Selective Routing with Asuswrt-Merlin


Nope, on client1.

The script I posted earlier in this thread:

http://forums.smallnetbuilder.com/showpost.php?p=83692&postcount=40

has worked fine on my RT-N66U (post#42 logs the relevant info).

I got an RT-AC56U last week and naively assumed that I would be able to have my legacy RT-N66U scripts up and running as-is... well, not quite so simple.


Code:
Jan 24 15:43:30 openvpn[1265]: ERROR: Cannot ioctl TUNSETIFF tun11: Device or resource busy (errno=16)
Jan 24 15:43:30 openvpn[1265]: Exiting due to fatal error

I am putting the above down to a potential timing issue for the scripts during the boot phase, as the RT-AC56U is trying to concurrently start both the OpenVPN server1 and the PPTP server instances, and the OpenVPN client1 and Dual-WAN etc., and may be too fast!

So I suggest you try the following:

1. Uncheck start OpenVPN client1 with WAN
2. Rename openvpn-event to Xopenvpn-event
3. Reboot the router

When the boot is complete...

4. Manually run Xopenvpn-event
5. Manually start OpenVPN client1
6. Check if selective routing works

I have automated steps 4 & 5 by adding the following lines to wan-start

Code:
   /jffs/scripts/Xopenvpn-event
   service start_vpnclient1

then my selective routing script from post #40 works fine on the RT-AC56U.

/EDIT: for a Dual-WAN environment I did modify the line that was unreliable:

Code:
ip route add default table 100 via $(nvram get wan0_gateway)

If you still have no joy then you will need to post the relevant contents of syslog and the iptables having inserted (as advised by another member) judicious 'echo' / 'logger' statements into your script.

Regards,
 
This is all I do. I reject the route push from the server by adding route-nopull to the custom config section.

Then I run a custom script by adding these lines to the custom config as well.

script-security 2
route-up /jffs/scripts/vpn_route_up.sh

Here is the script. I didn't want to mess with any of the default routes and tables so I just added two new tables to direct traffic.

Code:
#!/bin/sh
# Clear out any previous state from both custom tables and their rules
ip route flush table 10
ip route del default table 10
ip rule del fwmark 10 table 10
ip route flush table 12
ip route del default table 12
ip rule del fwmark 12 table 12
ip route flush cache
iptables -t mangle -F PREROUTING

# Tunnel interface (hard coded for now) and the address OpenVPN assigned to it
tun_if="tun11"
tun_ip=$(ifconfig $tun_if | grep 'inet addr:'| cut -d: -f2 | awk '{ print $1}')

# Table 10: default route via the tunnel; table 12: default route via the WAN
ip route add default via $tun_ip dev $tun_if table 10
ip rule add fwmark 10 table 10
ip route add default via $(nvram get wan_gateway) dev eth0 table 12
ip rule add fwmark 12 table 12

# Relax reverse-path filtering on the tunnel so replies are not dropped
echo 0 > /proc/sys/net/ipv4/conf/$tun_if/rp_filter

# Mark LAN clients in this range for table 10 (VPN); NNTP (tcp/563) for table 12 (WAN)
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.7.40-192.168.7.49 -j MARK --set-mark 10
iptables -t mangle -A PREROUTING -i br0 -p tcp --dport 563 -j MARK --set-mark 12

exit

I imagine there is some way to pass out the tunnel interface name as well; I just haven't gotten that far yet. So for now it is just hard coded.
 
This is a very elegant solution - everything is in one place - not only in the OpenVPN Client GUI, but also in the Syslog:

Code:
Jan 25 10:44:06 openvpn[1483]: TUN/TAP device tun11 opened
Jan 25 10:44:06 openvpn[1483]: TUN/TAP TX queue length set to 100
Jan 25 10:44:06 openvpn[1483]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Jan 25 10:44:06 openvpn[1483]: /usr/sbin/ip link set dev tun11 up mtu 1500
Jan 25 10:44:06 openvpn[1483]: /usr/sbin/ip addr add dev tun11 10.200.5.46/22 broadcast 10.200.7.255
Jan 25 10:44:06 (VPN_Select.sh): 1496 OpenVPN Client Selective routing starting....  /jffs/scripts/VPN_Select.sh.
Jan 25 10:44:07 (VPN_Select.sh): 1496 VPN Selective customisation for: $PS3_Bedroom 10.88.8.142
Jan 25 10:44:08 (IPTablesDump.sh): 1534 Started [VPN_Client_Select]
Jan 25 10:44:09 (VPN_Select.sh): 1496 OpenVPN Client Selective routing completed....
Jan 25 10:44:09 openvpn[1483]: Initialization Sequence Completed


Setting OpenVPN Client to Start with WAN, (and removing my wan-start calls) everything worked perfectly during the reboot.

In summary, it would appear that we both agree that use of an openvpn-event script is a bad idea for selective routing.

/EDIT

P.S. Forgot to mention, your use of two separate routing tables has also appeared to fix the frustrating lack of inbound connectivity to services hosted on the router.

i.e. using my original script, I was unable to connect to the router via either OpenVPN or PPTP if the OpenVPN Client selective routing was running!




Regards,
 
So, I used DJR747's script in my RT-AC66U, running Merlin 3.0.0.4.374.38_2 firmware.

Copied the script from this thread, pasted into Notepad++, edited the ip ranges.
Saved as vpn_route_up.sh

Then set format on boot jffs and reboot.

Using winscp, pasted vpn_route_up.sh into scripts folder and set octal 0777.

Added to vpn custom config

route-nopull
script-security 2 system (tried with and without system)
route-up /jffs/scripts/vpn_route_up.sh

Reboot router.

Here is part of the log:

Code:
Jan 27 15:21:41 openvpn[889]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Jan 27 15:21:42 openvpn[889]: PUSH: Received control message: 'PUSH_REPLY,topology subnet,route-gateway 10.200.4.1,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,ping 10,ping-restart 90,redirect-gateway def1,ifconfig 10.200.5.53 255.255.252.0'
Jan 27 15:21:42 openvpn[889]: Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Jan 27 15:21:42 openvpn[889]: Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Jan 27 15:21:42 openvpn[889]: Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
Jan 27 15:21:42 openvpn[889]: OPTIONS IMPORT: timers and/or timeouts modified
Jan 27 15:21:42 openvpn[889]: OPTIONS IMPORT: --ifconfig/up options modified
Jan 27 15:21:42 openvpn[889]: OPTIONS IMPORT: route-related options modified
Jan 27 15:21:42 openvpn[889]: TUN/TAP device tun11 opened
Jan 27 15:21:42 openvpn[889]: TUN/TAP TX queue length set to 100
Jan 27 15:21:42 openvpn[889]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Jan 27 15:21:42 openvpn[889]: /usr/sbin/ip link set dev tun11 up mtu 1500
Jan 27 15:21:42 openvpn[889]: /usr/sbin/ip addr add dev tun11 10.200.5.53/22 broadcast 10.200.7.255
Jan 27 15:21:42 openvpn[889]: WARNING: Failed running command (--route-up): could not execute external program
Jan 27 15:21:42 openvpn[889]: Initialization Sequence Completed

At this point, the ip addresses are not being re-directed and go out over normal wan.

I do not understand the options errors, but I guess they are the issue.

The wan is pppoe to TpLink epon modem.
Enable wan - yes.
Enable NAT - yes.
Get wan IP auto - yes.
Connect to DNS auto - yes.


So as an experiment....

Using winscp, right click on vpn_route_up.sh and execute it.
There is an error message returned about the tables being empty, but after a few moments, the ip address range starts to route over VPN.

One thing here in Shanghai. It takes a long time to get VPN link to HMA up, there are many retries due to TLS timeout, but eventually connects ok.

I've scratched my head so much that it is bleeding. So I defer to a higher authority, wot is rong? HELP!!!

Bob
 

The first line of your script must be:

Code:
#!/bin/sh

Regards,
 
Yes, I tried both with and without. It did not solve the problem.

But I will try again to be sure.

Seems to me that maybe there is another setting somewhere in the router that is making the problem, but I don't know where.

I dunno, but I am sure someone does!

Bob
 

Well, if you don't have the first line as #!/bin/sh then I can faithfully reproduce your error:

Code:
Jan 27 09:04:53 openvpn[5925]: TUN/TAP device tun11 opened
Jan 27 09:04:53 openvpn[5925]: TUN/TAP TX queue length set to 100
Jan 27 09:04:53 openvpn[5925]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Jan 27 09:04:53 openvpn[5925]: /usr/sbin/ip link set dev tun11 up mtu 1500
Jan 27 09:04:54 openvpn[5925]: /usr/sbin/ip addr add dev tun11 10.200.5.5/22 broadcast 10.200.7.255
Jan 27 09:04:54 openvpn[5925]: WARNING: Failed running command (--route-up): could not execute external program
Jan 27 09:04:54 openvpn[5925]: Initialization Sequence Completed

and by restoring the #!/bin/sh line it works:

Code:
Jan 27 09:06:57 openvpn[6116]: TUN/TAP device tun11 opened
Jan 27 09:06:57 openvpn[6116]: TUN/TAP TX queue length set to 100
Jan 27 09:06:57 openvpn[6116]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Jan 27 09:06:57 openvpn[6116]: /usr/sbin/ip link set dev tun11 up mtu 1500
Jan 27 09:06:57 openvpn[6116]: /usr/sbin/ip addr add dev tun11 10.200.5.5/22 broadcast 10.200.7.255
Jan 27 09:06:57 (VPN_Select.sh): 6125 OpenVPN Client Selective routing starting....  /jffs/scripts/VPN_Select.sh.
Jan 27 09:06:59 (VPN_Select_ON_OFF.sh): 6163 VPN Selective routing for [PS3-Bedroom ON FORCE]
Jan 27 09:06:59 (VPN_Select_ON_OFF.sh): 6163 ***DEBUG*** PS3-Bedroom lookup returned 10.88.8.142
Jan 27 09:06:59 (VPN_Select_ON_OFF.sh): 6163 VPN Selective routing for 10.88.8.142 set MARK=1 (ON)
Jan 27 09:06:59 (IPTablesDump.sh): 6188 Started [VPN_Client_Select]
Jan 27 09:06:59 (VPN_Select.sh): 6125 OpenVPN Client Selective routing completed....
Jan 27 09:06:59 openvpn[6116]: Initialization Sequence Completed

I suggest you SSH/telnet into the router and run your script on the command line to see what errors it reports.

Regards,
 
Ok Martin

I tried it 4 times. First 3 times it did not work, 4th time it worked.

What I saw is for the first 3 reboots, TLS timeout errors. The 4th time vpn connected without TLS timeout and the script did not error.

Looking at the log, there are still the option errors.

Currently, the devices connected via VPN are losing their connections every few mins. But nothing new is showing in the log as this happens.

I think I have some setting wrong which is causing a fight, making the dedicated fixed vpn address range to keep dropping their connection. They are outside the dhcp range and manually set at the devices (Sony TV, pc, Reciva radio etc).

I would like to understand the meaning of the option errors. I think this is something to do with it.

Currently, the vpn connected devices are not maintaining a connection for more than a few minutes.


Thanks for your advice!

Bob
 

Having adopted the more elegant script I too now use the directive route-nopull, and as a consequence see the same errors:

Code:
Jan 27 09:06:59 openvpn[6116]: Initialization Sequence Completed
Jan 27 09:06:59 openvpn[6116]: PUSH: Received control message: 'PUSH_REPLY,topology subnet,route-gateway 10.200.4.1,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,ping 10,ping-restart 90,redirect-gateway def1,ifconfig 10.200.5.5 255.255.252.0'
Jan 27 09:06:59 openvpn[6116]: Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Jan 27 09:06:59 openvpn[6116]: Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Jan 27 09:06:59 openvpn[6116]: Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])

so I don't believe they are relevant.

So create a new script xx.sh which simply contains

Code:
#!/bin/sh
echo OpenVPN Client Selective routing starting....
logger -t "($(basename $0))" $$ OpenVPN Client Selective routing starting...

and change the client directive to route-up /jffs/scripts/xx.sh then turn OFF then turn ON the OpenVPN client through the GUI.

Also, manually running the xx.sh script on the command line should not produce errors but the messages should be correctly displayed/logged.

Wait and see if the OpenVPN client remains ON after say 15 mins. If not then it can't be the script causing the issue in which case it may be an incorrect OpenVPN configuration or try another VPN target node.



Regards,
 
I imagine there is some way to pass out the tunnel interface name as well; I just haven't gotten that far yet. So for now it is just hard coded.

If you add say the following to the OpenVPN Client custom configuration

Code:
up /jffs/scripts/xup.sh

e.g. xup.sh contains

Code:
#!/bin/sh

logger -t "($(basename $0))" $$ Args.... " $0${*:+ $*}"

# Pass Interface name to VPN_Route.sh
echo $1 >/tmp/Client_TUN_IF.txt

logger -t "($(basename $0))" $$ OpenVPN client Interface=$1

then you can retrieve the value in VPN_Route.sh using

Code:
tun_if=`cat /tmp/Client_TUN_IF.txt`

P.S. store the file on a true USB drive if you are concerned about wearing out the router RAM!

Regards,
 
P.S. store the file on a true USB drive if you are concerned about wearing out the router RAM!


/tmp is fine, it's actual RAM and not flash. There is no finite amount of writes that can be done to it.
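The route-up script from DJR747's post, as an added example that is not from the thread, rewritten so the tunnel interface and its address come from what OpenVPN hands a route-up script (the first positional argument and the exported dev / ifconfig_local variables) instead of the hard-coded tun11 or the /tmp file relay above; it also falls back from wan0_gateway to wan_gateway and tolerates the "Nothing to flush" errors on a first run. The address range, interface names and the RUN dry-run variable are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not DJR747's script): same two-table design, but the tunnel
# interface is taken from what OpenVPN passes to a route-up script:
#   script tun_dev tun_mtu link_mtu local_ip remote_ip [init|restart]
# plus the exported environment variables $dev and $ifconfig_local.
# Set RUN=echo to print the commands instead of executing them (dry run).
RUN=${RUN:-}
VPN_TABLE=10
WAN_TABLE=12
VPN_RANGE=${VPN_RANGE:-192.168.7.40-192.168.7.49}   # constructed sample range
LAN_IF=${LAN_IF:-br0}
WAN_IF=${WAN_IF:-eth0}

# Tunnel interface: $dev from OpenVPN, else the first argument, else tun11.
tun_if() {
    if [ -n "$dev" ]; then echo "$dev"
    elif [ -n "$1" ]; then echo "$1"
    else echo tun11; fi
}

# Address to route via: OpenVPN's ifconfig_local, or read from the interface
# the way the original script does.
tun_gateway() {
    if [ -n "$ifconfig_local" ]; then echo "$ifconfig_local"; return; fi
    ifconfig "$1" 2>/dev/null | sed -n 's/.*inet addr:\([0-9.]*\).*/\1/p'
}

# WAN gateway: wan0_gateway on Dual-WAN firmware, wan_gateway otherwise.
wan_gateway() {
    gw=$(nvram get wan0_gateway 2>/dev/null)
    [ -n "$gw" ] || gw=$(nvram get wan_gateway 2>/dev/null)
    echo "$gw"
}

# Tear down previous state; '|| true' swallows the harmless
# "Nothing to flush" / "RTNETLINK answers: No such process" on a first run.
teardown() {
    for t in $VPN_TABLE $WAN_TABLE; do
        $RUN ip route flush table $t 2>/dev/null || true
        $RUN ip rule del fwmark $t table $t 2>/dev/null || true
    done
    $RUN ip route flush cache
    $RUN iptables -t mangle -F PREROUTING
}

setup() {   # $1 = tun interface, $2 = tun address, $3 = wan gateway
    $RUN ip route add default via "$2" dev "$1" table $VPN_TABLE
    $RUN ip rule add fwmark $VPN_TABLE table $VPN_TABLE
    $RUN ip route add default via "$3" dev "$WAN_IF" table $WAN_TABLE
    $RUN ip rule add fwmark $WAN_TABLE table $WAN_TABLE
    $RUN sh -c "echo 0 > /proc/sys/net/ipv4/conf/$1/rp_filter"
    # Marked LAN clients leave via the tunnel; everything else keeps the main table.
    $RUN iptables -t mangle -A PREROUTING -i "$LAN_IF" -m iprange \
        --src-range "$VPN_RANGE" -j MARK --set-mark $VPN_TABLE
    # Force one protocol (NNTP, as in the original) out over the WAN table.
    $RUN iptables -t mangle -A PREROUTING -i "$LAN_IF" -p tcp --dport 563 \
        -j MARK --set-mark $WAN_TABLE
}

main() {
    IF=$(tun_if "$1")
    GW=$(tun_gateway "$IF")
    WGW=$(wan_gateway)
    if [ -z "$GW" ] || [ -z "$WGW" ]; then
        logger -t "($(basename "$0"))" $$ "tunnel addr='$GW' wan gw='$WGW' - aborting"
        return 1
    fi
    teardown
    setup "$IF" "$GW" "$WGW"
    logger -t "($(basename "$0"))" $$ "selective routing: $VPN_RANGE via $IF, tcp/563 via $WAN_IF"
}

# Only run when invoked as the route-up script, not when sourced for testing.
case "$0" in */vpn_route_up.sh|vpn_route_up.sh) main "$@" ;; esac
```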
 
Hey guys. I've been trying to get this working since November. I've had no luck. I'm attempting to use DJ's script at this point. When I try to execute these scripts through WinSCP or from Tools>Run Cmd via /jffs/scripts/vpn_route_up.sh or previously with /jffs/scripts/openvpn-event, I receive the error sh: /jffs/scripts/vpn_route_up.sh: not found.

jffs is enabled, formatted, and the scripts are in the specified location. I'm using PIA with the custom commands:

Code:
persist-key
persist-tun
tls-client
comp-lzo
verb 1
route-nopull
script-security 2
route-up /jffs/scripts/vpn_route_up.sh

An example log looks like so:

Code:
Jan 27 15:36:23 rc_service: httpd 321:notify_rc start_vpnclient1
Jan 27 15:36:24 kernel: tun: Universal TUN/TAP device driver, 1.6
Jan 27 15:36:24 kernel: tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
Jan 27 15:36:24 openvpn[935]: OpenVPN 2.3.2 mipsel-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [eurephia] [MH] [IPv6] built on Jan 17 2014
Jan 27 15:36:24 openvpn[935]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Jan 27 15:36:24 openvpn[935]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jan 27 15:36:24 openvpn[939]: UDPv4 link local: [undef]
Jan 27 15:36:24 openvpn[939]: UDPv4 link remote: [AF_INET]46.165.251.68:1194
Jan 27 15:36:24 openvpn[939]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Jan 27 15:36:26 openvpn[939]: [server] Peer Connection Initiated with [AF_INET]46.165.251.68:1194
Jan 27 15:36:28 openvpn[939]: Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
Jan 27 15:36:28 openvpn[939]: Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Jan 27 15:36:28 openvpn[939]: Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Jan 27 15:36:28 openvpn[939]: Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
Jan 27 15:36:28 openvpn[939]: TUN/TAP device tun11 opened
Jan 27 15:36:28 openvpn[939]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Jan 27 15:36:28 openvpn[939]: /usr/sbin/ip link set dev tun11 up mtu 1500
Jan 27 15:36:28 openvpn[939]: /usr/sbin/ip addr add dev tun11 local 10.193.1.10 peer 10.193.1.9
Jan 27 15:36:28 openvpn[939]: updown.sh tun11 1500 1542 10.193.1.10 10.193.1.9 init
Jan 27 15:36:29 openvpn[939]: WARNING: Failed running command (--route-up): could not execute external program
Jan 27 15:36:29 openvpn[939]: Initialization Sequence Completed

The script begins with #!/bin/sh, just a note since it's been mentioned before. They are also set to 0777.

Could anyone please help me out with this? I don't know if it matters, but also when the vpn is enabled, if I telnet in and request the variable

$(nvram get wan_gateway)

I receive this: -sh: My ISPs Gateway here: not found

Not sure it's relevant.
 

The 'not found' error is because the script has been created under something like NOTEPAD and contains CRLF characters as EOL delimiters.
Try to run it from an SSH/telnet prompt to prove it!

Use NOTEPAD++ on Windows in Unix LF EOL mode to verify, then use WinSCP to drag and drop on to the router.

P.S. The correct NVRAM variable is wan0_gateway if this is your primary interface in a DUAL-WAN configuration.

Regards,
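A preflight check for a /jffs/scripts hook, as an added example that is not from the thread: it reports the three causes of "could not execute external program" / "not found" seen above (no #!/bin/sh first line, CRLF line endings from a Windows editor, missing execute bit) and strips the carriage returns the way Notepad++'s Unix LF mode would. The file names and contents in the demo are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: preflight check for a /jffs/scripts/*.sh
# hook, covering the failure modes reported in this thread:
#   - missing "#!/bin/sh" first line  -> "could not execute external program"
#   - CRLF line endings               -> "sh: /jffs/scripts/x.sh: not found"
#   - missing execute bit
# check_script prints one line per finding and returns 1 if anything is wrong.
check_script() {
    f=$1
    rc=0
    if [ ! -f "$f" ]; then
        echo "MISSING: $f does not exist"
        return 1
    fi
    first=$(head -n 1 "$f" | tr -d '\r')
    if [ "$first" != "#!/bin/sh" ]; then
        echo "SHEBANG: first line is '$first', expected '#!/bin/sh'"
        rc=1
    fi
    # Count carriage-return bytes anywhere in the file.
    crs=$(tr -cd '\r' < "$f" | wc -c | tr -d ' ')
    if [ "$crs" -gt 0 ]; then
        echo "CRLF: $crs carriage returns found (save with Unix LF line endings)"
        rc=1
    fi
    if [ ! -x "$f" ]; then
        echo "PERMS: $f is not executable (chmod 0755 $f)"
        rc=1
    fi
    [ $rc -eq 0 ] && echo "OK: $f"
    return $rc
}

# Strip carriage returns in place, keeping the file's permissions.
fix_crlf() {
    tmp="$1.lf.$$"
    tr -d '\r' < "$1" > "$tmp" && cat "$tmp" > "$1" && rm -f "$tmp"
}

# Demo on a constructed script saved the way a Windows editor would save it.
demo() {
    d=$(mktemp -d)
    printf '#!/bin/sh\r\nip rule add fwmark 10 table 10\r\n' > "$d/vpn_route_up.sh"
    chmod 0755 "$d/vpn_route_up.sh"
    check_script "$d/vpn_route_up.sh" || true   # reports CRLF
    fix_crlf "$d/vpn_route_up.sh"
    check_script "$d/vpn_route_up.sh"           # now OK
    rm -rf "$d"
}
```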
 
Martineau.

Tried multiple reboots early this morning here in China. Every time comes up fine, vpn connects without issue and ip range redirection works.

When the internet here is not busy, I do not get the TLS timeouts. Strangely though, I never see TLS timeout issues when connecting using HMA program directly on pc, it only happens with the router.

Of course, vpn for unblocking things that are "restricted" here is good, but of course everything still has to go through the GFW bottleneck. This severely limits speed.
Speed to "in Country" sites is extremely fast, speedtest is often near the top of the meter for downloads. But upload speed is much poorer. One hop over the border and download speed falls down to a few meg.

Not much I can do about that!

Many thanks for your advice.

Bob
 

Glad you finally got it working - although the lack of a reliable connection is frustrating. (HMA nodes can differ widely in speed - not sure if they are oversubscribed etc.)

Here are my OpenVPN client settings: (it may be worthwhile trying both protocols TCP/UDP?)

Code:
Start with WAN: YES
Interface Type: TUN
Protocol: UDP
Server Address: your choice of HMA server
Port: 443 for TCP 53 for UDP
Firewall: Automatic
Authorization mode: TLS
Username/Password Authentication: Yes
Username: your HMA username
Password: your HMA password
Username Auth. Only: No
Extra HMAC authorization: Disabled
Create NAT on tunnel: Yes
Poll Interval: 0
Redirect Internet traffic:Yes
Accept DNS Configuration: Disabled
Encryption cipher: BF-CBC
Compression: Disabled
TLS Renegotiation Time: -1
Connection Retry: 30
Verify Server Certificate: No
Custom Configuration: ns-cert-type server
route-nopull
script-security 2
route-up /jffs/scripts/VPN_Select.sh

I have a couple of other router configuration changes which may or may not be relevant.

1. WAN / Internet Settings (I use Google 8.8.8.8/8.8.4.4)

Code:
Connect to DNS Server automatically No
DNS Server1: your choice of DNS Server
DNS Server2: your choice of alternate DNS Server

2. I have the following rule in firewall-start, to prevent clients overriding the above.

Code:
iptables -I PREROUTING -t nat -p udp -s `nvram get lan_ipaddr`/`nvram get lan_netmask` ! -d `nvram get lan_ipaddr`/`nvram get lan_netmask` --dport 53 -j DNAT --to-destination `nvram get lan_ipaddr`


Regards,
 
Split Tunneling

I have a question.

I have adopted an earlier script on page 4 of this thread to work with the PPTP client.

And it works!

However .....

Upon noticing on the thread, and with my own testing, you cannot get access to the router (AiCloud etc) when the VPN is active. Split tunneling *appears* to be a solution.

But ....

On investigating this I noticed that although my selective routing is working, ALL traffic seems to be going via the VPN interface. Try this to see if it is doing the same for you:

Code:
ip route get 8.8.8.8

I get:

Code:
8.8.8.8 via 10.255.240.1 dev ppp5

where ppp5 is my VPN. Anyone having this with OpenVPN?

Regards
 

Do not use that script...it prevents access to any service hosted on the router.

Use the latest script posted by member DJR747

http://forums.smallnetbuilder.com/showpost.php?p=101202&postcount=64

If the selective routing is working then I use

http://www.ip2location.com/

to verify my country of origin (I don't recall seeing any difference in the

Code:
ip route get 8.8.8.8

command when I switched to the VPN).

Regards,
 
Ah thanks for that Martineau

Alas the script by DJR747 appears to be very specific for OpenVPN, and adapting it for use with the PPTP client is beyond my scope!

Tried, just for the heck of it, and got some interesting errors:

Code:
someone@RT-N66U:/jffs# ip route flush table 10
Nothing to flush.
someone@RT-N66U:/jffs# ip route del default table 10
RTNETLINK answers: No such process
someone@RT-N66U:/jffs# ip route del default table 12
RTNETLINK answers: No such process

Ran it anyway and the result was everything went via the VPN and the one device I wanted routed via VPN had no access at all :)

Oh well.

Regards
 