Separate Network for VPN Traffic

Hi all,

I've seen this answered a few times but can't work out what the specific solution is without using Policy Based Routing (and I want to try and do it without policy based routing).

Setup (simplified)
Regular internet interface:

config interface 'wan'
        option ifname 'eth0'
        option proto 'dhcp'
        option peerdns '0'

VPN Interface (OpenVPN):

config interface 'VPN_EXT'
        option ifname 'ovpnc0'
        option proto 'none'

Regular LAN interface (want this to use WAN for non-local traffic):

config interface 'lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.1.1'

VPN LAN interface (want this to use VPN_EXT for non-local traffic):

config interface 'vpninternal'
        option proto 'static'
        option type 'bridge'
        option ipaddr '10.66.0.1'
        option netmask '255.255.255.0'

This much is working fine, and the VPN tunnel connects and reports good status. My regular LAN -> WAN traffic is still working as expected.

So then I have added a zone forward to allow vpninternal network to forward to VPN_EXT network. Plus firewall rules to allow DHCP and DNS to the router.

This doesn't work however, clients on the vpninternal get a DHCP address as expected but then have no connectivity outside of that local network.

Now I think what I need to do is add something to the routing table to tell the router to send non-local traffic on the vpninternal network to the VPN_EXT network - but I can't figure this out.

Please help?!
Thanks!

1 Like

You need to do Policy Based Routing and you have 3 options:

  1. mwan3 package
  2. pbr package
  3. a set of rules/routes for each internet connection.
3 Likes

Thanks @trendy

I tried number 3 in your list but it didn't work. Can you verify I'm understanding the option fields correctly...

config rule
        option in 'vpninternal'    <<< this should be the interface of the network containing my vpn-bound clients?
        option src '10.66.0.1/24'  <<< this should be the ip-range of the network containing my vpn-bound clients?
        option lookup '100'  <<< this is an arbitrary table id for the new route table and needs to match the table in the route config below?

config route
        option interface 'VPN_EXT'   <<< this is the external interface of my VPN bridge?
        option target '0.0.0.0'
        option netmask '0.0.0.0'
        option metric '200'
        option table '100'

I think this might be the issue, my VPN provider is pushing some routing commands to me whenever I make a connection which are getting in the way of what I want to do. I have taken the 'pull' option out of the ovpn file but they still come through. Can I block this somehow??

Sun Apr 18 08:40:41 2021 daemon.notice openvpn(vpn_ext)[29692]: /sbin/ifconfig ovpnc0 101.28.0.2 netmask 255.255.0.0 mtu 1500 broadcast
Sun Apr 18 08:40:41 2021 daemon.notice openvpn(vpn_ext)[29692]: /sbin/route add -net XX.XX.XX.XX netmask 255.255.255.255 gw XX.XX.XX.XX 
Sun Apr 18 08:40:41 2021 daemon.notice openvpn(vpn_ext)[29692]: /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 101.28.0.1 
Sun Apr 18 08:40:41 2021 daemon.notice openvpn(vpn_ext)[29692]: /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 101.28.0.1

This is wrong. Should be 10.66.0.0/24, or you can omit it.

Yes. But there is no vpn bridge. Packets are routed.

2 Likes
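To make the rule/route discussion above concrete, here is a small model (an added example of my own, not code from this thread or from OpenWrt) of how the kernel walks the 'ip rule' list and picks the longest matching prefix inside the selected table. The prefixes, device names and the two /1 routes are taken from the posts above; the destination 1.1.1.1 and the hosts .50 are constructed test values.

```python
import ipaddress


def valid_source_prefix(src):
    """True only for a proper network such as '10.66.0.0/24'; '10.66.0.1/24'
    has host bits set, which is the mistake in the original 'option src'."""
    try:
        ipaddress.ip_network(src, strict=True)
        return True
    except ValueError:
        return False


class PolicyRouter:
    """Minimal model of 'ip rule' plus per-table longest-prefix routing."""

    def __init__(self):
        self.rules = []    # (priority, source network or None, table name)
        self.tables = {}   # table name -> list of (destination network, device)

    def add_rule(self, priority, src, table):
        net = ipaddress.ip_network(src, strict=True) if src else None
        self.rules.append((priority, net, table))

    def add_route(self, table, dst, dev):
        self.tables.setdefault(table, []).append((ipaddress.ip_network(dst), dev))

    def egress(self, src, dst):
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for _, net, table in sorted(self.rules, key=lambda r: r[0]):
            if net is not None and src not in net:
                continue
            # longest-prefix match in the selected table; a table with no
            # matching route makes the kernel fall through to the next rule
            hits = [(n, dev) for n, dev in self.tables.get(table, []) if dst in n]
            if hits:
                return max(hits, key=lambda h: h[0].prefixlen)[1]
        return None


def build_router(provider_pushes_routes):
    r = PolicyRouter()
    r.add_rule(100, "10.66.0.0/24", "100")       # the thread's 'config rule', src corrected
    r.add_rule(32766, None, "main")              # the kernel's normal main-table rule
    r.add_route("main", "192.168.1.0/24", "br-lan")
    r.add_route("main", "10.66.0.0/24", "br-vpninternal")
    r.add_route("main", "0.0.0.0/0", "eth0")     # WAN default route
    r.add_route("100", "0.0.0.0/0", "ovpnc0")    # the thread's 'config route', table 100
    if provider_pushes_routes:
        # the two /1 routes from the OpenVPN log: each is more specific than
        # 0.0.0.0/0, so together they override the main table's WAN default
        r.add_route("main", "0.0.0.0/1", "ovpnc0")
        r.add_route("main", "128.0.0.0/1", "ovpnc0")
    return r
```

With the pushed routes present, even a regular-LAN client (192.168.1.50) ends up on ovpnc0, which is why keeping them out of the main table matters; the model also shows that a packet from the VPN LAN to 192.168.1.50 hits table 100's default and goes into the tunnel unless table 100 gets a route for that LAN.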

Thanks @trendy

I finally got this working thanks to this brilliant guide: https://kiljan.org/2020/03/27/vpn-as-wan-for-guest-network-on-openwrt/

Turns out the one tiny piece I'd overlooked was enabling masquerading on the firewall zone of the external VPN interface. Just got a DNS leak to sort out. The right DNS servers are being passed to the clients on the VPN internal network, but for some reason when I run a leak test I am still getting the servers assigned to my other networks.

Verify that the client is really using the designated DNS.
If there are hardcoded DNS on the clients, then try to hijack the queries.

1 Like

So it's weird. Clients on my VPN LAN are getting the correct DNS servers from DHCP, but some still send queries to the gateway (i.e. my OpenWRT router).

So I guess hijacking is the right way to go to be sure.

1 Like

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.