openvpn server and client question

[Martineau]

If i want to add it to openvpn-event script, do I have to modify something?

I would recommend that you clone this openvpn-event trigger script template and you can then decide which openvpn-event trigger script is executed by the specific Server/Client.

Does it make more sense to add it in openvpn-event?

It really depends on your desired level of control with the creation/management of the "pass-thru" feature
i.e. You could elect to use the openvpn-event Server UP/DOWN triggers (if they actually work see this post)

e.g. Use the server UP event script to create the "pass-thru" rule

/jff/scripts/vpnserver1-up

# Allow pass-thru for connecting inbound Server clients to use RPDB outbound via VPN Client (see /jffs/scripts/VPNClientConnect.sh)
iptables -t nat -C POSTROUTING -s $(nvram get vpn_server${dev:4:1}_sn)/24 -o tun1+ -j MASQUERADE 2> /dev/null
if [ $? -eq 1 ];then
 logger -st "($(basename $0))" $$ "Allow connecting" $INSTANCE "clients to pass-thru via ANY VPN Client (-I POSTROUTING -t nat -s $(nvram get vpn_server1_sn)/24 -o tun1+ -j MASQUERADE)"
 iptables -t nat -I POSTROUTING -s $(nvram get vpn_server${dev:4:1}_sn)/24 -o tun1+ -j MASQUERADE
fi

and /jffs/scripts/vpnserver1-down to delete the "pass-thru" rule.

Alternatively, if you don't mind losing the Selective Routing GUI integration, you can even exploit the OpenVPN '--client-connect/--client-disconnect' triggers (which aren't included in the firmware) to only allow specific users to use the "pass-thru" feature.

IMHO, having the "pass-thru" rule created in nat-start (we are creating a NAT rule after all! ) is, for most users, the easier option, as unfortunately the firmware can (and sometimes 'randomly' does) rebuild all of the firewall rules, so if you decide to use the openvpn-event triggers, you could have a situation where the "pass-thru" rule suddenly disappears, until the appropriate VPN Client is restarted. (For advanced users this issue can easily be resolved, but it's something you should be aware of when making your decision.)

 

[Martineau]

I've enabled routing through the Merlin GUI, and I've written the command supplied verbatim. I don't have the skill set to diagnose what the issue is...
I guess if someone knows why let me know, but otherwise it probably isn't worth your time to help an extreme novice at networking out

Like for most things, "it's easy when you know how..."

I'm sure you have correctly followed the instructions, so whilst it may not solve your issue, providing some diagnostic output will help to boost your confidence.

Run the two commands

ip rule

iptables --line -t nat -nvL POSTROUTING

and post the output...preferably enclosed in 'code' tags as it makes the tabular output easier to read

 

[sickofnetworking]

Hey guys, thanks for your responses... It means more than you know.

*Edit: I'm stupid and didn't know how to copy and paste in PuTTY.

For 'ip rule'

0:      from all lookup local
10101:  from 192.168.1.0/24 lookup ovpnc1
10102:  from 10.8.0.0/24 lookup ovpnc1
32766:  from all lookup main
32767:  from all lookup default

For 'iptables --line -t nat -nvL POSTROUTING'

Chain POSTROUTING (policy ACCEPT 201 packets, 17544 bytes)
num   pkts bytes target     prot opt in     out     source               destina                                                   tion
1       32  1947 MASQUERADE  all  --  *      tun11   192.168.1.0/24       0.0.0.                                                   0/0
2        0     0 MASQUERADE  all  --  *      tun11   10.16.0.0/24         0.0.0.                                                   0/0
3       19  1234 PUPNP      all  --  *      eth0    0.0.0.0/0            0.0.0.0                                                   /0
4        4   240 MASQUERADE  all  --  *      eth0   !73.144.147.45        0.0.0.                                                   0/0
5        5   343 MASQUERADE  all  --  *      br0     192.168.1.0/24       192.16                                                   8.1.0/24

I'm obviously a novice, but it seems to me that it should work based on these results. I really don't think my Pi Hole has anything to do with this not working... I made it my DHCP server. I know my OpenVPN server is working because it's sending data to my router, so it has to be the configuration.

Also on a side note @Salles I didn't know you had to write the code

chmod a+rx /jffs/scripts/firewall-start

outside of the script as an independent command! It still doesn't work.. But you know, at least I don't have to keep on typing the command over and over now lol. Also I meant verbatim as in "word for word".

*Edit: I've tried it without my Pi Hole and it still doesn't work.

 

[L&LD]

Hey guys, thanks for your responses... It means more than you know.

I'm using PuTTY as my ssh client so copying and pasting doesn't work .

Anyways, here are the results from your commands @Martineau (good thing I'm a fast typer ).

For 'ip rule'

0:        from all lookup local
10101: from 192.168.1.0/24 lookup ovpnc1
10102: from 10.8.0.0/24 lookup ovpnc1
32766: from all lookup main
32767: from all lookup default

For 'iptables --line -t nat -nvL POSTROUTING'

Chain POSTROUTING (policy ACCEPT 467 packets, 3754 bytes)
num   pkts bytes target      prot opt in     out    source                          destination
1     18   1080  MASQUERADE   all --  *      tun11  192.168.1.0/24                  0.0.0.0/0
2     0    0     MASQUERADE   all --  *      tun11  10.16.0.0/24                    0.0.0.0/0
3     139  9272  PUPNP        all --  *      eth0   0.0.0.0/0                       0.0.0.0/0
4     0    0     MASQUERADE   all --  *      eth0   !73.144.147.45                  0.0.0.0/0
5     3    213   MASQUERADE   all --  *      br0    192.168.1.0/24                  192.168.1.0/24

I'm obviously a novice, but it seems to me that it should work based on these results. I really don't think my Pi Hole has anything to do with this not working... I made it my DHCP server. I know my OpenVPN server is working because it's sending data to my router, so it has to be the configuration.

Also on a side note @Salles I didn't know you had to write the code

chmod a+rx /jffs/scripts/firewall-start

outside of the script as an independent command! It still doesn't work.. But you know, at least I don't have to keep on typing the command over and over now lol. Also I meant verbatim as in "word for word".

'Word for word' isn't enough, all spaces and their precision is important too.

Why doesn't copying and pasting work for you? No issue doing that with PuTTY here.

 

[sickofnetworking]

'Word for word' isn't enough, all spaces and their precision is important too.

Why doesn't copying and pasting work for you? No issue doing that with PuTTY here.

Fixed it. I read reviews on the software manager for Linux Mint and assumed you couldn't copy and paste. It's just different commands than in Windows - my bad.

 

[Salles]

Hey guys, thanks for your responses... It means more than you know.

*Edit: I'm stupid and didn't know how to copy and paste in PuTTY.

For 'ip rule'

0:      from all lookup local
10101:  from 192.168.1.0/24 lookup ovpnc1
10102:  from 10.8.0.0/24 lookup ovpnc1
32766:  from all lookup main
32767:  from all lookup default

For 'iptables --line -t nat -nvL POSTROUTING'

Chain POSTROUTING (policy ACCEPT 201 packets, 17544 bytes)
num   pkts bytes target     prot opt in     out     source               destina                                                   tion
1       32  1947 MASQUERADE  all  --  *      tun11   192.168.1.0/24       0.0.0.                                                   0/0
2        0     0 MASQUERADE  all  --  *      tun11   10.16.0.0/24         0.0.0.                                                   0/0
3       19  1234 PUPNP      all  --  *      eth0    0.0.0.0/0            0.0.0.0                                                   /0
4        4   240 MASQUERADE  all  --  *      eth0   !73.144.147.45        0.0.0.                                                   0/0
5        5   343 MASQUERADE  all  --  *      br0     192.168.1.0/24       192.16                                                   8.1.0/24

I'm obviously a novice, but it seems to me that it should work based on these results. I really don't think my Pi Hole has anything to do with this not working... I made it my DHCP server. I know my OpenVPN server is working because it's sending data to my router, so it has to be the configuration.

Also on a side note @Salles I didn't know you had to write the code

chmod a+rx /jffs/scripts/firewall-start

outside of the script as an independent command! It still doesn't work.. But you know, at least I don't have to keep on typing the command over and over now lol. Also I meant verbatim as in "word for word".

*Edit: I've tried it without my Pi Hole and it still doesn't work.

There is always that one thing that one has missed .

If you look closely you can see that you have different VPN server subnets 10.8.0.0 and 10.16.0.0 showing up in iptables --line -t nat -nvL POSTROUTING and in ip rule.

If you have not changed the subnets of the routers VPN servers, 10.8.0.0 is the subnet for VPN server 1 and 10.16.0.0 for VPN server 2.

Do check if you have written VPN server 1 and not 2 in
/jffs/scripts/firewall-start?
Then reboot the router and try again .

 

[sickofnetworking]

There is always that one thing that one has missed .

If you look closely you can see that you have different VPN server subnets 10.8.0.0 and 10.16.0.0 showing up in iptables --line -t nat -nvL POSTROUTING and in ip rule.

If you have not changed the subnets of the routers VPN servers, 10.8.0.0 is the subnet for VPN server 1 and 10.16.0.0 for VPN server 2.

Do check if you have written VPN server 1 and not 2 in
/jffs/scripts/firewall-start?
Then reboot the router and try again .

You were indeed correct sir or madam @Salles . No idea why I did that. It works with that updated code!

Really, a big THANK YOU to @Salles and @Martineau!

 

[Kamikaze01]

No, they should be executed at a command prompt....cut'n'paste, then if they work, they should be added to the appropriate script.

Thank u for the help and your explanation
I tried to pot these commands in SSH, but with no effect...

How test if these commands work?
Only cut'n paste via SSH?
Does it work if my tunnel is 21 ?

I crater a file (name it firewall-start) in the script folder and paste your suggestions there.
After reboot my Asus nothing changed.
My Clients still use WAN IP

What I am doing wrong?

:/

 

[Xentrk]

Thank u for the help and your explanation
I tried to pot these commands in SSH, but with no effect...

How test if these commands work?
Only cut'n paste via SSH?
Does it work if my tunnel is 21 ?

I crater a file (name it firewall-start) in the script folder and paste your suggestions there.
After reboot my Asus nothing changed.
My Clients still use WAN IP

What I am doing wrong?

:/

Did you add a she-bang and make the script executable?

Creating Scripts

Did you try executing the script from the command line??

sh /jffs/scripts/myscript.sh

Alternatively, if you are in the directory where the script is located:

./myscript.sh

 

[Martineau]

I tried to pot these commands in SSH, but with no effect...

How test if these commands work?

Try the connection, and if it fails, list the appropriate RPDB rules and iptables.

Does it work if my tunnel is 21 ?

Yes, if you have specified the correct tun21 subnet.

I crater a file (name it firewall-start) in the script folder and paste your suggestions there.
After reboot my Asus nothing changed.
My Clients still use WAN IP

If you have now decided to use this 'scripting' solution to your OP Simultaneous VPN Server and VPN Client, have you also defined which OpenVPN Server inbound clients should be Selectively routed as 'pass-thru' ?

Post the output of the following commands

nvram dump | grep -E "vpn_client[1-5]"_clientlist | sort

nvram dump | grep -E "vpn_server[1-2]_sn" | sort

iptables -nvL OVPN

ip rule

iptables --line -t nat -nvL POSTROUTING

 

[Kamikaze01]

Did you add a she-bang and make the script executable?

Yes i do

Did you try executing the script from the command line??

sh /jffs/scripts/myscript.sh

no i dont... *shameOnMe*
i simply connect via ES FILE EXPLORER and SFTP from my phone and created a file named "firewall-start".
Then opend it as a "text" and paste the stuff in it.
And yes - there is a #!/bin/sh at the beginning.
Do i have to add .sh as File Extension!?!

Try the connection, and if it fails, list the appropriate RPDB rules and iptables.

Connection is okay.

Yes, if you have specified the correct tun21 subnet.

I try to find out my tun Number via the route Command - but i dont know how to interprete the output. i can see tun11 and tun21 but dont know which one is the relevant...

If you have now decided to use this 'scripting' solution to your OP Simultaneous VPN Server and VPN Client, have you also defined which OpenVPN Server inbound clients should be Selectively routed as 'pass-thru' ?

hehe... okay - i see u have read my other post Thanks for that !!
Yes - because there is no other way - i try to get it fixed with scripting.
I already installed amtm and the entware package. And finally i can use sftp

And no - i do not defined which OpenVPN Server inbound clients should be routed.
I want ALL devices connected to my OpenVPN Server to be routet over my VPN Provider (outbound)
But i would be glad to know HOW to selectively define them...

