VPN: OpenWrt -> Fritzbox - but not all (internet) traffic

I would like to open a VPN connection from OpenWrt to a remote Fritzbox.
The VPN connection should only be used for the traffic to the remote devices and NOT for all the traffic. And that's my problem: my VPN forwards all the traffic to the remote Fritzbox... so my IP changes as well.

A rough overview of what I did:

In the end it looks like this:

cat /etc/config/network
config interface 'bvpn'
	option proto 'vpnc'
	option server '...'
	option interface 'wan'
	option username '...'
	option password '...'
	option authgroup '...'
	option passgroup '...'
	option dh_group 'dh2'
	option pfs 'nopfs'
	option natt_mode 'natt'
	option target_network '0'
	#option target_network '192.168.179.0/255.255.255.0'

I added the #comment in the last line because this was the most promising config I could find in the doc. Btw: for some reason LuCI wasn't able to allow "/" syntax. I also tried with normal CIDR.
Doc: https://github.com/openwrt/packages/blob/master/net/vpnc/README

I also played around with some other settings but no success, especially in the firewall setting with "Covered subnets".

How can I limit the traffic of the vpn to the remote fritzbox (similar to "AllowedIPs" in Wireguard)?

This would be a split horizon setup, basically you only route the specific remote subnet over the IPsec/ IKEv1 tunnel.

Any tutorial, guide or something like that? I couldn't find anything about "split horizon setup".

I have two zone forwardings defined:

cat /etc/config/firewall

config forwarding
	option src 'lan'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'bvpn'

According to the doc I cannot add more useful options to the forwarding: https://openwrt.org/docs/guide-user/firewall/firewall_configuration#forwardings

How is the traffic handled? First match? Based on alphabetic sequence? Is all the traffic forwarded to both bvpn and lan?

I tried a lot of different things.

After adding vpnc interface mentioned above, there is a new route under: Status → Router
network: bvpn
target: 0.0.0.0/0
So it seems it listens on everything. That's why everything goes over the tunnel.

I tried to change it

config interface 'bvpn'
	option proto 'vpnc'
	option local_addr '192.168.178.0/24'

now under Status → Router
there is no network bvpn anymore
and wan has target on 0.0.0.0/0

Could it be that the vpnc plugin has a bug?
Any help?

Another option is strongSwan, perhaps with a site-to-site configuration.

Thank you for your suggestion. Seems to be a solution for my needs.

I followed exactly the config you posted. Apart from spaces, passwords and the DNS names, all is exactly the same (even the IP ranges) in:

/etc/ipsec.conf
/etc/ipsec.secrets
/etc/strongswan.d/local.conf
/etc/config/firewall

But for some reason I got

Connections:
       fritz:  openwrt.dns.de...fritzbox.dns.de  IKEv1 Aggressive, dpddelay=30s
       fritz:   local:  [openwrt.dns.de] uses pre-shared key authentication
       fritz:   remote: [fritzbox.dns.de] uses pre-shared key authentication
       fritz:   child:  192.168.1.0/24 === 192.168.178.0/24 TUNNEL, dpdaction=hold
Routed Connections:
       fritz{1}:  ROUTED, TUNNEL, reqid 1
       fritz{1}:   192.168.1.0/24 === 192.168.178.0/24
Security Associations (0 up, 1 connecting):
       fritz[1]: CONNECTING, 78.xx.xx.xxx[openwrt.dns.de]...84.xxx.xx.xxx[%any]
       fritz[1]: IKEv1 SPIs: 7056196f708e481a_i* 0000000000000000_r
       fritz[1]: Tasks queued: QUICK_MODE 
       fritz[1]: Tasks active: ISAKMP_VENDOR ISAKMP_CERT_PRE AGGRESSIVE_MODE ISAKMP_CERT_POST ISAKMP_NATD

No event logs on fritzbox regarding vpn.

Are there other steps to do?

On the Fritzbox, you could run a packet capture to look for IKE connection attempts.

Or try to establish the connection from the Fritzbox side.
Strongswan offers more verbose logging, and it is configurable.

Also check whether both DNS entries match the current WAN IP addresses.

The WAN IP address of my OpenWrt is different because it's behind another Fritzbox. So it's just a local IP. (E.g. for DynDNS I had to configure an external URL that can check the real IP instead of using the WAN IP.)

How can I deal with it?

Set up redirections for udp ports 500 and 4500 in the Fritzbox which is located in front of OpenWrt.

Okay, I see. OpenWrt is an exposed host. So all ports are automatically forwarded...

I set strongswan logging to debug level 2:

May 29 19:44:06 10[KNL] using 192.168.12.1 as nexthop and eth1 as dev to reach 84.xx.xx.xxx/32
May 29 19:44:06 10[KNL] installing route: 192.168.178.0/24 via 192.168.12.1 src 192.168.1.1 dev eth1

...

May 29 19:33:38 16[NET] <fritz|2> sending packet: from 78.xx.xx.xxx[500] to 84.xx.xx.xxx[500] (513 bytes)
May 29 19:33:38 03[NET] sending packet: from 78.xx.xx.xxx[500] to 84.xx.xx.xxx[500]
May 29 19:33:38 01[JOB] next event in 3s 999ms, waiting
May 29 19:33:38 03[NET] error writing to socket: Network unreachable

Could it be the problem that my openwrt needs to hop over my local fritzbox?

Which setup do you have? Do you use PPPoE or something similar?

My OpenWrt router is connected to the ISP via its built-in xDSL modem. It terminates PPPoE and is assigned a public IPv4 address. It also serves as the IPsec gateway, which means Strongswan can use the public IP address directly.

The remote Fritzbox serving as the IPsec peer gateway is used in a similar configuration.

In my LAN, there is another Fritzbox which handles telephone service (SIP, DECT), but nothing else.

Yes, could be, but I do not use an IPsec gateway behind NAT.

This looks strange. It would be worth finding out whether 78.xx.xx.xxx is just an IKE identity, or whether strongSwan is really trying to send with this IP address as the source.

Perhaps turn up the debug level for net a bit further?

I increased the log level of net to 4. But no additional info unfortunately.
I also tried the log level of everything (default) to 4 but this is not useful.
Just to be sure that the loglevel has an effect I tried with -1 and then there was no logging at all.

May 30 06:49:10 06[KNL] creating acquire job for policy 192.168.1.144/32[tcp/40090] === 192.168.178.1/32[tcp/www] with reqid {1}
May 30 06:49:10 06[IKE] <fritz|1> initiating Aggressive Mode IKE_SA fritz[1] to 84.xx.xx.xxx
May 30 06:49:10 06[ENC] <fritz|1> generating AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
May 30 06:49:10 06[NET] <fritz|1> sending packet: from 78.xx.xx.xxx[500] to 84.xx.xx.xxx[500] (513 bytes)
May 30 06:49:10 04[NET] sending packet: from 78.xx.xx.xxx[500] to 84.xx.xx.xxx[500]
May 30 06:49:10 04[NET] error writing to socket: Network unreachable
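An added example, not from this thread and not the config mpa posted: in the log above charon sends from 78.xx.xx.xxx, the public address behind which the OpenWrt box sits, while the OpenWrt WAN itself only carries a private address. A Linux kernel refuses to route a packet whose source address is not configured on any local interface, and the error it hands back is exactly "Network unreachable", so my reading is that `left=` in ipsec.conf was set to the public IP or to openwrt.dns.de, which resolves to it. The conn below matches the parameters visible in the status output (IKEv1 aggressive mode, PSK, 192.168.1.0/24 to 192.168.178.0/24, dpddelay 30s, dpdaction hold, auto=route) but uses left=%any and sends the hostname only as the IKE identity; the cipher proposal (AES-256/SHA-1 with DH group 2 and no PFS, mirroring the DH2/nopfs vpnc settings), the charondebug levels and the placeholder IP 78.10.20.30 in the check are assumptions. The script also carries a small check for that mistake that can be fed the router's own addresses. One caveat that is not specific to this thread: IKEv1 aggressive mode exposes a hash of the PSK to anyone on the path, so the tunnel is only as strong as the PSK; use a long random one.

```shell
#!/bin/sh
# Added example (not from the thread): a strongSwan IKEv1/PSK site-to-site
# conn for the Fritzbox peer, with the source address left to the routing
# table instead of being pinned to a public IP that is not on this host.
# Hostnames and subnets are the ones shown in the status output above; the
# proposals, debug levels and the PSK placeholder are assumptions.

# True (exit 0) if LEFT is something charon can really send from: %any,
# %defaultroute, or an address configured on this host. LOCAL_ADDRS is a
# space-separated list; on the router it would come from
#   ip -4 -o addr | awk '{print $4}' | cut -d/ -f1
left_addr_ok() {
    left=$1; local_addrs=$2
    case "$left" in
        %any|%defaultroute) return 0 ;;
    esac
    for a in $local_addrs; do
        [ "$a" = "$left" ] && return 0
    done
    return 1
}

# Emit /etc/ipsec.conf. LEFT_ID goes out as the IKE identity ("@" stops
# charon from resolving it), independent of which address packets leave from.
ipsec_conf() {
    left=$1; left_id=$2; right=$3
    cat <<EOF
config setup
    charondebug="ike 2, net 4"

conn fritz
    keyexchange=ikev1
    aggressive=yes
    authby=psk
    left=$left
    leftid=@$left_id
    leftsubnet=192.168.1.0/24
    right=$right
    rightid=@$right
    rightsubnet=192.168.178.0/24
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1!
    dpddelay=30s
    dpdaction=hold
    auto=route
EOF
}

# Emit /etc/ipsec.secrets; the selectors must match the @-style IDs above.
ipsec_secrets() {
    left_id=$1; right=$2; psk=$3
    printf '@%s @%s : PSK "%s"\n' "$left_id" "$right" "$psk"
}

# Usage on the router (assumed host list, constructed for illustration):
#   left_addr_ok 78.10.20.30 "192.168.12.2 127.0.0.1" || echo "left= is not a local address"
#   ipsec_conf %any openwrt.dns.de fritzbox.dns.de > /etc/ipsec.conf
#   ipsec_secrets openwrt.dns.de fritzbox.dns.de '<TODO>' > /etc/ipsec.secrets
#   ipsec restart && ipsec up fritz
```

Pinning `left=` to the public address is correct only on a router that terminates PPPoE itself, which is mpa's setup; behind a NAT router, %any (or %defaultroute) plus leftid is the form that works with UDP 500/4500 forwarded to the OpenWrt box.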

@mpa thank you very much for your help.
@slh it is actually just a static route in the end.

I solved my initial problem with vpnc.

Actually I used a snapshot version of OpenWrt for Raspberry Pi 4B. There are definitely some bugs. I opened 2 issues on GitHub:

Manual

Today I used my Fritzbox 4040 running OpenWrt 19.07.7. Since I spent so much time on the topic and collected some configs here and there... I would like to share it.

Again, the goal was to create a VPN tunnel to a remote Fritzbox, but it should only be used for traffic to the remote devices (so that it does not change my IP).

Install plugins

→ System → Software → update lists → filter:
vpnc
vpnc-scripts
luci-proto-vpnc
→ install → install → dismiss

→ system → reboot → perform reboot

Set up tunnel in general

based on: https://www.sebastianklein.de/blog/vpn-zwischen-lede-openwrt-und-fritzbox-via-luci/

→ network → interfaces → add new interface... →
name: xyz
protocol: VPNC
→ create interface
VPN Server: <TODO>
Output Interface: wan

username: <TODO>
password: <TODO>
auth group: <TODO>
group password: <TODO>

IKE DH Group: DH2
Perfect Forward Secrecy: nopfs
DPD Idle Timeout: 0

target network: 192.168.178.0/24
Default Route: no

→ Firewall Settings → choose "lan"
→ save
→ save & apply

Firewall stuff

based on: https://forum.gl-inet.com/t/vpn-tunnel-to-fritzbox-via-ipsec-ikev1-with-mutual-psk-and-xauth/6337/3

→ Network → Firewall → Add
Name ‘xyz’
Input: reject
check Masquerading
check MSS clamping
Covered networks: check ‘xyz’
→ Click ‘Save and Apply’

→ click edit ‘lan => wan’ (under zones)
Allow forward to destination zones: leave ‘wan’ checked, and also check ‘xyz’
→ Save and Apply

goal:
(under → network → interfaces)
you should see an ip for the interface "xyz" (means it is up and running)

Static route - for routing only the traffic through the tunnel that needs to reach the remote devices

vi /etc/config/network
config route 'route_xyz'
        option interface 'xyz'
        option target '192.168.178.0'
        option table 'main'
        option netmask '255.255.255.0'

/etc/init.d/network restart

Hopefully it helps someone.
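As an added example (not part of the original post, and not OpenWrt project code), the same split-tunnel setup expressed as a uci batch generated by a POSIX sh script, so it can be reproduced from the CLI instead of clicking through LuCI. It assumes the interface name "xyz", a remote LAN of 192.168.178.0/24, a local LAN of 192.168.1.0/24 and a placeholder server name; the option names dpd_idle and defaultroute are assumed from the LuCI labels "DPD Idle Timeout" and "Default Route" and should be checked against the installed vpnc proto handler. Two things the script makes explicit: the lan -> xyz forwarding only permits traffic between the two zones, it is the static route that decides 192.168.178.0/24 leaves through the tunnel; and because a Fritzbox LAN is 192.168.178.0/24 by default on both ends, the script refuses to emit a route for a remote subnet that overlaps the local one, since a route can never win against a directly connected LAN of the same range.

```shell
#!/bin/sh
# Added example (not from the original post): print the uci batch for a
# split-tunnel vpnc interface, its firewall zone, the lan -> tunnel
# forwarding and a static route for the remote subnet only.
# Assumptions: names and subnets below are placeholders; dpd_idle and
# defaultroute are taken from the LuCI labels, verify them on your build.
# Only prints; nothing here needs uci, so it runs on any POSIX sh.

# Dotted-quad -> 32-bit integer.
ip_to_int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Prefix length -> 32-bit mask (p=0 handled separately to avoid a 32-bit shift).
prefix_mask() {
    if [ "$1" -eq 0 ]; then echo 0
    else echo $(( (4294967295 << (32 - $1)) & 4294967295 )); fi
}

# Prefix length -> dotted netmask; 'config route' wants target + netmask.
prefix_to_netmask() {
    p=$1
    [ "$p" -ge 0 ] 2>/dev/null && [ "$p" -le 32 ] || return 1
    m=$(prefix_mask "$p")
    printf '%d.%d.%d.%d\n' $(( (m >> 24) & 255 )) $(( (m >> 16) & 255 )) \
                           $(( (m >> 8) & 255 ))  $(( m & 255 ))
}

# True (exit 0) if two CIDR blocks overlap: they do iff both network
# addresses agree under the shorter of the two prefixes.
cidr_overlaps() {
    n1=$(ip_to_int "${1%/*}"); p1=${1#*/}
    n2=$(ip_to_int "${2%/*}"); p2=${2#*/}
    if [ "$p1" -lt "$p2" ]; then p=$p1; else p=$p2; fi
    m=$(prefix_mask "$p")
    [ $(( n1 & m )) -eq $(( n2 & m )) ]
}

# gen_uci NAME SERVER REMOTE_CIDR LOCAL_CIDR -> uci batch on stdout.
gen_uci() {
    name=$1; server=$2; remote=$3; local_lan=$4
    if cidr_overlaps "$remote" "$local_lan"; then
        echo "error: remote subnet $remote overlaps local LAN $local_lan; renumber one side" >&2
        return 1
    fi
    netmask=$(prefix_to_netmask "${remote#*/}") || return 1
    cat <<EOF
set network.$name=interface
set network.$name.proto='vpnc'
set network.$name.server='$server'
set network.$name.interface='wan'
set network.$name.username='<TODO>'
set network.$name.password='<TODO>'
set network.$name.authgroup='<TODO>'
set network.$name.passgroup='<TODO>'
set network.$name.dh_group='dh2'
set network.$name.pfs='nopfs'
set network.$name.natt_mode='natt'
set network.$name.dpd_idle='0'
set network.$name.target_network='$remote'
set network.$name.defaultroute='0'
set network.route_$name=route
set network.route_$name.interface='$name'
set network.route_$name.target='${remote%/*}'
set network.route_$name.netmask='$netmask'
set network.route_$name.table='main'
add firewall zone
set firewall.@zone[-1].name='$name'
set firewall.@zone[-1].input='REJECT'
set firewall.@zone[-1].output='ACCEPT'
set firewall.@zone[-1].forward='REJECT'
set firewall.@zone[-1].masq='1'
set firewall.@zone[-1].mtu_fix='1'
add_list firewall.@zone[-1].network='$name'
add firewall forwarding
set firewall.@forwarding[-1].src='lan'
set firewall.@forwarding[-1].dest='$name'
commit network
commit firewall
EOF
}

# Usage on the router, after installing vpnc, vpnc-scripts, luci-proto-vpnc:
#   gen_uci xyz vpn.example.invalid 192.168.178.0/24 192.168.1.0/24 | uci batch
#   /etc/init.d/network restart && /etc/init.d/firewall restart
#   ip route show 192.168.178.0/24   # must point at the tunnel device only
```

After applying it, `ip route show` should list 192.168.178.0/24 via the tunnel device and the default route still on wan; if a 0.0.0.0/0 entry appears for the tunnel, the defaultroute/target_network options did not take and the interface is pulling everything again, which is the symptom from the start of the thread.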

Btw: I will also try the strongSwan way on OpenWrt 19.07.7 (Fritzbox 4040) later again and will post the results.

Today I tried the strongSwan way on OpenWrt 19.07.7 (Fritzbox 4040).
Same issue, same error message.

So I guess the reason is that my OpenWrt is behind another router.

However, in my opinion the vpnc solution is better/easier.
