I have a vpn server and a vpn client running on the same router.
As I don't want all devices to go through the vpn tunnel to the vpn provider, I use @stangri's vpn-policy-routing
app and use route-nopull in the vpn client config. One device is routed to the vpn provider.
When connected to the vpn server I can reach all devices except the one that is routed to the vpn provider.
All other devices can be accessed just fine.
How can I reach that one device?
Following are my configs:
root@LEDE:~# cat /etc/config/openvpn
# OpenVPN client instance toward the commercial provider (tun0).
# With route_nopull (below) the provider's pushed routes are ignored, so this
# tunnel presumably only carries the hosts that vpn-policy-routing steers into
# it and the router's own default route is left alone.
config openvpn 'torguard'
option client '1'
option dev_type 'tun'
option dev 'tun0'
option proto 'udp'
option resolv_retry 'infinite'
option nobind '1'
option persist_key '1'
option persist_tun '1'
# Provider CA; together with remote_cert_tls 'server' below this restricts the
# peer to a server certificate issued by that CA.
option ca '/etc/luci-uploads/cbid.openvpn.torguard.ca'
# Ignore routes pushed by the provider; policy routing decides who uses tun0.
option route_nopull '1'
option remote_cert_tls 'server'
# AES-128-CBC with SHA1 HMAC and no tls_auth: presumably what the provider
# profile prescribes. The VPNserver section below uses stronger settings.
option cipher 'AES-128-CBC'
# Tunnel compression is on; compression of encrypted traffic is generally
# discouraged, so keep it only if the provider requires it.
option comp_lzo 'yes'
option verb '3'
option fast_io '1'
# Plain-text credentials; this file should be readable by root only.
option auth_user_pass '/etc/openvpn/userpass.txt'
option remote_random '0'
option auth 'SHA1'
# reneg_sec 0 disables periodic key renegotiation.
option reneg_sec '0'
# Provider endpoint, UDP port 80.
list remote 'nl.torguardvpnaccess.com 80'
option sndbuf '524288'
option rcvbuf '524288'
# NOTE(review): spelled with a hyphen here but as tun_mtu in the VPNserver
# section. UCI option names normally allow only letters, digits and '_', so
# check with `uci show openvpn` that this option is actually applied.
option tun-mtu '48000'
# fragment 0 / mssfix 0 turn off OpenVPN's own fragmentation and MSS clamping.
option fragment '0'
option mssfix '0'
option mute_replay_warnings '1'
# Do not keep the username/password in memory after authentication.
option auth_nocache '1'
option enabled '1'
option log '/tmp/openvpnclient.log'
# OpenVPN server instance (tun1): listens on UDP 5000, hands clients addresses
# from 10.1.0.0/28 and pushes them the LAN route plus router DNS/WINS.
config openvpn 'VPNserver'
option enabled 1
# Protocol #
#------------------------------------------------
option dev_type 'tun'
option dev 'tun1'
option topology 'subnet'
option proto 'udp'
# Must match the firewall's 'Allow Forwarded VPN Request' input rule.
option port 5000
# Routes #
#------------------------------------------------
option server '10.1.0.0 255.255.255.240'
option ifconfig '10.1.0.1 255.255.255.240'
# Client Config #
#------------------------------------------------
# client_config_dir / ccd_exclusive are disabled, so any client whose
# certificate chains to the CA below is accepted with no per-client settings
# or allow-list.
# option ccd_exclusive 1
# option ifconfig_pool_persist '/etc/openvpn/clients/ipp.txt'
# option client_config_dir '/etc/openvpn/clients/'
# Pushed Routes #
#------------------------------------------------
# Clients get a route to the LAN and the router as DNS/WINS; NTP is pushed as
# an external address.
list push 'route 192.168.1.0 255.255.255.0'
list push 'dhcp-option DNS 192.168.1.1'
list push 'dhcp-option WINS 192.168.1.1'
# list push 'dhcp-option DNS 208.67.222.123'
# list push 'dhcp-option DNS 208.67.220.123'
list push 'dhcp-option NTP 129.6.15.30'
# Encryption #
#------------------------------------------------
# Diffie-Hellman:
option dh '/etc/ssl/openvpn/dh2048.pem'
# PKCS12:
# option pkcs12 '/etc/ssl/openvpn/vpn-server.p12'
# Server identity; server.key should be readable by root only.
option ca '/etc/ssl/ca/ca.crt'
option cert '/etc/ssl/openvpn/server.crt'
option key '/etc/ssl/openvpn/server.key'
# SSL:
option cipher AES-256-CBC
option auth 'SHA256'
# tls_auth (key direction 0 on the server) makes OpenVPN discard control
# channel packets lacking the shared HMAC, so unauthenticated probes on
# UDP 5000 never reach the TLS handshake.
option tls_auth '/etc/ssl/openvpn/ta.key 0'
