VPN Policy based routing

Hi
I am trying to use VPN policy based routing in the following scenario:

Wireless Clients --> Access Point (OpenVPN Client) --> OpenVPN server --> Internet

In the above scenario wireless clients are getting attached to the AP with different VLAN IDs, and tunnel(s) are being formed between the AP (OpenVPN client) and the OpenVPN server. We intend to steer the traffic from clients to different tunnels at the AP (running OpenWrt) based on VLAN. I understand that we have a mechanism of VPN routing based on fwmark (traffic control filter), iptables and setting up custom routing tables to support both the WAN and VPN routes.
But this requires touching each packet at the data plane level; we wish to see if we can steer the traffic to different tunnels using the VLAN ID itself, without touching the packets. Thanks for the support.

Thanks
Guna

With a set of rules/routes for each internet connection you can do pbr based on the source interface.


Thanks for the swift response. We are able to get it done through a combination of ebtables (to mark the packets) and then handling via a separate routing table for each marking. With this we are able to do steering based on the VLAN; not sure if this is the same as what you meant. If any alternatives are available, please share. Thanks

You are overkilling it.
Assign one interface on each vlan and make a rule based on the input interface.


Yeah, agreed, but in our case we have wireless interfaces (ath0, ath1 etc.) attached to br-lan, and here a VLAN is attached to each interface. Making a rule to route the packets coming in on a specific VLAN to the tunnel, IMO, won't be possible, as ath0 etc. won't be visible once attached to br-lan.

Wireless UEs ----- AP ----- OpenVPN server
SSID1 (VLAN100) --- ath0 --- br-lan --- tun0 --- OpenVPN server
SSID2 (VLAN200) --- ath1 --- br-lan --- tun1 --- OpenVPN server

This is our topo

Would like to hear about the possibility of steering without marking; sorry for bothering.

Thanks
Guna

SSID1 assigned to interface test1, then you make a rule to direct input of test1 to the routing table with default gateway the tun0.

Thanks for the swift response, really grateful for your input!
"SSID1 assigned to interface test1, then you make a rule to direct input of test1 to the routing table with default gateway the tun0."
We have done a similar/same approach:

SSID1 assigned to interface test1 - Yes
direct input of test1 to the routing table with default gateway the tun0. - Yes
Here the problem we face is that test1 is attached to br-lan as a bridge member, so at the L3 level 'test1' won't be visible. Hence we adopted a method of using fwmark, marking packets arriving on SSID1 with specific metadata, and using 'ip rule add fwmark lookup'.
The table will have the same as what you mentioned, the default route. Thanks

What is the logic behind that?
If you are bridging all the SSIDs to the same br-lan there is no point for separating the vlans.

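The input-interface approach suggested above ("direct input of test1 to the routing table with default gateway the tun0"), as an added example that is not code from this thread. It assumes each SSID is its own L3 interface (here per-SSID bridges br-vlan100 and br-vlan200, not members of br-lan), tunnels tun0/tun1 and documentation subnets; all of these names are assumptions. It also adds the fail-closed fallback route a defender would want so that a dropped tunnel does not leak client traffic via the WAN default route.

```shell
#!/bin/sh
# Added example (not from the thread): source-interface policy routing on
# OpenWrt, one unbridged L3 interface per SSID/VLAN steered to its own tunnel.
# Interface, table and subnet names below are assumptions for illustration.
set -eu

# Per-SSID mapping: "<ingress iface> <table id> <tunnel iface> <local subnet>"
# Ingress must be the L3 device itself (e.g. a per-SSID bridge br-vlan100),
# not a member of br-lan: once bridged, the router only sees br-lan as iif.
MAPPINGS='
br-vlan100 100 tun0 192.0.2.0/24
br-vlan200 200 tun1 198.51.100.0/24
'

# Print the command instead of running it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi
}

# Build the routing table and the ingress-interface rule for one SSID.
add_pbr() {
    iface=$1; table=$2; tun=$3; subnet=$4
    # Keep the SSID's own subnet reachable without crossing the tunnel.
    run ip route replace "$subnet" dev "$iface" table "$table"
    run ip route replace default dev "$tun" table "$table"
    # Fail closed: if the tunnel route vanishes, traffic is dropped rather
    # than falling through to the main table's WAN default route.
    run ip route replace unreachable default metric 9999 table "$table"
    # Select the table by ingress device; priority below 32766 (main) so
    # this rule is consulted before the main table.
    run ip rule add iif "$iface" lookup "$table" priority "$table"
}

# Apply the mapping for every SSID listed in MAPPINGS.
setup_pbr() {
    echo "$MAPPINGS" | while read -r iface table tun subnet; do
        [ -n "$iface" ] || continue
        add_pbr "$iface" "$table" "$tun" "$subnet"
    done
}

# Only touch the kernel when explicitly asked: `sh pbr.sh apply`.
# DRY_RUN=1 sh pbr.sh apply prints the ip commands instead.
case "${1:-}" in apply) setup_pbr ;; esac
```

Running `ip rule add` twice duplicates the rule, so re-runs on a live router should delete the old rules first or be wrapped in an OpenWrt `config rule` / `config route` section in /etc/config/network instead.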
