How to configure routing across OpenVPN tunnel
Hello!
I'm completely new to OMADA and acquired an ER605 device for testing purposes and see if it's a good fit for my company's network.
The goal is to replace a legacy Linux server running as a border gateway between 4 networks (WAN / DMZ / LAN / VPN using OpenVPN)
Where I'm struggling is with routing and firewall access control rules (AKA iptables FORWARD rules?).
My OpenVPN server is configured to push routes to the client, which doesn't seem to happen with the OpenVPN client on this router.
I tried to configure these route statically, but the web GUI does not allow me access to the VPN tunnel interface, which surfaces the first question:
How do I configure specific routes through a VPN?
On a traditional gateway, I'd expect to have access to the VPN interface so that I can create access control rules, but It seems I can't do that here.
How do I define that the firewall should allow traffic from the VPN network into my DMZ/LAN, but NOT through WAN?
That is, traffic can flow from the VPN network, but cannot be NATed out of the WAN managed by this router.
How do I tell this router that the LAN should not have access to the VPN?
That is, packets can flow from LAN to VPN, but only if established already. Most importantly, NOT THROUGH NAT.
For an advanced router, this product seems confusing to me. Please point me the right way.
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
policy route for OpenVPN is just around the corner, it is said that it will come in controller version 5.15, now the server has to push the route, there is nothing you can do on the omada router with it.
OpenVPN on Omada routers also does not support OpenVPN 2.4 or later. so you must have a server with a version lower than 2.4
- Copy Link
- Report Inappropriate Content
Thank you for taking the time to reply.
Would you have information on making that interface available on the UI? I'd like to create access control rules on it.
Also,
MR.S wrote
policy route for OpenVPN is just around the corner, it is said that it will come in controller version 5.15
What exactly "around the corner" mean in terms of time? Cuz I'm running controller 5.13, cuz 5.14 had a bug on the docker image, and wouldn't run.
I've also been working with my Router in standalone mode. It honestly felt that the controller was very much making things more confusing, and even restricting some functionalities.
- Copy Link
- Report Inappropriate Content
Thanks for posting in our business forum.
PedroPeixoto wrote
Thank you for taking the time to reply.
Would you have information on making that interface available on the UI? I'd like to create access control rules on it.
Also,
MR.S wrote
policy route for OpenVPN is just around the corner, it is said that it will come in controller version 5.15
What exactly "around the corner" mean in terms of time? Cuz I'm running controller 5.13, cuz 5.14 had a bug on the docker image, and wouldn't run.
I've also been working with my Router in standalone mode. It honestly felt that the controller was very much making things more confusing, and even restricting some functionalities.
Docker is not maintained by us and when recoding that to the Docker system, and if there is a bug, we cannot resolve it or adjust that for the Docker.
Understand the migration of the system and it is normal to experience an issue when migrating. It is possible that we will not be able to address what you mentioned in the Docker.
Like the MR.S wrote, PBR for the OVPN is scheduled for V5.15. For a disclaimer, read the original post: https://community.tp-link.com/en/business/forum/topic/625262
Regarding two other questions,
1) Full tunnel mode. If you are the OVPN client, you don't have control over the tunnel mode. Server decides.
2) Local Networks.
- Copy Link
- Report Inappropriate Content
Hello @Clive_A
Thanks for taking the time to reply to my thread!
My OMADA is indeed the client, but the server is NOT another OMADA router. It's a legacy system running OpenVPN 2.4.0.
I'm not aware of any split/full tunnel settings. My VPN server will not push itself as the default gateway (is that what a "split" tunnel means?)
I'm afraid I didn't get what you meant by "local networks". Is a way to select which of the local networks are going to be routed to the VPN server?
- Copy Link
- Report Inappropriate Content
Thanks for posting in our business forum.
PedroPeixoto wrote
Hello @Clive_A
Thanks for taking the time to reply to my thread!
My OMADA is indeed the client, but the server is NOT another OMADA router. It's a legacy system running OpenVPN 2.4.0.
I'm not aware of any split/full tunnel settings. My VPN server will not push itself as the default gateway (is that what a "split" tunnel means?)
I'm afraid I didn't get what you meant by "local networks". Is a way to select which of the local networks are going to be routed to the VPN server?
If you are not in proxy mode, route all to the server, it is a split tunnel.
The local network determines what local network should be using the VPN tunnel.
- Copy Link
- Report Inappropriate Content
OK! Thanks for the added info.
I guess this VPN feature is not really a good fit for me: It's configurable enough.
