What's new

N56U - Padavan Firmware - PIA - VPN Client Setup Help please

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

parvpn

Occasional Visitor
Please HELP with my VPN Client Setup... I want to connect to my VPN provider. PIA (Privateinternetaccess)

I am on ver .81 base firmware.

But I am struggling with configuring the VPN client. I want to use OpenVPN.

I know I have to paste the Root certificate from OpenVPN files but it seems like there is something else that is not correctly set which is not letting it work...

Here is what I have so far in the screenshot below:

http://imgur.com/AdXviXE

and when it connects as in the screen below, I can't browse..the browser times out..

http://imgur.com/Jt59KUK

Also what do I put under "OpenVPN Extended Configuration"

Here is what I want to use..
http://www.privateinternetaccess.com...#ddwrt_openvpn


EDIT- Problem resolved.

I changed the WAN DNS Setting

Get the DNS Server Address Automatically? to No

and keyed in the following Google DNS address - 8.8.8.8
 
Last edited:
I register to add more help to this topic, it's sad even the Padavan firmware website don't have VPN client setup instructions.

After compare PARVPN's screen shot of his router setting. I want to add on the " OpenVPN Certificates and Keys" tab. You only get "Root CA Certificate:" field to paste text if you choose "Authentication:" as "TLS: username/password"

go to your VPN host, mine is PrivateInternetAccess as well. I download their openvpn config zip file. Must unzip it, not just open. then use notepad to open ca.crt file. copy and paste all the text from that file into the "Root CA Certificate:"
 
I have something quite similar, and like your thoughts on my issue.
I am about to setup a serial connection with two routers, in or order to get two different networks (router1: 192.168.1.0 and router2: 192.168.2.0), where router2 is to bring VPN connection for my TV and Bluray, and most other devices running the standard local network (router1).

I have a ASUS RT-N56U (router2) that I installed Padavan (.81) on, in order to get VPN client functionality. To begin with, I intend to test the VPN client functionality by running router2 as single router towards the WAN. The VPN service is Hide my butt (HMA) , running OpenVPN. From HMA I have a startup script for TCP, containing USERNAME="[my username]", PASSWORD="[my pwd]" PROTOCOL="tcp", REMOTE_SERVERS="[list of servers]", CA_CRT="[HEX code]", CLIENT_CRT="[HEX code]", CLIENT_KEY="[HEX code]" and then some
Code:
OPVPNENABLE=`nvram get openvpncl_enable | awk '$1 == "0" {print $1}'`

if [ "$OPVPNENABLE" != 0 ]
then
   nvram set openvpncl_enable=0
   nvram commit
fi

sleep 30
mkdir /tmp/hmavpncl; cd /tmp/hmavpncl
echo -e "$USERNAME\n$PASSWORD" > userpass.conf
echo "$CA_CRT" > ca.crt; echo "$CLIENT_CRT" > client.crt; echo "$CLIENT_KEY" > client.key
echo "#!/bin/sh" > route-up.sh; echo -e "#!/bin/sh\nsleep 2" > route-down.sh
echo "#!/bin/sh
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
iptables -I INPUT -i tun0 -j REJECT
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE" > /tmp/.rc_firewall
chmod 644 ca.crt client.crt; chmod 600 client.key userpass.conf; chmod 700 route-up.sh route-down.sh
chmod 700 /tmp/.rc_firewall
sleep 30
echo "client
dev tun
proto $PROTOCOL
script-security 2
hand-window 60
verb 3
mute 5
mtu-disc yes
cipher bf-cbc
auth sha1
tun-mtu 1500
resolv-retry infinite
nobind
persist-key
persist-tun
ns-cert-type server
keepalive 20 120
reneg-sec 0
log hmavpn.log
ca ca.crt
cert client.crt
key client.key
daemon
auth-user-pass userpass.conf
remote-random
$REMOTE_SERVERS" > openvpn.conf
ln -s /tmp/hmavpncl/hmavpn.log /tmp/hmavpn.log
(killall openvpn; openvpn --config /tmp/hmavpncl/openvpn.conf --route-up /tmp/hmavpncl/route-up.sh --down-pre /tmp/hmavpncl/route-down.sh) &
exit 0

My question is How do I set it all up in Padavan? Where am I suppose to paste the script? HMA have no guides for anything else other than TomatoUSB and DD-WRT, and I have as of so far not managed to google anyone describing this setup.
 
