openvpn server and client question

[Net Noob]

Does the IPSec pass-thru now work?

Assuming you will always use VPN Client 1 then all the rules can be hard-coded using scripts that run during the router boot process.

I suggest you try without cloning table 220 as given IPSec is different from OpenVPN it may not actually be required?
​

Iv managed to find out whats happened. I had a look at the ipsec.postconf script & changed it so the tunnel uses the 10.10.10.0/24 subnet. I rebooted the router, ran your original code & hey presto, it works! In this case, should i keep the 220 table clone part? Where would you recommend i put the code so it always runs? Iv had an issue recently where some code has disappeared when amtm updates on the router, i think it overwrites or deletes & re adds files which continuously gets rid of some of my code. I cant put a user defined script in somewhere can i?

Thank you so much for your help, you've been really kind

 

[Net Noob]

If it is working, then you can use the openvpn-event triggers 'vpnclientX-route-up'/'vpnclientX-down' to manage the appropriate ip route/RPDB/iptables.

Apologies for this but i cant think of what commands to put where in 'vpnclientX-route-up'/'vpnclientX-down'

So far iv got this in 'vpnclient1-route-up':

VPN_ID=1;ip route show table 220 | while read ROUTE;do ip route add table ovpnc$VPN_ID $ROUTE;done
IPSEC_POOL=$(ipsec leases | grep -oEm 1 '([0-9]{1,3}\.){3}[0-9]{1,3}')
iptables -t nat -D POSTROUTING -s $IPSEC_POOL/24 -o tun1$VPN_ID -j MASQUERADE 2>/dev/null
iptables -t nat -A POSTROUTING -s $IPSEC_POOL/24 -o tun1$VPN_ID -j MASQUERADE
PRIO=$(($(ip rule | grep -E "^101.*\:" | tail -n 1 | awk -F: '{print $1}')+1))
ip rule del from $IPSEC_POOL/24 table ovpnc$VPN_ID 2>/dev/null
ip rule add from $IPSEC_POOL/24 table ovpnc$VPN_ID prio $PRIO

In 'vpnclient1-down', would i only have:

iptables -t nat -D POSTROUTING -s $IPSEC_POOL/24 -o tun1$VPN_ID -j MASQUERADE 2>/dev/null
ip rule del from $IPSEC_POOL/24 table ovpnc$VPN_ID 2>/dev/null

Would i have to remove the clone of iptable 220? I am not sure what else to add in 'vpnclient1-down'. (I cant have duplicates of iptable 220 can i??)

One last thing if i may, does my mobile have to actually be connected to the IPSec tunnel for the iptable to be generated / updated & for the commands to work?

Thank you

 

[Xentrk]

Apologies for this but i cant think of what commands to put where in 'vpnclientX-route-up'/'vpnclientX-down'

So far iv got this in 'vpnclient1-route-up':

VPN_ID=1;ip route show table 220 | while read ROUTE;do ip route add table ovpnc$VPN_ID $ROUTE;done
IPSEC_POOL=$(ipsec leases | grep -oEm 1 '([0-9]{1,3}\.){3}[0-9]{1,3}')
iptables -t nat -D POSTROUTING -s $IPSEC_POOL/24 -o tun1$VPN_ID -j MASQUERADE 2>/dev/null
iptables -t nat -A POSTROUTING -s $IPSEC_POOL/24 -o tun1$VPN_ID -j MASQUERADE
PRIO=$(($(ip rule | grep -E "^101.*\:" | tail -n 1 | awk -F: '{print $1}')+1))
ip rule del from $IPSEC_POOL/24 table ovpnc$VPN_ID 2>/dev/null
ip rule add from $IPSEC_POOL/24 table ovpnc$VPN_ID prio $PRIO

In 'vpnclient1-down', would i only have:

iptables -t nat -D POSTROUTING -s $IPSEC_POOL/24 -o tun1$VPN_ID -j MASQUERADE 2>/dev/null
ip rule del from $IPSEC_POOL/24 table ovpnc$VPN_ID 2>/dev/null

Would i have to remove the clone of iptable 220? I am not sure what else to add in 'vpnclient1-down'. (I cant have duplicates of iptable 220 can i??)

One last thing if i may, does my mobile have to actually be connected to the IPSec tunnel for the iptable to be generated / updated & for the commands to work?

