Questions about advanced VPN routing


stoli412

Occasional Visitor
I have an OpenVPN client set up on my AC68 running 380.65. Using policy rules, I have one device set to route all traffic through the VPN. Using john9527's custom openvpn-event script (located here), I've also set up scripts (e.g., "vpnclient1-route-up" and "vpnclient1-down") to add/remove some port forwards through the VPN. It all works brilliantly.

Here's my new challenge. I have another device where I only want SOME of its traffic to go through the VPN, but NOT block it when the VPN is down. Through some searching, I found Martineau's instructions on how to do this (located here). My question is, instead of adding this to nat-start, can I add this to my vpnclient1-route-up and vpnclient1-down scripts that get called by the openvpn-event script?

So to vpnclient1-route-up, I would add:

Code:
ip rule del fwmark 0xy000
ip rule add fwmark 0xy000 table 11y prio 1000y

iptables -t mangle -D PREROUTING -i br0 --src xxx.xxx.xxx.xxx,zzz.zzz.zzz.zzz -p tcp -m multiport --dport nn,pp  -j MARK --set-mark 0xy000/0xy000
iptables -t mangle -A PREROUTING -i br0 --src xxx.xxx.xxx.xxx,zzz.zzz.zzz.zzz -p tcp -m multiport --dport nn,pp  -j MARK --set-mark 0xy000/0xy000

Then, in vpnclient1-down, I would add:
Code:
ip rule del fwmark 0xy000

iptables -t mangle -D PREROUTING -i br0 --src xxx.xxx.xxx.xxx,zzz.zzz.zzz.zzz -p tcp -m multiport --dport nn,pp  -j MARK --set-mark 0xy000/0xy000

When the VPN is disconnected, this would restore normal routing to WAN for the specific IP addresses and ports that I have specified...this is the behaviour I'm looking for.

My question is, how reliable would this setup be? I keep my VPN connected for days at a time, so I'm just wondering if any of these rules would get overwritten periodically. I think I read somewhere that some people can see ip rules get reset once a day or so?

And just another quick question: for this to work for web browsing, I would need to specify ports 80, 443, and 53. Any other ports?
 
My question is, instead of adding this to nat-start, can I add this to my vpnclient1-route-up and vpnclient1-down scripts that get called by the openvpn-event script?

Indeed :p- if you understand what you are doing!

My question is, how reliable would this setup be? I keep my VPN connected for days at a time, so I'm just wondering if any of these rules would get overwritten periodically. I think I read somewhere that some people can see ip rules get reset once a day or so?

I use nat-start to 'protect' the integrity of the '-t mangle PREROUTING' rules etc. (just in case the TrendMicro DPI engine/AiProtection/Network Services GUI etc. decides to rebuild the Firewall) as I can then decide if it is necessary to bounce ACTIVE VPN Clients - does my first reply now make sense?

And just another quick question: for this to work for web browsing, I would need to specify ports 80, 443, and 53. Any other ports?

For simple web browsing, 'http://' and 'https://' Ports 80,443,8080 are common... but it all depends on the host site i.e. you can access other services via the browser 'ftp://' etc.
(NOTE: Port 53 is DNS)
 
So I gave it a try and it worked...sort of. Very slow and sluggish, sometimes web pages would hang and I would need to manually reload. I didn't have port 8080 in my rules, but I don't think that was the issue. I deliberately had port 53 in there (both UDP and TCP) because I wanted to use my VPN provider's DNS servers. That seems to be the problem. As soon as I removed port 53, web browsing worked relatively normally. Any reason why that would be? For the computer that is fully behind the VPN, DNS is set to Exclusive in the OpenVPN config, and web browsing works as expected? Might there be some crucial port I'm not including? Something else?
 
I wanted to use my VPN provider's DNS servers. That seems to be the problem. As soon as I removed port 53, web browsing worked relatively normally.

Any reason why that would be?

PEBKAC?? :p - basically don't mess with Port 53!:eek:

DNS resolution is handled 'under the covers' by iptables, and can be influenced by using the VPN GUI as well as AiProtection->DNS Filter.

e.g. for VPN Client 1
Code:
iptables --line -t nat -nvL DNSVPN1

Chain DNSVPN1 (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1     1009 77463 RETURN     all  --  *      *       10.88.8.140          0.0.0.0/0  
2        0     0 DNAT       all  --  *      *       10.88.8.90           0.0.0.0/0            to:10.200.194.1
3        0     0 DNAT       all  --  *      *       172.16.1.1           0.0.0.0/0            to:10.200.194.1

So in the example above, devices 10.88.8.90 & 172.16.1.1 use the VPN DNS, but 10.88.8.140 doesn't.

So from a device (I/P) perspective you can choose to force the use of a VPN DNS or not.

(If you need to force DNS for a domain, then you will need to manually tweak dnsmasq).
 
I've been thinking about this off and on for the past couple days, and I think I have a working solution (inspired by your other post here).

In nat-start I've added:
Code:
ip rule add from 0/0 fwmark 0x1000 table ovpnc1 prio 20001

In vpnclient1-route-up I've added:
Code:
# Delete rule that blocks specific ports from another client when the VPN goes down
iptables -t mangle -D PREROUTING -i br0 --src 192.168.1.30 -p tcp -m multiport --dport 80,443 -j DROP

# Force specific ports from another client to use the VPN
iptables -t mangle -A PREROUTING -i br0 --src 192.168.1.30 -p tcp -m multiport --dport 80,443 -j MARK --set-mark 0x1000/0x1000

# Force another client to use the VPN DNS
iptables -t nat -A DNSVPN1 -i br0 --src 192.168.1.30 -j DNAT --to-destination 10.4.0.1

And in vpnclient1-down I've added:
Code:
# Delete rule forcing specific ports from another client to use the VPN
iptables -t mangle -D PREROUTING -i br0 --src 192.168.1.30 -p tcp -m multiport --dport 80,443 -j MARK --set-mark 0x1000/0x1000

# Block specific ports from another client when the VPN goes down
iptables -t mangle -A PREROUTING -i br0 --src 192.168.1.30 -p tcp -m multiport --dport 80,443 -j DROP

# Restore normal DNS function to another client
iptables -t nat -D DNSVPN1 -i br0 --src 192.168.1.30 -j DNAT --to-destination 10.4.0.1

Everything seems to be working well. Web browsing and DNS go through the VPN when it's up. When it's down, Web browsing is blocked, and DNS is restored to "normal".
 
In nat-start I've added:
Code:
ip rule add from 0/0 fwmark 0x1000 table ovpnc1 prio 20001

Ensure you issue a delete otherwise you will have unnecessary duplicates in the RPDB table.

NOTE: You may need to check if the VPN client is UP in nat-start and bounce it since nat-start may indicate that the -t mangle PREROUTING rules have been flushed by GUI activity or the Trend Micro DPI engine if applicable.
 
I looked through the syslog right after boot and it looks like nat-start is called a few times during startup. But when I look at ip rules, my rule only appears once. Are new rules ignored if they already exist?

If not, how would I ensure my rule only appears once? I'm not sure I follow what you're getting at in your post. :)
 
I looked through the syslog right after boot and it looks like nat-start is called a few times during startup. But when I look at ip rules, my rule only appears once. Are new rules ignored if they already exist?

If not, how would I ensure my rule only appears once? I'm not sure I follow what you're getting at in your post. :)

Precede the add with a del :D

Code:
ip rule del fwmark $TAG_MARK
ip rule add from 0/0 fwmark $TAG_MARK table $VPN_TBL prio "999"$VPN_ID

or use the following format

Code:
# delete the rule by its priority alone (no fwmark argument needed)
ip rule del prio nnnnnn
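An added example (not from the thread, nor from Martineau's or john9527's scripts) of the "precede the add with a del" discipline, written so that nat-start running several times at boot still leaves exactly one copy of the fwmark rule, no matter how many copies are already present; the same delete-then-add pattern is what the route-up/down iptables lines above rely on. It assumes the values posted above (mark 0x1000, table ovpnc1, prio 20001) and that the live listing comes from `ip rule show`; the planning step is separated from the apply step so the logic can be checked without root.

```shell
#!/bin/sh
# Idempotent RPDB rule for the fwmark policy route used in this thread.
# Deleting every existing copy before the single add means nat-start can
# run any number of times at boot without stacking duplicate rules.
MARK="0x1000"       # value posted in the thread
TABLE="ovpnc1"      # value posted in the thread
PRIO="20001"        # value posted in the thread

# count_mark_rules LISTING: number of entries in an `ip rule show` listing
# that carry fwmark $MARK (with or without a /mask suffix).
count_mark_rules() {
    printf '%s\n' "$1" | grep -c -- "fwmark $MARK[ /]" || true
}

# plan_rule_sync LISTING: print one `ip rule del` per existing copy, then
# the single add, so the RPDB ends up with exactly one rule for $MARK.
plan_rule_sync() {
    n=$(count_mark_rules "$1")
    i=0
    while [ "$i" -lt "$n" ]; do
        echo "ip rule del fwmark $MARK"
        i=$((i + 1))
    done
    echo "ip rule add from 0/0 fwmark $MARK table $TABLE prio $PRIO"
}

# apply_rule_sync: run the plan against the live table (root on the router).
apply_rule_sync() {
    plan_rule_sync "$(ip rule show)" | while read -r cmd; do
        sh -c "$cmd"
    done
}
```

Call `apply_rule_sync` from nat-start in place of the bare `ip rule add`; `ip rule show` afterwards should list the 20001 entry exactly once.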
 
