OpenVPN Only for Local Traffic on Gl-AR300M (Running on OpenWrt)

Hacking, IoT, Programming

I’m using the following fancy router not only to share the internet connection via WiFi at home, but also to run Domoticz – a home automation system (I will probably write more about it in my further posts).


GL-AR300M Mini Router
A feature of this router is that it runs OpenWrt – a Linux-based open-source firmware for routers – which makes it very attractive for IoT enthusiasts, because they don’t need to flash or unlock it to run their own services on it. That is allowed out of the box.

In order to make the Domoticz web interface available from outside my home LAN, I decided to set up a VPN on my publicly accessible server and connect the router to the VPN. The firmware natively supports OpenVPN configs. Everything is great: you just need to upload an OpenVPN client config and it will work. But it is done on the assumption that all traffic should be forwarded through the VPN, while I don’t want to pass gigabytes of my meaningless home traffic through the server. Instead, I need to pass only the traffic related to the VPN through the tunnel. It looks like this problem cannot be solved with the standard tools in the web interface, so I decided to leverage the custom_config option in the OpenVPN configuration.

I’m not going to describe everything step-by-step, since this article is more a note for myself than a comprehensive tutorial 😉 Instead I will just briefly show what changes I made to achieve the result after a few days of trial and error. The following changeset is relevant to firmware version 3.019 (OpenWrt 18.06.1, r7258-5eb055306f).

/etc/config/openvpn

/etc/config/network

/etc/config/firewall

Afterwards you will see the following settings in LuCI Web Interface at /cgi-bin/luci/admin/network/firewall/zones:

/etc/openvpn/privnet.conf

☝️ I don’t assign the routes pushed from the server; instead, routing is set up in the privnet-routing.sh script.
Make sure that the daemon option is disabled/removed, otherwise the /etc/init.d/openvpn script will endlessly create openvpn processes.

/etc/openvpn/privnet-routing.sh

☝️ This is quite specific to my VPN configuration (peer-to-peer 10.8.0.0/24 net); I’m keeping it here just as an example. Your case will likely be different.
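As an added illustration of this kind of split tunnel (this is not the post’s own privnet-routing.sh), here is a route-up script that installs only the VPN subnet route and refuses anything that would touch the default route. It assumes the 10.8.0.0/24 net from the post, that the client config carries OpenVPN’s route-nopull and route-up options, and that OpenVPN exports the tunnel device name in $dev when it runs the script.

```shell
#!/bin/sh
# Added example (not the post's privnet-routing.sh): a split-tunnel route-up
# script for OpenVPN on OpenWrt. Assumed setup, as in the post: the VPN is the
# peer-to-peer 10.8.0.0/24 net, the client config carries "route-nopull" (so
# routes pushed by the server are ignored) and "route-up" pointing at this
# script, and OpenVPN exports the tunnel device name in $dev when it runs it.

VPN_NET="10.8.0.0/24"

# Build the ip(8) command that sends only the VPN subnet over the tunnel.
# The command is printed, not executed, so it can be checked and logged first.
vpn_route_cmd() {
    net="$1"
    iface="$2"
    # A split tunnel must never replace the default route: refuse outright.
    case "$net" in
        default|0.0.0.0/0|0.0.0.0|"")
            echo "refusing to route '$net' over the VPN" >&2
            return 1 ;;
    esac
    # Only a tun device may be used; anything else means $dev was not set
    # by OpenVPN or the script was called from somewhere unexpected.
    case "$iface" in
        tun[0-9]*) ;;
        *)
            echo "refusing to route via non-tun interface '$iface'" >&2
            return 1 ;;
    esac
    echo "ip route replace $net dev $iface"
}

# Act only when invoked by OpenVPN (which exports $dev); when sourced or run
# by hand without that variable, nothing on the router is changed.
if [ -n "${dev:-}" ]; then
    cmd=$(vpn_route_cmd "$VPN_NET" "$dev") || exit 1
    logger -t privnet "route-up: $cmd"
    $cmd
fi
```

Install it as the route-up script referenced from the client config, make it executable, and keep script-security at 2 so OpenVPN is allowed to execute it.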

Configure OpenVPN to autostart

Reboot or run

to make the changes take effect.