Static Routing

Hi, I have been trying to create a static route to bypass openvpn for specific destination addresses (e.g. 8.8.8.8). My laptop is on 192.168.2.255 and outside global (though not actually global) is 192.168.1.1.

First I tried adding this entry in /etc/config/network :

config route 'test'
	option interface 'wan'
	option target '8.8.8.8'

Which produces this output from ip route show :

8.8.8.8 dev eth0.2 scope link

That just doesn't seem to work. Traceroute stops at the inside global interface (192.168.1.208). Eventually I got to this:

8.8.8.8 via 192.168.1.1 dev eth0.2 src 192.168.2.1

This seems to do what I want, but only based on traceroute from the OpenWRT router. Traceroute passing through the router (from 192.168.2.255) behaves the same as before, landing on outside local (192.168.2.1) twice then terminating.

I'm not sure what to try next. Specifying scope global explicitly doesn't help. I will continue trying to figure this out, but any insight would be appreciated.

This means 8.8.8.8 is directly reachable on the local network without using a gateway, which isn't the case. (You also don't need a gateway on peer to peer interfaces such as wireguard.)

It seems to use the wrong src address in the route. That will only affect traffic from the OpenWrt router itself, but it indicates something is wrong. We probably need more information about the network configuration and routing table.

That does seem to be the case, but I don't know what else to try. ip route will not accept src 192.168.2.0 or 192.168.2.0/24.

What information would be useful? I don't think I have changed anything other than basic LAN configuration and setting up openvpn.

Here is /etc/config/network:

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd17:c4d3:52aa::/48'

config interface 'lan'
	option ifname 'eth0.1'
	option type 'bridge'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.2.1'

config interface 'wan'
	option ifname 'eth0.2'
	option force_link '1'
	option proto 'dhcp'
	option peerdns '0'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 3 5t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '4 5t'

config interface 'vpn'
	option proto 'none'
	option ifname 'tun0'

And here is ip route show:

0.0.0.0/1 via 10.7.7.1 dev tun0 
default via 192.168.1.1 dev eth0.2  src 192.168.1.208 
10.7.7.0/24 dev tun0 scope link  src 10.7.7.8 
95.174.67.84 via 192.168.1.1 dev eth0.2 
128.0.0.0/1 via 10.7.7.1 dev tun0 
192.168.1.0/24 dev eth0.2 scope link  src 192.168.1.208 
192.168.2.0/24 dev br-lan scope link  src 192.168.2.1

In /etc/config/firewall I just commented out forwarding from lan to wan and added a forwarding entry from lan to vpn. Now that I think about it, this might be part of the problem. I will try to figure out how to do this with ip routes, but I'm not confident that I will know if it is working properly.


It seems like that was the cause, sorry for troubling you. This is what I have set up instead (hopefully it works):

ip route show:

0.0.0.0/1 via 10.7.7.1 dev tun0 
default via 10.7.7.1 dev tun0 
10.7.7.0/24 dev tun0 scope link  src 10.7.7.8 
95.174.67.84 via 192.168.1.1 dev eth0.2 
128.0.0.0/1 via 10.7.7.1 dev tun0 
192.168.1.0/24 dev eth0.2 scope link  src 192.168.1.208 
192.168.2.0/24 dev br-lan scope link  src 192.168.2.1
8.8.8.8 via 192.168.1.1 dev eth0.2

In /etc/config/firewall:

config rule
	option target 'ACCEPT'
	option src 'lan'
	option name 'VPN Bypass 1'
	option dest 'wan'
	option dest_ip '8.8.8.8'

config rule
	option enabled '1'
	option src 'lan'
	option name 'VPN Block'
	option dest 'wan'
	option target 'DROP'

The only problem I see with this is that I will have to manually edit the static route if my outside global address (192.168.1.1) changes... Or so I was going to say, but Vgaetera beat me to it! This looks perfect. Now I just need to figure out where to install it.

There's probably a better way of doing this but I put that into a script in my root directory and call it from /etc/rc.local . if [ $(uci get network.autoroute) ]; then ... to prevent duplicates. Seems to be working well so far.

Thank you both. :)
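The concern raised above, that the bypass route has to be edited by hand whenever the upstream gateway at 192.168.1.1 changes, can be handled by reading the gateway out of the routing table and writing the route with uci. This is an added example, not vgaetera's script or anything else posted in the thread; it assumes the WAN device eth0.2 from the config above and uses route section names (vpn_bypassN) chosen here.

```shell
#!/bin/sh
# Added example, not code from the thread: derive the WAN gateway from the
# kernel routing table and (re)install the VPN-bypass route through it with
# uci, so the route follows the upstream gateway instead of being hard-coded.
# Assumed (not from the thread): WAN device eth0.2, section names vpn_bypassN.
WAN_DEV="eth0.2"
BYPASS_IPS="8.8.8.8"   # space-separated hosts that should go around the VPN

# Constructed sample, copied from the thread's second 'ip route show' output.
SAMPLE_ROUTES='0.0.0.0/1 via 10.7.7.1 dev tun0
default via 10.7.7.1 dev tun0
10.7.7.0/24 dev tun0 scope link  src 10.7.7.8
95.174.67.84 via 192.168.1.1 dev eth0.2
128.0.0.0/1 via 10.7.7.1 dev tun0
192.168.1.0/24 dev eth0.2 scope link  src 192.168.1.208
192.168.2.0/24 dev br-lan scope link  src 192.168.2.1'

# wan_gateway DEV: read 'ip route show' output on stdin and print the first
# next hop reached through DEV. With the VPN up the default route points at
# tun0, so the upstream gateway only survives in other 'via X dev DEV' entries.
wan_gateway() {
    awk -v dev="$1" '$2 == "via" && $4 == "dev" && $5 == dev { print $3; exit }'
}

# route_cmds GW IP...: print the uci commands for one named route section per
# bypass host (host route: netmask /32, gateway GW, parent interface 'wan').
# Fixed section names mean a re-run overwrites instead of adding duplicates.
route_cmds() {
    gw="$1"; shift
    n=0
    for ip in "$@"; do
        sec="vpn_bypass$n"
        n=$((n + 1))
        printf "uci set network.%s=route\n" "$sec"
        printf "uci set network.%s.interface='wan'\n" "$sec"
        printf "uci set network.%s.target='%s'\n" "$sec" "$ip"
        printf "uci set network.%s.netmask='255.255.255.255'\n" "$sec"
        printf "uci set network.%s.gateway='%s'\n" "$sec" "$gw"
    done
    printf "uci commit network\n"
}

# apply: run on the router once the WAN lease is up (e.g. from rc.local).
apply() {
    gw=$(ip -4 route show | wan_gateway "$WAN_DEV")
    [ -n "$gw" ] || { echo "no gateway found on $WAN_DEV" >&2; return 1; }
    route_cmds "$gw" $BYPASS_IPS | sh -e && /etc/init.d/network reload
}
if [ "${1:-}" = "apply" ]; then apply; fi
```

Called with the argument `apply` it installs the routes; without it, it only defines the functions, and the lan-to-wan DROP rule from the firewall config above still blocks everything that is not explicitly bypassed.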

config route
	# netifd requires the parent interface; 'wan' is the eth0.2 interface defined above
	option interface 'wan'
	option target '8.8.8.8'
	option netmask '255.255.255.255'
	option gateway '192.168.1.1' #not sure this is needed
	option source '192.168.1.208'

Would have been easier.

See: https://openwrt.org/docs/guide-user/network/routes_configuration

This can also be done in LuCI under Network > Static Routes.