VPN routing to another subnet

I finally successfully set up OpenWrt on an old router, and then set up a VPN on it, via: https://openwrt.org/docs/guide-user/services/vpn/openvpn/server . Now I need to set up routing from the new tunnel to another subnet on my LAN. Basically, I have a firewall with two routers connected: lan1 is my main secure LAN; lan4 is the VPN. I can set up the firewall to route traffic from/to lan1 to/from lan4 if needed. So how do I route clients on the VPN (lan8) so that they can access servers on lan1?

My client config:

dev tun
nobind
client
remote mynoipdomain.myddns.me 10194 udp
#auth-nocache
remote-cert-tls server
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-crypt>
<key>
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
</key>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>

The only change made was the port, to 10194, which is forwarded by the firewall to 1194 on lan4.

My server config:

user nobody
group nogroup
dev tun
port 1194
proto udp
server 192.168.8.0 255.255.255.0
topology subnet
client-to-client
keepalive 10 60
persist-tun
persist-key
push "route 192.168.8.1 255.255.255.255"
push "route 192.168.4.0 255.255.255.0"
push "dhcp-option DNS 192.168.8.1"
push "dhcp-option DOMAIN lan"
push "redirect-gateway def1"
push "persist-tun"
push "persist-key"
<dh>
-----BEGIN DH PARAMETERS-----
-----END DH PARAMETERS-----
</dh>
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-crypt>
<key>
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
</key>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>

Also, will machines on the server-side VPN have access to VPN clients?

FWIW: the client is an Android phone on a broadband WAN.

I appreciate any help/pointers to this.

TIA

ken

Sounds similar to this:
https://openwrt.org/docs/guide-user/services/vpn/openvpn/extras#split_gateway

But you'd better show the proper diagram of your network topology.


Current (proper?) setup:

 client
     ||
     == (WAN/internet)
     ||
  firewall (lan0)---->|
                      |
                      | <---> dmz (lan2)
                      |               ||
                      | <---> router for secure (lan1)
                      |                      |
                      |                      --> internal dns server
                      |
                      | <---> router for (lan4)
                                 |
                                 | --> vpn (lan8)

(simple :grinning:)

  • LAN numbers (N) are just the subnet numbers (x.x.N.0/24)
  • Traffic to/from the DMZ is controlled by lan1
  • Limited (by port number) traffic between lan1 and lan4 is controlled by the firewall
  • I need traffic between lan8 and lan1 (also lan4)
  • I also need the VPN (lan8) to access the internal DNS server on lan1 (names/IPs for lan1/lan4)

The link you gave seems to have some useful info. Just need some time to digest it.

Thanks, I appreciate the help.

ken


You need to clarify on the diagram:

  • IPs/netmasks/gateways/subnets for each router.
  • Custom static routes if any.
  • Local IP of the VPN server.

Is this better:

client 
     ||
     == (WAN/internet) 
     ||
     myddns <-> firewall=x.x.0.1  <->  x.x.0.0/24 (firewall)
                    |
                    --> x.x.0.102 = dmz = x.x.2.1 <-> x.x.2.0/24 
                    |
                    --> x.x.0.101 = (router1) = x.x.1.1 <-> x.x.1.0/24 (secure lan1)
                    |                                   |
                    |                                   --> x.x.1.100/32 (dns server)
                    |
                    --> x.x.0.104 = (router 4) = x.x.4.1 <-> x.x.4.0/24 (lan4)
                                                   |
                                                    --> x.x.4.1 = vpn = x.x.8.1 <-> x.x.8.0/24

static routes (by firewall): 
                  x.x.4.0/24 via x.x.0.104
                  x.x.1.0/24 via x.x.0.101

myddns is my DDNS-assigned IP.
The lan4 router has OpenWrt/VPN installed on it.

x.x.1.100 is also DHCP, for lan1 only.

Mainly I need to know how to route from x.x.8.0/24 to x.x.1.0/24, and how to use x.x.1.100 as DNS for both subnets 8 and 1.

Hope this helps.

ken


Make sure to add a static route to X.X.8.0/24 via X.X.0.104.

Don't push the .8.1 route, since the VPN tunnel network (.8.0/24) is automatically installed on the client in any case.

The various routers in the home network need static routes to each other. That is outside the scope of OpenVPN. Everything the client does comes into router 4 so that router needs to reach the others.

Then it is just a matter of pushing the additional networks beyond .4.0 (.1.0, etc.) to the client, and properly firewalling all the traffic.

Get the .4.0 network working first and don't worry about DNS yet. (If you have the client using .8.1 for DNS, router 4's internal DNS needs to recurse to router 1, which actually holds the LAN network names.)

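The advice above (drop the redundant .8.1 push, push the real LAN subnets, and give the firewall a return route for the tunnel network via router 4) can be checked mechanically. The following is an added example, not code from the thread or from OpenWrt: it parses a `server` line and the `push "route ..."` lines of an OpenVPN server config and flags routes that are redundant (inside the tunnel network), that fall outside RFC 1918 space (almost always a mistyped octet), or that are missing for a known LAN subnet when `redirect-gateway` is not pushed, and it prints the static route the firewall needs. Assumptions: the poster's `x.x.` is taken as `192.168.`, the router addresses come from the diagram in the thread, and the config text is a constructed sample based on the posted server config with one octet deliberately mistyped to show what the check catches.

```python
# Added example (not from the original thread or from OpenWrt): a small
# checker for the routes an OpenVPN server pushes, using the topology from
# the poster's diagram.  "x.x." is assumed to be "192.168." and the config
# below is a constructed sample with one octet deliberately mistyped.
import ipaddress
import re

SAMPLE_SERVER_CONFIG = """
server 192.168.8.0 255.255.255.0
topology subnet
client-to-client
push "route 192.168.8.1 255.255.255.255"
push "route 19.168.4.0 255.255.255.0"
push "redirect-gateway def1"
"""

# LAN subnets behind the firewall and the firewall-side address of the
# router fronting each one (from the static-routes list in the thread).
LAN_ROUTERS = {
    "192.168.1.0/24": "192.168.0.101",
    "192.168.4.0/24": "192.168.0.104",
}
# Router 4 hosts the VPN server; this is its address on the firewall LAN.
VPN_ROUTER_FIREWALL_ADDR = "192.168.0.104"

PUSH_ROUTE = re.compile(r'^push\s+"route\s+(\S+)\s+(\S+)"')
SERVER_LINE = re.compile(r'^server\s+(\S+)\s+(\S+)$')


def parse_server_config(text):
    """Return (tunnel network, pushed routes, redirect_gateway, client_to_client)."""
    tunnel, routes, redirect, c2c = None, [], False, False
    for raw in text.splitlines():
        line = raw.strip()
        m = SERVER_LINE.match(line)
        if m:
            tunnel = ipaddress.ip_network(f"{m[1]}/{m[2]}")
            continue
        m = PUSH_ROUTE.match(line)
        if m:
            # strict=False tolerates host bits in an "address netmask" pair
            routes.append(ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False))
        elif line.startswith('push "redirect-gateway'):
            redirect = True
        elif line == "client-to-client":
            c2c = True
    return tunnel, routes, redirect, c2c


def check_pushed_routes(text, lan_subnets=LAN_ROUTERS):
    """Flag pushed routes that are redundant, look mistyped, or are missing."""
    tunnel, routes, redirect, _ = parse_server_config(text)
    findings = []
    for net in routes:
        if tunnel is not None and net.subnet_of(tunnel):
            # OpenVPN installs the tunnel network on the client by itself.
            findings.append(("redundant", str(net)))
        elif not net.is_private:
            # A pushed route outside RFC 1918 space is almost always a typo.
            findings.append(("not-rfc1918", str(net)))
    if not redirect:
        # Without redirect-gateway, only pushed networks go through the tunnel.
        pushed = set(routes)
        for lan in lan_subnets:
            if ipaddress.ip_network(lan) not in pushed:
                findings.append(("unpushed", lan))
    return findings


def upstream_return_routes(text, vpn_router_addr=VPN_ROUTER_FIREWALL_ADDR):
    """Static route the firewall (and any router that does not default to it)
    needs so that replies to VPN clients reach the router running OpenVPN."""
    tunnel, _, _, _ = parse_server_config(text)
    return {str(tunnel): vpn_router_addr} if tunnel else {}


if __name__ == "__main__":
    for kind, net in check_pushed_routes(SAMPLE_SERVER_CONFIG):
        print(f"{kind:12} {net}")
    for net, via in upstream_return_routes(SAMPLE_SERVER_CONFIG).items():
        print(f"firewall needs: {net} via {via}")
```

Run against the sample it reports the .8.1/32 push as redundant and the mistyped 19.168.4.0/24 as non-private, and tells you the firewall needs 192.168.8.0/24 via 192.168.0.104. The `unpushed` check only fires when `redirect-gateway` is absent, since with `redirect-gateway def1` the client already sends all traffic into the tunnel and per-subnet pushes are not needed for reachability.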