Selective Routing over OpenVPN tunnel gone awry

[Xentrk]

This script works great for selective routing of LAN clients over three OpenVPN clients:

#!/bin/sh
logger -t "($(basename $0))" $$ Starting IPSET_VPN_Routing.sh..." $0${*:+ $*}."
# Uncomment the line below for debugging
# set -xo
ipset create LAN_GW hash:net family inet hashsize 1024 maxelem 65536
ipset create OVPNC1 hash:net family inet hashsize 1024 maxelem 65536
ipset create OVPNC2 hash:net family inet hashsize 1024 maxelem 65536
ipset create OVPNC3 hash:net family inet hashsize 1024 maxelem 65536

# extract LAN ip addresses
ipset add LAN_GW $(nvram get lan_ipaddr)

# extract OVPNC1 ip addresses
for ip in $(awk '{ print $1 }' /jffs/scripts/OVPNC1)
    do
        ipset add OVPNC1 $ip
    done

# extract OVPNC2 ip addresses
for ip in $(awk '{ print $1 }' /jffs/scripts/OVPNC2)
    do
        ipset add OVPNC2 $ip
    done

# extract OVPNC3 ip addresses
for ip in $(awk '{ print $1 }' /jffs/scripts/OVPNC3)
    do
        ipset add OVPNC3 $ip
    done

# WAN
ip rule del fwmark 0x7000
ip rule add fwmark 0x7000 table 254 prio 9990

#VPN Client 1
ip rule del fwmark 0x1000
ip rule add fwmark 0x1000 table 111 prio 9991

#VPN Client 2
ip rule del fwmark 0x2000
ip rule add fwmark 0x2000 table 112 prio 9992

#VPN Client 3
ip rule del fwmark 0x3000
ip rule add fwmark 0x3000 table 113 prio 9993

ip route flush cache

###########################################################
#Create table to contain items added automatically by wan #
###########################################################
# WAN
iptables -t mangle -D PREROUTING -i br0 -p tcp -m set --match-set LAN_GW src,dst -j MARK --set-mark 0x7000/0x7000
iptables -t mangle -A PREROUTING -i br0 -p tcp -m set --match-set LAN_GW src,dst -j MARK --set-mark 0x7000/0x7000

# VPN Client 1
iptables -t mangle -D PREROUTING -i br0 -p tcp -m set --match-set OVPNC1 src,dst -j MARK --set-mark 0x1000/0x1000
iptables -t mangle -A PREROUTING -i br0 -p tcp -m set --match-set OVPNC1 src,dst -j MARK --set-mark 0x1000/0x1000

# VPN Client 2
iptables -t mangle -D PREROUTING -i br0 -p tcp -m set --match-set OVPNC2 src,dst -j MARK --set-mark 0x2000/0x2000
iptables -t mangle -A PREROUTING -i br0 -p tcp -m set --match-set OVPNC2 src,dst -j MARK --set-mark 0x2000/0x2000

# VPN Client 3
iptables -t mangle -D PREROUTING -i br0 -p tcp -m set --match-set OVPNC3 src,dst -j MARK --set-mark 0x3000/0x3000
iptables -t mangle -A PREROUTING -i br0 -p tcp -m set --match-set OVPNC3 src,dst -j MARK --set-mark 0x3000/0x3000

logger -t "($(basename $0))" $$ Ending IPSET_VPN_Routing.sh..." $0${*:+ $*}."

What I like about the script is I can set Accept DNS Configuration to Exclusive which prevents DNS leaks when using selective routing and allows AB-Solution to work over the VPN tunnel.

I have another script that performs additional routing thru the OpenVPN clients using using domain names mined from dnsmasq. The scripted worked for several months and recently stopped working. So, in attempt to fix the script on the AC88U, I tried to duplicate the success I have with Selective Routing on pfSense using the features of pfBlockerNG to create IPv4 lists using AS Numbers rather than domain names. It can be done in a few mouse clicks on pfSense which is a nice feature! But I still experienced issues on the AC88U.