# TLS:
# tls_version_min / tls_cipher are commented out, so the OpenVPN build's
# defaults apply; enabling tls_version_min 1.2 is a cheap hardening step if
# every client supports it.
# option tls_server 1
# option tls_version_min 1.2
# option tls_cipher 'TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384'
# Require client certificates to carry the client key usage, so a stolen
# server certificate cannot be used to connect as a client.
option remote_cert_tls 'client'
# Logging #
#------------------------------------------------
# verb 4 is fairly chatty; both files live in /tmp and are lost on reboot.
option log_append '/tmp/openvpnserver.log'
option status '/tmp/openvpn-status.log'
option verb 4
# Connection Options #
#------------------------------------------------
option keepalive '10 120'
# Same caveat as the client instance: compression of encrypted traffic is
# generally discouraged.
option comp_lzo 'yes'
# Connection Reliability #
#------------------------------------------------
# client_to_client switches traffic between VPN clients inside OpenVPN, so it
# never traverses the router's firewall; drop it if clients should be
# isolated from each other.
option client_to_client 1
option persist_key 1
option persist_tun 1
# Connection Speed #
#------------------------------------------------
option sndbuf 524288
option rcvbuf 524288
option fragment 0
option mssfix 0
option tun_mtu 48000
# Pushed Buffers #
#------------------------------------------------
list push 'sndbuf 524288'
list push 'rcvbuf 524288'
# Permissions #
#------------------------------------------------
# Drop root after start-up; persist_key/persist_tun above keep restarts
# working once privileges are gone.
option user 'nobody'
option group 'nogroup'
# chroot #
#------------------------------------------------
# chroot should be utilized in case the VPN is ever exploited; however, most commercial
# routers don't have internal flash storage large enough to support it. An OpenVPN
# chroot would be ~11MB in size.
# Modify if chroot is configured #
#--------------------------------------------
# option ccd_exclusive 1
# option ifconfig_pool_persist /var/chroot-openvpn/etc/openvpn/clients/ipp.txt
# option client_config_dir /var/chroot-openvpn/etc/openvpn/clients
# option cipher AES-256-CBC
# option dh /var/chroot-openvpn/etc/ssl/openvpn/dh2048.pem
# option pkcs12 /var/chroot-openvpn/etc/ssl/openvpn/vpn-server.p12
# option tls_auth '/var/chroot-openvpn/etc/ssl/openvpn/tls-auth.key 0'
root@LEDE:~# cat /etc/config/firewall
#::: Traffic Rules :::#
# LuCI: Network - Firewall - Traffic Rules
#::: Defaults :::#
# LuCI: Network - Firewall
#------------------------------------------------
#::: Firewall.User Rules :::#
# LuCI: Network - Firewall - Custom Rules
# Hand-written iptables rules from /etc/firewall.user are loaded as well;
# whatever is in there is not visible in this file.
config include
option path '/etc/firewall.user'
# Default OpenWrt Rule #
# Global policies. The router accepts input by default; zones override this
# (wan DROP, vpnclientfw and gastwlanfw REJECT). Forwarding is dropped unless
# a forwarding section or a rule allows it. SYN-flood protection and dropping
# of invalid conntrack states are enabled.
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'DROP'
