Using PBR for VPN to one VLAN

Hello, Long time reader first time caller.

I am on the last step (for now) of my openwrt configuration. Everything is working OK besides the VPN. When I connect to the vpn all traffic stops, including br-lan.1 (lan).

goal: route VLAN1 to WAN, route VLAN10 to VPN.

OpenWrt 23.05.2 r23630-842932a63d


The VPN is tun0, has a firewall zone

There is a PBR policy for to default to WAN
The default interface is check marked with WAN

The tunnel connects OK (shows (yes)). System logs:

Please connect to your OpenWRT device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:

Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall
ip route show
ip route show table all
ip rule show
logread | grep openvpn



Can you add: cat /etc/config/firewall

The VPN seems down, probably first see if you can get that working

The VPN is down, yes. When it is enabled and connected it shows connected (yes) and I presume the tunnel comes up without errors. When it's up all network connectivity stops, and I can't cause any disruptions at this time on the network to bring it up for debugging.

If vlan1 is PBR routing to WAN, I am expecting while on vlan1, enabling the VPN should have no effect.

I added /etc/config/firewall. Was cleaning up the editing.

edit: I have strict policy enforcement on the VLAN1 - WAN rule. Could this be cutting it off? the logs show the killswitch is turned off.


You need a forwarding rule from e.g. vlan_10 to VPN, remove the current forwarding rule from VPN to wan

config forwarding
        option src 'vlan_10'
        option dest 'VPN'

The VPN client is like a WAN so treat it as such and set option input 'REJECT'

I would first disable the the VPN and disable PBR, then restart the router and check if you have internet access from vlan_1 and vlan_10

To make sure the default route is via the WAN you can add to the OpenVPN config file:
pull-filter ignore "redirect-gateway"
redirect-private def1

This will route everything by default via the WAN unless you use PBR to route via the VPN

1 Like

That worked.

Thank you very much.

1 Like

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.