check `ip rule`
	option priority '10'
	option lookup '2'

#Creates a gateway on Route Table No. 2
# As configured here table 2 contains only this default route -- no LAN or
# tun1 routes -- so a host steered into it still cannot reach 192.168.200.0/24.
config route
	option interface 'wan'
	option target '0.0.0.0'
	option netmask '0.0.0.0'
	#This will be your WAN gateway IP
	# A static gateway stops working when the ISP hands out a new one (as
	# noted later in the thread); the route then silently points nowhere
	option gateway 'xxx.xxx.xxx.xxx'
	option table '2'

Thx for your answer! Idk how this will play along with vpn-policy-routing app but I'll try it.
Just one noob question:

Since my wan ip changes, I've set up a ddns service. Can I also put a domain name as gateway?

..Scratch that, I thought wan ip,...but doesn't wan gateway ip also change?..

ok I added this in /etc/config/network and did /etc/init.d/network reload, unfortunately odroid is still not reachable :frowning: any other ideas?

Still not reachable???

HOLD UP!!!

OH!!!! TRY THIS! You probably just have OpenVPN using another routing table...

#Tells system to always use main routing table for odroid
# NOTE(review): same source-based caveat as the table-2 variant -- every
# packet from odroid would use main, whose default is the WAN uplink (the
# client's route_nopull keeps the provider's routes out of main), so odroid
# would bypass the TorGuard policy routing altogether.
config rule
	option src '192.168.1.111/32'     
	option priority '10'
	option lookup 'main'

Did not work either :frowning:

Maybe this has sth. to do with the config in /etc/config/vpn-policy-routing?

# vpn-policy-routing (VPR) as currently deployed. Policies apply in the order
# they appear.
config vpn-policy-routing 'config'
	option verbosity '2'
	option ipv6_enabled '1'
	# Per the VPR docs: traffic of a policy whose interface is down is not
	# failed over to another uplink (kill switch for odroid if tun0 drops)
	option strict_enforcement '1'
	option dnsmasq_enabled '1'
	# Policies also apply to the router's own traffic (OUTPUT chain)
	option output_chain_enabled '1'
	option enabled '1'
	# No VPR routing table is built for the OpenVPN server interface
	list ignored_interface 'vpnserver'

# Everything *from* 192.168.1.111 uses the torguardvpn table -- including
# odroid's replies to remote OpenVPN-server clients in 192.168.200.0/24.
# NOTE(review): if that table lacks a route to 192.168.200.0/24 via tun1,
# those replies exit via tun0 and the connection never completes; this is
# consistent with "every LAN host except odroid is reachable". Verify with
# `ip rule` and `ip route show table <VPR table for torguardvpn>`.
config policy
	option comment 'odroid-hc2'
	option local_addresses '192.168.1.111'
	option interface 'torguardvpn'

# Keeps the OpenVPN server's own traffic (port 1194) on the WAN uplink
config policy
	option comment 'ovpnserver'
	option interface 'wan'
	option local_ports '1194'

I set it up according to this tutorial: OpenVPN Client & Server (Simultaneously)

Honestly I don't know what's the meaning of this wiki.....

Oh, wait: I recently updated nginx and organizr (website/frontend to show several webinterfaces in tabs via iframe) and that was the site on odroid I tried to reach. I cannot reach it in lan right now, let me fix that and then try your suggestions again.

Nope, still not working :confused:

@lleachii Do you have any other ideas? Maybe the vpn-policy-routing app with its routing tables, or the config from this wiki OpenVPN Client & Server (Simultaneously), causes your lines not to work.
Idk... all I realized is that if I change the vpn client config to proto tcp, I only get about 35 Mbps versus my full bandwidth of 100 Mbps with proto udp... so changing to tcp is out of the question.

This policy (sorry, formatting lost because of quoting):

Needs to be higher in /etc/config/vpn-policy-routing than this policy:

If you then have configured the VPN Client and Server at the same time as per wiki, odroid ssh should be reachable when connecting to your LAN via OpenVPN Server.

The extra firewall/iptables rules you have created manually may get in the way.

If you don't like TCP, you can probably have both vpnc and vpns using UDP, but you'll have to set different ports (and adjust VPR config accordingly). If you do, please post your results here/on the wiki.

Ditched the extra rules in /etc/config/firewall and also in /etc/config/network and re-sorted the rules in the vpn-policy-routing app. Also followed the wiki. Unfortunately I still can't reach ssh on odroid. Everything is tcp for now.

If you remember, I got it working once, long time ago. But I didn't know how...I think I had your suggested rule in /etc/config/firewall...but then it stopped working... :frowning: