[GUIDE] PPTP selective routing / split tunnel

[dpjanda]

Following on from the thread on selective routing with OpenVPN, I am providing a similar solution that works for PPTP VPN client connections.

This post details the method and a simple PPTP start-up script. In a following post (few days as am busy) I will post a more detailed script that allows for VPN state detection etc.

The following has been tested on a RT-N66U running 3.0.0.4.374.38_2-em. I am confident that it will work on other devices. In fact, the method is generic. Because of this I will go into the method in some detail, in the hope that others will adapt it for other Linux based platforms. So please feel free to contribute and distribute! Chuck me a "thanks" if it's been of any use to you.

I do *not* in any way claim that I have discovered anything. I have simply brought together, with my own investigations, a simple solution. Too often I see simple made hard. I like it the other way round.

The problem: When running the PPTP client on the N66U, all traffic is diverted via said interface. This is by design, and keeps things fairly secure. With selective routing, or split tunneling as it's also known, traffic can be routed.

Prior to running the VPN client, your routing table may look similar to this:

Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.5.1     *               255.255.255.255 UH        0 0          0 eth0
192.168.5.0     *               255.255.255.0   U         0 0          0 eth0
192.168.1.0     *               255.255.255.0   U         0 0          0 br0
127.0.0.0       *               255.0.0.0       U         0 0          0 lo
default         192.168.5.1     0.0.0.0         UG        0 0          0 eth0

Yes, yes. I know I am double-NAT'ing. It's not relevant.

After the VPN is started:

Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.5.1     *               255.255.255.255 UH        0 0          0 eth0
78.x.x.x        192.168.5.1     255.255.255.255 UGH       0 0          0 eth0
192.168.5.0     *               255.255.255.0   U         0 0          0 eth0
192.168.1.0     *               255.255.255.0   U         0 0          0 br0
127.0.0.0       *               255.0.0.0       U         0 0          0 lo
default         10.255.240.1    0.0.0.0         UG        0 0          0 ppp5
default         192.168.5.1     0.0.0.0         UG        0 0          0 eth0

A new default route is added on the ppp5 interface and all traffic will go that way. The 78.x.x.x address is the VPN destination address - though not important.

What is important is to take note of the VPN interface name. In my case ppp5. With this we can enter the following:

ip route delete default via 10.255.240.1 dev ppp5
route -n add -net 10.255.240.0 netmask 255.255.255.0 ppp5
ip route add default dev ppp5 table 3

And that's it! Almost.

You will have to do a little working out math wise for the second line for the route -n add. But you should be able to work out the netmask by looking at the second table after the VPN has been started.

Looking at the routing table now we see ...

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.5.1     *               255.255.255.255 UH    0      0        0 WAN
78.x.x.x        192.168.5.1     255.255.255.255 UGH   0      0        0 WAN
192.168.5.0     *               255.255.255.0   U     0      0        0 WAN
10.255.240.0    *               255.255.255.0   U     0      0        0 ppp5
192.168.1.0     *               255.255.255.0   U     0      0        0 LAN
default         192.168.5.1     0.0.0.0         UG    1      0        0 WAN

The first line removes the default route for ppp5.
The second line brings ppp5 back up, but not as a default route.
The third applies a default route to table 3 via ppp5.

At this stage *all* traffic will go via the "normal" route. Not the VPN. To do that we add ip rules.

ip rule add from 192.168.1.70 table 3 pref 300

The above says any traffic from 192.168.1.70 go via table 3, which happens to have the default route for ppp5. The pref is important (not so the number itself).

To route via table 3 you can use ip rule add to/from whatever. Just make sure any rules or conditions relating to ppp5 go in table 3.

The example above is for my PS3. But it's a blanket rule - all traffic from the PS3 will go via the VPN. No so good for logging into the PlayStation Network. No problem, we can do this:

ip rule add to 198.107.128.0/22 table main
ip rule add to 198.107.156.0/22 table main

That will route traffic to the PSN via the normal interface. Further, it will do so because the pref 300 has a lower priority than the rules in main which take higher priority. ip rule shows this better:

0: from all lookup local
300: from 192.168.1.70 lookup 3
32764: from all to 198.107.156.0/22 lookup main
32765: from all to 198.107.128.0/22 lookup main
32766: from all lookup main
32767: from all lookup default

Using the script below (donated to me by someone who wishes to remain anonymous), we can start up a PPTP connection when the router is booted. Add the ifconfig and the ip route add default dev commands after the sleep 20, followed by rules to add.

Next post in a few days will have a better startup script, plus some notes on DNS when using the above.

#!/bin/sh
logger "$0 $1"
nvram set vpnc_dnsenable_x="1"
nvram set vpnc_heartbeat_x="vpn server"
nvram set vpnc_pppoe_passwd="password"
nvram set vpnc_pppoe_username="user name"
nvram set vpnc_pptp_options_x="+mppe-128"
nvram set vpnc_proto="pptp"
service restart_vpncall
sleep 20

A final note: This method will allow you to access the router via the WAN.

Regards

PS. This has been edited by myself to reflect a more elegant, and I hope, more generic method of removing and adding the VPN interface.

 

[mazoo]

Hi dpjanda,

Thanks for posting your scripts of selective routing. This is exactly what I am trying to do. I have ASUS RT-AC68U. When I run the ifconfig up and down on the VPN interface I seem to loss my DNS access, all lookups fail. You mentioned that you where going to post more about DNS issues and was wondering if you know what the problem I am having might be,

Thanks,

Mazoo

 

[dpjanda]

Hello there

See my re-edited first post.

Try the new method and see if it works for you. The original method of tearing down, and then bringing up the VPN interface was, to say the least, a little brutal.

It ^could* have affected your DNS issues, but I don't know for sure.

My reference to DNS is relating to the fact that once it's all up and running, all traffic uses the DNS supplied by the VPN provider. This may not be desirable for all, but not a show stopper.

I am investigating the possibility of using two DNS at the same time. One for the VPN and the second for "normal" traffic.

Got a lot of real-world work on at the moment, so if anyone would care to chip in please do so. Otherwise wait until next weekend where I will post (I hope) a solution.

Regards

 

[mazoo]

Thanks for the reply, your changed didn't help, but its definitely neater. Its looks like the problem was that the DNS servers assigned when the VPN is connect can't be used unless the connection comes through the VPN. So I think the solution is either add route for the DNS server to route through table 3 or use different DNS servers such as googles.

I did run into an issue trying to start the VPN connection from a script with:

service restart_vpncall

I get the following error:

Unknown applet: service

Has anyone seen this before? I am using the stock firmware, do I need to install asus-merlin to get this to work?

Thanks

 

[RMerlin]

I did run into an issue trying to start the VPN connection from a script with:

service restart_vpncall

I get the following error:

Unknown applet: service

Has anyone seen this before? I am using the stock firmware, do I need to install asus-merlin to get this to work?

The service applet is only available in my firmware.

 

[mazoo]

Thanks I will install it

 

[frankyto71]

I am a newbie to all this. how do you install this applet?

 

[AsusWrtDXB]

Hi,

Thank you for this great post. I am thinkinng of applying this script in my router as connection through L2TP is much faster than OpenVPn which is equired for netflix streaming. In my case, I would like to pass all traffic through VPN except Plex which is located on a mac-mini with static address:
Is the below script correct for this purpose (I think it is valid for OpenVPN but ow is it for L2TP vpn connection):

ip route add default table 100 via $(nvram get wan_gateway)
ip rule add fwmark 1 table 100
ip route flush cache
iptables -t mangle -I PREROUTING -p tcp --dport 32400 -j MARK --set-mark 1

Thanks for your help

 

[stoli412]

dpjanda,

Thanks so much for this post. I really didn't want to switch to OpenVPN due to speed issues. I've created a 'wan-start' script following your instructions, and it works perfectly. I have some questions though:

1) If the VPN disconnects, will it still automatically reconnect if set to do so in the GUI?

2) Will the selective routing rules remain intact if the VPN disconnects and reconnects?

3) If not, is there a way I can have the script automatically re-run following a reconnect?

 

[drsebestyen]

script on connect pptp client

You could set up a script to run on startup.

First the script, I recommend to put it onto the jffs partition.

#!/bin/sh

set -e

DATE=$(date +"%Y/%m/%d %H:%M:%S")
LOGFILE="/jffs/scripts/pptp-up.log"
VPN_GW="192.168.2.1"
VPN_SUBNET="192.168.2.0"
VPN_DEV="ppp5"

echo -n "[ $DATE ] " >>${LOGFILE}
ip route delete default via ${VPN_GW} dev ${VPN_DEV} >>${LOGFILE} 2>&1
route -n add -net ${VPN_SUBNET} netmask 255.255.255.0 ${VPN_DEV} >>${LOGFILE} 2>&1
ip route add default dev ${VPN_DEV} table 3 >>${LOGFILE} 2>&1
echo "Traffic from ${VPN_GW} dev ${VPN_DEV} redirected to WAN" >> ${LOGFILE}

Just put the above code into the file on /jffs/scripts/pptp-up.sh
Don't forget to make it executable.

chmod +x /jffs/scripts/pptp-up.sh

And finally, create the necessary symlink:

cd /tmp/ppp/
rm /tmp/ppp/vpnc-ip-up
ln -s /jffs/scripts/pptp-up.sh vpnc-ip-up

At the end, it should look similar to this:

admin@RT-AC56U:/tmp/ppp# ls -la
drwxrwxrwx    3 admin    root           300 Oct  7 22:14 .
drwxrwxrwx   11 admin    root           620 Oct  7 22:05 ..
lrwxrwxrwx    1 admin    root             8 Jan  1  2011 auth-fail -> /sbin/rc
lrwxrwxrwx    1 admin    root             8 Jan  1  2011 ip-down -> /sbin/rc
lrwxrwxrwx    1 admin    root             8 Jan  1  2011 ip-pre-up -> /sbin/rc
lrwxrwxrwx    1 admin    root             8 Jan  1  2011 ip-up -> /sbin/rc
lrwxrwxrwx    1 admin    root             8 Jan  1  2011 ipv6-down -> /sbin/rc
lrwxrwxrwx    1 admin    root             8 Jan  1  2011 ipv6-up -> /sbin/rc
drwxrwxrwx    2 admin    root            40 Jan  1  2011 peers
-rw-r--r--    1 admin    root            46 Oct  7 22:18 resolv.conf
lrwxrwxrwx    1 admin    root             8 Jan  1  2011 vpnc-auth-fail -> /sbin/rc
lrwxrwxrwx    1 admin    root             8 Jan  1  2011 vpnc-ip-down -> /sbin/rc
lrwxrwxrwx    1 admin    root             8 Jan  1  2011 vpnc-ip-pre-up -> /sbin/rc
lrwxrwxrwx    1 admin    root            24 Oct  7 22:14 vpnc-ip-up -> /jffs/scripts/pptp-up.sh
-rw-rw-rw-    1 admin    root           518 Oct  7 22:18 vpnc_options.pptp

This should do the trick. Now, you got a script that runs on every pptp client startup, redirects the traffic to the WAN and adds some routes to access the VPN LAN.

Of course, you can do the same thing, if the client disconnects, if you wish.

Experiment with it. For errors, you can access the logfile at /jffs/scripts/pptp-up.log

Feel free to leave a feedback if it works for you.

Hope that helps.


Cheers,
István

 

[manuelreinaldo]

PPTP disconnect leaves routing broken

Hi, thanks a lot for the script. I use it and it works fine although I run it manually because I don't want to change the symlink to point to it.
I have a problem though, after I disconnect the VPN, the routing table breaks. No entry shows up in the routing table. As a workaround, I enable and then disable static routing from the web interface and the router recreates the correct routing table.
Any idea of why this is happening?

Thanks

 

[lukaszg]

...
Just put the above code into the file on /jffs/scripts/pptp-up.sh
Don't forget to make it executable.

chmod +x /jffs/scripts/pptp-up.sh

And finally, create the necessary symlink:

cd /tmp/ppp/
rm /tmp/ppp/vpnc-ip-up
ln -s /jffs/scripts/pptp-up.sh vpnc-ip-up

...

