Routing Single Interface through VPN Tunnel

Hello,

I recently installed OpenVPN to connect to my NordVPN server and the setup works fine: all clients are forwarded through the NordVPN tunnel by default. I had 3 networks before, and I have now created a new network called LAN5_VPN, bridged to my newly created wireless SSIDs OpenWrt-VPN and OpenWrt-5G-VPN; the LAN5_VPN interface has a static IP address configuration in the 192.168.30.0/24 network.

What I want is to route ONLY the clients on my newly created interface (192.168.30.0/24) through the OpenVPN tunnel; all the other interfaces MUST bypass the tunnel and go out directly through my WAN interface.

I figure this has something to do with the routing rules. Could you please give me the commands to route just the 192.168.30.0/24 interface through the tunnel and have the rest bypass it?

The existing network config, wireless config, routing table and firewall config are as follows:

Network Config:

root@OpenWrt_Netgear_R6220:/etc/config# cat /etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdb7:e176:4b25::/48'

config interface 'lan'
        option ifname 'eth0.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.1.1'
        option type 'bridge'

config device 'lan_eth0_1_dev'
        option name 'eth0.1'
        option macaddr 'xx:xx:xx:xx:xx:xx'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'static'
        option netmask '255.255.255.0'
        list dns '1.1.1.1'
        list dns '1.0.0.1'
        option ipaddr 'x.x.x.x'
        option gateway 'x.x.x.x'

config device 'wan_eth0_2_dev'
        option name 'eth0.2'
        option macaddr 'xx:xx:xx:xx:xx:xx'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '6t 3'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '6t 4'
        option vid '2'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option ports '6t 2'
        option vid '20'

config switch_vlan
        option device 'switch0'
        option vlan '4'
        option ports '6t 1'
        option vid '10'

config interface 'LAN4_Venu'
        option proto 'static'
        option ipaddr '192.168.10.1'
        option netmask '255.255.255.0'
        option ifname 'eth0.10'

config interface 'LAN3_Guest'
        option proto 'static'
        option ipaddr '192.168.20.1'
        option netmask '255.255.255.0'
        option ifname 'eth0.20'
        option type 'bridge'

config interface 'tun0'
        option ifname 'tun0'
        option proto 'none'

config switch_vlan
        option device 'switch0'
        option vlan '5'
        option ports '6t 0'
        option vid '30'

config interface 'LAN5_VPN'
        option ifname 'eth0.30'
        option proto 'static'
        option ipaddr '192.168.30.1'
        option netmask '255.255.255.0'
        option type 'bridge'

root@OpenWrt_Netgear_R6220:/etc/config#

Wireless Radio Config:

root@OpenWrt_Netgear_R6220:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option hwmode '11g'
        option path 'pci0000:00/0000:00:01.0/0000:02:00.0'
        option noscan '1'
        option htmode 'HT40'
        option channel '3'
        option country 'IN'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option mode 'ap'
        option key 'abcdefghijk'
        option ssid 'OpenWrt-Cliff'
        option encryption 'psk2'
        option network 'lan'

config wifi-device 'radio1'
        option type 'mac80211'
        option channel '36'
        option hwmode '11a'
        option path 'pci0000:00/0000:00:00.0/0000:01:00.0'
        option htmode 'VHT80'
        option country 'IN'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option mode 'ap'
        option key 'abcdefghijk'
        option ssid 'OpenWrt-5G-Cliff'
        option encryption 'psk2'
        option network 'lan'

config wifi-iface 'wifinet2'
        option ssid 'OpenWrt-Guest-Cliff'
        option encryption 'psk2'
        option device 'radio0'
        option mode 'ap'
        option network 'LAN3_Guest'
        option key 'abcdefghijk'

config wifi-iface 'wifinet3'
        option ssid 'OpenWrt-5G-Guest-Cliff'
        option encryption 'psk2'
        option device 'radio1'
        option mode 'ap'
        option network 'LAN3_Guest'
        option key 'abcdefghijk'