Thank you

The first line needs to have the shebang

#!/bin/sh

 

[Martineau]

Apologies for this but i cant think of what commands to put where in 'vpnclientX-route-up'/'vpnclientX-down'

So far iv got this in 'vpnclient1-route-up':

VPN_ID=1;ip route show table 220 | while read ROUTE;do ip route add table ovpnc$VPN_ID $ROUTE;done
IPSEC_POOL=$(ipsec leases | grep -oEm 1 '([0-9]{1,3}\.){3}[0-9]{1,3}')
iptables -t nat -D POSTROUTING -s $IPSEC_POOL/24 -o tun1$VPN_ID -j MASQUERADE 2>/dev/null
iptables -t nat -A POSTROUTING -s $IPSEC_POOL/24 -o tun1$VPN_ID -j MASQUERADE
PRIO=$(($(ip rule | grep -E "^101.*\:" | tail -n 1 | awk -F: '{print $1}')+1))
ip rule del from $IPSEC_POOL/24 table ovpnc$VPN_ID 2>/dev/null
ip rule add from $IPSEC_POOL/24 table ovpnc$VPN_ID prio $PRIO

In 'vpnclient1-down', would i only have:

iptables -t nat -D POSTROUTING -s $IPSEC_POOL/24 -o tun1$VPN_ID -j MASQUERADE 2>/dev/null
ip rule del from $IPSEC_POOL/24 table ovpnc$VPN_ID 2>/dev/null

Would i have to remove the clone of iptable 220? I am not sure what else to add in 'vpnclient1-down'. (I cant have duplicates of iptable 220 can i??)

One last thing if i may, does my mobile have to actually be connected to the IPSec tunnel for the iptable to be generated / updated & for the commands to work?

Thank you

Apologies for confusing you ... so it's probably easier to hard-code everything exactly as you did with OpenVPN

I suggest you use Wiki User script nat-start

/jffs/scripts/nat-start

#!/bin/sh

sleep 10

# Ensure all IPSec subnets you have manually added to ipsec.postconf are defined here.
iptables -t nat -D POSTROUTING -s 10.10.10.0/24 -o tun11 -j MASQUERADE 2>/dev/null
iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -o tun11 -j MASQUERADE

logger -st "($(basename $0))" $$ "IPSec pass-thru added to '-t nat -j MASQUERADE'"

then simply replicate the same IPSec Server IP pool(s) in the VPN Client 1 Selective Routing GUI

If this works without the need to clone routing table 220 then result! , otherwise you will have to fudge the cloning.

 

[Net Noob]

Apologies for confusing you ... so it's probably easier to hard-code everything exactly as you did with OpenVPN

I suggest you use Wiki User script nat-start

/jffs/scripts/nat-start

#!/bin/sh

# Ensure all IPSEc subnets you have manually added to ipsec.postconf are defined here.
iptables -t nat -D POSTROUTING -s 10.10.10.0/24 -o tun11 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -o tun11 -j MASQUERADE

iptables -t nat -D POSTROUTING -s 10.10.11.0/24 -o tun11 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.10.11.0/24 -o tun11 -j MASQUERADE

then simply replicate the same IPSec Server IP pool(s) in the VPN Client 1 Selective Routing GUI

View attachment 22351

If this works without the need to clone routing table 220 then result! , otherwise you will have to fudge the cloning.

I have tried what you have suggested by adding a nat-start script to jffs/scripts:

#!/bin/sh

# Allow pass-thru for a connecting IPSec Server client to use Selective Policy routing RPDB out via VPN Client

# Ensure all IPSEc subnets you have manually added to ipsec.postconf are defined here.
iptables -t nat -D POSTROUTING -s 10.10.10.0/24 -o tun11 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -o tun11 -j MASQUERADE

And adding the route to the OpenVPN client but no dice. I did not need to add 10.10.11.0/24 as i have chenged the ipsec.postcon file so only the 10.10.10.0/24 ip pool is used. I get "error connection timed out" on any site i try to view on my mobile phone while connected to the IPSec tunnel.

I think il have to fudge the cloning. In order for the table to get generated my mobile needs to be connected to the IPSec tunnel first right? Is there any way to run your original script:

#!/bin/sh

VPN_ID=1;ip route show table 220 | while read ROUTE;do ip route add table ovpnc$VPN_ID $ROUTE;done
IPSEC_POOL=$(ipsec leases | grep -oEm 1 '([0-9]{1,3}\.){3}[0-9]{1,3}')
iptables -t nat -D POSTROUTING -s $IPSEC_POOL/24 -o tun1$VPN_ID -j MASQUERADE 2>/dev/null
iptables -t nat -A POSTROUTING -s $IPSEC_POOL/24 -o tun1$VPN_ID -j MASQUERADE
PRIO=$(($(ip rule | grep -E "^101.*\:" | tail -n 1 | awk -F: '{print $1}')+1))
ip rule del from $IPSEC_POOL/24 table ovpnc$VPN_ID 2>/dev/null
ip rule add from $IPSEC_POOL/24 table ovpnc$VPN_ID prio $PRIO

as soon as my mobile connects to the tunnel? What would i have to run when my mobile disconnects?

I apologise for all the questions.

Thank you so much.