option syn_flood 1
option drop_invalid 1
# Allow initial VPN connection #
#------------------------------------------------
# LuCI: From any host in any zone To any router
# IP at port 5000 on this device (Accept Input)
# No 'dest' option, so this is an INPUT rule (traffic to the router itself),
# despite the "Forwarded" in its name. src '*' exposes port 5000 from every
# zone, including wan and the guest WLAN. The server only listens on UDP
# (see the VPNserver section), so proto 'udp' alone would be the tighter match.
config rule
option target 'ACCEPT'
option family 'ipv4'
option proto 'tcp udp'
option src '*'
option dest_port 5000
option name 'Allow Forwarded VPN Request -> <device>'
# Once Assigned VPN IP, Allow Inbound -> LAN #
#------------------------------------------------
# LuCI: From IP range 10.1.0.0/28 in vpn To IP
# range 192.168.1.0/24 on this device (Accept Input)
# Again an INPUT rule: dest_ip without dest matches the router's own LAN
# addresses, not LAN hosts. With the vpnserverfw zone already set to
# input ACCEPT this rule appears redundant.
config rule
option target 'ACCEPT'
option family 'ipv4'
option proto 'tcp udp'
option src 'vpnserverfw'
option src_ip '10.1.0.0/28'
option dest_ip '192.168.1.0/24'
option name 'Allow OpenVPN -> LAN'
# Once Assigned VPN IP, Allow Forwarded -> LAN #
#------------------------------------------------
# LuCI: From any host in vpn To any host in any
# zone (Accept Forward)
# dest '*' lets VPN-server clients be forwarded into every zone (lan, wan,
# vpnclientfw, gastwlanfw) over TCP/UDP, with no src_ip restriction. If only
# LAN access is intended, the vpnserverfw -> lan forwarding section further
# down already grants that and this rule can be narrowed to dest 'lan'.
# The value is unquoted here; the other rules write it as '*'.
config rule
option target 'ACCEPT'
option family 'ipv4'
option proto 'tcp udp'
option src 'vpnserverfw'
option dest *
option name 'Allow Forwarded OpenVPN -> <device>'
# Allow Outbound ICMP Traffic from VPN #
#------------------------------------------------
# LuCI: ICMP From IP range 10.1.0.0/28 in vpn To
# any host in lan (Accept Forward)
# ICMP is not covered by the tcp/udp rules above, hence the separate rules.
config rule
option target 'ACCEPT'
option family 'ipv4'
option proto 'icmp'
option src 'vpnserverfw'
option src_ip '10.1.0.0/28'
option dest 'lan'
option name 'Allow OpenVPN (ICMP) -> LAN'
# Allow Outbound Ping Requests from VPN #
#------------------------------------------------
# LuCI: ICMP with type echo-request From IP range
# 10.1.0.0/28 in vpn To any host in wan (Accept Forward)
config rule
option target 'ACCEPT'
option family 'ipv4'
option proto 'icmp'
list icmp_type 'echo-request'
option src 'vpnserverfw'
option src_ip '10.1.0.0/28'
option dest 'wan'
option name 'Allow OpenVPN (ICMP 8: echo-request) -> WAN'
#::: Zones :::#
# LuCI: Network - Firewall - Zones
#------------------------------------------------
# LAN #
# masq on the LAN zone source-NATs traffic leaving through LAN interfaces, so
# VPN-server clients reaching LAN hosts appear as the router's LAN address
# rather than as 10.1.0.x. That is unusual for a LAN zone. NOTE(review): the
# LAN host's reply is still routed on the router after de-NAT, so this
# presumably does not take a policy-routed host out of vpn-policy-routing.
config zone
option name 'lan'
option network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'DROP'
option masq 1
# VPN #
# Clients of the OpenVPN server (tun1). input ACCEPT exposes every router
# service (SSH, web UI, DNS, ...) to VPN clients; if they are not fully
# trusted, use REJECT here and allow services with explicit rules.
config zone
option name 'vpnserverfw'
option network 'vpnserver'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
# WAN #
# Stock upstream zone: unsolicited input/forward dropped, masquerading and
# MSS clamping on.
config zone
option name 'wan'
option network 'wan wan6'
option input 'DROP'
option output 'ACCEPT'
option forward 'DROP'
option masq 1
option mtu_fix 1
#::: InterZone Forwarding :::#
# LuCI: Network -> Firewall -> Zones -
# VPN - Edit - Inter-Zone Forwarding
#------------------------------------------------
# Each section opens one direction; replies are admitted by connection
# tracking. VPN-server clients -> LAN is allowed below, so the firewall is an
# unlikely cause of 192.168.1.111 being unreachable; see the note on the
# commented-out 'config policy' at the end of this file.
# LAN to VPN #
config forwarding
option dest 'vpnserverfw'
option src 'lan'
# LAN to WAN #
config forwarding
option dest 'wan'
option src 'lan'
# VPN to LAN #
config forwarding
option dest 'lan'
option src 'vpnserverfw'
