
We have two VLANs. The first one is supposed to operate with OpenVPN (NordVPN), have two WiFi networks (5G, 2.4G) and occupy two switch ports. The second one is supposed to be normal, have one WiFi (2.4G) and occupy the other two switch ports. The problem is, when I start the OpenVPN service, the first VLAN connects to it, but the internet disappears completely on the second. If I turn it off it comes back. It looks like OpenVPN blocks off all traffic, but I don't know why it happens on both VLANs, when only the first one is linked to the OpenVPN firewall zone. Here are some details:

config interface 'lan'
    option type 'bridge'
    option ifname 'eth1.1'
    option proto 'static'
    option ipaddr '192.168.1.1'
    option netmask '255.255.255.0'
    option ip6assign '60'
    option dns '208.67.222.222 208.67.220.220'

config interface 'lan2'
    option type 'bridge'
    option proto 'static'
    option ipaddr '192.168.2.1'
    option netmask '255.255.255.0'
    option ip6assign '60'
    option dns '208.67.222.222 208.67.220.220'
    option ifname 'eth1.2'

# VLAN 1: switch ports 3 and 4 untagged, CPU port 6 tagged (the 't' suffix)
config switch_vlan 'eth1_1'
    option device 'switch0'
    option vlan '1'
    option vid '1'
    option ports '3 4 6t'

# VLAN 2: switch ports 1 and 2 untagged, CPU port 6 tagged
config switch_vlan 'eth1_2'
    option device 'switch0'
    option vlan '2'
    option ports '1 2 6t'
    option vid '2'

# VLAN 3: ports 0 and 5 untagged (anonymous section, no name given)
config switch_vlan
    option device 'switch0'
    option vlan '3'
    option ports '0 5'
    option vid '3'

# Logical interface wrapping the OpenVPN tunnel device; OpenVPN manages its addressing
config interface 'nordvpntun'
    option proto 'none'
    option ifname 'tun0'

I set up firewall forwarding like this:

config zone
    option name 'vpnfirewall'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'
    option network 'nordvpntun'

config forwarding
    option src 'lan'
    option dest 'wan'

config forwarding
    option src 'lan'
    option dest 'vpnfirewall'

config forwarding
    option src 'lan2'
    option dest 'wan'

Here are some screenshots from the GUI (images not reproduced here): Interfaces; Firewall; VLAN Switch; Routes before and after VPN started.

  • When started, does OpenVPN work correctly on 'lan'? Also, why is your WAN address in the same subnet as 'lan'? Can you include LEDE's routing table before and after VPN service is started? – multithr3at3d Jan 28 '18 at 17:57
  • 1. Yes, OpenVPN works correctly on "lan" after turning it on. 2. I don't know why WAN is in the same subnet as "lan", it must have defaulted to this after LEDE installation (someone's custom build, maybe that has something to do with it). 3. Here are the [routes](https://i.imgur.com/79ywdrf.jpg). – Haruspik Jan 29 '18 at 19:27
  • Well, your WAN interface would only be in that range if your upstream router is on that subnet, which means you are behind another NAT'ing gateway/firewall. I would recommend changing your local subnet(s) to avoid confusion and misconfiguration. – multithr3at3d Jan 29 '18 at 19:50
  • I checked the WAN interface and it is set to DHCP. Doesn't that mean it's my ISP-assigned IP? Sorry if I'm confusing things. – Haruspik Jan 29 '18 at 19:56
  • Yeah, _somebody_ is assigning it to you, could be ISP, property manager, etc. or you're behind someone else's router... but that is unrelated here. Mainly odd because it's a private IP address, but I guess some ISPs do that. – multithr3at3d Jan 29 '18 at 20:27

1 Answer

As indicated in the image of the routing table, the VPN connection is clobbering the default gateway for your router, forcing all outbound traffic through the VPN regardless of which internal subnet it originated from. "lan2" loses connectivity because it is trying to use the VPN, but the firewall rules prevent it from doing so.

The best way to tackle this may be to modify routing policy so that you have a different routing table depending where the traffic originates.

Let's take a stab at this policy routing (source), forcing traffic from 'lan2' to use the default gateway:

# ip rule add from 192.168.2.0/24 table lan2
# ip route add default via 192.168.1.254 dev eth0 table lan2

(Actually, this may explode since 192.168.1.0/24 is your WAN subnet. You can either fix this maybe by adding src br-lan to the first line after the address, or by changing the address range of your LAN in the interface configuration and here).

Confirm output with:

# ip rule list
# ip route show table lan2

Start your VPN client and test both networks.

Note that the commands above will not persist reconfigurations or reboots. You will need to commit them somewhere such that they execute when the interfaces come up.

Edit: @Haruspik's comment indicates that the above works. Here's how to make it persistent:

At the bottom of /etc/iproute2/rt_tables, create a new table:

10 lan2

In /etc/config/network, add the new rules and routes so they persist (source):

# Policy rule: traffic sourced from lan2's subnet consults table 'lan2' first
config rule
    option src    '192.168.2.0/24'
    option lookup 'lan2'

# Default route in table 'lan2' via the upstream gateway on the logical 'wan' interface
config route
    option interface 'wan'
    option target    '0.0.0.0'
    option netmask   '0.0.0.0'
    option gateway   '192.168.1.254'
    option table     'lan2'

Finally, apply with service network restart and confirm output with:

# ip rule list
# ip route show table lan2
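As an added example (not part of the answer above or of OpenWrt/LEDE itself), here is a small hotplug-style helper that installs the same policy rule and table route idempotently when the logical 'wan' interface comes up, and that can check `ip rule list` / `ip route show table lan2` output for the expected entries. The subnet (192.168.2.0/24), table name (lan2), gateway (192.168.1.254) and device (eth0) are taken from the thread and are assumptions; the gateway/LAN subnet overlap the answer warns about still applies.

```shell
#!/bin/sh
# Added example, not from the original answer. Assumed values (match the thread):
# lan2 is 192.168.2.0/24, the upstream gateway is 192.168.1.254 on eth0,
# and the routing table is named 'lan2' (an entry such as '10 lan2' in
# /etc/iproute2/rt_tables). Override via environment if your setup differs.
LAN2_NET="${LAN2_NET:-192.168.2.0/24}"
LAN2_TABLE="${LAN2_TABLE:-lan2}"
WAN_GW="${WAN_GW:-192.168.1.254}"
WAN_DEV="${WAN_DEV:-eth0}"

# Emit the commands that will be run, one per line. Kept separate from
# execution so they can be reviewed (or tested) without root or a live router.
policy_cmds() {
    printf 'ip rule add from %s table %s\n' "$LAN2_NET" "$LAN2_TABLE"
    printf 'ip route replace default via %s dev %s table %s\n' \
        "$WAN_GW" "$WAN_DEV" "$LAN2_TABLE"
}

# Given the text of 'ip rule list', succeed if the lan2 rule is already present.
# (ip prints the table name only when it is defined in rt_tables.)
rule_present() {
    printf '%s\n' "$1" | grep -qF "from $LAN2_NET lookup $LAN2_TABLE"
}

# Given the text of 'ip route show table lan2', succeed if the default route
# points at the expected gateway and device.
route_present() {
    printf '%s\n' "$1" | grep -qF "default via $WAN_GW dev $WAN_DEV"
}

# Apply on a real router (needs root). The rule is only added when missing so
# repeated ifup events do not pile up duplicate rules; 'route replace' is
# idempotent on its own.
apply_policy() {
    rules=$(ip rule list 2>/dev/null) || rules=""
    if ! rule_present "$rules"; then
        ip rule add from "$LAN2_NET" table "$LAN2_TABLE"
    fi
    ip route replace default via "$WAN_GW" dev "$WAN_DEV" table "$LAN2_TABLE"
}

# Hotplug entry point: scripts under /etc/hotplug.d/iface/ run with ACTION and
# INTERFACE set by netifd. Nothing happens when sourced without them.
if [ "${ACTION:-}" = "ifup" ] && [ "${INTERFACE:-}" = "wan" ]; then
    apply_policy
fi
```

Dropping this into /etc/hotplug.d/iface/ (for example as 90-lan2-policy) replaces the `sleep 1m` in rc.local from the comments with an event that fires exactly when WAN is up; `policy_cmds` prints what would be run so the values can be checked before touching the router.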
  • Okay, that did it. You can modify your answer to include what I actually did:
    1. nano /etc/iproute2/rt_tables
    1a. Add "10 lan2" at the bottom
    2. nano /etc/rc.local
    2a. Add "/etc/openvpn/bypass_on_other_lans.sh &" at the top
    3. nano /etc/openvpn/bypass_on_other_lans.sh
    3a. Paste:
        sleep 1m
        uci set openvpn.nordvpn.route_nopull=1
        uci commit openvpn
        ip rule add from 192.168.2.0/24 table lan2
        ip route add default via 192.168.1.254 dev eth0 table lan2
    4. That's it. Of course adding some hook to interface launch would be better, maybe I'll polish it out later. For now it'll do! – Haruspik Jan 30 '18 at 17:42
  • Can't `openvpn.nordvpn.route_nopull=1` go in your VPN configuration file? – multithr3at3d Jan 30 '18 at 17:53
  • Actually, you shouldn't need to enable that option anymore, since the VPN routes are allowed to remain. I've updated the answer with steps to make this persistent; do they work for you as well? – multithr3at3d Jan 30 '18 at 20:21
  • Your edited persistent solution doesn't work, here is the output you asked for: [link](https://i.imgur.com/6gndaBB.jpg). The VPN doesn't start itself on the first lan in this configuration somehow. – Haruspik Jan 31 '18 at 16:14
  • My bad, under `config route`, the interface should not be the interface's real name (eth0), but rather the name of the logical interface defined in `/etc/config/network`; I believe it is 'wan' by default. – multithr3at3d Jan 31 '18 at 16:46
  • Here's the [output](https://i.imgur.com/jNvl7QO.jpg). VPN still doesn't work on the first lan with this setup. – Haruspik Feb 01 '18 at 17:37