 

[Martineau]

I have tried what you have suggested by adding a nat-start script to jffs/scripts:

#!/bin/sh

# Allow pass-thru for a connecting IPSec Server client to use Selective Policy routing RPDB out via VPN Client

# Ensure all IPSEc subnets you have manually added to ipsec.postconf are defined here.
iptables -t nat -D POSTROUTING -s 10.10.10.0/24 -o tun11 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -o tun11 -j MASQUERADE

And adding the route to the OpenVPN client but no dice. I did not need to add 10.10.11.0/24 as i have chenged the ipsec.postcon file so only the 10.10.10.0/24 ip pool is used. I get "error connection timed out" on any site i try to view on my mobile phone while connected to the IPSec tunnel.

I think il have to fudge the cloning. In order for the table to get generated my mobile needs to be connected to the IPSec tunnel first right? Is there any way to run your original script:

#!/bin/sh

VPN_ID=1;ip route show table 220 | while read ROUTE;do ip route add table ovpnc$VPN_ID $ROUTE;done
IPSEC_POOL=$(ipsec leases | grep -oEm 1 '([0-9]{1,3}\.){3}[0-9]{1,3}')
iptables -t nat -D POSTROUTING -s $IPSEC_POOL/24 -o tun1$VPN_ID -j MASQUERADE 2>/dev/null
iptables -t nat -A POSTROUTING -s $IPSEC_POOL/24 -o tun1$VPN_ID -j MASQUERADE
PRIO=$(($(ip rule | grep -E "^101.*\:" | tail -n 1 | awk -F: '{print $1}')+1))
ip rule del from $IPSEC_POOL/24 table ovpnc$VPN_ID 2>/dev/null
ip rule add from $IPSEC_POOL/24 table ovpnc$VPN_ID prio $PRIO

as soon as my mobile connects to the tunnel? What would i have to run when my mobile disconnects?

I apologise for all the questions.

Thank you so much.

In order for the table to get generated my mobile needs to be connected to the IPSec tunnel first right?

Yes

However, if there are no inbound IPSec connections, we should be able to make an educated guess/prediction as to what table 220 may contain when the device connects.

i.e. To fudge the table 220 cloning, can you try the following (assumes WAN interface name is eth0/vlan2 etc. (retrieved from variable 'wan0_ifname') , so if you use PPoE then use 'wan0_pppoe_ifname'?)

ip route del 10.10.10.0/24 via $(nvram get wan0_gateway) dev $(nvram get wan0_ifname) proto static table ovpnc1 2>/dev/null
ip route add 10.10.10.0/24 via $(nvram get wan0_gateway) dev $(nvram get wan0_ifname) proto static table ovpnc1

then connect the phone ….hopefully the pass-thru should again now work, but if not, can you provide the following diagnostics

ip rule

ip route show table ovpnc1

iptables  --line -t nat -nvL POSTROUTING

ip route show table 220

Also can you provide the output of

grep -E "vpn:" /tmp/syslog.log

What would i have to run when my mobile disconnects?

Nothing

 

[Net Noob]

Yes

However, if there are no inbound IPSec connections, we should be able to make an educated guess/prediction as to what table 220 may contain when the device connects.

i.e. To fudge the table 220 cloning, can you try the following (assumes WAN interface name is eth0/vlan2 etc. (retrieved from variable 'wan0_ifname') , so if you use PPoE then use 'wan0_pppoe_ifname'?)

ip route del 10.10.10.0/24 via $(nvram get wan0_gateway) dev $(nvram get wan0_ifname) proto static table ovpnc1 2>/dev/null
ip route add 10.10.10.0/24 via $(nvram get wan0_gateway) dev $(nvram get wan0_ifname) proto static table ovpnc1

then connect the phone ….hopefully the pass-thru should again now work, but if not, can you provide the following diagnostics

ip rule

ip route show table ovpnc1

iptables  --line -t nat -nvL POSTROUTING

ip route show table 220

Also can you provide the output of

grep -E "vpn:" /tmp/syslog.log

Nothing

Ok, So, i rebooted the router, i have the nat-start script active as follows:

/jffs/scripts/nat-start

#!/bin/sh

# Ensure all IPSEc subnets you have manually added to ipsec.postconf are defined here.
iptables -t nat -D POSTROUTING -s 10.10.10.0/24 -o tun11 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -o tun11 -j MASQUERADE

I have the selective routing in OpenVPN client 1 as 10.10.10.1/24 to go through the vpn.

I executed the following line by line via SSH:

ip route del 10.10.10.0/24 via $(nvram get wan0_gateway) dev $(nvram get wan0_ifname) proto static table ovpnc1 2>/dev/null
ip route add 10.10.10.0/24 via $(nvram get wan0_gateway) dev $(nvram get wan0_ifname) proto static table ovpnc1

I connected my mobile & still the same error "error connection timed out".

