Policy Based Routing IPTV problem

[Martineau]

Working!

I have added rule

ip rule add from 192.168.1.8/29 to 198.18.0.1 table ovpnc1 prio 8001

in nat-start

I suggest you don't hardcode the RPDB rule in nat-start, perhaps you should consider

Spoiler: Using the openvpn-event trigger to automate the creation of the RPDB rule when the VPN Client is initialised

/jffs/scripts/vpnclient1-route-up

#!/bin/sh

VPN_ID=${dev:4:1}

VPNDNS="$(iptables -t nat -L DNSVPN${VPN_ID}  2>/dev/null | grep -E -m 1 "^DNAT" | awk 'BEGIN { FS = ":" } {print $2}')"
if [ -n "$VPNDNS" ];then
   DNSONLY_IPS="$(nvram get vpn_client${VPN_ID}_clientlist | sed -n 's/^.*UseDNSOnly\>//p' | tr '>' ' ' | awk '{print $1}')"
   ip rule del prio 800$VPN_ID
   ip rule add from $DNSONLY_IPS to $VPNDNS table 11$VPN_ID prio 800$VPN_ID
   logger -st "($(basename $0))" "Forcing DNS Server $VPNDNS requests via VPN Client $VPN_ID tunnel" 
fi

Also don't hard-code the VPN DNS using

dhcp-option 'xxx.xxx.xxx.xxx'

as the 'UseDNSOnly' GUI entry as shown in post #17 will correctly build the DNSVPNx chain and the forced Exclusive DNS will be applied.

Furthermore, if the VPN ISP change their DNS servers, then you wouldn't know until the VPN connection acted "weird", so this method ensures the Exclusive DNS configuration is always correct.

Additionally, in nat-start you should prevent the creation of duplicates RPDB rules...

# Ensure duplicate rules are not created as nat-start can be called several times.
for VPN_ID in 0 1 2 3 4 5
   do
      ip rule del prio 999$VPN_ID  2>/dev/null
   done

Regarding the DNS Leak test, do both of these ipleak.net test and dnsleaktest.com test also indicate a DNS Leak?

Anyway glad you finally got it working to your satisfaction.

 

[Ciccio]

Something went wrong.
Accept DNS Configuration: Exclusive
Removed custom config "dhcp-option xxx.xxx.xxx.xxx"
Removed in nat-start

ip rule add from 192.168.1.8/29 to 198.18.0.1 table ovpnc1 prio 8001

Added in nat-start

for VPN_ID in 0 1 2 3 4 5
   do
      ip rule del prio 999$VPN_ID  2>/dev/null
   done

Now nat-start is

#!bin/sh                                            
sleep 10                                            
ip rule add from 0/0 fwmark "0x8000/0x8000" table main   prio 9990        # WAN   fwmark                    
ip rule add from 0/0 fwmark "0x7000/0x7000" table ovpnc4 prio 9991        # VPN 4 fwmark                    
ip rule add from 0/0 fwmark "0x3000/0x3000" table ovpnc5 prio 9992        # VPN 5 fwmark
ip rule add from 0/0 fwmark "0x1000/0x1000" table ovpnc1 prio 9993        # VPN 1 fwmark
ip rule add from 0/0 fwmark "0x2000/0x2000" table ovpnc2 prio 9994        # VPN 2 fwmark                    
ip rule add from 0/0 fwmark "0x4000/0x4000" table ovpnc3 prio 9995        # VPN 3 fwmark
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.8-192.168.1.15 -p tcp -m multiport --dport 80,443,2300 -j MARK --set-mark 0x1000/0x1000
logger "runned nat-start"
# Ensure duplicate rules are not created as nat-start can be called several times.
for VPN_ID in 0 1 2 3 4 5
        do
                ip rule del prio 999$VPN_ID 2>/dev/null
        done

Also i've created vpnclient1-route-up as follow

#!/bin/sh
VPN_ID=${dev:4:1}
VPNDNS="$(iptables -t nat -L DNSVPN$VPN_ID 2>/dev/null | grep -E -m 1 "^1" | awk 'BEGIN { FS = "=" } {print $2}')"
if [ -n "$VPNDNS" ];then
        ip rule del prio 800$VPN_ID
        ip rule add from $(echo nvram get vpn_client${VPN_ID}_clientlist) | tr '>' ' ' | grep -E "UseDNSOnly\>.*\>" | awk '{print $2}' to $VPNDNS table ovpnc1 prio 800$VPN_ID
fi

