Asus AC-68u Merlin + openvpn selective routing (plex)


MichelW

New Around Here
Hi,

I'm new to writing here, but I have been doing quite some reading :)
I have a problem that I unfortunately cannot figure out myself.

I have the following setup:

192.168.2.0/24 subnet on an Asus AC-68U with a few computers, media players (Kodi), and a home server/storage (Ubuntu server).

On the home server I have Plex Media Server running, a BitTorrent client, SABnzbd, CouchPotato and SickRage.

I have set up a Private Internet Access OpenVPN on the AC-68U. That works. I can route all traffic through the VPN, but of course that's not what I want. I would like to route the download clients and both Raspberry Pis through the VPN, and all other stuff should use the normal route.

After sifting through this great 19-page topic: http://www.snbforums.com/threads/selective-routing-with-asuswrt-merlin.9311/ I have read so much information that it got me even more confused. The problem is that my iptables knowledge is very limited, so I am in need of some help :)

The network is setup like this:

Asus AC-68U firmware 378.53 192.168.2.1
KodiWK (Raspberry PI running openelec) 192.168.2.15
KodiSK (Raspberry PI running openelec) 192.168.2.16
Ubuntu Homeserver/Storage 192.168.2.5
The computer I am writing this on: 192.168.2.230

I have modified the script from Wysie that I found at: https://gist.github.com/Wysie/7487571

To this:
Code:
#!/bin/sh

# This script will route traffic from home network through VPN selectively.
# Based off the discussion at http://www.snbforums.com/threads/selective-routing-with-asuswrt-merlin.9311/page-8
# The setup is an Asus AC68U running Merlin 378.53. On the Asus I have a Private Internet Access OpenVPN
# installed and running. Furthermore 2 Raspberry PI's (KodiWK and KodiSK) and a HomeServer with a torrent client
# running a web interface as well as some other download clients.
# The aim is to have all traffic from the Kodi Raspberry's to go through the VPN, the HomeServer using the VPN,
# and to have all traffic from all other devices bypassing the VPN, There are however some exceptions. Since Plex
# uses port 32400, the Homeserver has to bypass the VPN when using that port. In addition, port 9091 has to
# bypass the VPN as well in order to access the HomeServer torrent client as well as some other download clients.

logger -t "($(basename $0))" $$ PIA-VPN Selective Customization Starting... " $0${*:+ $*}."

HomeServer="192.168.2.5"
KodiWK="192.168.2.15"
KodiSK="192.168.2.16"

# SHELL COMMANDS FOR MAINTENANCE.
# DO NOT UNCOMMENT, THESE ARE INTENDED TO BE USED IN A SHELL COMMAND LINE
#
# List Contents by line number
# iptables -L PREROUTING -t mangle -n --line-numbers
#
# Delete rules from mangle by line number
# iptables -D PREROUTING type-line-number-here -t mangle
#
# To list the current rules on the router, issue the command:
# iptables -t mangle -L PREROUTING
#
# Flush/reset all the rules to default by issuing the command:
# iptables -t mangle -F PREROUTING

#
# Disable Reverse Path Filtering on all current and future network interfaces:
#
for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
echo 0 > $i
done

#
# Delete table 100 and flush any existing rules if they exist.
#
ip route flush table 100
ip route del default table 100
ip rule del fwmark 1 table 100
ip route flush cache
iptables -t mangle -F PREROUTING

#
# Copy all non-default and non-VPN related routes from the main table into table 100.
# Then configure table 100 to route all traffic out the WAN gateway and assign it mark "1"
#
tun_if="tun11"

ip route show table main | grep -Ev ^default | grep -Ev $tun_if \
| while read ROUTE ; do
ip route add table 100 $ROUTE
logger -t "($(basename $0))" $$ PIA-VPN Table 100 added entry: $ROUTE
done

ip route add default table 100 via $(nvram get wan0_gateway)
ip rule add fwmark 1 table 100
ip route flush cache

