I have the following working setup on my network:
A. ISP-Router (connected to inet, internal ip 192.168.0.1 ) <----> B. eth0 - OpenWrt Router (OpenVPN client running) br-lan (bridge eth1 + wlan0, ip 192.168.1.0) <----> C. Multiple Clients
The idea is that all client connections go through B. B routes everything through the VPN. If the VPN connection breaks down, clients have no internet access anymore. Thus, I prevent clients from exposing themselves in case there is a problem with the vpn connection.
My setup of the OpenWrt router is taken from here: https://blog.ipredator.se/howto/openwrt/configuring-openvpn-on-openwrt.html
Summing it up:
1. Relevant devices:
root@OpenWrt:~# ifconfig
br-lan Link encap:Ethernet
inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
eth0 Link encap:Ethernet
inet addr:192.168.0.16 Bcast:192.168.0.255 Mask:255.255.255.0
tun0 Link encap:UNSPEC
inet addr:10.33.197.41 P-t-P:10.33.197.41 Mask:255.255.0.0
2. Relevant firewall zones:
config zone
    option name 'lan'
    option network 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'
config zone
    option name 'wan'
    option output 'ACCEPT'
    option forward 'REJECT'
    option network 'wan'
    option input 'ACCEPT'
config zone
    option name 'vpn'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'
    option network 'vpn'
config forwarding
    option dest 'vpn'
    option src 'lan'
3. The routing table looks like this:
root@OpenWrt:~# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.33.0.1 128.0.0.0 UG 0 0 0 tun0
0.0.0.0 192.168.0.1 0.0.0.0 UG 0 0 0 eth0
10.33.0.0 0.0.0.0 255.255.0.0 U 0 0 0 tun0
46.122.122.89 192.168.0.1 255.255.255.255 UGH 0 0 0 eth0
128.0.0.0 10.33.0.1 128.0.0.0 UG 0 0 0 tun0
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.0.1 0.0.0.0 255.255.255.255 UH 0 0 0 eth0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 br-lan
Everything with this setup works fine so far. However, now I want to bypass the VPN for specific IPs/hosts, so that they remain available even when the VPN is disconnected. My idea was to add a route for these IPs going directly through A (ip rule add ...). This does not work because it seems that I additionally have to adjust my firewall settings as well. Unfortunately, reading about the basics of iptables has not yet made me understand which changes are to be done.
Edit: After trying things out and researching further, I have come to think that theoretically there are two solutions. However, I don't know how to make them work:
1. Keeping the above concept in place, I need to:
- Add MASQUERADE for my wan_zone (I did this)
- Add FORWARD rules from lan to wan and from wan to lan (I can do this, but then I lose my "vpn-breakdown protection") that are conditional on the IP I want to access (I don't know if and how that works)
2. Changing the concept: getting rid of iptables and instead using iproute2 and policy-based routing (http://www.linupedia.org/opensuse/Policy_Based_Routing)
- By default, route everything only through the VPN
- Conditionally route specific IPs directly through A
However, this seems to be even more complicated, at least for me, because I have never used it.
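The following script is an added example that is not part of the original post or of the ipredator guide it links to. It combines the two ideas from the edit: iproute2 policy-based routing decides the path (a dedicated routing table holding only the ISP gateway, consulted before the main table and therefore before the two tun0 half-defaults), and a single narrow fw3 rule opens lan-to-wan forwarding for exactly that destination, so the lan zone keeps forward=REJECT and the VPN-breakdown protection stays in place for everything not listed. Interface names, the gateway 192.168.0.1 and the zone names are taken from the post; the routing table number 100, the rule priority 1000 and the rule name are assumptions. Run it with DRY_RUN=1 to print the commands instead of executing them (that is what the self-test below does).

```shell
#!/bin/sh
# Selective VPN bypass on the OpenWrt router (B) for individual destination IPs.
# Added example, not the original poster's or OpenWrt's own code.
#
# From the post: upstream interface eth0 via gateway 192.168.0.1, zones "lan"
# and "wan" (masquerading on wan already enabled by the poster), VPN on tun0.
# Assumed: routing table 100 and ip-rule priority 1000 (both just unused values).
# Run with DRY_RUN=1 to print the commands instead of executing them.

WAN_IF=eth0
WAN_GW=192.168.0.1
BYPASS_TABLE=100   # assumed: any routing table number not otherwise in use
BYPASS_PRIO=1000   # assumed: must be lower than the main table's 32766

run() {
    if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Accept only a dotted-quad IPv4 address with octets 0-255. Hostnames are
# refused on purpose: resolving them here would let a DNS answer widen the
# bypass to whatever address the resolver returns.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Routing side: table 100 contains only a default route via the ISP router,
# and a policy rule sends traffic *to* the bypassed IP through that table.
# The main table (0.0.0.0/1 and 128.0.0.0/1 via tun0) is left untouched, so
# every other destination still dies with the tunnel.
bypass_route_add() {
    run ip route replace default via "$WAN_GW" dev "$WAN_IF" table "$BYPASS_TABLE"
    run ip rule add to "$1/32" lookup "$BYPASS_TABLE" priority "$BYPASS_PRIO"
    run ip route flush cache
}

# Firewall side: the lan zone has forward=REJECT and the only forwarding is
# lan->vpn, so packets for the bypassed IP need one explicit lan->wan ACCEPT
# limited to that destination. Replies are matched by fw3's built-in
# ESTABLISHED,RELATED rule, and SNAT to 192.168.0.16 comes from "option masq '1'"
# on the wan zone, so no wan->lan forwarding has to be opened.
bypass_fw_add() {
    run uci add firewall rule
    run uci set "firewall.@rule[-1].name=bypass-$1"
    run uci set "firewall.@rule[-1].src=lan"
    run uci set "firewall.@rule[-1].dest=wan"
    run uci set "firewall.@rule[-1].dest_ip=$1"
    run uci set "firewall.@rule[-1].proto=all"
    run uci set "firewall.@rule[-1].target=ACCEPT"
    run uci commit firewall
    run /etc/init.d/firewall reload
}

# Entry point: validates the address, then applies routing and firewall parts.
# Returns 2 (and changes nothing) when the argument is not an IPv4 address.
add_bypass() {
    is_ipv4 "$1" || { echo "add_bypass: not an IPv4 address: $1" >&2; return 2; }
    bypass_route_add "$1"
    bypass_fw_add "$1"
}

# Usage: DRY_RUN=1 sh vpn-bypass.sh add 203.0.113.5
case "${1:-}" in
    add) add_bypass "$2" ;;
esac
```

Two caveats for anyone applying this: the ip route/ip rule entries are not persistent, so the routing part has to be re-run at boot or from a hotplug script, and `ip rule add` is not idempotent, so running the script twice for the same address adds a duplicate rule (remove it with the matching `ip rule del`). Only traffic addressed to the listed IP leaves via the ISP; DNS lookups from the clients still go through the tunnel, which is what you want if the goal is to keep the clients from exposing themselves.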