I found a solution for my own needs. I did not end up using a script. I use PIA (PrivateInternetAccess) for my VPN client through the Asus RT-N56U router with Padavan FW.

For the WAN settings, I changed the connection type to L2TP. This allowed me to enter my client information into the fields that popped up below. I tried PPTP, but the connection speed was significantly slower. . . Some people may dislike this, but it works for me.

I checked the log as the connection was established to make sure there were no issues with this method. Nothing seemed to arise.

I had attempted a connection through the "VPN Client" tab with no success. The connection was dropped over and over again by the VPN provider.

Using the L2TP connection, I have had a continuous connection with awesome speeds. Currently, I'm getting 50Mb/s, which is the max of my ISP.

Let me know if you have any questions!

******Edit******
In order to get this to work:

Log into your PIA account through their website. (https://www.privateinternetaccess.com)

At the bottom of the screen (after you log in) there should be a green box that says
PPTP/L2TP/SOCKS Username and Password (Optional)

Click on: “Generate Username and Password”

Whatever Username and Password that gives you is what needs to put put into the router’s login information.
 

Attachments

  • Screen Shot 2014-10-15 at 4.18.28 PM.jpg
    Screen Shot 2014-10-15 at 4.18.28 PM.jpg
    47.8 KB · Views: 2,632
Last edited:
I found a solution for my own needs. I did not end up using a script. I use PIA (PrivateInternetAccess) for my VPN client through the Asus RT-N56U router with Padavan FW.

For the WAN settings, I changed the connection type to L2TP. This allowed me to enter my client information into the fields that popped up below. I tried PPTP, but the connection speed was significantly slower. . . Some people may dislike this, but it works for me.

I checked the log as the connection was established to make sure there were no issues with this method. Nothing seemed to arise.

I had attempted a connection through the "VPN Client" tab with no success. The connection was dropped over and over again by the VPN provider.

Using the L2TP connection, I have had a continuous connection with awesome speeds. Currently, I'm getting 50Mb/s, which is the max of my ISP.

Let me know if you have any questions!

Thanks for the screen shot and walk through. I'm trying to do the same with the same set up as yourself (ASUS RT-N56U running Padavan FW). I use PIA successfully on my PC. I wasn't unable to get this to work myself however. Were there any other changes you made other than the steps you listed above?

Thanks,
Dave
 
Last edited:
Forgot to mention...

In order to get this to work:

Log into your PIA account through their website. (https://www.privateinternetaccess.com)

At the bottom of the screen (after you log in) there should be a green box that says
PPTP/L2TP/SOCKS Username and Password (Optional)

Click on: “Generate Username and Password”

Whatever Username and Password that gives you is what needs to put put into the router’s login information.

Let me know if that helps!
 
After all this time it's still wonky.

First, nearly all VPN providers that support DD-WRT/Tamato, have you use a preconfigured script file. But on this firmware, there is no command line section where you can input this.
The OpenVPN Extended Configuration looks like it's meant to do the trick, but doesn't work quite the same.
Additionally, if you've already put the majority of the information into the GUI, using the command line should not be required except for 'extended' features, such as persist flags and kill switch commands.

Equally frustrating is there's no log file for the VPN client - not that I have found any ways.
 
Last edited:
Hi all,

OpenVPN is probably the fastest and most reliable connection to use with the ASUS RT-N56U and PIA.

It is also possible to guide only a given IP range of your local network through the VPN connection, and let all other computers connect to your standard ISP, making the use of a second router redundant. It took me a while to get it right, but it works flawlessly. There is good information out on the internet about how to set up the script. It's mostly copy/paste, with a possible few tweaks.

Give me a buzz here if I can be of any help.
 
Last edited:
Hi all,

OpenVPN is probably the fastest and most reliable connection to use with the ASUS RT-N56U and PIA.

It is also possible to guide only a given IP range of your local network through the VPN connection, and let all other computers connect to your standard ISP, making the use of a second router redundant. It took me a while to get it right, but it works flawlessly. There is good information out on the internet about how to set up the script. It's mostly copy/paste, with a possible few tweaks.

Give me a buzz here if I can be of any help.
I would like a bit of help. I tried to set it up through the VPN client, and while it connects, I cannot get selective routing to work. I basically want to route all of my traffic through PIA except for my 2 Playstations. If you could help me out I would really appreciate it!

Edit: After struggling with this random days over the course of a few weeks, it FINALLY seems to be working. Thank you anyway!
 
Last edited:
VPN Client Protocol = OpenVPN
Remote VPN Server = us-east.privateinternetaccess.com
Port = 1194
Transport = UDP
Encapsulation Layer = L3 TUN IP
Authentication Type = TLS username/password
Login = PIA username [p12345678]
Password = [your_password]
Auth Algorithm = [SHA1] SHA-1, 160 bit
Encryption Cipher = [BF-CBC] Blowfish , 128 bit
Enable LZO ... = Yes, adaptive compression
HMAC Signature Check (TLS-Auth) = No


----

OpenVPN extended configuration (NOTHING NEEDED HERE]

----
Settings Depending on Remote VPN Server Role

Restrict Access from VPN Server Site = No (Site-to-Site), using NAT Translation
Obtaining DNS from VPN Server = Replace all existing (For PIA DNS Server usage)
Route All Traffic through the VPN interface? = No

-----

ca.crt (Root CA Certificate)

[Paste the contents of PIA's ca.crt file]


-----BEGIN CERTIFICATE-----
MIID2jCCA0OgAwIBAgIJAOtqMkR2JSXrMA0GCSqGSIb3DQEBBQUAMIGlMQswCQYD
VQQGEwJVUzELMAkGA1UECBMCT0gxETAPBgNVBAcTCENvbHVtYnVzMSAwHgYDVQQK
ExdQcml2YXRlIEludGVybmV0IEFjY2VzczEjMCEGA1UEAxMaUHJpdmF0ZSBJbnRl
cm5ldCBBY2Nlc3MgQ0ExLzAtBgkqhkiG9w0BCQEWIHNlY3VyZUBwcml2YXRlaW50
ZXJuZXRhY2Nlc3MuY29tMB4XDTEwMDgyMTE4MjU1NFoXDTIwMDgxODE4MjU1NFow
gaUxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJPSDERMA8GA1UEBxMIQ29sdW1idXMx
IDAeBgNVBAoTF1ByaXZhdGUgSW50ZXJuZXQgQWNjZXNzMSMwIQYDVQQDExpQcml2
YXRlIEludGVybmV0IEFjY2VzcyBDQTEvMC0GCSqGSIb3DQEJARYgc2VjdXJlQHBy
aXZhdGVpbnRlcm5ldGFjY2Vzcy5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
AoGBAOlVlkHcxfN5HAswpryG7AN9CvcvVzcXvSEo91qAl/IE8H0knKZkIAhe/z3m
hz0t91dBHh5yfqwrXlGiyilplVB9tfZohvcikGF3G6FFC9j40GKP0/d22JfR2vJt
4/5JKRBlQc9wllswHZGmPVidQbU0YgoZl00bAySvkX/u1005AgMBAAGjggEOMIIB
CjAdBgNVHQ4EFgQUl8qwY2t+GN0pa/wfq+YODsxgVQkwgdoGA1UdIwSB0jCBz4AU
l8qwY2t+GN0pa/wfq+YODsxgVQmhgaukgagwgaUxCzAJBgNVBAYTAlVTMQswCQYD
VQQIEwJPSDERMA8GA1UEBxMIQ29sdW1idXMxIDAeBgNVBAoTF1ByaXZhdGUgSW50
ZXJuZXQgQWNjZXNzMSMwIQYDVQQDExpQcml2YXRlIEludGVybmV0IEFjY2VzcyBD
QTEvMC0GCSqGSIb3DQEJARYgc2VjdXJlQHByaXZhdGVpbnRlcm5ldGFjY2Vzcy5j
b22CCQDrajJEdiUl6zAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBAByH
atXgZzjFO6qctQWwV31P4qLelZzYndoZ7olY8ANPxl7jlP3YmbE1RzSnWtID9Gge
fsKHi1jAS9tNP2E+DCZiWcM/5Y7/XKS/6KvrPQT90nM5klK9LfNvS+kFabMmMBe2
llQlzAzFiIfabACTQn84QLeLOActKhK8hFJy2Gy6
-----END CERTIFICATE-----
 
I would like a bit of help. I tried to set it up through the VPN client, and while it connects, I cannot get selective routing to work. I basically want to route all of my traffic through PIA except for my 2 Playstations. If you could help me out I would really appreciate it!

