Using PBR for VPN to one VLAN

Hello, long-time reader, first-time caller.

I am on the last step (for now) of my OpenWrt configuration. Everything is working OK besides the VPN. When I connect to the VPN all traffic stops, including br-lan.1 (lan).

Goal: route VLAN1 to WAN, route VLAN10 to VPN.

OpenWrt 23.05.2 r23630-842932a63d

PBR
OpenVPN

The VPN is tun0, has a firewall zone
VPN => WAN

There is a PBR policy for 192.168.1.0/24 to default to WAN
The default interface is check marked with WAN

The tunnel connects OK (shows (yes)). System logs:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </>" button:

Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall
ip route show
ip route show table all
ip rule show
logread | grep openvpn

redacted

resolved

Can you add: cat /etc/config/firewall

The VPN seems down; probably first see if you can get that working.

The VPN is down, yes. When it is enabled and connected it shows connected (yes) and I presume the tunnel comes up without errors. When it's up all network connectivity stops, and I can't cause any disruptions at this time on the network to bring it up for debugging.

If vlan1 is PBR routing to WAN, I am expecting while on vlan1, enabling the VPN should have no effect.

I added /etc/config/firewall. Was cleaning up the editing.

Edit: I have strict policy enforcement on the VLAN1 - WAN rule. Could this be cutting it off? The logs show the killswitch is turned off.

Thanks!

You need a forwarding rule from e.g. vlan_10 to VPN, and remove the current forwarding rule from VPN to wan:

config forwarding
        option src 'vlan_10'
        option dest 'VPN'

The VPN client is like a WAN, so treat it as such and set option input 'REJECT'.

I would first disable the VPN and disable PBR, then restart the router and check if you have internet access from vlan_1 and vlan_10.

To make sure the default route is via the WAN you can add to the OpenVPN config file:
pull-filter ignore "redirect-gateway"
redirect-private def1

This will route everything by default via the WAN unless you use PBR to route via the VPN.
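A small check, added here as an example and not part of the thread, that reads an OpenWrt /etc/config/firewall and reports whether it matches the layout the reply describes: a vlan_10 to VPN forwarding present, the VPN to wan forwarding gone, and the VPN zone's input set to REJECT. The zone names vlan_10, VPN and wan are taken from the posts; the sample config is constructed and deliberately shows the "before" state.

```python
# Added example: audit an OpenWrt UCI firewall config for the VPN zone layout
# recommended in the thread. Zone names are assumed from the posts; the sample
# config below is constructed and represents the original (broken) state.

SAMPLE_FIREWALL = """\
config zone
        option name 'wan'
        option input 'REJECT'
        list network 'wan'

config zone
        option name 'VPN'
        option input 'ACCEPT'
        list device 'tun0'

config forwarding
        option src 'VPN'
        option dest 'wan'
"""

def parse_uci(text):
    """Parse UCI text into a list of (section_type, options) tuples.
    'option' entries become strings, 'list' entries become Python lists."""
    sections = []
    for line in text.splitlines():
        parts = line.strip().split(None, 2)
        if not parts:
            continue
        if parts[0] == "config":
            sections.append((parts[1], {}))
        elif parts[0] in ("option", "list") and sections and len(parts) == 3:
            key, value = parts[1], parts[2].strip("'\"")
            if parts[0] == "list":
                sections[-1][1].setdefault(key, []).append(value)
            else:
                sections[-1][1][key] = value
    return sections

def check_vpn_layout(text, lan_zone="vlan_10", vpn_zone="VPN", wan_zone="wan"):
    """Return a list of findings; an empty list means the config matches the advice."""
    sections = parse_uci(text)
    forwardings = [o for t, o in sections if t == "forwarding"]
    zones = {o.get("name"): o for t, o in sections if t == "zone"}
    findings = []
    if not any(f.get("src") == lan_zone and f.get("dest") == vpn_zone for f in forwardings):
        findings.append(f"missing forwarding {lan_zone} -> {vpn_zone}")
    if any(f.get("src") == vpn_zone and f.get("dest") == wan_zone for f in forwardings):
        findings.append(f"remove forwarding {vpn_zone} -> {wan_zone}")
    if zones.get(vpn_zone, {}).get("input", "ACCEPT") != "REJECT":
        findings.append(f"zone {vpn_zone} input should be REJECT")
    return findings
```

Run it against the real file with `check_vpn_layout(open("/etc/config/firewall").read())`; it only reads the config and changes nothing.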


That worked.

Thank you very much.
