Closed klewin closed 3 years ago
Hi @klewin,
Yes it's possible. You just have to add the networks you want to exempt from the VPN to the EXEMPT_DESTINATIONS_IPV4 option in your vpn.conf file. Like:
EXEMPT_DESTINATIONS_IPV4="10.0.1.0/24 10.0.2.0/24"
Thanks for the quick reply.
Can confirm that the EXEMPT_DESTINATIONS_IPV4 filters properly.
I excluded 10.0.1.0/24 in order to solve a DNS leak and inadvertently caused this. Probably better to have DNS set up on a different VLAN.
Regarding the DNS leaks, the default DNS_IPV4_IP option is set to "DHCP" which forces your VPN clients to use the NordVPN DNS they give you (it adds a DNAT rule to that DNS).
However, if you have a DNS set on the same subnet as your client (and that DNS is given by the UDMP's DHCP server), then that DNS will be accessed directly on layer 2 without going through the router, so the router won't be able to filter traffic going between the same subnet.
So I would definitely advise you do not set the DNS on the same subnet and hand that out with the UDM's DHCP (though, setting the DNS as the router's IP is fine since that traffic can still be rerouted to the VPN DNS).
You can also force your VPN through a local pihole or other local DNS server that you have, though you have to worry about making sure it doesn't leak from the pihole (e.g. by using DoH or DoT to an upstream server).
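The same-subnet bypass described above can be checked before a DNS server is handed out over DHCP. The script below is an added example, not code from split-vpn or from anyone in the thread. It assumes the router address is the VLAN's gateway and that any DNS server inside the client's own subnet is reached at layer 2, and classifies a (client subnet, router IP, DNS IP) triple accordingly; the 10.0.1.0/24 network and 10.0.5.3 come from the thread, the other addresses are constructed.

```shell
#!/bin/sh
# Added example (not split-vpn's own code): classify where a DHCP-handed DNS
# server sits relative to a VPN client's VLAN, since split-vpn's DNS DNAT rule
# (DNS_IPV4_IP="DHCP") only sees traffic that actually crosses the UDM.

# ip4_to_int A.B.C.D -> 32-bit integer
ip4_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# in_subnet IP CIDR -> exit status 0 when IP lies inside CIDR
in_subnet() {
    ip=$(ip4_to_int "$1")
    net=$(ip4_to_int "${2%/*}")
    bits=${2#*/}
    # all-ones mask shifted left, truncated back to 32 bits
    mask=$(( bits == 0 ? 0 : (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# dns_reachability CLIENT_SUBNET ROUTER_IP DNS_IP -> gateway | same-subnet | other-subnet
#   gateway:      the router answers itself and can redirect the query to the VPN DNS
#   same-subnet:  the client talks to the DNS over layer 2; the router never sees it
#   other-subnet: the query is routed through the UDM, where the DNAT rule applies
dns_reachability() {
    if [ "$3" = "$2" ]; then
        echo gateway
    elif in_subnet "$3" "$1"; then
        echo same-subnet
    else
        echo other-subnet
    fi
}

# dns_leak_risk CLIENT_SUBNET ROUTER_IP DNS_IP -> leak | ok
dns_leak_risk() {
    if [ "$(dns_reachability "$1" "$2" "$3")" = same-subnet ]; then
        echo leak
    else
        echo ok
    fi
}

# Demo with constructed addresses (router 10.0.1.1 and DNS 10.0.1.53 are made up)
for dns in 10.0.1.53 10.0.1.1 10.0.5.3; do
    echo "VLAN 10.0.1.0/24, router 10.0.1.1, DNS $dns: $(dns_reachability 10.0.1.0/24 10.0.1.1 "$dns") -> $(dns_leak_risk 10.0.1.0/24 10.0.1.1 "$dns")"
done
```

Run it as-is to see the three cases; to check your own VLAN, call `dns_leak_risk` with the VLAN's CIDR, the UDM's address on that VLAN and the DNS address the DHCP server hands out. A DNS server on another VLAN (such as a pi-hole on 10.0.5.3) is reported as `other-subnet` because those packets must pass the router and can still be redirected.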
> setting the DNS as the router's IP

that did the trick.
Great! So everything is working for you or are there any other issues? If there are no more issues, you can go ahead and close this issue.
Have a nice day!
As a follow-up to

> force your VPN through a local pihole
The 10-dns-host.sh script and instructions worked well to set up pihole in host mode. There was also a discussion at boostchicken/udm-utilities about DoH/DoT support and a cloudflared container example was posted.
Both the host mode and cloudflared examples run DNS outside the vpn tunnel, which unfortunately leads to connectivity issues with streaming services when ip traffic is routed through the vpn.
In researching this a bit further, it sounds possible - though not necessarily ideal - to configure pihole to act as a VPN gateway. With some vague steps described here.
Just wondering if this is something you have looked into and if it's even possible to configure pihole to route through the VPN on a UDM.
Hi @klewin,
If you want your pihole to use the VPN, have you tried to force its IP or MAC with the FORCEDSOURCE* options? Have not tried it myself yet but I don't see why it wouldn't work.
Even if pihole/CloudFlared is running on the UDMP, it is still listening on some interface, or IP, which you can force.
Also, host mode for Pihole is not needed for this really, it should work without host mode too. Host mode is for the ability to support forcing domains through the VPN. In fact, host mode might introduce problems (you might have to add a custom rule).
None of the FORCED_SOURCE_* options worked when trying to force pi-hole through the VPN with host mode.
However, I was able to get it to work without host mode using the FORCED_SOURCE_IPV4="10.0.5.3" option after re-installing from the instructions at https://github.com/boostchicken/udm-utilities/tree/master/run-pihole.
Unfortunately, this leads to the problem of setting pi-hole's upstream dns server based on the DHCP options from openvpn. Setting manually works fine.
I have found a script that "Parses DHCP options from openvpn to update resolv.conf", which is intended to be called from an openvpn *.conf file.
If something similar could execute during the up/down events...
# update/restore pi-hole conf at /mnt/data/etc-pihole/setupVars.conf
# restart pi-hole server
podman exec -it pihole pihole restartdns
Would this be a useful feature?
Hi @klewin,
When you run pihole in host mode, you cannot use the FORCEDSOURCE* variables for pihole because those are only for routed traffic. You would need to add the pihole interface to FORCED_LOCAL_INTERFACE instead.
Anyways, host mode is only needed if you want to force domains. Don't bother with it for your use case.
Also, I can definitely add an option to run custom commands on up/down hooks. That seems pretty useful for having custom configurations not covered by the script. Will do that shortly.
Apologies, I forgot to mention that the FORCED_LOCAL_INTERFACE option didn't work in host mode either.
Ah sorry @klewin. You are right, that option won't work because it forces on the outgoing interface. I don't have an option for it but you can add the proper rule by running this after you run the VPN (replace PIHOLE_IP* with the pihole IPs and 0x9 with your MARK):
On second thought this won't work because in host mode, pihole uses the source IP of your WAN, not the pihole interface. So in host mode you cannot force pihole to use the VPN.
However, you can run another DNS resolver like unbound or knot on the UDMP, and use that as your pihole's DNS. Then you can force the unbound's IP since it won't be in host mode. This is what I do and it works well.
Hi @klewin,
The ability to run commands on up/down events has now been added to the script thanks to the latest pull request by @midzelis.
Update to the latest version of the script, then define the hooks_up() and hooks_down() functions in your vpn.conf file with whatever you want to execute within them. An example is shown at the bottom of vpn.conf.filled.sample.
Try this out and tell me if this works for you.
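Here is one way to fill the hooks_up()/hooks_down() slots for the use case raised earlier in the thread (taking the DNS servers OpenVPN pushes as DHCP options, writing them into pi-hole's setupVars.conf and restarting pi-hole's resolver, then restoring the original file when the tunnel goes down). This is an added example, not split-vpn's own code or the sample in vpn.conf.filled.sample. It assumes that updown.sh runs as OpenVPN's --up/--down script, so the hooks inherit OpenVPN's environment, in which pushed options appear as foreign_option_1, foreign_option_2, ... with values such as "dhcp-option DNS 10.8.0.1"; that pi-hole keeps its upstream servers as PIHOLE_DNS_1=, PIHOLE_DNS_2=, ... lines in setupVars.conf; and that the container is named pihole as in the thread. The addresses in the comments are constructed.

```shell
#!/bin/sh
# Added example (not the split-vpn project's code): vpn.conf hooks that point
# pi-hole at the DNS servers pushed by the VPN while the tunnel is up.
# Assumptions: OpenVPN env vars foreign_option_N="dhcp-option DNS <ip>" are
# visible to the hooks, and pi-hole stores upstreams as PIHOLE_DNS_N= lines.

SETUPVARS="${SETUPVARS:-/mnt/data/etc-pihole/setupVars.conf}"
BACKUP="${SETUPVARS}.pre-vpn"

# vpn_dns_servers: print one pushed DNS IP per line, in foreign_option order.
# Other dhcp-option kinds (DOMAIN, NTP, ...) are ignored.
vpn_dns_servers() {
    i=1
    while :; do
        eval "opt=\${foreign_option_$i:-}"
        [ -n "$opt" ] || break
        case "$opt" in
            "dhcp-option DNS "*) echo "${opt#dhcp-option DNS }" ;;
        esac
        i=$((i + 1))
    done
}

# current_upstreams CONF: print the PIHOLE_DNS_N values currently in CONF.
current_upstreams() {
    sed -n 's/^PIHOLE_DNS_[0-9]*=//p' "$1"
}

# write_upstreams CONF IP...: replace every PIHOLE_DNS_N line in CONF with the
# given servers, keeping all other settings untouched.
write_upstreams() {
    conf=$1; shift
    tmp="$conf.tmp"
    { grep -v '^PIHOLE_DNS_[0-9]*=' "$conf" || true; } > "$tmp"
    n=1
    for s in "$@"; do
        echo "PIHOLE_DNS_$n=$s" >> "$tmp"
        n=$((n + 1))
    done
    mv "$tmp" "$conf"
}

# Hooks are non-interactive, so no -it as in the thread's manual command.
restart_pihole_dns() {
    podman exec pihole pihole restartdns
}

hooks_up() {
    dns=$(vpn_dns_servers)
    if [ -z "$dns" ]; then
        echo "hooks_up: VPN pushed no DNS servers, leaving pi-hole unchanged"
        return 0
    fi
    cp "$SETUPVARS" "$BACKUP"
    # $dns is intentionally unquoted: one argument per pushed server
    write_upstreams "$SETUPVARS" $dns
    restart_pihole_dns
}

hooks_down() {
    [ -f "$BACKUP" ] || return 0
    mv "$BACKUP" "$SETUPVARS"
    restart_pihole_dns
}
```

Keeping the original setupVars.conf as a backup means hooks_down() restores exactly what you had rather than guessing at previous upstreams, and hooks_up() declines to touch the file when the provider pushes no DNS at all.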
This error appears in the openvpn.log with the latest updown.sh script with and without changes to vpn.conf.
/mnt/data/split-vpn/vpn/updown.sh: line 353: syntax error: bad substitution
Fri Jul 16 14:39:16 2021 WARNING: Failed running command (--up/--down): external program exited with error status: 2
@klewin, can you modify the updown.sh script and change the first line that says set -e to set -xe and rerun the VPN, then show me the log? The -x switch tells us which line it failed on.
Thanks.
Edit: FYI, I downloaded the script fresh and it seems to be working fine here. Can you try to redownload it too?
hmm. redeployed and it worked this time. thanks.
@peacey thanks for all the assistance. Closing issue as main problem with dns routing through vpn has been resolved.
Thanks for the excellent work!
Is it possible to configure a single VPN for multiple VLANs and retain interVLAN routing?
For example:
vpn.conf is set as FORCED_SOURCE_INTERFACE="br1 br2"
When the vpn is running, ping 10.0.2.x from any client on VLAN 1 returns "Destination Host Unreachable" as traffic is routed through the vpn. When the vpn is stopped, the ping works properly.