Thanks for great tutorial.
I noticed that when I update the vpnc-ip-up reference, the vpn connection is not properly setup.

In the Webpage UI "Connection Status" of VPN keeps spinning.

As vpnc-ip-up I added very simple script which is touching some file.

What I noticed:
- routing table is only partially updated (i.e. no default gateway for ppp5 is created)
- my script is invoked
- /etc/resolv.conf is updated according to the VPN nameserver.

 

[brownstein]

The first line removes the default route for ppp5.
The second line brings ppp5 back up, but not as a default route.
The third applies a default route to table 3 via ppp5.

At this stage *all* traffic will go via the "normal" route. Not the VPN. To do that we add ip rules.

ip rule add from 192.168.1.70 table 3 pref 300

The above says any traffic from 192.168.1.70 go via table 3, which happens to have the default route for ppp5. The pref is important (not so the number itself).

To route via table 3 you can use ip rule add to/from whatever. Just make sure any rules or conditions relating to ppp5 go in table 3.

The example above is for my PS3. But it's a blanket rule - all traffic from the PS3 will go via the VPN. No so good for logging into the PlayStation Network. No problem, we can do this:

ip rule add to 198.107.128.0/22 table main
ip rule add to 198.107.156.0/22 table main

That will route traffic to the PSN via the normal interface. Further, it will do so because the pref 300 has a lower priority than the rules in main which take higher priority. ip rule shows this better:

0: from all lookup local
300: from 192.168.1.70 lookup 3
32764: from all to 198.107.156.0/22 lookup main
32765: from all to 198.107.128.0/22 lookup main
32766: from all lookup main
32767: from all lookup default

Using the script below (donated to me by someone who wishes to remain anonymous), we can start up a PPTP connection when the router is booted. Add the ifconfig and the ip route add default dev commands after the sleep 20, followed by rules to add.

Next post in a few days will have a better startup script, plus some notes on DNS when using the above.

#!/bin/sh
logger "$0 $1"
nvram set vpnc_dnsenable_x="1"
nvram set vpnc_heartbeat_x="vpn server"
nvram set vpnc_pppoe_passwd="password"
nvram set vpnc_pppoe_username="user name"
nvram set vpnc_pptp_options_x="+mppe-128"
nvram set vpnc_proto="pptp"
service restart_vpncall
sleep 20

A final note: This method will allow you to access the router via the WAN.

Regards

PS. This has been edited by myself to reflect a more elegant, and I hope, more generic method of removing and adding the VPN interface.

Would really love to get this working. Any chance you can post the scripts you use? (edited for privacy, of course). Tried to follow this thread (and the openvpn one) to get it going but cannot seem to get it done right.

If an example is script is posted that I can edit to suit my settings and then just list all the steps necessary to get this working, I would appreciate it. Great work all the same!

Edit: I just wanted to mention that the reason I ask for a clearer step by step is that I am finding the first post in this thread hard to follow for some reason. Do I add all of those snippets of code into one script? Is more than one script required to get this working?

I am fairly good at picking this stuff up quickly but admittedly am not very proficient at it at this point. I have my router formatted with the jffs partition already and am able to ssh and telnet into it. I have my L2TP connection setup as well as an openvpn config (however the performance of openvpn makes it unusable for me). All this to give you an idea of what stage in the game I am at.

Edit2: BTW, I have an RT-AC66U

 

[patx]

Hey guys!

First, thanks for the information in this thread. I had a hard time trying to get the l2pt-vpn working on my new rt-ac56u but thanks to this thread I'm getting closer...

By now, I managed to delete the vpn-default gw and add the correct one to route only a specific net through the vpn. But it's a deal-breaker for me that den DNS changes also to the vpn... I already found a solution in this thread:

nvram set vpnc_dnsenable_x="1"
service restart_vpncall

Now to my problem: The service-restart causes my vpn-connection to drop immediately -> reconnect -> script -> drop -> reconnect... you see

Is there a way to implement the vpnc_dnsenable_x without restarting the service and prevent the vpn-connection to drop?

