Routing LAN -> VPN1 and WLAN -> VPN2

I'm having a really hard time getting the following to work:

Problem 1. I cannot get 2 wireguard vpns running at the same time.
Problem 2. I cannot get lan -> vpn1 and wlan -> vpn2

It should not be that difficult, but apparently I'm a moron, I could really use the help.

EDIT:
Finally managed to get both VPNs working on the router itself. I see TX/RX counters increase and can ping the WireGuard servers and resolve a dns query from the router. (nslookup domain remote_vpn_ip)

However, now I need to route LAN/WLAN to their individual VPNs.
I tried adding tables and marking traffic, but my knowledge is just insufficient.

Thanks in advance

The easiest way to achieve this is using Policy Based Routing:

https://openwrt.org/docs/guide-user/network/routing/pbr

Yes, I've been trying that for a couple of days now, but no luck.

It's the most basic setup I could come up with: lan, wan, wlan, vpn.
Set vpnoption defaultroute '0' to remove default route to VPN.

Then I used this:
https://openwrt.org/docs/guide-user/network/routing/pbr_netifd

Applied example 1 (but removed ipv6 and dmz):

# only IPv4 here; the wiki example also loops over 6
for IPV in 4
do
# put the LAN's own routes in table 1 and the VPN's routes in table 2
uci set network.lan.ip${IPV}table="1"
uci set network.vpn.ip${IPV}table="2"
# ${IPV%4} strips the trailing 4, so the IPv4 rule section is simply "lan_vpn"
uci -q delete network.lan_vpn${IPV%4}
uci set network.lan_vpn${IPV%4}="rule${IPV%4}"
# traffic arriving on lan is looked up in table 2
uci set network.lan_vpn${IPV%4}.in="lan"
uci set network.lan_vpn${IPV%4}.lookup="2"
uci set network.lan_vpn${IPV%4}.priority="30000"
done
uci commit network
service network restart

Result:
Not working, the external IP address over LAN is the same as over WAN.

What am I doing wrong, or not doing?

Configs:
/etc/config/network:

config globals 'globals'
        option packet_steering '1'

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config device
        option name 'eth1'

config interface 'lan'
        option proto 'static'
        option device 'eth1'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option delegate '0'
        option ip4table '1'

config device
        option name 'eth0'

config interface 'wan'
        option device 'eth0'
        option proto 'dhcp'

config interface 'wlan'
        option proto 'static'
        option device 'phy0-ap0'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        option delegate '0'
        option type 'bridge'

config interface 'vpn'
        option proto 'wireguard'
        option private_key '<removed>'
        list addresses '10.2.0.2/32'
        list dns '10.2.0.1'
        option defaultroute '0'
        option delegate '0'
        option ip4table '2'

config wireguard_vpn
        option public_key '<removed>'
        list allowed_ips '0.0.0.0/0'
        option endpoint_host '<vpn ip>'
        option endpoint_port '51820'
        option route_allowed_ips '1'

config rule 'lan_vpn'
        option in 'lan'
        option lookup '2'
        option priority '30000'

/etc/config/firewall:

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config zone
        option name 'vpn'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'vpn'

config zone
        option name 'wlan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'wlan'

config forwarding
        option src 'wlan'
        option dest 'vpn'

config forwarding
        option src 'wlan'
        option dest 'wan'

config forwarding
        option src 'lan'
        option dest 'vpn'

config forwarding
        option src 'lan'
        option dest 'wan'

Remove option defaultroute '0' (or set to 1)

Reboot (or do service network restart) and test again


That is a purposeful setting, I only want lan to route to vpn, not wlan. Otherwise it will just add a default route similar to: ip route add default dev vpn and route everything over vpn.

option ip4table already removes the default route from the main table and places it in a separate table 2.

However, if you remove the default route, then table 2 will not have a default route and it does not work.

ip route show
ip route show table 2
ip rule

should show what is happening
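To see what those three commands actually tell you, here is an added shell script of my own (not from this thread or the OpenWrt wiki) that parses their output and flags the condition behind the symptom above. A rule saying "lookup 2" only decides the path when table 2 holds a matching route; if the VPN's default route is missing, the kernel moves on to the next rule, reaches the main table and sends LAN traffic out the WAN, which is why the external address looked like the WAN's. The route and rule dumps in the script are constructed samples; device names (eth1, eth0, vpn) are assumptions.

```shell
#!/bin/sh
# Added example: audit a netifd policy-routing table the way a reviewer would read
# "ip route show", "ip route show table N" and "ip rule" output.
# Sample dumps below are constructed; run with arguments on a router for live data.

# has_default_route TABLE_DUMP -> 0 if the table contains a default route
has_default_route() {
    printf '%s\n' "$1" | grep -q '^default '
}

# default_route_dev TABLE_DUMP -> prints the device the table's default route uses
default_route_dev() {
    printf '%s\n' "$1" | awk '$1 == "default" { for (i = 1; i < NF; i++) if ($i == "dev") print $(i+1); exit }'
}

# has_lookup_rule RULE_DUMP DEV TABLE -> 0 if "ip rule" has "iif DEV lookup TABLE"
# (netifd turns "option in 'lan'" into the lan's device name, e.g. eth1)
has_lookup_rule() {
    printf '%s\n' "$1" | grep -q "iif $2 lookup $3\$"
}

# audit_pbr MAIN_DUMP TABLE_DUMP RULE_DUMP DEV TABLE VPN_DEV
# Prints findings and returns their count; 0 means DEV's traffic really leaves via VPN_DEV.
audit_pbr() {
    main="$1"; tbl="$2"; rules="$3"; dev="$4"; table="$5"; vpn="$6"; findings=0
    if ! has_lookup_rule "$rules" "$dev" "$table"; then
        echo "FAIL: no rule 'iif $dev lookup $table'; traffic from $dev never consults table $table"
        findings=$((findings + 1))
    fi
    if ! has_default_route "$tbl"; then
        echo "FAIL: table $table has no default route; lookups fall through to main (dev $(default_route_dev "$main"))"
        findings=$((findings + 1))
    elif [ "$(default_route_dev "$tbl")" != "$vpn" ]; then
        echo "FAIL: table $table routes default via $(default_route_dev "$tbl"), not $vpn"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ] && echo "OK: traffic from $dev leaves via $vpn (table $table)"
    return "$findings"
}

# --- constructed samples: the poster's setup with defaultroute 0, and with it removed ---
MAIN='default via 203.0.113.1 dev eth0 proto static src 203.0.113.10
203.0.113.0/24 dev eth0 proto kernel scope link src 203.0.113.10'
RULES='0:      from all lookup local
30000:  from all iif eth1 lookup 2
32766:  from all lookup main
32767:  from all lookup default'
TABLE2_EMPTY=''                                         # defaultroute 0: table 2 stays empty
TABLE2_FIXED='default dev vpn proto static scope link'  # defaultroute removed: VPN default present

if [ $# -eq 3 ]; then
    # live mode on the router: audit_pbr.sh <lan device> <table> <vpn device>, e.g. eth1 2 vpn
    audit_pbr "$(ip -4 route show table main)" "$(ip -4 route show table "$2")" "$(ip -4 rule show)" "$1" "$2" "$3"
else
    echo '# with defaultroute 0:'; audit_pbr "$MAIN" "$TABLE2_EMPTY" "$RULES" eth1 2 vpn || :
    echo '# with defaultroute removed:'; audit_pbr "$MAIN" "$TABLE2_FIXED" "$RULES" eth1 2 vpn || :
fi
```

Without arguments it runs on the constructed samples and shows the first case failing and the second passing; on the router, `sh audit_pbr.sh eth1 2 vpn` reads the live tables. The rule check uses the device name because that is what appears in `ip rule`, not the logical interface name from the uci config.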

You are so right :blush:, I really need to work on my understanding (currently I have no clue). Let me do some additional configuration.

Sure, some info for making rules to use the vpn:

config rule
	# for ip source:
	option src '192.168.30.0/24'
	# destination e.g. from all to dest
	option dest '25.52.71.40/32'
	# for interface
	option in 'lan'
	# for proto
	option ipproto 'icmp'

	option lookup '2'

Could you elaborate why/if this is still needed, because I do not understand it fully?

uci set network.lan.ip${IPV}table="1"

I now have tables:

1 lan
2 vpn1
3 wlan
4 vpn2

I added one for wlan too. I'm a bit fuzzy as to why, but it works.

A few things:

First (and not related): you might need to review your settings regarding wlan.

I think that is not the recommended way to set up a "guest wifi", see:
https://openwrt.org/docs/guide-user/network/wifi/guestwifi/configuration_webinterface

The problem with using netifd for PBR like you are doing is that local routes are not copied, so you only have a default gateway for your LAN but cannot connect to your other local networks.
Maybe that is not a problem, but if it is you need to copy the local routes from the main table to table 2.

But if you already have table 2 for the VPN, then doing this does not make much sense to me:

You end up with a table 1 with only a local route for the LAN; I can imagine you want that route in table 2, so using this could make sense:

uci set network.lan.ip4table="2"

then you have your local route in table 2 together with the default route.

But it looks like you are overcomplicating things, or you want a fine-grained PBR, for which using the PBR app:

https://openwrt.org/docs/guide-user/network/routing/pbr_app
It also has a LuCI app to configure it: https://docs.openwrt.melmac.net/pbr/

is more suited.

netifd is a powerful tool, but it has its limitations.

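The reply above says that when netifd is used for PBR the local routes are not copied into the VPN table, and that if this matters you have to copy them from the main table yourself. Here is an added shell script of my own (not from this thread or the OpenWrt wiki) that works out which connected routes of the main table are absent from a given table and prints the `ip route add ... table N` commands to copy them, optionally leaving out the WAN's own subnet so that LAN hosts cannot reach the WAN segment outside the tunnel. The route dumps are constructed samples; the device names (eth1, br-wlan, eth0, vpn) are assumptions.

```shell
#!/bin/sh
# Added example: copy the main table's connected (non-default) routes into a
# policy-routing table, as the reply suggests. Dry run by default; run with
# arguments on the router to apply. Sample dumps are constructed.

# missing_local_routes MAIN_DUMP TABLE_DUMP [EXCLUDE_DEV]
# Prints each non-default route of MAIN_DUMP (exactly as "ip route" printed it)
# whose prefix is not present in TABLE_DUMP, skipping routes on EXCLUDE_DEV.
missing_local_routes() {
    printf '%s\n' "$1" | grep -v '^default ' | while IFS= read -r route; do
        [ -n "$route" ] || continue
        if [ -n "$3" ]; then
            case " $route " in *" dev $3 "*) continue ;; esac
        fi
        prefix="${route%% *}"
        # exact prefix comparison on the first field; avoids regex surprises with dots
        printf '%s\n' "$2" | awk -v p="$prefix" '$1 == p { found = 1 } END { exit !found }' \
            || printf '%s\n' "$route"
    done
}

# copy_commands MAIN_DUMP TABLE_DUMP TABLE [EXCLUDE_DEV]
# Prints one "ip -4 route add ... table TABLE" command per missing route.
copy_commands() {
    missing_local_routes "$1" "$2" "$4" | while IFS= read -r route; do
        printf 'ip -4 route add %s table %s\n' "$route" "$3"
    done
}

# count_lines TEXT -> number of lines in TEXT (0 for an empty string)
count_lines() {
    printf '%s' "$1" | awk 'END { print NR }'
}

# --- constructed samples: main table, and table 2 holding only the VPN default and the LAN route ---
MAIN='default via 203.0.113.1 dev eth0 proto static src 203.0.113.10
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.1
192.168.2.0/24 dev br-wlan proto kernel scope link src 192.168.2.1
203.0.113.0/24 dev eth0 proto kernel scope link src 203.0.113.10'
TABLE2='default dev vpn proto static scope link
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.1'

if [ $# -ge 1 ]; then
    # live mode on the router: copy_routes.sh <table> [wan device]; the commands are executed
    copy_commands "$(ip -4 route show table main)" "$(ip -4 route show table "$1")" "$1" "${2:-}" | sh -e
else
    # dry run on the samples: only the wlan route is printed, the WAN subnet is excluded
    copy_commands "$MAIN" "$TABLE2" 2 eth0
fi
```

Routes added with `ip route add` are gone after `service network restart`; once you know which routes you want, make them permanent as netifd `config route` sections carrying `option table '2'` in /etc/config/network. Passing the WAN device as the second argument keeps the WAN subnet out of the VPN table, so LAN clients can only reach it through the tunnel.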

Thank you for your time and advice, I will take it to heart.

It's not every day you find out you really really suck at something, and for me that something is routing. So I have to study some more :blush:

I know about the PBR app, and it seems quite the success seeing all those translation packages, congrats! ... but it's not for me.

Thanks again, you made my day.

You are welcome, we are here to help :slight_smile:
