bypass openvpnclient for hamachi?

Mike65

Hello there,

I tried to find a solution by reading the forum and Merlin's wiki pages, to no avail. Either I didn't find help or I'm not able to understand it.
I'm using Asuswrt-Merlin 378.55 on an AC87U. For different reasons I've chosen to route all Internet traffic through the built-in VPN client (I'm using EarthVPN), which works great.
So far so good. And btw, thanks Merlin (donated).

Recently my son wanted to host an online game on his PC, and this is where the trouble starts. I'm pretty sure it's not working because of the shared IPs and such from the VPN service I use. Good for privacy, bad for gaming.

He and his friends used to use Hamachi for their sessions.
Is there a way to bypass the VPN client from his PC only for Hamachi, so that in case he uses Hamachi the router will use the ISP's WAN?
During the time we had the VPN clients on the PCs it was easy to stop the VPN and use Hamachi. But that's not the way I want to go again. Bypassing the VPN MUST be an exception; therefore the router must handle it.
I hope the question is understandable. Sorry for my English.

Thanks in advance and regards,

Mike
 
Hello, have you seen this thread: http://www.snbforums.com/threads/selective-routing-with-asuswrt-merlin.9311/
If not, read it; you should be able to find what you need within it.

I am guessing you will need to selectively route based on Hamachi port numbers.

Yeah, thanks.
That's the "don't understand" part I mentioned above.
20 pages of questions and code snippets and "I do it like this" and "doesn't work for me" and "here is my script, it did not work. Why?"
over and over again. Most of the posts want to route nothing but a few IPs through the VPN.
I want to route everything but Hamachi through the VPN.
Some talk about dport, or should it be sport? One or two iptables, lots of coding involved. Scripts to start other scripts.

I hoped there was someplace in the GUI where I could type some ports or IPs to bypass the VPN client.
Looks like one has to be a programmer to do what I want. 8-(
I'm not. So either I sacrifice security and privacy or will have ongoing fights with my son about how paranoid I am.
(He's the one who refuses to read '1984' or 'Brave New World'.)

Never mind. Thanks for answering.

Mike
 
No problem. I am not a programmer either but was able to figure something out for what I needed by reading that thread.

Tell you what, I will spend an hour later reading that thread again for you, guess what ports Hamachi uses and try to figure something out. I have nothing better to do.
 
Wow, that caught me off guard. I didn't expect something like this.
That would be awesome. Thanks in advance.
Mike
 
lol

You use RMerlin's Asuswrt, right?
There is nowhere in the GUI to selectively route ports or programs, only IP addresses/devices.
The easiest way would be to route a specific IP through the WAN using the GUI method and change your son's
IP address to this whenever he uses Hamachi.

The harder way, for specific ports:

Back up your config before doing any of this so you can restore it if it breaks everything.

You need to have enabled the JFFS partition, which you do in the GUI, and SSH access.

On the VPN client page change the "Redirect Internet traffic" dropdown to No.
In the custom options section remove any options referencing routes and add
route-nopull
route-up /jffs/scripts/vpn.sh

Presuming you have Windows machines, download WinSCP and connect to your router via SCP, browse to the /jffs/scripts folder
and create vpn.sh. Right-click on it, Properties, and tick all the x's to make it executable.

Put this in the file:
Code:
#!/bin/sh
# Remove any earlier copy of the two policy tables and their rules
ip route flush table 10
ip route del default table 10
ip rule del fwmark 10 table 10
ip route flush table 12
ip route del default table 12
ip rule del fwmark 12 table 12
ip route flush cache
iptables -t mangle -F PREROUTING

tun_if="tun11"
tun_ip=$(ifconfig $tun_if | grep 'inet addr:'| cut -d: -f2 | awk '{ print $1}')

# Table 10 (mark 10): out through the tunnel. Table 12 (mark 12): out through the WAN.
ip route add default via $tun_ip dev $tun_if table 10
ip rule add fwmark 10 table 10
ip route add default via $(nvram get wan0_gateway) dev eth0 table 12
ip rule add fwmark 12 table 12

echo 0 > /proc/sys/net/ipv4/conf/$tun_if/rp_filter

# Everything from the LAN gets the tunnel mark first; the Hamachi port rules then override it with the WAN mark
iptables -t mangle -A PREROUTING -i br0 -s 192.168.1.0/24 -j MARK --set-mark 10
iptables -t mangle -A PREROUTING -i br0 -p tcp --dport ??? -j MARK --set-mark 12   # insert the Hamachi ports in place of ???
iptables -t mangle -A PREROUTING -i br0 -p tcp --dport ??? -j MARK --set-mark 12

exit

Create another file in jffs called nat-start and make it executable as above:
Code:
#!/bin/sh
service stop_vpnclient1
sleep 10
service start_vpnclient1

I believe this is now necessary to rewrite the rules, which get flushed out occasionally. The DPI engine also wipes the rules occasionally if you
use it; not sure how to get around this.

This may or may not work and will involve some trial and error if it does not.

You need another file to block use of the WAN when the VPN goes down, in jffs again, "firewall-start", with some block rules in it, if that is a problem.

Reading that thread again, there are obviously lots of ways of doing it, and there are newer policy-based ways as well which I do not fully understand myself atm.
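The procedure in this reply (route-nopull, a route-up hook that builds two policy tables, marks in mangle PREROUTING, a nat-start/firewall-start hook to survive rule flushes) fits in one script. The following is an added example, not the vpn.sh posted above: it acts as the OpenVPN route-up hook (everything from the LAN through the tunnel, Hamachi out the ISP WAN) and, when called with the argument `firewall`, as the firewall-start hook (re-apply the marks after a firewall restart and drop LAN-to-WAN traffic that is not meant to bypass the tunnel). Assumed, and overridable from the environment: tunnel tun11, LAN bridge br0 on 192.168.1.0/24, the WAN device and gateway from the nvram values wan0_gw_ifname and wan0_gateway (the wan0_gw_ifname name is my assumption; set WAN_IF by hand if your build lacks it), and the Hamachi ports 12975, 32976 and 17771 that are posted later in this thread. The port rules only steer packets whose destination port is one of those three; anything the game or Hamachi sends to other ports keeps the tunnel mark, which is why BYPASS_HOSTS is there to take a whole PC off the tunnel instead (the GUI method this reply mentions). DRY_RUN=1 prints every ip/iptables command instead of running it, so the rule set can be reviewed before it touches a live router.

```shell
#!/bin/sh
# Added example, not the vpn.sh from the thread. route-up hook plus
# firewall-start hook for Asuswrt-Merlin policy routing.
# Assumptions (override from the environment): tun11, br0, 192.168.1.0/24,
# WAN device/gateway from nvram wan0_gw_ifname/wan0_gateway, Hamachi ports
# 12975,32976,17771. DRY_RUN=1 prints commands instead of executing them.

TUN_IF="${TUN_IF:-tun11}"
LAN_IF="${LAN_IF:-br0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
HAMACHI_PORTS="${HAMACHI_PORTS:-12975,32976,17771}"
BYPASS_HOSTS="${BYPASS_HOSTS:-}"   # optional: whole PCs to keep off the tunnel
VPN_TABLE=10; VPN_MARK=10          # mark 10 -> table 10 -> tunnel
WAN_TABLE=12; WAN_MARK=12          # mark 12 -> table 12 -> ISP WAN

run() { if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi; }

# WAN device and gateway (assumed nvram names): eth0 on a DHCP WAN, ppp0 on PPPoE.
wan_params() {
    WAN_IF="${WAN_IF:-$(nvram get wan0_gw_ifname 2>/dev/null)}"
    WAN_GW="${WAN_GW:-$(nvram get wan0_gateway 2>/dev/null)}"
    [ -n "$WAN_IF" ] && [ -n "$WAN_GW" ]
}

# Marks set in mangle PREROUTING pick the table. The last matching MARK
# target wins, so the catch-all tunnel mark must precede the bypass rules.
setup_marks() {
    run iptables -t mangle -F PREROUTING
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -j MARK --set-mark "$VPN_MARK"
    for proto in tcp udp; do
        run iptables -t mangle -A PREROUTING -i "$LAN_IF" -p "$proto" -m multiport --dports "$HAMACHI_PORTS" -j MARK --set-mark "$WAN_MARK"
    done
    for host in $BYPASS_HOSTS; do
        run iptables -t mangle -A PREROUTING -i "$LAN_IF" -s "$host" -j MARK --set-mark "$WAN_MARK"
    done
}

# Connected and static routes must also live in each per-mark table, or
# that table's default route swallows traffic for the other LAN subnets.
copy_local_routes() {
    ip route show table main 2>/dev/null | grep -v '^default' | grep -v "$TUN_IF" |
    while read -r route; do
        run ip route add table "$1" $route
    done
}

# route-up: rebuild both tables and rules from scratch (idempotent).
setup_routing() {
    wan_params || { logger -t vpn.sh "no WAN gateway found, routes untouched"; return 1; }
    run ip rule del fwmark "$VPN_MARK" table "$VPN_TABLE" 2>/dev/null
    run ip rule del fwmark "$WAN_MARK" table "$WAN_TABLE" 2>/dev/null
    run ip route flush table "$VPN_TABLE"
    run ip route flush table "$WAN_TABLE"
    copy_local_routes "$VPN_TABLE"
    copy_local_routes "$WAN_TABLE"
    run ip route add default dev "$TUN_IF" table "$VPN_TABLE"
    run ip route add default via "$WAN_GW" dev "$WAN_IF" table "$WAN_TABLE"
    run ip rule add fwmark "$VPN_MARK" table "$VPN_TABLE"
    run ip rule add fwmark "$WAN_MARK" table "$WAN_TABLE"
    run ip route flush cache
    # Replies arrive on the tunnel while the main table points at the WAN;
    # strict reverse-path filtering would drop them.
    run sh -c "echo 0 > /proc/sys/net/ipv4/conf/$TUN_IF/rp_filter"
    setup_marks
}

# firewall-start: a firewall restart flushes the mangle table, and while the
# tunnel is down table 10 is empty, so tunnel-marked packets fall through to
# the main table and would leave via the WAN. Re-mark, then drop LAN->WAN
# forwards that do not carry the bypass mark (kill switch).
setup_killswitch() {
    wan_params || return 1
    setup_marks
    run iptables -D FORWARD -i "$LAN_IF" -o "$WAN_IF" -m mark ! --mark "$WAN_MARK" -j DROP 2>/dev/null
    run iptables -I FORWARD -i "$LAN_IF" -o "$WAN_IF" -m mark ! --mark "$WAN_MARK" -j DROP
}

# OpenVPN exports script_type=route-up to its hooks; firewall-start calls
# this file as "/jffs/scripts/vpn.sh firewall".
case "${script_type:-$1}" in
    route-up) setup_routing ;;
    firewall) setup_killswitch ;;
esac
```

Save it as /jffs/scripts/vpn.sh, make it executable, and keep the three custom-config lines from this thread (route-nopull, route-up /jffs/scripts/vpn.sh, script-security 2). A firewall-start script then needs only a shebang line and `/jffs/scripts/vpn.sh firewall`, which makes the nat-start VPN restart unnecessary. To preview what the hook will do, run `DRY_RUN=1 script_type=route-up sh /jffs/scripts/vpn.sh` over SSH and read the printed commands; check with `ip rule` and `iptables -t mangle -L PREROUTING -v -n` that the catch-all rule is the first one and that its packet counter grows when a LAN host browses.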
 
Thanks a lot.
Unfortunately all traffic bypasses the VPN. It says the VPN is up, but ipleak.net clearly shows my ISP.
What to do with "nat-start"? Where am I supposed to put that?

Thanks

Mike
 
nat-start goes in /jffs/scripts, but forget that for now.

For vpn.sh, add the line
logger -t "($(basename $0))" $$ ExpressVPN Selective Customization Started.
at the beginning and
logger -t "($(basename $0))" $$ ExpressVPN Selective Customization finished.
at the end, before exit.

The script will now put these entries in the system log. Stop and start the client and check the log to at least see that the vpn.sh script is running.

You might need to change the line
ip route add default via $(nvram get wan0_gateway) dev eth0 table 12
to
ip route add default via $(nvram get wan_gateway) dev ppp0 table 12 (this is what mine is; it depends on your WAN setup)
If that doesn't work, try
ip route add default via $(nvram get wan0_gateway) dev eth0

As you can see from the thread I linked, there are a few variations.
 
Seems like there is something missing.
The log says:
Code:
Sep 12 22:33:33 (vpn.sh): 21121 ExpressVPN Selective Customization Started
Sep 12 22:33:33 openvpn[21108]: WARNING: Failed running command (--route-up): external program exited with error status: 2
Sep 12 22:33:33 openvpn[21108]: Initialization Sequence Completed

Do you have any more ideas? Where do I get this "route-up"?
Thanks,
Mike
 
Add
script-security 2
to your custom config at the bottom of the VPN client page.

I tried it at the end of the config, I tried it before the two additional lines you mentioned.
I tried it with and without a reboot.
No success. Always the same error in the log file.

Looks like this won't work.

Some thoughts about the last few days:
I found lots of threads with questions and a lot of answers.
But no place for beginners. I know this is a complex topic. I see a lot of people asking the same questions and getting an incredible amount of answers (which is great; it shows how willing to help you guys are). You can also see they all struggle at some point in the process with missing prerequisites or unclear obstacles (because they are not tech nerds, programmers or IT specialists, or simply don't have the time or knowledge to dive that deep into the topic. I don't need a degree in rocket science to light the fuse of a rocket).

It would be really helpful if there were some
"Step by Step Instructions to selectively bypass the VPN client on your router (if you really must)".
People do have security concerns. But if you don't have your personal nerd at hand you won't get any security, because it's so difficult to configure the router (beyond setting up a VPN client by uploading an .ovpn file and following some step-by-step instructions with pictures from the VPN provider).

Thanks for your help. Really appreciated.

Mike
 
Hi,

I did some trial and error and right now it looks like I'm halfway there.

I used the following script:
Code:
#!/bin/sh
logger -t "($(basename $0))" $$ Selective Customization Started

for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do

echo 0 > $i
done

#
# Delete table 100 and flush any existing rules if they exist.
#
ip route flush table 100
ip route del default table 100
ip rule del fwmark 1 table 100
ip route flush cache
iptables -t mangle -F PREROUTING

#
# Copy all non-default and non-VPN related routes from the main table into table 100.
# Then configure table 100 to route all traffic out the WAN gateway and assign it mark "1"
#
# NOTE: Here I assume the OpenVPN tunnel is named "tun11".
#

ip route show table main | grep -Ev ^default | grep -Ev tun11 \
| while read ROUTE ; do
ip route add table 100 $ROUTE
done

ip route add default table 100 via $(nvram get wan_gateway)
ip rule add fwmark 1 table 100
ip route flush cache

#
# Define the routing policies for the traffic. The rules will be applied in the order that they
# are listed. In the end, packets with MARK set to "0" will pass through the VPN. If MARK is set
# to "1" it will bypass the VPN.
# By default all traffic USES the VPN
iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 0

# Set PORTS to bypass the VPN
iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport 12975,32976,17771 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -p udp -m multiport --dport 12975,32976,17771 -j MARK --set-mark 1
logger -t "($(basename $0))" $$ Selective Customization finished
exit

At the end of the VPN client custom config:
route-nopull
route-up /jffs/scripts/vpn.sh
script-security 2

The system log shows both log entries (customization start/finish).

iptables shows:
Code:
xxxxx@RT-AC87U-EA78:/tmp/home/root# iptables -t mangle -L PREROUTING
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
MARK all -- anywhere anywhere MARK and 0x0
MARK tcp -- anywhere anywhere multiport dports 12975,32976,17771 MARK set 0x1
MARK udp -- anywhere anywhere multiport dports 12975,32976,17771 MARK set 0x1

The VPN stats:
TUN/TAP read bytes 0 (????)
TUN/TAP write bytes 25733
TCP/UDP read bytes 57097
TCP/UDP write bytes 23201
Auth read bytes 30837

And that's where I don't know what to do next.
ipleak.net clearly shows my ISP and IP.
The DNS servers shown at ipleak are the VPN DNS IPs.

What am I doing wrong?

Can someone assist please?

Regards,

Mike
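The symptom in this post (client up, TUN/TAP read bytes 0, ipleak.net showing the ISP) is what policy routing produces when the script's default mark is resolved by the main table: with route-nopull there is no tunnel default route in the main table, so mark-0 traffic, which matches no fwmark rule, leaves via the WAN exactly like the mark-1 traffic that is meant to. The added example below is not from the thread; it resolves which interface an Internet-bound packet with a given fwmark leaves on by walking `ip rule` and the route tables the way the kernel does (rules in priority order; a table without a usable default route is skipped and the next rule is tried). With LIVE=1 it reads the router's real rules and tables over SSH; without it, it runs against constructed snapshots of `ip rule show` and `ip route show table` output: SNAPSHOT=thread mirrors the state this post's script produces, SNAPSHOT=twotable mirrors the mark 10/mark 12 layout from the earlier reply. The gateway 192.0.2.1 and tunnel subnet 10.8.0.0/24 in the snapshots are made up.

```shell
#!/bin/sh
# Added example, not from the thread: where does a packet with fwmark N go?
# Walks `ip rule` in order and takes the first table whose default route
# matches; a table without one is skipped, as the kernel does.
# LIVE=1 queries the running router; otherwise constructed snapshots are used.

SNAPSHOT="${SNAPSHOT:-thread}"

list_rules() {
    [ -n "$LIVE" ] && { ip rule show; return; }
    # Constructed `ip rule show` output (priority order, as printed).
    printf '%s\n' "0:      from all lookup local"
    [ "$SNAPSHOT" = twotable ] && printf '%s\n' "32764:  from all fwmark 0xa lookup 10"
    [ "$SNAPSHOT" = thread ] && printf '%s\n' "32765:  from all fwmark 0x1 lookup 100"
    [ "$SNAPSHOT" = twotable ] && printf '%s\n' "32765:  from all fwmark 0xc lookup 12"
    printf '%s\n' "32766:  from all lookup main" "32767:  from all lookup default"
}

show_table() {
    [ -n "$LIVE" ] && { ip route show table "$1" 2>/dev/null; return; }
    # Constructed `ip route show table <name>` output. With route-nopull the
    # main table keeps its WAN default; the tunnel only adds a connected route.
    case "$1" in
        local) echo "local 192.168.1.1 dev br0 proto kernel scope host src 192.168.1.1" ;;
        main)  printf '%s\n' "default via 192.0.2.1 dev eth0" \
                             "192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1" \
                             "10.8.0.0/24 dev tun11 proto kernel scope link src 10.8.0.2" ;;
        100)   echo "default via 192.0.2.1 dev eth0" ;;   # this post: mark 1 -> WAN
        10)    echo "default dev tun11 scope link" ;;     # earlier reply: mark 10 -> tunnel
        12)    echo "default via 192.0.2.1 dev eth0" ;;   # earlier reply: mark 12 -> WAN
        *)     : ;;                                       # unknown/empty table: keep looking
    esac
}

# Device of a table's default route, or nothing if the table has none.
default_dev() {
    show_table "$1" | awk '$1 == "default" { for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i+1); exit } }'
}

# egress MARK: prints the device an Internet-bound packet with MARK leaves on.
egress() {
    want=$(printf '0x%x' "$1")
    found=$(list_rules | while read -r line; do
        case "$line" in *" lookup "*) ;; *) continue ;; esac
        table=${line##* lookup }
        case "$line" in
            *" fwmark "*)
                m=${line##* fwmark }; m=${m%% *}; m=${m%%/*}   # strip "lookup ..." and any /mask
                [ "$m" = "$want" ] || continue ;;
        esac
        dev=$(default_dev "$table")
        if [ -n "$dev" ]; then echo "$dev"; break; fi
    done)
    echo "${found:-none}"
}

# Usage on the router: LIVE=1 sh resolve.sh 0 ; below, the snapshots are used.
[ -n "$1" ] && egress "$1"
```

Against the thread snapshot, `egress 0` and `egress 1` both print eth0: every LAN packet leaves on the WAN whether it is marked or not, which is the leak seen on ipleak.net. Against the twotable snapshot, `egress 10` prints tun11 and `egress 12` prints eth0, while `egress 0` still prints eth0; that is why the earlier reply's script puts a catch-all mark on the whole LAN subnet before the port rules instead of relying on mark 0. On a live router, `LIVE=1 sh resolve.sh 0` gives the same answer the kernel would, and `ip route get 8.8.8.8 mark 10` can be used to confirm it.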
 
What is your WAN connection type?
What firmware version are you on?
In the VPN client options, do you have "Redirect Internet traffic" set to "No"?
 
WAN: automatic IP (from the ISP's router)

Firmware: 378.55

VPN client redirect traffic = No

Update: sorry, I just learned that I mistook Google's DNS servers for the VPN ones.
ipleak.net shows the Google DNS from my nearest country. That's okay; I configured it that way.
 
It stops the route over the VPN being pulled from the provider, allowing you to create your own route over the VPN.
In addition, doing it the way I linked enables incoming connections to your normal WAN and allows you to use the OpenVPN server etc. simultaneously.
 
