Selective Routing with Asuswrt-Merlin

[LeSilverFox]

Hello SmalnetBuilder community. I’m a first poster and would like to begin staying thank you to everyone for the great firmware (thank you Merlin) and outstanding community support. I have a little challenge around rule based routing and hopping to receive some guidance.

I have an ASUS RT-AC66U with Merlin 374.42.

I read this entire post to learn the technique and I have implemented the ‘optimized’ script as listed below. My problem is that while the correct machines are routed through the VPN tunnel I still can’t connect back to my router . As soon as I turn off the VPN client in the router, connection back to the router is restored.

Two additional observation: when I first setup this script, I could only access internet via the VPN tunnel through the two listed clients. The rest, had no internet access via the wan at all. I managed to overcome this problem by inserting a second line to disable reverse filtering on eth0 ( echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter ). Once I added this line, selective routing started and it has been working for weeks. But I can not connect back from Internet ( the machine I’m trying to connect to has a manually assigned fixed IP addess and the port is forwarded correctly to that machine - actually, I’m trying to reach my plex server from outside).

Two questions: does anyone have any experience/success with connecting back to services running in the local network and what that solution is ? Whether I include ‘route-nopull’ in custom configuration or not, makes zero difference - everything still works the same - is this an indication of me doing something wrong ?

Thank you for any suggestions !!
here’s my script

#!/bin/sh

ip route flush table 10
ip route del default table 10
ip rule del fwmark 10 table 10
ip route flush table 12
ip route del default table 12
ip rule del fwmark 12 table 12
ip route flush cache
iptables -t mangle -F PREROUTING

tun_if="tun11"
tun_ip=$(ifconfig $tun_if | grep 'inet addr:'| cut -d: -f2 | awk '{ print $1}')

ip route add default via $tun_ip dev $tun_if table 10
ip rule add fwmark 10 table 10
ip route add default via $(nvram get wan0_gateway) dev eth0 table 12
ip rule add fwmark 12 table 12

echo 0 > /proc/sys/net/ipv4/conf/$tun_if/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter

iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 12

iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.71 -j MARK --set-mark 10
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.85 -j MARK --set-mark 10
exit 0

 

[bilboSNB]

Definitely use route-nopull and try without

iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 12

and remove or comment the additional line you added and test again.

Although I do seem to remember someone struggling with plex earlier on.

 

[octopus]

tun_ip=$(ifconfig $tun_if | grep 'inet addr:'| cut -d: -f2 | awk '{ print $1}')

 

[LeSilverFox]

Thank you all for coming back with your suggestions, I will certainly give it one more shot, although I tried everything many time before posting. Still one more try wouldn't hurt..

@octupus: the line you highlight has been lifted from previous posts where it worked fine for others. Reading the code, my assessment is that it extracts the ip address for the vpn tunnel exit point.

I think what happens is my connection comes in through the wan address and gets routed back out via the tunnel.

But if this code works for others, it should work for me as well - what could I have missed ?

 

[LeSilverFox]

Well, it seems that my problem is with my ISP, who blocks connecting back to my home network. About two weeks ago they migrated me to a new fibre connection and whilst i enjoy increased speed, I'm double NAT-ed behind their setup. I naively assumed the problem was with my config.

Different battle to fight now....

 

[halex4u]

The selective routing script that used to work on my RT-N66U (now with fw 376.45) doesn't work anymore. I haven't used the script for three months, but now when I needed again I see that all trafic is routed via vpn. I haven't changed anything inside the script:

#!/bin/sh


logger -t "($(basename $0))" $$ VPN Selective customisation starting.... " $0${*:+ $*}."

ip route flush table 10
ip route del default table 10
ip rule del fwmark 10 table 10
ip route flush table 12
ip route del default table 12
ip rule del fwmark 12 table 12
ip route flush cache
iptables -t mangle -F PREROUTING





tun_if="tun11"
tun_ip=$(ifconfig $tun_if | grep 'inet addr:'| cut -d: -f2 | awk '{ print $1}')
logger -t "($(basename $0))" $$ VPN Table tun11/client1




logger -t "($(basename $0))" $$ "CMD: ip route add default via $tun_ip dev $tun_if table 10"
logger -t "($(basename $0))" $$ "CMD: ip route add default via $(nvram get wan0_gateway) dev eth0 table 12"




ip route add default via $tun_ip dev $tun_if table 10
ip rule add fwmark 10 table 10
ip route add default via $(nvram get wan0_gateway) dev eth0 table 12
ip rule add fwmark 12 table 12

echo 0 > /proc/sys/net/ipv4/conf/$tun_if/rp_filter


logger -t "($(basename $0))" $$ VPN Selective customisation for: RO VPN LAN Traffic

iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.0.113 -j MARK --set-mark 10
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.0.123 -j MARK --set-mark 10
iptables -t mangle -A PREROUTING -i br0 -p tcp --dport 563 -j MARK --set-mark 12

logger -t "($(basename $0))" $$ VPN Selective Customization completed.

