
I have set up a router with OpenWRT 15.05 installed (Chaos Calmer), and configured two wi-fi networks, each with their own network interface:

  • wi-fi-1: interface br-lan ip address 10.0.2.1; address range 10.0.2.0/24
  • wi-fi-2: interface br-vpn ip address 10.0.10.1; address range 10.0.10.0/24

I configured OpenVPN client software to connect to vpn service vpnservice1. In the OpenWRT system logs I can see that the openvpn client successfully connects to vpnservice1 and interface tun0 is opened.

My aim is to route all traffic from network wi-fi-1 (10.0.2.0/24) through the default gateway, and to route all internet-bound traffic on wi-fi-2 (10.0.10.0/24) through the vpn interface tun0. Note: I would still like devices connected to the wi-fi-2 network (10.0.10.0/24) to be able to connect to other devices on this network.

With the configuration I currently have, devices on the wi-fi-1 network can connect to the internet via the default gateway. However, devices connected to wi-fi-2 cannot connect to the internet. Any assistance is welcome :)

My configuration is described below:

  1. Firewall configuration (/etc/config/firewall):

    config rule
    config rule
    	option src 'wan'
    	option dest 'lan'
    	option proto 'esp'
    	option target 'ACCEPT'

    config rule
    	option src 'wan'
    	option dest 'lan'
    	option dest_port '500'
    	option proto 'udp'
    	option target 'ACCEPT'

    config zone
    	option input 'ACCEPT'
    	option output 'ACCEPT'
    	option name 'stream'
    	option network 'stream'
    	option masq '1'
    	option forward 'ACCEPT'

    config zone
    	option input 'ACCEPT'
    	option output 'ACCEPT'
    	option name 'stream_vpn'
    	option forward 'ACCEPT'
    	option network 'stream_vpn'
    	option masq '1'

    config forwarding
    	option dest 'stream'
    	option src 'stream_vpn'

    config forwarding
    	option dest 'stream_vpn'
    	option src 'stream'

  2. Network configuration (/etc/config/network):

    config interface 'lan'
    	option ifname 'eth1'
    	option force_link '1'
    	option type 'bridge'
    	option proto 'static'
    	option netmask '255.255.255.0'
    	option ip6assign '60'
    	option ipaddr '10.0.2.1'

    config interface 'wan'
    	option ifname 'eth0'
    	option proto 'dhcp'

    config interface 'stream_vpn'
    	option proto 'none'
    	option ifname 'tun0'

    config interface 'stream'
    	option proto 'static'
    	option ipaddr '10.0.10.1'
    	option netmask '255.255.255.0'
    	option type 'bridge'
    	option _orig_ifname 'stream_lan wlan1-2'
    	option _orig_bridge 'true'
    	option ifname 'stream_lan'

  3. OpenVPN client 'vpnservice1' configuration (/etc/openvpn):

    config openvpn 'vpnservice1'
    	option dev_type 'tun'
    	option client '1'
    	option resolv_retry 'infinite'
    	option persist_tun '1'
    	option persist_key '1'
    	option tun_ipv6 '1'
    	option cipher 'AES-256-CBC'
    	option remote_random '0'
    	option route_delay '2'
    	option route_nopull '1'
    	option route '10.0.10.1 255.255.255.255'
    	option auth_retry 'interact'
    	option auth 'SHA1'
    	option remote_cert_tls 'server'
    	option reneg_sec '0'
    	option tls_client '1'
    	option verb '3'
    	option mute '20'
    	option float '1'
    	option ifconfig_nowarn '1'
    	option auth_user_pass '/etc/openvpn/vpnservice1/userpass.txt'
    	option port '1194'
    	option remote 'vpnservice1.com'
    	option auth_nocache '1'
    	option dev 'tun0'
    	option proto 'udp'
    	option comp_lzo 'adaptive'
    	option enabled '1'
    	option fast_io '1'
    	option tun_mtu '1500'
    	option tun_mtu_extra '32'
    	option ca '/etc/openvpn/vpnservice1/vpnservice1_com.crt'
    	option ping '15'
    	option ping_restart '0'
    	option tls_auth '/etc/openvpn/vpnservice1/vpnservice1_com_tls.key 1'
    	option script_security '2'

  4. Interface listing (ifconfig -a):

    br-lan    Link encap:Ethernet  HWaddr C0:56:27:7A:92:D3
              inet addr:10.0.2.1  Bcast:10.0.2.255  Mask:255.255.255.0
              inet6 addr: fe80::c256:27ff:cd56:92a1/64 Scope:Link
              inet6 addr: fd1d:c378:aa11::1/60 Scope:Global
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:15469 errors:0 dropped:0 overruns:0 frame:0
              TX packets:15465 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:2029206 (1.9 MiB)  TX bytes:9594955 (9.1 MiB)

    br-vpn    Link encap:Ethernet  HWaddr 06:25:9C:13:97:F5
              inet addr:10.0.10.1  Bcast:10.0.10.255  Mask:255.255.255.0
              inet6 addr: fe80::425:cc22:ab34:22e1/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:640 errors:0 dropped:0 overruns:0 frame:0
              TX packets:566 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:101972 (99.5 KiB)  TX bytes:71890 (70.2 KiB)

    eth0      Link encap:Ethernet  HWaddr C2:56:27:7A:92:D3
              inet addr:10.0.1.21  Bcast:10.0.1.255  Mask:255.255.255.0
              inet6 addr: fe80::c056:34ff:abcd:84d3/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:13175 errors:0 dropped:0 overruns:0 frame:0
              TX packets:12879 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:532
              RX bytes:8697083 (8.2 MiB)  TX bytes:1939234 (1.8 MiB)
              Interrupt:194

    tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
              inet addr:10.8.8.134  P-t-P:10.8.8.133  Mask:255.255.255.255
              UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:100
              RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

  5. Routing listing (route -n):

    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    0.0.0.0         10.0.1.1        0.0.0.0         UG    0      0        0 eth0
    10.0.10.0       0.0.0.0         255.255.255.0   U     0      0        0 br-vpn
    10.0.10.1       205.1.2.3       255.255.255.255 UGH   0      0        0 tun0
    205.1.2.3       0.0.0.0         255.255.255.255 UH    0      0        0 tun0
    10.0.1.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
    10.0.1.1        0.0.0.0         255.255.255.255 UH    0      0        0 eth0
    10.0.2.0        0.0.0.0         255.255.255.0   U     0      0        0 br-lan


@porchez I tried the changes you suggested. I installed the iproute2 package.

In /etc/iproute2/rt_tables I added the line

0 admin

I created a new shell script /etc/openvpn/guest-up.sh and added the lines

ip rule add from 10.0.10.0/24 table admin
ip route add default dev tun0 table admin 

In my openvpn config file (/etc/config/openvpn) I added the options

option script_security '2'
option up '/etc/openvpn/guest-up.sh'

After restarting the VPN session the syslog entries indicated the vpn session connected successfully. However the wi-fi network isn't connecting to the internet over the vpn.

Running ip route list shows

0:      from all lookup 128
0:      from 10.0.10.0/24 lookup 1
0:      from 10.0.10.0/24 lookup 2
0:      from 10.0.10.0/24 lookup 3
0:      from 10.0.10.0/24 lookup 4
0:      from 10.0.10.0/24 lookup 5
0:      from 10.0.10.0/24 lookup 6
0:      from 10.0.10.0/24 lookup 7
0:      from 10.0.10.0/24 lookup 8

Running the command ip route show table admin | grep "10.0.10.0" returns

10.0.10.0/24 dev br-vpn  proto kernel  scope link  src 10.0.10.1
broadcast 10.0.10.0 dev br-vpn  table local  proto kernel  scope link  src 10.0.10.1

Apologies I'm fairly new to linux networking and routing.

Sven
Michael

1 Answer


It should be possible with the iproute2 package:

opkg update
opkg install ip

I just started using it, so I guess I can only give some hints and no working solution for your specific case. With iproute2 you can implement policy routing (conditional routing). In your case you need two different routes for your two devices (br-lan and br-vpn). For br-lan this seems to be already in place. Now you need to route all traffic from br-vpn (or the subnet it represents) through your tun0 device and the vpn.

My guess would be something like this (probably not working but hopefully gets you going in the right direction):

Edit /etc/iproute2/rt_tables and add this line:

0 admin

Then:

ip rule add from 10.0.10.0/24 table admin
ip route add default dev tun0 table admin  

Intuition: you add a rule for all traffic coming from your 10.0.10.0/24 subnet and tell iproute2 to look into the admin table on how to handle this. Then you add a default rule in your admin table, routing everything by default through your vpn.

I'm a bit confused by your configuration. Are you sure the "route -n" output and the ifconfig and /etc/config/network outputs are from the same session?

Notice that these changes are not reflected in "route -n"; instead look at

ip rule list
ip route show table admin 
mc51
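The policy-routing setup the answer sketches, and the guest-up.sh attempt in the question, written out as one complete script. This is an added example, not code from the question, the answer, or the OpenWRT or OpenVPN projects. The subnet (10.0.10.0/24), the bridge (br-vpn) and the tunnel device (tun0) are taken from the question; the table ID 100, the table name "vpn", the rule priority and the script path /etc/openvpn/policy-vpn.sh are assumptions. It differs from the hint in three places: it uses a table number that the default /etc/iproute2/rt_tables does not already assign (0, 253, 254 and 255 are unspec, default, main and local), it copies the subnet's connected route into the new table so that the router's own DHCP and DNS replies to wi-fi-2 clients (source 10.0.10.1, which also matches the rule) are not pushed into the tunnel, and it adds an unreachable fallback route so that, when the tunnel drops and its default route disappears, the subnet is cut off instead of silently falling through to the main table and the WAN.

```shell
#!/bin/sh
# Added example (not the answer's, the asker's, or OpenWRT's script): route one subnet
# through an OpenVPN tunnel on OpenWRT with iproute2 policy routing.
# Values from the question: 10.0.10.0/24 on br-vpn, tunnel device tun0.
# Assumptions: table 100 named "vpn" is free, rule priority 100, full iproute2 "ip".

VPN_SUBNET="${VPN_SUBNET:-10.0.10.0/24}"
LAN_DEV="${LAN_DEV:-br-vpn}"
VPN_DEV="${VPN_DEV:-tun0}"
TABLE_ID="${TABLE_ID:-100}"        # 0, 253, 254, 255 are reserved in rt_tables
TABLE_NAME="${TABLE_NAME:-vpn}"
RT_TABLES="${RT_TABLES:-/etc/iproute2/rt_tables}"

# The rt_tables entry only gives the number a name for readable "ip rule show"
# output; the rule and routes below use the number, so they work without it.
rt_tables_line() { printf '%s %s\n' "$TABLE_ID" "$TABLE_NAME"; }

# Append the entry once; the script runs on every VPN reconnect and must not
# accumulate duplicate lines.
register_table() {
    grep -qs "^$TABLE_ID[[:space:]]" "$RT_TABLES" || rt_tables_line >> "$RT_TABLES"
}

# Emit the commands instead of running them, so "show" lets you review what
# "apply" will do. The rule is deleted before it is re-added (ip rule add does
# not deduplicate); routes use "replace" so re-running is harmless.
#  - the connected route is copied into the table: the router's own replies to
#    the subnet (DHCP, DNS) have a source inside $VPN_SUBNET and hit the rule too;
#  - "unreachable default" with a worse metric is the kill switch: it only takes
#    effect once the tun0 default route is gone, and it stops the lookup from
#    falling through to the main table (and out via the WAN).
policy_commands() {
    cat <<EOF
ip rule del from $VPN_SUBNET table $TABLE_ID 2>/dev/null || true
ip rule add from $VPN_SUBNET table $TABLE_ID priority 100
ip route replace $VPN_SUBNET dev $LAN_DEV table $TABLE_ID
ip route replace default dev $VPN_DEV table $TABLE_ID
ip route replace unreachable default table $TABLE_ID metric 1000
EOF
}

# Reads "ip rule show" output on stdin; succeeds if the rule points at our table.
# The table shows as its name when rt_tables knows it, otherwise as the number.
rule_present() {
    grep -qE "from $VPN_SUBNET lookup ($TABLE_NAME|$TABLE_ID)$"
}

# Reads "ip route show table N" output on stdin; succeeds if the default goes to
# the tunnel device (i.e. the kill-switch route is not the one in effect).
default_via_vpn() {
    grep -qE "^default dev $VPN_DEV( |$)"
}

case "${1:-show}" in
    show)  policy_commands ;;
    # OpenVPN's up hook passes the tunnel device name as $1, so the file can be
    # used directly as "option up" and also run by hand as "apply".
    apply|"$VPN_DEV") register_table; policy_commands | sh -e ;;
    check) ip rule show | rule_present && ip route show table "$TABLE_ID" | default_via_vpn ;;
esac
```

`sh /etc/openvpn/policy-vpn.sh show` prints the commands, `apply` runs them, and `check` inspects the live rule and table. Because OpenVPN calls an up script with the tunnel device as the first argument, the same file can be named in `option up` (the `option script_security '2'` the question's config already has is what permits that). The masquerading on the `stream_vpn` zone and the `stream` to `stream_vpn` forwarding from the question's firewall config are still needed so the forwarded packets are NATed to the tunnel address. As the answer notes, verify with `ip rule show` and `ip route show table 100`; `route -n` only prints the main table.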