Edit: After struggling with this random days over the course of a few weeks, it FINALLY seems to be working. Thank you anyway!

I am trying to do the same think and have not found a way yet, If you discover how to bypass the VPN with selective routing, let us know please!
 
I would like a bit of help. I tried to set it up through the VPN client, and while it connects, I cannot get selective routing to work. I basically want to route all of my traffic through PIA except for my 2 Playstations. If you could help me out I would really appreciate it!

Edit: After struggling with this random days over the course of a few weeks, it FINALLY seems to be working. Thank you anyway!

Great! Just got in from a busy week, didn't have a chance to reply earlier. Glad it all worked out for you.
 
Last edited:
I am trying to do the same think and have not found a way yet, If you discover how to bypass the VPN with selective routing, let us know please!

I use those same settings for OpenVPN. The only difference is that I have "Route All Traffic through the VPN interface?" Set to YES, the script I use resets that anyways. I think the setting would be irrelevant using the script I do, but I'm not 100% sure.

I use the script found here (with some small modifications):
http://torguard.net/forums/index.ph...adavan-route-specific-traffic-around-the-vpn/

Now, the page says to run nvram show | grep wan over ssh (could also be done or in the padavan interface administration->console) to get the correct setting for the wan gateway. I got fooled by this and used nvram get wan_gateway for a long time with no success. The correct setting for my n56U in the script is indeed nvram get wan0_gateway, so I assume that goes for all N56U's.

Here are my modifications. I added som tun alternatives, not sure if they are needed (but if it ain't broke, don't fix it :) ). This script gives me selective VPN routing for IP addresses 192.168.1.200-192.168.1.220, all other IP addresses in my lan bypassing the VPN:

Code:
## CUSTOMIZE YOUR SCRIPT VARIABLES
#
## Uncomment and set value(s) as needed to customize your rules
#
# IP addresses, contiguous range AND/OR individual.
#
ip_addrs_lst="192.168.1.200-192.168.1.220"

##Server ports to bypass VPN
server_ports="3389,27,23045"

#
# Specific destination websites ip range - Spotify , Netflix...
#
web_range_lst="192.168.10.1-192.168.10.254"
#67.202.0.1-67.202.63.254
#207.223.0.1-207.223.15.254
#98.207.0.1-98.207.255.254
#208.85.40.1-208.85.47.254
#78.31.8.1-78.31.15.254
#193.182.8.1-193.182.15.254"

########################################
# NO NEED TO CHANGE BELOW THIS LINE #
########################################

# SHELL COMMANDS FOR MAINTENANCE.
# DO NOT UNCOMMENT, THESE ARE INTENDED TO BE USED IN A SHELL COMMAND LINE
#
#  List Contents by line number
# iptables -L PREROUTING -t mangle -n --line-numbers
#
#  Delete rules from mangle by line number
# iptables -D PREROUTING type-line-number-here -t mangle
#
#  To list the current rules on the router, issue the command:
#     iptables -t mangle -L PREROUTING
#
#  Flush/reset all the rules to default by issuing the command:
#     iptables -t mangle -F PREROUTING
sleep 1
#
# First it is necessary to disable Reverse Path Filtering on all
# current and future network interfaces:
#
for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
  echo 0 > $i
done

#
# Delete table 100 and flush any existing rules if they exist.
#
ip route flush table 100
ip route del default table 100
ip rule del fwmark 1 table 100
ip route flush cache
iptables -t mangle -F PREROUTING

