Configure VPN tunnel just for one VLAN
I have the following topology:
- router (192.168.10.1, 192.168.11.1)
- WAN - eth1 (1.2.3.4)
- VLAN1 (br-lan) - eth0 (PC1, 192.168.10.2, PC2, 192.168.10.3)
- VLAN2 (br-lantv) - eth2 (Smart TV, 192.168.11.2)
and I have an OpenVPN client running on the router. I want to route JUST the traffic from the Smart TV (VLAN2) through the VPN tunnel; the rest (router, VLAN1) should go directly to the WAN, without the TV even noticing (it is pretty dumb, and I'm unable to configure a VPN client on it).
The router is running OpenWRT (Turris Omnia).
I ended up with the following:
/etc/config/firewall

config zone
    option name 'lan'
    list network 'lan'

config zone
    option name 'lantv'
    list network 'lantv'

config zone
    option name 'vpn'
    list network 'vpntun0'

config forwarding
    option src 'lantv'
    option dest 'vpn'

config forwarding
    option src 'lan'
    option dest 'wan'
/etc/config/network

config interface 'lan'
    option ifname 'eth0'
    option force_link '1'
    option type 'bridge'
    option proto 'static'
    option netmask '255.255.255.0'
    option ip6assign '60'
    option ipaddr '192.168.10.1'

config interface 'lantv'
    option ifname 'eth2'
    option type 'bridge'
    option proto 'static'
    option netmask '255.255.255.0'
    option ipaddr '192.168.11.1'

config interface 'nordvpntun'
    option proto 'none'
    option ifname 'tun0'
    option delegate '0'

config interface 'wan'
    option ifname 'eth1'
    option proto 'dhcp'
And I end up with the following routing table:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         10.7.7.1        128.0.0.0       UG    0      0        0 tun0
default         1.2.3.4         0.0.0.0         UG    0      0        0 eth1
10.7.7.0        *               255.255.255.0   U     0      0        0 tun0
78.45.252.0     *               255.255.255.0   U     0      0        0 eth1
78.45.252.1     *               255.255.255.255 UH    0      0        0 eth1
128.0.0.0       10.7.7.1        128.0.0.0       UG    0      0        0 tun0
173.209.60.43   1.2.3.4         255.255.255.255 UGH   0      0        0 eth1
192.168.10.0    *               255.255.255.0   U     0      0        0 br-lan
192.168.11.0    *               255.255.255.0   U     0      0        0 br-lantv
Traffic from LAN cannot reach the internet.
I tried the following:

config forwarding
    option src 'lan'
    option dest 'vpn'

which routes everything, even from the PCs and the router, through the VPN, and that is undesirable.
OR adding
--route-nopull
to the VPN config, which ended up with no routes; lantv was forwarded to vpn, but it ended there, and the internet was unreachable.
What I am probably missing is how to define a default gateway route for a specific VLAN and configure lantv that way. Or am I doing it completely wrong? Is a separate VLAN even needed? I want to re-route only a single device. Thanks!
networking router vpn openwrt
asked Mar 30 '18 at 0:13 by nothrow, edited Mar 30 '18 at 6:26
1 Answer
The "forwarding" statements in the LuCI configuration relate to firewalling (and it would seem that you need complementary entries for it to work). Take a look here (OpenWRT wiki).
What you really need to do is implement policy (source) based routing, which can be configured using rules and different routing tables. You will need iproute2 to do that, and a short HowTo is available here (OpenWrt wiki).
answered Mar 30 '18 at 20:24 by Carlos Mendioroz, edited Jan 13 at 15:39 by Community♦
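As an added example (not from the answer or the OpenWrt wiki), here are the iproute2 commands the answer points at, using the asker's own addresses: packets sourced from 192.168.11.0/24 are looked up in a separate table whose default route goes through tun0, while the main table keeps the WAN default. It assumes the OpenVPN client runs with `route-nopull` (so it stops installing the two half-default routes seen in the question's routing table), that the tunnel gateway is 10.7.7.1 as shown there, and that table number 100 and the rule priorities are arbitrary choices; to survive a reboot the same routes and rules belong in /etc/config/network as `config route` / `config rule` sections, or in an OpenVPN up script.

```shell
#!/bin/sh
# Added example, not from the question or the answer: policy-based routing
# that sends only VLAN2 (192.168.11.0/24, br-lantv) through the OpenVPN tunnel.
# Assumptions: tunnel device tun0 with gateway 10.7.7.1 (from the asker's
# routing table), OpenVPN started with --route-nopull, and table 100 plus the
# rule priorities below chosen arbitrarily.
VLAN_SUBNET="${VLAN_SUBNET:-192.168.11.0/24}"   # the VLAN that must use the VPN
LAN_SUBNET="${LAN_SUBNET:-192.168.10.0/24}"     # VLAN1, must stay off the tunnel
VPN_DEV="${VPN_DEV:-tun0}"
VPN_GW="${VPN_GW:-10.7.7.1}"
VPN_TABLE="${VPN_TABLE:-100}"
DRY_RUN="${DRY_RUN:-1}"   # 1 prints the commands; 0 executes them (root on the router)

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Routing table for VLAN2: a default via the tunnel plus, at a worse metric, an
# 'unreachable' default. When tun0 goes down the kernel deletes the routes that
# used it, the unreachable route takes over, and TV traffic is rejected instead
# of silently falling back to the WAN default route in the main table.
pbr_routes() {
    run ip route replace default via "$VPN_GW" dev "$VPN_DEV" table "$VPN_TABLE"
    run ip route replace unreachable default metric 1000 table "$VPN_TABLE"
}

# Rules are evaluated by ascending priority before the main table (priority 32766).
# VLAN2 -> VLAN1 traffic is looked up in main so it stays local (whether the
# firewall then allows it is a separate matter); everything else sourced from
# VLAN2 is looked up in the VPN table.
pbr_rules() {
    run ip rule add from "$VLAN_SUBNET" to "$LAN_SUBNET" lookup main priority 99
    run ip rule add from "$VLAN_SUBNET" lookup "$VPN_TABLE" priority 100
}

pbr_apply() {
    pbr_routes
    pbr_rules
}

pbr_apply
```

Two checks against the asker's firewall config: the vpn zone's `list network` must name the interface section exactly as it is declared in /etc/config/network, and that zone needs `option masq '1'` so that replies to the TV's connections, which leave with the tunnel's address, find their way back.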