exit

In log I have:

Sep  4 10:50:02 openvpn[1122]: SENT CONTROL [lsugppknfuoeeri]: 'PUSH_REQUEST' (status=1)
Sep  4 10:50:02 openvpn[1122]: PUSH: Received control message: 'PUSH_REPLY,topology subnet,route-gateway 10.8.0.1,redirect-gateway def1,ping 25,ping-restart 180,route 192.168.1.0 255.255.255.0 10.8.0.1,ifconfig 10.8.0.2 255.255.255.0'
Sep  4 10:50:02 openvpn[1122]: Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
Sep  4 10:50:02 openvpn[1122]: Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
Sep  4 10:50:02 openvpn[1122]: OPTIONS IMPORT: timers and/or timeouts modified
Sep  4 10:50:02 openvpn[1122]: OPTIONS IMPORT: --ifconfig/up options modified
Sep  4 10:50:02 openvpn[1122]: OPTIONS IMPORT: route-related options modified
Sep  4 10:50:02 openvpn[1122]: TUN/TAP device tun11 opened
Sep  4 10:50:02 openvpn[1122]: TUN/TAP TX queue length set to 100
Sep  4 10:50:02 openvpn[1122]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Sep  4 10:50:02 openvpn[1122]: /usr/sbin/ip link set dev tun11 up mtu 1500
Sep  4 10:50:02 openvpn[1122]: /usr/sbin/ip addr add dev tun11 10.8.0.2/24 broadcast 10.8.0.255
Sep  4 10:50:02 openvpn[1122]: updown.sh tun11 1500 1558 10.8.0.2 255.255.255.0 init
Sep  4 10:50:03 openvpn[1122]: /usr/sbin/ip route add 84.232.xxx.yyy/32 via 91.177.xxx.zzz
Sep  4 10:50:03 openvpn[1122]: /usr/sbin/ip route add 0.0.0.0/1 via 10.8.0.1
Sep  4 10:50:03 openvpn[1122]: /usr/sbin/ip route add 128.0.0.0/1 via 10.8.0.1
Sep  4 10:50:03 (selective-routing-second.sh): 1177 VPN Selective customisation starting....  /jffs/scripts/selective-routing-second.sh.
Sep  4 10:50:03 (selective-routing-second.sh): 1177 VPN Table tun11/client1
Sep  4 10:50:04 (selective-routing-second.sh): 1177 CMD: ip route add default via 10.8.0.2 dev tun11 table 10
Sep  4 10:50:04 (selective-routing-second.sh): 1177 CMD: ip route add default via 91.177.0.1 dev eth0 table 12
Sep  4 10:50:04 (selective-routing-second.sh): 1177 VPN Selective customisation for: RO VPN LAN Traffic
Sep  4 10:50:04 (selective-routing-second.sh): 1177 VPN Selective Customization completed.
Sep  4 10:50:04 openvpn[1122]: Initialization Sequence Completed

I Custom Configuration I put the following:

status current_status
ns-cert-type server
topology subnet
route-nopull
script-security 2
route-up /jffs/scripts/selective-routing-second.sh

I would appreciate any help!

Thx

 

[brandon66]

General consensus

Hi, I'm having trouble understanding what's the best way to do selective routing on the RT-N66U. it seems that there are a large amount of great ideas here on this forum for selective VPN routing that are maturing, however it would be great if someone could advise on the most complete, correct and up to date (best general consensus) code for my following application.

Also if anyone cares to comment on: "selective VPN routing is quite tricky to accomplish and cannot be done solely through iptables - you have to manipulate traffic routing".

Thanks!