#
# Let's find out the tunnel interface
#
iface_lst=`route | awk ' {print $8}'`
for tun_if in $iface_lst; do
    if [ $tun_if == "tun11" ] || [ $tun_if == "tun12" ] || [ $tun_if == "tun0" ] || [ $tun_if == "tun1" ] || [ $tun_if == "ppp0" ]; then
    break
  fi
done

#
# Copy all non-default and non-VPN related routes from the main table into table 100.
# Then configure table 100 to route all traffic out the WAN gateway and assign it mark "1"
#
ip route show table main | grep -Ev ^default | grep -Ev $tun_if \
  | while read ROUTE ; do
     ip route add table 100 $ROUTE
done
ip route add default table 100 via $(nvram get wan0_gateway)
ip rule add fwmark 1 table 100
ip route flush cache

# EXAMPLES:
#
#  All LAN traffic will bypass the VPN (Useful to put this rule first,
#  so all traffic bypasses the VPN and you can configure exceptions afterwards)
#    iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1
#
#  Ports 80 and 443 will bypass the VPN
#    iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport 80,443 -j MARK --set-mark 1
#
#  All traffic from a particular computer on the LAN will use the VPN
#    iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.2 -j MARK --set-mark 0
#
#  All traffic to a specific Internet IP address will use the VPN
#    iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 216.146.38.70 -j MARK --set-mark 0
#
#  All UDP and ICMP traffic will bypass the VPN
#    iptables -t mangle -A PREROUTING -i br0 -p udp -j MARK --set-mark 1
#    iptables -t mangle -A PREROUTING -i br0 -p icmp -j MARK --set-mark 1

# Default behavior: MARK = 1 all traffic bypasses VPN, MARK = 0 all traffic goes VPN
iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1

# IP_ADDRESSES - RANGE(S) AND/OR INDIVIDUAL(S)
for ip_addrs in $ip_addrs_lst ; do
  iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range $ip_addrs -j MARK --set-mark 0
done

######   Ports that bypass VPN    ######
###### Normal portforwarding will ######
######    need to be applied      ######

iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport $server_ports -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --sport $server_ports -j MARK --set-mark 1

# WEBSITES_IP_RANGES -
for web_dst_range in $web_range_lst ; do
  iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range $web_dst_range -j MARK --set-mark 0
done

The values for web_range_lst is just a dummy range, in order to keep the script as intact as possible I didn't comment the last command out. The same goes for the ports, they (too) can of course be tweaked as needed.

The script first bypasses all VPN, then just adds the selected IP range. This is why I suspect the setting "Route All Traffic through the VPN interface?" is irrelevant.

I run this script in the padavan interface, Customization -> Run after firewall rules restarted, keeping the original
Code:
#!/bin/sh
as my first line.

Works great on-the-fly, and doesn't require a reboot.

Hope this helps,

cheers Pat
 
Last edited:
I use those same settings for OpenVPN. The only difference is that I have "Route All Traffic through the VPN interface?" Set to YES, the script I use resets that anyways. I think the setting would be irrelevant using the script I do, but I'm not 100% sure.

I use the script found here (with some small modifications):
http://torguard.net/forums/index.ph...adavan-route-specific-traffic-around-the-vpn/

Now, the page says to run nvram show | grep wan over ssh (could also be done or in the padavan interface administration->console) to get the correct setting for the wan gateway. I got fooled by this and used nvram get wan_gateway for a long time with no success. The correct setting for my n56U in the script is indeed nvram get wan0_gateway, so I assume that goes for all N56U's.

Here are my modifications. I added som tun alternatives, not sure if they are needed (but if it ain't broke, don't fix it :) ). This script gives me selective VPN routing for IP addresses 192.168.1.200-192.168.1.220, all other IP addresses in my lan bypassing the VPN:

Code:
## CUSTOMIZE YOUR SCRIPT VARIABLES
#
## Uncomment and set value(s) as needed to customize your rules
#
# IP addresses, contiguous range AND/OR individual.
#
ip_addrs_lst="192.168.1.200-192.168.1.220"

##Server ports to bypass VPN
server_ports="3389,27,23045"