# Stock OpenWrt/LEDE wan rules: DHCP renew, ping, IGMP and the IPv6
# housekeeping the router needs while wan input is DROP.
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# The two rules below are also stock defaults: they forward ESP and IKE
# (UDP 500) from wan into lan. They only matter if a LAN host runs IPsec and
# can be removed if none does.
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
# UPnP: lets LAN hosts open WAN ports on demand; miniupnpd injects its own
# rules through this include, outside what is visible here.
config include 'miniupnpd'
option type 'script'
option path '/usr/share/miniupnpd/firewall.include'
option family 'any'
option reload '1'
# Provider tunnel (tun0, OpenVPN instance 'torguard'). Nothing may enter from
# it (input/forward REJECT); LAN sources leaving through it are masqueraded
# behind the tunnel address and MSS-clamped. Only lan -> vpnclientfw is
# forwarded here; which LAN hosts actually take this path is decided by
# vpn-policy-routing, not by the firewall.
config zone
option forward 'REJECT'
option output 'ACCEPT'
option name 'vpnclientfw'
option input 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'torguardvpn'
config forwarding
option dest 'vpnclientfw'
option src 'lan'
# Guest WLAN: isolated zone. input/forward REJECT, forwarding to wan only, and
# the two rules below admit just DHCP and DNS to the router, so guests reach
# neither the LAN, the VPN zones nor other router services.
config zone 'gastwlanfw'
option name 'gastwlanfw'
option network 'gastwlan'
option forward 'REJECT'
option output 'ACCEPT'
option input 'REJECT'
config forwarding 'gastwlanfw_fwd'
option src 'gastwlanfw'
option dest 'wan'
config rule 'gastwlanfw_dhcp'
option name 'gastwlanfw_DHCP'
option src 'gastwlanfw'
option target 'ACCEPT'
option proto 'udp'
option dest_port '67-68'
config rule 'gastwlanfw_dns'
option name 'gastwlanfw_DNS'
option src 'gastwlanfw'
option target 'ACCEPT'
option proto 'tcp udp'
option dest_port '53'
# NOTE(review): 'config policy' is a vpn-policy-routing section type, not a
# firewall one, so it has no effect in /etc/config/firewall even when
# uncommented; it belongs in /etc/config/vpn-policy-routing.
# The log below shows a catch-all policy routing odroid-hc2 via torguardvpn.
# Replies from 192.168.1.111 to VPN-server clients (10.1.0.0/28 on tun1)
# presumably match that policy by source address and are sent out tun0
# instead of tun1, which would explain why only this host is unreachable.
# The usual fix is a policy for local_addresses '192.168.1.111' with
# remote_addresses '10.1.0.0/28' and interface 'vpnserver', listed before the
# catch-all policy; the variant below (port 22 only, via 'wan') would not
# steer those replies to tun1. Confirm against the vpn-policy-routing README.
#config policy
# option comment 'hc2'
# option local_addresses '192.168.1.111'
# option local_ports '22'
# option interface 'wan'
The last part of the firewall config, which is now commented out, was suggested by @stangri. 192.168.1.111 is the IP that I cannot reach when connected to the vpn server. At first it seemed to work, with another firewall config. Now I have changed that and it does not work anymore. I don't know why; maybe it's in the wrong position.
Here is the log output of the vpn-policy-routing app:
Mon Feb 26 13:24:26 2018 user.notice vpn-policy-routing [8493]: Creating table 'wan/eth1.2/<.........>/fe80::/64' [✓]
Mon Feb 26 13:24:27 2018 user.notice vpn-policy-routing [8493]: Creating table 'torguardvpn/tun0/<.....................>/fe80::a9d1:26d5:d19c:1' [✓]
Mon Feb 26 13:24:27 2018 user.notice vpn-policy-routing [8493]: Creating table 'vpnserver/tun1/<...........................>/<.............>' [✓]
Mon Feb 26 13:24:27 2018 user.notice vpn-policy-routing [8493]: Routing 'odroid-hc2' via torguardvpn [✓]
Mon Feb 26 13:24:27 2018 user.notice vpn-policy-routing [8493]: service started on wan/eth1.2/<.........................>/fe80::/64 torguardvpn/tun0/<..........................>/<......................> vpnserver/tun1/10.1.0.1/<................................> [✓]
Mon Feb 26 13:24:28 2018 user.notice vpn-policy-routing [8493]: service monitoring interfaces: wan torguardvpn vpnserver [✓]
The <...........> parts are addresses I have left out.
Edit:
I found this: https://openwrt.org/docs/user-guide/services/openvpnserverandclient
It looked promising but didn't help.