# By default all traffic bypasses the VPN
iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1

logger -t "($(basename $0))" $$ Selective customisation for: "$"KodiWK $KodiWK
# By default KodiWK uses the VPN
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range $KodiWK -j MARK --set-mark 0

logger -t "($(basename $0))" $$ Selective customisation for: "$"KodiSK $KodiSK
# By default KodiSK uses the VPN
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range $KodiSK -j MARK --set-mark 0

logger -t "($(basename $0))" $$ Selective customisation for: "$"HomeServer $HomeServer
# By default HomeServer uses the VPN, and FORCES the use of the VPN tunnel
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range $HomeServer -j MARK --set-mark 0
# except for some ports that should bypass the VPN:
# Transmission ------ TCP port 9091
# SickRage ---------- TCP port 8081
# SaBnzbd ----------- TCP port 8080
# CouchPotato ------- TCP port 5050
# Plex Media server - TCP port 3005,8324,32400,32469
# Plex Media Server - UDP port 1900,5353,32410,32412,32413,32414
# The DROP rule is inserted first; every ACCEPT inserted after it with -I lands above it,
# so only the listed ports may leave the HomeServer through the WAN.
iptables -I FORWARD -i br0 -s $HomeServer -o eth0 -j DROP
iptables -I FORWARD -i br0 -s $HomeServer -o eth0 -p tcp -m multiport --port 9091 -j ACCEPT
iptables -I FORWARD -i br0 -s $HomeServer -o eth0 -p tcp -m multiport --port 8081 -j ACCEPT
iptables -I FORWARD -i br0 -s $HomeServer -o eth0 -p tcp -m multiport --port 8080 -j ACCEPT
iptables -I FORWARD -i br0 -s $HomeServer -o eth0 -p tcp -m multiport --port 5050 -j ACCEPT
iptables -I FORWARD -i br0 -s $HomeServer -o eth0 -p tcp -m multiport --port 3005,8324,32400,32469 -j ACCEPT
iptables -I FORWARD -i br0 -s $HomeServer -o eth0 -p udp -m multiport --port 1900,5353,32410,32412,32413,32414 -j ACCEPT

# TCP and UDP Ports that will bypass the VPN
# (multiport --port matches either the source or the destination port, so replies a server
# sends from these ports are caught as well as connections made to them)
iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --port 22,9091,8081,8080,5050,3005,8324,32400,32469 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -p udp -m multiport --port 1900,5353,32410,32412,32413,32414 -j MARK --set-mark 1

logger -t "($(basename $0))" $$ PIA-VPN Selective Customization completed.

And put it in /jffs/scripts/openvpn-event

After rebooting the router, traffic from both the KodiWK and KodiSK as well as the home server is routed through the VPN, and the rest of my network-attached devices use the normal internet route.

The problem is that Plex won't connect from the internet. The port forward TCP 32400 to 192.168.2.5 is set; without the VPN running it works, but as soon as the VPN is running Plex simply won't connect.


As you can see in the image below, my normal public IP address does not show up in Plex, but instead it shows my PIA OpenVPN IP. This should be my public ISP IP address.

Image1.jpg


Does anybody see what I am doing wrong? Please do consider that I am an iptables noob ;)

Cheers,

Michel
 
Plex is not VPN service friendly.....it uses standard http to determine your WAN address, and since http goes through the VPN, that's the address it sees. The only workaround is to specify all the plex.tv server addresses in the bypass as well. Here's the last list of adds I had, and don't know if it's still current (I've since just let it go thru the VPN when I need it).....

Code:
iptables -t mangle -A PREROUTING -i br0 -d 184.72.0.0/16 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -d 50.18.0.0/16 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -d 184.169.0.0/16 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -d 54.241.0.0/16 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -d 54.176.0.0/16 -j MARK --set-mark 1

EDIT: I did a quick check and that list still looks good.
 
Thanks that helped!

I had to change the script due to some other problems.
This is what I ended up using, and it works on an AC-68U running Merlin v378.53:

Code:
#!/bin/sh
logger -t "($(basename $0))" $$ "Starting custom piavpn.sh"
echo "($(basename $0))" $$ "Starting piavpn.sh"

ip route flush table 10
ip rule del table 10
ip rule del fwmark 10 table 10
ip route flush table 12
ip rule del table 12
ip rule del fwmark 12 table 12
ip route flush cache
iptables -t mangle -F PREROUTING

echo "($(basename $0))" $$ "RTNETLINK errors are from deleting tables that don't exist yet and can be ignored."

