OpenWRT: Forward traffic to non private IP address space through VPN

Solution 1

First, though I'm not familiar with UCI, the OpenWrt Wiki informs me it can accommodate manual iptables rules using an external file. You've defined one already: '/etc/firewall.user', so the solution you referred to in your comment may still be viable.

Your routes allow the 192.168.178.0/24 subnet to be reached just fine, assuming that the interface your router uses for that is in fact 'br-wan' and you just failed to copy the last character into your question. It would appear to be a firewall issue.

The output of iptables -L shows something peculiar. The rules that allow traffic from LAN to VPN are:

Chain FORWARD (policy DROP)
delegate_forward  all  --  anywhere             anywhere   

Chain delegate_forward (1 references)
zone_lan_forward  all  --  anywhere             anywhere     

Chain zone_lan_forward (1 references)
zone_ipr_dest_ACCEPT  all  --  anywhere             anywhere             /* forwarding lan -> ipr */

Chain zone_ipr_dest_ACCEPT (2 references)
ACCEPT     all  --  anywhere             anywhere  

The '--verbose' flag would be required to be certain, but based on the comments and names of these chains, it seems these rules apply only to traffic forwarded to the 'tun1337' interface. Your iptables has no equivalent rules for 'br-wan'. Traffic forwarded to the internet router's subnet is eventually rejected.

To do this without manually adding rules, append the following lines to '/etc/config/firewall':

config forwarding
    option src      lan
    option dest     wan

Traffic from behind the OpenWrt router should now arrive at the 192.168.178.0/24 subnet, but there will be no response; the machines behind the internet router do not know how to route packets with a destination in the range 192.168.1.0/24. The easiest way to solve this problem is to have the OpenWrt router perform NAT. Using iptables:

iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o br-wan -j MASQUERADE

My educated guess would be a similar rule will be created automatically by inserting the line option masq 1 in the wan zone configuration in '/etc/config/firewall'.

There are some disadvantages to using NAT. All traffic forwarded in this way will appear to machines behind the internet router to have 192.168.178.20 as a source. Moreover, you will need to set up port forwards to initiate connections from the WAN side of the OpenWrt router.

Avoiding NAT will require further changes to the firewall and the routing table on the internet router. You would need to add the route '192.168.1.0/24 via 192.168.178.20'. If the router does not allow the routing table to be configured manually, you would have to add them to machines on the 192.168.178.0/24 subnet individually. Also, the following lines would have to be appended to '/etc/config/firewall' on the OpenWrt router:

config forwarding
    option src      wan
    option dest     lan
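The zone logic this answer walks through, as an added example that is not part of either answer or of OpenWrt itself: a small Python model of how the chains visible in the question's `iptables -L` output (delegate_forward, zone_<src>_forward, zone_<dst>_dest_ACCEPT, zone_<src>_src_REJECT) decide a forwarded packet's fate, and what source address the printer's LAN sees with and without `option masq 1`. Zone and interface names and addresses are the ones from the question; the `reply_deliverable` helper, which models the internet router as knowing only the static routes it is given, is an assumption for illustration.

```python
"""Toy model of OpenWrt's zone-based forwarding and masquerading (added example,
not fw3 itself). It mirrors the chain structure visible in the question's
`iptables -L` output: delegate_forward -> zone_<src>_forward ->
zone_<dst>_dest_ACCEPT (for a configured forwarding) or zone_<src>_src_REJECT.
IPv4 only; interface names and addresses are the ones from the question."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Zone:
    name: str
    ifaces: tuple            # interfaces that belong to this zone
    forward: str = "REJECT"  # 'option forward' of the zone (intra-zone traffic)
    masq: bool = False       # 'option masq 1' -> MASQUERADE in nat/POSTROUTING


@dataclass
class Firewall:
    zones: list
    forwardings: set = field(default_factory=set)   # (src_zone, dst_zone) pairs
    iface_addr: dict = field(default_factory=dict)  # iface -> router's own address on it

    def zone_of(self, iface):
        for zone in self.zones:
            if iface in zone.ifaces:
                return zone
        raise KeyError(f"{iface} is in no zone")

    def forward_verdict(self, in_iface, out_iface, established=False):
        """Verdict of the FORWARD path for a packet entering in_iface and leaving out_iface."""
        if established:  # 'ACCEPT ... ctstate RELATED,ESTABLISHED' runs before any zone chain
            return "ACCEPT"
        src, dst = self.zone_of(in_iface), self.zone_of(out_iface)
        if (src.name, dst.name) in self.forwardings:  # config forwarding src -> dst
            return "ACCEPT"
        if src is dst:                                 # same zone: the zone's own policy
            return src.forward
        return "REJECT"                                # falls through to zone_<src>_src_REJECT

    def postrouting_src(self, src_ip, out_iface):
        """Source address the next hop sees after nat/POSTROUTING."""
        if self.zone_of(out_iface).masq:
            return self.iface_addr[out_iface]
        return src_ip


UPSTREAM_LAN = ip_network("192.168.178.0/24")


def reply_deliverable(reply_dst, static_routes=()):
    """Can a host on the upstream LAN deliver a reply to reply_dst?
    Assumption for illustration: the host sends on-link traffic directly and
    everything else to 192.168.178.1, which only knows the (prefix, next_hop)
    pairs listed in static_routes."""
    dst = ip_address(reply_dst)
    if dst in UPSTREAM_LAN:
        return True
    return any(dst in ip_network(prefix) for prefix, _ in static_routes)


def build(lan_to_wan=False, wan_masq=False, wan_to_lan=False):
    """The question's /etc/config/firewall, optionally with the changes from the answer."""
    fw = Firewall(
        zones=[
            Zone("lan", ("br-lan",)),
            Zone("wan", ("br-wan",), masq=wan_masq),
            Zone("ipr", ("tun1337",), masq=True),
        ],
        forwardings={("lan", "ipr")},
        iface_addr={"br-lan": "192.168.1.1", "br-wan": "192.168.178.20",
                    "tun1337": "46.246.43.203"},
    )
    if lan_to_wan:
        fw.forwardings.add(("lan", "wan"))
    if wan_to_lan:
        fw.forwardings.add(("wan", "lan"))
    return fw


if __name__ == "__main__":
    client, printer = "192.168.1.2", "192.168.178.2"
    for label, fw in [("as posted", build()),
                      ("+ forwarding lan->wan", build(lan_to_wan=True)),
                      ("+ forwarding lan->wan, masq on wan", build(lan_to_wan=True, wan_masq=True))]:
        verdict = fw.forward_verdict("br-lan", "br-wan")
        seen_src = fw.postrouting_src(client, "br-wan")
        print(f"{label:36} {client}->{printer}: {verdict:6} printer sees {seen_src:15} "
              f"reply deliverable: {reply_deliverable(seen_src)}")
    # The non-NAT alternative: a static route on the internet router plus wan->lan forwarding.
    fw = build(lan_to_wan=True, wan_to_lan=True)
    print("static route on 192.168.178.1:",
          reply_deliverable(client, [("192.168.1.0/24", "192.168.178.20")]),
          "/ wan->lan forward:", fw.forward_verdict("br-wan", "br-lan"))
```

Replies to a connection opened from the lan side match RELATED,ESTABLISHED before any zone chain runs, so the wan->lan forwarding in the non-NAT variant only matters for connections that are initiated from the 192.168.178.0/24 side.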

Solution 2

All you need to do is to add the following route to the OpenWRT routing table,

  ip ro add 192.168.178.0/24 via 192.168.178.1 dev your_WAN_interface

where your_WAN_interface stands for the OpenWRT router's WAN interface NIC. Also you will need the following iptables rule:

  iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d 192.168.178.0/24 -j MASQUERADE


Updated on September 18, 2022

Comments

  • jelhan
    jelhan over 1 year

    I am running an OpenWRT router which establishes a VPN connection via OpenVPN and routes all traffic through the VPN. The OpenWRT router is behind another router, which establishes the internet connection. This all works fine, but now I would like to access other devices in the private network that are not connected to the OpenWRT router.

    The network configuration looks like this:

    • An internet router which establishes the connection to the internet and provides a network at 192.168.178.0/24. Its IP address is 192.168.178.1.
    • A VPN router running OpenWRT which is connected via LAN cable to the internet router. It provides a network at 192.168.1.0/24. Its IP address is 192.168.1.1. It establishes a VPN connection to a server on the internet and routes all traffic from its private network (192.168.1.0/24) through the VPN.

    The goal:

    • A device connected to the VPN router should have access to a device in the network of the internet router. For example, a network printer connected via LAN to the internet router with IP address 192.168.178.2 should be usable from a device connected to the VPN router with IP address 192.168.1.2.

    I configured the OpenWRT router with UCI (Unified Configuration Interface). The configuration looks like the following:

    /etc/config/network

    config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'
    
    config globals 'globals'
        option ula_prefix 'fd6a:fb7c:0d05::/48'
    
    config interface 'lan'
        option ifname 'eth0.1'
        option type 'bridge'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option macaddr 'f8:1a:67:5a:a6:22'
    
    config interface 'wan'
        option ifname 'eth0.2'
        option macaddr 'f8:1a:67:5a:a6:25'
        option netmask '255.255.255.0'
        option proto 'dhcp'
        option type 'bridge'
    
    config interface 'wan6'
        option ifname '@wan'
        option proto 'dhcpv6'
    
    config interface 'IPredator'
        option ifname 'tun1337'
        option proto 'none'
    
    config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'
    
    config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0t 2 3 4 5'
    
    config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0t 1'
    

    /etc/config/firewall

    config defaults
        option syn_flood    1
        option input        ACCEPT
        option output       ACCEPT
        option forward      REJECT
    # Uncomment this line to disable ipv6 rules
    #   option disable_ipv6 1
    
    config zone
        option name     lan
        list   network      'lan'
        option input        ACCEPT
        option output       ACCEPT
        option forward      REJECT
    
    config zone
        option name     wan
        list   network      'wan'
        list   network      'wan6'
        option input        ACCEPT
        option output       ACCEPT
        option forward      REJECT
    
    config zone
        option name         ipr
        option input        REJECT
        option output       ACCEPT
        option forward      REJECT
        option masq     1
        option mtu_fix      1
        list   network      'IPredator'
    
    config forwarding
        option src      lan
        option dest     ipr
    
    # We need to accept udp packets on port 68,
    # see https://dev.openwrt.org/ticket/4108
    config rule
        option name     Allow-DHCP-Renew
        option src      wan
        option proto        udp
        option dest_port    68
        option target       ACCEPT
        option family       ipv4
    
    # Allow IPv4 ping
    config rule
        option name     Allow-Ping
        option src      wan
        option proto        icmp
        option icmp_type    echo-request
        option family       ipv4
        option target       ACCEPT
    
    # Allow DHCPv6 replies
    # see https://dev.openwrt.org/ticket/10381
    config rule
        option name     Allow-DHCPv6
        option src      wan
        option proto        udp
        option src_ip       fe80::/10
        option src_port     547
        option dest_ip      fe80::/10
        option dest_port    546
        option family       ipv6
        option target       ACCEPT
    
    # Allow essential incoming IPv6 ICMP traffic
    config rule
        option name     Allow-ICMPv6-Input
        option src      wan
        option proto    icmp
        list icmp_type      echo-request
        list icmp_type      echo-reply
        list icmp_type      destination-unreachable
        list icmp_type      packet-too-big
        list icmp_type      time-exceeded
        list icmp_type      bad-header
        list icmp_type      unknown-header-type
        list icmp_type      router-solicitation
        list icmp_type      neighbour-solicitation
        list icmp_type      router-advertisement
        list icmp_type      neighbour-advertisement
        option limit        1000/sec
        option family       ipv6
        option target       ACCEPT
    
    # Allow essential forwarded IPv6 ICMP traffic
    config rule
        option name     Allow-ICMPv6-Forward
        option src      wan
        option dest     *
        option proto        icmp
        list icmp_type      echo-request
        list icmp_type      echo-reply
        list icmp_type      destination-unreachable
        list icmp_type      packet-too-big
        list icmp_type      time-exceeded
        list icmp_type      bad-header
        list icmp_type      unknown-header-type
        option limit        1000/sec
    
        option family       ipv6
        option target       ACCEPT
    
    # include a file with users custom iptables rules
    config include
        option path /etc/firewall.user
    

    ifconfig -a

    root@OpenWrt:~# ifconfig -a
    br-lan    Link encap:Ethernet  HWaddr F8:1A:67:5A:A6:22  
              inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
              inet6 addr: fe80::fa1a:67ff:fe5a:a622/64 Scope:Link
              inet6 addr: fd6a:fb7c:d05::1/60 Scope:Global
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:93532 errors:0 dropped:0 overruns:0 frame:0
              TX packets:115912 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0 
              RX bytes:56145012 (53.5 MiB)  TX bytes:123691502 (117.9 MiB)
    
    br-wan    Link encap:Ethernet  HWaddr F8:1A:67:5A:A6:25  
              inet addr:192.168.178.20  Bcast:192.168.178.255  Mask:255.255.255.0
              inet6 addr: fe80::fa1a:67ff:fe5a:a625/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:115908 errors:0 dropped:0 overruns:0 frame:0
              TX packets:92434 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0 
              RX bytes:130982133 (124.9 MiB)  TX bytes:16794507 (16.0 MiB)
    
    eth0      Link encap:Ethernet  HWaddr 00:04:9F:EF:01:01  
              inet6 addr: fe80::204:9fff:feef:101/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:205419 errors:0 dropped:0 overruns:0 frame:0
              TX packets:203843 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000 
              RX bytes:192549225 (183.6 MiB)  TX bytes:137710000 (131.3 MiB)
              Base address:0x4000 
    
    eth0.1    Link encap:Ethernet  HWaddr 00:04:9F:EF:01:01  
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:89286 errors:0 dropped:0 overruns:0 frame:0
              TX packets:111404 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0 
              RX bytes:55392304 (52.8 MiB)  TX bytes:120099623 (114.5 MiB)
    
    eth0.2    Link encap:Ethernet  HWaddr 00:04:9F:EF:01:01  
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:115908 errors:0 dropped:0 overruns:0 frame:0
              TX packets:92434 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0 
              RX bytes:130982133 (124.9 MiB)  TX bytes:16794507 (16.0 MiB)
    
    lo        Link encap:Local Loopback  
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:65536  Metric:1
              RX packets:12 errors:0 dropped:0 overruns:0 frame:0
              TX packets:12 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0 
              RX bytes:2232 (2.1 KiB)  TX bytes:2232 (2.1 KiB)
    
    tun1337   Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
              inet addr:46.246.43.203  P-t-P:46.246.43.203  Mask:255.255.255.0
              UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
              RX packets:114743 errors:0 dropped:0 overruns:0 frame:0
              TX packets:91993 errors:0 dropped:351 overruns:0 carrier:0
              collisions:0 txqueuelen:100 
              RX bytes:121822466 (116.1 MiB)  TX bytes:55995093 (53.4 MiB)
    
    wlan0     Link encap:Ethernet  HWaddr F8:1A:67:5A:A6:24  
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:122 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000 
              RX bytes:0 (0.0 B)  TX bytes:22643 (22.1 KiB)
    
    wlan1     Link encap:Ethernet  HWaddr F8:1A:67:5A:A6:23  
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:4244 errors:0 dropped:0 overruns:0 frame:0
              TX packets:4750 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000 
              RX bytes:812112 (793.0 KiB)  TX bytes:3727774 (3.5 MiB)
    

    route

    root@OpenWrt:~# route
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    default         anon-43-1.vpn.i 128.0.0.0       UG    0      0        0 tun1337
    default         192.168.178.1   0.0.0.0         UG    0      0        0 br-wan
    46.246.43.0     *               255.255.255.0   U     0      0        0 tun1337
    46.246.43.130   192.168.178.1   255.255.255.255 UGH   0      0        0 br-wan
    128.0.0.0       anon-43-1.vpn.i 128.0.0.0       UG    0      0        0 tun1337
    192.168.1.0     *               255.255.255.0   U     0      0        0 br-lan
    192.168.178.0   *               255.255.255.0   U     0      0        0 br-wan
    

    iptables -L

    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination         
      403  172K delegate_input  all  --  any    any     anywhere             anywhere            
    
    Chain FORWARD (policy DROP 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination         
      358  169K delegate_forward  all  --  any    any     anywhere             anywhere            
    
    Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination         
      317 84722 delegate_output  all  --  any    any     anywhere             anywhere            
    
    Chain delegate_forward (1 references)
     pkts bytes target     prot opt in     out     source               destination         
      358  169K forwarding_rule  all  --  any    any     anywhere             anywhere             /* user chain for forwarding */
      340  167K ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
       18  2048 zone_lan_forward  all  --  br-lan any     anywhere             anywhere            
        0     0 zone_wan_forward  all  --  br-wan any     anywhere             anywhere            
        0     0 zone_ipr_forward  all  --  tun1337 any     anywhere             anywhere            
        0     0 reject     all  --  any    any     anywhere             anywhere            
    
    Chain delegate_input (1 references)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 ACCEPT     all  --  lo     any     anywhere             anywhere            
      403  172K input_rule  all  --  any    any     anywhere             anywhere             /* user chain for input */
      145 13909 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
        5   268 syn_flood  tcp  --  any    any     anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN
       11   766 zone_lan_input  all  --  br-lan any     anywhere             anywhere            
      243  157K zone_wan_input  all  --  br-wan any     anywhere             anywhere            
        4   208 zone_ipr_input  all  --  tun1337 any     anywhere             anywhere            
    
    Chain delegate_output (1 references)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 ACCEPT     all  --  any    lo      anywhere             anywhere            
      317 84722 output_rule  all  --  any    any     anywhere             anywhere             /* user chain for output */
      129 27577 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
        0     0 zone_lan_output  all  --  any    br-lan  anywhere             anywhere            
      186 56993 zone_wan_output  all  --  any    br-wan  anywhere             anywhere            
        2   152 zone_ipr_output  all  --  any    tun1337  anywhere             anywhere            
    
    Chain forwarding_ipr_rule (1 references)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain forwarding_lan_rule (1 references)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain forwarding_rule (1 references)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain forwarding_wan_rule (1 references)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain input_ipr_rule (1 references)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain input_lan_rule (1 references)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain input_rule (1 references)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain input_wan_rule (1 references)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain output_ipr_rule (1 references)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain output_lan_rule (1 references)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain output_rule (1 references)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain output_wan_rule (1 references)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain reject (4 references)
     pkts bytes target     prot opt in     out     source               destination         
        4   208 REJECT     tcp  --  any    any     anywhere             anywhere             reject-with tcp-reset
        0     0 REJECT     all  --  any    any     anywhere             anywhere             reject-with icmp-port-unreachable
    
    Chain syn_flood (1 references)
     pkts bytes target     prot opt in     out     source               destination         
        5   268 RETURN     tcp  --  any    any     anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 25/sec burst 50
        0     0 DROP       all  --  any    any     anywhere             anywhere            
    
    Chain zone_ipr_dest_ACCEPT (2 references)
     pkts bytes target     prot opt in     out     source               destination         
       20  2200 ACCEPT     all  --  any    tun1337  anywhere             anywhere            
    
    Chain zone_ipr_forward (1 references)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 forwarding_ipr_rule  all  --  any    any     anywhere             anywhere             /* user chain for forwarding */
        0     0 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate DNAT /* Accept port forwards */
        0     0 zone_ipr_src_REJECT  all  --  any    any     anywhere             anywhere            
    
    Chain zone_ipr_input (1 references)
     pkts bytes target     prot opt in     out     source               destination         
        4   208 input_ipr_rule  all  --  any    any     anywhere             anywhere             /* user chain for input */
        0     0 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate DNAT /* Accept port redirections */
        4   208 zone_ipr_src_REJECT  all  --  any    any     anywhere             anywhere            
    
    Chain zone_ipr_output (1 references)
     pkts bytes target     prot opt in     out     source               destination         
        2   152 output_ipr_rule  all  --  any    any     anywhere             anywhere             /* user chain for output */
        2   152 zone_ipr_dest_ACCEPT  all  --  any    any     anywhere             anywhere            
    
    Chain zone_ipr_src_REJECT (2 references)
     pkts bytes target     prot opt in     out     source               destination         
        4   208 reject     all  --  tun1337 any     anywhere             anywhere            
    
    Chain zone_lan_dest_ACCEPT (1 references)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 ACCEPT     all  --  any    br-lan  anywhere             anywhere            
    
    Chain zone_lan_forward (1 references)
     pkts bytes target     prot opt in     out     source               destination         
       18  2048 forwarding_lan_rule  all  --  any    any     anywhere             anywhere             /* user chain for forwarding */
       18  2048 zone_ipr_dest_ACCEPT  all  --  any    any     anywhere             anywhere             /* forwarding lan -> ipr */
        0     0 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate DNAT /* Accept port forwards */
        0     0 zone_lan_src_REJECT  all  --  any    any     anywhere             anywhere            
    
    Chain zone_lan_input (1 references)
     pkts bytes target     prot opt in     out     source               destination         
       11   766 input_lan_rule  all  --  any    any     anywhere             anywhere             /* user chain for input */
        0     0 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate DNAT /* Accept port redirections */
       11   766 zone_lan_src_ACCEPT  all  --  any    any     anywhere             anywhere            
    
    Chain zone_lan_output (1 references)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 output_lan_rule  all  --  any    any     anywhere             anywhere             /* user chain for output */
        0     0 zone_lan_dest_ACCEPT  all  --  any    any     anywhere             anywhere            
    
    Chain zone_lan_src_ACCEPT (1 references)
     pkts bytes target     prot opt in     out     source               destination         
       11   766 ACCEPT     all  --  br-lan any     anywhere             anywhere            
    
    Chain zone_lan_src_REJECT (1 references)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 reject     all  --  br-lan any     anywhere             anywhere            
    
    Chain zone_wan_dest_ACCEPT (1 references)
     pkts bytes target     prot opt in     out     source               destination         
      186 56993 ACCEPT     all  --  any    br-wan  anywhere             anywhere            
    
    Chain zone_wan_forward (1 references)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 forwarding_wan_rule  all  --  any    any     anywhere             anywhere             /* user chain for forwarding */
        0     0 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate DNAT /* Accept port forwards */
        0     0 zone_wan_src_REJECT  all  --  any    any     anywhere             anywhere            
    
    Chain zone_wan_input (1 references)
     pkts bytes target     prot opt in     out     source               destination         
      243  157K input_wan_rule  all  --  any    any     anywhere             anywhere             /* user chain for input */
        0     0 ACCEPT     udp  --  any    any     anywhere             anywhere             udp dpt:bootpc /* Allow-DHCP-Renew */
        0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp echo-request /* Allow-Ping */
        0     0 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate DNAT /* Accept port redirections */
      243  157K zone_wan_src_ACCEPT  all  --  any    any     anywhere             anywhere            
    
    Chain zone_wan_output (1 references)
     pkts bytes target     prot opt in     out     source               destination         
      186 56993 output_wan_rule  all  --  any    any     anywhere             anywhere             /* user chain for output */
      186 56993 zone_wan_dest_ACCEPT  all  --  any    any     anywhere             anywhere            
    
    Chain zone_wan_src_ACCEPT (1 references)
     pkts bytes target     prot opt in     out     source               destination         
      243  157K ACCEPT     all  --  br-wan any     anywhere             anywhere            
    
    Chain zone_wan_src_REJECT (1 references)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 reject     all  --  br-wan any     anywhere             anywhere            
    

    I am not so used to network configuration. So I really would appreciate your help.

  • jelhan
    jelhan over 10 years
    I applied the config forwarding from lan to wan in my /etc/config/firewall. Afterwards iptables -L is showing similar rules to what you posted for wan. But the local network on 192.168.178.0/24 (local network with the OpenWRT router as a client) is still not reachable from 192.168.1.0/24 (local network behind the OpenWRT router). Do you have any idea?
  • jelhan
    jelhan over 10 years
    I updated the question with the output of iptables -L --verbose. It is in the state without applying your suggestion. Hope that helps.
  • jelhan
    jelhan over 10 years
    My OpenWRT doesn't have ip package. I tried to apply your command on route like this route add 192.168.178.0/24 gw 192.168.178.1 dev br-wan but this fails with route: netmask 000000ff and host route conflict. I could apply your iptables route with correcting destination ip address space to 192.168.178.0/24 but afterwards 192.168.178.0/24 is still not accessible from behind vpn router. Also I would really like to stay with UCI configuration.
  • Marcks Thomas
    Marcks Thomas over 10 years
    @jelhan: As MariusMatutiae's answer reminded me, I missed the part where the machines on 192.168.178.0/24 need to reply via the OpenWrt router. I've expanded my answer with a few recommendations.
  • MariusMatutiae
    MariusMatutiae over 10 years
    @jelhan the correct command is route add -net 192.168.178.0/24 gw 192.168.178.1 ...: you need the net flag.
  • jelhan
    jelhan over 10 years
    Working fine now also with option masq 1, so I could configure all of it in UCI. Thank you very much. One last question, just for interest: on which rule does the VPN router now decide which packet should be passed through the VPN?
  • Marcks Thomas
    Marcks Thomas over 10 years
    @jelhan: With some trickery, OpenVPN creates a default route via 'anon-43-130.vpn.ipredator.se' on tun1337. All destinations not matching a specific route are forwarded over VPN. '46.246.43.130 on br-wan' is one such route (you use the regular internet connection to contact the VPN server itself), as is 192.168.178.0/24. You can add more if you don't want to use VPN for specific IPs.