No internet connection for devices in 192.168.1.8/29

 

[Martineau]

Something went wrong.
Now nat-start is

#!bin/sh                                      
sleep 10                                      
ip rule add from 0/0 fwmark "0x8000/0x8000" table main   prio 9990        # WAN   fwmark              
ip rule add from 0/0 fwmark "0x7000/0x7000" table ovpnc4 prio 9991        # VPN 4 fwmark              
ip rule add from 0/0 fwmark "0x3000/0x3000" table ovpnc5 prio 9992        # VPN 5 fwmark
ip rule add from 0/0 fwmark "0x1000/0x1000" table ovpnc1 prio 9993        # VPN 1 fwmark
ip rule add from 0/0 fwmark "0x2000/0x2000" table ovpnc2 prio 9994        # VPN 2 fwmark              
ip rule add from 0/0 fwmark "0x4000/0x4000" table ovpnc3 prio 9995        # VPN 3 fwmark
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.8-192.168.1.15 -p tcp -m multiport --dport 80,443,2300 -j MARK --set-mark 0x1000/0x1000
logger "runned nat-start"
# Ensure duplicate rules are not created as nat-start can be called several times.
for VPN_ID in 0 1 2 3 4 5
        do
                ip rule del prio 999$VPN_ID 2>/dev/null
        done

To prevent duplicates, you delete any existing matching rules before you attempt to create them, not after!

nat-start should look like this

#!/bin/sh

sleep 10  # During the boot process nat-start may run multiple times so this is required           

# Ensure duplicate rules are not created
for VPN_ID in 0 1 2 3 4 5
   do
      ip rule del prio 999$VPN_ID  2>/dev/null
   done

# Create the RPDB rules
ip rule add from 0/0 fwmark "0x8000/0x8000" table main   prio 9990        # WAN   fwmark
ip rule add from 0/0 fwmark "0x7000/0x7000" table ovpnc4 prio 9991        # VPN 4 fwmark
ip rule add from 0/0 fwmark "0x3000/0x3000" table ovpnc5 prio 9992        # VPN 5 fwmark
ip rule add from 0/0 fwmark "0x1000/0x1000" table ovpnc1 prio 9993        # VPN 1 fwmark
ip rule add from 0/0 fwmark "0x2000/0x2000" table ovpnc2 prio 9994        # VPN 2 fwmark
ip rule add from 0/0 fwmark "0x4000/0x4000" table ovpnc3 prio 9995        # VPN 3 fwmark

# Ensure duplicates are not created
iptables -t mangle -D PREROUTING -i br0 -m iprange --src-range 192.168.1.8-192.168.1.15 -p tcp -m multiport --dport 80,443,2300 -j MARK --set-mark 0x1000/0x1000 2>dev/null
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.8-192.168.1.15 -p tcp -m multiport --dport 80,443,2300 -j MARK --set-mark 0x1000/0x1000

Also did you clone /jffs/scripts/openvpn-event from @john9527's openvpn-event script template so you can explicitly choose which openvpn-event trigger code is actually used by each individual Server/Client - in your case vpnclient1-route-up

EDIT: There was a typo in the vpnclient1-route-up script in post #21 - so please recreate from the edited code.

 

[Ciccio]

To prevent duplicates, you delete any existing matching rules before you attempt to create them, not after!

Sorry

There was a typo in the vpnclient1-route-up script in post #21 - so please recreate from the edited code.

If you mean UseDNSOnly instead of UseDNSonly, I had already seen it.

Now i have the nat-start as follow

#!/bin/sh

sleep 10  # During the boot process nat-start may run multiple times so this is required         

# Ensure duplicate rules are not created
for VPN_ID in 0 1 2 3 4 5
   do
     ip rule del prio 999$VPN_ID  2>/dev/null
   done

# Create the RPDB rules
ip rule add from 0/0 fwmark "0x8000/0x8000" table main   prio 9990        # WAN   fwmark
ip rule add from 0/0 fwmark "0x7000/0x7000" table ovpnc4 prio 9991        # VPN 4 fwmark
ip rule add from 0/0 fwmark "0x3000/0x3000" table ovpnc5 prio 9992        # VPN 5 fwmark
ip rule add from 0/0 fwmark "0x1000/0x1000" table ovpnc1 prio 9993        # VPN 1 fwmark
ip rule add from 0/0 fwmark "0x2000/0x2000" table ovpnc2 prio 9994        # VPN 2 fwmark
ip rule add from 0/0 fwmark "0x4000/0x4000" table ovpnc3 prio 9995        # VPN 3 fwmark

