[Solved] Access to VPN via dedicated Wifi SSID (Also, Split Tunnel)

I am going around in circles.

My Goal: Connect to a "Work" SSID and get access to work systems while on that wifi. Taking advantage of split tunnelling to reduce load on VPN (and improve latency/bandwidth when accessing things on the open internet).

On my router I can connect to my work's Cisco AnyConnect VPN using openconnect fine, the interface (vpn-work) comes up fine, and from the router (ssh'd in) I can ping different IPs at work without issue. This particular VPN connection is using split tunnelling and a bunch of static routes (?) are pushed and applied automatically (by vpnc-script I assume) to route certain IP ranges to the vpn-work interface (can be seen when running the "route" command on the router).

I have then set up a separate interface "work" with a static IP and a DHCP server. I then set a new SSID to use this interface when a client connects, and over wifi this works fine: new clients get DHCP in the range I expect, and the client can access the internet fine.

Finally, I have a "work" Firewall zone which is allowed to forward to "wan" and input/output/forward are all "accept". Both "vpn-work" and "work" interfaces are in the "work" firewall zone.

Here is where I am stuck - I cannot for the life of me get traffic from the wifi client to go down the tunnel (I am currently just pinging my work's internal DNS server IP address). Again, this works if done on the router via ssh, but does not work when done on the wifi client device.

I have seen similar topics around PBR, and I am not sure this is required in this instance as the routes are already defined to push certain IPs to that interface - but how do I get the wifi client traffic down that tunnel?

I have not posted my configs as they would need some redacting, but happy to do that if it helps - just let me know which ones.

FYI I am using a very recent snapshot build of OpenWrt as it is all my device currently supports, but it's been rock solid in every way. I doubt I am hitting a bug; it's almost certainly user error. I do have another router running 22.03.05 I could move all this across to, in case that is easier to support/debug.

I can answer my own question, just in case it helps anyone else.

I think the crux was possibly the Masquerading setting; turning it on was needed, but I also made other changes and I'm not 100% sure what did it.

I created a new firewall zone "Company" with the "vpn-work" interface in it; input and forward are "reject" and output is "accept". Masquerading is also enabled.

Then my "work" zone can forward to "wan" and "Company" with input/output/forward set to accept and Masquerading off.
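The zone layout described in the answer above, written out as an `/etc/config/firewall` fragment. This is an added example, not the poster's actual configuration: the interface names `vpn-work` and `work` and the zone names come from the thread, while `mtu_fix` is an extra option I have added (it clamps TCP MSS to the tunnel MTU, which commonly avoids stalled connections through a VPN) and the `wan` zone is assumed to already exist.

```uci
# Zone for the VPN tunnel interface. The VPN server only knows the
# router's own tunnel address, so masquerading rewrites each wifi
# client's source IP to that address; without it the server has no
# route back to the client subnet and replies never arrive.
# input=REJECT drops unsolicited connections arriving from the VPN side.
config zone
	option name 'Company'
	list network 'vpn-work'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'   # added: clamp MSS to the tunnel MTU (assumption, not from the thread)

# Zone for the dedicated "Work" SSID's interface. No masquerading here:
# NAT happens once, on egress into the Company zone (or on wan as usual).
config zone
	option name 'work'
	list network 'work'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

# Wifi clients may reach the open internet directly (split tunnel) ...
config forwarding
	option src 'work'
	option dest 'wan'

# ... and the VPN. The routes pushed by vpnc-script decide which
# destinations actually leave via vpn-work; the firewall only permits it.
config forwarding
	option src 'work'
	option dest 'Company'
```

After editing, apply with `/etc/init.d/firewall restart`, then from a wifi client trace a route to an internal work address and confirm the hop after the router is the tunnel; `nft list ruleset | grep -i masq` (on firewall4 builds) should show the masquerade entry tied to the `vpn-work` device. The one-way forwarding (`work` to `Company` only, with `Company` input/forward rejected) keeps hosts on the VPN side from initiating connections into the wifi segment.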