tun_if="tun11"
tun_ip=$(ifconfig $tun_if | grep 'inet addr:'| cut -d: -f2 | awk '{ print $1}')

logger -t "($(basename $0))" $$ "CMD: ip route add default via $tun_ip dev $tun_if table 10"
logger -t "($(basename $0))" $$ "CMD: ip route add default via $(nvram get wan0_gateway) dev eth0 table 12"

ip route add default via $tun_ip dev $tun_if table 10
ip rule add fwmark 10 table 10
ip route add default via $(nvram get wan0_gateway) dev eth0 table 12
ip rule add fwmark 12 table 12

echo 0 > /proc/sys/net/ipv4/conf/$tun_if/rp_filter

#
# Define the routing policies for the traffic. The rules will be applied in the order that they
# are listed. In the end, packets with MARK set to "10" will pass through the VPN. If MARK is set
# to "12" it will bypass the VPN.

# All LAN traffic will bypass the VPN (Useful to put this rule first, so all traffic bypasses the VPN and you can configure exceptions afterwards)
iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 12

# Ports 80 and 443 will bypass the VPN
iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport 80,443 -j MARK --set-mark 12

# All UDP and ICMP traffic will bypass the VPN
iptables -t mangle -A PREROUTING -i br0 -p udp -j MARK --set-mark 12
iptables -t mangle -A PREROUTING -i br0 -p icmp -j MARK --set-mark 12

# All traffic from KodiWK on the LAN will use the VPN
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.2.15 -j MARK --set-mark 10

# All traffic from KodiSK on the LAN will use the VPN (192.168.2.16, not .15 again)
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.2.16 -j MARK --set-mark 10

# All traffic from the Homeserver on the LAN will use the VPN
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.2.5 -j MARK --set-mark 10

# All traffic to a specific Internet IP address will use the VPN
iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 213.163.70.14 -j MARK --set-mark 10

# All traffic to a specific Internet IP address will bypass the VPN
# Plex web
iptables -t mangle -A PREROUTING -i br0 -d 184.72.0.0/16 -j MARK --set-mark 12
iptables -t mangle -A PREROUTING -i br0 -d 50.18.0.0/16 -j MARK --set-mark 12
iptables -t mangle -A PREROUTING -i br0 -d 184.169.0.0/16 -j MARK --set-mark 12
iptables -t mangle -A PREROUTING -i br0 -d 54.241.0.0/16 -j MARK --set-mark 12
iptables -t mangle -A PREROUTING -i br0 -d 54.176.0.0/16 -j MARK --set-mark 12

# Exception for some ports on the Homeserver that should bypass the VPN:
# plex (replies the Homeserver sends from port 32400 go out via the WAN)
iptables -t mangle -A PREROUTING -i br0 -s 192.168.2.5 -p tcp -m multiport --sport 32400 -j MARK --set-mark 12
exit

And this is the vpn config:

part1.png

part2.png


Add this to your custom configuration:
Code:
route-nopull 
script-security 2
route-up /jffs/scripts/piavpn.sh
 
Hmm, still have a problem.

If I remotely connect to my home network using a dial-up openvpn connection, I can only reach the router, not the rest of my network.

As soon as I close the Private Internet Access VPN I can access the rest of the network.

The VPN status on the remote PC: (for privacy my public IP has been replaced with 80.80.80.80)
Code:
Mon Jun 01 16:34:58 2015 OpenVPN 2.3.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Dec  1 2014
Mon Jun 01 16:34:58 2015 library versions: OpenSSL 1.0.1j 15 Oct 2014, LZO 2.08
Mon Jun 01 16:35:02 2015 UDPv4 link local: [undef]
Mon Jun 01 16:35:02 2015 UDPv4 link remote: [AF_INET]80.80.80.80:1194
Mon Jun 01 16:35:16 2015 [RT-AC68U] Peer Connection Initiated with [AF_INET]80.80.80.80:1194
Mon Jun 01 16:35:19 2015 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Mon Jun 01 16:35:19 2015 open_tun, tt->ipv6=0
Mon Jun 01 16:35:19 2015 TAP-WIN32 device [Ethernet 3] opened: \\.\Global\{3610EE7E-E611-40A6-876E-B5BF9EFFA0F1}.tap
Mon Jun 01 16:35:19 2015 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.8.0.6/255.255.255.252 on interface {3610EE7E-E611-40A6-876E-B5BF9EFFA0F1} [DHCP-serv: 10.8.0.5, lease-time: 31536000]
Mon Jun 01 16:35:19 2015 Successful ARP Flush on interface [25] {3610EE7E-E611-40A6-876E-B5BF9EFFA0F1}
Mon Jun 01 16:35:24 2015 Initialization Sequence Completed

iptables-save output: (for privacy my public IP has been replaced with 80.80.80.80)