# Ensure duplicates are not created
iptables -t mangle -D PREROUTING -i br0 -m iprange --src-range 192.168.1.8-192.168.1.15 -p tcp -m multiport --dport 80,443,2300 -j MARK --set-mark 0x1000/0x1000 2>dev/null
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.8-192.168.1.15 -p tcp -m multiport --dport 80,443,2300 -j MARK --set-mark 0x1000/0x1000

I've created the openvpn-event as follow

#!/bin/sh
scr_name="$(basename $0)[$$]"
case "$1" in
        "tun11")
                vpn_name="client1"
                ;;
        "tun12")
                vpn_name="client2"
                ;;
        "tun13")
                vpn_name="client3"
                ;;
        "tun14")
                vpn_name="client4"
                ;;
        "tun15")
                vpn_name="client5"
                ;;
        "tun21")
                vpn_name="server1"
                ;;
        "tun22")
                vpn_name="server2"
                ;;
        *)
                vpn_name=""
                ;;
esac
# Call appropriate script based on script_type
vpn_script_name="vpn$vpn_name-$script_type"
# Check script state/use nvram to save last script runvpn_script_state=$(nvram get vpn_script_state)
nvram set vpn_script_state="$vpn_script_name"
if [ "$vpn_script_name" = "$vpn_script_state" ]; then         echo "VPN script" $vpn_script_name "already run" | logger -t "$scr_name"
        exit 0
fi
if [[ -f "/jffs/scripts/$vpn_script_name" ]] ; then
        sh /jffs/scripts/$vpn_script_name $*
else
        echo "Script not defined for event: "$vpn_script_name | logger -t $scr_name
        exit 0
fi

exit 0

and vpnclient1-route-up

#!/bin/sh

VPN_ID=${dev:4:1}

VPNDNS="$(iptables -t nat -L DNSVPN$VPN_ID  2>/dev/null | grep -E -m 1 "^DNAT" | awk 'BEGIN { FS = ":" } {print $2}')"
if [ -n "$VPNDNS" ];then
        ip rule del prio 800$VPN_ID
        ip rule add from $(echo nvram get vpn_client${VPN_ID}_clientlist) | tr '>' ' ' | grep -E "UseDNSOnly\>.*\>" | awk '{print $2}' to $VPNDNS table ovpnc1 prio 800$VPN_ID
fi

But no internet connection
In log i have

May 18 01:02:17 openvpn-updown: Forcing 192.168.1.8/29 to use DNS server 198.18.0.1
...
May 18 01:02:17 custom_script: Running /jffs/scripts/openvpn-event (args: tun11 1500 1553 172.21.24.235 255.255.254.0 init)
May 18 01:02:17 openvpn-event[1838]: Script not defined for event: vpnclient1-up
May 18 01:02:19 ovpn-client1[1715]: /bin/ip route add 45.56.137.76/32 via 31.156.227.1
May 18 01:02:19 ovpn-client1[1715]: /bin/ip route add 0.0.0.0/1 via 172.21.24.1
May 18 01:02:19 ovpn-client1[1715]: /bin/ip route add 128.0.0.0/1 via 172.21.24.1
May 18 01:02:19 openvpn-routing: Configuring policy rules for client 1
May 18 01:02:19 openvpn-routing: Creating VPN routing table (mode 2)
May 18 01:02:19 openvpn-routing: Removing route for 0.0.0.0/1 to tun11 from main routing table
May 18 01:02:19 openvpn-routing: Removing route for 128.0.0.0/1 to tun11 from main routing table
May 18 01:02:19 openvpn-routing: Removing rule 10101 from routing policy
May 18 01:02:19 openvpn-routing: Adding route for 192.168.1.8/29 to 0.255.255.255 through VPN client 1
May 18 01:02:19 openvpn-routing: Tunnel re-established, restoring WAN access to clients
May 18 01:02:19 openvpn-routing: Completed routing policy configuration for client 1
May 18 01:02:19 custom_script: Running /jffs/scripts/openvpn-event (args: tun11 1500 1553 172.21.24.235 )
May 18 01:02:19 ovpn-client1[1715]: Initialization Sequence Completed

