Help needed setting up iptables and script to connect devices to VPN service


I can't use Unblockus out here unfortunately - I'm unable to update my IP address as it's blocked unless I connect through a VPN, so when I do connect via a VPN it's not my true local IP address, bit of a catch 22. Unotelly is having a problem out here as well, so for now I'm stuck with having to use a slower VPN for certain sites :(

I'm not aware of DNSMASQ or how to use it with a router (presumably it's installed on the router?)

My main absolute must is to just get the script set up so my TV, iPod Touch and Sonos kit get directed to the UK VPN and none of the others do.

I'm quite confused about what to do (I'm new to this...!) When you say call the script, how do I actually do that? Does it not automatically run by being in the script folder then? And why use a different name for the HMA script during testing? Just so it's easier to identify or for security reasons?

Thanks

If the script is not being executed automatically (as part of RMerlin's firmware) then either it is not the correct name, not in the correct location, or contains invalid EOL termination characters.

So logic states that if you name it something unique it cannot be inadvertently invoked by 'accident'.

I suggested that you use WinSCP to be able to edit files on the RT-N66U (ensuring that they are truly Unix LF terminated rather than illegal CRLF terminated as produced by NOTEPAD), then set the properties and right click the file to execute.

Otherwise SSH/TELNET into the router, cd to the location of the file

/jffs/scripts

then use

vi

to correct the script then ensure

chmod a+rx

then issue

./script_file_name



Regards,
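The reply above names three reasons a /jffs/scripts hook silently fails to run at boot: wrong file name, Windows CRLF line endings, and a missing execute bit. The following POSIX sh snippet is an added example (not code from the thread or from RMerlin's firmware) that checks a script for all three before you reboot. The hook names in KNOWN_HOOKS are the ones mentioned in this thread; the list is an assumption, not the firmware's full list, so extend it for your firmware version.

```shell
#!/bin/sh
# Added example: sanity-check a /jffs/scripts hook before relying on it at boot.
# Checks the three failure causes named in the thread: wrong name, CRLF line
# endings (Notepad style), missing execute bit. Also warns on a missing #! line.
# KNOWN_HOOKS is a constructed, partial list based on the thread; extend as needed.

KNOWN_HOOKS="services-start wan-start openvpn-event"

# is_known_hook NAME -> 0 if NAME is a hook the firmware calls automatically
is_known_hook() {
    for h in $KNOWN_HOOKS; do
        [ "$1" = "$h" ] && return 0
    done
    return 1
}

# has_crlf FILE -> 0 if the file contains any carriage-return characters
has_crlf() {
    [ -n "$(tr -cd '\r' < "$1")" ]
}

# check_script PATH -> prints each problem found; returns the number of problems
# (0 means the script should be picked up and run by the firmware)
check_script() {
    f=$1
    problems=0
    if ! is_known_hook "$(basename "$f")"; then
        echo "WARN: $(basename "$f") is not a hook name the firmware runs automatically"
        problems=$((problems + 1))
    fi
    if has_crlf "$f"; then
        echo "FAIL: $f has CRLF line endings; fix with: sed -i 's/\r\$//' $f"
        problems=$((problems + 1))
    fi
    if [ ! -x "$f" ]; then
        echo "FAIL: $f is not executable; fix with: chmod a+rx $f"
        problems=$((problems + 1))
    fi
    if ! head -n 1 "$f" | grep -q '^#!'; then
        echo "WARN: $f has no #! interpreter line"
        problems=$((problems + 1))
    fi
    return $problems
}

# Usage on the router (via SSH/TELNET): check_script /jffs/scripts/wan-start
```

Run it over SSH from the router itself, since WinSCP's file properties dialog shows the permission bits but not the line endings.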
 
Thanks. Does it matter what the script file is called, or will any script in there run when the router boots then?
 
OK.... so I'd need to use a script called services-start to tell it to run the script openvpn-event to start the VPN? Presumably if I called my script services-start it would still run on start up, but if it then stopped it wouldn't automatically try to restart as it would with openvpn-event? Am I understanding these correctly?
 

As per RMerlin's documentation, if the script you create is one of those listed, then it will indeed be correctly executed at the appropriate time.

As my original script stated, it works best if called AFTER wan-start has executed. Putting a call in services-start would probably be too early in the RT-N66U BOOT sequence.

Manually check the EOL chars in openvpn-start script then manually execute it and list the results of the SSH/TELNET session.

Regards,
 
I'm sorry, I'm getting really confused here (I think you're assuming I know more than I do!) but I think I'm making slow progress....!

I renamed the script to wan-start (I deleted the original, created a new file in WinSCP directly in the folder and pasted the script in there, then changed the properties to octal 0777).

When I go into WinSCP and execute the script manually from there it works - it starts the VPN and does the selective routing, my TV and Touch are getting a UK IP address and everything else is using the normal connection - definitely good news!

But it's not autostarting when I reboot the router. :confused:


I'm not sure what you mean. So wan-start and services-start are too early? Which should I use then?

And what do you mean the EOL chars? How do I list the results of the SSH/TELNET sessions (I'm connecting with WinSCP so can I get those from that?)

I don't understand this bit either - do I still need to do this if it's running manually?

Otherwise SSH/TELNET into the router, cd to the location of the file

/jffs/scripts

then use

vi

to correct the script then ensure

chmod a+rx

then issue

./script_file_name

####### hell... now it's not working even manually. It just starts the OpenVPN connection and all is connected again. :confused:
 


OK <sigh>

So the following sequence works every time?

Code:
1. Reboot RT-N66U

2. Executing the WinSCP created wan-start script manually, achieves your goal of selectively routing traffic via the UK VPN.



Can you please post a screen shot showing that the /jffs/ partition is indeed formatted and working, and your WinSCP windows:

Here is mine showing that the left pane shows the backup of my scripts on Windows and the right pane showing the RT-N66U scripts...

Regards,
 

It did, then it didn't. Just tried it again, and it did [work when executed manually], so yes, steps 1 and 2 seem to be ok.

Here's the screen grab;
28s4i9h.jpg
 

Well the script /jffs/scripts/wan-start would appear to be in the correct location and unix executable format, so if the SysInfo tab appears similar to the attached screen shot then I have no idea why wan-start does not execute after every RT-N66U reboot.



Regards,
 

Should I set the 'start with WAN' option to no? Could it be that having it set to yes starts the VPN before it executes the script, and when it then looks at the script it doesn't run it because the VPN is already running?
 
Ah, it looks like it is working now.

The last couple of times I've rebooted I can see the script in the system log and the Touch is connecting to a UK server.

I did make things confusing for myself for a while by putting the TCP port for a UDP connection....(doh!), which leads me back to one of my earlier questions - TCP and UDP - which is best to use? Will UDP give better speeds for things like streaming? Are there any downsides to using UDP over TCP?

I'll add the Sonos devices to the script and see if they go through the VPN as well (I'll have to wait until there's a match on that Five Live are commentating on to check they're not getting geo-blocked).

A couple of other questions;

If I want the Samsung TV to be blocked if the VPN connection is lost presumably I just remove the comment # from the line I've made bold below?

Code:
logger -t "($(basename $0))" $$ HMA VPN Selective customisation for: "$"SamsungTV $SamsungTV
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range $SamsungTV -j MARK --set-mark 0
# Optionally FORCE the use of the VPN tunnel, so if the VPN tunnel drops, the device will not use the unencrypted default WAN
#iptables -I FORWARD -i br0 -s $SamsungTV -o eth0 -j DROP

And if I wanted to specify a range of addresses to go through the VPN - in your example Spotify's ranges, do I need to uncomment all of these?

Code:
# ip_range3=""
# ip_address3=""

# Spotify
# website_dst_range1="78.31.8.1-78.31.15.254"
# website_dst_range2="193.182.8.1-193.182.15.254"

#iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range $website_dst_range1 -j MARK --set-mark 0
#iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range $website_dst_range2 -j MARK --set-mark 0
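The two questions above (uncommenting the FORWARD DROP "kill switch" line, and uncommenting the destination-range lines) both come down to emitting iptables rules from variables, and the most common mistake when doing so is the one visible in the quoted snippet: passing the variable's name (website_dst_range1) instead of its value ($website_dst_range1), which iptables rejects at boot with no useful trace in the log. The following POSIX sh is an added example, not the script from the thread: it wraps each rule type in a function that validates the range first, and defaults to a dry run that prints the commands so you can inspect them before running them as root on the router. The variable names follow the thread; the addresses are constructed sample values, and mark 0 is the value the thread's script uses.

```shell
#!/bin/sh
# Added example (not the thread's script): generate the mangle/FORWARD rules for
# selective VPN routing, validating every range before it reaches iptables.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them (root on router).

DRY_RUN=${DRY_RUN:-1}

# valid_range VALUE -> 0 if VALUE is "a.b.c.d" or "a.b.c.d-e.f.g.h" (what -m iprange accepts)
valid_range() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(-([0-9]{1,3}\.){3}[0-9]{1,3})?$'
}

# run ARGS... -> prints "iptables ARGS" in dry-run mode, otherwise runs iptables
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# mark_src RANGE -> mark packets FROM a LAN device (mark 0, as in the thread) so the
# firmware's policy routing sends them via the VPN tunnel
mark_src() {
    valid_range "$1" || { echo "ERROR: bad source range '$1' (unset variable?)" >&2; return 1; }
    run -t mangle -A PREROUTING -i br0 -m iprange --src-range "$1" -j MARK --set-mark 0
}

# mark_dst RANGE -> mark packets TO a destination range (e.g. a streaming service)
mark_dst() {
    valid_range "$1" || { echo "ERROR: bad destination range '$1' (unset variable?)" >&2; return 1; }
    run -t mangle -A PREROUTING -i br0 -m iprange --dst-range "$1" -j MARK --set-mark 0
}

# block_wan RANGE -> kill switch: drop the device's forwarded traffic on the WAN
# interface so it cannot fall back to the unencrypted default route if the tunnel drops
block_wan() {
    valid_range "$1" || { echo "ERROR: bad range '$1' for kill switch" >&2; return 1; }
    run -I FORWARD -i br0 -m iprange --src-range "$1" -o eth0 -j DROP
}

# Constructed sample values (replace with your own devices and ranges)
SamsungTV="192.168.1.20"
website_dst_range1="78.31.8.1-78.31.15.254"

mark_src "$SamsungTV"
block_wan "$SamsungTV"
mark_dst "$website_dst_range1"

# The mistake from the quoted snippet: the name instead of the value is rejected
mark_dst website_dst_range1 || echo "(rejected before reaching iptables, as intended)"
```

Because the validation runs before iptables is called, a forgotten `$` or an empty variable produces a readable error on the console instead of a half-applied rule set, which is the failure mode that shows up as "everything goes through the VPN" or "nothing does" after a reboot.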
 
Strange. As soon as I add the Sonos devices to the script everything goes through the VPN. :thinking:

Enough for today.... I'll try again tomorrow. So far so good, and many thanks for the help (and patience...!) so far...! :D
 
