Trouble accessing device from subnet without interface

Hey there,

I have been struggling for a while to make a "switch only" OpenWRT device manageable from my management VPN network zone. My setting is sketched in the image below. Basically, what I want to achieve is accessing OpenWRT device 2 via the VPN which is hosted on device 1, but I have been failing so far.

Device 1 and 2 are connected by a trunk with multiple VLANs. The management VLAN ID is 80. On device 1 I have a zone MGT which is allowed to access device 1. The zone is composed of an ethernet interface eth0.80 with DHCP spanning 10.3.80.1/24 and the OpenVPN tun0 spanning 10.3.180.1/24. The same zone MGT and interface are set up on device 2, but without DHCP and with a static IP of 10.3.80.3. As long as I connect to my management ethernet port at device 1 or 2, I can perfectly access device 2 with IP 10.3.80.3. However, if I connect via VPN to my management VPN zone at device 1 tun0 10.3.180.1/24, I can only access device 1 from that VPN connection, but not device 2. I already tried the following firewall rule on device 2 but was not successful.

What I tried in the firewall setting on device 2

config zone
	list subnet '10.3.180.1/24'
	option name 'MGTvpn'
	option input 'ACCEPT'
	option forward 'REJECT'
	option output 'ACCEPT'

Device 2 Network Config


config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd03:0:0::/48'

config device 'wan_eth0_2_dev'
	option name 'eth0.2'
	option macaddr 'x'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option vid '3'
	option ports '0t 3 1t'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option vid '6'
	option ports '0t 3t 1t'

config switch_vlan
	option device 'switch0'
	option vlan '4'
	option vid '7'
	option ports '0t 2 1t'

config switch_vlan
	option device 'switch0'
	option vlan '5'
	option vid '10'
	option ports '0t 3t 1t'

config switch_vlan
	option device 'switch0'
	option vlan '7'
	option vid '80'
	option ports '0t 4 1t'

config interface 'MGT'
	option ifname 'eth0.80'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6hint '80'
	option ipaddr '10.3.80.3'
	option ip6assign '64'
	option ip6ifaceid '::3'

Device 2 Firewall Config

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config include
	option path '/etc/firewall.user'

config zone
	option network 'MGT'
	option input 'ACCEPT'
	option forward 'REJECT'
	option name 'MGT'
	option output 'ACCEPT'

Device 1 Network Config


config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd03:0:0::/48'

config device 'lan_eth0_1_dev'
	option name 'eth0.1'
	option macaddr 'x'

config interface 'wan'
	option proto 'dhcp'
	option ifname 'eth0.2'

config device 'wan_eth0_2_dev'
	option name 'eth0.2'
	option macaddr 'x'

config interface 'wan6'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option ifname 'eth0.2'
	option reqprefix '58'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '6t 3t'
	option vid '10'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option vid '2'
	option ports '6t 0'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option vid '80'
	option ports '6t 3t 4'

config interface 'MGT'
	option ifname 'eth0.80'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '10.3.80.1'
	option ip6assign '64'
	option ip6hint '80'
	option ipv6class 'local'

config switch_vlan
	option device 'switch0'
	option vlan '4'
	option vid '3'
	option ports '6t 2 3t'

config switch_vlan
	option device 'switch0'
	option vlan '5'
	option vid '4'
	option ports '6t 3t'

config switch_vlan
	option device 'switch0'
	option vlan '6'
	option vid '5'
	option ports '6t 1'

config interface 'LAN'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6hint '2'
	option ipaddr '10.3.2.1'
	option ip6assign '64'
	option ifname 'eth0.10'

config interface 'MGTvpn'
	option proto 'none'
	option ifname 'tun0'

Device 1 Firewall Config

config include
	option path '/etc/firewall.user'

config zone
	option input 'ACCEPT'
	option name 'MGT'
	option output 'ACCEPT'
	option network 'MGT MGTvpn'
	option forward 'ACCEPT'

config rule 'MGTvpn'
	option name 'Allow-OpenVPN-MGT'
	option src 'wan'
	option dest_port '4589'
	option proto 'udp'
	option target 'ACCEPT'

Make sure it works without VPN.
Verify that VPN connection establishes successfully.
Post the VPN server and client configs as well as runtime network and routing configs.


Yes, I can access device 2 without VPN if I am connected to the 10.3.80.1/24 subnet on device 1. In addition, I can access device 1 via VPN. Which output do you refer to by "runtime network config"?

OpenVPN Server Config on Device 1

config openvpn 'MGT'
	option enabled '1'
	option verb '11'
	option tls_server '1'
	option tls_version_min '1.2'
	option user 'nobody'
	option fast_io '1'
	option group 'nogroup'
	option dev 'tun0'
	option port '2347'
	option proto 'udp6'
	option server '10.3.180.0 255.255.255.0'
	option multihome '1'
	option client_to_client '0'
	option topology 'subnet'
	option mute_replay_warnings '1'
	option compress 'lzo'
	option keepalive '10 120'
	option persist_tun '1'
	option persist_key '1'
	option tls_crypt '/etc/openvpn/MGT/ssl/tc.pem'
	option dh '/etc/openvpn/MGT/ssl/dh.pem'
	option cert '/etc/openvpn/MGT/ssl/MGT_vpnserver.crt'
	option key '/etc/openvpn/MGT/ssl/MGT_vpnserver.key'
	option ca '/etc/openvpn/MGT/ssl/ca.crt'
	option cipher 'AES-256-GCM'
	option auth 'SHA512'
	option tls_cipher 'TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA'
	list push 'dhcp-option DOMAIN MGT'
	list push 'redirect-gateway def1'
	list push 'topology subnet'
	list push 'dhcp-option DNS 10.3.180.1'

OpenVPN Client Config

verb 3
nobind
dev tun0
tls-client
proto udp
resolv-retry infinite
remote x.de 2347
fast-io
comp-lzo
remote-cert-tls server
user nobody
group nobody
persist-key
persist-tun
mute-replay-warnings
cipher AES-256-GCM
mute 20
topology subnet
verify-x509-name x.de name
auth SHA512

tls-cipher DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-AES128-SHA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA

tls-version-min 1.2
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
</tls-crypt>
<ca>
-----BEGIN CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
</key>

Routes on Device 1

root@GrenzwegERX /root [#]# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         fritz.box       0.0.0.0         UG    0      0        0 eth0.2
10.3.1.0        *               255.255.255.0   U     0      0        0 eth0.2
10.3.2.0        *               255.255.255.0   U     0      0        0 eth0.10
10.3.3.0        *               255.255.255.0   U     0      0        0 eth0.3
10.3.4.0        *               255.255.255.0   U     0      0        0 eth0.4
10.3.5.0        *               255.255.255.0   U     0      0        0 eth0.5
10.3.7.0        *               255.255.255.0   U     0      0        0 eth0.7
10.3.8.0        *               255.255.255.0   U     0      0        0 eth0.8
10.3.9.0        *               255.255.255.0   U     0      0        0 eth0.9
10.3.80.0       *               255.255.255.0   U     0      0        0 eth0.80
10.3.102.0      *               255.255.255.0   U     0      0        0 tun1
10.3.180.0      *               255.255.255.0   U     0      0        0 tun0

Routes on device 2

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.3.80.0       *               255.255.255.0   U     0      0        0 eth0.80
# Server
uci set openvpn.MGT.proto="udp"
uci commit openvpn
/etc/init.d/openvpn restart

# Client
/etc/init.d/log restart; /etc/init.d/openvpn restart; \
sleep 10; logread -e openvpn; ip r; ip ru

Router 2 doesn't have a gateway, so it doesn't know where to send packets destined for 10.3.180.0/24.
Add one in the MGT interface towards 10.3.80.1.

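The point made in the reply above is that the request path and the reply path are looked up in two different routing tables. Below is an added example, not code from the thread or from OpenWrt, that models the two "route" outputs posted in the thread as small tables and runs a longest-prefix lookup in both directions. It shows why the ethernet client on 10.3.80.0/24 works while the VPN client on 10.3.180.0/24 does not, and what changes once device 2 gets a gateway. The "narrow static route" variant and the `uci` command lists are assumptions of mine (standard OpenWrt `option gateway` and `config route` syntax), not something the thread contains; the IP addresses and interface names are the ones posted.

```python
import ipaddress

# Route tables constructed from the "route" output posted in the thread:
# (prefix, gateway, interface); gateway None means directly connected.
ROUTER1 = [
    ("10.3.80.0/24", None, "eth0.80"),   # management VLAN 80
    ("10.3.180.0/24", None, "tun0"),     # OpenVPN server subnet
]
# Device 2 as posted: it only knows its own management subnet.
ROUTER2_BEFORE = [
    ("10.3.80.0/24", None, "eth0.80"),
]
# Device 2 after the suggested fix, `option gateway '10.3.80.1'` on MGT
# (a default route via device 1).
ROUTER2_DEFAULT_GW = ROUTER2_BEFORE + [("0.0.0.0/0", "10.3.80.1", "eth0.80")]
# Assumed narrower alternative: a static route for the VPN subnet only, so
# device 2 can answer VPN clients but gains no path to anything else.
ROUTER2_VPN_ROUTE = ROUTER2_BEFORE + [("10.3.180.0/24", "10.3.80.1", "eth0.80")]


def lookup(routes, dst):
    """Longest-prefix match. Returns the (prefix, gw, iface) entry or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr not in net:
            continue
        if best is None or net.prefixlen > ipaddress.ip_network(best[0]).prefixlen:
            best = (prefix, gw, iface)
    return best


def next_hop(routes, dst):
    """Where the kernel sends a packet for dst: (next_hop_ip, iface), or None
    if the table has no matching entry (the 'network unreachable' case)."""
    match = lookup(routes, dst)
    if match is None:
        return None
    _, gw, iface = match
    # Directly connected prefix: the next hop is the destination itself.
    return (gw if gw is not None else dst, iface)


def round_trip(client_ip, target_ip, router1_routes, router2_routes):
    """Trace the request (client -> router1 -> device 2) and the reply
    (device 2 -> client). A session only works if both directions resolve."""
    request = next_hop(router1_routes, target_ip)   # router1 forwards toward device 2
    reply = next_hop(router2_routes, client_ip)     # device 2 answers the client
    return {
        "request": request,
        "reply": reply,
        "ok": request is not None and reply is not None,
    }


def uci_commands(mode="default"):
    """Assumed OpenWrt UCI commands that produce each device 2 table above."""
    if mode == "default":
        return [
            "uci set network.MGT.gateway='10.3.80.1'",
            "uci commit network",
            "/etc/init.d/network reload",
        ]
    if mode == "vpn-only":
        return [
            "uci add network route",
            "uci set network.@route[-1].interface='MGT'",
            "uci set network.@route[-1].target='10.3.180.0'",
            "uci set network.@route[-1].netmask='255.255.255.0'",
            "uci set network.@route[-1].gateway='10.3.80.1'",
            "uci commit network",
            "/etc/init.d/network reload",
        ]
    raise ValueError(mode)


if __name__ == "__main__":
    for label, table in (("before", ROUTER2_BEFORE),
                         ("default gw", ROUTER2_DEFAULT_GW),
                         ("vpn route", ROUTER2_VPN_ROUTE)):
        print(label, round_trip("10.3.180.3", "10.3.80.3", ROUTER1, table))
    print("ethernet client", round_trip("10.3.80.100", "10.3.80.3", ROUTER1, ROUTER2_BEFORE))
```

Two things follow from the model. First, a firewall zone with `list subnet` (the OP's first attempt) changes what device 2 accepts, not where it sends replies, so it cannot fix a missing route; the device 1 side is already fine because its MGT zone spans both `MGT` and `MGTvpn` with `forward 'ACCEPT'`. Second, the static route variant is the tighter choice for a switch-only box: it restores reachability for the VPN subnet without giving device 2 a default route to the internet.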

Connecting the VPN should redirect the gateway.
And the VPN remote is supposed to be in the link scope, so the gateway is not really necessary.
Assuming that the OP connects by IP, otherwise it depends on the DNS configuration.
Thus, it's best to collect the diagnostics and then make a conclusion.

It doesn't look to me like router2 connects to router1 via VPN. I only see a trunk port.
Notice also that the VPN subnet is .180.0/24 and the management subnet is .80.0/24.

Assuming that the client is 10.3.80.3/24 and the server is 10.3.80.1/24 and they have link scope connectivity, the VPN connection should be possible at least by IP.

ovpn client 10.3.180.3 -> router1 tun0 10.3.180.1 -> router1 mgt 10.3.80.1 -> router2 10.3.80.3

Yes, this is also my understanding of what should work but does not:
ovpn client 10.3.180.3 -> router1 tun0 10.3.180.1 -> router1 mgt 10.3.80.1 -> router2 10.3.80.3

What works are the following routes:

ovpn client 10.3.180.3 -> router1 tun0 10.3.180.1 -> router1 mgt 10.3.80.1
ethernet client 10.3.80.100 -> router1 mgt 10.3.80.1 -> router2 mgt 10.3.80.3

Did you add the gateway?

Thank you very much! Yes, this was the issue. An eye-opening moment for me - I was only thinking of the problem from the perspective of traffic from device 1 towards device 2, but not the other way around.
