The OpenWRT has all the interfaces it needs (and thus the route) to be able to ping the remote gw (10.128.0.1). And it seems the VPN replies back. Good.
Now, on the DSL, you need to add a route: 10.128.0.X/24 (or 10.X/8? depends what you have set up on the remote... adjust as needed), with gateway 10.130.3.45 (i.e., the OpenWRT, which is the "gateway" you need to go through to reach the 10.128.x network). A LAN can only access another LAN by going through a gateway, using that gateway's LAN IP, as it's the only thing a local machine can access: any IPs on its (one or many) LANs. It seems you directly put the remote IP on the DSL, but the DSL doesn't know how to reach it. It probably by default sends it to its "default gateway", which could be an internet router or anything, but apparently not the OpenWRT (or at least not the OpenWRT 10.130.3.45 interface, the one which gateways to the 10.X net).
I may have read diagonally.
But in a nutshell:
place yourself in the packet, and act as if you want to reach the destination, hop by hop:
you need to find the "closest" route (or, if none, take the default route) to go to the next hop.
Proceed like this hop by hop (forward, and also backwards), and you'll soon find which of the hop doesn't have the necessary step to reach the next hop (or maybe goes to a wrong hop)
ie:
I'm a ping packet sent from DSL. my source is DSL-ip. My destination is a.b.c.d (10.128.0.1, I guess).
I look at the ROUTE table, and choose the destination that most precisely fits a.b.c.d (i.e., between 0.0.0.0/0 (default gw), 10.0.0.0/8 (with gw 10.130.3.45) and a special 10.128.0.x (with gw 10.120.3.45), I choose the last as it's a more precise fit, i.e. more "bits" match my destination).
So I take that route, and go to 10.130.3.45. (if my local firewall allows it)
Now I'm a ping packet with source "...." (could change because of SNAT), and destination "....." (could change with DNAT). And I look at the routing table...
You'll of course also need forward iptables rules to allow you to proceed to the next hop (and with rules that match established connections, thus allowing the reply packets to come back too.
Don't allow both directions, it would open your LAN to anything incoming from the VPN instead of just the established connections!) – Olivier Dulac just now
/edit: Ok, I have found a solution which works rather nicely for my needs.
I have managed to improve upon the first working idea below. In particular, I can now manage a list of IPs to be routed / forwarded directly to A in an external list. I have added the following to /etc/firewall.user
# If the connection was established before, accept it (so we don't have to deal with inbound connections)
iptables -A forwarding_rule -m state --state ESTABLISHED,RELATED -j ACCEPT
# Read IPs from the file, skipping comment (#) and empty lines
FORWARDIPS=$(grep -v -E "^#|^$" /etc/forward_ip)
# Create new iptables and route table entries for each IP in the file:
# allow forwarding if the packet matches the destination and route it through
# "table admin" (must exist in /etc/iproute2/rt_tables), for which we set a default gateway below
for ipblock in $FORWARDIPS
do
    iptables -A forwarding_rule -d "$ipblock" -p all -j ACCEPT
    ip rule add to "$ipblock" table admin
done
root@OpenWrt:~# cat /etc/forward_ip
54.164.36.0/24
8.31.8.0/22
I needed to call the following command from another file at startup (I put it into /etc/rc.local):
# Route everything in table admin by default through ISP-Router
ip route add default via 192.168.0.1 dev eth0 table admin
also edit /etc/iproute2/rt_tables and add the line:
10 admin
/edit, this was my first solution:
I have found a solution. However, it can be improved on greatly. The idea follows my intuition in /edit 1. I enable masquerading for my wan zone and also enable conditional forwarding between my lan and wan zone for a specific destination IP. I can't add more than one "option dest_ip" for the config rule, though. So it would be nice to have what I do in the uci firewall config as an iptables rule which I then add to /etc/firewall.user
I edited /etc/config/firewall and changed the config zone and added a config rule
config zone
	option input 'ACCEPT'
	option output 'ACCEPT'
	option name 'wan'
	option network 'wan'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
config rule
	option target 'ACCEPT'
	option src 'lan'
	option dest 'wan'
	option name 'Lan to Wan'
	option proto 'all'
	option dest_ip '54.164.36.190'
	option enabled '0'
I've discarded my idea in /edit 2 after some trying, because there were many unforeseen hurdles. For example, without a default gateway from B to A I cannot establish my VPN connection in the first place. Nonetheless, I suppose that it can be done if you have a better understanding of routing than me.
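An added example, not the poster's own script, of a stricter version of the /etc/firewall.user loop above: each entry of the IP list is checked to be an IPv4 address or CIDR prefix before it is handed to iptables or ip rule, bad lines are reported and skipped instead of producing a half-applied rule set, and a --dry-run flag prints the commands for review first. The script name forward_rules.sh and the --dry-run flag are assumptions; the sample list in the usage is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): validate /etc/forward_ip entries
# before generating the forwarding and policy-routing rules for "table admin".

# valid_cidr A.B.C.D[/N]: return 0 if the argument is a plausible IPv4 prefix.
valid_cidr() {
    ip=${1%/*}
    case "$1" in
        */*) mask=${1#*/} ;;
        *)   mask=32 ;;          # a bare address is a /32
    esac
    case "$mask" in
        ''|*[!0-9]*) return 1 ;; # mask must be a number
    esac
    [ "$mask" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.
    set -- $ip                   # split the address into octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# gen_rules FILE: print one forwarding rule and one "ip rule" line per valid
# entry of FILE. Comment (#) and blank lines are ignored; invalid entries are
# reported on stderr and skipped, so iptables never sees a malformed target.
gen_rules() {
    grep -v -E '^#|^$' "$1" | while read -r ipblock; do
        if valid_cidr "$ipblock"; then
            echo "iptables -A forwarding_rule -d $ipblock -p all -j ACCEPT"
            echo "ip rule add to $ipblock table admin"
        else
            echo "skipping invalid entry: $ipblock" >&2
        fi
    done
}

# Entry point: sh forward_rules.sh [--dry-run] /etc/forward_ip
# With --dry-run the commands are only printed; otherwise they are executed.
if [ $# -ge 1 ]; then
    if [ "$1" = "--dry-run" ]; then
        gen_rules "$2"
    else
        gen_rules "$1" | sh
    fi
fi
```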
Best Answer
Use VLANs. See: router on a stick, http://wikipedia.org/wiki/One-armed_router