 

[Martineau]

Now i have.....no internet connection
vpnclient1-route-up

#!/bin/sh

VPN_ID=${dev:4:1}

VPNDNS="$(iptables -t nat -L DNSVPN$VPN_ID  2>/dev/null | grep -E -m 1 "^DNAT" | awk 'BEGIN { FS = ":" } {print $2}')"
if [ -n "$VPNDNS" ];then
        ip rule del prio 800$VPN_ID
        ip rule add from $(echo nvram get vpn_client${VPN_ID}_clientlist) | tr '>' ' ' | grep -E "UseDNSOnly\>.*\>" | awk '{print $2}' to $VPNDNS table ovpnc1 prio 800$VPN_ID
fi

Perhaps it might be wise to revert to the previously (non-automated) working state and hardcode both the pushed VPN ISP DNS server, and the IP range 192.168.1.8-192.168.1.15 tagging rule in nat-start


However if you have the desire/time to continue with attempting to implement an automated method, I have finally identified and fixed the brain-dead catastrophic typo (why did I leave the 'echo' command embedded? ) and updated the vpnclient1-route-up script
NOTE: I have also now included a confirmation message to Syslog

(vpnclient1-route-up): Forcing DNS Server 198.18.0.1  requests via VPN Client 1 tunnel

So now it probably makes sense to also move (as alluded to in the Wiki) the Selective Port tagging rule

iptables -t mangle -D PREROUTING -i br0 -m iprange --src-range 192.168.1.8-192.168.1.15 -p tcp -m multiport --dport 80,443,2300 -j MARK --set-mark 0x1000/0x1000
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.8-192.168.1.15 -p tcp -m multiport --dport 80,443,2300 -j MARK --set-mark 0x1000/0x1000

from nat-start to vpnclient1-route-up ?

 

[Ciccio]

However if you have the desire/time to continue with attempting to implement an automated method, I have finally identified and fixed the brain-dead catastrophic typo (why did I leave the 'echo' command embedded? ) and updated the vpnclient1-route-up script

Ok, now It work.
Have both nat-start and vpnclient1-route-up.

So now it probably makes sense to also move (as alluded to in the Wiki) the Selective Port tagging rule

iptables -t mangle -D PREROUTING -i br0 -m iprange --src-range 192.168.1.8-192.168.1.15 -p tcp -m multiport --dport 80,443,2300 -j MARK --set-mark 0x1000/0x1000
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.8-192.168.1.15 -p tcp -m multiport --dport 80,443,2300 -j MARK --set-mark 0x1000/0x1000

from nat-start to vpnclient1-route-up ?

Ok i moved this iptables rules from nat-start to vpnclient1-route-up before "fi" and it seems to work.

The devices not in 192.168.1.8/29 use defined DNS in WAN config pages (Google's DNS) and all traffic go by WAN.

The devices in 192.168.1.8/29 use VPN DNS and all traffic go by WAN except port 2300 that go by VPN.

Now I ask you, is it technically possible to use VPN DNS only for requests based on the destination port?

 

[Martineau]

Ok, now It work.
Have both nat-start and vpnclient1-route-up.

Ok i moved this iptables rules from nat-start to vpnclient1-route-up before "fi" and it seems to work.

The devices not in 192.168.1.8/29 use defined DNS in WAN config pages (Google's DNS) and all traffic go by WAN.

The devices in 192.168.1.8/29 use VPN DNS and all traffic go by WAN except port 2300 that go by VPN

Thank you for your time and hopefully you were able to understand how we have automated the process and enhanced your skillset whilst demonstrating for others that 'advanced' Selective Routing using scripting isn't that daunting!

P.S. I'm not sure if you still have concerns about the perceived DNS Leak?

 

[Ciccio]

Thank you for your time and hopefully you were able to understand how we have automated the process and enhanced your skillset whilst demonstrating for others that 'advanced' Selective Routing using scripting isn't that daunting!

Thank you for helping me solve the problem and I hope it can serve other forum users

P.S. I'm not sure if you still have concerns about the perceived DNS Leak?