#
# Specific destination websites ip range - Spotify , Netflix...
#
web_range_lst="192.168.10.1-192.168.10.254"
#67.202.0.1-67.202.63.254
#207.223.0.1-207.223.15.254
#98.207.0.1-98.207.255.254
#208.85.40.1-208.85.47.254
#78.31.8.1-78.31.15.254
#193.182.8.1-193.182.15.254"

########################################
# NO NEED TO CHANGE BELOW THIS LINE #
########################################

# SHELL COMMANDS FOR MAINTENANCE.
# DO NOT UNCOMMENT, THESE ARE INTENDED TO BE USED IN A SHELL COMMAND LINE
#
#  List Contents by line number
# iptables -L PREROUTING -t mangle -n --line-numbers
#
#  Delete rules from mangle by line number
# iptables -D PREROUTING type-line-number-here -t mangle
#
#  To list the current rules on the router, issue the command:
#     iptables -t mangle -L PREROUTING
#
#  Flush/reset all the rules to default by issuing the command:
#     iptables -t mangle -F PREROUTING
sleep 1
#
# First it is necessary to disable Reverse Path Filtering on all
# current and future network interfaces:
#
for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
  echo 0 > $i
done

#
# Delete table 100 and flush any existing rules if they exist.
#
ip route flush table 100
ip route del default table 100
ip rule del fwmark 1 table 100
ip route flush cache
iptables -t mangle -F PREROUTING

#
# Let's find out the tunnel interface
#
iface_lst=`route | awk ' {print $8}'`
for tun_if in $iface_lst; do
    if [ $tun_if == "tun11" ] || [ $tun_if == "tun12" ] || [ $tun_if == "tun0" ] || [ $tun_if == "tun1" ] || [ $tun_if == "ppp0" ]; then
    break
  fi
done

#
# Copy all non-default and non-VPN related routes from the main table into table 100.
# Then configure table 100 to route all traffic out the WAN gateway and assign it mark "1"
#
ip route show table main | grep -Ev ^default | grep -Ev $tun_if \
  | while read ROUTE ; do
     ip route add table 100 $ROUTE
done
ip route add default table 100 via $(nvram get wan0_gateway)
ip rule add fwmark 1 table 100
ip route flush cache

# EXAMPLES:
#
#  All LAN traffic will bypass the VPN (Useful to put this rule first,
#  so all traffic bypasses the VPN and you can configure exceptions afterwards)
#    iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1
#
#  Ports 80 and 443 will bypass the VPN
#    iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport 80,443 -j MARK --set-mark 1
#
#  All traffic from a particular computer on the LAN will use the VPN
#    iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.2 -j MARK --set-mark 0
#
#  All traffic to a specific Internet IP address will use the VPN
#    iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 216.146.38.70 -j MARK --set-mark 0
#
#  All UDP and ICMP traffic will bypass the VPN
#    iptables -t mangle -A PREROUTING -i br0 -p udp -j MARK --set-mark 1
#    iptables -t mangle -A PREROUTING -i br0 -p icmp -j MARK --set-mark 1

# Default behavior: MARK = 1 all traffic bypasses VPN, MARK = 0 all traffic goes VPN
iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1

# IP_ADDRESSES - RANGE(S) AND/OR INDIVIDUAL(S)
for ip_addrs in $ip_addrs_lst ; do
  iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range $ip_addrs -j MARK --set-mark 0
done

######   Ports that bypass VPN    ######
###### Normal portforwarding will ######
######    need to be applied      ######

iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport $server_ports -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --sport $server_ports -j MARK --set-mark 1

# WEBSITES_IP_RANGES -
for web_dst_range in $web_range_lst ; do
  iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range $web_dst_range -j MARK --set-mark 0
done

The values for web_range_lst is just a dummy range, in order to keep the script as intact as possible I didn't comment the last command out. The same goes for the ports, they (too) can of course be tweaked as needed.

The script first bypasses all VPN, then just adds the selected IP range. This is why I suspect the setting "Route All Traffic through the VPN interface?" is irrelevant.

I run this script in the padavan interface, Customization -> Run after firewall rules restarted, keeping the original
Code:
#!/bin/sh
as my first line.

Works great on-the-fly, and doesn't require a reboot.

Hope this helps,

cheers Pat

I got it working I think by manually assigning IPs via DHCP, and then just put the device i needed outside of the range in the script. So far it seems to work! Thanks!!
 
