Help needed setting up iptables and script to connect devices to VPN service


F1nchy

Regular Contributor
Help needed setting up script for selective routing Asus RT-N66U thru Hide My butt

Hi guys

I want to set up a couple of devices on my home network to connect directly to a VPN service (Hide My butt premium at the moment) and apparently it can be done on an Asus RT-N66U but needs to be done with iptables and scripts.

I don't know where to start with these, so is anyone able to help? Ie scripts I need and where I need to add them to the router?

Many thanks
 

What you want to achieve in the end is to make sure some devices connect via the VPN while others continue using the ISP? If that's the case then search the forums for selective routing.
 
Also as another solution look at the VPN app from Astrill that can be installed on your router. Accomplishes what you want to do and perhaps more without having to create the IP tables.
 
Yes, so everything goes through the router normally, but certain devices are directed straight through to the VPN service - selective routing... thanks, I'll have a search on that.

Thanks Captain, I'll have a search for that as well. The easier the better really....! :D

Edit: Just looked at the Astrill. Not cheap at $70 a year. I don't mind paying a one off, but it'd work out much cheaper getting a DDWRT router and using that as a second router for VPN devices.

I'll have a search for selective routing, see what I can suss out.
 
Christ....I've had a search but don't have a clue where to start. I can see lots of threads but all seem to be started by people who already have some knowledge of it.

This post - http://forums.smallnetbuilder.com/showpost.php?p=81715&postcount=11 - "for extreme novice users like me....here are the steps" - extreme novices are clearly a lot more knowledgeable than complete novices!

I don't even know what format to save the script in, let alone how to get the VPN keys into it all! :eek:
 
1. First you need to follow the HMA VPN Client install guide.


Code:
Download the HMA OpenVPN config files from http://hidemyass.com/vpn-config/

Locate the "keys" folder. Inside there are three files: "CA.crt", "hmauser.crt" and "hmauser.key"

Open the "Ca.crt" file with notepad, copy and paste the whole content into the field "CA Cert".

Open the "hmauser.crt" file with notepad and locate the string between "-BEGIN CERTIFICATE-" and "-END CERTIFICATE-".

Paste this string into the field "Public Client Cert"
(Important: the tags "-Begin certificate-" and "-End certificate-" MUST also be included).

Open the "hmauser.key" file with notepad, copy and paste the whole content into the field "Private Client Key".


2. Configuration thread for a working HMA RT-N66U here:

Code:
http://forums.smallnetbuilder.com/showthread.php?t=12463

OPENVPN Client Settings
Start with WAN: YES
Interface Type: TUN
Protocol: UDP
Server Address: your choice of HMA server
Port: 443 for TCP, 53 for UDP
Firewall: Automatic
Authorization mode: TLS
Username/Password Authentication: Yes
Username: your HMA username
Password: your HMA password
Username Auth. Only: No
Extra HMAC authorization: Disabled
Create NAT on tunnel: Yes
Poll Interval: 0
Redirect Internet traffic: Yes
Accept DNS Configuration: Disabled
Encryption cipher: BF-CBC
Compression: Disabled
TLS Renegotiation Time: -1
Connection Retry: 30
Verify Server Certificate: No
Custom Configuration: ns-cert-type server

WAN / Internet Settings
"WAN DNS Setting" should be:
Connect to DNS Server automatically No
DNS Server1: your choice of DNS Server
DNS Server2: your choice of alternate DNS Server


Until you get a working HMA client VPN connection there is no point in a script! Once you have a working VPN connection, follow RMerlin's point'n'click guide to enable the /jffs/ filesystem.

https://github.com/RMerl/asuswrt-merlin/wiki/JFFS


If you are using a Windows platform then I recommend WinSCP so you can create RT-N66U script files directly on the router, or alternatively use Notepad++ (in Unix LF mode) to edit the script files and then drag 'n' drop them via WinSCP into the /jffs/scripts directory.


NOTE: The script you referenced contains a critical bug:

Code:
ip route add default table 100 via $(nvram get wan_gateway)

should be

Code:
ip route add default table 100 via $(nvram get wan0_gateway)


I have included my HMA script which shows how to route two specific devices (Laptop and PS3) via the HMA VPN, whilst all other devices bypass the VPN and use the non-VPN WAN interface.


Code:
#!/bin/sh

logger -t "($(basename $0))" $$ HMA VPN Selective customisation starting.... " $0${*:+ $*}."


## CUSTOMIZE YOUR SCRIPT VARIABLES
#
## Uncomment and assign/change value(s) as needed to customize your rules
#
# ip_range1="192.168.10.200-192.168.10.203"
# ip_range2="192.168.10.8/29"
# ip_range3=""
#
# If your IP addresses don't fall in a contiguous range, you'll need separate rules instead.

U200_115="10.88.8.115"
PS3_Bedroom="10.88.8.142"

# ip_address3=""
#
# Spotify
# website_dst_range1="78.31.8.1-78.31.15.254"
# website_dst_range2="193.182.8.1-193.182.15.254"
# Another website
#
# website_dst_range3=""
##
 
# SHELL COMMANDS FOR MAINTENANCE.
# DO NOT UNCOMMENT, THESE ARE INTENDED TO BE USED IN A SHELL COMMAND LINE
#
#  List Contents by line number
#iptables -L PREROUTING -t mangle -n --line-numbers
#
#  Delete rules from mangle by line number
#iptables -D PREROUTING type-line-number-here -t mangle
#
#  To list the current rules on the router, issue the command:
#      iptables -t mangle -L PREROUTING
#
#  Flush/reset all the rules to default by issuing the command:
#      iptables -t mangle -F PREROUTING
 
# */* #
# First it is necessary to disable Reverse Path Filtering on all
# current and future network interfaces:
 
for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
  echo 0 > $i
done
 
#
# Delete table 100 and flush any existing rules if they exist.
#
ip route flush table 100
ip route del default table 100
ip rule del fwmark 1 table 100
ip route flush cache
iptables -t mangle -F PREROUTING
 
#
# Copy all non-default and non-VPN related routes from the main table into table 100.
# Then configure table 100 to route all traffic out the WAN gateway and assign it mark "1"
#
 
#iface_lst=`route | awk ' {print $8}'`
#for tun_if in $iface_lst; do
#  if [ "$tun_if" = "tun11" ]; then
#	exit 0
#  elif [ "$tun_if" = "tun12" ]; then
#	exit 0
#  fi
#done

tun_if="tun21"

ip route show table main | grep -Ev ^default | grep -Ev $tun_if  \
  | while read ROUTE ; do
	  ip route add table 100 $ROUTE
      logger -t "($(basename $0))" $$ HMA VPN Table 100 added entry: $ROUTE
done

ip route add default table 100 via $(nvram get wan0_gateway)
logger -t "($(basename $0))" $$ HMA VPN default added to Table 100 for $(nvram get wan0_gateway)
ip rule add fwmark 1 table 100
ip route flush cache
 
 
# EXAMPLES:
#
#  All LAN traffic will bypass the VPN (Useful to put this rule first,
#  so all traffic bypasses the VPN and you can configure exceptions afterwards)
#    iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1
#
#  Ports 80 and 443 will bypass the VPN
#    iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport 80,443 -j MARK --set-mark 1
#
#  All traffic from a particular computer on the LAN will use the VPN
#    iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.2 -j MARK --set-mark 0
#
#  All traffic to a specific Internet IP address will use the VPN
#    iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 216.146.38.70 -j MARK --set-mark 0
#
#  All UDP and ICMP traffic will bypass the VPN
#    iptables -t mangle -A PREROUTING -i br0 -p udp -j MARK --set-mark 1
#    iptables -t mangle -A PREROUTING -i br0 -p icmp -j MARK --set-mark 1
 
 
# By default all traffic bypasses the VPN
iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1
 
# IP_RANGES - Uncomment as necessary
#iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range $ip_range1 -j MARK --set-mark 0
#iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range $ip_range2 -j MARK --set-mark 0
#iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range $ip_range3 -j MARK --set-mark 0
 
# IP_ADDRESSES - Uncomment as necessary
#iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range $ip_address1 -j MARK --set-mark 0
#iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range $ip_address2 -j MARK --set-mark 0
#iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range $ip_address3 -j MARK --set-mark 0

logger -t "($(basename $0))" $$ HMA VPN Selective customisation for: "$"PS3_Bedroom $PS3_Bedroom
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range $PS3_Bedroom -j MARK --set-mark 0
# Optionally FORCE the use of the VPN tunnel, so if the VPN tunnel drops, the device will not use the unencrypted default WAN
#iptables -I FORWARD -i br0 -s $PS3_Bedroom -o eth0 -j DROP

# Spotify explicitly uses the VPN
#iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range $website_dst_range1 -j MARK --set-mark 0
#iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range $website_dst_range2 -j MARK --set-mark 0
	
	
# There is a timing issue for Merlin build 270.26b and earlier where the Client VPN starts 
#       before the wan-start execution of this script.
#       As a 'temporary'workaround set the 'VPN enabled on WAN'option to NO on the GUI,
#       then then uncomment the following line

service start_vpnclient1

# Routing for the above devices can be validated by using web page http://www.ip2location.com/
# Although if Port 80 is excluded from the VPN then it will always show the local GEO ISP location! 

logger -t "($(basename $0))" $$ HMA VPN Selective customisation completed.


Regards,
 
Thanks!

Just having a go at this and already stuck....

Open the "Ca.crt" file with notepad, copy and paste the whole content into the field "CA Cert".

"Copy the whole content from Ca.crt"
- to where? Where is the field "CA Cert"?

And where am I installing the HMA client? On the router or on my PC? I already have their desktop client installed on my PC.
 
To the VPN Keys tab on the router. If you are using Client 1, for instance, select it from the drop-down box and paste the content into the CA Cert part.
 
OK, so I'm trying to get the router set up working with Hide My butt. I found another guide on their Wiki which was a bit easier to follow;
https://support.hidemyass.com/entries/28393136-AsusWRT-Merlin-OpenVPN-Setup-

I've followed that step-by-step (choosing one of the UK servers listed in my account options) but every time I turn the Client 1 VPN on it turns back off.

Looking at the syslog it's saying AUTH_FAILED. I've double and treble checked the username and password on my account for my HMA PPTP account and also tried different servers but it keeps failing. Any ideas?

I've also tried the keys from the ones mentioned above and also the ones from the wiki guide (in case they were out of date). :confused:
 
OK. So I've changed "Verify Server Certificate" to Yes and set;
Code:
Custom Configuration: ns-cert-type server
and that seems to have made a difference (the guide on the forum thread says to have verify server cert off, but then you can't add the custom config part so I'm guessing that's wrong?)

It looks like it is now authorising and holding the OpenVPN connection (i.e. still showing as 'on' in the OpenVPN Client settings for Client 1) but I'm still getting an error. The system log is showing the following error;
Code:
Nov  7 18:19:52 openvpn[13386]: Socket Buffers: R=[116736->131072] S=[116736->131072]
Nov  7 18:19:52 openvpn[13386]: UDPv4 link local: [undef]
Nov  7 18:19:52 openvpn[13386]: UDPv4 link remote: [AF_INET]91.228.0.4:53
Nov  7 18:19:53 openvpn[13386]: TLS: Initial packet from [AF_INET]91.228.0.4:53, sid=aa61aa4c b8f9f1ff
Nov  7 18:19:54 openvpn[13386]: VERIFY OK: depth=1, /C=UK/ST=NR/L=Attleborough/O=Hide_My_Ass__Pro/OU=VPN/CN=vpn.hidemyass.com/emailAddress=ca@hidemyass.com
Nov  7 18:19:54 openvpn[13386]: VERIFY X509NAME ERROR: /C=UK/ST=NR/L=Attleborough/O=Hide_My_Ass__Pro/OU=VPN/CN=server/emailAddress=vpn@hidemyass.com, must be ns-cert-type
Nov  7 18:19:54 openvpn[13386]: TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:lib(20):func(144):reason(134)
Nov  7 18:19:54 openvpn[13386]: TLS Error: TLS object -> incoming plaintext read error
Nov  7 18:19:54 openvpn[13386]: TLS Error: TLS handshake failed
Nov  7 18:19:54 openvpn[13386]: SIGUSR1[soft,tls-error] received, process restarting
Nov  7 18:19:54 openvpn[13386]: Restart pause, 2 second(s)

It's just looping with those logs.

Also, with the DNS server settings under WAN, do I need to set the DNS server or can it be left automatic? I initially set it to Google DNS but it didn't make a difference so removed it.

I don't know if it's relevant, but where we are my router is connected to the ISP's router in the service hatch (I don't have the login, unfortunately!) which then goes out, so my home network is on 192.168.0.x and anything connected to the wall ethernet ports gets picked up by the ISP's router and given a 192.168.1.x address by DHCP (including my Asus router).
 
To double check, here are my settings for Client 1;

OPENVPN Client Settings
Start with WAN: YES
Interface Type: TUN
Protocol: UDP
Server Address: 95.154.230.4
Port: 53
Firewall: Automatic
Authorization mode: TLS
Username/Password Authentication: Yes
Username: my HMA username
Password: my HMA password
Username Auth. Only: No
Extra HMAC authorization: Disabled
Create NAT on tunnel: Yes
Poll Interval: 0
Redirect Internet traffic: Yes
Accept DNS Configuration: Disabled
Encryption cipher: BF-CBC
Compression: Disabled
TLS Renegotiation Time: -1
Connection Retry: 30
Verify Server Certificate: Yes
Custom Configuration: ns-cert-type server

Keys are set for CA, CC and Client Key under the OpenVPN Keys tab.

Under WAN I have it set to 'no' to automatically connect to DNS, and DNS servers as 8.8.8.8 and 8.8.4.4.

Thanks
 
I have followed my own guide that I posted in #6 with WAN DNS set to 8.8.8.8/8.8.4.4 and a target HMA UDP socket:

95.154.230.4:53

and it connected without any fuss......

Code:
Nov  7 17:36:37 rc_service: httpd 318:notify_rc start_vpnclient1
Nov  7 17:36:37 openvpn[27863]: OpenVPN 2.3.2 mipsel-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Nov  1 2013
Nov  7 17:36:37 openvpn[27863]: Socket Buffers: R=[114688->131072] S=[114688->131072]
Nov  7 17:36:37 openvpn[27867]: UDPv4 link local: [undef]
Nov  7 17:36:37 openvpn[27867]: UDPv4 link remote: [AF_INET]95.154.230.4:53
Nov  7 17:36:37 openvpn[27867]: TLS: Initial packet from [AF_INET]95.154.230.4:53, sid=848fdbb1 bb03fc4d
Nov  7 17:36:37 openvpn[27867]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Nov  7 17:36:37 openvpn[27867]: VERIFY OK: depth=1, C=UK, ST=NR, L=Attleborough, O=Hide My butt! Pro, OU=VPN, CN=vpn.hidemyass.com, emailAddress=ca@hidemyass.com
Nov  7 17:36:37 openvpn[27867]: VERIFY OK: nsCertType=SERVER
Nov  7 17:36:37 openvpn[27867]: VERIFY OK: depth=0, C=UK, ST=NR, L=Attleborough, O=Hide My butt! Pro, OU=VPN, CN=server, emailAddress=vpn@hidemyass.com
Nov  7 17:36:38 openvpn[27867]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Nov  7 17:36:38 openvpn[27867]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Nov  7 17:36:38 openvpn[27867]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Nov  7 17:36:38 openvpn[27867]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Nov  7 17:36:38 openvpn[27867]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Nov  7 17:36:38 openvpn[27867]: [server] Peer Connection Initiated with [AF_INET]95.154.230.4:53
Nov  7 17:36:41 openvpn[27867]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Nov  7 17:36:41 openvpn[27867]: PUSH: Received control message: 'PUSH_REPLY,topology subnet,route-gateway 10.200.4.1,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,ping 10,ping-restart 90,redirect-gateway def1,ifconfig 10.200.5.55 255.255.252.0'
Nov  7 17:36:41 openvpn[27867]: OPTIONS IMPORT: timers and/or timeouts modified
Nov  7 17:36:41 openvpn[27867]: OPTIONS IMPORT: --ifconfig/up options modified
Nov  7 17:36:41 openvpn[27867]: OPTIONS IMPORT: route options modified
Nov  7 17:36:41 openvpn[27867]: OPTIONS IMPORT: route-related options modified
Nov  7 17:36:41 openvpn[27867]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Nov  7 17:36:41 openvpn[27867]: TUN/TAP device tun11 opened
Nov  7 17:36:41 openvpn[27867]: TUN/TAP TX queue length set to 100
Nov  7 17:36:41 openvpn[27867]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Nov  7 17:36:41 openvpn[27867]: /usr/sbin/ip link set dev tun11 up mtu 1500
Nov  7 17:36:41 openvpn[27867]: /usr/sbin/ip addr add dev tun11 10.200.5.55/22 broadcast 10.200.7.255
Nov  7 17:36:41 openvpn[27867]: /usr/sbin/ip route add 95.154.230.4/32 via xxx.xxx.xxx.xxx
Nov  7 17:36:41 openvpn[27867]: /usr/sbin/ip route add 0.0.0.0/1 via 10.200.4.1
Nov  7 17:36:41 openvpn[27867]: /usr/sbin/ip route add 128.0.0.0/1 via 10.200.4.1
Nov  7 17:36:41 openvpn[27867]: Initialization Sequence Completed


The settings you have supplied above seem to differ with respect to my settings from post #6 for

Code:
Verify Server Certificate: NO


I assume the HMA certificates that you have inserted into the Client1 tab match the ones I used from HMA??


Regards,
 

Yes, I have those three keys in under client 1

When I change that one setting (i.e. set Verify Server Certificate: NO), and also try with and without "ns-cert-type server" in the custom config, it still doesn't work. This is the log when I make these changes;

Code:
Nov  8 13:09:01 rc_service: httpd 305:notify_rc restart_vpnclient1
Nov  8 13:09:01 kernel: tun: Universal TUN/TAP device driver, 1.6
Nov  8 13:09:01 kernel: tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
Nov  8 13:09:01 openvpn[3854]: OpenVPN 2.3.2 mipsel-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Nov  1 2013
Nov  8 13:09:01 openvpn[3854]: Socket Buffers: R=[116736->131072] S=[116736->131072]
Nov  8 13:09:01 openvpn[3860]: UDPv4 link local: [undef]
Nov  8 13:09:01 openvpn[3860]: UDPv4 link remote: [AF_INET]95.154.230.4:53
Nov  8 13:09:02 openvpn[3860]: TLS: Initial packet from [AF_INET]95.154.230.4:53, sid=5dac7b91 86bc9437
Nov  8 13:09:02 openvpn[3860]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Nov  8 13:09:03 openvpn[3860]: VERIFY OK: depth=1, C=UK, ST=NR, L=Attleborough, O=Hide My butt! Pro, OU=VPN, CN=vpn.hidemyass.com, emailAddress=ca@hidemyass.com
Nov  8 13:09:03 openvpn[3860]: VERIFY OK: nsCertType=SERVER
Nov  8 13:09:03 openvpn[3860]: VERIFY OK: depth=0, C=UK, ST=NR, L=Attleborough, O=Hide My butt! Pro, OU=VPN, CN=server, emailAddress=vpn@hidemyass.com
Nov  8 13:09:06 openvpn[3860]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Nov  8 13:09:06 openvpn[3860]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Nov  8 13:09:06 openvpn[3860]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Nov  8 13:09:06 openvpn[3860]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Nov  8 13:09:06 openvpn[3860]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Nov  8 13:09:06 openvpn[3860]: [server] Peer Connection Initiated with [AF_INET]95.154.230.4:53
Nov  8 13:09:08 openvpn[3860]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Nov  8 13:09:09 openvpn[3860]: AUTH: Received control message: AUTH_FAILED
Nov  8 13:09:09 openvpn[3860]: SIGTERM[soft,auth-failure] received, process exiting

Anyone have any ideas what might be wrong/causing the auth failure...? :confused:
 
By simply changing the 1st char of my HMA UserID I can easily replicate your AUTH failure....

Code:
Nov  8 15:56:33 openvpn[11340]: OpenVPN 2.3.2 mipsel-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Nov  1 2013
Nov  8 15:56:33 openvpn[11340]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Nov  8 15:56:33 openvpn[11340]: Socket Buffers: R=[114688->131072] S=[114688->131072]
Nov  8 15:56:33 openvpn[11346]: UDPv4 link local: [undef]
Nov  8 15:56:33 openvpn[11346]: UDPv4 link remote: [AF_INET]103.246.114.68:53
Nov  8 15:56:33 openvpn[11346]: TLS: Initial packet from [AF_INET]103.246.114.68:53, sid=aee248d9 aba1500e
Nov  8 15:56:33 openvpn[11346]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Nov  8 15:56:36 openvpn[11346]: VERIFY OK: depth=1, C=UK, ST=NR, L=Attleborough, O=Hide My butt! Pro, OU=VPN, CN=vpn.hidemyass.com, emailAddress=ca@hidemyass.com
Nov  8 15:56:36 openvpn[11346]: VERIFY OK: depth=0, C=UK, ST=NR, L=Attleborough, O=Hide My butt! Pro, OU=VPN, CN=server, emailAddress=vpn@hidemyass.com
Nov  8 15:56:42 openvpn[11346]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Nov  8 15:56:42 openvpn[11346]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Nov  8 15:56:42 openvpn[11346]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Nov  8 15:56:42 openvpn[11346]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Nov  8 15:56:42 openvpn[11346]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Nov  8 15:56:42 openvpn[11346]: [server] Peer Connection Initiated with [AF_INET]103.246.114.68:53
Nov  8 15:56:44 openvpn[11346]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Nov  8 15:56:45 openvpn[11346]: AUTH: Received control message: AUTH_FAILED
Nov  8 15:56:45 openvpn[11346]: SIGTERM[soft,auth-failure] received, process exiting


I can only surmise that you are not correctly supplying your true HMA account credentials..... i.e. DO NOT use the HMA PPTP password.

Regards,
 
Ah! Bingo! Yes, that was it. I didn't spot that. I've changed it to my normal HMA password and it has now connected! Excellent, thanks!

Now to try the next step..... (tomorrow!)

Just looking at file formats in Notepad++. I can only see Unix script file format, either .bsh or .sh. Which should I use?
 
Last edited:
A question on how flexible you can be with the scripts....

Can I set Client 2 as a US VPN and specify routing by device IP address and website at the same time? I.e., can I set my Samsung Smart TV to go through, say, Client 1 with a UK VPN for accessing BBC iPlayer and ITV Player, but Client 2 with a US VPN for Netflix and Spotify? Or can I only use one VPN at a time?

Also, with each device, can I, for example, set my iPod Touch to go through the VPN only when it is connecting to BBC Radio player but when connecting to anything else it doesn't go through it?

Just trying to get my head around your example script....!
 
Last edited:
Hi again guys
Here's my first attempt at a script for my setup to push my TV and iPod Touch through the VPN but nothing else (I'll later add the Sonos system once I know it's working). I've done it based on the one Wizin gave for his setup - would Martineau's be better?

Does this look correct?

Code:
#!/bin/sh

sleep 2

touch /tmp/000wanstarted

for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
      echo 0 > $i
done


#UK VPN

#
# Delete table 100 and flush any existing rules if they exist.
#
ip route flush table 100
ip route del default table 100
ip rule del fwmark 1 table 100
ip route flush cache
iptables -t mangle -F PREROUTING

SamsungTV="192.168.0.15"
IpodTouch="192.168.0.14"
#SonosBridge="192.168.0.30"
#SonosPlaybar="192.168.0.31"
#SonosPlay5="192.168.0.32"

#
# Copy all non-default and non-VPN related routes from the main table into table 100.
# Then configure table 100 to route all traffic out the WAN gateway and assign it mark "1"
#
# NOTE: Here I assume the OpenVPN tunnel is named "tun11".
#
#
ip route show table main | grep -Ev ^default | grep -Ev tun11 \
  | while read ROUTE ; do
      ip route add table 100 $ROUTE
done


ip route add default table 100 via $(nvram get wan0_gateway)
ip rule add fwmark 1 table 100
ip route flush cache
 

#
# Define the routing policies for the traffic. The rules will be applied in the order that they
# are listed. In the end, packets with MARK set to "0" will pass through the VPN. If MARK is set
# to "1" it will bypass the VPN.
#


# All LAN traffic will bypass the VPN (useful to put this rule first, so all traffic
# bypasses the VPN and you can configure exceptions afterwards)
iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1
 

# All traffic from SamsungTV & IpodTouch will use the UK VPN
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range $SamsungTV -j MARK --set-mark 0
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range $IpodTouch -j MARK --set-mark 0

exit 0

Hmmm... that hasn't worked. When I reboot the VPN is on, but everything is still going through it.
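When a script like the one above (or Martineau's from #6) leaves all traffic going through the VPN, the quickest way to find the broken layer is to check the four pieces of state the script is supposed to produce: rp_filter off, the fwmark policy rule, table 100 defaulting to the WAN gateway, and the mangle PREROUTING order. The diagnostic below is an added example, not code from any post; it assumes the thread's conventions (mark 1 = bypass via table 100, mark 0 = VPN, LAN bridge br0, gateway from `nvram get wan0_gateway`) and that the OpenVPN client interface is tun11, as the syslog earlier in the thread shows for Client 1. Each check reads one command's output on stdin so it can be exercised offline; `sh check-selective.sh live` runs it against the router.

```shell
#!/bin/sh
# Diagnostic for the fwmark / table-100 selective-routing layout built by the
# scripts in this thread. Added example; not from any post in the thread.
# Assumptions: mark 1 = bypass the VPN via table 100, mark 0 = use the VPN,
# LAN bridge is br0, WAN gateway is "nvram get wan0_gateway", and the OpenVPN
# client interface is tun11 (as Client 1 opens in the syslog above).
#
# Each check_* reads the output of one router command on stdin and returns
# 0 (pass) or 1 (fail), so the checks can be driven with constructed output.

# rp_filter must be 0 on every interface, otherwise replies that come back for
# flows routed via table 100 are dropped as "spoofed".
# Input: cat /proc/sys/net/ipv4/conf/*/rp_filter
check_rp_filter() {
    awk '$1 != 0 { bad = 1 } END { exit (bad || NR == 0) }'
}

# A policy rule must send packets carrying mark 1 to table 100.
# Input: ip rule
check_ip_rule() {
    grep -q 'fwmark 0x1 lookup 100'
}

# Table 100 must default to the WAN gateway and must not contain any route
# through the tunnel, or "bypass" traffic still enters the VPN. This is the
# failure you get if the route-copy loop runs after the tunnel is already up.
# Input: ip route show table 100.  $1 = WAN gateway, $2 = tunnel interface.
check_table100() {
    awk -v gw="$1" -v tun="$2" '
        $1 == "default" && $2 == "via" && $3 == gw { ok = 1 }
        index($0, "dev " tun) > 0                  { leak = 1 }
        END { exit !(ok && !leak) }'
}

# Rules are evaluated in order: the first PREROUTING rule must be the
# unconditional "-i br0 ... MARK 1" catch-all, and at least one later rule
# must set mark 0 for a VPN device. An exception placed before the catch-all
# is simply overwritten, which looks exactly like "everything uses the VPN".
# Input: iptables -t mangle -S PREROUTING
check_prerouting() {
    awk '
        /^-A PREROUTING / {
            n++
            if (n == 1) {
                catchall = ($0 ~ /-i br0 -j MARK --set-x?mark 0x1(\/0xffffffff)?$/)
                if ($0 ~ /(-s |-m |-p )/) catchall = 0
            } else if ($0 ~ /-j MARK --set-x?mark 0x0/) {
                exceptions++
            }
        }
        END { exit !(catchall && exceptions > 0) }'
}

# Run every check against the live router; exit 0 only if all four pass.
run_live() {
    gw=$(nvram get wan0_gateway)
    rc=0
    cat /proc/sys/net/ipv4/conf/*/rp_filter | check_rp_filter \
        || { echo "FAIL: rp_filter still enabled on some interface"; rc=1; }
    ip rule | check_ip_rule \
        || { echo "FAIL: no 'fwmark 0x1 lookup 100' policy rule"; rc=1; }
    ip route show table 100 | check_table100 "$gw" tun11 \
        || { echo "FAIL: table 100 lacks 'default via $gw' or has a tun11 route"; rc=1; }
    iptables -t mangle -S PREROUTING | check_prerouting \
        || { echo "FAIL: PREROUTING needs the MARK 1 catch-all first, then MARK 0 exceptions"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: selective routing state looks consistent"
    return "$rc"
}

# Only touch the live system when asked explicitly.
if [ "${1:-}" = "live" ]; then
    run_live
fi
```

If `check_prerouting` fails but the rules are all present, run `iptables -t mangle -L PREROUTING -n --line-numbers` and confirm the catch-all is line 1; if `check_table100` fails, the script most likely ran after the tunnel was up and copied the VPN's 0.0.0.0/1 and 128.0.0.0/1 routes into the bypass table.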
 
OK, so I have also now tried Martineau's script edited for my two devices, but it's also not working - all traffic is still going through the VPN.

I don't understand all the commands going on in there to know where to look.

Here's my script (saved as openvpn-event with no extension, the properties changed to 0777 and FTPd to the router);

Code:
#!/bin/sh

logger -t "($(basename $0))" $$ HMA VPN Selective customisation starting.... " $0${*:+ $*}."


## CUSTOMIZE YOUR SCRIPT VARIABLES
#
## Uncomment and assign/change value(s) as needed to customize your rules
#
# ip_range1="192.168.10.200-192.168.10.203"
# ip_range2="192.168.10.8/29"
# ip_range3=""
#
# If your IP addresses don't fall in a contiguous range, you'll need separate rules instead.

SamsungTV="192.168.0.15"
IpodTouch="192.168.0.14"
#SonosBridge="192.168.0.30"
#SonosPlaybar="192.168.0.31"
#SonosPlay5="192.168.0.32"

# ip_address3=""
#
# Spotify
# website_dst_range1="78.31.8.1-78.31.15.254"
# website_dst_range2="193.182.8.1-193.182.15.254"
# Another website
#
# website_dst_range3=""
##
 
# SHELL COMMANDS FOR MAINTENANCE.
# DO NOT UNCOMMENT, THESE ARE INTENDED TO BE USED IN A SHELL COMMAND LINE
#
#  List Contents by line number
#iptables -L PREROUTING -t mangle -n --line-numbers
#
#  Delete rules from mangle by line number
#iptables -D PREROUTING type-line-number-here -t mangle
#
#  To list the current rules on the router, issue the command:
#      iptables -t mangle -L PREROUTING
#
#  Flush/reset all the rules to default by issuing the command:
#      iptables -t mangle -F PREROUTING
 
# */* #
# First it is necessary to disable Reverse Path Filtering on all
# current and future network interfaces:
 
for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
  echo 0 > $i
done
 
#
# Delete table 100 and flush any existing rules if they exist.
#
ip route flush table 100
ip route del default table 100
ip rule del fwmark 1 table 100
ip route flush cache
iptables -t mangle -F PREROUTING
 
#
# Copy all non-default and non-VPN related routes from the main table into table 100.
# Then configure table 100 to route all traffic out the WAN gateway and assign it mark "1"
#
 
#iface_lst=`route | awk ' {print $8}'`
#for tun_if in $iface_lst; do
#  if [ "$tun_if" = "tun11" ]; then
#	exit 0
#  elif [ "$tun_if" = "tun12" ]; then
#	exit 0
#  fi
#done

tun_if="tun21"

ip route show table main | grep -Ev ^default | grep -Ev $tun_if  \
  | while read ROUTE ; do
	  ip route add table 100 $ROUTE
      logger -t "($(basename $0))" $$ HMA VPN Table 100 added entry: $ROUTE
done

ip route add default table 100 via $(nvram get wan0_gateway)
logger -t "($(basename $0))" $$ HMA VPN default added to Table 100 for $(nvram get wan0_gateway)
ip rule add fwmark 1 table 100
ip route flush cache
 
 
# EXAMPLES:
#
#  All LAN traffic will bypass the VPN (Useful to put this rule first,
#  so all traffic bypasses the VPN and you can configure exceptions afterwards)
#    iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1
#
#  Ports 80 and 443 will bypass the VPN
#    iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport 80,443 -j MARK --set-mark 1
#
#  All traffic from a particular computer on the LAN will use the VPN
#    iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.2 -j MARK --set-mark 0
#
#  All traffic to a specific Internet IP address will use the VPN
#    iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 216.146.38.70 -j MARK --set-mark 0
#
#  All UDP and ICMP traffic will bypass the VPN
#    iptables -t mangle -A PREROUTING -i br0 -p udp -j MARK --set-mark 1
#    iptables -t mangle -A PREROUTING -i br0 -p icmp -j MARK --set-mark 1
 
 
# By default all traffic bypasses the VPN
iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1
 
# IP_RANGES - Uncomment as necessary
#iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range $ip_range1 -j MARK --set-mark 0
#iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range $ip_range2 -j MARK --set-mark 0
#iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range $ip_range3 -j MARK --set-mark 0
 
# IP_ADDRESSES - Uncomment as necessary
#iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range $ip_address1 -j MARK --set-mark 0
#iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range $ip_address2 -j MARK --set-mark 0
#iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range $ip_address3 -j MARK --set-mark 0

logger -t "($(basename $0))" $$ HMA VPN Selective customisation for: "$"SamsungTV $SamsungTV
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range $SamsungTV -j MARK --set-mark 0
# Optionally FORCE the use of the VPN tunnel, so if the VPN tunnel drops, the device will not use the unencrypted default WAN
#iptables -I FORWARD -i br0 -s $SamsungTV -o eth0 -j DROP

logger -t "($(basename $0))" $$ HMA VPN Selective customisation for: "$"IpodTouch $IpodTouch
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range $IpodTouch -j MARK --set-mark 0
# Optionally FORCE the use of the VPN tunnel, so if the VPN tunnel drops, the device will not use the unencrypted default WAN
#iptables -I FORWARD -i br0 -s $IpodTouch -o eth0 -j DROP

# Spotify explicitly uses the VPN
#iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range $website_dst_range1 -j MARK --set-mark 0
#iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range $website_dst_range2 -j MARK --set-mark 0
	
service start_vpnclient1

# Routing for the above devices can be validated by using web page http://www.ip2location.com/
# Although if Port 80 is excluded from the VPN then it will always show the local GEO ISP location! 

logger -t "($(basename $0))" $$ HMA VPN Selective customisation completed.

Any ideas? :confused:

Looking through the Syslog I cannot see any trace of the openvpn-event script file being referred to - how do I know if it's being used?

Ultimately I would like to direct those devices to a UK VPN, plus any traffic for Spotify and Rdio to a US VPN and any traffic for BBC iPlayer and BBC Radio player to the UK VPN. I can see the commands referring to Spotify's IP range but don't quite understand how to use it properly (or how to find IP ranges/addresses for Rdio, BBC iPlayer, etc).

Is this all possible?
 

My script is named HMA_Select.sh and I used to have wan-start call it (see comments at the end of my script).

(I currently find that DNSMASQ/Unblock-US, whilst not device-specific selective, suits my purposes far better at present in terms of streaming performance.)

If you call your openvpn-event script manually, then if it is based on my version of 'HMA_Select.sh' then Syslog should show the various logger statements to aid debugging... however I strongly suggest that you use a different name for the HMA script during testing!

The comments in my script should be able to assist in answering your own queries, i.e. fine tune the selective routing based on a combination of source device and /or destination etc.

Having both OpenVPN Clients 1 and 2 active at the same time is not something I have used.
(RMerlin provisioned the use of having both OpenVPN Server configs active concurrently as it is useful to have say both TCP and UDP inbound connections to cater for access to the RT-N66U from within a corporate network.)

Identifying the actual alias I/P addresses of a site is tedious, so unless someone has already correctly identified them and posted them previously on the web, then you will need to do a little research for yourself.

Try searching the web for all I/P addresses for say 'www.facebook.com' and you'll quickly see how the many definitive lists differ!

Unfortunately iptables may initially appear to work with human-friendly URLs such as 'www.bbciplayer.com' but won't cover ALL alias I/P addresses. :(

Regards,
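The following is an added dry-run helper, not code from the thread or from Martineau's HMA_Select.sh: it takes MARK rules in the syntax the openvpn-event script above uses and works out which mark a packet from a given LAN host to a given destination leaves PREROUTING with, and therefore whether it goes out the WAN gateway (table 100) or the VPN, which is the source/destination fine-tuning the reply above describes. It assumes every packet arrives on br0 and that only --src-range and --dst-range matches are in play; the rule set is constructed from the two device addresses in the script plus its commented-out Spotify range.

```shell
#!/bin/sh
# Added dry-run (not from the thread): given MARK rules in the syntax the openvpn-event
# script uses, compute the mark a packet leaves PREROUTING with. MARK does not terminate
# the chain, so every matching rule fires and the LAST match wins: the catch-all
# "set-mark 1" must come first and the exceptions after it. Mark 1 -> "ip rule fwmark 1
# table 100" -> WAN gateway; mark 0 -> main table -> VPN. Assumes all packets arrive on br0.
# Constructed sample: the script's two device rules plus its commented-out Spotify
# destination range, sent to the VPN for every LAN host.
SAMPLE_RULES='-A PREROUTING -i br0 -j MARK --set-mark 1
-A PREROUTING -i br0 -m iprange --src-range 192.168.0.15 -j MARK --set-mark 0
-A PREROUTING -i br0 -m iprange --src-range 192.168.0.14 -j MARK --set-mark 0
-A PREROUTING -i br0 -m iprange --dst-range 78.31.8.1-78.31.15.254 -j MARK --set-mark 0'

# Same rules with the catch-all appended last: it then overrides every exception.
WRONG_ORDER_RULES="$(printf '%s\n' "$SAMPLE_RULES" | sed '1d')
-A PREROUTING -i br0 -j MARK --set-mark 1"

ip2int() {                    # dotted quad -> integer so ranges compare arithmetically
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

in_range() {                  # in_range IP LO-HI; a bare address means LO-LO, as iprange does
    lo=${2%-*}; hi=${2#*-}
    [ "$(ip2int "$1")" -ge "$(ip2int "$lo")" ] && [ "$(ip2int "$1")" -le "$(ip2int "$hi")" ]
}

final_mark() {                # final_mark SRC DST [RULES] -> prints 0 (VPN) or 1 (WAN)
    src=$1; dst=$2; rules=${3-$SAMPLE_RULES}
    mark=0                    # a packet enters PREROUTING unmarked
    while read -r line; do
        set -- $line; match=1; newmark=
        while [ $# -gt 0 ]; do
            case $1 in
                --src-range) in_range "$src" "$2" || match=0; shift ;;
                --dst-range) in_range "$dst" "$2" || match=0; shift ;;
                --set-mark)  newmark=$2; shift ;;
            esac
            shift
        done
        if [ $match -eq 1 ] && [ -n "$newmark" ]; then mark=$newmark; fi
    done <<EOF
$rules
EOF
    echo "$mark"
}

route_for() {                 # route_for SRC DST [RULES] -> WAN or VPN
    [ "$(final_mark "$@")" -eq 1 ] && echo WAN || echo VPN
}
```

Passing an empty rule set as the third argument reproduces the symptom in the thread: with no marks set at all, every host gets mark 0 and follows the main table's VPN default route.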
 
I can't use Unblockus out here unfortunately - I'm unable to update my IP address as it's blocked unless I connect through a VPN, so when I do connect via a VPN it's not my true local IP address, bit of a catch 22. Unotelly is having a problem out here as well, so for now I'm stuck with having to use a slower VPN for certain sites :(

I'm not aware of DNSMASQ or how to use it with a router (presumably it's installed on the router?)

My main absolute must is to just get the script set up so my TV, iPod Touch and Sonos kit get directed to the UK VPN and none of the others do.

I'm quite confused about what to do (I'm new to this...!) When you say call the script, how do I actually do that? Does it not automatically run by being in the script folder then? And why use a different name for the HMA script during testing? Just so it's easier to identify or for security reasons?

Thanks
 
