jonny_noog
New Around Here
Hello,
I am trying to get some selective routing working with a VPN and my Asus RT-AC68U. I've been reading through the thread found here in order to try and get some custom scripting sorted out.
I have installed the latest Merlin firmware and set up my VPN connection, which is all working great. I've set the VPN to "Start with WAN" = Yes and "Redirect Internet Traffic" = No.
My custom configuration for the VPN is this:
Code:
tls-client
remote-cert-tls server
reneg-sec 0
auth-nocache
route-nopull
script-security 2
route-up /jffs/scripts/vpn_route_up.sh
My goal is to try and get the Transmission p2p application running through the VPN and all other traffic bypassing the VPN. I'm using a custom shell script called vpn_route_up.sh, and I also want to set things up using the firewall-start script so that if the VPN is down, the Transmission application is barred from any activity. I have Transmission set to use its default 51413 port.
I have set up the jffs partition on my router and transferred the two scripts over to the router using scp. I have also made the scripts executable as outlined here.
My two scripts currently look like this:
/jffs/scripts/vpn_route_up.sh:
Code:
#!/bin/sh
logger -t "($(basename $0))" $$ VPN selective routing customization starting... " $0${*:+ $*}."

tun_if="tun11"

# Remove whatever a previous run of this script added. Delete only our own
# objects: flushing the whole mangle PREROUTING chain would also remove the
# firmware's rules.
ip rule del fwmark 10 table 10 2>/dev/null
ip route flush table 10
iptables -t mangle -D PREROUTING -p tcp --sport 51413 -j MARK --set-mark 10 2>/dev/null
iptables -t mangle -D PREROUTING -p udp --sport 51413 -j MARK --set-mark 10 2>/dev/null

# tun11 is a point-to-point interface, so the default route in table 10 only
# needs the device; no gateway address (and no ifconfig parsing) is required.
ip route add default dev $tun_if table 10

# Packets carrying fwmark 10 are looked up in table 10 instead of the main table.
ip rule add fwmark 10 table 10

# Replies for these flows arrive on tun11 although the main table would route
# their sources via the WAN, so reverse-path filtering has to be relaxed on tun11.
# The kernel uses the larger of conf/all/rp_filter and conf/tun11/rp_filter,
# so conf/all must not be 1 either.
echo 0 > /proc/sys/net/ipv4/conf/$tun_if/rp_filter

# Mark packets whose source port is Transmission's listening port (51413).
iptables -t mangle -I PREROUTING -p tcp --sport 51413 -j MARK --set-mark 10
iptables -t mangle -I PREROUTING -p udp --sport 51413 -j MARK --set-mark 10

ip route flush cache

logger -t "($(basename $0))" $$ VPN selective routing customization ended... " $0${*:+ $*}."
exit 0
/jffs/scripts/firewall-start:
Code:
#!/bin/sh
# Output message to system log.
logger -t "($(basename $0))" $$ Firewall customization starting... " $0${*:+ $*}."

# Drop any TCP/UDP packets from port 51413 (Transmission BitTorrent client)
# that aren't going through OpenVPN client 1 (tun11). The negation goes in
# front of the option ("! -o tun11"); "-o ! tun11" is the deprecated form.
# Only flows whose source port is 51413 match; other traffic from the
# Transmission host is not affected by these rules.
iptables -I FORWARD -s 192.168.1.0/24 ! -o tun11 -p tcp --sport 51413 -j DROP
iptables -I FORWARD -s 192.168.1.0/24 ! -o tun11 -p udp --sport 51413 -j DROP

# Output message to system log.
logger -t "($(basename $0))" $$ Firewall customization ended... " $0${*:+ $*}."
exit 0
When the VPN is up, it seems that Transmission is making use of the VPN connection: on the VPN Status tab of the router UI I can see traffic going through the VPN, and if I check my IP through a web browser (port 80), it shows my normal IP address and not the IP of the VPN. So it would seem that selective routing is occurring, as far as I can tell. But when I shut down the VPN (I'm using OpenVPN client 1, AKA tun11), Transmission appears to still be allowed to transfer data, so it would seem that, at the least, I've got something wrong with my firewall-start script. Both scripts do run, as I can see my logger statements show up in the system log on the router.
I've done my best to try and cobble together working scripts from the info already found on this forum, but I'm a bit of a noob when it comes to iptables, so if anyone can give me some tips as to how I can achieve what I'm trying to do here, that would be much appreciated. Also, if anyone has any tips on how I can better verify what's working and what isn't in my overall config, that would also be great.
Some scripts that I have seen on this forum make use of two new routing tables (e.g. table 10 and table 12, or table 100 and table nnn) rather than one new one. Do I need two different tables to do what I'm trying to do? Do I need any new tables? What's the general point of creating new tables? What relevance, if any, does the table number have?
I gather the line "echo 0 > /proc/sys/net/ipv4/conf/$tun_if/rp_filter" has to do with turning off reverse path filtering for the tun11 VPN interface, is this required for what I'm trying to do?
If there is any useful information that I haven't provided, please don't hesitate to ask.
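As an added example (not the scripts from the post above, and not Asuswrt-Merlin's own code), here is one way to do the same job that also covers the failure mode described in the post. It differs from the post's approach in two ways: it marks everything from the Transmission box's LAN address instead of matching on source port 51413, so flows that Transmission opens from other ports are routed the same way, and the kill switch lives in the routing table itself as a "prohibit" default route, so it is in place from boot and does not depend on an iptables rule or on the tunnel ever having come up. The client address 192.168.1.50, the bridge br0, table 10 and mark 10 are assumptions, not values from the post. Every privileged command goes through a run() wrapper, so with DRY_RUN=1 the script prints what it would do instead of doing it.

```shell
#!/bin/sh
# Added example: host-based selective routing through OpenVPN client 1 (tun11)
# on Asuswrt-Merlin with a routing-layer kill switch. Not the poster's scripts.
#
# Assumed values (adjust for your network):
TR_HOST="${TR_HOST:-192.168.1.50}"     # LAN address of the Transmission box (assumption)
TUN_IF="${TUN_IF:-tun11}"              # OpenVPN client 1
LAN_IF="${LAN_IF:-br0}"                # LAN bridge on Asuswrt
VPN_TABLE="${VPN_TABLE:-10}"           # any unused table id 1-252; the number itself carries no meaning
VPN_MARK="${VPN_MARK:-10}"             # fwmark value; it only has to match the ip rule below
RULE_PRIO=1000                         # must be lower than 32766 (main) so our table is consulted first

# With DRY_RUN=1 set, print the command instead of executing it.
run() {
  if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi
}

# $1 is -A (add) or -D (delete). The mark is set in mangle PREROUTING so it is
# already present when the kernel makes the routing decision for the packet.
mark_rule() {
  run iptables -t mangle "$1" PREROUTING -i "$LAN_IF" -s "$TR_HOST" -j MARK --set-mark "$VPN_MARK"
}

# Call from firewall-start (or services-start), i.e. before the tunnel exists.
# A lookup in VPN_TABLE ends at the 'prohibit' route when nothing better is
# present; it does not fall through to the main table and the WAN.
install_killswitch() {
  run ip rule del fwmark "$VPN_MARK" table "$VPN_TABLE" 2>/dev/null
  run ip rule add fwmark "$VPN_MARK" table "$VPN_TABLE" priority "$RULE_PRIO"
  run ip route replace prohibit default table "$VPN_TABLE" metric 100
  mark_rule -D 2>/dev/null
  mark_rule -A
  run ip route flush cache
}

# Call from OpenVPN's route-up. The tunnel route has the lower metric, so it
# wins while tun11 exists; when the tunnel closes the kernel removes it on its
# own and the prohibit route above becomes the best match again.
route_up() {
  run ip route replace default dev "$TUN_IF" table "$VPN_TABLE" metric 0
  # Replies arrive on tun11 for sources the main table routes via the WAN.
  # The kernel applies the larger of conf/all and conf/tun11, so check all too.
  run sh -c "echo 0 > /proc/sys/net/ipv4/conf/$TUN_IF/rp_filter"
  run ip route flush cache
}

# What to look at after each step: the rule, the table, the mark rule's packet
# counters, and the kernel's own answer for a marked packet from the client
# ('mark' on 'ip route get' needs a reasonably recent iproute2).
status() {
  run ip rule show
  run ip route show table "$VPN_TABLE"
  run iptables -t mangle -L PREROUTING -v -n
  run ip route get 1.1.1.1 from "$TR_HOST" iif "$LAN_IF" mark "$VPN_MARK"
}

# Remove everything this script installed; this is the only way the kill
# switch goes away, so a tunnel 'down' event must not call it.
uninstall() {
  mark_rule -D
  run ip rule del fwmark "$VPN_MARK" table "$VPN_TABLE"
  run ip route flush table "$VPN_TABLE"
  run ip route flush cache
}

# OpenVPN exports script_type to its hooks (route-up, down, ...); a manual call
# passes the action as $1 instead, e.g. "sh vpn_route.sh status".
case "${script_type:-${1:-}}" in
  route-up)  route_up ;;
  install)   install_killswitch ;;
  status)    status ;;
  uninstall) uninstall ;;
  *) : ;;    # other OpenVPN hooks or no action given: do nothing
esac
```

To use it, call `sh /jffs/scripts/vpn_route.sh install` from firewall-start, point the client's `route-up` custom config line at the same file, and run `sh /jffs/scripts/vpn_route.sh status` with the tunnel up and again after stopping the client: in the second case `ip route get` should report "RTNETLINK answers: Permission denied" for the client's traffic rather than a route via the WAN. Because the mark is set on the whole host, expose only the Transmission box this way; DNS from that host also goes through the tunnel, which is usually what you want when the goal is that nothing from it touches the WAN.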