PROBLEM
I've set up an OpenVPN server instance on an OpenWRT router that also runs an OpenVPN client instance: host "Lemmiwinks" (see SETUP) can successfully connect to the server instance, but only when the client instance is disabled.
SETUP
OPENWRT
---------------------------------------
| VPN client if: tun0, 10.28.10.6/32  |
| VPN server if: tun1, 10.255.0.1/24  |
| WAN if: eth0, 192.168.1.2/24        |
---------------------------------------
                  |
HOME GATEWAY      |
-------------------------------
| Internal if: 192.168.1.1/24 |
| External if: x.x.x.x/x      |
-------------------------------
                  |
INTERNET          |                  LEMMIWINKS
-----------------                    --------------------------------------
|               |--------------------| VPN client if: tun1, 10.255.0.6/24 |
-----------------                    --------------------------------------
        |
VPN PROVIDER |
--------------------------------
| VPN server if: 10.28.10.1/32 |
--------------------------------
OpenWRT 15.05.1 on Linksys WRT1200ac
OpenWRT VPN server instance listens on port 1194
OpenWRT firewall accepts incoming connections to port 1194
Home Gateway firewall redirects to 192.168.1.2 incoming connections to port 1194
Home Gateway external IP x.x.x.x is dynamically mapped to a domain name
WHAT IS GOING ON
I'm pretty sure this has to do with the VPN client instance changing OpenWRT's main routing table, so that all its connections are tunneled through VPN Provider: Lemmiwinks tries to talk to OpenWRT but gets a response from VPN Provider instead, so he rejects it.
SOLUTION?
Lemmiwinks had a similar problem when trying to SSH into OpenWRT (with the VPN client instance enabled). I solved it by simply adding ip rule number 2:
0: from all lookup 128 (not sure what this is: there's no 128 table in /etc/iproute2/rt_table)
1: from all lookup local
2: from 192.168.1.0/24 lookup no_vpn_provider
32766: from all lookup main
32767: from all lookup default (default table is empty)
where no_vpn_provider is a routing table identical to the main table before it gets modified by the VPN client instance. Unfortunately this doesn't do the trick for incoming VPN connections. I tried adding another rule:
3: from 10.255.0.0/24 lookup no_vpn_provider
but it doesn't work either. I tried various combinations of some/all of the previous rules with some/all of the following rules:
w: from all iif tun1 lookup no_vpn_provider
x: from all oif tun1 lookup no_vpn_provider
y: from all to 192.168.0.0/24 lookup no_vpn_provider
z: from all to 10.255.0.0/24 lookup no_vpn_provider
but I had no success. What is the correct routing policy for this situation?
(Last edited by endvour on 11 Dec 2016, 17:13)
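Added example (my own code, not from the post or from OpenWRT): a small Python model of the rule set quoted above, showing why a reply from the server instance can still leave through tun0 with rule 2 in place. It assumes the server's UDP socket is unbound (no OpenVPN `local` directive), so the source address is chosen only after the route lookup; the peer address and the contents of no_vpn_provider are constructed.

```python
import ipaddress

# Constructed model of the asker's router (addresses taken from the post).
TUN0_IP = "10.28.10.6"    # tun0, towards the VPN provider
WAN_IP = "192.168.1.2"    # eth0, towards the home gateway

# Routing tables as (prefix, device, preferred source); longest prefix wins.
# main carries the default route pushed by the VPN client instance;
# no_vpn_provider is assumed to hold only the pre-VPN eth0 routes.
TABLES = {
    "main": [("0.0.0.0/0", "tun0", TUN0_IP),
             ("192.168.1.0/24", "eth0", WAN_IP),
             ("10.255.0.0/24", "tun1", "10.255.0.1")],
    "no_vpn_provider": [("0.0.0.0/0", "eth0", WAN_IP),
                        ("192.168.1.0/24", "eth0", WAN_IP)],
}
# Rules 2, 3 and 32766 from the post as (priority, 'from' selector, table).
RULES = [(2, "192.168.1.0/24", "no_vpn_provider"),
         (3, "10.255.0.0/24", "no_vpn_provider"),
         (32766, None, "main")]

def lookup(table, dst):
    """Longest-prefix match of dst in one table; None if the table has no route."""
    best = None
    for prefix, dev, src in TABLES[table]:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev, src)
    return best

def route(dst, src=None):
    """Return (rule priority, table, device, source address) for an outgoing packet.
    src=None models an unbound UDP socket: the rules run with no source set, so
    'from <prefix>' selectors cannot match and the source comes from the route."""
    dst = ipaddress.ip_address(dst)
    for prio, sel, table in sorted(RULES):
        if sel and (src is None or ipaddress.ip_address(src) not in ipaddress.ip_network(sel)):
            continue
        hit = lookup(table, dst)
        if hit:  # a table with no matching route falls through to the next rule
            return prio, table, hit[1], src or hit[2]
    return None

PEER = "203.0.113.7"  # constructed stand-in for Lemmiwinks' public address

if __name__ == "__main__":
    print("unbound socket  ->", route(PEER))          # via tun0, src 10.28.10.6
    print("bound to WAN IP ->", route(PEER, WAN_IP))  # rule 2, via eth0
```

If the model matches the real box, the reply to Lemmiwinks is sourced from 10.28.10.6 and never reaches rule 2, however the rules are combined; binding the server instance to the WAN address (OpenVPN's `local 192.168.1.2`, or `multihome`) is the setting to check first.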