[Solved] LAN clients to access remote VPN hosts

I'm using my OPENWRT router as a client to a remote OpenVPN server.

The router connects alright and I can interact with all the other VPN clients.

Now I want all the LAN clients to have access to these remote VPN hosts.

The following diagram illustrates what I'm trying to do.

I've created an interface in /etc/config/network

config interface 'vpn'
	option proto 'none'
	option ifname 'tun0'

And put these lines in /etc/config/firewall

config zone
	option name 'vpn_tunnel'
	list network 'vpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

[...]

config forwarding
	option src 'vpn_tunnel'
	option dest 'lan'

config forwarding
	option dest 'vpn_tunnel'
	option src 'lan'

Unfortunately I still can't connect to a host on the VPN from PC1, for example. Basically I think it is a NAT from LAN to tun0 VPN.

Could someone give an insight on what I'm doing wrong or forgot to do?

If you included the complete zone section above then there is no nat/ip masquerade enabled. You either have to enable that or add route and iroute statements for the lan subnet in the openvpn server config I think.


That's right, mikma. There was no IP masquerading enabled. 🙂

I got it working by doing this:

First download openvpn

opkg install openvpn-openssl

Put your config in /etc/openvpn/ and change the /etc/config/openvpn file:

vim /etc/config/openvpn
/etc/init.d/openvpn enable
/etc/init.d/openvpn start

Create a net interface for the tun0 device

uci set network.vpn0=interface
uci set network.vpn0.ifname=tun0
uci set network.vpn0.proto=none
uci commit network

Create a firewall zone for vpn

uci set firewall.vpn=zone
uci set firewall.vpn.name=vpn
uci set firewall.vpn.network=vpn0
uci set firewall.vpn.input=ACCEPT
uci set firewall.vpn.forward=REJECT
uci set firewall.vpn.output=ACCEPT
uci set firewall.vpn.masq=1
uci commit firewall

Create a firewall forwarding from vpn to lan and lan to vpn

uci set firewall.vpn_forwarding_lan_in=forwarding
uci set firewall.vpn_forwarding_lan_in.src=vpn
uci set firewall.vpn_forwarding_lan_in.dest=lan
uci set firewall.vpn_forwarding_lan_out=forwarding
uci set firewall.vpn_forwarding_lan_out.src=lan
uci set firewall.vpn_forwarding_lan_out.dest=vpn
uci commit firewall

Reload everything and bang! You're set!

/etc/init.d/network reload
/etc/init.d/firewall reload

Kudos to the dude at https://elabu.ga/openvpn/ for writing this down.
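A check for the mistake this thread turned on, as an added example that is not code from the thread or from OpenWrt: it reads a `uci show firewall` dump and reports whether the named tunnel zone has masq set and whether both lan forwardings exist. It assumes only uci's `key=value` dump format and a script file name of check_vpn_zone.sh; the two embedded dumps are constructed to mirror the broken configuration from the question and the working one from the reply.

```shell
# Added example, not code from the thread: audit a `uci show firewall` dump for the
# mistake discussed above: a tunnel zone that forwards to/from lan but has no masq.
# Assumes only uci's "key=value" dump format. On the router (file name assumed):
#   uci show firewall | sh check_vpn_zone.sh vpn
# check_vpn_zone ZONE: read the dump on stdin; exit 0 only if the zone named ZONE
# has masq=1 and both forwardings (lan->ZONE and ZONE->lan) exist.
check_vpn_zone() {
    tr -d "'" | awk -v z="$1" '
        index($0, "=") {                       # every "section[.option]=value" line
            n   = split(substr($0, 1, index($0, "=") - 1), k, ".")  # k[2]=section k[3]=option
            val = substr($0, index($0, "=") + 1)
            if (n == 2 && val == "forwarding") fwd[k[2]] = 1
            if (k[3] == "name") zname[k[2]] = val
            if (k[3] == "masq" && val == "1") masq[k[2]] = 1
            if (k[3] == "src")  src[k[2]] = val
            if (k[3] == "dest") dst[k[2]] = val
        }
        END {
            # zone sections are matched by their "name" option, so anonymous @zone[n]
            # sections (as in the question) and named ones (as in the reply) both work
            for (s in zname) if (zname[s] == z && masq[s]) m = 1
            for (s in fwd) {
                if (src[s] == "lan" && dst[s] == z) to_vpn = 1
                if (src[s] == z && dst[s] == "lan") to_lan = 1
            }
            ok = 1
            if (!m)      { print "zone " z ": missing, or option masq is not set"; ok = 0 }
            if (!to_vpn) { print "missing forwarding lan -> " z;    ok = 0 }
            if (!to_lan) { print "missing forwarding " z " -> lan"; ok = 0 }
            if (ok) print "zone " z ": masq and both forwardings present"
            exit !ok
        }'
}
# Constructed dump shaped like the original poster's zone: anonymous sections, no masq.
BROKEN_CFG="firewall.@zone[2]=zone
firewall.@zone[2].name='vpn_tunnel'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].src='vpn_tunnel'
firewall.@forwarding[1].dest='lan'
firewall.@forwarding[2]=forwarding
firewall.@forwarding[2].src='lan'
firewall.@forwarding[2].dest='vpn_tunnel'"
# Constructed dump shaped like the working configuration from the reply.
FIXED_CFG="firewall.vpn=zone
firewall.vpn.name='vpn'
firewall.vpn.masq='1'
firewall.vpn_forwarding_lan_in=forwarding
firewall.vpn_forwarding_lan_in.src='vpn'
firewall.vpn_forwarding_lan_in.dest='lan'
firewall.vpn_forwarding_lan_out=forwarding
firewall.vpn_forwarding_lan_out.src='lan'
firewall.vpn_forwarding_lan_out.dest='vpn'"
echo "$BROKEN_CFG" | check_vpn_zone vpn_tunnel || echo "broken config rejected (exit $?)"
echo "$FIXED_CFG"  | check_vpn_zone vpn
```

Masquerading means the remote VPN hosts see every LAN client as the router's tunnel address; if the remote side needs to tell LAN clients apart, the server-side route/iroute approach mentioned in the earlier reply is the alternative, and masq is then not required.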