To better understand what is occurring, I wrote the following script to route queries to www.whatismyipaddress.com to OpenVPN Client 2. I used several other ip location sites to validate that my laptop remained in its assigned interface and the sites always reported the correct location. But where whatismyipaddress ended up is a different story. Here is the code of ipbypass.sh script to test and see what was occuring:

#!/bin/sh
#set -xo
ipset create WHATISMYIPADDRESS hash:net family inet hashsize 1024 maxelem 65536

for domain_name in whatismyipaddress.com
    do
      for ip in $(nslookup $domain_name | grep -v ":" | awk '/^Name:/,0{if (/^Addr/)print $3}'); do
        echo "ip address is:" $ip
        ipset add WHATISMYIPADDRESS $ip
    done
done

###########################################################
#Create table to contain items added automatically by wan #
###########################################################

iptables -v -t mangle -D PREROUTING -i br0 -p tcp -m set --match-set WHATISMYIPADDRESS dst,dst -j MARK --set-mark 0x2000/0x2000
iptables -v -t mangle -A PREROUTING -i br0 -p tcp -m set --match-set WHATISMYIPADDRESS dst,dst -j MARK --set-mark 0x2000/0x2000

logger -t "($(basename $0))" $$ ending ipbypass.sh..." $0${*:+ $*}."

Test Case #1 - Three OpenVPN Clients 1=SD, 2=LA, 3=UK

Laptop set to either WAN, OVPNC1, 2, or 3. Where does WHATISMYIPADDRESS end up?
Laptop    whatismyipaddress.com Location      
0 WAN     LA (Pass)
1 SD      UK (Fail)
2 LA      LA (Pass)
3 UK      UK (Fail)

Chain PREROUTING (policy ACCEPT 8726 packets, 3342K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 MARK       all  --  tun11  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
2        2   156 MARK       all  --  tun12  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
3     1750 1345K MARK       all  --  tun13  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
4        0     0 MARK       tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set LAN_GW src,dst MARK or 0x7000
5     3610  407K MARK       tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set OVPNC1 src,dst MARK or 0x1000
6     3609  407K MARK       tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set OVPNC2 src,dst MARK or 0x2000
7        0     0 MARK       tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set OVPNC3 src,dst MARK or 0x3000
8      100 11050 MARK       tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set WHATISMYIPADDRESS dst,dst MARK or 0x2000

Test Results with 2 OVPN Clients (1=SD, 2=LA):

Laptop set to either WAN or OVPNC1 or 2. Where does WHATISMYIPADDRESS end up?
Laptop    whatismyipaddress.com Location      
0 WAN     LA (Pass)
1 SD      WAN (Fail)
2 LA      LA (Pass)

Chain PREROUTING (policy ACCEPT 87 packets, 7110 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     3399 1981K MARK       all  --  tun11  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
2    10459 8933K MARK       all  --  tun12  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
3       18   725 MARK       tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set WHATISMYIPADDRESS dst,dst MARK or 0x2000
4        0     0 MARK       tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set LAN_GW src,dst MARK or 0x7000
5       16  1878 MARK       tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set OVPNC1 src,dst MARK or 0x1000
6       15  1838 MARK       tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set OVPNC2 src,dst MARK or 0x2000
7        0     0 MARK       tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set OVPNC3 src,dst MARK or 0x3000

ip rule

0:      from all lookup local
9990:   from all fwmark 0x7000 lookup main
9991:   from all fwmark 0x1000 lookup ovpnc1
9992:   from all fwmark 0x2000 lookup ovpnc2
9993:   from all fwmark 0x3000 lookup ovpnc3
32766:  from all lookup main
32767:  from all lookup default

I repeated test case 2 but moved Chain Num 3 to the bottom to Chain 7. I got the same results.

I don't use QOS and tried with AI Protection turned off and on.

 

[Xentrk]

I tried a similar test using another ip location site. I created a rule to route whatismypublicip.com to OVPN2 in LA and placed it before the chains for the LAN IP clients.

iptables –t mangle -A PREROUTING -d 108.160.151.39/32 -i br0 -j MARK --set-xmark 0x2000/0x2000

Laptop is set to use OVPNC1 in SD. However, whatismypublicip.com shows location of OVPNC3 in UK. I don’t see any packets going to OVPNC3 though. I do see packets going to OVPNC2 for whatismypublicip.com. Why does whatismypublicip.com report location of OVPNC3 when is is routed to OVPNC2?

iptables -nvL PREROUTING -t mangle --line

Chain PREROUTING (policy ACCEPT 39935 packets, 14M bytes)
num   pkts bytes target     prot opt in     out    source               destination
1     5972 4468K MARK       all  --  tun11  *      0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
2        0     0 MARK       all  --  tun12  *      0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
3       97 35215 MARK       all  --  tun13  *      0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
4      108 11664 MARK       all  --  br0    *      0.0.0.0/0            108.160.151.39       MARK or 0x2000
5        0     0 MARK       tcp  --  br0    *      0.0.0.0/0            0.0.0.0/0            match-set LAN_GW src,dst MARK or 0x7000
6     7066  878K MARK       tcp  --  br0    *      0.0.0.0/0            0.0.0.0/0            match-set OVPNC1 src,dst MARK or 0x1000
7        0     0 MARK       tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set OVPNC2 src,dst MARK or 0x2000
8        0     0 MARK       tcp  --  br0    *      0.0.0.0/0            0.0.0.0/0            match-set OVPNC3 src,dst MARK or 0x3000

 

[Xentrk]

Here is another test.