The output requested in the previous post is as follows:

ASUSWRT-Merlin RT-AC86U 384.15_0 Sat Feb  8 18:41:28 UTC 2020
RT-AC86U:/tmp/home/root# ip rule
0:   from all lookup local
10101:   from 192.168.1.246 lookup ovpnc1
10102:   from 192.168.1.137 lookup ovpnc1
10103:   from 192.168.1.35 lookup ovpnc1
10104:   from 192.168.1.215 lookup ovpnc1
10105:   from 192.168.1.45 lookup ovpnc1
10106:   from 192.168.1.88 lookup ovpnc1
10107:   from 10.10.10.0/24 lookup ovpnc1
32766:   from all lookup main
32767:   from all lookup default
RT-AC86U:/tmp/home/root#
RT-AC86U:/tmp/home/root#
RT-AC86U:/tmp/home/root#
RT-AC86U:/tmp/home/root# ip route show table ovpnc1
default via 10.70.0.101 dev tun11
10.10.10.0/24 via 82.222.222.1 dev eth0  proto static
10.70.0.101 dev tun11  proto kernel  scope link  src 10.70.0.102
192.168.1.0/24 dev br0  proto kernel  scope link  src 192.168.1.1
RT-AC86U:/tmp/home/root#
RT-AC86U:/tmp/home/root#
RT-AC86U:/tmp/home/root#
RT-AC86U:/tmp/home/root# iptables  --line -t nat -nvL POSTROUTING
Chain POSTROUTING (policy ACCEPT 590 packets, 84461 bytes)
num   pkts bytes target     prot opt in     out     source               destination        
1       80  4149 MASQUERADE  all  --  *      tun11   192.168.1.0/24       0.0.0.0/0          
2      123 42108 PUPNP      all  --  *      eth0    0.0.0.0/0            0.0.0.0/0          
3        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            policy match dir out pol ipsec
4        1    60 MASQUERADE  all  --  *      eth0   !82.222.222.221         0.0.0.0/0           mode: fullcone
5        3   711 MASQUERADE  all  --  *      br0     192.168.1.0/24       192.168.1.0/24    
RT-AC86U:/tmp/home/root#
RT-AC86U:/tmp/home/root#
RT-AC86U:/tmp/home/root#
RT-AC86U:/tmp/home/root# ip route show table 220
10.10.10.1 via 82.222.222.1 dev eth0  proto static
RT-AC86U:/tmp/home/root#
RT-AC86U:/tmp/home/root# 
RT-AC86U:/tmp/home/root#
RT-AC86U:/tmp/home/root#  grep -E "vpn:" /tmp/syslog.log
Apr  3 19:18:47 vpn: + user 10.10.10.1/32 == 81.111.111.111 -- 82.222.222.221 == 0.0.0.0/0
Apr  3 19:20:37 vpn: - user 10.10.10.1/32 == 81.111.111.111 -- 82.222.222.221 == 0.0.0.0/0
Apr  3 19:24:18 vpn: + user 10.10.10.1/32 == 81.111.111.111 -- 82.222.222.221 == 0.0.0.0/0
Apr  3 19:26:09 vpn: - user 10.10.10.1/32 == 81.111.111.111 -- 82.222.222.221 == 0.0.0.0/0
Apr  3 22:35:47 vpn: + user 10.10.10.1/32 == 81.111.111.110 -- 82.222.222.221 == 0.0.0.0/0
RT-AC86U:/tmp/home/root#
RT-AC86U:/tmp/home/root#
RT-AC86U:/tmp/home/root#
RT-AC86U:/tmp/home/root#

(The 81.111.111.110 is NOT a mistake, the ip value for that was one down from the ones above).

I hope this helps.

Thanks again.

 

[Martineau]

Ok, So, i rebooted the router, i have the nat-start script active as follows:

/jffs/scripts/nat-start

#!/bin/sh

# Ensure all IPSEc subnets you have manually added to ipsec.postconf are defined here.
iptables -t nat -D POSTROUTING -s 10.10.10.0/24 -o tun11 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -o tun11 -j MASQUERADE

I have the selective routing in OpenVPN client 1 as 10.10.10.1/24 to go through the vpn.

I executed the following line by line via SSH:

ip route del 10.10.10.0/24 via $(nvram get wan0_gateway) dev $(nvram get wan0_ifname) proto static table ovpnc1 2>/dev/null
ip route add 10.10.10.0/24 via $(nvram get wan0_gateway) dev $(nvram get wan0_ifname) proto static table ovpnc1

I connected my mobile & still the same error "error connection timed out".

