Tuesday 14 June 2022

OpenVPN Cloud with OpenWRT Client

OpenVPN Cloud is a remote access VPN server with a free plan that supports 3 simultaneous clients.

Whilst they make clients available for common desktop operating systems, you can also get clients for Linux-based networking equipment such as OpenWRT. This makes it possible for me to configure my office router to be a client and tunnel site-to-site traffic over the much more secure SSH protocol without having to mess around with static IP addresses etc.

The problem was the default route table that OpenVPN Cloud pushes to its clients:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.5.1     0.0.0.0         UG    10     0        0 eth0.2
100.80.0.0      100.96.X.Y      255.240.0.0     UG    0      0        0 tun0
100.96.0.0      100.96.X.Y      255.224.0.0     UG    0      0        0 tun0
100.96.X.Z      *               255.255.255.240 U     0      0        0 tun0
172.16.1.0      *               255.255.255.0   U     0      0        0 br-lan
192.168.5.0     *               255.255.255.0   U     10     0        0 eth0.2
192.168.9.0     *               255.255.255.0   U     0      0        0 br-guest

This is using the default "Full Mesh" mode which just routes all traffic between all connected clients - in my case between my laptop and my router.

It didn't work.

The problem appears to be that the subnets 100.96.0.0/11 (the mesh) and 100.96.X.Z/28 (the uplink) overlap and OpenWRT can't figure out which one to use to send IP traffic. The former is a gateway route and the latter is an interface route, but that doesn't matter to OpenWRT (this is possibly a bug, but hey).

Route metrics are a way out of this: the router will prefer one of the subnets over the other because it has a lower "cost".

I didn't find a way to set route metrics on the OpenVPN Cloud server, but you can add a line to the client .ovpn configuration. You can find it in the LuCI control panel under VPN -> OpenVPN -> Edit:

route-metric 1

This results in the correct route table and it works beautifully:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.5.1     0.0.0.0         UG    10     0        0 eth0.2
100.80.0.0      100.96.X.Y      255.240.0.0     UG    1      0        0 tun0
100.96.0.0      100.96.X.Y      255.224.0.0     UG    1      0        0 tun0
100.96.X.Z      *               255.255.255.240 U     0      0        0 tun0
172.16.1.0      *               255.255.255.0   U     0      0        0 br-lan
192.168.5.0     *               255.255.255.0   U     10     0        0 eth0.2
192.168.9.0     *               255.255.255.0   U     0      0        0 br-guest
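The edit above is done by hand in LuCI, and the only check is eyeballing the route table. As an added example (not code from this post, and not part of OpenVPN or OpenWRT), the shell script below does the same two things on the router's busybox shell: it idempotently sets a single "route-metric" line in a client config file, and it reads "route -n" output to (a) list overlapping prefixes that share a metric, which is the ambiguity described above, and (b) count pushed gateway routes on the tunnel interface that did not pick up the expected metric. The sample route tables are constructed from the two tables above; the addresses 100.96.1.17 and 100.96.1.16 stand in for the post's 100.96.X.Y and 100.96.X.Z, and the config path in the demo is a temporary file rather than the real .ovpn.

```shell
#!/bin/sh
# Added example, not code from the post, OpenVPN or OpenWrt.
# Helpers for the "route-metric" fix on an OpenWrt OpenVPN client.
# Constructed placeholders: 100.96.1.17 (gateway) and 100.96.1.16/28 (uplink).

# ensure_route_metric FILE METRIC
# Set exactly one "route-metric METRIC" line in a client .ovpn file:
# replace an existing line, otherwise append. Safe to run repeatedly.
# (sed -i without a suffix: GNU and busybox sed.)
ensure_route_metric() {
    conf="$1"; metric="$2"
    [ -w "$conf" ] || return 1
    if grep -q '^route-metric[[:space:]]' "$conf"; then
        sed -i "s/^route-metric[[:space:]].*/route-metric $metric/" "$conf"
    else
        printf 'route-metric %s\n' "$metric" >> "$conf"
    fi
}

# same_metric_overlaps  (reads `route -n` on stdin)
# Print one line per pair of routes whose prefixes overlap and whose metrics
# are equal. The default route is skipped: it overlaps everything by design.
same_metric_overlaps() {
    awk '
    function ip2int(s,  a) {
        split(s, a, ".")
        return ((a[1] * 256 + a[2]) * 256 + a[3]) * 256 + a[4]
    }
    # prefix length of a contiguous netmask = 32 minus its trailing zero bits
    function plen(m,  v, n) {
        v = ip2int(m); if (v == 0) return 0
        n = 0; while (v % 2 == 0) { v = int(v / 2); n++ }
        return 32 - n
    }
    # network part of ip under a p-bit prefix (no bitwise ops in busybox awk)
    function net(ip, p,  h) { h = 2 ^ (32 - p); return int(ip2int(ip) / h) * h }
    # data rows: 8 columns, numeric destination, genmask not 0.0.0.0 (default)
    NF == 8 && $1 ~ /^[0-9]/ && $3 != "0.0.0.0" {
        n++; dst[n] = $1; pl[n] = plen($3); met[n] = $5; ifc[n] = $8
    }
    END {
        for (i = 1; i <= n; i++) for (j = i + 1; j <= n; j++) {
            p = pl[i] < pl[j] ? pl[i] : pl[j]
            if (met[i] == met[j] && net(dst[i], p) == net(dst[j], p))
                printf "%s/%d and %s/%d share metric %s (%s, %s)\n",
                       dst[i], pl[i], dst[j], pl[j], met[i], ifc[i], ifc[j]
        }
    }'
}

# untagged_gateway_routes IFACE METRIC  (reads `route -n` on stdin)
# Count gateway routes (flag G) on IFACE whose metric is not METRIC; 0 means
# every pushed route picked up the option.
untagged_gateway_routes() {
    awk -v iface="$1" -v want="$2" '
        NF == 8 && $8 == iface && $4 ~ /G/ && $5 != want { n++ }
        END { print n + 0 }'
}

# Constructed `route -n` output before the fix (mirrors the first table).
sample_before() {
cat <<'EOF'
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.5.1     0.0.0.0         UG    10     0        0 eth0.2
100.80.0.0      100.96.1.17     255.240.0.0     UG    0      0        0 tun0
100.96.0.0      100.96.1.17     255.224.0.0     UG    0      0        0 tun0
100.96.1.16     0.0.0.0         255.255.255.240 U     0      0        0 tun0
172.16.1.0      0.0.0.0         255.255.255.0   U     0      0        0 br-lan
192.168.5.0     0.0.0.0         255.255.255.0   U     10     0        0 eth0.2
192.168.9.0     0.0.0.0         255.255.255.0   U     0      0        0 br-guest
EOF
}

# The same table after "route-metric 1": pushed gateway routes on tun0 at metric 1.
sample_after() {
    sample_before | awk '$8 == "tun0" && $4 ~ /G/ { $5 = 1 } { print }'
}

# Stand-alone demo: config edit on a temporary file, then both checks.
demo_conf=$(mktemp); printf 'client\ndev tun\n' > "$demo_conf"
ensure_route_metric "$demo_conf" 1; ensure_route_metric "$demo_conf" 1
echo "== config after two runs (one route-metric line expected) =="; cat "$demo_conf"
rm -f "$demo_conf"
echo "== same-metric overlaps before =="; sample_before | same_metric_overlaps
echo "== same-metric overlaps after  =="; sample_after  | same_metric_overlaps
echo "== tun0 gateway routes without metric 1, before/after =="
sample_before | untagged_gateway_routes tun0 1
sample_after  | untagged_gateway_routes tun0 1
```

On the router itself, replace the sample functions with the real commands: `route -n | same_metric_overlaps` after the tunnel is up, and `ensure_route_metric /etc/openvpn/<your>.ovpn 1` followed by a restart of the OpenVPN instance. The overlap check deliberately ignores interfaces, because the author's two conflicting prefixes sit on the same tun0 interface; it reports only on equal metrics, so the 100.96.0.0/11 versus 100.96.X.Z/28 pair disappears from the report once the gateway routes carry metric 1.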