Code:
# Generated by iptables-save v1.4.14 on Mon Jun  1 16:37:28 2015
*raw
:PREROUTING ACCEPT [3844:892721]
:OUTPUT ACCEPT [1880:657309]
COMMIT
# Completed on Mon Jun  1 16:37:28 2015
# Generated by iptables-save v1.4.14 on Mon Jun  1 16:37:28 2015
*nat
:PREROUTING ACCEPT [333:58344]
:INPUT ACCEPT [73:15485]
:OUTPUT ACCEPT [88:9666]
:POSTROUTING ACCEPT [90:9778]
:DNSFILTER - [0:0]
:LOCALSRV - [0:0]
:PCREDIRECT - [0:0]
:VSERVER - [0:0]
:VUPNP - [0:0]
-A PREROUTING -p udp -m udp --dport 1194 -j ACCEPT
-A PREROUTING -d 80.80.80.80/32 -j VSERVER
-A POSTROUTING -s 192.168.2.0/24 -o tun11 -j MASQUERADE
-A POSTROUTING ! -s 80.80.80.80/32 -o eth0 -j MASQUERADE
-A POSTROUTING -m mark --mark 0xb400 -j MASQUERADE
-A VSERVER -p tcp -m tcp --dport 8882 -j DNAT --to-destination 192.168.2.42:80
-A VSERVER -p tcp -m tcp --dport 8883 -j DNAT --to-destination 192.168.2.43:80
-A VSERVER -p tcp -m tcp --dport 8880 -j DNAT --to-destination 192.168.2.40:80
-A VSERVER -p tcp -m tcp --dport 32400 -j DNAT --to-destination 192.168.2.5:32400
-A VSERVER -p udp -m udp --dport 32400 -j DNAT --to-destination 192.168.2.5:32400
-A VSERVER -j VUPNP
COMMIT
# Completed on Mon Jun  1 16:37:28 2015
# Generated by iptables-save v1.4.14 on Mon Jun  1 16:37:28 2015
*mangle
:PREROUTING ACCEPT [3533:859030]
:INPUT ACCEPT [2254:479606]
:FORWARD ACCEPT [1226:360800]
:OUTPUT ACCEPT [1643:636842]
:POSTROUTING ACCEPT [2900:1002414]
-A PREROUTING -i br0 -j MARK --set-xmark 0xc/0xffffffff
-A PREROUTING -i br0 -p tcp -m multiport --dports 80,443 -j MARK --set-xmark 0xc/0xffffffff
-A PREROUTING -i br0 -p udp -j MARK --set-xmark 0xc/0xffffffff
-A PREROUTING -i br0 -m iprange --src-range 192.168.2.15-192.168.2.15 -j MARK --set-xmark 0xa/0xffffffff
-A PREROUTING -i br0 -m iprange --src-range 192.168.2.15-192.168.2.15 -j MARK --set-xmark 0xa/0xffffffff
-A PREROUTING -i br0 -m iprange --src-range 192.168.2.5-192.168.2.5 -j MARK --set-xmark 0xa/0xffffffff
-A PREROUTING -d 184.72.0.0/16 -i br0 -j MARK --set-xmark 0xc/0xffffffff
-A PREROUTING -d 50.18.0.0/16 -i br0 -j MARK --set-xmark 0xc/0xffffffff
-A PREROUTING -d 184.169.0.0/16 -i br0 -j MARK --set-xmark 0xc/0xffffffff
-A PREROUTING -d 54.241.0.0/16 -i br0 -j MARK --set-xmark 0xc/0xffffffff
-A PREROUTING -d 54.176.0.0/16 -i br0 -j MARK --set-xmark 0xc/0xffffffff
-A PREROUTING -s 192.168.2.5/32 -i br0 -p tcp -m multiport --sports 32400 -j MARK --set-xmark 0xc/0xffffffff
COMMIT
# Completed on Mon Jun  1 16:37:28 2015
# Generated by iptables-save v1.4.14 on Mon Jun  1 16:37:28 2015
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [1735:647454]
:FUPNP - [0:0]
:PControls - [0:0]
:logaccept - [0:0]
:logdrop - [0:0]
-A INPUT -i tun11 -j ACCEPT
-A INPUT -i tun21 -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j logdrop
-A INPUT -m state --state INVALID -j logdrop
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A INPUT -i br0 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A INPUT -j logdrop
-A FORWARD -i br0 -o eth0 -p udp -m udp --dport 1701 -j DROP
-A FORWARD -i tun11 -j ACCEPT
-A FORWARD -i tun21 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD ! -i br0 -o eth0 -j logdrop
-A FORWARD -m state --state INVALID -j logdrop
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec -j ACCEPT
-A FORWARD -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j ACCEPT
-A FORWARD -i eth0 -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
-A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
-A FORWARD -i br0 -j ACCEPT
-A PControls -j ACCEPT
-A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logaccept -j ACCEPT
-A logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logdrop -j DROP
COMMIT
# Completed on Mon Jun  1 16:37:28 2015

