Routing into VPN over secondary WiFi-connected box?

Preface: I run two OpenWRT boxes: an Archer A7 as my router/AP, and an x64-based machine to handle CPU/RAM-intensive things - namely, my AdGuard Home and my VPN client. Previously, I was able to connect both OpenWRT boxes via Ethernet, and everything worked beautifully using VLANs that both boxes were aware of (specifically, routing certain WAN IP address ranges through the VPN for all LAN devices).

Current situation: Now, unfortunately, due to physical constraints, I have to use a WDS link between the boxes (see picture). In this configuration, the x64 can establish the VPN link just fine and is aware of both the .1.x and .192.x networks, but the A7 is only aware of the .1.x network and thus cannot route anything into the VPN.

Question: I assume that if I make use of firewall/routing rules on both machines I can fix this, but this is beyond my current networking capabilities. Any pointers are thus much appreciated!

The use of WDS should not change anything in the setup you are trying to achieve.
Anyway, on the A7 you can add a static route. Provided that 192.168.1.0/24 is the lan interface, use the following:

uci add network route
uci set network.@route[-1].interface='lan'
uci set network.@route[-1].target='192.168.192.0'
uci set network.@route[-1].netmask='255.255.255.0'
uci set network.@route[-1].gateway='192.168.1.254'
uci commit network
service network restart

I'm actually not sure if I was clear enough describing my issue/scenario, but this did help me find the solution, many thanks!

Based on your suggestion, I set the A7 route for my external target, let's call it 134.134.0.1/24, to the LAN interface with the x64 box (192.168.1.254) as gateway. Then, on the x64, I configured a static route for 134.134.0.1/24 with the VPN interface and the VPN gateway 192.168.192.1 (i.e., the same route that, on its own, was previously sufficient on my A7). Working now :)



So, turns out it's not fully solved after all - it stopped working again, with tracert from a LAN-connected device (192.168.1.2) showing that requests which should go via the VPN simply bounce back and forth:

Tracing route to external-hostname.com [134.134.0.1]
  1     1 ms     1 ms    <1 ms  192.168.1.1
  2     2 ms     2 ms     2 ms  192.168.1.254
  3   293 ms     2 ms     2 ms  192.168.1.1
  4   102 ms     3 ms     4 ms  192.168.1.254
etc.

I didn't touch the configuration, so I'm not sure what happened. Maybe some cache expiration? If you or someone else can find any pointers in my config for what went wrong - here they are (or at least the relevant parts):

1) Main Router / A7 / 192.168.1.1 (lan)

/etc/config/network

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.10'
	option ipv6 '0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ipv6 '0'

config interface 'wan'
	option device 'eth0.7'
	option proto 'dhcp'
	option ipv6 '0'
	option peerdns '0'

config route
	option interface 'lan'
	option target '134.134.0.0/21'
	option gateway '192.168.1.254'

/etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option synflood_protect '1'
	option flow_offloading '1'
	option flow_offloading_hw '1'
	option forward 'DROP'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option input 'DROP'
	option forward 'DROP'
	list network 'wan'

config forwarding
	option src 'lan'
	option dest 'wan'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'AdGuard'
	option src 'lan'
	option src_dport '53'
	option dest_ip '192.168.1.254'
	option dest_port '53'
	option src_ip '!192.168.1.254'

config nat
	option name 'AdGuard-NAT-lan'
	list proto 'tcp'
	list proto 'udp'
	option src 'lan'
	option dest_ip '192.168.1.254'
	option dest_port '53'
	option target 'MASQUERADE'

config rule
	option name 'deny_dot'
	option src 'lan'
	list src_ip '!192.168.1.254'
	option dest 'wan'
	option dest_port '853'
	option target 'DROP'

/etc/config/dhcp

config dnsmasq 'lan_dns'
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases.lan'
	option localservice '1'
	option ednspacket_max '1232'
	option noresolv '1'
	option port '0'
	option localuse '0'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '24h'
	list dhcp_option '6,192.168.1.254'

2) AdGuard+VPN box / 192.168.1.254 (lan) / 192.168.192.10 (vpn)

/etc/config/network

config interface 'lan'
	option proto 'static'
	option device 'eth0'
	option ipaddr '192.168.1.254'
	option netmask '255.255.255.0'
	option ipv6 '0'
	option gateway '192.168.1.1'

config interface 'vpn'
	option proto 'static'
	option device 'vpn_sevpn'
	option ipaddr '192.168.192.10'
	option netmask '255.255.255.0'
	option defaultroute '0'
	option delegate '0'
	option gateway '192.168.192.1'

config route
	option interface 'vpn'
	option target '134.134.0.0/21'
	option gateway '192.168.192.1'

/etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'DROP'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'DROP'
	option masq '1'
	option mtu_fix '1'
	list network 'vpn'

config forwarding
	option src 'lan'
	option dest 'wan'

dnsmasq is disabled.

The remote VPN server still shows an intact connection from 192.168.192.10 (AdGuard+VPN box).
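As an added example (not from the thread), here is a small Python script that parses tracert/traceroute output like the dump above and reports the first repeating hop address, which is the signature of two routers handing a packet back and forth. The two traces embedded in it are constructed from the addresses in this thread; the "clean" one shows what a working path through the VPN gateway would look like and is not something the original poster posted.

```python
"""Detect a routing loop in tracert/traceroute output.

Added example, not part of the original thread. Both sample traces are
constructed from the addresses discussed in the thread.
"""
import re

# Hop lines start with the hop number; the first dotted quad after it is
# the responding router (works for Windows tracert and Linux traceroute,
# where the address may be in parentheses after a hostname).
_HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
_IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed from the trace pasted above: the packet ping-pongs between
# the A7 (192.168.1.1) and the x64 box (192.168.1.254).
LOOPING_TRACE = """\
Tracing route to external-hostname.com [134.134.0.1]
  1     1 ms     1 ms    <1 ms  192.168.1.1
  2     2 ms     2 ms     2 ms  192.168.1.254
  3   293 ms     2 ms     2 ms  192.168.1.1
  4   102 ms     3 ms     4 ms  192.168.1.254
"""

# Constructed: the path the poster wants, LAN router -> x64 box -> VPN gateway -> target.
CLEAN_TRACE = """\
Tracing route to external-hostname.com [134.134.0.1]
  1     1 ms     1 ms    <1 ms  192.168.1.1
  2     2 ms     2 ms     2 ms  192.168.1.254
  3    41 ms    40 ms    42 ms  192.168.192.1
  4    55 ms    54 ms    57 ms  134.134.0.1
"""


def parse_trace(text):
    """Return [(hop_number, ip)] for every hop line that names a router.

    Lines without an address (e.g. "Request timed out.") are skipped.
    """
    hops = []
    for line in text.splitlines():
        m = _HOP_RE.match(line)
        if not m:
            continue
        ip = _IP_RE.search(m.group(2))
        if ip:
            hops.append((int(m.group(1)), ip.group(1)))
    return hops


def find_loop(hops):
    """Return the list of addresses forming the loop, or None.

    The first address that shows up a second time closes the cycle; the
    hops between its two occurrences are the routers bouncing the packet.
    """
    first_seen = {}
    for idx, (_, ip) in enumerate(hops):
        if ip in first_seen:
            return [h[1] for h in hops[first_seen[ip]:idx]]
        first_seen[ip] = idx
    return None


def diagnose(text):
    """Human-readable verdict for one trace dump."""
    hops = parse_trace(text)
    loop = find_loop(hops)
    if loop is None:
        return "no loop in %d hops" % len(hops)
    return "routing loop: " + " -> ".join(loop + [loop[0]])


if __name__ == "__main__":
    print(diagnose(LOOPING_TRACE))
    print(diagnose(CLEAN_TRACE))
```

Run it against a saved trace (`diagnose(open("trace.txt").read())`) after any change to the static routes; a loop between the two LAN gateways means the x64 box is sending the packet back to its default gateway instead of into the tunnel.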

What exactly do you want?
Do you want all traffic from all clients to go via the VPN, only traffic from some clients to go via the VPN, or only to reach the VPN server, etc.?

Sorry if I haven't been sufficiently clear on this. Traffic to external-hostname.com [134.134.0.1], originating from any device on the LAN (and only this traffic), should go out via the remote VPN server (instead of the "local" cable modem).
I.e., from 192.168.1.2, this traffic should go -> 192.168.1.1 (LAN router) -> 192.168.1.254 aka 192.168.192.10 -> 192.168.192.1 (aka some dynamic WAN IP of the remote VPN server) -> 134.134.0.1

Your VPN is already connected. It might work if the VPN server supports NAT hairpinning, but it is much easier to set a static route to the subnet of the VPN server.
Note it should be different from the other subnets.

Furthermore, you might have to SNAT traffic going out of the router to the VPN client, otherwise traffic might be classified as invalid because it originates from the router but will not be directed back to the router but directly to the LAN client.
Alternatively, disable invalid traffic on the firewall; I think there is a general invalid setting and also one per interface.

You have a routing loop: the ISP router is sending packets to the OpenWrt and the latter is sending them back to the former.
Either the OpenWrt will have just the VPN gateway, or multiple gateways with proper metrics, or you'll create another routing table, or use the pbr package.
Also some gateways you have there are invalid, so you need to fix them.

So, upon further investigation, my configuration from Post #5 is actually working, with correct forwarding between different gateways and devices as desired. The issue was that the static routing rules were lost if the vpn connection intermittently dropped, due to "Force Link" being set by default - adding option force_link '0' to the VPN interface on the x64 box resolved the issue. (solution by Malvineous here)

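As an added example (not part of the thread or of OpenWrt), the following Python models the routing tables of the two boxes, transcribed from the posted /etc/config/network files, with a longest-prefix-match lookup, and traces a packet for 134.134.0.1 starting at the A7. It illustrates both the "routing loop" diagnosis above and the final finding: with the x64 box's 134.134.0.0/21 route present the packet reaches the VPN gateway, and with that route missing (what the poster observed after the tunnel dropped) the x64 box's default gateway 192.168.1.1 hands the packet straight back to the A7, reproducing the 192.168.1.1 / 192.168.1.254 ping-pong in the tracert. The router labels, the "wan" placeholder for the cable-modem default route and the sample destination 203.0.113.5 are assumptions of this model.

```python
"""Model next-hop selection on the two OpenWrt boxes in this thread.

Added example, not from the thread or from OpenWrt. Routing tables are
transcribed from the posted configs; the "wan" placeholder stands for
the A7's cable-modem default route and is an assumption of this model.
"""
import ipaddress

A7 = "192.168.1.1"          # Archer A7, LAN router
X64 = "192.168.1.254"       # AdGuard+VPN box, LAN side
VPN_GW = "192.168.192.1"    # remote VPN gateway as seen on the vpn interface
TARGET = "134.134.0.0/21"   # the "external target" prefix from the thread


def build_tables(x64_has_vpn_route):
    """Return {router: [(prefix, next_hop)]}; next_hop None means on-link."""
    a7 = [
        ("192.168.1.0/24", None),      # lan, directly connected
        (TARGET, X64),                 # config route: gateway 192.168.1.254
        ("0.0.0.0/0", "wan"),          # default via the cable modem (placeholder)
    ]
    x64 = [
        ("192.168.1.0/24", None),      # lan, directly connected
        ("192.168.192.0/24", None),    # vpn, directly connected
        ("0.0.0.0/0", A7),             # option gateway '192.168.1.1' on lan
    ]
    if x64_has_vpn_route:
        # config route on the x64: target 134.134.0.0/21 via 192.168.192.1;
        # this is the entry that disappeared when the tunnel went down.
        x64.append((TARGET, VPN_GW))
    return {A7: a7, X64: x64}


def lookup(table, dst):
    """Longest-prefix match; returns (network, next_hop) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


def trace(tables, start, dst, max_hops=8):
    """Follow next hops from router `start` towards `dst`.

    Returns (path, outcome): "delivered" (destination is on-link), "exit"
    (handed to a gateway outside the modelled LAN, e.g. the VPN gateway),
    "loop" (a router already on the path receives the packet again) or
    "no route".
    """
    path = [start]
    current = start
    for _ in range(max_hops):
        match = lookup(tables[current], dst)
        if match is None:
            return path, "no route"
        next_hop = match[1]
        if next_hop is None:
            return path + [dst], "delivered"
        if next_hop not in tables:
            return path + [next_hop], "exit"
        if next_hop in path:
            return path + [next_hop], "loop"
        path.append(next_hop)
        current = next_hop
    return path, "too many hops"


if __name__ == "__main__":
    for has_route in (True, False):
        path, outcome = trace(build_tables(has_route), A7, "134.134.0.1")
        state = "present" if has_route else "missing"
        print("x64 vpn route %s: %s (%s)" % (state, " -> ".join(path), outcome))
```

The model makes the dependency explicit: the A7's static route is only safe while the x64 box holds a more specific route for the same prefix, because the x64 box's default gateway points back at the A7. Any event that removes the vpn route (the tunnel dropping with the interface's link-state handling as posted) turns the two static routes into a loop rather than a failover.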