The output requested in the previous post is as follows:

ASUSWRT-Merlin RT-AC86U 384.15_0 Sat Feb  8 18:41:28 UTC 2020
RT-AC86U:/tmp/home/root# ip rule
0:   from all lookup local
10101:   from 192.168.1.246 lookup ovpnc1
10102:   from 192.168.1.137 lookup ovpnc1
10103:   from 192.168.1.35 lookup ovpnc1
10104:   from 192.168.1.215 lookup ovpnc1
10105:   from 192.168.1.45 lookup ovpnc1
10106:   from 192.168.1.88 lookup ovpnc1
10107:   from 10.10.10.0/24 lookup ovpnc1
32766:   from all lookup main
32767:   from all lookup default
RT-AC86U:/tmp/home/root#
RT-AC86U:/tmp/home/root#
RT-AC86U:/tmp/home/root#
RT-AC86U:/tmp/home/root# ip route show table ovpnc1
default via 10.70.0.101 dev tun11
10.10.10.0/24 via 82.222.222.1 dev eth0  proto static
10.70.0.101 dev tun11  proto kernel  scope link  src 10.70.0.102
192.168.1.0/24 dev br0  proto kernel  scope link  src 192.168.1.1
RT-AC86U:/tmp/home/root#
RT-AC86U:/tmp/home/root#
RT-AC86U:/tmp/home/root#
RT-AC86U:/tmp/home/root# iptables  --line -t nat -nvL POSTROUTING
Chain POSTROUTING (policy ACCEPT 590 packets, 84461 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       80  4149 MASQUERADE  all  --  *      tun11   192.168.1.0/24       0.0.0.0/0 
2      123 42108 PUPNP      all  --  *      eth0    0.0.0.0/0            0.0.0.0/0 
3        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            policy match dir out pol ipsec
4        1    60 MASQUERADE  all  --  *      eth0   !82.222.222.221         0.0.0.0/0           mode: fullcone
5        3   711 MASQUERADE  all  --  *      br0     192.168.1.0/24       192.168.1.0/24
RT-AC86U:/tmp/home/root#
RT-AC86U:/tmp/home/root#
RT-AC86U:/tmp/home/root#
RT-AC86U:/tmp/home/root# ip route show table 220
10.10.10.1 via 82.222.222.1 dev eth0  proto static
RT-AC86U:/tmp/home/root#
RT-AC86U:/tmp/home/root#
RT-AC86U:/tmp/home/root#
RT-AC86U:/tmp/home/root#  grep -E "vpn:" /tmp/syslog.log
Apr  3 19:18:47 vpn: + user 10.10.10.1/32 == 81.111.111.111 -- 82.222.222.221 == 0.0.0.0/0
Apr  3 19:20:37 vpn: - user 10.10.10.1/32 == 81.111.111.111 -- 82.222.222.221 == 0.0.0.0/0
Apr  3 19:24:18 vpn: + user 10.10.10.1/32 == 81.111.111.111 -- 82.222.222.221 == 0.0.0.0/0
Apr  3 19:26:09 vpn: - user 10.10.10.1/32 == 81.111.111.111 -- 82.222.222.221 == 0.0.0.0/0
Apr  3 22:35:47 vpn: + user 10.10.10.1/32 == 81.111.111.110 -- 82.222.222.221 == 0.0.0.0/0
RT-AC86U:/tmp/home/root#
RT-AC86U:/tmp/home/root#
RT-AC86U:/tmp/home/root#
RT-AC86U:/tmp/home/root#

(The 81.111.111.110 is NOT a mistake, the ip value for that was one down from the ones above).

I hope this helps.

Thanks again.

It appears that the 'nat-start' script either didn't run during the router boot process, or immediately after your MASQUERADE rule was added the table was wiped.

I suggest you debug/modify the 'nat-start' script using the updated version in post #84 which includes a 10 second delay and will also print a message to Syslog to help track that it did physically execute.

So having modifed 'nat-start', execute it manually to check for syntax errors etc.

/jffs/scripts/nat-start

then reboot and check to see if the required rule has been successfully created.

Hopefully fudging the cloning of table 220 actually works, so download the recommended 'openvpn-event' template script, and create

/jffs/scripts/vpnclient1-route-up

#!/bin/sh

VPN_ID=${dev:4:1}

ip route del 10.10.10.0/24 via $(nvram get wan0_gateway) dev $(nvram get wan0_ifname) proto static table ovpnc${VPN_ID} 2>/dev/null
ip route add 10.10.10.0/24 via $(nvram get wan0_gateway) dev $(nvram get wan0_ifname) proto static table ovpnc${VPN_ID}

to ensure that the table 220 fudge is executed whenever the VPN Client is (re)started.


TL;DR

Is there any way to run your original [table 2220 clone command] as soon as my mobile connects to the tunnel?

