OpenWrt Split Tunnel WireGuard Omada Double NAT

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

OpenWrt Split Tunnel WireGuard Omada Double NAT

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
OpenWrt Split Tunnel WireGuard Omada Double NAT
OpenWrt Split Tunnel WireGuard Omada Double NAT
2022-08-09 14:17:31

I have been thrown into a unique network setup and could use some help. My network design started out with an Omada system (Router, Switch, EAPs) but I also need to incorporate a router to connect to our VPN service. I've been doing this with a Linksys 3200ACM running OpenWRT and a Wireguard interface. My network topology looks like the following:

 

ISP -> (WAN Port) OpenWRT Router (192.168.1.1) running WireGuard -> (WAN Port) TP-Link Omada Setup (ER605 192.168.0.1) (Managed Switch) and (EAPs)

 

This works but I want the ability to do split tunneling via VPN and WAN Policy-Based Routing. The way to do this is usually by identifying the IP address you want to run through the WAN instead of the VPN. All my IPs are behind the Omada system of 192.168.0.1 with several VLAN subnets. These IPs of course are not being seen by the OpenWRT router and no policy will work on them. 

 

One thought I had was cascading the two routers and wanted some input on whether this would even work or the best way to do it. Thanks.

 

What if I were to cascade my routers in the below fashion? Would it allow the IPs to be seen by OpenWRT? I think the only way for it to work would to turn off DHCP on the OpenWRT to allow Omada to set the IPs. 

 

ISP -> (WAN port) OpenWRT Router (change IP to 192.168.0.1 turn off DHCP) running WireGuard -> (LAN port) TP-Link Omada Setup with VLANS i.e.(main Omada router 192.168.0.2/24), 192.168.2.X, 192.168.3.X (ER605) (Managed Switch) and (EAPs)

  0      
  0      
#1
Options
4 Reply
Re:OpenWrt Split Tunnel WireGuard Omada Double NAT
2022-08-09 22:23:03 - last edited 2022-08-09 22:24:13

  @Hartman9 

 

In this configuration, there doesn't seem to be any value in the ER605.  I suspect the OpenWRT device can do everything the ER605 can for your use case.

 

That being said, if you want to do it.  It should be possible.

 

Provision two VLANs from the OpenWRT device one for VPN traffic and one for non-VPN traffic.  Cable them into two WAN ports on the ER605 and then use policy-based routing to decide which WAN to use. 

 

For example, WAN 1 on the ER605 could be the VPN and WAN could be no VPN.

 

Assuming the OpenWRT device can do that, it should work in theory.  It just seems pointless to me.

  0  
  0  
#2
Options
Re:OpenWrt Split Tunnel WireGuard Omada Double NAT
2022-08-10 01:34:13

  @Alex789 The reason I want to keep the ER605 in place is because the Omada environment is more user friendly than OpenWRT.

 

I understand your idea I am not sure it would work for individual IPs. I assume I would have to put the VPN WAN traffic on specified VLANs and Regular WAN on its own VLANs. What if I only wanted one IP from, as an example, the VPN WAN VLAN to go through the regular WAN? Would I have to set up something like a static route just for that IP or how would it work? Thanks.

  0  
  0  
#3
Options
Re:OpenWrt Split Tunnel WireGuard Omada Double NAT
2022-08-10 01:44:27

  @Hartman9 From a flexibility standpoint, why not just creat two SSIDs for two different VLANs?  Then you can choose to connect your device to the WAN SSID or VPN SSID.  You could even switch back and forth by disconnecting from one and connecting to the other.

  0  
  0  
#4
Options
Re:OpenWrt Split Tunnel WireGuard Omada Double NAT
2022-08-11 01:43:57

  @Hartman9 you router already has a vpn and you use wireguard. If you want to keep omada managing everything, then best would be probably to set your openwrt wan port as switch, connect it to er605 which is in same subnet and define your openwrt as gateway. For this purpose, you better should use openwrt as dhcp server as you can set gateway and dns which clients will get under advanced settings, you can not set gateway (3) and dns (6) as dhcp options, omada offers only (60, 66, 138). You say split tunnel, with wireguard you can connect to quite all peers which any vpn provider offers, you just need to configure then which traffic will go where and that can be done in several ways, easiest would be setting according routes.

 

There is many ways how you can what you describe, be it with double nat with openwrt behind or in front of er605 as well without double nat by simply using openwrt as gateway within your subnet.

  0  
  0  
#5
Options