Three OVPNC clients. Laptop defaults to OVPNC1.

Add whatismypublicip.com IP address to Destination IP in OVPNC2 and Apply:

Result:

FAIL - whatismypublicip.com reports OVPNC1 location rather than OVPNC2 location.

PASS - Shutdown OVPNC1. Laptop now defaults to WAN. Whatismypublicip.com reports OVPNC2 location.

iptables -nvL PREROUTING -t mangle --line

Chain PREROUTING (policy ACCEPT 13369 packets, 2440K bytes)
num   pkts bytes target     prot opt in     out    source               destination
1       59 44134 MARK       all  --  tun12  *      0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
2        1    60 MARK       all  --  tun13  *      0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
3        0     0 MARK       tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set LAN_GW src,dst MARK or 0x7000
4     5217  743K MARK       tcp  --  br0    *      0.0.0.0/0            0.0.0.0/0            match-set OVPNC1 src,dst MARK or 0x1000
5        0     0 MARK       tcp  --  br0    *      0.0.0.0/0            0.0.0.0/0            match-set OVPNC2 src,dst MARK or 0x2000
6        0     0 MARK       tcp  --  br0    *      0.0.0.0/0            0.0.0.0/0            match-set OVPNC3 src,dst MARK or 0x3000

Interesting is that no packets are shows for the LAN_GW . Yet I did other IP location site lookups to validate I was defaulting to the WAN.

It does not appear that selective routing rules from the Web Gui have iptable rules created for them.. iptables-save | grep 108.160.151.39 returns nothing.

 

[john9527]

Rules are evaluated sequentially, with first match determining the action. OVPNC1 rules and routing occur before OVPNC2. Reverse your logic so that the the 'exception' routing to a specific host is in OVPNC1, and the default action is in OVPNC2.

 

[Xentrk]

Rules are evaluated sequentially, with first match determining the action. OVPNC1 rules and routing occur before OVPNC2. Reverse your logic so that the the 'exception' routing to a specific host is in OVPNC1, and the default action is in OVPNC2.

Thanks @john9527. I will look at that again. I may have given up on that path too soon and may have missed something. I found a quick and dirty way to change the order of the rules is to do an
iptables-save > somefilename

Then, use an editor to move the rules. Then reload it by typing
iptables-restore < somefilename

 

[Xentrk]

I removed the entries from the VPN Client Web GUI. I will need to eventually do this all by shell script rather than manually in the web gui. Where do the rules get executed that are in the web gui? I could not find a iptables entry for them. When I used to list client IP address in the web gui, I use the ip rule command to list what LAN clients are assigned to what OpenVPN client.

The rule to send destination packets to OVPNC2 is listed first in the mangle table PREROUTING Chain. But the whatismypublicip.com query still shows up in OVPNC3 or UK when the default for the Laptop is OVPNC1. There is something I am not getting. On my pfSense, I have the exception rules listed first and the client rules listed last. That works.

iptables -nvL PREROUTING -t mangle --line
Chain PREROUTING (policy ACCEPT 1917 packets, 384K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      102 11388 MARK       all  --  br0    *       0.0.0.0/0            108.160.151.39       MARK or 0x2000
2     3531 2066K MARK       all  --  tun11  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
3        0     0 MARK       all  --  tun12  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
4      206 72255 MARK       all  --  tun13  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
5        0     0 MARK       tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set LAN_GW src,dst MARK or 0x7000
6      349 44915 MARK       tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set OVPNC1 src,dst MARK or 0x1000
7        0     0 MARK       tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set OVPNC2 src,dst MARK or 0x2000
8        0     0 MARK       tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set OVPNC3 src,dst MARK or 0x3000

 

[john9527]

You don't need any custom iptables rules to do what you want......just put the exception in the lower VPN instance, and the default in the higher instance in the gui. It's all handled in the routing rules. For example, I just set it up on my fork, and generated the following rules which work. Make sure you don't have any global/CIDR rules for your subnet in the lower instance.