I'm running the latest Padavan FW on my Asus N56U and just subscribed to PIA VPN. I followed this guide using the user name and password I received via e-mail (did not generate a PPTP/L2TP/SOCKS password). Everything works (checked IP and DNS via various sites) but the speeds are slowish (on a 100M connecting that can sometimes go as low as 35M I got only 12M trying two servers closest to my location). Is there a fix or is this the best that this router and OpenVPN can do? I've read something about changing the Encryption Cipher Algorithm (currently Blowfish, tried AES-128 but lost Internet connection) or the WAN settings but not sure what to do.

Please help!
 
I'm running the latest Padavan FW on my Asus N56U and just subscribed to PIA VPN. I followed this guide using the user name and password I received via e-mail (did not generate a PPTP/L2TP/SOCKS password). Everything works (checked IP and DNS via various sites) but the speeds are slowish (on a 100M connecting that can sometimes go as low as 35M I got only 12M trying two servers closest to my location). Is there a fix or is this the best that this router and OpenVPN can do? I've read something about changing the Encryption Cipher Algorithm (currently Blowfish, tried AES-128 but lost Internet connection) or the WAN settings but not sure what to do.

Please help!

Probably the best this router can do. :(

If I recall correctly, Blowfish is slowing you down a lot (AES-128 should be better), it may be worth trying to get AES-128 working instead.

But as far as the actual (older) hardware? It is impressive that it even works at all, imo. ;)
 
Probably the best this router can do. :(

If I recall correctly, Blowfish is slowing you down a lot (AES-128 should be better), it may be worth trying to get AES-128 working instead.

But as far as the actual (older) hardware? It is impressive that it even works at all, imo. ;)

I tried switching Blowfish to AES-128 but lost Internet connection. I'd previously read that this had happened to someone else as well so I guess it won't work.

Someone at PIA-forums suggested this a while back:

"Add the following lines to your OpenVPN config;
Increasing the buffers improved my speed. Not what it should be but 3x better than it was.

fast-io
mssfix 0
sndbuf 524288
rcvbuf 524288"

However, I'm not really sure how to do this. Does this mean that I have to click on the "OpenVPN Extended Configuration" link in the VPN Client section of N56U-settings and add those lines at the end of the parameters like this:

"...
### Syslog verbose level
verb 0
mute 10

fast-io
mssfix 0
sndbuf 524288
rcvbuf 524288"

And the click Apply?
 
I use those same settings for OpenVPN. The only difference is that I have "Route All Traffic through the VPN interface?" Set to YES, the script I use resets that anyways. I think the setting would be irrelevant using the script I do, but I'm not 100% sure.

I use the script found here (with some small modifications):
http://torguard.net/forums/index.ph...adavan-route-specific-traffic-around-the-vpn/

Now, the page says to run nvram show | grep wan over ssh (could also be done or in the padavan interface administration->console) to get the correct setting for the wan gateway. I got fooled by this and used nvram get wan_gateway for a long time with no success. The correct setting for my n56U in the script is indeed nvram get wan0_gateway, so I assume that goes for all N56U's.

Here are my modifications. I added som tun alternatives, not sure if they are needed (but if it ain't broke, don't fix it :) ). This script gives me selective VPN routing for IP addresses 192.168.1.200-192.168.1.220, all other IP addresses in my lan bypassing the VPN:

Code:
## CUSTOMIZE YOUR SCRIPT VARIABLES
#
## Uncomment and set value(s) as needed to customize your rules
#
# IP addresses, contiguous range AND/OR individual.
#
ip_addrs_lst="192.168.1.200-192.168.1.220"

##Server ports to bypass VPN
server_ports="3389,27,23045"

#
# Specific destination websites ip range - Spotify , Netflix...
#
web_range_lst="192.168.10.1-192.168.10.254"
#67.202.0.1-67.202.63.254
#207.223.0.1-207.223.15.254
#98.207.0.1-98.207.255.254
#208.85.40.1-208.85.47.254
#78.31.8.1-78.31.15.254
#193.182.8.1-193.182.15.254"

