Working with VLANs and OpenVPN on a router

Scripts that set up, tear down, and modify routing tables and firewall rulesets for client connections.

Moderators: TinCanTech

sbeaver
OpenVpn Newbie
Posts: 2
Joined: Tue Feb 14, 2012 9:42 pm

Working with VLANs and OpenVPN on a router

Post by sbeaver » Tue Feb 14, 2012 10:17 pm

I have been struggling with this for a while, and am hoping someone might point me in the right direction. I have a WNR3500L router running TomatoUSB and OpenVPN 2.1 that I have been working with for a while, and I am comfortable compiling from source and modifying the system. Newer versions of TomatoUSB support VLANs. I have configured my router with four VLANs and an OpenVPN tunnel over tun/UDP. It all works great! Each VLAN has its own IP range, and seems to be able to connect to resources at the far end of the VPN.

Better yet (and this took some source code tweaks in Tomato), if I set the appropriate config option, I can route all traffic down the tunnel, from all the VLANs.

But what if I would like all traffic from one VLAN to go down the tunnel, traffic from another not? Doesn't sound too hard, but so far a solution has eluded me.

I have tried NOT setting the "redirect all" option and manually routing traffic from a particular VLAN to the tunnel, AND I have tried setting the "route all" option and routing traffic from a particular VLAN direct to the internet. No joy. My attempts result in a VLAN that no longer seems to even be able to get an IP address via DHCP, never mind connect to the tunnel/internet.

This is an example of what I have tried:

ip route add 192.168.30.0/24 dev vlan2 table 1   # this VLAN's own subnet, placed in table 1
ip route add default via 192.168.254.33 table 1  # table 1 default route: straight to the WAN gateway
ip rule add from 192.168.30.0/24 table 1          # source-based rule: packets from this VLAN use table 1
ip route flush cache                              # drop cached lookups so the new rule takes effect

Traffic from my VLANs defaults to the tunnel like it should, but traffic from 192.168.30.0/24 is routed directly to the Ethernet interface (vlan2).

This is the routing table:

10.255.0.1      *               255.255.255.255 UH    0      0        0 tun11
192.168.254.33  192.168.254.33  255.255.255.255 UGH   0      0        0 vlan2
192.168.254.33  *               255.255.255.255 UH    0      0        0 vlan2
192.168.254.32  *               255.255.255.224 U     0      0        0 vlan2
192.168.30.0    *               255.255.255.0   U     0      0        0 br3
192.168.20.0    *               255.255.255.0   U     0      0        0 br2
192.168.2.0     *               255.255.255.0   U     0      0        0 br0
192.168.8.0     *               255.255.255.0   U     0      0        0 br1
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         10.255.0.1      128.0.0.0       UG    0      0        0 tun11
128.0.0.0       10.255.0.1      128.0.0.0       UG    0      0        0 tun11
default         192.168.254.33  0.0.0.0         UG    0      0        0 vlan2

More details can be found here: http://tomatousb.org/forum/t-441920/vla ... elp-needed, and some help would be most welcome. Am I missing a local route, or some sort of broadcast magic?

Steve
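The thread never reaches a working configuration, so here is an added example of the per-VLAN policy routing sbeaver is after (this is not code from the thread, from Tomato or from OpenVPN). It uses the bridge names, subnets and gateways visible in the routing table above; the table number 100, the rule priority 1000, the WAN subnet 192.168.254.32/27 and the DRY_RUN switch are assumptions. The point it makes beyond the commands in the post: a source-based rule diverts everything sourced from the VLAN, including the router's own replies to that VLAN (DHCP offers, DNS answers), so the policy table must carry the connected routes for the LAN bridges and the WAN, and the VLAN's own route must point at its bridge (br3 in the table above), not at vlan2. The VLANs that should keep using the tunnel need no rule at all, because the tunnel's split default (0.0.0.0/1 and 128.0.0.0/1 via tun11) already lives in the main table.

```shell
#!/bin/sh
# Added example, not code from the thread: steer one VLAN (br3) straight to
# the WAN while the other VLANs keep the OpenVPN tunnel as their default.
# Interface names, subnets and gateways come from sbeaver's routing table;
# table 100, priority 1000 and the WAN subnet are assumptions.
# DRY_RUN=1 (the default) prints the iproute2 commands instead of running them.

DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Copy connected LAN and WAN routes into a policy table. Without these, a
# source-based rule sends even router-to-client replies (DHCP, DNS) down the
# table's default route, which matches the "no DHCP lease" symptom.
# Each argument is SUBNET@DEVICE, e.g. 192.168.30.0/24@br3.
add_connected_routes() {
    table=$1; shift
    for entry in "$@"; do
        subnet=${entry%@*}
        dev=${entry#*@}
        run ip route add "$subnet" dev "$dev" table "$table"
    done
}

# Give a policy table its own default gateway.
set_default() {
    table=$1; gw=$2; dev=$3
    run ip route add default via "$gw" dev "$dev" table "$table"
}

# Steer everything sourced from SUBNET through TABLE. Priorities below 32766
# are consulted before the main table, so the tunnel's 0.0.0.0/1 and
# 128.0.0.0/1 routes in main never see this traffic.
bind_source() {
    subnet=$1; table=$2; prio=$3
    run ip rule add from "$subnet" lookup "$table" priority "$prio"
}

# Tear the rule and table down first so re-running the firewall script
# does not stack duplicate rules.
reset_policy() {
    table=$1; prio=$2
    run ip rule del priority "$prio" 2>/dev/null
    run ip route flush table "$table"
}

plan() {
    lan="192.168.2.0/24@br0 192.168.8.0/24@br1 192.168.20.0/24@br2 192.168.30.0/24@br3"
    wan="192.168.254.32/27@vlan2"

    # Table 100: direct-to-Internet for the bypass VLAN on br3.
    reset_policy 100 1000
    add_connected_routes 100 $lan $wan
    set_default 100 192.168.254.33 vlan2
    bind_source 192.168.30.0/24 100 1000

    # The remaining VLANs need no rule: main's tunnel default already applies.
    run ip route flush cache
}

plan
```

Run it once with DRY_RUN=1 to review the plan, then with DRY_RUN=0 from the router's firewall script. To confirm the result, `ip rule show` should list the priority-1000 rule above `32766: from all lookup main`, `ip route get 8.8.8.8 from 192.168.30.10 iif br3` should resolve to vlan2, and the same query with a source on another bridge should still resolve to tun11.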

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: Working with VLANs and OpenVPN on a router

Post by janjust » Thu Feb 16, 2012 11:52 am

VLAN info is Ethernet-specific; this gets stripped when using a 'tun'-based setup. Try switching to 'tap' (no need for bridging, just use 'dev tap') to see if it makes a difference.

sbeaver
OpenVpn Newbie
Posts: 2
Joined: Tue Feb 14, 2012 9:42 pm

Re: Working with VLANs and OpenVPN on a router

Post by sbeaver » Thu Feb 16, 2012 12:30 pm

Thank you.

Since it is easily possible to route all four of my VLANs down the tunnel via tun, I'm not sure that is the issue. I can also cause my VLAN traffic not to default to the tunnel. The problem I am trying to solve is to route some VLANs to the tunnel, while traffic from the others has direct access to the Internet side of the router.

elessard84
OpenVpn Newbie
Posts: 7
Joined: Sun Mar 11, 2012 3:31 am

Re: Working with VLANs and OpenVPN on a router

Post by elessard84 » Mon Mar 12, 2012 6:18 pm

@sbeaver I don't have an answer for you... but I have my own issue with OpenVPN on my TomatoUSB router, and as I see it you may have the answer. I searched and asked on many forums (the Tomato forum, even DD-WRT and OpenWrt too) and got no answer.

What I want: incoming connections from the WAN/Internet to be forwarded to far clients in my VPN. My VPN is bridged with my local network and uses a tap interface....

http://forums.openvpn.net/topic7823.html is what I should do if my VPN server wasn't on my router but on a local computer. But that can't work in my case.

I don't even speak English, so it's really hard for me to find my way around this problem (most wikis are in English...).