/tmp/home/root# ip rule
0:      from all lookup local
10000:  from all fwmark 0x7000/0x7000 lookup main
10101:  from 192.168.1.101 to 108.160.151.39 lookup ovpnc1
10301:  from 192.168.1.101 lookup ovpnc2
32766:  from all lookup main
32767:  from all lookup default

The 10000 rule is my vpnbypass driven out of iptables.

 

[Xentrk]

You don't need any custom iptables rules to do what you want......just put the exception in the lower VPN instance, and the default in the higher instance in the gui. It's all handled in the routing rules. For example, I just set it up on my fork, and generated the following rules which work. Make sure you don't have any global/CIDR rules for your subnet in the lower instance.

/tmp/home/root# ip rule
0:      from all lookup local
10000:  from all fwmark 0x7000/0x7000 lookup main
10101:  from 192.168.1.101 to 108.160.151.39 lookup ovpnc1
10301:  from 192.168.1.101 lookup ovpnc2
32766:  from all lookup main
32767:  from all lookup default

The 10000 rule is my vpnbypass driven out of iptables.

Thanks for the tip. It has passed all of the test cases so far:

# WAN
ip rule del fwmark 0x7000
ip rule add fwmark 0x7000 table 254 prio 9970

#whatismypublicip.com
ip rule del to 108.160.151.39
ip rule add to 108.160.151.39 table 112 prio 9990

#VPN Client 1
ip rule del fwmark 0x1000
ip rule add fwmark 0x1000 table 111 prio 9991

#VPN Client 2
ip rule del fwmark 0x2000
ip rule add fwmark 0x2000 table 112 prio 9992

#VPN Client 3
ip rule del fwmark 0x3000
ip rule add fwmark 0x3000 table 113 prio 9993

ip route flush cache

0:      from all lookup local
9970:   from all fwmark 0x7000 lookup main
9990:   from all to 108.160.151.39 lookup ovpnc2
9991:   from all fwmark 0x1000 lookup ovpnc1
9992:   from all fwmark 0x2000 lookup ovpnc2
9993:   from all fwmark 0x3000 lookup ovpnc3
32766:  from all lookup main
32767:  from all lookup default

Things started changing with the original script when I recently added the 3rd OpenVPN client. So I turned off this tunnel and have been recently trying to understand why this impacted the way things had been working. Now I see why. Glad to have the problem finally solved. I will do some more reading on ip rule. I now need to incorporate the other changes for directing traffic and build that functionality in.

I am very grateful for the help!

 

[john9527]

Glad to hear things are moving in the right direction!

BTW....you should also apply a mask when you set the ip rules.....i.e.
ip rule add fwmark 0x7000/0x7000 table 254 prio 9970

otherwise when you do things like turn on QoS (gives final marks like 0x7003) you won't get the desired match. Even though there aren't tc rules for the vpn interfaces, the mark still gets set.

 

[Xentrk]

Glad to hear things are moving in the right direction!

BTW....you should also apply a mask when you set the ip rules.....i.e.
ip rule add fwmark 0x7000/0x7000 table 254 prio 9970

otherwise when you do things like turn on QoS (gives final marks like 0x7003) you won't get the desired match. Even though there aren't tc rules for the vpn interfaces, the mark still gets set.

It appears I was able to get the selective routing script working in my proof of concept state. It is broken up in separate scripts right now as doing so helped me break it up in small pieces in my analysis.

I believe I now understand the precedent and priority order of ip rules, OpenVPN clients and the iptables rules. That is what it took to make it work. I have moved away from using IPSET lists for the LAN clients as I have it in my OP. I did some more testing and found it worked sometimes and not others, especially when the third OpenVPN client come into play. I found using the ip rule add worked best for the LAN clients, which is the same method as placing the LAN clients in the WEB gui. It have me consistent results each time I removed a LAN client from it's assigned interface and added it to another.

I am still using iptables with ipset lists for the traffic I need to selectively route. I tried to use a mega list of IPv4 addresses and create ip rules for each one. But the script would stop after it reach a certain limit. Any idea what the limit is?