Or do u mean in the GUI of the Client to define which one over WAN and which one over VPN?
YES, i have set some rules there (see output later)

Post the output of the following commands

nvram dump | grep -E "vpn_client[1-5]"_clientlist | sort

nvram dump | grep -E "vpn_server[1-2]_sn" | sort

iptables -nvL OVPN

ip rule

iptables --line -t nat -nvL POSTROUTING

Here is the output of
nvram dump | grep -E "vpn_client[1-5]"_clientlist | sort

vpn_client1_clientlist=<ALL devices>192.168.1.0/24>0.0.0.0>VPN<Kami-SHIELD_1>192.168.1.3>0.0.0.0>WAN<Kami-SHIELD_2>192.168.1.4>0.0.0.0>WAN<Kami-NAS>192.168.1.6>0.0.0.0>WAN<Router itself>192.168.1.1>0.0.0.0>WAN
vpn_client2_clientlist=<All devices>192.168.1.0/24>0.0.0.0>VPN<Kami-SHIELD_1>192.168.1.3>0.0.0.0>WAN<Kami-SHIELD_2>192.168.1.4>0.0.0.0>WAN<Kami-NAS>192.168.1.6>0.0.0.0>WAN<Router itself>192.168.1.1>0.0.0.0>WAN
vpn_client3_clientlist=<All devices>192.168.1.0/24>0.0.0.0>VPN<Kami-SHIELD_1>192.168.1.3>0.0.0.0>WAN<Kami-SHIELD_2>192.168.1.4>0.0.0.0>WAN<Kami-NAS>192.168.1.6>0.0.0.0>WAN<Router itself>192.168.1.1>0.0.0.0>WAN
vpn_client4_clientlist=<All devices>192.168.1.0/24>0.0.0.0>VPN<Kami-SHIELD_1>192.168.1.3>0.0.0.0>WAN<Kami-SHIELD_2>192.168.1.4>0.0.0.0>WAN<Kami-NAS>192.168.1.6>0.0.0.0>WAN<Router itself>192.168.1.1>0.0.0.0>WAN
vpn_client5_clientlist=<All devices>192.168.1.0/24>0.0.0.0>VPN<Kami-SHIELD_1>192.168.1.3>0.0.0.0>WAN<Kami-SHIELD_2>192.168.1.4>0.0.0.0>WAN<Kami-NAS>192.168.1.6>0.0.0.0>WAN<Router itself>192.168.1.1>0.0.0.0>WAN

Router itself over WAN because of my DDNS update...
Shield is Android TV - because of Netflix over WAN (Geo problem...)
And my NAS over WAN because i managed it in another way.
ALL other devices connected is over VPN

And here is the output of
nvram dump | grep -E "vpn_server[1-2]_sn" | sort

vpn_server1_sn=10.8.0.0
vpn_server2_sn=10.16.0.0

And here is the output of
iptables -nvL OVPN

Chain OVPN (2 references)
 pkts bytes target     prot opt in     out     source               destination
   30  2651 DROP       all  --  tun11  *       0.0.0.0/0            0.0.0.0/0
   99  6328 ACCEPT     all  --  tun21  *       0.0.0.0/0            0.0.0.0/0

And here is the output of
ip rule

0:      from all lookup local
10001:  from 192.168.1.3 lookup main
10002:  from 192.168.1.4 lookup main
10003:  from 192.168.1.6 lookup main
10004:  from 192.168.1.1 lookup main
10101:  from 192.168.1.0/24 lookup ovpnc1
32766:  from all lookup main
32767:  from all lookup default

And here ist the Output of
iptables --line -t nat -nvL POSTROUTING

Chain POSTROUTING (policy ACCEPT 5422 packets, 327K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     2852  370K MASQUERADE  all  --  *      tun11   192.168.1.0/24       0.0.0.0/0
2     5599 1341K PUPNP      all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
3     1352 1060K MASQUERADE  all  --  *      eth0   !WAN-IP         0.0.0.0/0
4      146 64620 MASQUERADE  all  --  *      br0     192.168.1.0/24       192.168.1.0/24

Thank u so much for your help !!!!!
Without you and this form i would never get this to work !!

