OpenWRT on LXC, GUI access dies when VPN starts

S

sgt_jamez

Member
Jun 8, 2021
10
0
6
54
I'm having trouble following a walk-through on YouTube for installing OpenWRT/VPN from Novaspirit Tech.
I'm on PVE 8.2.4 and have installed OpenWRT from linuxcontainers.org.

What I'm running into, is when I enable and start the VPN (I have vpn service from PIA), I lose access to the web GUI. The container i still running since I can ping out of it, and a Debian LXC running through the VPN (vmbr1 by following the instructions in the video) will show a Los Angeles IP address when running # curl ifconfig.co.

I posted about this on the OpenWRT forum, and since the version I am running is a fork, they didn't get into it with me.

So:
A.) Does anyone know how I can regain access to the web GUI with the VPN running? Is this a firewall rule issue?
B.) Has anyone gotten OpenWRT to run in a container with VPN?

Please help... I'm running out of head to scratch! :)
 
Note: Not played with this at all, just going on general Networking knowledge

First question: The IP-Range that you're trying to reach the Server from, and the range the Server is on, is that the same range?
If it is not: Most likely the new default route is set to use the VPN, except for traffic to the same network.
If it is: Then the ruleset is even more stricts, blocking ALL traffic from going anywhere but the VPN, except for traffic to the router and VPN-Service.

From the proxmox console, could you do a ip route list both while the VPN isn't and is active, plus answer the above about the IP-Ranges.

Or do you mean losing access to the GUI of the container/VM?
 
Last edited:
Yes, I mean I am losing access to the VM GUI.

The tutorial I followed has the OpenWRT GUI on vbmr0 (in my case set for vlan 40, and static IP to 192.168.40.35).
Everything else on vlan 40 is accessible regardless of the VPN status. Just the OpenWRT GUI IP becomes inaccessible when I start the VPN service.

If I stop the VPN service from the VM console, the GUI is accessible and IP is pingable. I can start a ping on 192.168.40.35 then go into the OpenWRT VM console and start the service. Immediately lose ping and GUI access. Also a Debian VM I have accessing the VPN will go from my ISP issued public IP to the VPN issued IP (based on curl ifconfig.co as noted above) and back when I start/stop the service manually.

Here's the IP route list from the VM with the VPN stopped:
default via 192.168.40.1 dev eth0 src 192.168.40.35
10.50.50.0/24 dev eth1 scope link src 10.50.50.1
192.168.40.0/24 dev eth0 scope link src 192.168.40.35

And with the VPN running:
0.0.0.0/1 via 10.10.110.1 dev tun0
default via 192.168.40.1 dev eth0 src 192.168.40.35
10.10.110.0/24 dev tun0 scope link src 10.10.110.90
10.50.50.0/24 dev eth1 scope link src 10.50.50.1
128.0.0.0/1 via 10.10.110.1 dev tun0
191.96.106.139 via 192.168.40.1 dev eth0
192.168.40.0/24 dev eth0 scope link src 192.168.40.35

Interpreting that is over my head and I don't know what to change inside OpenWRT. As I've searched around, other people are having the same issue but there's been no solution posted.

Here's the firewall ruleset. The very last entry is what I thought would keep my GUI access alive from the WAN IP.
root@openwrt:/# cat /etc/config/firewall

config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'

config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'

config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'tun0'
list network 'wan'
list network 'wan6'

config forwarding
option src 'lan'
option dest 'wan'

config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'

config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'

config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'

config rule
option src 'wan'
option dest_port '80'
option proto 'tcp'
option target 'ACCEPT'
 
Last edited:
Also, you asked about the IP I was accessing the server from... both my laptop and my main PC were on VLAN 10. I connected my laptop to VLAN 40 and I can access the OpenWRT GUI while the VPN is running.

So now the question becomes how to add VLAN 10 access?
 
Your OpenWRT doesn't know about the IP-Range of VLAN 10, so it sends it to the "smallest" range that it does know, being 0.0.0.0/1 and 128.0.0.0/1 (which is basically all IP adresses that it doesn't have manually configured), which are both set to go over the tunnel

To fix it, we'll have to add a route of our own, tell it "Hey OpenWRT, if you are searching for this range of VLAN10, yeah? Go ask the main router, he knows (as the router will be moving traffic between the VLAN's if allowed)

To do that, let's first add it as a temporary route to see if it works.
Judging by the IP-Range used for the 40 VLAN, I'm guessing the VLAN 10 has a range of 192.168.10.0/24, if not, change accordingly below
Code: 
ip route add 192.168.10.0/24 via 192.168.40.1 dev eth0
Check with ip route list if it is added correctly (it should probably look something like this:
Code: 
default via 192.168.40.1 dev eth0  src 192.168.40.35
10.50.50.0/24 dev eth1 scope link  src 10.50.50.1
192.168.40.0/24 dev eth0 scope link  src 192.168.40.35
192.168.10.0/24 via 192.168.40.1 dev eth0

Some more reading material for working with routes: https://www.cyberciti.biz/faq/ip-route-add-network-command-for-linux-explained/
 
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom
Back