OpenVPN policy routing guide?

I have now tested various configs running 380.59_beta2 on RT-AC56U and everything seems fine, including:

- policy routing
- 192.168.1.0/24 VPN with certain devices to WAN
- DNS filter

What could be improved:

a) Error conflicts: after changing multiple things here and there, and despite toggling the VPN service state button off and on, there is an error conflict. The funny thing, however, is that everything works properly, but the message will go away only after a router reboot... There has to be a way to fix it?

b) perhaps Merlin could divide policy rules into two options:
- Route selected (current default)
- Exclude selected

c) Failover to another VPN config, e.g. Client 2 if Client 1 is down (but this may be too complex)

Also, do VPN-routed devices take advantage of the router's UPnP? If not, how can I forward a port to a selected device?
 
Dear Sirs, this is my first post here,
first of all a big thank you for this great firmware upgrade!
I am a beginner when it comes to networking,
I really could use some help:
I set up my Asus RT-AC87U with Merlin's firmware 380.58.
The Asus is connected to a cable router in bridge mode. LAN IP is 192.168.1.1.
Connected to the Asus is an Apple Time Capsule with DHCP, no NAT, IP 192.168.1.2.
On the Asus I have an OpenVPN client running.
What I would like to achieve is the following:
Asus wireless name VPN: All clients connected to the Asus Wi-Fi should go through the OpenVPN client.
Apple wireless name Clean: All clients connected to the Apple Wi-Fi should go through the clean WAN.
I set policy rules for 192.168.1.2 to WAN,
192.168.1.0/24 to VPN,
but unfortunately all clients go through the VPN, even the ones connected to the Apple.
Anybody who can help?
Thank you
Pommes
 
Asus Wireless name VPN: All clients connected to the Asus Wifi should go through open VPN client.
AppleWireless name Clean; All clients connected to the Apple Wifi should go through clean WAN.

That's not possible. All the wireless clients connecting to the Apple AP will have their own IP address, they won't be using 192.168.1.2. You would need to give static IPs to all the wireless devices you want to connect through WAN, and configure each of their IPs as WAN rules on the Asus.
 
That's not possible. All the wireless clients connecting to the Apple AP will have their own IP address, they won't be using 192.168.1.2. You would need to give static IPs to all the wireless devices you want to connect through WAN, and configure each of their IPs as WAN rules on the Asus.
Thank you very much for the quick reply, I have one more idea, maybe that would work:
The Apple router mode is DHCP only, I could set the IP of the Apple to 192.168.1.128 and the DHCP range to 192.168.1.129-254,
I could set the Asus DHCP range to 192.168.1.2-128,
but I googled a lot and cannot find it: how to spell 192.168.1.1-128 in CIDR and 192.168.1.129-254 in CIDR,
so I would route half of the subnet to WAN, the other half to VPN.
What do you think? That might work?
Thanks


Edit: I got it; Asus DHCP 192.168.1.0/25, Apple DHCP 192.168.1.128/25
Set this as policy, done.
Thank you
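To check how a /24 splits into the two /25 halves used in the policy rules above, here is an added POSIX shell example (it is not code from the thread or from the firmware). It converts addresses to integers, prints the first and last address of a CIDR block, and reports which of the two constructed rules (192.168.1.0/25 to VPN, 192.168.1.128/25 to WAN) a given client address falls under. Because the two halves do not overlap, no rule-ordering question arises. The `policy_for` rule list is an assumption modelled on the post; the functions are generic and work for any prefix length.

```shell
#!/bin/sh
# Added example: which /25 half, and therefore which policy rule, does a
# LAN address belong to? Pure shell arithmetic, so it runs on the router too.

# Dotted quad -> 32-bit integer
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# 32-bit integer -> dotted quad
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Netmask for a prefix length, e.g. 25 -> 0xFFFFFF80
mask_for() {
    echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
}

# Print "first last" for a block, e.g. 192.168.1.128/25 -> 192.168.1.128 192.168.1.255
cidr_range() {
    prefix=${1%/*}; bits=${1#*/}
    mask=$(mask_for "$bits")
    net=$(( $(ip2int "$prefix") & mask ))
    echo "$(int2ip "$net") $(int2ip $(( net | (~mask & 0xFFFFFFFF) )))"
}

# Exit 0 if address $1 lies inside block $2
in_cidr() {
    prefix=${2%/*}; bits=${2#*/}
    mask=$(mask_for "$bits")
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$prefix") & mask )) ]
}

# The two constructed policy rules from the post (assumption: nothing else matches).
policy_for() {
    if in_cidr "$1" 192.168.1.0/25; then
        echo VPN
    elif in_cidr "$1" 192.168.1.128/25; then
        echo WAN
    else
        echo "no rule"
    fi
}

# Usage when run directly:
#   sh cidr_check.sh 192.168.1.130   -> prints the block ranges and "WAN"
if [ -n "$1" ]; then
    echo "VPN half: $(cidr_range 192.168.1.0/25)"
    echo "WAN half: $(cidr_range 192.168.1.128/25)"
    policy_for "$1"
fi
```

The same `in_cidr` check is handy before adding any rule to the GUI list: if two rules' blocks overlap, a client can match both, which is exactly the situation the original 192.168.1.2 / 192.168.1.0/24 pair created.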
 
What do you think? That might work?

You cannot have two DHCP servers at the same time on a LAN. There would need to be something to isolate both LANs, such as a NAT layer.
 
You cannot have two DHCP servers at the same time on a LAN. There would need to be something to isolate both LANs, such as a NAT layer.
Well, I am really just a beginner at home networking, but I tell you that it is working now exactly like I wanted it, none of the routers is complaining, and when a client connects to the Asus Wi-Fi it gets an IP in the 1-127 range, on the Apple it gets an IP in 128-254, which I can easily route through your nice policy feature...
I set the DHCP range on the Asus to 192.168.1.1-127, and on the Apple the DHCP range to 192.168.1.128-254.
In Policy I put 192.168.1.0/25 VPN, 192.168.1.128/25 WAN.
No issues (yet?)
Do you mind explaining briefly what issues I could run into?
Thanks
 
Do you mind explaining briefly, what issues i could run into?

If the two routers aren't isolated and they both provide services on the same LAN, then it means that when a client requests a DHCP lease, whichever DHCP server responds first will "win" the client.

It's possible that Apple configured their AP to not provide DHCP services on the WAN interface even when you are using it with NAT disabled. Apple loves to do all kind of weird things without telling anyone... If that were the case, then it means you might be fine, barring any unforeseen problem.
 
If the two routers aren't isolated and they both provide services on the same LAN, then it means that when a client requests a DHCP lease, whichever DHCP server responds first will "win" the client.

It's possible that Apple configured their AP to not provide DHCP services on the WAN interface even when you are using it with NAT disabled. Apple loves to do all kind of weird things without telling anyone... If that were the case, then it means you might be fine, barring any unforeseen problem.
Thanks, I rebooted everything several times and it seems to work. But I will put the Apple into bridge mode and keep the policies as they are. Set DHCP to 128-254 and give a static IP lower than 128 when I want to connect to VPN. Thank you
 
Hi everyone,

I just recently bought an AC-68u to replace my R7000 mainly because I had problems getting optware to work fully under ddwrt. Now I am looking into policy based routing and came across this post as well as a wiki entry that deals with the same problem. Could any of the more knowledgeable folks here tell me which of the two solutions is more secure? My goal is to route all WAN traffic to and from my NAS over a PIA VPN and have the traffic blocked if the VPN goes down. As far as I see it both the solution in the wiki and the policy based routing in the GUI have the same goal - but I don't know which one is preferable and would be very grateful for any input.
 
As far as I see it both the solution in the wiki and the policy based routing in the GUI have the same goal - but I don't know which one is preferable and would be very grateful for any input.

Use the newer webui implementation - far simpler, and will do what you need. See the README for more details on how it works.
 
Ok, thank you very much for the input. So the webui implementation is just as secure when it comes to dropping the connection if the VPN is down?
 
Ok, thank you very much for the input. So the webui implementation is just as secure when it comes to dropping the connection if the VPN is down?

Yes.
 
I just spent an hour doing tests with two simultaneous OpenVPN clients, and everything is working as expected for me.

Client 1: German vpnbook server, with my Win7 VM forced through it
Client 2: Canadian vpnbook server, with my Linux VM forced through it

After a reboot, visiting WhatismyIP:

Win7 VM gives me a German IP
Linux VM gives me a Canadian IP (not my ISP's)
My desktop (unrouted) gives me my ISP's IP

If you want to do more tinkering with this:

1) Make a copy of /usr/sbin/vpnrouting.sh to /jffs/
2) Create an init-start script that will do a "mount -o bind /jffs/vpnrouting.sh /usr/sbin/vpnrouting.sh"
3) Insert more logger debugging entries into /jffs/vpnrouting.sh

That way, you will be able to get additional debug info even at boot time (init-start runs as soon as the JFFS partition becomes available, which is very early in the boot process).
It took me a year and a new router to figure out, but I think I found what's causing the inability to use two simultaneous OpenVPN clients!
I'm using AirVPN and today I gave it a try with vpnbook. Guess what? Two simultaneous OpenVPN clients!

The differences between the two are:
VPN Provider: AirVPN - vpnbook
Protocol: UDP - TCP
Extra HMAC authorization: Outgoing - Disabled
Accept DNS Configuration: Exclusive - Disabled
Encryption cipher: AES-256-CBC - AES128-CBC
Compression: none - adaptive
Custom: remote-cert-tls server - fast-io
route-delay 5 - route-delay 2
explicit-exit-notify 5 - pull


I've read in a post (I can't find it again) that the encryption cipher could be the cause of this....
Ideas?
 
Hi,

I have a Synology NAS that uses the VPN connection (policy rules GUI) and I'd like to keep ports 5000 and 5001 open. Here is what I did:

services-start:

Code:
#!/bin/sh

logger -t "($(basename $0))" $$ Creating RPDB tables
ip rule add fwmark 1 table 111 prio 30001
ip rule add fwmark 2 table 112 prio 30002
ip rule add fwmark 3 table main prio 30003
ip route flush cache

nat-start:

Code:
iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --port 5000,5001 -j MARK --set-mark 3

But ports 5000 and 5001 are still closed on the Synology... Any ideas what I did wrong? Thanks!
 
So when I add this to my original openvpn-event script, which is (partially shown here, as the rest is from Merlin's wiki):

Code:
ip route flush table 100
ip route del default table 100
ip rule del fwmark 1 table 100
ip route flush cache
iptables -t mangle -F PREROUTING

ip route show table main | grep -Ev ^default | grep -Ev tun11\
| while read ROUTE ; do
ip route add table 100 $ROUTE
done

ip route add default table 100 via $(nvram get wan_gateway)
ip rule add fwmark 1 table 100
ip route flush cache

It becomes this?

Code:
ip route flush table 100
ip route del default table 100
ip rule del fwmark 1 table 100
ip route flush cache
iptables -t mangle -F PREROUTING

ip route show table main | grep -Ev ^default | grep -Ev tun11\
| while read ROUTE ; do
ip route add table 100 $ROUTE
done

ip route add default table 100 via $(nvram get wan_gateway)
ip rule add fwmark 1 table 111 prio 30001 #vpn client1
ip rule add fwmark 2 table 112 prio 30002 #vpn client2
ip rule add fwmark 3 table main prio 30003 #no vpn, just plain wan

ip route flush cache

I'm trying to set up the following:
  • Openvpn client 1 connects to the UK, Openvpn client 2 connects to the US
  • PC1 with 192.168.0.100 should use openvpn client1
  • PC2 with 192.168.0.115 should use openvpn client2
  • PC3 with 192.168.0.103 should use wan
Thanks,
Erwin


I'd like to set up something which I believe is similar to what you're trying to do.

I want all P2P traffic (port 35000) to go through my VPN (I have a working OpenVPN client set up on my router). And all other traffic to go through my ISP.

How did you do it?
 
I want all P2P traffic (port 35000) to go through my VPN (I have a working OpenVPN client set up on my router). And all other traffic to go through my ISP.

I don't believe member @Bogey has logged in since Aug?

However, the main Selective Routing thread has examples...

e.g. for Selective port routing via VPN Client 1.....assuming Policy rules are enabled in the VPN Client GUI with at least 1 entry (real or dummy) and that port 35000 is outbound?

NOTE: If firmware version is <380.63 then the prio value should be 991 rather than 9991

SSH / Telnet to router and issue:

Code:
ip rule add fwmark 0x1000 table 111 prio 9991
ip route flush cache

iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport 35000 -j MARK --set-mark 0x1000/0x1000


then see if it works.
 
I don't believe member @Bogey has logged in since Aug?

However, the main Selective Routing thread has examples...

e.g. for Selective port routing via VPN Client 1.....assuming Policy rules are enabled in the VPN Client GUI with at least 1 entry (real or dummy) and that port 35000 is outbound?

NOTE: If firmware version is <380.63 then the prio value should be 991 rather than 9991

SSH / Telnet to router and issue:

Code:
ip rule add fwmark 0x1000 table 111 prio 9991
ip route flush cache

iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport 35000 -j MARK --set-mark 0x1000/0x1000


then see if it works.

Thanks for the reply. What file should I add this text to? (I'm new to the whole SSH thing).

It could be any port, I just picked 35000 as it's the one I have selected in qBittorrent. I assume that all traffic from that program will use that port and so I'd be anonymous while downloading/uploading torrents?
 
What file should I add this text to? (I'm new to the whole SSH thing).
<snip>
.....so I'd be anonymous while downloading/uploading torrents?

I don't torrent and so have no idea if you can fully obfuscate your (apparently) imperative secretive activities.

If the rule is found to work then you should add the commands to /jffs/scripts/nat-start.
(The additional delete commands are necessary to prevent adding duplicate rules as nat-start may be executed multiple times.)

Code:
ip rule del fwmark 0x1000
ip rule add fwmark 0x1000 table 111 prio 9991
ip route flush cache

iptables -t mangle -D PREROUTING -i br0 -p tcp -m multiport --dport 35000 -j MARK --set-mark 0x1000/0x1000
iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport 35000 -j MARK --set-mark 0x1000/0x1000

Good luck
 
I don't torrent and so have no idea if you can fully obfuscate your (apparently) imperative secretive activities.

If the rule is found to work then you should add the commands to /jffs/scripts/nat-start.
(The additional delete commands are necessary to prevent adding duplicate rules as nat-start may be executed multiple times.)

Code:
ip rule del fwmark 0x1000
ip rule add fwmark 0x1000 table 111 prio 9991
ip route flush cache

iptables -t mangle -D PREROUTING -i br0 -p tcp -m multiport --dport 35000 -j MARK --set-mark 0x1000/0x1000
iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport 35000 -j MARK --set-mark 0x1000/0x1000

Good luck

Thank you!
Since there is no nat-start file, do I need to add any lines before or after this code to make it work?
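As an added example that is not Merlin's script or any code from the thread, here is a complete /jffs/scripts/nat-start built around the port-marking commands discussed above (fwmark 0x1000, table 111, prio 9991, TCP port 35000 on br0). It replaces the delete-then-add pattern with check-then-add (`ip rule show` plus `iptables -C`), so running it several times adds nothing twice and logs no errors for missing rules, and it includes a leak guard that is my assumption rather than something the thread states: if tun11 is down, table 111 has no default route and marked packets fall through to the main table and leave via the WAN, so marked packets heading for the WAN interface are dropped. Assumed names: `wan0_ifname` read from nvram with an `eth0` fallback, `DRY_RUN` for printing commands instead of running them, and firmware 380.63 or newer (use prio 991 on older builds).

```shell
#!/bin/sh
# /jffs/scripts/nat-start  (added example; not the firmware's own script)
# Route outbound TCP 35000 from the LAN through OpenVPN client 1 and refuse
# to let that traffic leak to the WAN. Safe to run repeatedly.
# Assumptions: firmware >= 380.63 (prio 9991), policy rules enabled in the
# VPN Client 1 GUI with at least one entry, LAN bridge br0.

MARK=0x1000          # fwmark used here for "send via VPN client 1"
TABLE=111            # routing table the firmware fills for VPN client 1
PRIO=9991            # 991 on firmware older than 380.63
PORTS=35000          # comma-separated destination ports to send via the VPN
LAN_IF=br0
WAN_IF=$(nvram get wan0_ifname 2>/dev/null || echo eth0)   # assumption: eth0 fallback
[ -n "$WAN_IF" ] || WAN_IF=eth0

# DRY_RUN=1 prints each command instead of executing it (try it over SSH
# before saving the script). Remember chmod a+rx /jffs/scripts/nat-start.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# 'ip rule' has no check option, so look for the rule in 'ip rule show' first.
ensure_ip_rule() {
    if ! ip rule show 2>/dev/null | grep -q "fwmark $MARK lookup $TABLE"; then
        run ip rule add fwmark "$MARK" table "$TABLE" prio "$PRIO"
        run ip route flush cache
    fi
}

# iptables -C succeeds only if an identical rule exists; add (-A or -I) only then.
ensure_iptables() {
    table=$1; chain=$2; how=$3; shift 3
    if ! iptables -t "$table" -C "$chain" "$@" 2>/dev/null; then
        run iptables -t "$table" "$how" "$chain" "$@"
    fi
}

apply_rules() {
    ensure_ip_rule
    # Mark LAN connections to the chosen destination ports.
    ensure_iptables mangle PREROUTING -A -i "$LAN_IF" -p tcp -m multiport \
        --dports "$PORTS" -j MARK --set-mark "$MARK/$MARK"
    # Leak guard (assumption): with tun11 down, table 111 has no default route
    # and marked packets fall through to the main table. Insert at the top of
    # FORWARD so the firmware's own ACCEPT rules cannot pass them to the WAN.
    ensure_iptables filter FORWARD -I -i "$LAN_IF" -o "$WAN_IF" \
        -m mark --mark "$MARK/$MARK" -j DROP
}

# Auto-apply only on the router (JFFS present); elsewhere the functions stay
# defined so the script can be sourced and dry-run.
if [ -d /jffs/scripts ]; then
    apply_rules
fi
```

Two checks worth running after a reboot: `ip rule show` should list exactly one `fwmark 0x1000 lookup 111` entry even though nat-start may have fired more than once, and with the VPN client stopped a connection to port 35000 from the LAN should time out rather than go out over the ISP address.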
 