==============
#Selective Routing
==============
#All traffic forced through the VPN, firewall completely blocking everything else unless defined (see next line)

#I would like to define rules to allow VPN bypass based on the destination IP address/range (for tv services)

================
#general firewall rules:
================
#Blocking of certain ports globally incoming/outgoing

#Blocking of certain Lan/Lan to prevent certain lan IP addresses from accessing another
lan IP (only allow access to WAN)

#Optionally blocking all Lan/Lan connections globally only allowing them to access the internet and later defining a rule to allow one local IP access to router web interface.

 

[dooniem]

In response to #163

Hi. It's nice to see all the knowledge and help that has been provided in this thread, I hope this thread isn't dead yet? :O
I've gone through the entire thread and found the set up that suits my needs the most. That is this one #163, which sets out to allow all traffic to bypass the VPN, except for the Transmission-client running locally on my router.

The problem of course, is I can't get it to work.

My syslog is giving me hints about the rules being applied to the wrong IP, but the described script isn't based on a specific IP...
Here's the syslog:

Sep 26 16:39:01 rc_service: httpd 359:notify_rc start_vpnclient1
Sep 26 16:39:02 kernel: tun: Universal TUN/TAP device driver, 1.6
Sep 26 16:39:02 kernel: tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
Sep 26 16:39:02 openvpn[1156]: OpenVPN 2.3.4 mipsel-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Aug 17 2014
Sep 26 16:39:02 openvpn[1156]: library versions: OpenSSL 1.0.0n 6 Aug 2014, LZO 2.08
Sep 26 16:39:02 openvpn[1156]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Sep 26 16:39:02 openvpn[1156]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sep 26 16:39:02 openvpn[1156]: Control Channel Authentication: using 'static.key' as a OpenVPN static key file
Sep 26 16:39:02 openvpn[1156]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sep 26 16:39:02 openvpn[1156]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sep 26 16:39:02 openvpn[1156]: Socket Buffers: R=[118784->131072] S=[118784->131072]
Sep 26 16:39:02 openvpn[1164]: UDPv4 link local: [undef]
Sep 26 16:39:02 openvpn[1164]: UDPv4 link remote: [AF_INET]217.170.205.123:1194
Sep 26 16:39:02 openvpn[1164]: TLS: Initial packet from [AF_INET]217.170.205.123:1194, sid=5eba1f84 ff07d6d4
Sep 26 16:39:02 openvpn[1164]: VERIFY OK: depth=1, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, CN=Fort-Funston CA, emailAddress=me@myhost.mydomain
Sep 26 16:39:02 openvpn[1164]: VERIFY OK: depth=0, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, CN=server, emailAddress=me@myhost.mydomain
Sep 26 16:39:04 openvpn[1164]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sep 26 16:39:04 openvpn[1164]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sep 26 16:39:04 openvpn[1164]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sep 26 16:39:04 openvpn[1164]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sep 26 16:39:04 openvpn[1164]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Sep 26 16:39:04 openvpn[1164]: [server] Peer Connection Initiated with [AF_INET]217.170.205.123:1194
Sep 26 16:39:06 openvpn[1164]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Sep 26 16:39:06 openvpn[1164]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 10.10.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.10.0.242 10.10.0.241'
Sep 26 16:39:06 openvpn[1164]: Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
Sep 26 16:39:06 openvpn[1164]: Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Sep 26 16:39:06 openvpn[1164]: Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Sep 26 16:39:06 openvpn[1164]: Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
Sep 26 16:39:06 openvpn[1164]: OPTIONS IMPORT: timers and/or timeouts modified
Sep 26 16:39:06 openvpn[1164]: OPTIONS IMPORT: --ifconfig/up options modified
Sep 26 16:39:06 openvpn[1164]: TUN/TAP device tun11 opened
Sep 26 16:39:06 openvpn[1164]: TUN/TAP TX queue length set to 100
Sep 26 16:39:06 openvpn[1164]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Sep 26 16:39:06 openvpn[1164]: /usr/sbin/ip link set dev tun11 up mtu 1500
Sep 26 16:39:06 openvpn[1164]: /usr/sbin/ip addr add dev tun11 local 10.10.0.242 peer 10.10.0.241
Sep 26 16:39:06 openvpn[1164]: updown.sh tun11 1500 1546 10.10.0.242 10.10.0.241 init
Sep 26 16:39:06 (vpn_route_up.sh): 1184 VPN Selective routing starting....  /jffs/scripts/vpn_route_up.sh.
Sep 26 16:39:06 openvpn[1164]: Initialization Sequence Completed
Sep 26 16:39:40 dnsmasq-dhcp[540]: DHCPREQUEST(br0) x.x.x.x d8:xx:95:b5:6b:4a 
Sep 26 16:39:40 dnsmasq-dhcp[540]: DHCPACK(br0) 192.168.1.44 d8:96:95:b5:6b:4a Doonies-iPhone
Sep 26 16:40:44 transmission-daemon[654]: ipMagnet+Tracking+Link Tracker error: "IP: x.x.x.x" (torrent.c:580)

As I said, I have no idea why it chooses to add "/usr/sbin/ip addr add dev tun11 local 10.10.0.242 peer 10.10.0.241", or if it means anything important.