########################################
# NO NEED TO CHANGE BELOW THIS LINE #
########################################

# SHELL COMMANDS FOR MAINTENANCE.
# DO NOT UNCOMMENT, THESE ARE INTENDED TO BE USED IN A SHELL COMMAND LINE
#
#  List Contents by line number
# iptables -L PREROUTING -t mangle -n --line-numbers
#
#  Delete rules from mangle by line number
# iptables -D PREROUTING type-line-number-here -t mangle
#
#  To list the current rules on the router, issue the command:
#     iptables -t mangle -L PREROUTING
#
#  Flush/reset all the rules to default by issuing the command:
#     iptables -t mangle -F PREROUTING
sleep 1
#
# First it is necessary to disable Reverse Path Filtering on all
# current and future network interfaces:
#
for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
  echo 0 > $i
done

#
# Delete table 100 and flush any existing rules if they exist.
#
ip route flush table 100
ip route del default table 100
ip rule del fwmark 1 table 100
ip route flush cache
iptables -t mangle -F PREROUTING

#
# Let's find out the tunnel interface
#
iface_lst=`route | awk ' {print $8}'`
for tun_if in $iface_lst; do
    if [ $tun_if == "tun11" ] || [ $tun_if == "tun12" ] || [ $tun_if == "tun0" ] || [ $tun_if == "tun1" ] || [ $tun_if == "ppp0" ]; then
    break
  fi
done

#
# Copy all non-default and non-VPN related routes from the main table into table 100.
# Then configure table 100 to route all traffic out the WAN gateway and assign it mark "1"
#
ip route show table main | grep -Ev ^default | grep -Ev $tun_if \
  | while read ROUTE ; do
     ip route add table 100 $ROUTE
done
ip route add default table 100 via $(nvram get wan0_gateway)
ip rule add fwmark 1 table 100
ip route flush cache

# EXAMPLES:
#
#  All LAN traffic will bypass the VPN (Useful to put this rule first,
#  so all traffic bypasses the VPN and you can configure exceptions afterwards)
#    iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1
#
#  Ports 80 and 443 will bypass the VPN
#    iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport 80,443 -j MARK --set-mark 1
#
#  All traffic from a particular computer on the LAN will use the VPN
#    iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.2 -j MARK --set-mark 0
#
#  All traffic to a specific Internet IP address will use the VPN
#    iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 216.146.38.70 -j MARK --set-mark 0
#
#  All UDP and ICMP traffic will bypass the VPN
#    iptables -t mangle -A PREROUTING -i br0 -p udp -j MARK --set-mark 1
#    iptables -t mangle -A PREROUTING -i br0 -p icmp -j MARK --set-mark 1

# Default behavior: MARK = 1 all traffic bypasses VPN, MARK = 0 all traffic goes VPN
iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1

# IP_ADDRESSES - RANGE(S) AND/OR INDIVIDUAL(S)
for ip_addrs in $ip_addrs_lst ; do
  iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range $ip_addrs -j MARK --set-mark 0
done

######   Ports that bypass VPN    ######
###### Normal portforwarding will ######
######    need to be applied      ######

iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport $server_ports -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --sport $server_ports -j MARK --set-mark 1

# WEBSITES_IP_RANGES -
for web_dst_range in $web_range_lst ; do
  iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range $web_dst_range -j MARK --set-mark 0
done

The values for web_range_lst is just a dummy range, in order to keep the script as intact as possible I didn't comment the last command out. The same goes for the ports, they (too) can of course be tweaked as needed.

The script first bypasses all VPN, then just adds the selected IP range. This is why I suspect the setting "Route All Traffic through the VPN interface?" is irrelevant.

I run this script in the padavan interface, Customization -> Run after firewall rules restarted, keeping the original
Code:
#!/bin/sh
as my first line.

Works great on-the-fly, and doesn't require a reboot.

Hope this helps,

cheers Pat
Hi.

I have tried using your script, but it doesn't use my forwarding rules I have set up in the settings. So I can't access my web server, ftp etc from outside the local network.
Do you know by chance how to activate the forwarding rules in the script?
 
Similar threads
Thread starter Title Forum Replies Date
A Can't recover my RT-N56U ASUS N Routers & Adapters 0

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top