Your post

RT-AC86U:/tmp/home/root#  grep -E "vpn:" /tmp/syslog.log
Apr  3 19:18:47 vpn: + user 10.10.10.1/32 == 81.111.111.111 -- 82.222.222.221 == 0.0.0.0/0
Apr  3 19:20:37 vpn: - user 10.10.10.1/32 == 81.111.111.111 -- 82.222.222.221 == 0.0.0.0/0
Apr  3 19:24:18 vpn: + user 10.10.10.1/32 == 81.111.111.111 -- 82.222.222.221 == 0.0.0.0/0
Apr  3 19:26:09 vpn: - user 10.10.10.1/32 == 81.111.111.111 -- 82.222.222.221 == 0.0.0.0/0
Apr  3 22:35:47 vpn: + user 10.10.10.1/32 == 81.111.111.110 -- 82.222.222.221 == 0.0.0.0/0

shows Syslog contains event messages for when your phone connected to IPsec ('vpn: +') and when it disconnected ('vpn: -').

So although there is no equivalent 'openvpn-event' script in the firmware for IPSec events?, it is fairly trivial to monitor Syslog for a specific trigger message and execute the desired script.

e.g. Old-skool Syslog real-time event monitoring

Spoiler: IPSecConnect.sh script

#!/bin/sh
VER="v1.01"
#======================================================================================================= © 2020 Martineau, v1.01
# Called from IPSec Syslog Event Monitor to clone IPsec routing table 220 to nominated VPN Client Selective Routing table
#
#          IPSecConnect          { ip_address } [ vpn_id ]
#
Say(){
   echo -e $$ $@ | logger -st "($(basename $0))"
}

IP=$1                                                        # IPSec assigned IP address of connected client

[ -z "$2" ] && VPN_ID=1 || VPN_ID=$2
TABLE="ovpnc"$VPN_ID                                         # 11X

CLIENTNAME=$(ipsec leases | grep "$1" | awk '{print $3}')    # Translate IP into IPSec client name

# If target pass-thru VPN Client Selective Routing table exists, then clone IPSec table 220 route if it doesn't exist in VPN table
if [ -n "$(ip route show table $TABLE)" ];then
    ip route show table 220 | while read ROUTE
        do
            if [ -z "$(ip route show table $TABLE | grep "$ROUTE")" ];then   # Route doesn't exist....so add it
                # If IPSec client connects via LAN or via Internet, then the route will change so delete existing conflicting route
                IPSEC_IP=$(echo "$ROUTE" | awk '{print $1}')
                ip route del $(ip route show table $TABLE | grep -E "^$IPSEC_IP" | awk '{$(NF-1)=$NF=""}1') table $TABLE 2>/dev/null
                ip route add $ROUTE table $TABLE                 # Clone table 220
                Say "IPSec client name "$CLIENTNAME" ==> '"$ROUTE"' added to Selective Routing table $TABLE"
            else
                Say "IPSec client name "$CLIENTNAME" ("$IP") route exists in Selective Routing table $TABLE"
            fi
        done
else
    Say "VPN Client Selective Routing table $TABLE does NOT exist!"
fi

script in action....

RT-AX56U (IPSecSyslogEventMonitor.sh): 13929 v1.01 IPSec Event Monitor started.....

RT-AX56U vpn: + 10.88.8.150 10.10.10.1/32 == 10.88.8.150 -- 10.88.8.251 == 0.0.0.0/0
RT-AX56U (IPSecSyslogEventMonitor.sh): 31871 IPSec Event Monitor IPSec Client connection detected 10.10.10.1; Action='/jffs/scripts/IPSecConnect.sh'
RT-AX56U (IPSecConnect.sh): 32201 IPSec client name 'iPhone' ==> '10.10.10.1 via 10.88.8.150 dev eth0 proto static' added to Selective Routing table ovpnc1


RT-AX56U vpn: - 10.88.8.150 10.10.10.1/32 == 10.88.8.150 -- 10.88.8.251 == 0.0.0.0/0
RT-AX56U (IPSecSyslogEventMonitor.sh): 31871 IPSec Event Monitor IPSec client disconnect detected 10.10.10.1; Action='''

 

[Chris0815]

Look through the following to make sure it is correct!

I was searching for this possibility (Paththrough Routing Clients over VPN) since weeks, finally I found this thread. After reading the posts (several times...) it works now! Never been in contact with these scripts before...
Thanks for the advices in this thread (especially Martineau)!

 

[Net Noob]

It appears that the 'nat-start' script either didn't run during the router boot process, or immediately after your MASQUERADE rule was added the table was wiped.

I suggest you debug/modify the 'nat-start' script using the updated version in post #84 which includes a 10 second delay and will also print a message to Syslog to help track that it did physically execute.

So having modifed 'nat-start', execute it manually to check for syntax errors etc.

/jffs/scripts/nat-start

then reboot and check to see if the required rule has been successfully created.