 

[Martineau]

I try to find out my tun Number via the route Command - but i dont know how to interprete the output. i can see tun11 and tun21 but dont know which one is the relevant...

OpenVPN Server 1 uses interface tun21
OpenVPN Server 2 uses interface tun22

And no - i do not defined which OpenVPN Server inbound clients should be routed.

vpn_server1_sn=10.8.0.0
vpn_server2_sn=10.16.0.0

You need to include the appropriate inbound OpenVPN Server client subnet that you wish to 'pass-thru' outbound via the VPN in the Selective Routing GUI.

e.g. ALL inbound OpenVPN Server 1 clients

ALL Server1   10.8.0.0/24   0.0.0.0   VPN

or
say 8 Connecting OpenVPN Server 1 connected clients (with static IPs assigned)in the range 10.8.0.16-10.8.0.31

Subnet Server1   10.8.0.16/29   0.0.0.0   VPN

And here ist the Output of
iptables --line -t nat -nvL POSTROUTING

Chain POSTROUTING (policy ACCEPT 5422 packets, 327K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     2852  370K MASQUERADE  all  --  *      tun11   192.168.1.0/24       0.0.0.0/0
2     5599 1341K PUPNP      all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
3     1352 1060K MASQUERADE  all  --  *      eth0   !WAN-IP         0.0.0.0/0
4      146 64620 MASQUERADE  all  --  *      br0     192.168.1.0/24       192.168.1.0/24

Also, there doesn't seem to be the required 'pass-thru' rule MASQUERADE 'tun11 10.8.0.0/24 0.0.0.0/0' in the above chain?

 

[Kamikaze01]

OpenVPN Server 1 uses interface tun21
OpenVPN Server 2 uses interface tun22

But in the script I have to write tun11?
Or tun1+

You need to include the appropriate inbound OpenVPN Server client subnet that you wish to 'pass-thru' outbound via the VPN in the Selective Routing GUI.

Check - I added the ruse for the whole IP net.

vpn_client1_clientlist=<ALL devices>192.168.1.0/24>0.0.0.0>VPN<Kami-SHIELD_1>192.168.1.3>0.0.0.0>WAN<Kami-SHIELD_2>192.168.1.4>0.0.0.0>WAN<Kami-NAS>192.168.1.6>0.0.0.0>WAN<Router itself>192.168.1.1>0.0.0.0>WAN<ALL Server1>10.8.0.0/24>0.0.0.0>VPN
vpn_client2_clientlist=<All devices>192.168.1.0/24>0.0.0.0>VPN<Kami-SHIELD_1>192.168.1.3>0.0.0.0>WAN<Kami-SHIELD_2>192.168.1.4>0.0.0.0>WAN<Kami-NAS>192.168.1.6>0.0.0.0>WAN<Router itself>192.168.1.1>0.0.0.0>WAN<ALL Server1>10.8.0.0/24>0.0.0.0>VPN
vpn_client3_clientlist=<All devices>192.168.1.0/24>0.0.0.0>VPN<Kami-SHIELD_1>192.168.1.3>0.0.0.0>WAN<Kami-SHIELD_2>192.168.1.4>0.0.0.0>WAN<Kami-NAS>192.168.1.6>0.0.0.0>WAN<Router itself>192.168.1.1>0.0.0.0>WAN<ALL Server1>10.8.0.0/24>0.0.0.0>VPN
vpn_client4_clientlist=<All devices>192.168.1.0/24>0.0.0.0>VPN<Kami-SHIELD_1>192.168.1.3>0.0.0.0>WAN<Kami-SHIELD_2>192.168.1.4>0.0.0.0>WAN<Kami-NAS>192.168.1.6>0.0.0.0>WAN<Router itself>192.168.1.1>0.0.0.0>WAN<ALL Server1>10.8.0.0/24>0.0.0.0>VPN
vpn_client5_clientlist=<All devices>192.168.1.0/24>0.0.0.0>VPN<Kami-SHIELD_1>192.168.1.3>0.0.0.0>WAN<Kami-SHIELD_2>192.168.1.4>0.0.0.0>WAN<Kami-NAS>192.168.1.6>0.0.0.0>WAN<Router itself>192.168.1.1>0.0.0.0>WAN<ALL Server1>10.8.0.0/24>0.0.0.0>VPN

Also, there doesn't seem to be the required 'pass-thru' rule MASQUERADE 'tun11 10.8.0.0/24 0.0.0.0/0' in the above chain?

