I'm trying to have a setup where users on the 'lan' network (wifi or ethernet) connect plainly to the internet, while anyone on the 'guest' (wifi) network will be sent through a remote vpn (I don't control that server).
I managed to enable the vpn for 'guest' and verified that they got a remote IP address, but then any connection from 'lan' got borked (e.g. ping google.com just sits there with no response).
logread shows the following:
Nov 27 12:07:07 OpenWrt daemon.notice openvpn(mullvad)[4000]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 10.8.0.1,route 10.8.0.1,topology net30,ifconfig 10.8.0.110 10.8.0.109'
the redirect-gateway seems to be the culprit? I can add "option route_nopull 1" to my openvpn config in order to ignore the redirect-gateway, but then the guest network doesn't go through the vpn any more (at least, https://duckduckgo.com/?q=what%27s+my+ip shows my home ip).
route -n (with openvpn started, without the nopull option):
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
95.211.92.236 <provider>.1 255.255.255.255 UGH 0 0 0 br-wan
10.0.0.0 0.0.0.0 255.255.255.0 U 0 0 0 wlan1
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 br-lan
<provider>.0 0.0.0.0 255.255.240.0 U 0 0 0 br-wan
0.0.0.0 <provider>.1 0.0.0.0 UG 0 0 0 br-wan
10.8.0.1 10.8.0.141 255.255.255.255 UGH 0 0 0 tun0
10.8.0.141 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
0.0.0.0 10.8.0.141 128.0.0.0 UG 0 0 0 tun0
128.0.0.0 10.8.0.141 128.0.0.0 UG 0 0 0 tun0
(95.211.92.236 seems to be the remote vpn)
So, how can I make it so 'guest' goes through the vpn service and 'lan' does not?
/etc/config/firewall:
config 'defaults'
option 'syn_flood' '1'
option 'input' 'ACCEPT'
option 'output' 'ACCEPT'
option 'forward' 'REJECT'
option 'drop_invalid' '1'
config 'zone'
option 'name' 'lan'
option 'network' 'lan'
option 'input' 'ACCEPT'
option 'output' 'ACCEPT'
option 'forward' 'REJECT'
config 'zone'
option 'name' 'wan'
option 'network' 'wan'
option 'output' 'ACCEPT'
option 'masq' '1'
option 'mtu_fix' '1'
option 'input' 'REJECT'
option 'forward' 'REJECT'
config 'forwarding'
option 'src' 'lan'
option 'dest' 'wan'
config 'rule'
option 'src' 'wan'
option 'proto' 'udp'
option 'dest_port' '68'
option 'target' 'ACCEPT'
option 'family' 'ipv4'
config 'rule'
option 'src' 'wan'
option 'proto' 'icmp'
option 'icmp_type' 'echo-request'
option 'target' 'ACCEPT'
config 'include'
option 'path' '/etc/firewall.user'
### Guest network, VPN:
config 'zone'
option 'name' 'guest'
option 'input' 'REJECT'
option 'forward' 'REJECT'
option 'output' 'ACCEPT'
config 'forwarding'
option 'src' 'guest'
option 'dest' 'wan'
config 'rule'
option 'src' 'guest'
option 'dest_port' '53'
option 'proto' 'tcpudp'
option 'target' 'ACCEPT'
config 'rule'
option 'src' 'guest'
option 'src_port' '67-68'
option 'dest_port' '67-68'
option 'proto' 'udp'
option 'target' 'ACCEPT'
config zone
option input 'ACCEPT'
option forward 'REJECT'
option output 'ACCEPT'
option name 'vpn'
option masq '1'
option network 'vpn'
config forwarding
option dest 'guest'
option src 'vpn'
config forwarding
option dest 'vpn'
option src 'guest'
/etc/config/network:
config 'interface' 'loopback'
option 'ifname' 'lo'
option 'proto' 'static'
option 'ipaddr' '127.0.0.1'
option 'netmask' '255.0.0.0'
config 'interface' 'lan'
option 'ifname' 'eth0.1'
option 'type' 'bridge'
option 'proto' 'static'
option 'ipaddr' '192.168.1.1'
option 'netmask' '255.255.255.0'
config 'interface' 'wan'
option 'ifname' 'eth1'
option 'proto' 'dhcp'
option 'type' 'bridge'
config 'interface' 'guest'
option 'proto' 'static'
option 'ipaddr' '10.0.0.1'
option 'netmask' '255.255.255.0'
config interface 'vpn'
option ifname 'tun0'
option defaultroute '0'
option peerdns '0'
option proto 'none'
config 'switch'
option 'name' 'rtl8366s'
option 'reset' '1'
option 'enable_vlan' '1'
option 'blinkrate' '2'
config 'switch_vlan'
option 'device' 'rtl8366s'
option 'vlan' '1'
option 'ports' '0 1 2 3 5t'
config 'switch_port'
option 'device' 'rtl8366s'
option 'port' '1'
option 'led' '6'
config 'switch_port'
option 'device' 'rtl8366s'
option 'port' '2'
option 'led' '9'
config 'switch_port'
option 'device' 'rtl8366s'
option 'port' '5'
option 'led' '2'
/etc/config/openvpn (translated from the config the vpn provider gave):
package openvpn
config openvpn mullvad
option enable 1
option client 1
option dev tun
option proto udp
list remote "openvpn.mullvad.net 1194"
list remote "openvpn.mullvad.net 443"
list remote "openvpn.mullvad.net 53"
# option remote "se.mullvad.net"
# option remote "nl.mullvad.net"
# Pick a random server:
# option remote_random 1
# Default: try in the order listed
option resolv_retry infinite
option nobind 1
option persist_key 1
option persist_tun 1
option ca /etc/openvpn/master.mullvad.net.crt
option cert /etc/openvpn/mullvad.crt
option key /etc/openvpn/mullvad.key
option comp_lzo 1
option verb 3
option remote_cert_tls server
option ping_restart 60
option script_security 2
option ping 10
/etc/config/dhcp
config 'dnsmasq'
option 'domainneeded' '1'
option 'boguspriv' '1'
option 'localise_queries' '1'
option 'rebind_protection' '1'
option 'rebind_localhost' '1'
option 'local' '/lan/'
option 'domain' 'lan'
option 'expandhosts' '1'
option 'authoritative' '1'
option 'readethers' '1'
option 'leasefile' '/tmp/dhcp.leases'
option 'resolvfile' '/tmp/resolv.conf.auto'
config 'dhcp' 'lan'
option 'interface' 'lan'
option 'start' '100'
option 'limit' '150'
option 'leasetime' '12h'
config 'dhcp' 'guest'
option 'interface' 'guest'
option 'start' '100'
option 'limit' '150'
option 'leasetime' '12h'
config 'dhcp' 'wan'
option 'interface' 'wan'
option 'ignore' '1'
(Last edited by unhammer on 27 Nov 2012, 15:30)
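One way to get the split described in the question (guest through tun0, lan straight out the WAN), as an added example that is not code from the post, from OpenWrt or from the VPN provider: keep `option route_nopull 1` so the pushed redirect-gateway never touches the main routing table, and instead have OpenVPN run a route-up script that installs a separate routing table used only for traffic from the guest subnet. Assumptions not taken from the post: the script lives at /etc/openvpn/guest-vpn.sh and is wired in with `option route_up '/etc/openvpn/guest-vpn.sh'` (the posted config already has `script_security 2`, which OpenVPN requires for running scripts); the guest subnet 10.0.0.0/24 matches the posted /etc/config/network; routing table number 100 is an arbitrary choice; the iproute2 `ip` binary (the `ip` package on OpenWrt) is available. OpenVPN exports `dev` and `route_vpn_gateway` to route-up scripts, and the latter is set for the `topology net30` the server pushes.

```shell
#!/bin/sh
# /etc/openvpn/guest-vpn.sh (hypothetical path) - OpenVPN route-up script.
# Added example, not from the original post. Sends only the guest subnet
# through the tunnel using policy routing; the main table stays as it was.
#
# Assumptions (placeholders, adjust to taste):
GUEST_NET="${GUEST_NET:-10.0.0.0/24}"   # guest subnet from /etc/config/network
VPN_TABLE="${VPN_TABLE:-100}"           # dedicated routing table for guest traffic

# Print the commands rather than running them straight away, so the plan can be
# reviewed (and tested) without root and without a live tunnel.
#   $1 = tun interface (OpenVPN's $dev, e.g. tun0)
#   $2 = remote tun endpoint (OpenVPN's $route_vpn_gateway, e.g. 10.8.0.141)
vpn_policy_cmds() {
    dev="$1"
    gw="$2"
    printf '%s\n' \
      "ip route replace unreachable default metric 1000 table $VPN_TABLE" \
      "ip route replace default via $gw dev $dev table $VPN_TABLE" \
      "ip rule del to $GUEST_NET lookup main priority 99 2>/dev/null || true" \
      "ip rule add to $GUEST_NET lookup main priority 99" \
      "ip rule del from $GUEST_NET lookup $VPN_TABLE priority 100 2>/dev/null || true" \
      "ip rule add from $GUEST_NET lookup $VPN_TABLE priority 100" \
      "ip route flush cache"
}
# Line 1: fail closed. If tun0 disappears the kernel drops the 'via' route but
#         keeps the unreachable one, so guest traffic is refused rather than
#         silently falling back to the WAN.
# Line 2: the tunnel default route, present only in the guest table.
# Lines 3-4: traffic *to* the guest subnet (DHCP/DNS replies from 10.0.0.1,
#         return packets arriving on tun0) still uses the main table, where
#         the connected route for wlan1 lives.
# Lines 5-6: traffic *from* the guest subnet consults the guest table.
# del-before-add keeps the script idempotent across reconnects.

apply_vpn_policy() {
    vpn_policy_cmds "$1" "$2" | while read -r cmd; do
        eval "$cmd"
    done
}

# Entry point when OpenVPN invokes this file: it exports $dev and
# $route_vpn_gateway. DRY_RUN=1 just shows what would be run.
if [ -n "$route_vpn_gateway" ]; then
    if [ -n "$DRY_RUN" ]; then
        vpn_policy_cmds "$dev" "$route_vpn_gateway"
    else
        apply_vpn_policy "$dev" "$route_vpn_gateway"
    fi
fi
```

Two things to check after enabling this. First, the posted firewall still has `config 'forwarding'` from `guest` to `wan`; with the policy rule in place guest packets are never routed towards br-wan, but removing that forwarding makes the intent explicit and means a routing mistake is rejected by the firewall too. Second, `route_nopull` also discards the pushed `dhcp-option DNS 10.8.0.1`, so guest clients keep resolving names through dnsmasq on 10.0.0.1, whose upstream queries leave via the WAN; whether that matters depends on what the guest network is meant to hide, and a per-interface upstream server in dnsmasq is the usual fix.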