 

[cimtico]

I'm currently using a WAN pptp vpn setup. if I run ifconfig -a I can see eth0 has my ISP public ip, ppp0 is my vpn (it has my vpn ip) and br0 is my ruoter's ip. I'm ok with having all my traffic going through the wan vpn, however I need my ISP ip to work to port forwarding over to my DVR. How can I set it up?
I tried a similar process from http://www.dondeg.com/vpn/tut3a.html (although its for openvpn, it should be pretty much the same as the one described here).
I understand it is mostly a matter of setting up the correct routes and firewall settings, but I'm fairly new to routing configs and any help would be appreciated.

PS: I'm using an asus rt-n66u and my dvr is using a static 192.168.1.50 ip (my internal network ips are setup from 192.168.1.2~192.168.1.40)

 

[Naz]

I am a newbie to all this. how do you install this applet?

I'm in the same boat.. I really want to make this work.. I've connected to my router via SSH.. Then.. I'm lost.. I've read through each post here.. I also read the script on connect pptp client post and i still don't really understand.. Would anyone be able to link me to the knowledge I'd need to do this.. Thank you so much again for posting this.

Naz

 

[PerG]

I tried to follow the guides in this thread and setup split tunneling for my vpn but had some problems doing so. I'm a newbie to asuswrt-merlin and haven't used unix/linux for something like 10 years or so, so I'm sure there's probably better solutions than mine...

I tried to setup a script like István suggested but the vpn connection didn't work properly so I thought I'd share my solution that's based on his original idea (the tweak I did is to chain the call to the original ip-up script)!

Create the following file with this content.
/jffs/scripts/pptp-up.sh:

#!/bin/sh
/jffs/scripts/vpnc-ip-up $@

VPN_GW="192.168.253.100"
VPN_SUBNET="192.168.0.0"
VPN_NETMASK="255.255.0.0"
VPN_DEV="ppp5"

ip route delete default via ${VPN_GW} dev ${VPN_DEV}
route -n add -net ${VPN_SUBNET} netmask ${VPN_NETMASK} ${VPN_DEV}
ip route add default dev ${VPN_DEV} table 3
logger Traffic to ${VPN_GW} dev ${VPN_DEV} configured for split tunnel

Make sure you make it executable:

chmod 777 /jffs/scripts/pptp-up.sh

Create a symbolic link for vpnc-ip-up to /sbin/rc (to simulate original behaivour) stored in the jffs file system

ln -s /jffs/scripts/vpnc-ip-up /sbin/rc

Create a service-start file with the following content:
/jffs/scripts/services-start:

#!/bin/sh
logger Installing pptp script
sleep 20
cd /tmp/ppp/
rm /tmp/ppp/vpnc-ip-up
ln -s /jffs/scripts/pptp-up.sh vpnc-ip-up
service restart_vpncall
logger pptp script installed

 

[markssvpn]

hi,
i tried all the codes above to make the vpn route rules automatically add after the router started . But my script always run before the pptp vpn call. I think i should add it after the pptp vpn call. How can I do that?
Also, the above codes which add the route info is not working, they will make my vpn connection in "error"

thanks

 

[andresmorago]

Hello there

See my re-edited first post.

Try the new method and see if it works for you. The original method of tearing down, and then bringing up the VPN interface was, to say the least, a little brutal.

It ^could* have affected your DNS issues, but I don't know for sure.

My reference to DNS is relating to the fact that once it's all up and running, all traffic uses the DNS supplied by the VPN provider. This may not be desirable for all, but not a show stopper.

I am investigating the possibility of using two DNS at the same time. One for the VPN and the second for "normal" traffic.

Got a lot of real-world work on at the moment, so if anyone would care to chip in please do so. Otherwise wait until next weekend where I will post (I hope) a solution.

Regards

hello
i have been testing this and works perfect.
have you had any change in looking the possibility of using 2 DNS's?

thanks so much

 

[primitivo]

Any plans for Merlin FW to implement policy based routing similarly to OpenVPN?