config wifi-iface 'wifinet4'
        option ssid 'OpenWrt_VPN'
        option encryption 'psk2'
        option device 'radio0'
        option mode 'ap'
        option key 'abcdefghijk'
        option network 'LAN5_VPN'

config wifi-iface 'wifinet5'
        option encryption 'psk2'
        option device 'radio1'
        option mode 'ap'
        option key 'abcdefghijk'
        option ssid 'OpenWrt-5G-VPN'
        option network 'LAN5_VPN'

root@OpenWrt_Netgear_R6220:~#

Routing Table:

root@OpenWrt_Netgear_R6220:/etc/config# ip route
0.0.0.0/1 via 10.8.2.1 dev tun0
default via x.x.x.1 dev eth0.2
10.8.2.0/24 dev tun0 scope link  src 10.8.2.15
x.x.x.x via x.x.x.1 dev eth0.2
x.x.x.0/24 dev eth0.2 scope link  src x.x.x.x
128.0.0.0/1 via 10.8.2.1 dev tun0
192.168.1.0/24 dev br-lan scope link  src 192.168.1.1
192.168.10.0/24 dev eth0.10 scope link  src 192.168.10.1
192.168.20.0/24 dev br-LAN3_Guest scope link  src 192.168.20.1
192.168.30.0/24 dev br-LAN5_VPN scope link  src 192.168.30.1
root@OpenWrt_Netgear_R6220:/etc/config#

Firewall Config:

root@OpenWrt_Netgear_R6220:/etc/config# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan tun0'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config zone
        option name 'PrimaryVLAN'
        option output 'ACCEPT'
        option forward 'REJECT'
        option network 'lan'
        option input 'ACCEPT'

config zone
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option network 'LAN4_Venu'
        option name 'VenuLAN'

config forwarding
        option src 'PrimaryVLAN'
        option dest 'VenuLAN'

config zone
        option name 'GuestVLAN'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option network 'LAN3_Guest'

config forwarding
        option src 'PrimaryVLAN'
        option dest 'GuestVLAN'

config forwarding
        option src 'PrimaryVLAN'
        option dest 'wan'

config forwarding
        option src 'VenuLAN'
        option dest 'wan'

config forwarding
        option src 'GuestVLAN'
        option dest 'wan'

config redirect
        option target 'DNAT'
        option name 'RDP'
        option src 'wan'
        option src_dport '3389'
        option dest 'PrimaryVLAN'
        option dest_ip '192.168.1.5'
        option dest_port '3389'

config rule
        option name 'BlockGuest'
        list proto 'all'
        option src 'GuestVLAN'
        option target 'REJECT'
        list dest_ip '192.168.1.1'
        list dest_ip '192.168.10.1'
        list dest_ip '192.168.30.1'

config rule
        option name 'BlockVenu'
        list proto 'all'
        option src 'VenuLAN'
        option target 'REJECT'
        list dest_ip '192.168.1.1'
        list dest_ip '192.168.20.1'
        list dest_ip '192.168.30.1'

config zone
        option name 'VPNVLAN'
        option input 'ACCEPT'
        option forward 'REJECT'
        option network 'LAN5_VPN'
        option output 'ACCEPT'

config forwarding
        option dest 'wan'
        option src 'VPNVLAN'

config forwarding
        option dest 'VPNVLAN'
        option src 'PrimaryVLAN'

config rule
        option src 'VPNVLAN'
        option name 'BlockVPN'
        option target 'REJECT'
        list dest_ip '192.168.1.1'
        list dest_ip '192.168.10.1'
        list dest_ip '192.168.20.1'
        list proto 'all'

root@OpenWrt_Netgear_R6220:/etc/config#

Solution: I followed the split-tunneling guide at https://medium.com/@ingamedeo/openvpn-splittunneling-on-openwrt-e4302a1a4e12#:~:text=Split-tunneling%20is%20a%20networking,on%20its%20source%20IP%20address (routing is selected by the client's source IP address).


What you want is policy-based routing (PBR), and you have 3 options:

  1. the mwan3 package
  2. the pbr package
  3. a manual set of ip rules/routes (a separate routing table selected by source address) for the network that should not use the default gateway.
