STATIC ROUTE: vpn, dmz and intranet

gipsea · October 4, 2019, 8:57pm

Dear all,

I've a router running openwrt. I have a local network and a dmz with a webserver. I'm away from home and I'm stadying new features for when I return

I thought to start using a VPN.

My idea (I can't consider my self IT expert but I try to be intuitive) is to:

use the VPN connection as the default gateway of the intranet, 10.0.0.0/24. router address 10.0.0.1
use the wlan GW only for the DMZ (I use DDNS and I think it won't works over vpn connections) 10.0.1.0/24. router address 10.0.1.1

the routing howto shows how to route via VPN a single IP. What about routing a subnet?

IS it possible?
Does it make sense?
Any VPN service to suggest?

cheers

anon50098793 · October 5, 2019, 9:10am

while your desired setup is not clear to me, i'm sure the vpn-pbr package and openvpn will satisfy your requirements.

what seems to trip people up, is the fundamentals around wlan and choosing the right underlying config for the policies to sit on top of.

basically, if you want to pbr "wlan" it needs to be isolated on L3. providing this exists, then try it and can come back with any specific issues you may have...

"DMZ" is ambiguous in the consumer router world because it has two meanings. The traditional "locked down subnet with specific one to one nat entries" and the simplified "NAT everything to somewhere"...

gipsea · October 5, 2019, 10:11am

Thanks wulfy23 for ur time.

In the DMZ as I said I have we server and a Nas to work as cloud. This is an isolated network where I basically NAT port HTTP, HTTPS and SSH

For the intranet the concept is to bridge/route all the subnet via the VPN.

I'll take a look at the vpn-pbr how-to

Thanks a lot

I'll revert as soon as I'll have the chance of putting my hands around the router

Cheers

anon50098793 · October 5, 2019, 10:26am

Apologies, if I had to clarify... and I am clear and understand your use of the formal definitions of DMZ and intranet.

The only real challenge ( vpn-pbr aside ) comes is when internal/remote-internal hosts attempt to access the dmz hosts over normal wan ( via dns )...

Someone implementing this for the first time will find that the traffic gets pumped into the VPN, which breaks things.

Depending on your desired traffic flows, this can be handled at a dns level and/or ip policy / mark level.

gipsea · October 17, 2019, 4:12pm

ciao @anon50098793,

I'm finally home and I'm already stack by the VPN setups.

At the moment my intention is to have 2 VPN

VPN, tun with external server to be used by the LAN
VPN, Tap to internal server

I'm going over this 2 tutorials:
OpenVPN basic
OpenVPN client

but not successfully. Do you have any hint? so far I've created 2 directories under /etc/openvpn where to store all relative files....

I've created 2 virtual interfaces to relate to the services

I keep digging around and work on these and help welcome. After this I'll be able to work on routing

cheers

gipsea · October 20, 2019, 3:30am

Ok,
I managed to setup the commercial VPN.
I'm now confused how to setup the firewall.

My first choice based on a guess is to forward the intranet traffic over VPN in input and output but in one post I've seen:
Out via VPN
In via Wan

Which is correct or most appropriate?

After the intranet will b surfing tunnelled via VPN I'll move on about DMZ settings

Cheers

vgaetera · October 20, 2019, 7:41am

To minimize firewall setup, consider the VPN network as public and assign the VPN interface to WAN zone, otherwise perform the following:

gipsea · October 20, 2019, 2:52pm

ciao @vgaetera,

I created a firewall zone called VPN but still not really succesfull.
If I use the following config
LAN, -dest WAN&VPN, all accepted no masq no mss
WAN, -source LAN, input reject, output accept, forward reject, masq and mss
VPN, -source LAN, all accept, masq no mss

the intranet has internet and if I do traceroute to openwrt.org the first hop is always the PPPOE address and not the VPN IP

if I change LAN -dest VPN (remove dest wan) the router has internet but not the intranet

can't get my head around this issue...
Is it a problem or pre/postrouting? of Static route? NIC metric?

If I can support with the copy of some files please advise

thanks

gipsea · May 24, 2020, 2:06pm

[SOLVED]
To start the the reason why I hadn't internet after connecting to VPN it was just matter of latency from connection and new routing table.

The solution is VPN POLICY ROUTING. There is a dedicated thread.
After the packages are installed it is really straight forward to set rules.

Thank you all for helps