Yeah - I see... How to fix this?
I just tried everything and still have my WAN IP of ISP when connected to my VPN Server...

Chain POSTROUTING (policy ACCEPT 595 packets, 37229 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       27  1620 MASQUERADE  all  --  *      tun11   192.168.1.0/24       0.0.0.0/0
2      110 20452 PUPNP      all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
3       20 14480 MASQUERADE  all  --  *      eth0   !WAN-IP from ISP         0.0.0.0/0
4        5  1043 MASQUERADE  all  --  *      br0     192.168.1.0/24       192.168.1.0/24

Here is my firewall-start from the script folder

#!/bin/sh

# Allow pass-thru for a connecting OpenVPN Server client to use Selective Policy routing RPDB out via VPN Client

iptables -D POSTROUTING -t nat -s $(nvram get vpn_server1_sn)/24 -o tun1+ -j MASQUERADE
iptables -D POSTROUTING -t nat -s $(nvram get vpn_server2_sn)/24 -o tun1+ -j MASQUERADE

iptables -I POSTROUTING -t nat -s $(nvram get vpn_server1_sn)/24 -o tun1+ -j MASQUERADE
iptables -I POSTROUTING -t nat -s $(nvram get vpn_server2_sn)/24 -o tun1+ -j MASQUERADE

I restart my Router, but still uses WAN IP as a VPN Client...


please forgive my inexperience ... but I learn more and more ...

 

[Kamikaze01]

Facepalm !!!! Pls don't kill me !!!
I am soo sorry, but I did not check the unix line ending



After saving with the right options and reboot my router: everything works like a charme

Chain POSTROUTING (policy ACCEPT 72 packets, 5312 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       36 12885 MASQUERADE  all  --  *      tun11   192.168.1.0/24       0.0.0.0/0
2        0     0 MASQUERADE  all  --  *      tun1+   10.16.0.0/24         0.0.0.0/0
3      120 10058 MASQUERADE  all  --  *      tun1+   10.8.0.0/24          0.0.0.0/0
4      114 27559 PUPNP      all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
5       24 19938 MASQUERADE  all  --  *      eth0   !WAN-IP of ISP         0.0.0.0/0
6        3   661 MASQUERADE  all  --  *      br0     192.168.1.0/24       192.168.1.0/24

A huge THANK to @Martineau and @Xentrk for there patient !!!

I have learned a lot and I am happy again.
Thanks thanks thanks !!!

 

[Salles]

The GUI primarily only allows selective routing of source LAN devices/target IPs (see the Wiki entry Policy based routing) but for Selective Port routing you will need a script:

Spoiler: Selective Port Routing script

./VPN_PortSelect.sh -h

#======================================================================================================= © 2016-2018 Martineau, v1.04
# Selective PORT routing to VPN (will use VPN DNS if VPN Client is in DNS 'Exclusive' mode)
#                        or WAN if say a NAS is forced out via the VPN
#
#   e.g.   VPN_PortSelect   [status|status full] | [help|-h] |
#                           { 0 | 1 | 2 | 3 | 4 | 5 | 9} { IP_Address_list | host_name_list | all | mac_address} { [!]port1[,port2] ['udp'] ['logfwmark']} ['src'|'dst]'
#                           ['del'|'test'|'nodns'] ['forcerpf']
#
#          VPN_PortSelect   2 hp-envy14 80,443
#                           TCP Ports 80 and 443 for the HP-Envy14 device will be routed via VPN Client 2 and HP-Envy14 device will now use VPN DNS
#                           Check using https://ipleak.net/ or http://whatismyipaddress.com/ or issue 'curl "http://ipecho.net/plain";echo'
#          VPN_PortSelect   2 hp-envy14 80,443 del
#                           TCP Ports 80 and 443 for the HP-Envy14 device will be no longer be routed via VPN Client 2
#          VPN_PortSelect   2 hp-envy14 80,443 nodns
#                           TCP Ports 80 and 443 for the HP-Envy14 device will be routed via VPN Client 2 and HP-Envy14 device will continue to use WAN DNS
#          VPN_PortSelect   1 12:34:de:ad:00:00 80,443
#                           TCP Ports 80 and 443 for the device with MAC address 12:34:de:ad:00:00 will be routed via VPN Client 1
#          VPN_PortSelect   1 12:34:de:ad:00:00 80,443 logfwmark
#                           TCP Ports 80 and 443 for the device with MAC address 12:34:de:ad:00:00 will be routed via VPN Client 1 and iptable LOG messages sent to Syslog
#          VPN_PortSelect   2 hp-envy13,hpenvy14 !80,443
#                           ALL TCP Ports except ports 80 and 443 for both the HP-Envy13 and HP-Envy14 devices will be routed via VPN Client 2
#          VPN_PortSelect   2 10.88.8.66 22,9001:9005
#                           TCP Ports 22 and 9001 thru 9005 for the 10.88.8.66 device will be routed via VPN Client 2
#          VPN_PortSelect   0 10.88.8.66 3389 udp src
#                           UDP Port 3389 for the 10.88.8.66 device will be routed inbound via WAN (assuming 3389 has port forward in GUI)
#          VPN_PortSelect   0 all 80,443
#                           TCP Ports 80 and 443 for all devices will be routed via WAN
#                           (Assumes that ALL traffic is via the VPN!!!)
#          VPN_PortSelect   0 all 5000,5001 src
#                           TCP Ports 5000 and 5001 will be routed IN via WAN assuming Port Forwarding is also configured!
#                           (Assumes that ALL outbound traffic from the NAS is via the VPN!!!)
#          VPN_PortSelect   1 cameras 80,8080
#                           TCP Ports 80 and 8080 for the 'cameras' device group will be routed via VPN Client 1
#                           (Assumes /jffs/configs/IPGroups exists with valid pair entry - Uppercase text!)
#                                    e.g. CAMERAS  10.88.8.11:10.88.8.13
#                                         or
#                                         PHONES   10.88.8.156,10.88.8.172
#
#

@Martineau
Now some time has passed and I would like to try using Aria2 on my router NAS through tun11.

I do think the best solution would be to set --interface for aria2 to tun11 and port forward port 6800 (which is used for aria2 rpc server) to use tun11.

Does perhaps your script have a solution to port forward a port router NAS to tun11 (that I could modify)?
If so, would you mind PM it to me?

 

[Net Noob]

Hello everyone.

Thanks to the good people on SNB, iv managed to do quite a lot with my Asus AC86u router. I have managed to successfully setup Diversion, DNScrypt, an OpenVPN client which connects to NordVPN and an IPsec / IKEV2 server which my android mobile connects to.

My question is: would there be a way to send internet traffic from my mobile through the IPsec / IKEV2 server through to the OpenVPN client? (which I assume would go through DNScrypt / Diversion etc). I have been trying to adapt:

iptables -I POSTROUTING -t nat -s $(nvram get vpn_server1_sn)/24 -o tun11 -j MASQUERADE

This code works when trying to send OpenVPN server internet traffic through to an OpenVPN client. Could this be altered in a way which could send the IPsec / IKEV2 server internet traffic through to the OpenVPN client instead? I can't find the reference to the IPsec / IKEV2 tunnel when I try:

nvram show

Via SSH on the router itself.

I'm not sure if this is even possible?

Any help would be greatly appreciated.

Thanks.

 

[Xentrk]

Hello everyone.

Thanks to the good people on SNB, iv managed to do quite a lot with my Asus AC86u router. I have managed to successfully setup Diversion, DNScrypt, an OpenVPN client which connects to NordVPN and an IPsec / IKEV2 server which my android mobile connects to.