Hopefully fudging the cloning of table 220 actually works, so download the recommended 'openvpn-event' template script, and create

/jffs/scripts/vpnclient1-route-up

#!/bin/sh

VPN_ID=${dev:4:1}

ip route del 10.10.10.0/24 via $(nvram get wan0_gateway) dev $(nvram get wan0_ifname) proto static table ovpnc${VPN_ID} 2>/dev/null
ip route add 10.10.10.0/24 via $(nvram get wan0_gateway) dev $(nvram get wan0_ifname) proto static table ovpnc${VPN_ID}

to ensure that the table 220 fudge is executed whenever the VPN Client is (re)started.


TL;DR



Your post

RT-AC86U:/tmp/home/root#  grep -E "vpn:" /tmp/syslog.log
Apr  3 19:18:47 vpn: + user 10.10.10.1/32 == 81.111.111.111 -- 82.222.222.221 == 0.0.0.0/0
Apr  3 19:20:37 vpn: - user 10.10.10.1/32 == 81.111.111.111 -- 82.222.222.221 == 0.0.0.0/0
Apr  3 19:24:18 vpn: + user 10.10.10.1/32 == 81.111.111.111 -- 82.222.222.221 == 0.0.0.0/0
Apr  3 19:26:09 vpn: - user 10.10.10.1/32 == 81.111.111.111 -- 82.222.222.221 == 0.0.0.0/0
Apr  3 22:35:47 vpn: + user 10.10.10.1/32 == 81.111.111.110 -- 82.222.222.221 == 0.0.0.0/0

shows Syslog contains event messages for when your phone connected to IPsec ('vpn: +') and when it disconnected ('vpn: -').

So although there is no equivalent 'openvpn-event' script in the firmware for IPSec events?, it is fairly trivial to monitor Syslog for a specific trigger message and execute the desired script.

e.g. Old-skool Syslog real-time event monitoring

Spoiler: IPSecConnect.sh script

#!/bin/sh
VER="v1.01"
#======================================================================================================= © 2020 Martineau, v1.01
# Called from IPSec Syslog Event Monitor to clone IPsec routing table 220 to nominated VPN Client Selective Routing table
#
#          IPSecConnect          { ip_address } [ vpn_id ]
#
Say(){
   echo -e $$ $@ | logger -st "($(basename $0))"
}

IP=$1                                                        # IPSec assigned IP address of connected client

[ -z "$2" ] && VPN_ID=1 || VPN_ID=$2
TABLE="ovpnc"$VPN_ID                                         # 11X

CLIENTNAME=$(ipsec leases | grep "$1" | awk '{print $3}')    # Translate IP into IPSec client name

# If target pass-thru VPN Client Selective Routing table exists, then clone IPSec table 220 route if it doesn't exist in VPN table
if [ -n "$(ip route show table $TABLE)" ];then
    ip route show table 220 | while read ROUTE
        do
            if [ -z "$(ip route show table $TABLE | grep "$ROUTE")" ];then   # Route doesn't exist....so add it
                # If IPSec client connects via LAN or via Internet, then the route will change so delete existing conflicting route
                IPSEC_IP=$(echo "$ROUTE" | awk '{print $1}')
                ip route del $(ip route show table $TABLE | grep -E "^$IPSEC_IP" | awk '{$(NF-1)=$NF=""}1') table $TABLE 2>/dev/null
                ip route add $ROUTE table $TABLE                 # Clone table 220
                Say "IPSec client name "$CLIENTNAME" ==> '"$ROUTE"' added to Selective Routing table $TABLE"
            else
                Say "IPSec client name "$CLIENTNAME" ("$IP") route exists in Selective Routing table $TABLE"
            fi
        done
else
    Say "VPN Client Selective Routing table $TABLE does NOT exist!"
fi

script in action....

RT-AX56U (IPSecSyslogEventMonitor.sh): 13929 v1.01 IPSec Event Monitor started.....

RT-AX56U vpn: + 10.88.8.150 10.10.10.1/32 == 10.88.8.150 -- 10.88.8.251 == 0.0.0.0/0
RT-AX56U (IPSecSyslogEventMonitor.sh): 31871 IPSec Event Monitor IPSec Client connection detected 10.10.10.1; Action='/jffs/scripts/IPSecConnect.sh'
RT-AX56U (IPSecConnect.sh): 32201 IPSec client name 'iPhone' ==> '10.10.10.1 via 10.88.8.150 dev eth0 proto static' added to Selective Routing table ovpnc1


RT-AX56U vpn: - 10.88.8.150 10.10.10.1/32 == 10.88.8.150 -- 10.88.8.251 == 0.0.0.0/0
RT-AX56U (IPSecSyslogEventMonitor.sh): 31871 IPSec Event Monitor IPSec client disconnect detected 10.10.10.1; Action='''

Hello Mr Martineau,

Suffice it to say, It finally works! At last! Thank you so much for your help. From what i can tell, the script wasnt running on startup. you were right. I have no idea how you figured that out. I wish i knew half as much as you do about these things. You are a genuine credit to this forum. I dont normally sign up to forums but im glad i signed up to this. Thank you once again for all your help. You are a diamond!