I don't think there are any dns leaks because the dns requests come from an ip referable to the vpn provider

 

[Ciccio]

I'm here again!
Hi guys, I continue this post because I have a similar problem.
I would like to apply the rule to my torrent client that uses 47455 as the local port, so i've added as follow in vpnclient1-route-up:

 iptables -t mangle -D PREROUTING -i br0 -m iprange --src 192.168.1.13 -p all -m multiport --sport 47455 -j MARK --set-mark 0x1000/0x1000
 iptables -t mangle -A PREROUTING -i br0 -m iprange --src 192.168.1.13 -p all -m multiport --sport 47455 -j MARK --set-mark 0x1000/0x1000

but not working, because on ipleak.net in torrent address detection I see my WAN public IP address.

This is my vpnclient1-route-up:

#!/bin/sh
VPN_ID=${dev:4:1}
VPNDNS="$(iptables -t nat -L DNSVPN${VPN_ID} 2>/dev/null | grep -E -m 1 "^DNAT" | awk 'BEGIN { FS = ":" } {print $2}')"
if [ -n "$VPNDNS" ];then
        DNSONLY_IPS="$(nvram get vpn_client${VPN_ID}_clientlist | sed -n 's/^.*UseDNSOnly\>//p' | tr '>' ' ' | awk '{print $1}')"
        ip rule del prio 800$VPN_ID
        ip rule add from $DNSONLY_IPS to $VPNDNS table 11$VPN_ID prio 800$VPN_ID

        iptables -t mangle -D PREROUTING -i br0 -m iprange --src-range 192.168.1.8-192.168.1.15 -p tcp -m multiport --dport 2300 -j MARK --set-mark 0x1000/0x1000
        iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.8-192.168.1.15 -p tcp -m multiport --dport 2300 -j MARK --set-mark 0x1000/0x1000

        #Rule for Torrent
        iptables -t mangle -D PREROUTING -i br0 -m iprange --src 192.168.1.13 -p all -m multiport --sport 47455 -j MARK --set-mark 0x1000/0x1000
        iptables -t mangle -A PREROUTING -i br0 -m iprange --src 192.168.1.13 -p all -m multiport --sport 47455 -j MARK --set-mark 0x1000/0x1000

        logger -st "($(basename $0))" "New Forcing DNS Server $VPNDNS requests via VPN Client $VPN_ID tunnel"
fi

Many Thanks!

 

[octopus]

I should add your new port to exiting rule, 2300,47455 as its already in ip-range.

 

[Ciccio]

I should add your new port to exiting rule, 2300,47455 as its already in ip-range.

The torrent port 47455 is source port, the port 2300 is destination port, so i've created new rule

 

[octopus]

The torrent port 47455 is source port, the port 2300 is destination port, so i've created new rule

Im not sure -p all is working try with tcp and udp rules and test.

 

[Ciccio]

Im not sure -p all is working try with tcp and udp rules and test.

I'm trying with -p tcp and -p udp but not working.

 

[Xentrk]

I'm trying with -p tcp and -p udp but not working.

Since there is no IP range, try removing the -m iprange directive. Optionally, you can specify -s rather than --src. Both will work

 #Rule for Torrent
 iptables -t mangle -D PREROUTING -i br0 -s 192.168.1.13 -p all -m multiport --sport 47455 -j MARK --set-mark 0x1000/0x1000
 iptables -t mangle -A PREROUTING -i br0 -s 192.168.1.13 -p all -m multiport --sport 47455 -j MARK --set-mark 0x1000/0x1000

 

[Ciccio]

Since there is no IP range, try removing the -m iprange directive. Optionally, you can specify -s rather than --src. Both will work

 #Rule for Torrent
 iptables -t mangle -D PREROUTING -i br0 -s 192.168.1.13 -p all -m multiport --sport 47455 -j MARK --set-mark 0x1000/0x1000
 iptables -t mangle -A PREROUTING -i br0 -s 192.168.1.13 -p all -m multiport --sport 47455 -j MARK --set-mark 0x1000/0x1000

I tried what you suggested, but it doesn't work. I also tried to perform the same thing for transmission installed on the router as described here https://github.com/RMerl/asuswrt-merlin/wiki/Policy-based-Port-routing-(manual-method), but I keep seeing my public ip. Here are the iptables rules