tun11 is the Private Internet Access VPN on the router,
tun21 is the dialup VPN I use to access my home network from elsewhere.

It looks like I don't have a working route from tun21 to the home network as soon as the Private Internet Access VPN is up and the piavpn.sh is loaded.

Any ideas?
 
Code:
#!/bin/sh
logger -t "($(basename $0))" $$ "Starting custom nordvpn.sh"
echo "($(basename $0))" $$ "Starting nordvpn.sh"

ip route flush table 10
ip rule del table 10
ip rule del fwmark 10 table 10
ip route flush table 12
ip rule del table 12
ip rule del fwmark 12 table 12
ip route flush cache
iptables -t mangle -F PREROUTING

echo "($(basename $0))" $$ "RTNETLINK errors are from deleting tables that don't exist yet and can be ignored."

tun_if="tun11"
tun_ip=$(ifconfig $tun_if | grep 'inet addr:'| cut -d: -f2 | awk '{ print $1}')

logger -t "($(basename $0))" $$ "CMD: ip route add default via $tun_ip dev $tun_if table 10"
logger -t "($(basename $0))" $$ "CMD: ip route add default via $(nvram get wan0_gateway) dev eth0 table 12"

ip route add default via $tun_ip dev $tun_if table 10
ip rule add fwmark 10 table 10
ip route add default via $(nvram get wan0_gateway) dev eth0 table 12
ip rule add fwmark 12 table 12

echo 0 > /proc/sys/net/ipv4/conf/$tun_if/rp_filter

#
# Define the routing policies for the traffic. The rules will be applied in the order that they
# are listed. In the end, packets with MARK set to "10" will pass through the VPN. If MARK is set
# to "12" it will bypass the VPN.

# All LAN traffic will bypass the VPN (Useful to put this rule first, so all traffic bypasses the VPN and you can configure exceptions afterwards)
iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 12

# Ports 80 and 443 will bypass the VPN
iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport 80,443 -j MARK --set-mark 12

# All UDP and ICMP traffic will bypass the VPN
iptables -t mangle -A PREROUTING -i br0 -p udp -j MARK --set-mark 12
iptables -t mangle -A PREROUTING -i br0 -p icmp -j MARK --set-mark 12

# All traffic from the PlexServer on the LAN will use the VPN
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.4 -j MARK --set-mark 10


# All traffic to a specific Internet IP address will bypass the VPN
# Plex web
iptables -t mangle -A PREROUTING -i br0 -d 184.72.0.0/16 -j MARK --set-mark 12
iptables -t mangle -A PREROUTING -i br0 -d 50.18.0.0/16 -j MARK --set-mark 12
iptables -t mangle -A PREROUTING -i br0 -d 184.169.0.0/16 -j MARK --set-mark 12
iptables -t mangle -A PREROUTING -i br0 -d 54.241.0.0/16 -j MARK --set-mark 12
iptables -t mangle -A PREROUTING -i br0 -d 54.176.0.0/16 -j MARK --set-mark 12

# Exception for some ports on the PlexServer that should bypass the VPN:
# plex
iptables -t mangle -A PREROUTING -i br0 -s 192.168.1.4 -p tcp -m multiport --sport 32400 -j MARK --set-mark 12
exit

I went ahead and added this. My PlexServer is now behind a VPN, but Plex isn't bypassing it. Any idea?
 
