Monday, 18 February 2013

Routing issues with OpenWRT and OpenVPN

Hi everybody, today I'm going to expand on the OpenVPN task and solution. This post is an addition to the last one, and all the configuration files are the same. I expect you to have a configured OpenVPN client (TP-Link WDR 4300) running OpenWRT and connected to the OpenVPN server through a tunnel. So let's get started.

The task

After setting up the OpenVPN tunnel, add an additional route to an IP address that is not in the subnet of either the client or the server. All traffic to this outer IP address should be routed through the VPN tunnel.

The solution

This doesn't sound very complicated, but it turns out to be a little bit tricky. In OpenWRT, at least in the version I'm using, adding a route requires installing the “ip” package. The OpenWRT wiki has an article on routing, and as it states, the first thing you have to do is get the “ip” tool for OpenWRT. This can be done with the following commands on the OpenWRT command line:

# opkg update
# opkg install ip

After installing it, you can try adding the new route with the command:

# ip route add 88.88.88.88/32 via 192.168.2.1 dev tun0

*88.88.88.88 is an outer IP used in this example for presentation purposes only.
Test the new route with the traceroute command:

# traceroute 88.88.88.88

Most probably this test will show that the packet is routed through the VPN tunnel, but there will be no output after the VPN gateway (192.168.0.1). If you then ping the same IP, you will get either a “Port unreachable” error or no error at all.
The next thing you have to do is tweak the iptables rules to allow packets from anywhere to pass through your VPN tunnel. Open the file /etc/firewall.user and edit the last two lines, described in my last post. In the end they should look like:

/usr/sbin/iptables -I FORWARD -i tun0 -d 10.16.5.0/24 -o br-lan -s 0.0.0.0/0 -j ACCEPT
/usr/sbin/iptables -I FORWARD -o tun0 -s 10.16.5.0/24 -i br-lan -d 0.0.0.0/0 -j ACCEPT

Restart the firewall, check the route again and test again with traceroute and ping.

# /etc/init.d/firewall restart
# ip route show
# traceroute 88.88.88.88

Now you should have a working connection to the outer IP through the VPN tunnel. So far everything is standard, but if you try to have this route added at boot time of the router, you will get stuck. I tried a lot of OpenWRT configurations and none of them worked. Finally I tried adding it when the tunnel is initialized by OpenVPN, and this one worked like a charm.
You need to create the file /etc/openvpn/additional_routes.sh, which contains the following lines:
#!/bin/ash
# This script adds additional routes after OpenVPN initialization (it is run by the "up" directive in openvpn.conf)
/usr/sbin/ip route add 88.88.88.88/32 via 192.168.2.1 dev tun0

Next, add the following two lines to /etc/openvpn/openvpn.conf:

script-security 2
up /etc/openvpn/additional_routes.sh

What does this do? When OpenVPN is started on the client (the TP-Link router) it will add the new route through the tunnel. What is missing? As configured, OpenVPN will only create the route; it won't delete it. In this scenario that is not needed, because OpenVPN is started together with the router, and when the router is turned off everything is gone. In your scenario, if you stop and start the OpenVPN service on the client, it is better to delete the route every time and add it again at start.
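If you do want the route removed when the tunnel goes down and re-added when it comes back, the one-line script can be replaced by the following. This is an added example, not code from the original post: it assumes the addresses from the post, that the file is made executable and referenced from openvpn.conf by both an "up" and a "down" directive (with script-security 2), and it uses the script_type and dev variables that OpenVPN exports to its scripts.

```shell
#!/bin/sh
# Added example, not from the original post: one script that OpenVPN runs as
# both its "up" and "down" script, so the route is deleted when the tunnel
# goes down and re-added when it comes up. It relies on the environment
# OpenVPN sets for scripts (script_type = "up"/"down", dev = tunnel device);
# the addresses and the path to "ip" are the ones used in the post.
ROUTE_DST="${ROUTE_DST:-88.88.88.88/32}"   # outer host from the post (example value)
VPN_GW="${VPN_GW:-192.168.2.1}"            # tunnel gateway used in the post
IP="${IP:-/usr/sbin/ip}"                    # "ip" tool from the ip package
DRY_RUN="${DRY_RUN:-0}"                     # 1 = print the command instead of running it

# Map OpenVPN's script_type to the "ip route" verb; fails for any other type.
route_verb() {
    case "$1" in
        up)   echo add ;;
        down) echo del ;;
        *)    return 1 ;;
    esac
}

# Build the exact command line for a verb and tunnel device (for logging / dry runs).
route_cmd() {
    echo "$IP route $1 $ROUTE_DST via $VPN_GW dev $2"
}

# Apply the route change for the given script type ($1) and device ($2).
# On "up", first remove any stale copy of the route so that restarting
# OpenVPN never fails with "File exists" (errors from that delete are ignored).
apply_route() {
    verb=$(route_verb "$1") || { echo "additional_routes: unsupported script_type '$1'" >&2; return 1; }
    if [ "$DRY_RUN" = 1 ]; then
        route_cmd "$verb" "$2"
        return 0
    fi
    [ "$verb" = add ] && "$IP" route del "$ROUTE_DST" dev "$2" 2>/dev/null
    "$IP" route "$verb" "$ROUTE_DST" via "$VPN_GW" dev "$2"
}

# Only act when OpenVPN invokes us; $1 is the device name OpenVPN passes as
# the first positional argument to up/down scripts, used if $dev is not set.
if [ -n "${script_type:-}" ]; then
    apply_route "$script_type" "${dev:-$1}"
fi
```

OpenVPN can also add and remove such a host route itself with a route directive in openvpn.conf, which avoids the script altogether.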

When you are done configuring, just restart the OpenVPN service and, if everything is OK, restart the router. I hope this will be handy to some of us.
