Use Lede VM as VPN client

Hi,

I have a WNDR3700v4 in use with LEDE 17.01.2 r3435-65eec8bd5f.
On the WNDR there is a USB modem connected (WAN1).

As I already found out that the WNDR3700v4 can't handle a 30MBit/s down, 10MBit/s up OpenVPN connection, I was thinking about a VM with an x86 LEDE running. The VM is running on a Windows server in VirtualBox and should have enough power to handle a VPN client connection like NordVPN.

The server with the VM is one floor under the location of the WNDR3700 so a hardware USB connection isn't possible.

My idea is about this:
Set the WNDR3700 LAN to static 192.168.1.2, DHCP off
Set the VM LAN to static 192.168.1.1, DHCP on, WAN: static 192.168.1.99, Gateway 192.168.1.2

Then set on the WNDR3700 the traffic rule that only IP 192.168.1.99 is allowed to send data to the WAN.

Should this work or is there an easier way to share the WAN connection of one router to another?

I also tried the tool usbip; I can share the USB device but not attach it on the VM.

Does somebody have an idea?

Hey there.

Two interfaces with overlapping IP subnets (both, LAN and WAN are 192.168.1.0/24) isn't going to work.

Using a single interface LAN for inbound and outbound traffic (hence dropping the WAN entirely) is going to work in terms of routing, but it completely eliminates zone based firewall rules.

My suggestion:

  • WNDR3700: 192.168.100.1, DHCP off, IPv6 off
  • VM WAN: 192.168.100.2, DHCP off, gateway 192.168.100.1
  • VM LAN: 192.168.1.1, DHCP on

You can add a firewall rule on the WNDR3700 to only allow traffic from 192.168.100.2 to be forwarded. But to be honest, to me that's only a little sugar but not at all secure. If I intrude into your network, I can use the 192.168.100.2 myself and be done.
Using MAC instead of IP for a firewall rule isn't any better because if I intrude into your network, I just tcpdump what's going on, know both your MAC address and your IP address and can fake both.

Regards,
Stephan.

Can this work?
I use 4 ports of the LAN at the WNDR3700 right now.
One uplink to a 24 port switch and 3 192.168.1.x clients.

Are they going to still work if I change the subnet of the LAN at the WNDR3700?

I configured the WNDR3700 now with 192.168.100.1, DHCP off.
The VM 192.168.1.1, DHCP on.
WAN on the VM is 192.168.100.2 and Gateway 192.168.100.1.

Internet connection is working without any problem.
Also the WNDR3700 is still doing DNS updates on freedns without problems.

But I can't reach the internal server anymore from outside.
The WNDR3700 does have a port forward from wan to 192.168.1.7:80.

Why is the port forwarding not working anymore?

I think the problem is that you're trying to port forward across subnets. There are probably multiple ways to fix this, but one option would be to forward port 80 to 192.168.100.2 and then forward 80 on the virtual router to 192.168.1.7.

BTW, I helped someone on another forum with a very similar requirement, and we approached it a little differently. We kept a single subnet, but created a vlan on the primary router to connect the WAN port on the VPN router (virtual router in your case) to. Here's what it looked like:

It's essentially a dual gateway setup on a single subnet. Whenever this user wants to send traffic over the VPN, he changes the gateway on that device (which must also have a static address). He mostly just uses the VPN for his NAS, so we have that on a static IP with the VPN gateway set. The nice feature is the single subnet for the LAN.
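Added example, not code from the thread or from LEDE: a small Python check of the two points raised above, that the VM's original LAN/WAN plan puts both interfaces on the same 192.168.1.0/24 subnet, and that a DNAT on the WNDR3700 can only target a host on a subnet the WNDR3700 is directly attached to, which is why the forward has to go in two hops (WNDR3700 to 192.168.100.2, VM to 192.168.1.7). Router names and the dict layout are assumptions of this example.

```python
"""Sanity-check a two-router addressing plan like the one in this thread.

Constructed example. Each router is modelled as a dict of interface -> CIDR;
a port forward (DNAT) on a router only works when its target lies on a
subnet that router has an address on.
"""
import ipaddress


def overlapping_subnets(router):
    """Return pairs of interfaces on one router whose subnets overlap."""
    nets = {name: ipaddress.ip_network(cidr, strict=False)
            for name, cidr in router.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def directly_attached(router, host):
    """True when host is inside a subnet the router has an address on."""
    ip = ipaddress.ip_address(host)
    return any(ip in ipaddress.ip_network(c, strict=False)
               for c in router.values())


def trace_dnat(routers, chain):
    """Follow (router_name, dnat_target) hops; return the first hop whose
    target is not reachable on a directly attached subnet, or None."""
    for router_name, target in chain:
        if not directly_attached(routers[router_name], target):
            return (router_name, target)
    return None


# Plan from the first post: VM LAN and WAN both sit in 192.168.1.0/24
ORIGINAL_VM = {"lan": "192.168.1.1/24", "wan": "192.168.1.99/24"}
# Stephan's suggestion: transit net 192.168.100.0/24 between the routers
ROUTERS = {
    "wndr3700": {"lan": "192.168.100.1/24"},
    "vm": {"wan": "192.168.100.2/24", "lan": "192.168.1.1/24"},
}
# Forward on the WNDR3700 straight to the web server (the failing case)
SINGLE_HOP = [("wndr3700", "192.168.1.7")]
# Two-hop forward: WNDR3700 -> VM WAN address, then VM -> web server
TWO_HOP = [("wndr3700", "192.168.100.2"), ("vm", "192.168.1.7")]

if __name__ == "__main__":
    print("overlaps in original VM plan:", overlapping_subnets(ORIGINAL_VM))
    print("bad hop, single-hop forward:", trace_dnat(ROUTERS, SINGLE_HOP))
    print("bad hop, two-hop forward:", trace_dnat(ROUTERS, TWO_HOP))
```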

That was what I was thinking too, but I didn't find out how to fix this.
But your tip with forwarding to 192.168.100.2 on the VM and then to the right client host fixed it!

thx for this information!

Also really nice is the config you talk about with only one subnet.

But my primary router is the WNDR3700. When I create a VLAN, to what interface should I attach it? LAN is right now attached to eth0.1 and the VLAN of eth0.1 is mapped to the 4 hardware ports of the WNDR3700.

Does this router have the ability to create a VLAN on a single Ethernet port? -- because that's crucial to this setup. You may need to ask a new question to the forum about this, as some routers have full "switch" control and some don't, IIRC. The idea is to create a VLAN on one Ethernet port on the WNDR3700 and attach the WAN port of your VM router to it.

Looks like there's a current thread going on this very issue of having a VLAN on a single Ethernet port:

I think I got it working!

WNDR3700:
WAN-Port (WAN): Uplink to 24 port switch
LAN port 1 (LAN): Uplink to 24 port switch
LAN port 2-4 (LAN): local DHCP clients
USB (WWAN0): LTE modem

I do have internet connection if I use 192.168.1.1 or 192.168.1.2 as gateway.
How to check if the traffic is really running through 192.168.1.2->wan->192.168.2.1?
I do not have a VPN installation right now. This will be the next part on the VM router.

Config of the WNDR3700:

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd70:d55a:f876::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option dns '8.8.8.8'
	option ipaddr '192.168.1.1'

config device 'lan_dev'
	option name 'eth0.1'
	option macaddr '6c:b0:ce:1b:95:da'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	option metric '1'
	option type 'bridge'

config device 'wan_dev'
	option name 'eth0.2'
	option macaddr '6c:b0:ce:1b:95:db'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0t 1 2 3 4'
	option vid '1'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option vid '2'
	option ports '0t 5'

config interface 'wwan'
	option proto 'dhcp'
	option metric '2'

config interface 'wan2'
	option proto 'dhcp'
	option metric '20'

config interface 'wan1'
	option proto 'dhcp'
	option ifname 'wwan0'
	option metric '10'

And firewall:

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan6 wwan wan1 wan2'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option src_dport '80'
	option name 'nginx'
	option dest_ip '192.168.1.7'
	option dest_port '81'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option src_dport '443'
	option dest_port '443'
	option name 'nginx_ssl'
	option dest_ip '192.168.1.7'

The VM has a maintenance port mapped on eth0; eth1 & eth2 are bridged directly:

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd9b:5c54:0d49::/48'

config interface 'wan'
	option ifname 'eth2'
	option proto 'static'
	option netmask '255.255.255.0'
	option metric '1'
	option ipaddr '192.168.2.2'
	option type 'bridge'
	option gateway '192.168.2.1'

config interface 'mng'
	option type 'bridge'
	option ifname 'eth0'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.56.2'

config interface 'lan'
	option ifname 'eth1'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.1.2'
	option type 'bridge'

config interface 'wan1'
	option proto 'dhcp'
	option metric '10'

config interface 'wan2'
	option proto 'dhcp'
	option metric '20'

config interface 'wwan'
	option proto 'dhcp'
	option metric '2'

And firewall:

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option network 'lan'
	option forward 'ACCEPT'

config include
	option path '/etc/firewall.user'

config zone
	option output 'ACCEPT'
	option name 'wan'
	option masq '1'
	option mtu_fix '1'
	option input 'REJECT'
	option forward 'REJECT'
	option network 'wan wwan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

How about traceroute or tracert to confirm?

Thank you again! I finished the setup today. On gateway 192.168.1.1 I am connected through the ISP. On gateway 192.168.1.2 I am connected through NordVPN to the Internet!