My custom configuration is:
(with "redirect internet traffic" set to NO)

route-nopull
script-security 2
route-up /jffs/scripts/vpn_route_up.sh
tun-mtu 1500
fragment 1300
mssfix 1450

The extra settings I added because of instructions from my vpn-provider. Not sure if I need them?

Since I am trying to force the Transmission daemon and its ports through the VPN client, i wrote "vpn_route_up.sh" as the following:

#!/bin/sh
logger -t "($(basename $0))" $$ VPN Selective routing starting.... " $0${*:+ $*}."

ip route flush table 10
ip route del default table 10
ip rule del fwmark 10 table 10
ip route flush cache
iptables -t mangle -F PREROUTING

tun_if="tun11"  
tun_ip=$(ifconfig $tun_if | grep 'inet addr:'| cut -d: -f2 | awk '{ print $1}')

ip route add default via $tun_ip dev $tun_if table 10
ip rule add fwmark 10 table 10

echo 0 > /proc/sys/net/ipv4/conf/$tun_if/rp_filter


iptables -t mangle -A PREROUTING -i br0 -p tcp --dport 49152:65535 -j MARK --set-mark 10
iptables -t mangle -A PREROUTING -i br0 -p udp --dport 49152:65535 -j MARK --set-mark 10

exit

I checked my settings.json (for Transmission) and found that I had a random low and random high port range from my chosen port 50000. So I added a port range. Maybe 50000 is sufficient, but this is part of my troubleshooting.
The question here is if I should add the local IP somehow too? Limiting only the specified ports to be affected, not the others...
Or can anyone tell what I'm doing wrong here?

Edit: I forgot to mention the last line in the syslog, the one that says Ipmagnet. I use the IPmagnetTool to check if my torrent client is using the VPN IP I'm trying to get it to broadcast.

 

[dooniem]

This is the sequence I personally use in my custom VPN_Select.sh script which is called each time the VPN Client (#1 or #2) is restarted

ip route flush table 10
ip rule del fwmark 10 10
ip rule del table 10

Regards,

I'd like to implement this...But I can't grasp what/how/where this is supposed to go, to automatically run on restart? Is it sufficient to add it on top and inside "vpn_route_up.sh"? Should anything be replaced if I go about with the "mostly talked about recent" script?

 

[Hakon_H]

PIA WAN Access

Hello.
Sorry for this post, but I have done a lot of reading and searching.

I have Openvpn and Privat Internet Access up and running.
Problem is when openvpn is running I can not access transmission or lighttpd server from wan. both running on my ac68u

Can anyone please point me in the right direction.

 

[dooniem]

Hello.
Sorry for this post, but I have done a lot of reading and searching.

I have Openvpn and Privat Internet Access up and running.
Problem is when openvpn is running I can not access transmission or lighttpd server from wan. both running on my ac68u

Can anyone please point me in the right direction.

You basically have to tell your router NOT to filter the ports you are using for transmission through your VPN. This thread has managed to come up with 2 different ways of solving it. I myself haven't gotten it to work yet, but hoping to bring this thread back to life, I'm telling you what I have grasped so far.

Reading post number #64 and #163 (again) is your pointers.


The first one making two new router tables or "filters". Where 10 means route through VPN, 12 means pass-through. In the second one, you make only one new route table, and the "information" in that route table goes through your VPN.


Since you already have set up transmission, I'm guessing you already have enabled your "jffs drive". Next you need to figure out the port numbers and the affected IPs in your set-up and adjust one of the provied scripts.

The script goes into the scripts folder described in the first pointer. You can get access to that folder using i.e winscp
Don't forget to make your script executable (properties hexa 0777). And use scp connection, not sftp.
A regular problem is that the router don't recognize a script written in WINSCPs note editor. So you should write it in i.e notepad++ (save as all files) and transfer it over from your local drive.
Check your system log on the main page of your merlin firmware for potential errors after turning your vpn service on.
Don't forget to start your script with

#!/bin/sh

It's left out of the code in post #64, if you go for that one.

