VPN on guest network interferes with regular network

craibuc · January 31, 2019, 1:43am

I used the Foris interface to create a guest network; my router has two networks with these properties:

lan: 192.168.1.*; eth0; port0,port1,port2,port3; wlan0
guest_turris: 192.168.2.*; eth2; port4; wlan1

I created an OpenVPN connection and assigned it to the vpn_interface. In the firewall, I connected the guest_zone to the vpn_zone.

When the VPN is operational, and I’m connected to wlan1 or port4, the connection works as expected and the resulting IP address corresponds to the VPN’s expected geolocation.

However, when the VPN is operational, and I’m connected to wlan0 or port0, the network isn’t responsive. While I have an IP address in the 192.168.1.* range, I can’t ping external address via name or number.

What is wrong with my configuration?

anon50890781 · January 31, 2019, 2:00pm

Probably the VPN is set as default gateway when active

craibuc · January 31, 2019, 2:25pm

Thanks for the response.

Where is this set? How do I change it?

anon50890781 · January 31, 2019, 3:01pm

Depends on the sort of VPN being utilized.

routes are listed either in LuCI or can be checked via ssh with ip r | grep default

craibuc · February 1, 2019, 10:57pm

The router is on 192.168.1.0/24 network, the guest network is 192.168.2.0/24. As such, I can’t connect to the router when I’m using the VPN. If I change the guest_zone's Input rule to allow (temporarily), would that allow me to access the router while on the guest network?

What am I hoping to find?

It sounds like I need to add a route when the VPN is active, correct? Is there a way to add one when the VPN starts and remove it when it stops?

** edit **

I started the VPN, but stayed connected to the “main” LAN. I ran ip r:

# ip r
0.0.0.0/1 via 10.35.0.5 dev tun0 
default via 72.50.209.209 dev eth1  proto static 
10.35.0.1 via 10.35.0.5 dev tun0 
10.35.0.5 dev tun0  proto kernel  scope link  src 10.35.0.6 
23.226.128.42 via 72.50.209.209 dev eth1 
72.50.209.208/30 dev eth1  proto kernel  scope link  src 72.50.209.210 
128.0.0.0/1 via 10.35.0.5 dev tun0 
192.168.1.0/24 dev br-lan  proto kernel  scope link  src 192.168.1.1 
192.168.2.0/24 dev br-guest_turris  proto kernel  scope link  src 192.168.2.1

Does this illustrate any issues?

anon50890781 · February 1, 2019, 11:36pm

Your global traffic is routed via the VPN, probably invoked when the VPN gets up. Perhaps check the settings of the VPN.

There are complimentary packages for policy based routing, one is mwan - which seems to suffer some issues in the current TOS version and then there is also VPN policy based routing possible? - SW help - Turris forum

craibuc · February 9, 2019, 6:34pm

I installed the policy-based-routing package that is referenced in that thread. I’m not sure how to use it–do you have any recommendations on the settings or perhaps a good reference?

anon50890781 · February 9, 2019, 7:07pm

Basic understanding should be that rules are working in the order they are listed, i.e. top listed superseding any following rule.

Plus that the VPN is not controlling the routing or else policy routing will have no effect.

As far as I can discern from this thread you only want the guest ip range to be routed via VPN and thus it would require only one

policy rule