Setting up VPN client using OpenWrt as a client device

Another 2 steps forward.... I figured out that the only place the VLAN wifi wasn't working is the room with the Netgear managed switch - it was working fine on the APs connected to the unmanaged switches. I think the point that things broke is when I turned on the VLAN option and set the ports on the Netgear. I've now turned that back off and installed the Unifi flex mini in front of it. All wifi now working again.

Problem now is that I can't see the C7 which is directly connected to the UDM - even when connected to the VPN wifi network. I have not yet set up the DHCP gateway on the UDM VLAN, so I have normal internet on the VLAN as expected. Just can't see C7 (which has a static IP of 192.168.2.2 and gateway set at 192.168.2.1).

Can you connect properly to the C7 when you are connected to VLAN2 (i.e. on the 192.168.2.0/24 network)?

Cracked it.... Set the UDM port that the C7 is connected to to VLAN rather than All/Trunk and we're back in business. Damn this stuff will trip you up.

Yup... all in the details. Trunk is absolutely a workable means of connecting, but you'd have to set the C7 to expect tagged frames. Making it untagged, for your config, is probably the easiest option.

Well I'm connecting to the VLAN.
Getting served the 192.168.2.2 gateway by DHCP.
Getting internet.....but not going over the VPN.
Seems like it's a firewall problem at this point? Which is weird because it was working before.
Might be time to call it a night.

Do a traceroute from a client to some site on the internet (maybe 8.8.8.8 or google.com) and let's see what happens.

Also verify that your VPN is up on the C7.

1 * * *
2 192.168.2.1 (192.168.2.1) 4.894 ms 5.533 ms 4.728 ms
3 * * *
4 My ISP

So not going through 192.168.2.2 after all.

Force renew the DHCP lease on the client. It probably hasn't yet picked up the new gateway assignment.

The gateway is set to 192.168.2.2 so DHCP seems to work.
When I renew the lease it goes back to 192.168.2.1 for about a second then changes to 192.168.2.2.

Traceroute does now look better though:

1 192.168.2.2 (192.168.2.2) 4.941 ms *
2 192.168.2.1 (192.168.2.1) 4.708 ms 4.717 ms 4.990 ms
3 * * * ISP

But still not going through VPN.

Calling it a night. Thanks again for all your help. Tantalizingly close now!
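Added example (not from the thread or either poster): a short Python script that reads traceroute output like the two runs above and says which of three cases it shows: the client never handing the packet to the C7, the C7 forwarding it in the clear to the UDM, or the packet leaving through the tunnel. The sample traces are constructed; 192.168.2.1 and 192.168.2.2 are the UDM and C7 addresses from the thread, while 203.0.113.1 (ISP hop) and 10.5.0.1 (a tunnel-side gateway) are made-up placeholders.

```python
import re
from typing import List, Optional

# Constructed sample output, modelled on the traceroute runs quoted in the
# thread. 192.168.2.1 is the UDM (VLAN2 gateway), 192.168.2.2 the OpenWrt C7.
# 203.0.113.1 stands in for the ISP hop and 10.5.0.1 for a tunnel-side
# gateway; both are made-up example addresses.
TRACE_BYPASS = """\
traceroute to 8.8.8.8 (8.8.8.8), 64 hops max, 52 byte packets
 1  * * *
 2  192.168.2.1 (192.168.2.1)  4.894 ms  5.533 ms  4.728 ms
 3  * * *
 4  203.0.113.1 (203.0.113.1)  12.104 ms  11.870 ms  12.311 ms
"""

TRACE_NOT_TUNNELED = """\
traceroute to 8.8.8.8 (8.8.8.8), 64 hops max, 52 byte packets
 1  192.168.2.2 (192.168.2.2)  4.941 ms  * *
 2  192.168.2.1 (192.168.2.1)  4.708 ms  4.717 ms  4.990 ms
 3  * * *
"""

TRACE_TUNNELED = """\
traceroute to 8.8.8.8 (8.8.8.8), 64 hops max, 52 byte packets
 1  192.168.2.2 (192.168.2.2)  3.102 ms  2.988 ms  3.044 ms
 2  10.5.0.1 (10.5.0.1)  31.512 ms  30.977 ms  31.203 ms
 3  * * *
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+")            # lines that start with a hop number
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def parse_hops(text: str) -> List[Optional[str]]:
    """Return one entry per hop line: the replying IP, or None for '* * *'."""
    hops: List[Optional[str]] = []
    for line in text.splitlines():
        if not HOP_RE.match(line):
            continue  # the 'traceroute to ...' header carries no hop
        m = IP_RE.search(line)
        hops.append(m.group(0) if m else None)
    return hops


def classify_path(hops: List[Optional[str]], router_ip: str, upstream_gw: str) -> str:
    """Classify where the client's default route really goes.

    router_ip   the VPN client router (the C7, 192.168.2.2 in the thread)
    upstream_gw the plain LAN gateway behind it (the UDM, 192.168.2.1)
    """
    idx = next((i for i, h in enumerate(hops) if h is not None), None)
    if idx is None:
        return "no-replies"
    first = hops[idx]
    if first == upstream_gw:
        # First router that answered is the UDM: the client did not use the
        # C7 as its gateway (check the lease; a silent C7 that forwarded in
        # the clear would look the same, so this is a heuristic).
        return "bypasses-router"
    if first != router_ip:
        return "unexpected-first-hop"
    later = [h for h in hops[idx + 1:] if h is not None]
    if later and later[0] == upstream_gw:
        # The C7 took the packet but handed it to the UDM unencrypted: the
        # default route / policy routing on the C7 is not using the tunnel.
        return "via-router-not-tunneled"
    # Next visible hop is not the LAN gateway: traffic left via the tunnel.
    return "via-router-tunneled"


if __name__ == "__main__":
    for name, trace in [("bypass", TRACE_BYPASS), ("clear", TRACE_NOT_TUNNELED),
                        ("tunnel", TRACE_TUNNELED)]:
        print(name, classify_path(parse_hops(trace), "192.168.2.2", "192.168.2.1"))
```

The second constructed trace mirrors the run above: hop 1 is the C7 but hop 2 is the UDM, which is exactly the "still not going through VPN" case; a tunnelled path shows the provider's tunnel-side address (or a timeout) at hop 2, never the local gateway.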

You're really close now. It is hopefully now just the last bit of the config on the OpenWrt side.

When you resume, check the status of the VPN -- make sure the tunnel is up. If things are not working, please post your latest config files from the OpenWrt side (firewall and network).

Cracked it - disabled IPv6 on the C7 interfaces.

Phew! Too tired to understand what was happening but I think I'm there! Time will tell.

What a ride.

THANK YOU PETER!!

You're welcome. This was a fun one!

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.

Just remembered... I still have to have a crack at the PBR.... Tomorrow!!

So right now, the VPN side of things are working perfectly. If I connect to my VLAN I go out over the VPN with no DNS leaks and a working kill switch. :clap:

What's not working is any communication between the two subnets. I can't even see the C7 admin panel if I'm connected to the default subnet. So is that going to be a PBR setting, or a firewall tweak, or both, or something else?

traceroute to 192.168.2.2 (192.168.2.2), 64 hops max, 52 byte packets
1 192.168.1.1 (192.168.1.1) 10.776 ms 3.736 ms 3.995 ms
2 * * *
3 * * *

I see there is a (default) firewall setting on the UDM to allow local traffic between subnets. I'm wondering if I need the same on the C7 but I'm not sure how to implement it (and maybe I'm wrong).

This could be both PBR and firewall, depending on the current state of your config.

I'm not the right person to advise on PBR settings, but broadly speaking you want to make sure that all traffic to 192.168.1.0/24 does not go through the tunnel and instead uses the 192.168.2.1 gateway.

WRT the firewall, make sure that all LAN traffic (192.168.2.0/24) can reach 192.168.1.0/24. I can review the firewall file for this, if you'd like.

On the C7 I have one LAN interface set to a static IP of 192.168.2.2 with a gateway of 192.168.2.1 to access the VLAN.

Should I create a second LAN interface for the 192.168.1.1 network?

No. The OpenWrt router will send all of the traffic bound for 192.168.1.0/24 to the defined gateway (192.168.2.1), and then the UDM will route between the networks.

The key thing is to make sure you haven't prohibited that traffic flow via the OpenWrt (or UDM) firewalls and that you are setting PBR such that traffic for that subnet bypasses the tunnel. (unless you changed anything on the UDM between yesterday and today, you should be fine on that side).

I'm going round in circles with this and don't even know where to begin on the next (and hopefully final) step.

Here's where I'm at (as I see it):

  • Problem 1: When connected to the default network (192.168.1.x)...
    • I can ping 192.168.1.1 and 192.168.2.1
    • I cannot ping 192.168.2.2
  • Problem 2: When connected to the VLAN (192.168.2.x)...
    • I can ping 192.168.2.1 and 192.168.2.2
    • I cannot ping 192.168.1.1

The LAN firewall settings on UDM look like this:

That seems to make sense - allowing traffic in both directions between subnets.

The firewall settings on the C7 look like this:

Works perfectly for the VPN - but zero mention of the other subnet.

Finally, the options for adding a rule in PBR look like this (note - I didn't save or enable this setting):

My assumptions:
Problem 1 requires a firewall adjustment on the C7 to solve.
Problem 2 requires a PBR adjustment on the C7 to solve.

My questions:
Do my assumptions sound right?
What adjustment should I make to the C7 firewall?
Does the sample PBR I created above look right?
Finally, should I create a new forum thread/topic for this problem?

This probably makes sense when the VPN is running. If you disable the VPN, you should be able to access 192.168.2.2

And this makes sense for sure if the VPN is active. In this situation, any device on the 192.168.2.0/24 network will be sending traffic to the OpenWrt router which will then send it through the tunnel. This is where VPN PBR comes in to play.

Maybe, but probably not. Let's see your /etc/config/firewall file.

So I'm not really an expert here on VPN PBR, but that rule looks generally good. I think you may want to add the local addresses 192.168.2.0/24 to that rule.

Nope - still can't.

That rule works like a charm even without your modification! And it doesn't matter if the VPN is running or not. Either way, with the rule active I can ping 192.168.1.1 and with it inactive I cannot.

One down one to go.

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config include
	option path '/etc/firewall.user'

config zone
	option name 'nordlynx'
	option output 'ACCEPT'
	option forward 'REJECT'
	option input 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wg0'

config forwarding
	option src 'lan'
	option dest 'nordlynx'
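Added example (not the poster's script and not part of OpenWrt): a small Python parser for the /etc/config/firewall excerpt above that works out the effective forwarding policy between zones and reports the properties a VPN-client router like the C7 should have. It models the fw3/fw4 rule that a zone's own forward option covers traffic between interfaces of that same zone, while traffic between two different zones needs a config forwarding section and otherwise falls back to the defaults forward policy. The config is embedded verbatim from the post; because the post ends at the lan->nordlynx forwarding, any wan zone in the real file is not visible, and the lan->wan result below is only what this excerpt shows.

```python
import shlex
from typing import Dict, List, Optional

# /etc/config/firewall excerpt as posted in the thread, embedded so the
# script runs offline. The post stops after the lan -> nordlynx forwarding.
FIREWALL_CONFIG = """\
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config include
	option path '/etc/firewall.user'

config zone
	option name 'nordlynx'
	option output 'ACCEPT'
	option forward 'REJECT'
	option input 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wg0'

config forwarding
	option src 'lan'
	option dest 'nordlynx'
"""


def parse_uci(text: str) -> List[Dict[str, object]]:
    """Minimal UCI reader: 'config', 'option' and 'list' lines only."""
    sections: List[Dict[str, object]] = []
    current: Optional[Dict[str, object]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # strips the single quotes around values
        if parts[0] == "config":
            current = {".type": parts[1], ".name": parts[2] if len(parts) > 2 else None}
            sections.append(current)
        elif parts[0] == "option" and current is not None:
            current[parts[1]] = parts[2]
        elif parts[0] == "list" and current is not None:
            current.setdefault(parts[1], []).append(parts[2])
    return sections


def forward_policy(sections, src: str, dst: str) -> str:
    """Effective policy for traffic forwarded from zone src to zone dst.

    Same zone: the zone's own 'forward' option. Different zones: ACCEPT only
    if a 'config forwarding' src->dest section exists, else the 'defaults'
    forward policy. Unset values fall back to REJECT.
    """
    defaults = next((s for s in sections if s[".type"] == "defaults"), {})
    default_fwd = defaults.get("forward", "REJECT")
    zones = {s.get("name"): s for s in sections if s[".type"] == "zone"}
    if src == dst:
        return zones.get(src, {}).get("forward", default_fwd)
    for s in sections:
        if s[".type"] == "forwarding" and s.get("src") == src and s.get("dest") == dst:
            return "ACCEPT"
    return default_fwd


def vpn_client_report(sections, lan: str = "lan", vpn: str = "nordlynx") -> Dict[str, object]:
    """The checks a practitioner wants on a VPN-client router."""
    vpn_zone = next((s for s in sections if s[".type"] == "zone" and s.get("name") == vpn), {})
    return {
        "lan_to_vpn": forward_policy(sections, lan, vpn),   # LAN clients may enter the tunnel
        "vpn_to_lan": forward_policy(sections, vpn, lan),   # nothing from the tunnel reaches the LAN
        # kill switch: with no lan->wan forwarding, LAN traffic cannot leak
        # out a plain WAN zone when the tunnel is down
        "lan_to_wan": forward_policy(sections, lan, "wan"),
        # traffic PBR steers to 192.168.2.1 leaves via the lan interface again,
        # i.e. intra-zone, so the zone's own forward policy decides it
        "lan_to_lan": forward_policy(sections, lan, lan),
        "vpn_masq": vpn_zone.get("masq") == "1",         # LAN addresses NATed into the tunnel
        "vpn_mtu_fix": vpn_zone.get("mtu_fix") == "1",   # MSS clamping for the tunnel MTU
    }


if __name__ == "__main__":
    for key, value in vpn_client_report(parse_uci(FIREWALL_CONFIG)).items():
        print(f"{key:12} {value}")
```

Run against the posted excerpt it reports lan_to_vpn ACCEPT, vpn_to_lan REJECT, lan_to_lan ACCEPT and lan_to_wan REJECT, which matches the "working kill switch" observed earlier and explains why the PBR rule alone was enough to reach 192.168.1.1: the redirected traffic never crosses a zone boundary, so no extra forwarding section is needed.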