My question is: would there be a way to send internet traffic from my mobile through the IPsec / IKEV2 server through to the OpenVPN client? (which I assume would go through DNScrypt / Diversion etc). I have been trying to adapt:

iptables -I POSTROUTING -t nat -s $(nvram get vpn_server1_sn)/24 -o tun11 -j MASQUERADE

This code works when trying to send OpenVPN server internet traffic through to an OpenVPN client. Could this be altered in a way which could send the IPsec / IKEV2 server internet traffic through to the OpenVPN client instead? I can't find the reference to the IPsec / IKEV2 tunnel when I try:

nvram show

Via SSH on the router itself.

I'm not sure if this is even possible?

Any help would be greatly appreciated.

Thanks.

Not sure about IPSec or IKEV2. But this script will create the iptable rules for VPN Server 1 to VPN Client 1 as follows:

This is what will get created.

###vpnserver1-up
#!/bin/sh
# example of sending server 1 to vpn client 1
iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o tun11 -j MASQUERADE 2>/dev/null
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o tun11 -j MASQUERADE

##vpnserver1-down
#!/bin/sh
# example of sending server 1 to vpn client 1
iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o tun11 -j MASQUERADE 2>/dev/null

Add a routing rule for the VPN Server is a manual step. The new version coming out soon will perform this setup.

 

[Net Noob]

Not sure about IPSec or IKEV2. But this script will create the iptable rules for VPN Server 1 to VPN Client 1 as follows:

This is what will get created.

###vpnserver1-up
#!/bin/sh
# example of sending server 1 to vpn client 1
iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o tun11 -j MASQUERADE 2>/dev/null
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o tun11 -j MASQUERADE

##vpnserver1-down
#!/bin/sh
# example of sending server 1 to vpn client 1
iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o tun11 -j MASQUERADE 2>/dev/null

Add a routing rule for the VPN Server is a manual step. The new version coming out soon will perform this setup.

View attachment 22276

Hello,

Thank you for your reply.

I believe this code provided will not work due to me coming in from an IPSec tunnel into my router. However, the code you have provided sparked an idea:

###vpnserver1-up
#!/bin/sh
# example of sending server 1 to vpn client 1
iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o tun11 -j MASQUERADE 2>/dev/null
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o tun11 -j MASQUERADE

I modified the above thinking i could use the IP range of connected clients to the IPSec tunnel instead which according to the GUI is 10.10.10.1 - 10.10.10.254 (as default). I tried the following:

(At this point the IPSec IKEV2 tunnel was already up and accepting connections)

iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -o tun11 -j MASQUERADE

I also added 10.10.10.0/24 to the OpenVPN client rules for routing traffic through the tunnel through the GUI.

Unfortunately running the code through SSH on the router did not force the traffic from the IPSec tunnel through to the OpenVPN client & onward through to NordVPN. I am not sure if the IPsec tunnel is even using the specified range?

Thank you for any help.

 

[Xentrk]

Hello,

Thank you for your reply.

I believe this code provided will not work due to me coming in from an IPSec tunnel into my router. However, the code you have provided sparked an idea:

###vpnserver1-up
#!/bin/sh
# example of sending server 1 to vpn client 1
iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o tun11 -j MASQUERADE 2>/dev/null
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o tun11 -j MASQUERADE

I modified the above thinking i could use the IP range of connected clients to the IPSec tunnel instead which according to the GUI is 10.10.10.1 - 10.10.10.254 (as default). I tried the following:

(At this point the IPSec IKEV2 tunnel was already up and accepting connections)

iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -o tun11 -j MASQUERADE

I also added 10.10.10.0/24 to the OpenVPN client rules for routing traffic through the tunnel through the GUI.

Unfortunately running the code through SSH on the router did not force the traffic from the IPSec tunnel through to the OpenVPN client & onward through to NordVPN. I am not sure if the IPsec tunnel is even using the specified range?

Thank you for any help.

I'm away from home now, but if you run the "ip route" command, it will show you the interface names and IP addresses assigned to the routes. You will need to find out the IP assigned to the IPSec tunnel.

 

[Net Noob]

I'm away from home now, but if you run the "ip route" command, it will show you the interface names and IP addresses assigned to the routes. You will need to find out the IP assigned to the IPSec tunnel.

Hiya,

I have run that through SSH & there is no mention of the IPSec tunnel at all? I have: eth0, tun11, lo & br0. I have run the command while actually connected to the IPSec tunnel. This seems very strange.