To make this code easier to maintain and understand, I would like to use the same table priority number for the LAN clients that I want to route to a OpenVPN client. For example, all LAN clients that will use OVPNC1 will have priority 5001. Likewise, all OVPNC2 clients will use 5002 and all OVPNC3 clients will use 5003. An example is below:

4000:   from 192.168.22.152 lookup main
4001:   from all fwmark 0x7000/0x7000 lookup main
4997:   from all fwmark 0x3000/0x3000 lookup ovpnc3
4998:   from all fwmark 0x2000/0x2000 lookup ovpnc2
4999:   from all to 108.160.151.39 lookup ovpnc2
5000:   from all fwmark 0x1000/0x1000 lookup ovpnc1
5001:   from 192.168.22.152 lookup ovpnc1
5001:   from 192.168.22.153 lookup ovpnc1
5001:   from 192.168.22.154 lookup ovpnc1
5002:  from 192.168.22.170 lookup ovpnc2
5002:  from 192.168.22.171 lookup ovpnc2
5003:   from 192.168.22.160 lookup ovpnc3
5003:  from 192.168.22.161 lookup ovpnc3
32766:  from all lookup main
32767:  from all lookup default

Does not seem to be a problem with this but wanted to check to see what best practice is. The firmware creates a unique priority for each entry in the table if entered thru the GUI.

 

[Martineau]

To make this code easier to maintain and understand, I would like to use the same table priority number for the LAN clients that I want to route to a OpenVPN client.

Does not seem to be a problem with this but wanted to check to see what best practice is.

The man page http://man7.org/linux/man-pages/man8/ip-rule.8.html states:

priority PREFERENCE
    the priority of this rule.  PREFERENCE is an unsigned
    integer value, higher number means lower priority, and
    rules get processed in order of increasing number.
    Each rule should have an explicitly set unique priority value.
    The options preference and order are synonyms with priority.

So (as advised in the man-page) personally I'd always prefer an explicit unique priority for each rule, then there can be no ambiguity - relying on chance isn't a great way to determine routing.

In the case of rules with the same priority, I believe they will be evaluated in the order they were added.
If rules are mutually exclusive this isn't much of a risk; however, mixing subnets and discrete IPs should be carefully checked to ensure no inadvertent overlaps are created.

Performance issues aside, I would prefer a human readable RPDB table, i.e. using a single RPDB rule for IPSETs is preferred.

The efficiency of the IPSET lookup algorithm has been well documented, but I am not sure how much of a performance penalty is imposed though the (necessary?) sequential processing of the RPDB rules if there are hundreds?

NOTE: I have already patched my custom copy of '/usr/sbin/vpnrouting.sh' to accommodate the enforced use of multiple rules with the same priority due to ASUS' poor design choice

# v382.xx for Dual WAN etc. uses prio 100,200 and 400 :-(
if [ -z "$(ip rule | grep -Eo -m 1 "^[1|2|4]00:")" ];then
 START_PRIO=$((10000+(200*($VPN_UNIT-1))))
 END_PRIO=$(($START_PRIO+199))
 VPN_PRIO=$(($START_PRIO+100))
 OFFSET=1
else
 START_PRIO=$VPN_UNIT"0"    
 END_PRIO=$(($START_PRIO+9))
 VPN_PRIO=$(($START_PRIO+5))
 OFFSET=0                     # Limit the VPN Clients to a single (multiple) rule prio 10,15 and 20,25 etc.
fi
WAN_PRIO=$START_PRIO
#VPN_PRIO=$(($START_PRIO+100))

 

[Xentrk]

The man page http://man7.org/linux/man-pages/man8/ip-rule.8.html states:

priority PREFERENCE
    the priority of this rule.  PREFERENCE is an unsigned
    integer value, higher number means lower priority, and
    rules get processed in order of increasing number.
    Each rule should have an explicitly set unique priority value.
    The options preference and order are synonyms with priority.

So (as advised in the man-page) personally I'd always prefer an explicit unique priority for each rule, then there can be no ambiguity - relying on chance isn't a great way to determine routing.

In the case of rules with the same priority, I believe they will be evaluated in the order they were added.
If rules are mutually exclusive this isn't much of a risk; however, mixing subnets and discrete IPs should be carefully checked to ensure no inadvertent overlaps are created.

Performance issues aside, I would prefer a human readable RPDB table, i.e. using a single RPDB rule for IPSETs is preferred.

Thanks for the tip. Unique priorities it is then. I will use a counter to increment the priority to make it unique for each LAN ip address. For example:

# extract OVPNC1 ip addresses
count=5100
for ip in $(awk '{ print $1 }' /jffs/scripts/OVPNC1); do
       ip rule add from $ip table 111 prior $count
       count=`expr $count + 1`
    done
unset ip

I am using a single RPDB rule for IPSET lists containing the IPv4 addresses of the traffic I want to route and that is working well. So, a combination of separate RPDB rules for each LAN client and RPDB rules for each OpenVPN Client masked with a fwmark are passing all of my test cases so far. Just need to test some more and fine tune a few things. Have been able to convert some selective routing from using domain names to AS Numbers. Great when it works. But for some sites, I have to resort to mining dnsmasq.log.