Running OpenVPN VPN client for specific routes only

Hello,

I am pretty new to the VyOS operating system; I recently, somehow, managed to replace my home network router with a small Dell PC.

I have configured everything, and OpenVPN and the static route work perfectly on the VyOS host itself, but it doesn’t work in the LAN. Maybe someone could look over it?

Here are my configuration commands:

set firewall all-ping 'enable'
set firewall broadcast-ping 'disable'
set firewall config-trap 'disable'
set firewall ipv6-receive-redirects 'enable'
set firewall ipv6-src-route 'disable'
set firewall ip-src-route 'disable'
set firewall log-martians 'enable'
set firewall name NET-IN default-action 'drop'
set firewall name NET-IN rule 10 action 'accept'
set firewall name NET-IN rule 10 state established 'enable'
set firewall name NET-IN rule 10 state related 'enable'
set firewall name NET-LOCAL default-action 'drop'
set firewall name NET-LOCAL rule 10 action 'accept'
set firewall name NET-LOCAL rule 10 state established 'enable'
set firewall name NET-LOCAL rule 10 state related 'enable'
set firewall name NET-LOCAL rule 20 action 'accept'
set firewall name NET-LOCAL rule 20 icmp type-name 'echo-request'
set firewall name NET-LOCAL rule 20 protocol 'icmp'
set firewall name NET-LOCAL rule 20 state new 'enable'
set firewall options interface pppoe0 adjust-mss '1414'
set firewall options interface pppoe0 adjust-mss6 '1414'
set firewall receive-redirects 'disable'
set firewall send-redirects 'enable'
set firewall source-validation 'disable'
set firewall syn-cookies 'enable'
set firewall twa-hazards-protection 'disable'
set interfaces bridge br0 address 'xxx.xxx.0.1/24'
set interfaces bridge br0 ipv6 address autoconf
set interfaces bridge br0 ipv6 disable-forwarding
set interfaces bridge br0 ipv6 dup-addr-detect-transmits '1'
set interfaces bridge br0 member interface eth0
set interfaces bridge br0 member interface eth1
set interfaces bridge br0 member interface eth2
set interfaces ethernet eth0 description 'INSIDE 1G'
set interfaces ethernet eth0 hw-id 'XX:XX:XX:XX:XX:58'
set interfaces ethernet eth1 description 'INSIDE 10G'
set interfaces ethernet eth1 hw-id 'XX:XX:XX:XX:XX:c2'
set interfaces ethernet eth2 description 'OUTSIDE 10G'
set interfaces ethernet eth2 hw-id 'XX:XX:XX:XX:XX:c3'
set interfaces loopback lo
set interfaces openvpn vtun0 description 'Vutlr'
set interfaces openvpn vtun0 device-type 'tun'
set interfaces openvpn vtun0 encryption cipher 'aes256'
set interfaces openvpn vtun0 hash 'sha512'
set interfaces openvpn vtun0 mode 'client'
set interfaces openvpn vtun0 openvpn-option 'route-nopull'
set interfaces openvpn vtun0 persistent-tunnel
set interfaces openvpn vtun0 protocol 'udp'
set interfaces openvpn vtun0 remote-host 'xxxx:xxxx:7001:1c'
set interfaces openvpn vtun0 remote-port '1993'
set interfaces openvpn vtun0 tls ca-cert-file xxxxxx
set interfaces openvpn vtun0 tls cert-file xxxxxx
set interfaces openvpn vtun0 tls crypt-file '/config/auth/openvpn/vultr/tls-crypt.key'
set interfaces openvpn vtun0 tls key-file xxxxxx
set interfaces pppoe pppoe0 authentication password xxxxxx
set interfaces pppoe pppoe0 authentication user xxxxxx
set interfaces pppoe pppoe0 default-route 'auto'
set interfaces pppoe pppoe0 firewall in name 'NET-IN'
set interfaces pppoe pppoe0 firewall local name 'NET-LOCAL'
set interfaces pppoe pppoe0 mtu '1454'
set interfaces pppoe pppoe0 source-interface 'br0'
set nat source rule 100 outbound-interface 'pppoe0'
set nat source rule 100 source address 'xxx.xxx.0.0/24'
set nat source rule 100 translation address 'masquerade'
set protocols static interface-route xxx.xxx.161.186/32 next-hop-interface vtun0 distance '1'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.0.0/24 default-router 'xxx.xxx.0.1'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.0.0/24 dns-server 'xxx.xxx.0.1'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.0.0/24 domain-name xxxxxx
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.0.0/24 lease '86400'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.0.0/24 range 0 start 'xxx.xxx.0.50'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.0.0/24 range 0 stop 'xxx.xxx.0.254'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.0.0/24 static-mapping xxxxxx ip-address 'xxx.xxx.0.2'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.0.0/24 static-mapping xxxxxx mac-address 'XX:XX:XX:XX:XX:18'
set service dns forwarding allow-from 'xxx.xxx.0.0/24'
set service dns forwarding cache-size '0'
set service dns forwarding listen-address 'xxx.xxx.0.1'
set service dns forwarding name-server 'xxx.xxx.1.1'
set service dns forwarding name-server 'xxx.xxx.8.8'
set service ssh port '22'
set system config-management commit-revisions '100'
set system console device ttyS0 speed '115200'
set system host-name xxxxxx
set system login user xxxxxx authentication encrypted-password xxxxxx
set system login user xxxxxx authentication plaintext-password xxxxxx
set system ntp server xxxxx.tld
set system ntp server xxxxx.tld
set system ntp server xxxxx.tld
set system ntp server xxxxx.tld
set system syslog global facility all level 'info'
set system syslog global facility protocols level 'debug'
set system time-zone 'Asia/Tokyo'

Did you try to disable the firewall?

I just did delete the firewall, but no difference: it works on the router but not in the local network… Maybe it’s related to NAT, etc.?

Hello @aurimas, why did you add your WAN interface to the bridge?
Did you check the show ip route output from the CLI and run traceroute xxx.xxx.161.186 from a PC on your LAN?

Ah, it’s a special case in Japan: we have FTTH based on GPON technology, and we have an ONU box that provides IPv6 by direct LAN connection and IPv4 via PPPoE. So I need to bridge WAN with LAN so I could get IPv6 working (maybe it’s bad practice, but it was the only way I managed to get it working). Just to clarify, there are no IPv4 communications on the WAN side, only IPv6 + PPPoE.

I did run show ip route on the router and it was routing straight through the VPN (10.8.0.1), so that’s fine, but traceroute on LAN devices stops at the 192.168.0.1 router and doesn’t go any further.

Ok, does the remote OpenVPN router know about your local net xxx.xxx.0.0/24?
Can you try to run ping xxx.xxx.161.186 interface xxx.xxx.0.1, where xxx.xxx.0.1 is the IP address on the bridge interface?
Otherwise, you need to add an additional NAT rule:

set nat source rule 110 outbound-interface 'vtun0'
set nat source rule 110 source address 'xxx.xxx.0.0/24'
set nat source rule 110 translation address 'masquerade'

Note: As for IPv6, the ISP can provide a Framed IPv6 address and also a Delegated IPv6 Prefix. I don’t know exactly how this is configured, but your LAN clients should receive IPv6 addresses from the Delegated IPv6 Prefix.
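The gap the reply above points at (a host route pushed into the tunnel, but the LAN subnet only masqueraded on pppoe0, so replies to LAN clients have no way back) can be checked mechanically from a VyOS configuration dump. The script below is an added example, not code from the thread or from the VyOS project: it parses `set` commands in the VyOS 1.3 syntax used in this thread, lists the `interface-route` entries whose next-hop interface has no `masquerade` rule covering a local subnet, and prints the missing `set nat source rule` lines. The sample configuration, the 192.168.0.0/24 LAN and the 203.0.113.186 destination are constructed for the example and stand in for the redacted addresses in the post.

```python
import shlex
from ipaddress import ip_interface, ip_network

# Constructed, abridged configuration mirroring the thread's layout:
# LAN on br0, a host route into vtun0, but masquerade only on pppoe0.
SAMPLE_CONFIG = """
set interfaces bridge br0 address '192.168.0.1/24'
set interfaces bridge br0 ipv6 address autoconf
set interfaces openvpn vtun0 mode 'client'
set interfaces openvpn vtun0 openvpn-option 'route-nopull'
set nat source rule 100 outbound-interface 'pppoe0'
set nat source rule 100 source address '192.168.0.0/24'
set nat source rule 100 translation address 'masquerade'
set protocols static interface-route 203.0.113.186/32 next-hop-interface vtun0 distance '1'
"""


def parse_set_commands(text):
    """Turn 'set ...' lines into token lists with the quoting removed."""
    return [shlex.split(line.strip())[1:]
            for line in text.splitlines() if line.strip().startswith("set ")]


def lan_subnets(cmds):
    """IPv4 subnets configured on local interfaces (host /32s excluded)."""
    nets = set()
    for c in cmds:
        if c[0] == "interfaces" and "address" in c:
            try:
                net = ip_interface(c[c.index("address") + 1]).network
            except ValueError:          # 'dhcp', 'autoconf', ... are not addresses
                continue
            if net.version == 4 and net.prefixlen < 32:
                nets.add(net)
    return nets


def interface_routes(cmds):
    """(prefix, next-hop interface) pairs from 'protocols static interface-route'."""
    return [(c[3], c[c.index("next-hop-interface") + 1]) for c in cmds
            if c[:3] == ["protocols", "static", "interface-route"]
            and "next-hop-interface" in c]


def source_nat_rules(cmds):
    """Per-rule-number dict of outbound interface, source network and translation."""
    rules = {}
    for c in cmds:
        if c[:3] != ["nat", "source", "rule"]:
            continue
        r = rules.setdefault(int(c[3]), {})
        if c[4] == "outbound-interface":
            r["iface"] = c[-1]
        elif c[4:6] == ["source", "address"]:
            r["src"] = ip_network(c[6], strict=False)
        elif c[4:6] == ["translation", "address"]:
            r["xlate"] = c[6]
    return rules


def masqueraded(rules, iface, net):
    """True if some masquerade rule on iface covers the whole LAN subnet."""
    return any(r.get("iface") == iface and r.get("xlate") == "masquerade"
               and net.subnet_of(r.get("src", ip_network("0.0.0.0/0")))
               for r in rules.values())


def missing_vpn_nat(text):
    """Routes whose next-hop interface lacks masquerade for a LAN subnet."""
    cmds = parse_set_commands(text)
    nets, rules = lan_subnets(cmds), source_nat_rules(cmds)
    return [(prefix, iface, str(net))
            for prefix, iface in interface_routes(cmds)
            for net in sorted(nets, key=str)
            if not masqueraded(rules, iface, net)]


def fix_commands(text, first_rule=110):
    """'set nat source rule' lines that close each gap, numbered above existing rules."""
    existing = source_nat_rules(parse_set_commands(text))
    rule = max([first_rule - 10, *existing]) + 10
    lines, seen = [], set()
    for _, iface, net in missing_vpn_nat(text):
        if (iface, net) in seen:
            continue
        seen.add((iface, net))
        lines += [f"set nat source rule {rule} outbound-interface '{iface}'",
                  f"set nat source rule {rule} source address '{net}'",
                  f"set nat source rule {rule} translation address 'masquerade'"]
        rule += 10
    return lines


if __name__ == "__main__":
    for prefix, iface, net in missing_vpn_nat(SAMPLE_CONFIG):
        print(f"{prefix} via {iface}: no masquerade for {net}")
    print("\n".join(fix_commands(SAMPLE_CONFIG)))
```

Run against a real box, feed it the output of `show configuration commands`; the generated rule numbers start above the highest existing source NAT rule so they do not collide with rule 100. The check only models the case from this thread (a LAN subnet behind a routed tunnel with masquerade), not policy-based routing or tunnels where the far end already has a return route.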

No, it is just a cloud instance running an OpenVPN server, and I don’t need much from it, just to route some routes through it; the local IPv4 is really bad quality with less than 100 Mbit down, while IPv6 can do up to 800 Mbit/s.

This did help and it worked. Thank you!

I have tried almost all possible combinations of DHCPv6 options and prefix delegation to br0, but none of it worked on the LAN side: the host gets the IPv6 address with no issue, but LAN devices do not. If you have any suggestions I am all ears, as I also feel this bridged way is not a correct one.