#!/bin/sh
VPN_ID=${dev:4:1}
VPNDNS="$(iptables -t nat -L DNSVPN${VPN_ID} 2>/dev/null | grep -E -m 1 "^DNAT" | awk 'BEGIN { FS = ":" } {print $2}')"
if [ -n "$VPNDNS" ];then
        DNSONLY_IPS="$(nvram get vpn_client${VPN_ID}_clientlist | sed -n 's/^.*UseDNSOnly\>//p' | tr '>' ' ' | awk '{print $1}')"
        ip rule del prio 800$VPN_ID
        ip rule add from $DNSONLY_IPS to $VPNDNS table 11$VPN_ID prio 800$VPN_ID

        iptables -t mangle -D PREROUTING -i br0 -m iprange --src-range 192.168.1.8-192.168.1.15 -p all -m multiport --dport 2300 -j MARK --set-mark 0x1000/0x1000
        iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.8-192.168.1.15 -p all -m multiport --dport 2300 -j MARK --set-mark 0x1000/0x1000

        #Rule for Dell Torrent
        iptables -t mangle -D PREROUTING -i br0 -s 192.168.1.13 -p all -m multiport --sport 47455 -j MARK --set-mark 0x1000/0x1000
        iptables -t mangle -A PREROUTING -i br0 -s 192.168.1.13 -p all -m multiport --sport 47455 -j MARK --set-mark 0x1000/0x1000
        
        #Rule for Transmission on Merlin
        iptables -t mangle -A OUTPUT -p tcp -m multiport --sport 51413  -j MARK --set-mark 0x1000/0x1000
        iptables -t nat -A POSTROUTING -s $(nvram get wan0_ipaddr) -o tun11 -j MASQUERADE

        logger -st "($(basename $0))" "New Forcing DNS Server $VPNDNS requests via VPN Client $VPN_ID tunnel"
fi

Thanks for any reply

 

[Salles]

I tried what you suggested, but it doesn't work. I also tried to perform the same thing for transmission installed on the router as described here https://github.com/RMerl/asuswrt-merlin/wiki/Policy-based-Port-routing-(manual-method), but I keep seeing my public ip. Here are the iptables rules

#!/bin/sh
VPN_ID=${dev:4:1}
VPNDNS="$(iptables -t nat -L DNSVPN${VPN_ID} 2>/dev/null | grep -E -m 1 "^DNAT" | awk 'BEGIN { FS = ":" } {print $2}')"
if [ -n "$VPNDNS" ];then
        DNSONLY_IPS="$(nvram get vpn_client${VPN_ID}_clientlist | sed -n 's/^.*UseDNSOnly\>//p' | tr '>' ' ' | awk '{print $1}')"
        ip rule del prio 800$VPN_ID
        ip rule add from $DNSONLY_IPS to $VPNDNS table 11$VPN_ID prio 800$VPN_ID

        iptables -t mangle -D PREROUTING -i br0 -m iprange --src-range 192.168.1.8-192.168.1.15 -p all -m multiport --dport 2300 -j MARK --set-mark 0x1000/0x1000
        iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.8-192.168.1.15 -p all -m multiport --dport 2300 -j MARK --set-mark 0x1000/0x1000

        #Rule for Dell Torrent
        iptables -t mangle -D PREROUTING -i br0 -s 192.168.1.13 -p all -m multiport --sport 47455 -j MARK --set-mark 0x1000/0x1000
        iptables -t mangle -A PREROUTING -i br0 -s 192.168.1.13 -p all -m multiport --sport 47455 -j MARK --set-mark 0x1000/0x1000
       
        #Rule for Transmission on Merlin
        iptables -t mangle -A OUTPUT -p tcp -m multiport --sport 51413  -j MARK --set-mark 0x1000/0x1000
        iptables -t nat -A POSTROUTING -s $(nvram get wan0_ipaddr) -o tun11 -j MASQUERADE

        logger -st "($(basename $0))" "New Forcing DNS Server $VPNDNS requests via VPN Client $VPN_ID tunnel"
fi

Thanks for any reply

If you want Transmission installed on the router to use a VPN, you can use this method. Works well.
https://www.snbforums.com/threads/transmission-for-asuswrt-merlin.31278/page-3#post-266164

 

[Ciccio]

If you want Transmission installed on the router to use a VPN, you can use this method. Works well.
https://www.snbforums.com/threads/transmission-for-asuswrt-merlin.31278/page-3#post-266164

