How to: OpenVPN backhaul routes and DNS

davidk · 2024-03-07T16:14:06.428Z

I have an openvpn client on my router connecting to a

Hostname	GL-AR750S
Model	GL.iNet GL-AR750S (NOR/NAND)
Architecture	Qualcomm Atheros QCA956X ver 1 rev 0
Firmware Version	OpenWrt 19.07.7 r11306-c4a6851c72 / LuCI openwrt-19.07 branch git-21.044.30835-34e0d65
Kernel Version	4.14.221
Local Time	2024-03-07 08:07:02
Uptime	59d 11h 6m 52s

set up with openvpn server.

I have routes on my router that forces IPs for remote LAN network into tunnel and also my DNS server sends lookups for particular TLDs to the GLs DNS for lookup. That works great. Now I need to to the same at the GL end so that when at the GL LAN I can reach things back here on my network.

I’ve done this with other routers but not GL products and after looking at the static routes page of the UI I can’t get routes that will push into vpn tunnel.

Anyway can someone explain via the UI what I need to set and how (maybe a screen shot). That and also the DNS setting. Thx.

davidk · 2024-03-07T16:16:56.321Z

See there is not VPN interface in the list so I am confused

image1222×548 40 KB

SpitzAX3000 · 2024-03-08T04:52:12.754Z

davidk:

Now I need to to the same at the GL end so that when at the GL LAN I can reach things back here on my network.

I think you need site-2site vpn instead of client-server vpn. Btw, can you ping a remote host from a GL LAN host? In addition, can you login into the GL modem and ping a remote client on the remote network ?

davidk · 2024-03-09T19:40:00.405Z

AFAIK there is no such thing as a “site to site” VPN, one end must be a server and the other a client (e.g. openssh). Then if you set up routes/firewall/DNS correctly (which I said I can do on other routers just running linux or opnsense) then you can get it to work like “site to site”

Of course you can use a single static key which sometimes is called “site to site” in that both client and server need the static key (which I am doing here) instead of a road warrior setup with certs etc.

Not surprising I can ping from the GL to “my” end of the tunnel (tunnel ip) but of course can’t ping anything on my network including my router because the GL doesn’t know where to send request to my lan subnet (i.e. into that tunnel).

Maybe rather than trying to find anything on the UI i’ll ssh to cli and try to get the routes, etc set up like I know how. Just was wondering if it was possible via the UI using and openvpn server.

Well not really the solution I want but I could set up a client and the GL and server o my router and have a second vpn for the “backhaul”.

davidk · 2024-03-09T19:53:16.268Z

Looks like I might have found something in UI for routing. I’ll try that and see if I can get what I want to happen.

VPN policies.

docs.gl-inet.com

VPN Policies - GL.iNet Router Docs 3

Documentation for GL.iNet Router Productions

SpitzAX3000 · 2024-03-10T01:03:23.551Z

davidk:

AFAIK there is no such thing as a “site to site” VPN, one end must be a server and the other a client (e.g. openssh). Then if you set up routes/firewall/DNS correctly (which I said I can do on other routers just running linux or opnsense) then you can get it to work like “site to site”

A site-to-site virtual private network (VPN) is a way to connect local area networks (LANs) in multiple locations across the public internet.

Building a Site-2-Site network manually using two GL.iNet routers(SDK 4.X) VPN, DNS, Leaks

This post is to introduce the guide to config WireGuard LAN to LAN VPN (Site-2-Site) based on GL-iNet SDK 4.X fimrware. Supported Models Router Model Stable Beta GL-MT3000 (Beryl AX) √ - GL-AXT1800 (Slate AX) √ - GL-A1300 (Slate Plus) √ - GL-X3000 (Spitx AX) √ - GL-AX1800 (Flint) √ - GL-MT2500 (Brume 2) √ - GL-AR300M (shadow) - √ GL-MT300N-V2 (Mango) - √ GL-E750 (Mudi) - √ GL-SFT1200 (Opal) - √ GL-MT1300 (Beryl) - √ GL-X750 (Spitz) - √ GL-XE300 (Pul…

davidk · 2024-03-10T18:02:35.056Z

Good info but I can’t run wireguard on my router (older os on arm64 there is no wireguard binary) until I replace the router so only openvpn for now, thus your suggestion won’t work for me at this time.

I tried setting vpn policy did not solve the routing issue. Maybe it only works for wireguard?

I will be replacing my router next couple months so I guess since this won’t be trivial I’ll just wait till then.

SpitzAX3000 · 2024-03-10T22:26:33.544Z

It will work with OpenVPN too.