VPN access through one VLAN (and internet/WAN access through another VLAN)

I have a Pi 4.
I followed this thread to make the external network on the VPN server side, available on my LAN: [Solved] LAN clients to access remote VPN hosts - #2 by mikma

By all logic, this firewall zone rules should at least allow traffic from-to:

  • VLAN50 ( --> WAN

  • VLAN50 ( --> VPN-tunnel

  • VLAN20 ( --> WAN

(I've extended both networks to separate wifi SSIDs, in which you might see where this is going).

My challenge is:

  • When I'm on VLAN20 I have no internet connection. Or I cannot reach anything other than the gw/OpenWRT and other devices on the same VLAN. This goes nevertheless if my firewall is connected to the VPN-server or not. (Pasted snippet of my OpenVPN tab further down).

  • When connected to VLAN50, I reach both the LAN on the VPN server side as well as getting online through the external network. Which is fine/as it shall be. Not that it's relevant to me and how I want stuff to run, but for the sake of the trouble shooting: When I disconnect OpenWRT from the OpenVPN server, I also loose internet traffic through to wan.

OpenVPN client on OpenWRT GUI:
I wasn't allowed to put more media in this post....

My goal:

  • Wanting to reach the VPN network as of now, through VLAN50.
  • Wanting to have regular internet access through VLAN20, independent of which my OpenVPN connection is up/down.

What more do you guys need? Any configs I should share?

Thanks for any help here, hope that I made this easy enough to read etc.

You need to do Policy Based Routing and you have 3 options:

  1. mwan3 package
  2. pbr package
  3. a set of rules/routes for each internet connection.

Hi trendy, thanks for the fast reply.

What of those is the easiest option?
I am new to OpenWRT, have been using Netgate's PFSense a while on other devices/virtualizing.

Haven't been trying this setup before on any platform, for that reason.

1 Like

Actually I had a look at VPN and WAN Policy-Based Routing, and added this:

Haven't tried it out just yet - But is this to "ballpark" it ?
If I want the 20.x subnet to strictly be routed to wan when VPN gw is down?

There is the strict enforcement option for that.

1 Like

Hey, thanks trendy and vgaetera for helping out.
Got it working as I want to. :slight_smile:

One more thing I do not understand. I've tried to read about it, and it's the formatting I don't seem to understand... I want to change the name server addresses assigned by the DHCP server. For one network interface.

Understand I can do this either in terminal by editing the config file, or type something similar in one field under Advanced Settings in the DHCP Server tab on the interface. I tried the following without any changes on the clients side: 6,

What is the no. 6 mean? (The IP addr. is the DC and DNS server on one of the LANs.)

1 Like

It worked.

1 Like

DHCP options

1 Like

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.