
Topic: OpenVPN/OpenWRT tunneling issue


What I've currently got going on is that all of my traffic on my lan from my local clients is going straight out to the internet from the RSP, with an IP of 72.209.203.184

Here's my current setup:

  VPS           (    RouterStation Pro (RSP)                )
openvz<---------{  external ip: 72.209.203.184 (eth0)       }<-------local clients
                (  internal ip: 192.168.1.10 (eth1/br-lan)  )           192.168.1.x
                (  openvpn ip:  10.9.0.10  (tun0)           )

A little more detail:

-The RSP is acting as the DHCP server for the clients, giving out IPs 192.168.1.x
-The VPS is set up as the OpenVPN Server giving out IPs in the 10.9.0.x range
-The RSP is set up as an OpenVPN client
-The RSP is connecting to the VPS without error.  I have verified that the server is setup correctly with other clients. 

Here's what I would ideally like:

The RSP will continue to act as DHCP and hand out IPs on the 192.168.1.x subnet.  All traffic destined for the internet will be routed through the tunnel.  It seems to me that all I would need is a rule on the RSP that says that "all traffic destined for the default gateway (192.168.1.10) should be forwarded through the tunnel."  This way all of my local clients will still be able to see each other.

Is this possible?  I know enough about this to be dangerous, but not enough to actually get things done  smile  Can you help me get my internet traffic into that tunnel?



OpenVPN Server Config File

# OpenVPN server config as posted: listens on tcp/443 and hands clients
# addresses from 10.9.0.0/24.
local 187.63.22.57

port 443

# TCP or UDP server?
proto tcp

dev tun

# Server certificate chain. The private key below must stay readable only
# by the user that starts the daemon.
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/serverconfig.crt
key /etc/openvpn/keys/serverconfig.key  

# NOTE(review): the filename suggests a 1024-bit DH group — confirm;
# 2048 bits or larger is the usual minimum today.
dh /etc/openvpn/keys/dh1024.pem

# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.9.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.9.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
server 10.9.0.0 255.255.255.0

# Relative path: it is resolved against the daemon's working directory
# (no 'cd' directive appears in this config).
ifconfig-pool-persist serverdefault-ipp.txt

# To assign specific IP addresses to specific
# clients or if a connecting client has a private
# subnet behind it that should also have VPN access,
# use the subdirectory "ccd" for client-specific
# configuration files (see man page for more info).

# NOTE(review): for the 192.168.1.0/24 LAN behind the RSP to be reachable
# from the server side, the RSP's ccd file also needs a matching
# 'iroute 192.168.1.0 255.255.255.0'; that file is not shown in the post.
client-config-dir ccd
route 192.168.1.0 255.255.255.0

# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# or bridge the TUN/TAP interface to the internet
# in order for this to work properly).
# NOTE(review): the 'route' output posted for the RSP shows no route via
# tun0 at all, so this push does not appear to take effect on that client.
push "redirect-gateway def1 bypass-dhcp"

# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses.  CAVEAT:
# http://openvpn.net/faq.html#dhcpcaveats
# The addresses below refer to the public
# DNS servers provided by opendns.com.
# NOTE(review): on a Linux/OpenWrt client these are presumably only applied
# through an up/script hook, not automatically — confirm.
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"

# Ping every 10 s; restart the link after 120 s of silence.
keepalive 10 120

# HMAC key for control-channel packets; the server uses direction 0 and the
# client config uses direction 1 with the same file.
tls-auth /etc/openvpn/keys/ta.key 0 # This file is secret

# Data-channel cipher; the client config uses the same value.
cipher AES-256-CBC

# NOTE(review): compressing tunneled traffic is discouraged on security
# grounds (compression-oracle attacks on TLS/VPN payloads); disable it
# unless needed, and keep it in sync with the client's comp_lzo setting.
comp-lzo

max-clients 10

# Drop root privileges after startup; persist-key/persist-tun keep the key
# material and tun device usable across restarts once privileges are gone.
user nobody
group nogroup
# NOTE(review): the lone '.' on the next line looks like a paste artifact;
# OpenVPN would reject it as an unrecognized option.
.
persist-key
persist-tun

# Status file and log file; log-append appends instead of truncating on
# restart.
status /var/log/openvpn/serverdefault-status.log

log-append  /var/log/openvpn/serverdefault.log

# Log verbosity 3; mute suppresses more than 20 consecutive repeats of the
# same message category.
verb 3

mute 20

OpenVPN client configuration

# OpenWrt UCI config for the OpenVPN client instance on the RSP.
config openvpn sample_client

        # Set to 1 to enable this instance:
        option enable 1

        option client 1

        option dev tun

        option proto tcp

        # NOTE(review): no port follows the address and no 'option port' is
        # set, so OpenVPN's default port (1194) would be used while the server
        # config above listens on 443 — confirm the port was only omitted
        # from the post.
        list remote "187.63.22.57"

        option resolv_retry infinite

        # The client does not bind a local port, so no inbound firewall
        # opening on the WAN side is needed for this connection.
        option nobind 1

        # Keep key material and the tun device across restarts.
        option persist_key 1
        option persist_tun 1

        option mute_replay_warnings 1

        option ca /etc/openvpn/keys/ca.crt
        option cert /etc/openvpn/keys/owrt.crt
        option key /etc/openvpn/keys/owrt.key

        # NOTE(review): ns-cert-type is deprecated in newer OpenVPN releases;
        # 'remote-cert-tls server' is the replacement check on the server cert.
        option ns_cert_type server

        # Same ta.key as the server, direction 1 (the server uses 0).
        option tls_auth "/etc/openvpn/keys/ta.key 1"

        # Must match the server's 'cipher AES-256-CBC'.
        option cipher AES-256-CBC

        # Matches the server's comp-lzo; compression of tunneled traffic is
        # discouraged on security grounds — disable on both ends if not needed.
        option comp_lzo 1

        # NOTE(review): verb 7 is debug-level logging into /tmp (tmpfs on
        # OpenWrt); lower it once the tunnel works so the log does not fill
        # memory or retain packet-level detail.
        option verb 7
        option log      /tmp/openvpn.log

        option mute 20

OpenWRT network config

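# OpenWrt UCI network config for the RSP as posted, with tun0 taken out of
# the LAN bridge (see the note on the lan section).
config 'interface' 'loopback'
        option 'ifname' 'lo'
        option 'proto' 'static'
        option 'ipaddr' '127.0.0.1'
        option 'netmask' '255.0.0.0'

config 'interface' 'lan'
        option 'type' 'bridge'
        option 'proto' 'static'
        option 'ipaddr' '192.168.1.10'
        option 'netmask' '255.255.255.0'
        # NOTE(review): the RSP is itself the LAN's default gateway; a
        # 'gateway' on lan would add a second default route next to the one
        # wan learns via DHCP. The posted 'route' output shows only the eth0
        # default, so this line appears to have no effect — consider dropping it.
        option 'gateway' '192.168.1.1'
        option '_orig_ifname' 'eth1'
        option '_orig_bridge' 'true'
        # tun0 was removed from the bridge: a tun device is a layer-3
        # point-to-point interface and cannot be enslaved to a Linux bridge
        # (only tap devices can), which is consistent with the posted 'route'
        # output showing no tun0 routes. Route/forward to tun0 instead, via a
        # separate interface and firewall zone covering it.
        option 'ifname' 'eth1'

config 'interface' 'wan'
        option 'ifname' 'eth0'
        option 'proto' 'dhcp'

config 'switch'
        option 'name' 'eth1'
        option 'reset' '1'
        option 'enable_vlan' '1'

config 'switch_vlan'
        option 'device' 'eth1'
        option 'vlan' '1'
        option 'ports' '0 1 2 3 4'
        option 'vid' '1'

config 'switch_port'
        option 'pvid' '1'
        option 'port' '0'

config 'switch_port'
        option 'pvid' '1'
        option 'port' '1'

config 'switch_port'
        option 'pvid' '1'
        option 'port' '2'

config 'switch_port'
        option 'pvid' '1'
        option 'port' '3'

config 'switch_port'
        option 'pvid' '1'
        option 'port' '4'

config 'switch_port'
        option 'pvid' '1'
        option 'port' '5'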

output of route on the RSP:

root@OpenWrt:/etc/config# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
187.63.22.57    ip72-209-200-1. 255.255.255.255 UGH   0      0        0 eth0
192.168.1.0     *               255.255.255.0   U     0      0        0 br-lan
72.209.200.0    *               255.255.252.0   U     0      0        0 eth0
default         ip72-209-200-1. 0.0.0.0         UG    0      0        0 eth0

OpenWRT firewall rules

# OpenWrt UCI firewall config for the RSP as posted.
config defaults
        option syn_flood        1
        option input            ACCEPT
        option output           ACCEPT
        option forward          REJECT
# disable_ipv6 is set here, so the IPv6 rules further down are presumably
# not applied — confirm.
        option disable_ipv6     1

config zone
        option name             lan
        option network          'lan'
        option input            ACCEPT
        option output           ACCEPT
        option forward          REJECT

# WAN zone: NAT (masq) and MSS clamping (mtu_fix) for traffic leaving eth0.
config zone
        option name             wan
        option network          'wan'
        option input            REJECT
        option output           ACCEPT
        option forward          REJECT
        option masq             1
        option mtu_fix          1

# NOTE(review): the only forwarding is lan -> wan, which is why LAN traffic
# leaves eth0 directly and shows the RSP's WAN address. Sending LAN traffic
# through the tunnel needs a zone covering tun0 (with masq and mtu_fix) and a
# forwarding from lan to that zone, as the later reply in this thread describes.
config forwarding
        option src              lan
        option dest             wan

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
        option name             Allow-DHCP-Renew
        option src              wan
        option proto            udp
        option dest_port        68
        option target           ACCEPT
        option family           ipv4

# Allow IPv4 ping
config rule
        option name             Allow-Ping
        option src              wan
        option proto            icmp
        option icmp_type        echo-request
        option family           ipv4
        option target           ACCEPT

# Allow DHCPv6 replies
# see https://dev.openwrt.org/ticket/10381
config rule
        option name             Allow-DHCPv6
        option src              wan
        option proto            udp
        option src_ip           fe80::/10
        option src_port         547
        option dest_ip          fe80::/10
        option dest_port        546
        option family           ipv6
        option target           ACCEPT

# Allow essential incoming IPv6 ICMP traffic
config rule
        option name             Allow-ICMPv6-Input
        option src              wan
        option proto    icmp
        list icmp_type          echo-request
        list icmp_type          destination-unreachable
        list icmp_type          packet-too-big
        list icmp_type          time-exceeded
        list icmp_type          bad-header
        list icmp_type          unknown-header-type
        list icmp_type          router-solicitation
        list icmp_type          neighbour-solicitation
        option limit            1000/sec
        option family           ipv6
        option target           ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
config rule
        option name             Allow-ICMPv6-Forward
        option src              wan
        option dest             *
        option proto            icmp
        list icmp_type          echo-request
        list icmp_type          destination-unreachable
        list icmp_type          packet-too-big
        list icmp_type          time-exceeded
        list icmp_type          bad-header
        list icmp_type          unknown-header-type
        option limit            1000/sec
        option family           ipv6
        option target           ACCEPT

# include a file with users custom iptables rules
config include
        option path /etc/firewall.user

# NOTE(review): unnamed rule accepting inbound tcp/443 from wan to the router
# itself (no 'dest', so it applies to the input chain). The RSP is an OpenVPN
# client with nobind, and its outgoing connection is already allowed by the
# wan zone's 'output ACCEPT', so this rule is not needed for the tunnel; it
# exposes whatever listens on 443 on the RSP to the internet. Remove it unless
# a service on 443 is meant to be reachable from the WAN.
config  rule
        option target ACCEPT
        option dest_port        443
        option src      wan
        option proto    tcp
        option family   ipv4

This is pretty much exactly what I'm looking for.

Have a look at OpenVPN's redirect-gateway directive, you'll probably want it on the client machine in this case.

I achieved this without using redirect-gateway, but rather forwarding traffic from 'lan' to 'tun0'

In Luci, after OpenVPN is set up and 'tun0' already exists (confirm by running 'ifconfig' on the router):

Network > Interfaces > Create new interface

  • Name: tun0

  • Protocol: DHCP client

  • Masquerading: checked

  • MSS clamping: checked

  • Cover interfaces: tun0

  • Allow forward, destination: check 'lan'

  • Allow forward, source: check 'lan'

Click Save and apply. Reboot here. Note that it may take a minute or two after boot for the tunnel and forwarding to come up. You can watch Status > System Log in Luci. After netifd stops spewing "sending discover..." in the log, your tunnel, and forwarding through it from LAN, should work.

Then, try to connect and traceroute to hosts from a machine on the LAN to ensure the tunnel is in use and working. You may also want to use a site like https://www.whatismyip.com/ to ensure that your IP is that of your OpenVPN server.

(Last edited by normblop on 17 May 2016, 06:52)
