OpenVPN Selective routing and VOIP issues. Anyone else experiencing this?

A little extra help

I just want to say thanks to everyone who has worked on this. It is a great little script.

I am having one error when I run it. I get this error when I run it manually.

RTNETLINK answers: No such process

I run it manually because it doesn't take when I have it in wan-start.

It also flakes out after 4 or 5 hours of use.

I was also wondering if there was any way to have a guest wireless channel set to the VPN as well?

Thanks,

Ben
 


If you are using the .354 firmware, try the openvpn-event script instead of wan-start.

It solved a lot of my issues.
 
Hey together,

for some days now I have been trying to split my traffic: all devices shall communicate via VPN except my NAS and CAM. So I also tried it with the mentioned script:

My openvpn-event script
Code:
#!/bin/sh

# script for excluding IPs from the VPN (OpenVPN client)
sh /jffs/scripts/VPNrouting.sh&

my VPNrouting.sh script
Code:
#!/bin/sh

touch /tmp/000wanstarted

# Disable reverse-path filtering so replies that come back over the other interface are not dropped.
for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
    echo 0 > "$i"
done

#
# Delete table 100 and flush any existing rules if they exist.
#
ip route flush table 100
ip route del default table 100
ip rule del fwmark 1 table 100
ip route flush cache
iptables -t mangle -F PREROUTING

#
# Copy all non-default and non-VPN related routes from the main table into table 100.
# Then configure table 100 to route all traffic out the WAN gateway and assign it mark "1".
#
# NOTE: Here I assume the OpenVPN tunnel is named "tun11".
#
ip route show table main | grep -Ev ^default | grep -Ev tun11 \
| while read ROUTE ; do
    ip route add table 100 $ROUTE
done
ip route add default table 100 via $(nvram get wan_gateway)
ip rule add fwmark 1 table 100
ip route flush cache


# EXAMPLES (mark 0 = VPN via the main table, mark 1 = WAN via table 100):
#
# All LAN traffic will go through the VPN (useful to put this rule first,
# so all traffic goes through the VPN and you can configure exceptions afterwards)
iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 0


#
# Ports 80 and 443 will bypass the VPN
iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport 80,443 -j MARK --set-mark 1
#
# All traffic from NAS will bypass the VPN
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.201 -j MARK --set-mark 1

# All traffic from CAM will bypass the VPN
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.200 -j MARK --set-mark 1

# All traffic from an ONKYO will use the VPN (mark 0)
#iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.166 -j MARK --set-mark 0

# All traffic from a MACPRO will bypass the VPN (mark 1)
#iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.159 -j MARK --set-mark 1

# All traffic from a MACPRO will bypass the VPN (mark 1)
#iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.77 -j MARK --set-mark 1

# All traffic from iPhone will bypass the VPN (mark 1)
#iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.57 -j MARK --set-mark 1

# service start_vpnclient1

#exit 0

Both made executable by
Code:
chmod a+rx /jffs/scripts/VPNrouting.sh

chmod a+rx /jffs/scripts/openvpn-event

All I changed was the default route via VPN (iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 0) and of course the LAN IPs.

Script is executed, I can see it by the updated 000wanstarted.


But traffic from all devices goes via VPN only. If I change the default route to 1 (WAN), all devices communicate via WAN. So the default route works, but the exceptions CAM and NAS don't. Where is my error? :confused:

Thanks!
DerRobinson
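The ordering point behind the script's MARK rules (the --set-mark 0 default first, the exceptions after it) can be checked off the router with this small model. It is an added example, not code from the thread or from DerRobinson's or janosek's scripts; it assumes the thread's convention (mark 1 looks up table 100 and leaves via WAN, mark 0 stays in the main table and uses tun11), uses the thread's NAS/CAM addresses in a constructed rule list, and its rule syntax is the model's own, not iptables'.

```shell
#!/bin/sh
# Added example, not from the thread: a tiny model of how the MARK rules in
# VPNrouting.sh's PREROUTING chain combine.  MARK is a non-terminating target,
# so every matching rule overwrites the mark and the LAST match decides; that
# is why the "--set-mark 0" default must be the first rule.  Mark 1 -> table
# 100 (WAN), mark 0 -> main table (tun11).  Model-only rule syntax per line:
#   [src=IP] [proto=tcp|udp] [dport=P1,P2,...] mark=N      ("any" = no condition)

# Rules in the order the thread's script appends them (constructed).
RULES='any mark=0
proto=tcp dport=80,443 mark=1
src=192.168.1.201 mark=1
src=192.168.1.200 mark=1'

# Same rules with the default moved last: every exception is silently undone.
RULES_WRONG_ORDER='proto=tcp dport=80,443 mark=1
src=192.168.1.201 mark=1
src=192.168.1.200 mark=1
any mark=0'

# final_mark RULES SRC_IP PROTO DPORT -> prints the mark the packet ends up with
final_mark() {
    printf '%s\n' "$1" | awk -v src="$2" -v proto="$3" -v dport="$4" '
    {
        hit = 1; m = 0
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "src"   && kv[2] != src)   hit = 0
            if (kv[1] == "proto" && kv[2] != proto) hit = 0
            if (kv[1] == "dport") {
                n = split(kv[2], ports, ","); ok = 0
                for (j = 1; j <= n; j++) if (ports[j] == dport) ok = 1
                if (!ok) hit = 0
            }
            if (kv[1] == "mark") m = kv[2]
        }
        if (hit) mark = m      # non-terminating target: a later match overwrites
    }
    END { print mark + 0 }'
}

# path_for RULES SRC_IP PROTO DPORT -> WAN (table 100) or VPN (main table, tun11)
path_for() {
    [ "$(final_mark "$@")" = 1 ] && echo WAN || echo VPN
}

# Demo: NAS, CAM and HTTPS leave via WAN, everything else via the VPN.
for h in 192.168.1.201 192.168.1.200 192.168.1.50; do
    echo "$h ssh:   $(path_for "$RULES" $h tcp 22)  (default rule last: $(path_for "$RULES_WRONG_ORDER" $h tcp 22))"
    echo "$h https: $(path_for "$RULES" $h tcp 443)"
done
```

It runs on any box with sh and awk and touches neither routes nor iptables, so it is safe to try before changing the router.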
 
<SNIP>
My openvpn-event script
Code:
#!/bin/sh

# script for excluding IPs from the VPN (OpenVPN client)
sh /jffs/scripts/VPNrouting.sh&

<SNIP>

Hello,

Looking at the above code, my feeling is you are defeating the purpose of the openvpn-event script. The purpose is to start the OpenVPN daemon, run the selective routing script and then bring up the VPN tunnel with no race conditions.

By using "sh /jffs/scripts/VPNrouting.sh&", I *think* it's causing the openvpn-event script to complete and bring up the VPN tunnel before the selective routing commands are executed.

Try putting the contents of VPNrouting.sh into openvpn-event.
 
Hi Janosek!

thanks for the reply and your work on the script!

Unfortunately it does not work yet. Starting via an extra file as described should not change the timing that much. It just starts one script that does nothing else than starting another right away.

Nonetheless I tried it with the routing script directly in the openvpn-event. But nothing changed, same behaviour. :(

So more tips please, I'll try everything you recommend - nearly everything ;)

Should I see some new routes in the routing table? Should I somehow see debug messages in the status log ...?

Thanks!
DerRobinson
 
OK, at the very least, remove the ampersand (&) at the end of the shell command, as that will fork the process.

Can you post a screenshot of your VPN setup, minus any passwords, etc.?



 
Here are my settings. I did not attach the page with the certificates since it has no other settings and the certificates do not matter.

Just to mention: VPN works ;)

Thanks again!

DerRobinson
 

Attachment: VPN-Settings.jpg (screenshot of the VPN client settings page)
Yes, but your VPN works TOO well ;)

Try setting "redirect internet traffic" to nein :)
Let the script handle directing internet traffic.



 
Hi,

so, I tried it several times. No success, VPN access is controlled by the setting "Redirect Internet traffic" only - and for all clients, no exceptions :(

But the script seems to have some influence.
If "Redirect Internet traffic" is set to no and the default route in the script is via VPN (iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 0), the VPN is built up but not stable. It will reconnect nearly every minute. Traffic on all clients goes via WAN.
If I set the default route to WAN, the VPN is stable - but exceptions are not handled.

Grrr, still hoping ...

[Edit] Correction: the VPN is also sometimes unstable with default route WAN. Reason:

Jul 28 16:11:09 openvpn[1129]: [vpn-xxx] Inactivity timeout (--ping-restart), restarting
Jul 28 16:11:09 openvpn[1129]: SIGUSR1[soft,ping-restart] received, process restarting

Problem: I cannot control what default route is really used by the router. For sure it is more stable with default=WAN.

DerRobinson
 
Thanks for this thread! I recently went back to the .270 firmware due to this issue (http://forums.smallnetbuilder.com/showthread.php?t=14361) and had to use wan-start instead. The problem was the VPN worked too well, all traffic ended up being routed through it.

Followed janosek's advice and set "Redirect Internet Traffic" to "No", and all is working well now :)!
 
As a workaround, you can keep using the same script you currently are, but disable the "Connect on WAN" on the webui. At the end of your script put this to start the connection:

Code:
service start_vpnclient1

The script references tun11 so must execute AFTER the vpn starts.

Put 'service start_vpnclient1' at the beginning of your script instead. Start the script when the WAN is ready (/jffs/scripts/wan-start ?)

BTW, this script was written for a Linux tutorial around 2002. The tutorial is still online.
 