In my scenario, the VPN tunnel works to connect the remote site (where the OMADA would be) to a cloud service (The VPN server), where applications then consume services and data (HTTP, Database) hosted on the remote site.
The OMADA would need to be very configurable for me to define how each network can talk to one another. IE:
- My LAN can talk to the DMZ, but only on a few services.
- Connections coming from the the VPN (the cloud) should have full access to LAN and DMZ, but cannot be NAT'ed through WAN
- No connections can flow from WAN into any of the local networks without a NAT/Masquerading.
- Copy Link
- Report Inappropriate Content
Thanks for posting in our business forum.
PedroPeixoto wrote
OK! Thanks for the added info.
I guess this VPN feature is not really a good fit for me: It's configurable enough.
In my scenario, the VPN tunnel works to connect the remote site (where the OMADA would be) to a cloud service (The VPN server), where applications then consume services and data (HTTP, Database) hosted on the remote site.
The OMADA would need to be very configurable for me to define how each network can talk to one another. IE:
- My LAN can talk to the DMZ, but only on a few services.
- Connections coming from the the VPN (the cloud) should have full access to LAN and DMZ, but cannot be NAT'ed through WAN
- No connections can flow from WAN into any of the local networks without a NAT/Masquerading.
It sounds really strange to describe the things you want in this way. I think it can do that. But from what you described, it seems to not be available on the system. So, we seems to be not on the same page.
Do you have a diagram to illustrate further your points on i.e.?
With all due respect, it sounds like you have not figured out what it means in OVPN. What would be the level of your understanding of the OVPN? So I can explain this specifically.
If you have other opinions or some verification you've done, you can let me know so I can point out if it is normal behavior or not supported.
- Copy Link
- Report Inappropriate Content
Hi @Clive_A
First and foremost, thank you for taking the time to discuss this with me.
Here's a simplified diagram for the network I wish to accomplish with OMADA (Again, the OMADA would be replacing a traditional Linux box acting as a router):
I'm a web developer, and pretty familiar with Linux Administration, Networks, Routing, Firewalls, and OpenVPN, though working on this has not been my main role for a long time now.
My OpenVPN configuration is pretty simple. It creates a TUN interface through which clients can connect and offer their services and data to the VPC to consume, so, in that sense, it's more of a site-to-site network than a client-to-site (where the client usually routes their traffic through the VPN, or consume services within the VPN).
Upon connection, the VPN server learns a few routes from the client, and pushes some routes to it as well, using OVPN's "CCD" files.
As you can see, no traffic is routed from the client, through the tunnel, into the VPC. The flow is reversed: The VPC applications use the tunnel to access resources within the clients.
- Copy Link
- Report Inappropriate Content
Thanks for posting in our business forum.
PedroPeixoto wrote
Hi @Clive_A
First and foremost, thank you for taking the time to discuss this with me.
Here's a simplified diagram for the network I wish to accomplish with OMADA (Again, the OMADA would be replacing a traditional Linux box acting as a router):
I'm a web developer, and pretty familiar with Linux Administration, Networks, Routing, Firewalls, and OpenVPN, though working on this has not been my main role for a long time now.
My OpenVPN configuration is pretty simple. It creates a TUN interface through which clients can connect and offer their services and data to the VPC to consume, so, in that sense, it's more of a site-to-site network than a client-to-site (where the client usually routes their traffic through the VPN, or consume services within the VPN).
Upon connection, the VPN server learns a few routes from the client, and pushes some routes to it as well, using OVPN's "CCD" files.
As you can see, no traffic is routed from the client, through the tunnel, into the VPC. The flow is reversed: The VPC applications use the tunnel to access resources within the clients.
If it is more of a site-to-site, you should refer to the guide in the Configuration Guide label. For this setup, you should create dual tunnels to make the connection bidirectional between them.
When you only access the 10.10.X.X, you are routed. This is a split tunnel. If you intend to forward all traffic from either LAN inside the Remote Site, you use a full tunnel.
The previous answers still stand.
2) You should create dual tunnels. Full tunnel.
3) When the tunnel is up, the remote site clients can access the cloud and they will be proxied by the cloud WAN if 2) is enabled..
- Copy Link
- Report Inappropriate Content
Thank you so much for the information.
I'll keep working and try to achieve this.
Best Regards,
Pedro Peixoto
- Copy Link
- Report Inappropriate Content
Information
Helpful: 0
Views: 538
Replies: 10
Voters 0
No one has voted for it yet.