Normal -> WAN / Guest -> VPN


#1

Hello there,

What i have: Right now i have my Normal Network going just threw the VPN

What i want: My normal Network going threw WAN directly and my Guest Network threw my VPN on ProtonVPN.

What i have don so far: I have setup a Guest Network threw Floris and it is working.

Problem: When i change the Firewall Zones Forwarding that one Zone is going directly to WAN and the second threw VPN just the VPN Network will work.

Is this setup possible to Setup on Turris? How can i fix this?

Thanks for your Help.


OpenVPN as client over a specific wifi interface?
OPENVPN on Wifi1 and Lanport 1-2
#2

Your guest network -> VPN_FW needs forward set to accept.

The second part will be policy based routing. According to a quick search luci-app-mwan3 should provide a gui for this. You guest traffic has to use VPN_FW as default route but everything else needs to use wan. luci-app-mwan3 (luci-part for mwan3) should be able to do this. I can try this in a few hours.


#3

Thanks i will try it out in the evening. mwan3 sounds right to me :slight_smile:


#4

@adminX: Can you help me a bit out with a Configuration for this Problem? I was reading the Doc and Trying a bit around but wasn’t able to do so.


#5

mwan3 is basically right for the job but will not work with OpenVPN because it is not handled by netifd. So you are out of luck for this part.

OpenVPN and OpenWRT/LEDE have never been good friends and in my opinion it will never change.

After re-reading the documentation i should have found a far simpler version for your requirements. It basically means creating the routes for the VPN using a script instead of letting OpenVPN do it.

Found a solution:

Remove mwan3 as it may interfere with this.

opkg remove luci-app-mwan3 mwan3

add to /etc/config/network

config route 'vpn_unreachable'
        option interface 'wan'
        option target '0.0.0.0'
        option netmask '0.0.0.0'
        option metric '20'
        option table '103'
        option type 'unreachable'

config rule
        option priority '1030'
        option in 'guest_turris'
        option dest '0.0.0.0/0'
        option lookup '103'

config rule
        option priority '1035'
        option in 'guest_turris'
        option dest '0.0.0.0/0'
        option action 'unreachable'

add to your openvpn-config

route_noexec
route_up '/root/openvpn-setup-script'
down '/root/openvpn-setup-script'
script_security 2
# script_security 2 may already be
# up and down may also be there but if it is update-resolv-conf then remove it.
# setting your nameserver to the vpn one is a bad idea. inverse leak of information.
# better set the DNS of the provider or some generic one like the google ones on the guest interface as custom DHCP setting

/root/openvpn-setup-script

#!/bin/sh
table="table 103"
unreachable="unreachable"
metric="metric 10"

case $script_type in
route-up)
        unreachable=""
        via="via $route_vpn_gateway"
        #via="via $route_vpn_gateway dev $dev"
        src="src $ifconfig_local"
        ;;
*)
        via=""
        src=""
        ;;
esac
ip route replace $unreachable default $via $table $src $metric

What it does

The rules say everything from interface guest_turris should use routing table 103 and if there is no match then the destination is unreachable. The static route does the same.

noroute_exec in the openvpn-config makes OpenVPN not set up the routes for the VPN but only give them to the script. The script simply takes the default gateway and adds it to table 103. When the link goes down then the script replaces this route with an unreachable one. Deleting it would also work but keeping the unreachable one around feels safer.


#6

@adminX why do you list guest_turris and guest as one is a firewall-zone and the other a network-if?


#7

Because my firewall zone is named guest and i forgot to rename it in the second rule it. I fixed it in the post above.

guest isn’t even a network interface in the screenshot above. The network interface would be br-guest_turris.


#8

I made the changes but i still can’t access the internet over the guest. Eventually :wink: i have a wrong Config. Now the VPN also doesn’t work when i do the Normal Lan threw VPN.

Does the /root/openvpn-setup-script needs other Read/Write/Execute rights?

root@turris:~# ls -l /root/openvpn-setup-script
-rw-r–r-- 1 root root 326 Oct 15 08:22 /root/openvpn-setup-script

root@turris:~# cat /root/openvpn-setup-script
https://paste.laravel.io/4d189393-ba8a-4cb8-bbe4-2d518831461f

root@turris:~# cat /etc/config/network
https://paste.laravel.io/63779936-8c07-4ca1-bce7-e9b8e0cfeda4

cat /etc/config/openvpn
https://paste.laravel.io/08841139-36c5-496c-ae7e-ab360049b699

Thanks for the Help!

EDIT: My Logs

root@turris:~# cat /var/log/messages
https://paste.laravel.io/2d4c0213-e098-4919-8816-6ae1584fd743


OpenVPN as client over a specific wifi interface?
#9

You need to do a chmod +x /root/openvpn-setup-script - that’s necessary to make it executable.


#10

warning openvpn(protonvpn)[1879]: WARNING: Failed running command (–route-up): could not execute external program

chmod a+x /root/openvpn-setup-script should help with this

If it still does not work afterwards please post the output of ip rule show

The rest seems okay.

This is expected as the script did not run and route_noexec disables automatically adding routes.

Side note for everyone using this on other OpenWRT/LEDE devices: If you do not want to lose your settings then move the script to /etc/openvpn/ and add /etc/openvpn/ to the file list to /etc/sysupgrade.conf


#11

I changed the Permission and made a Reboot. I still can’t access the Internet threw the Guest / VPN Network.

root@turris:~# ip rule show
0:	from all lookup local
1030:	from all iif br-guest_turris lookup 103
1035:	from all iif br-guest_turris unreachable
32766:	from all lookup main
32767:	from all lookup default

root@turris:~# ls -l
-rwxr-xr-x    1 root     root           326 Oct 15 08:22 openvpn-setup-script

#12

Please post or pastebin the output of ip route show table 103 and grep openvpn /var/log/messages


#13
root@turris:~# ip route show table 103
unreachable default  proto static  metric 20

root@turris:~# grep openvpn /var/log/messages
https://paste.debian.net/991166/

Options error: No client-side authentication method is specified.  You must use either --cert/--key, --pkcs12, or --auth-user-pass

This i had also before and in my openvpn config i setup as client.


#14

Run ip route replace default via 10.8.8.1 table 103 metric 10 and verify if the guest network is able to reach the internet.

And please check if there is an empty line in /root/openvpn-setup-script. The very first line of this file is #!/bin/sh

Running /root/openvpn-setup-script in a terminal should give no error or output but ip route show table 103 should give 2 unreachable default routes.


#15

Yes with your Command i have now on the Guest W-Lan a Internet Connection over VPN.

 ip route replace default via 10.8.8.1 table 103 metric 10

So the Script is not running Correctly? I have checked it and had no “line” or something else before


#16

Error…

root@turris:~# ./openvpn-setup-script
./openvpn-setup-script: line 18: /sbin/ip: not found

Which Package do i need for the IP command?


#17

Replace /sbin/ip with /usr/sbin/ip or ip

It seems LEDE x86-64 has a different path for this and i tried it only on a VM.

Package name is ip-full


#18

Amazing! Thank you so much it works now.

Is there a Wiki from Turris? Would be good to make a How-To on there for others.


#19

It should be in the OpenWRT and LEDE wiki but it is not. It is also not fully featured. It will only work with all-or-nothing default routing to one gateway ip. If OpenVPN pushes multiple routes to different gateways it will break.

And there is some doc missing how to setup dnsmasq to hand out a different nameserver to the guest network.