Policy routing question

jackoboy9

New Around Here
I want to edit my openvpn-event file (contents below) so that...
  1. certain IP addresses (e.g. netflix.com) are not pushed through the VPN.
  2. traffic from certain ports (e.g. port 35000) is not pushed through the VPN.
At the moment all it does is forward all the traffic from IP addresses between 192.168.1.2 and 192.168.1.127 through the OpenVPN client 3.

If request #2 isn't possible, that's ok, but any advice for #1 would be greatly appreciated!

Thank you :)

File contents:

Code:
#!/bin/sh

# Give the tunnel a moment to come up before touching routes.
sleep 2

# Disable reverse-path filtering so replies arriving on the "other" interface are not dropped.
for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
  echo 0 > "$i"
done

# Start from a clean table 100 (the WAN-only table) and a clean mangle chain.
ip route flush table 100
ip route del default table 100
ip rule del fwmark 1 table 100
ip route flush cache
iptables -t mangle -F PREROUTING

# Copy every non-default route that is not via the tunnel (tun13) into table 100.
ip route show table main | grep -Ev '^default' | grep -Ev 'tun13' \
  | while read -r ROUTE ; do
      ip route add table 100 $ROUTE   # unquoted on purpose: the route must be word-split
done

# Table 100 defaults to the ISP gateway; packets marked 1 are looked up there.
ip route add default table 100 via "$(nvram get wan_gateway)"
ip rule add fwmark 1 table 100
ip route flush cache

# Everything from the LAN goes to the WAN (mark 1) ...
iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1

# ... except the range below, which is reset to mark 0 and so uses the main table
# (default route via the VPN). MARK does not stop rule processing, so this later rule wins.
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.2-192.168.1.127 -j MARK --set-mark 0

exit 1
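The marking logic of the script above, extended with the two exceptions the post asks for, as an added example that is not the poster's script: BYPASS_NET and BYPASS_PORT are assumed values, and DRY_RUN is an added switch that prints the commands instead of running them so the rule order can be checked without a router. It assumes the ip rule / table 100 setup from the openvpn-event file is already in place.

```shell
#!/bin/sh
# Added example, not the poster's script. Assumes the ip rule / table 100
# setup from the openvpn-event file above is already in place.
VPN_CLIENTS="192.168.1.2-192.168.1.127"   # poster's range: mark 0 -> main table -> tunnel
BYPASS_NET="52.203.83.0/24"               # assumed destination subnet to keep on the WAN
BYPASS_PORT="35000"                       # poster's example port to keep on the WAN

# With DRY_RUN=1 the iptables commands are printed instead of executed.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    echo "$*"
  else
    "$@"
  fi
}

# MARK is a non-terminating target: every matching PREROUTING rule runs and the
# LAST --set-mark that matches wins, so the order below is the precedence.
mark_rules() {
  run iptables -t mangle -F PREROUTING
  # 1. default for the whole LAN: mark 1 -> table 100 -> ISP gateway
  run iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1
  # 2. the VPN clients: back to mark 0 -> main table -> tunnel default route
  run iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range "$VPN_CLIENTS" -j MARK --set-mark 0
  # 3. exceptions go AFTER rule 2 so they override it for matching packets:
  #    a destination subnet that must stay on the WAN (request #1) ...
  run iptables -t mangle -A PREROUTING -i br0 -d "$BYPASS_NET" -j MARK --set-mark 1
  #    ... and a local (source) port that must stay on the WAN (request #2);
  #    use --dport instead if the remote port is meant
  run iptables -t mangle -A PREROUTING -i br0 -p tcp --sport "$BYPASS_PORT" -j MARK --set-mark 1
  run iptables -t mangle -A PREROUTING -i br0 -p udp --sport "$BYPASS_PORT" -j MARK --set-mark 1
}

# Returns 0 if the generated rule list puts the subnet exception after the client-range rule.
exceptions_after_clients() {
  rules=$(DRY_RUN=1 mark_rules)
  clients=$(echo "$rules" | grep -n -- '--src-range' | cut -d: -f1)
  bypass=$(echo "$rules" | grep -n -- "-d $BYPASS_NET" | cut -d: -f1)
  [ "$clients" -lt "$bypass" ]
}

if [ "${DRY_RUN:-0}" = "1" ]; then
  mark_rules
fi
```

Run with DRY_RUN=1 to review the rule order first; without it the same function applies the rules for real on the router.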
 
What router are you using? Does it have Merlin firmware on it?
If you have an Asus router with Merlin you don't need to do that custom script. It's complicated for nothing.
You can do policy rules way easier than that.
If you are not using Merlin let me know and I will post you the scripts you need to make it work.
 

Thanks for the reply.

I do have ASUS Merlin installed on my AC68U, but from what I can tell there's no way to do the following using the policy rules box at the bottom of the OpenVPN client page:

(my needs have changed slightly since I started this thread)
  1. Route all traffic to/from client 192.168.1.5 through the VPN.
  2. Route all traffic that goes through ports 1080 and 808 to the 192.168.1.5 client. (I have a proxy set up on that PC and I forward the P2P traffic to that PC's proxy server (using CCProxy program), which in turn goes through the VPN as per #1).
  3. If the VPN connection drops, block all internet traffic to/from 192.168.1.5.
It currently works with the script(s) that I've got, but I cannot access the proxy server on the 192.168.1.5 client from outside my internal network (I thought port forwarding was supposed to do that).
 
Well you can do what you want with policy rules but you would have to drop the proxy server and scripts and ports.

Enable Policy rules on your router and enable Block routed clients if tunnel goes down.

In the Source IP you put 192.168.1.5, destination IP 0.0.0.0, Iface VPN.
This will tell the router that everything on IP 192.168.1.5 will go to VPN.
Then you need to use command prompt on a PC or on your router under network tools and do
an nslookup for netflix.com.
You are going to have to do it a few times to find out all the Netflix subnets.
Then in the Source IP you put 0.0.0.0, destination IP 52.203.83.0/24, Iface WAN
Source IP 0.0.0.0, destination IP 52.2.218.0/24, Iface WAN
These are just 2 of their IP subnets.
They probably have over 30 subnets because they are all over the world. You have room for 100 rules on the Merlin firmware.

This will work. Basically all your traffic on IP 192.168.1.5 will go via the VPN and all other traffic will go to WAN local ISP,
but when any of those Netflix IP addresses are accessed from the VPN 192.168.1.5 they will go through local ISP,
and if VPN drops connection the router will stop all traffic until it resumes connection to the VPN server.

That is the easiest way.
You can do it via your scripts but you don't really need to go that far or set up proxy servers like you are doing.
Also one thing to take note of is, when you are on a VPN and are trying to access it outside your LAN from the internet, even if you port forward, that would never work because you are connected to another LAN which is the VPN server's and it has its own ports etc.
You cannot connect via the server to your LAN because they have it set up so that you can't.
Think of it this way: when you connect to a VPN server it's a different network and it cannot work with your network or ports unless they configure it on their side, which is a security problem if they did that because everyone on the tunnel would have access to your network.
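The subnet collection step described above, as an added example that is not part of the reply: the nslookup output is constructed sample data, the /24 width follows the reply's own entries rather than anything netflix.com publishes, and the 100-rule limit is the one the reply mentions.

```shell
#!/bin/sh
# Added example (not from the thread): turn the addresses collected from
# repeated 'nslookup netflix.com' runs into the /24 Destination IP rows the
# reply describes, de-duplicated, and check they fit the 100-rule table.
# The nslookup output below is constructed sample data, not a real resolution.
SAMPLE_NSLOOKUP='Server:   192.168.1.1
Address:  192.168.1.1#53

Non-authoritative answer:
Name:   netflix.com
Address: 52.203.83.10
Name:   netflix.com
Address: 52.2.218.7
Name:   netflix.com
Address: 52.203.83.44
Name:   netflix.com
Address: 2600:1f18:631e:2f82:0:0:0:1'

# Read nslookup output on stdin, keep only IPv4 answer lines (the resolver line
# ends in "#53" and is skipped, as are IPv6 answers), and print unique /24
# networks. Several runs can simply be concatenated on stdin.
answers_to_slash24() {
  awk '$1 == "Address:" && $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
         split($2, o, ".")
         print o[1] "." o[2] "." o[3] ".0/24"
       }' | LC_ALL=C sort -u
}

# Print one policy-rule row (Source IP, Destination IP, Iface) per subnet on
# stdin. Returns 1 if those rows plus the rules already in use (argument 1,
# e.g. the 192.168.1.5 -> VPN rule) would exceed the 100-rule table.
policy_rows() {
  reserved=${1:-0}
  n=0
  while read -r net; do
    printf '0.0.0.0\t%s\tWAN\n' "$net"
    n=$((n + 1))
  done
  [ $((n + reserved)) -le 100 ]
}

# Demo on the constructed sample; on the router the first stage would be
# 'nslookup netflix.com' itself, run a few times as the reply suggests.
printf '%s\n' "$SAMPLE_NSLOOKUP" | answers_to_slash24 | policy_rows 1
```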
 
Well you can do what you want with policy rules but you would have to drop the proxy server and scripts and ports.
...
You can do it via your scripts but you don't really need to go that far or set up proxy servers like you are doing.

Currently, using the scripts, I have it so that any computer in the internal network can use the proxy server that I have set up on 192.168.1.5 for P2P applications, which uses ports 1080 for SOCKS and 808 for HTTP.

i.e. I am on my main PC (192.168.1.2) and I open my P2P software and in the proxy settings, I have the address as 192.168.1.5 and the port as 1080 using the SOCKS protocol. This routes all torrent traffic to the 192.168.1.5 PC and this in turn is routed through the VPN, as set up by the scripts.

I also have set it up so that a couple of websites on all devices in the network are automatically routed through the VPN.
All this stuff works.

I want the proxy server (nothing to do with the VPN) that I have set up to be accessible when outside the internal network when I'm away from home and want to use P2P. Surely in the proxy settings of the P2P software I can set the address to the public IP of the network with the proxy server on it and then ports of 1080 and 808? Haven't been able to test that yet but I'm sure that can be done one way or another?
 
Wow, what a complicated setup to do something that can be done in a couple of command lines.
If you put your Source IP at 192.168.1.5, Destination IP 0.0.0.0, Iface VPN,
then you can do all the P2P you want on that PC; it will always be on the VPN and you will get protection if the tunnel drops.
All other traffic goes to WAN local ISP. It's exactly what you are doing, in 2 lines and no scripts.
I used to run scripts as well but they are not 100 percent. You may think everything is working well until you get an email from your ISP about downloading copyright materials. You are relying on software and scripts to do a pretty complicated task.
Once again, you cannot reach your local computer that is on a VPN from outside on the internet. You can port forward until you are blue in the face. The only way you can do that is to have a PC that is not on VPN and is on the LAN of the VPN PC; then you can remote desktop to the non-VPN PC and then remote desktop to the VPN PC. That would work because once you have remote desktop into your LAN there is nothing you can't do afterwards.
I know you are set in your ways, I just advise a little caution because I was there once and then I changed everything because it's simpler and safer going the Merlin route with policy rules that work :)
Good luck with your setup.
 
I think a proxy server works kind of like a VPN, which is its own server, and you cannot access it from outside on the internet, like with a VPN.
So trying to open ports to get into the proxy is probably not going to work. When you open ports on a router it's to access the router's ports to allow programs within the network to use specific protocols. This is why, when you run other services from the router such as VPN, because they are independent services that have their own network and port forwarding, opening ports from the router doesn't necessarily reflect the ports of the VPN or proxy server.
 
Ah I see. Thanks for that.

I've taken your advice and switched to using policy rules. The main thing stopping me from using it in the first place was that I didn't know how to forward all network traffic on a specific internal IP (the 0.0.0.0 thing).
 