I am struggling for a while to make a "switch only" used OpenWRT device manageable from my management VPN network zone. My setting is sketched in the image below. Basically what I want to achieve is accessing the OpenWRT device 2 via the VPN which is hosted on device 1, but I am failing so far.
Device 1 and 2 are connected by a trunk with multiple VLANs. The management VLAN ID is 80. On device 1 I have a zone MGT which is allowed to access device 1. The zone is composed of an ethernet interface eth0.80 with DHCP spanning 10.3.80.1/24 and the OpenVPN tun0 spanning 10.3.180.1/24. The same zone MGT and interface is set up at device 2 but without DHCP and with a static IP of 10.3.80.3. As long as I connect to my management ethernet port at device 1 or 2 I can perfectly access device 2 with IP 10.3.80.3. However, if I connect via VPN to my management VPN zone at device 1 tun0 10.3.180.1/24, I can only access device 1 from that VPN connection but not device 2. I already tried the following firewall rule on device 2 but was not successful.
What I tried in the firewall setting on device 2
```
config zone
	list subnet '10.3.180.1/24'
	option name 'MGTvpn'
	option input 'ACCEPT'
	option forward 'REJECT'
	option output 'ACCEPT'
```
Make sure it works without VPN.
Verify that VPN connection establishes successfully.
Post the VPN server and client configs as well as runtime network and routing configs.
Yes, I can access device 2 without VPN if I am connected to the 10.3.80.1/24 subnet on device 1. In addition, I can access device 1 via VPN. Which output do you refer to by "runtime network config"?
OpenVPN Server Config on Device 1
```
config openvpn 'MGT'
	option enabled '1'
	option verb '11'
	option tls_server '1'
	option tls_version_min '1.2'
	option user 'nobody'
	option fast_io '1'
	option group 'nogroup'
	option dev 'tun0'
	option port '2347'
	option proto 'udp6'
	option server '10.3.180.0 255.255.255.0'
	option multihome '1'
	option client_to_client '0'
	option topology 'subnet'
	option mute_replay_warnings '1'
	option compress 'lzo'
	option keepalive '10 120'
	option persist_tun '1'
	option persist_key '1'
	option tls_crypt '/etc/openvpn/MGT/ssl/tc.pem'
	option dh '/etc/openvpn/MGT/ssl/dh.pem'
	option cert '/etc/openvpn/MGT/ssl/MGT_vpnserver.crt'
	option key '/etc/openvpn/MGT/ssl/MGT_vpnserver.key'
	option ca '/etc/openvpn/MGT/ssl/ca.crt'
	option cipher 'AES-256-GCM'
	option auth 'SHA512'
	option tls_cipher 'TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA'
	list push 'dhcp-option DOMAIN MGT'
	list push 'redirect-gateway def1'
	list push 'topology subnet'
	list push 'dhcp-option DNS 10.3.180.1'
```
OpenVPN Client Config
```
verb 3
nobind
dev tun0
tls-client
proto udp
resolv-retry infinite
remote x.de 2347
fast-io
comp-lzo
remote-cert-tls server
user nobody
group nobody
persist-key
persist-tun
mute-replay-warnings
cipher AES-256-GCM
mute 20
topology subnet
verify-x509-name x.de name
auth SHA512
tls-cipher DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-AES128-SHA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
tls-version-min 1.2
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
</tls-crypt>
<ca>
-----BEGIN CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
</key>
```
Routes on Device 1
```
root@GrenzwegERX /root [#]# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         fritz.box       0.0.0.0         UG    0      0        0 eth0.2
10.3.1.0        *               255.255.255.0   U     0      0        0 eth0.2
10.3.2.0        *               255.255.255.0   U     0      0        0 eth0.10
10.3.3.0        *               255.255.255.0   U     0      0        0 eth0.3
10.3.4.0        *               255.255.255.0   U     0      0        0 eth0.4
10.3.5.0        *               255.255.255.0   U     0      0        0 eth0.5
10.3.7.0        *               255.255.255.0   U     0      0        0 eth0.7
10.3.8.0        *               255.255.255.0   U     0      0        0 eth0.8
10.3.9.0        *               255.255.255.0   U     0      0        0 eth0.9
10.3.80.0       *               255.255.255.0   U     0      0        0 eth0.80
10.3.102.0      *               255.255.255.0   U     0      0        0 tun1
10.3.180.0      *               255.255.255.0   U     0      0        0 tun0
```
Routes on device 2
```
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.3.80.0       *               255.255.255.0   U     0      0        0 eth0.80
```
Connecting the VPN should redirect the gateway.
And the VPN remote is supposed to be in the link scope, so the gateway is not really necessary.
Assuming that the OP connects by IP, otherwise it depends on the DNS configuration.
Thus, it's best to collect the diagnostics and then make a conclusion.
It doesn't look to me that router2 connects to router1 via VPN. I only see a trunk port.
Notice also that the VPN subnet is .180.0/24 and management is .80.0/24.
Assuming that the client is 10.3.80.3/24 and the server is 10.3.80.1/24 and they have link scope connectivity, the VPN connection should be possible at least by IP.
Yes, this is also my understanding of what should work but does not:
ovpn client 10.3.180.3 -> router1 tun0 10.3.180.1 -> router1 mgt 10.3.80.1 -> router2 10.3.80.3
Thank you very much! Yes, this was the issue. Eye-opening moment for me: I was only thinking of the problem from the traffic from device 1 towards device 2, but not the other way around.
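The failure mode the thread ends on is asymmetric routing: device 2's table only covers 10.3.80.0/24, so a packet from the VPN client 10.3.180.3 reaches device 2 over the trunk, but device 2 has nowhere to send the reply. The script below is an added example, not code from the thread or from OpenWrt: it takes a routing table in the format `route -n` prints, does the longest-prefix match the kernel would do, and reports whether a reply to a given source can leave at all. The two tables are constructed from the thread (device 2 before the fix, and the same table with a default route via device 1's management address 10.3.80.1 added); the `uci` commands at the end show the equivalent static route for /etc/config/network and assume the management interface is named `mgt`, which is not stated in the thread.

```shell
#!/bin/sh
# Added example: reply-path check for the asymmetric routing problem in the thread.

# Constructed: device 2 as posted (only the management VLAN, no gateway).
DEVICE2_ROUTES='Destination Gateway Genmask Flags Metric Ref Use Iface
10.3.80.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0.80'

# Constructed: device 2 after adding a default route via device 1 (10.3.80.1).
DEVICE2_ROUTES_FIXED='Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.3.80.1 0.0.0.0 UG 0 0 0 eth0.80
10.3.80.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0.80'

# route_for TABLE DEST
# Prints "<iface> via <gateway>" for the most specific route covering DEST,
# or prints nothing and returns 1 when DEST is unroutable (reply is dropped).
route_for() {
    printf '%s\n' "$1" | awk -v dest="$2" '
    # dotted quad -> integer
    function ip2int(s,  o) { split(s, o, "."); return ((o[1]*256+o[2])*256+o[3])*256+o[4] }
    # count set bits of a netmask -> prefix length
    function masklen(m,  b, n) { b = ip2int(m); n = 0; while (b > 0) { n += b % 2; b = int(b / 2) }; return n }
    NR == 1 { next }                        # skip the column header
    {
        len = masklen($3); block = 2 ^ (32 - len)
        # (dest & mask) == network, done with integer division because awk lacks bitwise AND
        if (int(ip2int(dest) / block) * block == ip2int($1) && (best == "" || len > bestlen)) {
            best = $8 " via " $2; bestlen = len
        }
    }
    END { if (best == "") exit 1; print best }'
}

# Emits the uci commands that add the return route on device 2 permanently
# (hypothetical interface name "mgt"; the thread does not name it).
uci_return_route() {
    cat <<'EOF'
uci add network route
uci set network.@route[-1].interface='mgt'
uci set network.@route[-1].target='10.3.180.0'
uci set network.@route[-1].netmask='255.255.255.0'
uci set network.@route[-1].gateway='10.3.80.1'
uci commit network
/etc/init.d/network restart
EOF
}

# Demonstration: a reply to the VPN client 10.3.180.3 before and after the fix.
echo "before: $(route_for "$DEVICE2_ROUTES" 10.3.180.3 || echo 'no route, reply dropped')"
echo "after:  $(route_for "$DEVICE2_ROUTES_FIXED" 10.3.180.3)"
```

Run it on a real device by feeding `route -n` output into `route_for` and the address of the VPN client; an empty result means the firewall zone on device 2 was never the problem, because the reply never reaches netfilter's FORWARD/OUTPUT decision with a usable next hop. A default route is the simplest fix when device 1 is device 2's only path out; the static /24 route is the least-privilege variant that only adds the VPN subnet.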