 

[Hakon_H]

You basically have to tell your router NOT to filter the ports you are using for transmission through your VPN. This thread has managed to come up with 2 different ways of solving it. I myself haven't gotten it to work yet, but hoping to bring this thread back to life, I'm telling you what I have grasped so far.

Reading post number #64 and #163 (again) is your pointers.


The first one making two new router tables or "filters". Where 10 means route through VPN, 12 means pass-through. In the second one, you make only one new route table, and the "information" in that route table goes through your VPN.


Since you already have set up transmission, I'm guessing you already have enabled your "jffs drive". Next you need to figure out the port numbers and the affected IPs in your set-up and adjust one of the provied scripts.

The script goes into the scripts folder described in the first pointer. You can get access to that folder using i.e winscp
Don't forget to make your script executable (properties hexa 0777). And use scp connection, not sftp.
A regular problem is that the router don't recognize a script written in WINSCPs note editor. So you should write it in i.e notepad++ (save as all files) and transfer it over from your local drive.
Check your system log on the main page of your merlin firmware for potential errors after turning your vpn service on.
Don't forget to start your script with

#!/bin/sh

Thank you
I can now connect to transmission and lighttpd web server on my router.
I did this by adding "route-nopull" in custom configuration (router web ui) and leaving my router outside the "vpn_route_up.sh" script.

My next problem is forwarding the ports 8080 and 11348 to 10.0.0.44. This destination is using the VPN

 

[Hakon_H]

When I enable DMZ in web UI I am able to connect to port 8080 and 11348.
I think it has something to do with double nat

 

[aeolius]

Two Vpn Client Connections

Ok, I have followed the selective routing until now, and I can get it working for the most part with ports, ip address, ranges of addresses as I want it, however, I was hoping to go one step beyond, I can connect as a client to two openvpn servers simultaneously and was hoping to route some ip's to lets say server A, some to server B and some via default gateway. So if we take for example

#!/bin/sh

#
ip route flush table 10
ip route del default table 10
ip rule del fwmark 10 table 10
ip route flush table 12
ip route del default table 12
ip rule del fwmark 12 table 12
ip route flush table 14
ip route del default table 14
ip rule del fwmark 14 table 14

ip route flush cache
iptables -t mangle -F PREROUTING

tun_if="tun11"
tun_ip=$(ifconfig $tun_if | grep 'inet addr:'| cut -d: -f2 | awk '{ print $1}')
tun_ips=$(ifconfig tun12 | grep 'inet addr:'| cut -d: -f2 | awk '{ print $1}')

ip route add default via $tun_ip dev $tun_if table 10
ip rule add fwmark 10 table 10
ip route add default via $(nvram get wan0_gateway) dev eth0 table 12
ip rule add fwmark 12 table 12
ip route add default via tun_ips dev tun12 table 14
ip rule add fwmark 14 table 14

echo 0 > /proc/sys/net/ipv4/conf/$tun_if/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/tun12/rp_filter

iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.5-192.168.1.120 -j MARK --set-mark 10
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.228-192.168.1.232 -j MARK --set-mark 10
iptables -t mangle -A PREROUTING -i br0 -p tcp --dport 563 -j MARK --set-mark 12
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.136-192.168.1.138 -j MARK --set-mark 14


exit

What else would I need to make this work properly?

 

[aeolius]

Thinking...

I'm thinking I need to modify this guide :

http://tomatousb.org/forum/t-810441/tutorial:openvpn-split-vpn-clients-pia-with-port-forwarding

but I'm not sure if that is or is not overly complicated for my purposes.

 

[aeolius]

Been Playing

I've managed to make both clients connect and tun12 and tun11 appear to be being properly routed when I look at the syslog, however the ip's assigned to tun12 are defaulting to the default WAN gateway instead of the vpn's gateway. So, I'm still not sure how I'm supposed to write this into the script or a script.

 

[Martineau]

I've managed to make both clients connect and tun12 and tun11 appear to be being properly routed when I look at the syslog, however the ip's assigned to tun12 are defaulting to the default WAN gateway instead of the vpn's gateway. So, I'm still not sure how I'm supposed to write this into the script or a script.

I only created two new tables for VPN_Client1 and VPN_Client2

So I don't think you need to create table 12

I suggest you issue the following commands to identify the table configs

ip rule

and there should be two 'lookup' entries so in your case you would then issue

ip route show table 10
ip route show table 14

to check the correct VPN gateways are defined for the two VPN clients.

