[Solved] Multiple OpenVPN clients

Hi,

I'm running OpenWRT 21.02.0-rc2 on Nanopi R2S that is connected to my home network.
I'm mainly experimenting with OpenWRT and learning stuff along the way.

I created a VLAN that is connected to OpenVPN using this tutorial
https://openwrt.org/docs/guide-user/services/vpn/openvpn/client-luci.
I've used OpenVPN configuration from my VPN provider and everything works fine.

Now I'd like to add a second VLAN which is connected to a different VPN server.
After some searching I found out that I need to add pull-filter ignore redirect-gateway
to the configuration file to make both VPNs work at once.

After I added the filter and enabled the first VPN there is no internet connection on the VLAN.
OpenVPN connects without error and from traceroute -i tun0 openwrt.org I can see that the connection works correctly.

I tried to add an unmanaged interface for the tun0 device and change the firewall zone
so that it uses the interface instead of tun0 directly but that doesn't work either.

Is there a way to make this work?

Interfaces:

config interface 'lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.2.1'
	list dns '162.252.172.57'
	list dns '149.154.159.92'
	option device 'eth0.1'

config interface 'wan'
	option proto 'dhcp'
	option device 'eth0'

config interface 'wan6'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'
	option device 'eth0'

config interface 'lan1'
	option proto 'static'
	option device 'eth0.2'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'
	list dns '162.252.172.57'
	list dns '149.154.159.92'

Firewall zones:

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option input 'ACCEPT'
	list network 'wan'
	list network 'wan6'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config zone
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option name 'lan0'
	list network 'lan'

config zone
	option name 'lan1'
	option output 'ACCEPT'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan1'

config zone
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option name 'OpenVPN0'
	list device 'tun0'

config zone
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list device 'tun1'
	option name 'OpenVPN1'

config forwarding
	option src 'lan0'
	option dest 'OpenVPN0'

config forwarding
	option src 'lan1'
	option dest 'OpenVPN1'

OpenVPN config:

client
dev tun0
proto udp
remote us-stl.prod.surfshark.com 1194
resolv-retry infinite
remote-random
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ping 15
ping-restart 0
ping-timer-rem
reneg-sec 0

remote-cert-tls server

auth-user-pass /etc/openvpn/Surfshark.auth

#comp-lzo
verb 3
pull
fast-io
cipher AES-256-CBC

auth SHA512

# Added lines
auth-nocache
pull-filter ignore redirect-gateway

IP routing table:

Without pull-filter ignore redirect-gateway

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         10.8.8.1        128.0.0.0       UG    0      0        0 tun0
default         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
10.8.8.0        *               255.255.255.0   U     0      0        0 tun0
128.0.0.0       10.8.8.1        128.0.0.0       UG    0      0        0 tun0
148.72.174.38   192.168.1.1     255.255.255.255 UGH   0      0        0 eth0
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
192.168.2.0     *               255.255.255.0   U     0      0        0 eth0.1
192.168.3.0     *               255.255.255.0   U     0      0        0 eth0.2

With pull-filter ignore redirect-gateway

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
10.8.8.0        *               255.255.255.0   U     0      0        0 tun0
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
192.168.2.0     *               255.255.255.0   U     0      0        0 eth0.1
192.168.3.0     *               255.255.255.0   U     0      0        0 eth0.2

Remove the DNS entries from the LAN interfaces. They should be added under the interface from which they are reachable, e.g. wan.

Also, you need to do Policy Based Routing and you have 3 options:

  1. mwan3 package
  2. pbr package
  3. a set of rules/routes for each internet connection.
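Option 3 from this reply (a set of rules/routes per internet connection) written out as an OpenVPN route-up script for OpenWrt. This is an added example, not code from the thread or from the pbr/mwan3 packages; it assumes the poster's layout (lan 192.168.2.0/24 on tun0, lan1 192.168.3.0/24 on tun1), that routing table ids 100 and 101 are unused, and that the OpenVPN config carries `script-security 2` and `route-up /etc/openvpn/pbr-up.sh` so OpenVPN exports `dev`, `route_vpn_gateway` and `script_type` to the script. The script name and the table ids are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): per-tunnel policy routing for two OpenVPN
# clients on OpenWrt, run by OpenVPN as a route-up script. Assumed mapping
# (hypothetical, mirroring the poster's setup): lan 192.168.2.0/24 -> tun0,
# lan1 192.168.3.0/24 -> tun1; routing tables 100 and 101 are assumed free.

# Map a tun device to the LAN subnet that should use it.
lan_for_dev() {
    case "$1" in
        tun0) echo 192.168.2.0/24 ;;
        tun1) echo 192.168.3.0/24 ;;
        *) return 1 ;;
    esac
}

# Map a tun device to its dedicated routing table id.
table_for_dev() {
    case "$1" in
        tun0) echo 100 ;;
        tun1) echo 101 ;;
        *) return 1 ;;
    esac
}

# Emit the ip(8) commands for one tunnel, one per line, without executing them,
# so they can be reviewed before being applied.
#   $1 = LAN subnet, $2 = tun device, $3 = VPN-side gateway, $4 = table id
pbr_commands() {
    lan=$1 dev=$2 gw=$3 table=$4
    # The VLAN's traffic is looked up in its own table. A prohibit default route
    # with a worse metric stays behind when the tunnel goes down and the kernel
    # drops the tun route, so the VLAN is blocked instead of silently falling
    # through to the WAN default route in the main table. Traffic to the home
    # network and the router itself is sent back to the main table first.
    printf '%s\n' \
        "ip route replace default via $gw dev $dev table $table" \
        "ip route replace prohibit default table $table metric 1000" \
        "ip rule add from $lan to 192.168.0.0/16 lookup main priority $((table * 10))" \
        "ip rule add from $lan lookup $table priority $((table * 10 + 1))"
}

# Emit the matching deletions; "ip rule add" is not idempotent, so a reconnect
# must remove the old rules before adding them again.
pbr_flush_rules() {
    lan=$1 table=$2
    printf '%s\n' \
        "ip rule del from $lan to 192.168.0.0/16 lookup main priority $((table * 10))" \
        "ip rule del from $lan lookup $table priority $((table * 10 + 1))"
}

# Apply the rules for one tunnel: $1 = tun device, $2 = VPN-side gateway.
apply_for_dev() {
    lan=$(lan_for_dev "$1") || { echo "no LAN mapped to $1" >&2; return 1; }
    table=$(table_for_dev "$1")
    pbr_flush_rules "$lan" "$table" | while read -r cmd; do $cmd 2>/dev/null; done
    pbr_commands "$lan" "$1" "$2" "$table" | while read -r cmd; do $cmd || exit 1; done || return 1
}

# Only act when run by OpenVPN as a route-up script, or explicitly with
# "--apply <dev> <gateway>"; otherwise the functions above are merely defined.
if [ "${script_type:-}" = "route-up" ]; then
    apply_for_dev "$dev" "$route_vpn_gateway"
elif [ "${1:-}" = "--apply" ]; then
    apply_for_dev "$2" "$3"
fi
```

Install it as /etc/openvpn/pbr-up.sh (executable) and reference it from both client configs; each instance then only programs the table for its own tun device. `pull-filter ignore redirect-gateway` stays in place, since the per-table default route replaces the pushed one, and the OpenVPN0/OpenVPN1 zones with masquerading from the thread are still what NATs the VLAN traffic onto the tunnel. To check the result on the router, `ip rule show` should list the two rules per VLAN and `ip route show table 100` the tun default plus the prohibit fallback.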

Thank you. I already had VPN Policy-Based Routing installed, but I thought that it's useful only if I want a single device or URL to be routed through the VPN.
I've created a rule for the entire LAN and it works perfectly.