I follow this guide, the https://ipleak.net/ in Torrent address detection show me the VPN IP address, but transmission not downloading, and in log I have Tracker error: "Connection failed"
I have install Transmission how reported here https://github.com/RMerl/asuswrt-merlin/wiki/Installing-Transmission-through-Entware, and I have binded IPv4 address to 192.168.1.2
I have added in VPN Client1 Table the 192.168.1.2 to go trought VPN (0.0.0.0 as destination)
This is my firewall-start

#!/bin/sh
ifconfig br0:0 192.168.1.2 up
iptables -I INPUT -p tcp --destination-port 51413 -j ACCEPT
iptables -I INPUT -p udp --destination-port 51413 -j ACCEPT

This is my services-start

#wait for VPN
until [ $(nvram get vpn_client1_state) -gt 1 ]
  do
  logger "Waiting 5 seconds for VPN..."
  sleep 5
  done

Many Thanks

 

[Salles]

I follow this guide, the https://ipleak.net/ in Torrent address detection show me the VPN IP address, but transmission not downloading, and in log I have Tracker error: "Connection failed"
I have install Transmission how reported here https://github.com/RMerl/asuswrt-merlin/wiki/Installing-Transmission-through-Entware, and I have binded IPv4 address to 192.168.1.2
I have added in VPN Client1 Table the 192.168.1.2 to go trought VPN (0.0.0.0 as destination)
This is my firewall-start

#!/bin/sh
ifconfig br0:0 192.168.1.2 up
iptables -I INPUT -p tcp --destination-port 51413 -j ACCEPT
iptables -I INPUT -p udp --destination-port 51413 -j ACCEPT

This is my services-start

#wait for VPN
until [ $(nvram get vpn_client1_state) -gt 1 ]
  do
  logger "Waiting 5 seconds for VPN..."
  sleep 5
  done

Many Thanks

In services-start you need to start the script with:

#!/bin/sh

Otherwise the script will not execute.

[Edit]
Then reboot router.
If that does not work, try to stop and start transmission manually through ssh. I had to do that once for some reason (I have transmission through debian though).

 

[octopus]

Need som help..........

I just implemented this and it's working fine with some desires.

Using rules without any port specified and working fine.

iptables -t mangle -D PREROUTING -i br0 -m iprange --src-range 192.168.12.120-192.168.12.127 -p tcp -j MARK --set-mark 0x1000/0x1000 2>dev/null
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.12.120-192.168.12.127 -p tcp -j MARK --set-mark 0x1000/0x1000

I want to add some exception in vpnclient1, Have tried add it in "Rules for routing client traffic through the tunnel"
But when use "UseDNSOnly 192.168.12.120/29 0.255.255.255 VPN" and add exception it wont work and I have DNS-leak.

Example:
exception1 192.168.12.120 123.123.123.123 WAN
@Martineau

 

[Martineau]

Need som help..........

I just implemented this and it's working fine with some desires.

Using rules without any port specified and working fine.

iptables -t mangle -D PREROUTING -i br0 -m iprange --src-range 192.168.12.120-192.168.12.127 -p tcp -j MARK --set-mark 0x1000/0x1000 2>dev/null
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.12.120-192.168.12.127 -p tcp -j MARK --set-mark 0x1000/0x1000

I want to add some exception in vpnclient1, Have tried add it in "Rules for routing client traffic through the tunnel"
But when use "UseDNSOnly 192.168.12.120/29 0.255.255.255 VPN" and add exception it wont work and I have DNS-leak.

Example:
exception1 192.168.12.120 123.123.123.123 WAN
@Martineau

Rightly or wrongly, my script generated custom RPDB rules take priority over GUI generated rules

i.e.

     Script: UseDNSOnly                                               <-HIGHEST priority
     Script: Selective Routing IPSET / Port / MAC (fwmark tagging)

     GUI:    Selective Routing Source/Destination (Client 1 WAN)
     GUI:    Selective Routing Source/Destination (Client 1 VPN)
     <snip>
     GUI:    Selective Routing Source/Destination (Client 5 WAN)
     GUI:    Selective Routing Source/Destination (Client 5 VPN)      <-LOWEST priority

NOTE: The crude 'UseDNSOnly' hack was intended to allow a non-VPN Client to use the VPN ISP DNS (via the VPN tunnel), but access the Internet via the WAN.