VPN does not add network route


#1

Using OpenWrt 4.9.120

I have set up a PPTP VPN to connect to another site; the link comes up and I can ping Internet sites and the VPN remote gateway, but not any hosts on the remote LAN. Basically, I want to set up a LAN-to-LAN VPN for traffic between the LANs, with all other traffic going to the default local gateway to the Internet.

Local LAN: 192.168.11.0/24
Remote LAN: 192.168.1.0/24

`ip -o link show up` -->
...
11124: pptp-SCD_pptp01: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 3\    link/ppp

`route -n` gives:

root@OpenWrt:~# route -n 
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.42.129  0.0.0.0         UG    0      0        0 usb0
11.22.33.44     192.168.42.129  255.255.255.255 UGH   0      0        0 usb0
192.168.1.1     0.0.0.0         255.255.255.255 UH    0      0        0 pptp01
192.168.11.0    0.0.0.0         255.255.255.0   U     0      0        0 br-lan
192.168.42.0    0.0.0.0         255.255.255.0   U     0      0        0 usb0
root@OpenWrt:~#

I can ping 192.168.1.1, but not any host on the 192.168.1.x LAN.

If I add the route manually with
`/sbin/route add -net 192.168.1.0/24 gw 192.168.1.1`
everything works as desired and expected.

Now, back to the LuCI VPN setup. What do I need to do to have the route added and deleted on this VPN link, in LuCI?

Or, is this a bug or deficiency?


#2

It is expected behavior.
The static routes that are bound to an interface will be erased when the interface goes down. You need to add this route with an if-up script, if there is no option in LuCI.
It would be a better idea to leave PPTP and go to WireGuard or OpenVPN for site-to-site tunnels. Better security, and you can automatically install routes.
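An if-up script of the kind the answer above suggests, as an added example that is not code from the thread or from OpenWrt itself. On OpenWrt, netifd sources every script in /etc/hotplug.d/iface/ on interface events, passing ACTION (ifup/ifdown), INTERFACE (the logical name from /etc/config/network) and DEVICE (the kernel device, here pptp-SCD_pptp01) in the environment. The logical interface name "SCD_pptp01" is an assumption taken from the device name in the post; check it with `ubus call network.interface dump`. The remote LAN and peer address are the ones from the question. The route-building logic is kept in a side-effect-free function so it can be checked without root or a live tunnel.

```shell
#!/bin/sh
# /etc/hotplug.d/iface/40-pptp-remote-route  (added example; not OpenWrt's own code)
#
# netifd sources this file on every interface event with these variables set:
#   ACTION    ifup | ifdown | ifupdate ...
#   INTERFACE logical interface name, e.g. SCD_pptp01   (assumed; verify with
#             `ubus call network.interface dump`)
#   DEVICE    kernel device, e.g. pptp-SCD_pptp01
#
# Remote LAN and PPP peer address are taken from the question.
VPN_IFACE="${VPN_IFACE:-SCD_pptp01}"
REMOTE_NET="192.168.1.0/24"
REMOTE_GW="192.168.1.1"

# Print the ip(8) command for an event, or nothing when the event is not an
# up/down of our tunnel. No side effects, so it can be tested in isolation.
route_cmd() {
    action="$1" iface="$2" dev="$3"
    [ "$iface" = "$VPN_IFACE" ] || return 0
    case "$action" in
        # 'replace' instead of 'add': a flapping link must not fail on EEXIST.
        ifup)   printf 'ip route replace %s via %s dev %s' "$REMOTE_NET" "$REMOTE_GW" "$dev" ;;
        # The kernel already drops the route when the ppp device disappears;
        # deleting explicitly is belt-and-braces and may legitimately fail.
        ifdown) printf 'ip route del %s via %s dev %s' "$REMOTE_NET" "$REMOTE_GW" "$dev" ;;
    esac
}

# Only act when invoked by hotplug (ACTION set). Sourcing the file by hand or
# running it from a shell without those variables does nothing.
if [ -n "$ACTION" ] && [ -n "$INTERFACE" ]; then
    cmd=$(route_cmd "$ACTION" "$INTERFACE" "$DEVICE")
    if [ -n "$cmd" ]; then
        logger -t pptp-route "$INTERFACE $ACTION: $cmd"
        $cmd || logger -t pptp-route "failed: $cmd"
    fi
fi
```

After saving the file, bring the tunnel down and up again (`ifdown SCD_pptp01; ifup SCD_pptp01`) and confirm with `ip route show 192.168.1.0/24` and `logread -e pptp-route`. Two caveats a practitioner would want: the route only decides where packets go, while what the remote LAN may reach on this side is governed by the firewall zone the PPTP interface is assigned to, which this script does not touch; and, as the answer says, PPTP's MS-CHAPv2/MPPE is cryptographically broken, so the script fixes the routing problem but not the choice of tunnel.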


#3

"Expected behavior"? No, it is a deficiency: a design deficiency, a not-yet-implemented issue, or a bug. Beta behavior at best.

So, let's move this to a design recommendation list.

PPTP is another issue, which will be remedied later; however, this is probably a common-denominator issue for any VPN that is used. An option that needs to be implemented.

So, it looks like an if-up script is the only answer to my question at this stage. Hopefully, that will be implemented in mainline in the future, as a basic route or based on policy-based routing.