Il test this to see how it goes. I cant foresee any problems. If my mobile disconnects from the IPSec server, there isnt any code that needs to be run is there?

Thank you once again

 

[Martineau]

Hello Mr Martineau,

Suffice it to say, It finally works! At last!

Thank you so much for your help. From what i can tell, the script wasnt running on startup. you were right. I have no idea how you figured that out. I wish i knew half as much as you do about these things. You are a genuine credit to this forum. I dont normally sign up to forums but im glad i signed up to this. Thank you once again for all your help. You are a diamond!

Il test this to see how it goes. I cant foresee any problems.

Thank you once again

Glad to be of assistance.

If my mobile disconnects from the IPSec server, there isnt any code that needs to be run is there?

Unless you want to restrict the IPSec pass-thru to say only specific devices or perhaps time-of-day etc. then the policy restrictions would be best applied on detection of an IPSec client connecting, so I doubt there is a need for your current use-case to do anything on an IPSec client disconnect.

 

[Net Noob]

Apologies, im an idiot....

Thanks for everything guys.

 

[jorgsmash]

The two commands allow both OpenVPN Server instances to 'pass-thru' a connecting client directly out through ANY (active) VPN Client connection.

If you never change the OpenVPN Server IP pools from their defaults (10.8.0.0 and 10.16.0.0 for Server 1 and Server 2 respectively) then firewall-start is probably a good place for the rules as-is.
NOTE: It is good practice to also issue a delete command to prevent unnecessary duplicates

/jffs/scripts/firewall-start

#!/bin/sh

# Allow pass-thru for a connecting OpenVPN Server client to use Selective Policy routing RPDB out via VPN Client
iptables -D POSTROUTING -t nat -s $(nvram get vpn_server1_sn)/24 -o tun1+ -j MASQUERADE
iptables -D POSTROUTING -t nat -s $(nvram get vpn_server2_sn)/24 -o tun1+ -j MASQUERADE

iptables -I POSTROUTING -t nat -s $(nvram get vpn_server1_sn)/24 -o tun1+ -j MASQUERADE
iptables -I POSTROUTING -t nat -s $(nvram get vpn_server2_sn)/24 -o tun1+ -j MASQUERADE

However, your requirements may require a finer control, i.e. if the OpenVPN Server configuration changes, then it may be prudent to only insert the rule during the execution of the appropriate "openvpn-event" /jffs/scripts/vpnserverX-up script; similarly delete the rule during execution of the /jffs/scripts/vpnserverX-down script.

Also you may feel that use of 'tun1+' should really explicity only reference a specific VPN Client e.g. tun11.



Yes

Usage

1. User scripts

There are numerous examples of scripts, just make sure you use the correct name, ensure that you don't use a Windows editor (if you do run dos2unix against the file on the router) and make sure the file is executable etc.

Hi there. I know this post was from 2017 but it still works! I just got it working to where I can VPN into my home network and exit the network to the Internet through the VPN client! I do have one issue though. My remote computer connected to the VPN server cannot access any devices on the LAN. I can't ping or ssh into anything accept the router. I have the router VPN server settings set to allow access to both the LAN and Internet.

Any ideas? Thanks!

 

[Xentrk]

Hi there. I know this post was from 2017 but it still works! I just got it working to where I can VPN into my home network and exit the network to the Internet through the VPN client! I do have one issue though. My remote computer connected to the VPN server cannot access any devices on the LAN. I can't ping or ssh into anything accept the router. I have the router VPN server settings set to allow access to both the LAN and Internet.

Any ideas? Thanks!

Missing routing policy entry in GUI?

x3mRouting will do all of the set up for you. See VPN Server to VPN Client Routing

I think you will need to dedicate the second VPN Server to access LAN devices. You won't be able to access LAN devices if you route VPN Server 1 to the VPN Client 1.

 

[jorgsmash]

Missing routing policy entry in GUI?
View attachment 26482

x3mRouting will do all of the set up for you. See VPN Server to VPN Client Routing

I think you will need to dedicate the second VPN Server to access LAN devices. You won't be able to access LAN devices if you route VPN Server 1 to the VPN Client 1.

I do have the 10.8.0.0/24 in my VPN routing policy. And as for your comment about x3mRouting being able to set it up for me, I assume you are not talking about having the VPN server route through the VPN client as well as access the lan, because you said that wasn't possible. I did come to find I can access the LAN through a separate VPN. So I have one VPN to access the LAN and one to access the Internet through the client VPN.

Just curious, what is the point of VPN(ning?) into my home network and exiting through the VPN client if I can't access the LAN? Wouldn't this just add extra latency and reduce speeds drastically with no real gain? I have a VPN client app on my phone/other remote computers I could use without the additional hop to my home network to leave through the client VPN.

Just wondering why that would be desired. Thanks!