The next two commands should show which devices are being tagged etc.

iptables -t mangle -L -nv --line
iptables -t nat -L -nv --line

Regards,

 

[aeolius]

will check

ok, I'm definitely going to check on this when I get home, just ssh'd into it from work to check run those commands but don't have a lot of time at work to see what I need to change. Where would you recommend I put the script, I'm not sure its in a good place now cause I have it in the custom config of client 1 and client 2 on the gui, which theoretically means it runs everytime I flip the switch on one of those, not sure if that is going to cause any conflicts, should I put it in wan-start to run the vpn_route_up script or elsewhere instead of my current config? Really appreciate the help, from what you've said briefly there it appears as if I've made this more complicated than I need to.

 

[aeolius]

This is the log when I start client two, it says its connected but the log appears as if it connects and then immediately disconnects and retries several times, I'm not sure if anybody has any idea what is happening here? I'm in mid-process of simplifying that vpn_route_up script so that it just has the two tables and not 3.

Oct  1 12:47:51 rc_service: httpd 741:notify_rc start_vpnclient2
Oct  1 12:47:52 openvpn[17641]: OpenVPN 2.3.4 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Sep 20 2014
Oct  1 12:47:52 openvpn[17641]: library versions: OpenSSL 1.0.0n 6 Aug 2014, LZO 2.08
Oct  1 12:47:52 openvpn[17641]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Oct  1 12:47:52 openvpn[17641]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Oct  1 12:47:52 openvpn[17641]: Deprecated TLS cipher name 'DHE-RSA-AES256-SHA', please use IANA name 'TLS-DHE-RSA-WITH-AES-256-CBC-SHA'
Oct  1 12:47:52 openvpn[17641]: Socket Buffers: R=[128000->131072] S=[128000->131072]
Oct  1 12:47:52 openvpn[17644]: Attempting to establish TCP connection with [AF_INET]81.171.110.67:1194 [nonblock]
Oct  1 12:47:53 openvpn[17644]: TCP connection established with [AF_INET]81.171.110.67:1194
Oct  1 12:47:53 openvpn[17644]: TCPv4_CLIENT link local: [undef]
Oct  1 12:47:53 openvpn[17644]: TCPv4_CLIENT link remote: [AF_INET]81.171.110.67:1194
Oct  1 12:47:53 openvpn[17644]: TLS: Initial packet from [AF_INET]81.171.110.67:1194, sid=be4a019f 4ae15289
Oct  1 12:47:53 openvpn[17644]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Oct  1 12:47:54 openvpn[17644]: VERIFY OK: depth=1, C=US, ST=VPN, L=VPN, O=VPN, OU=VPN, CN=VPN, name=VPN, emailAddress=VPN
Oct  1 12:47:54 openvpn[17644]: VERIFY OK: depth=0, C=US, ST=VPN, L=VPN, O=VPN, OU=VPN, CN=vpn, name=VPN
Oct  1 12:47:55 openvpn[17644]: Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Oct  1 12:47:55 openvpn[17644]: Data Channel Encrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
Oct  1 12:47:55 openvpn[17644]: Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Oct  1 12:47:55 openvpn[17644]: Data Channel Decrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
Oct  1 12:47:55 openvpn[17644]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Oct  1 12:47:55 openvpn[17644]: [vpn] Peer Connection Initiated with [AF_INET]81.171.110.67:1194
Oct  1 12:47:57 openvpn[17644]: SENT CONTROL [vpn]: 'PUSH_REQUEST' (status=1)
Oct  1 12:47:57 openvpn[17644]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 198.18.0.1,dhcp-option DNS 198.18.0.2,rcvbuf 262144,explicit-exit-notify 5,route-gateway 172.20.44.1,topology subnet,ping 20,ping-restart 40,ifconfig 172.20.47.64 255.255.252.0'
Oct  1 12:47:57 openvpn[17644]: Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
Oct  1 12:47:57 openvpn[17644]: Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Oct  1 12:47:57 openvpn[17644]: Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Oct  1 12:47:57 openvpn[17644]: OPTIONS IMPORT: timers and/or timeouts modified
Oct  1 12:47:57 openvpn[17644]: OPTIONS IMPORT: --explicit-exit-notify can only be used with --proto udp
Oct  1 12:47:57 openvpn[17644]: OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Oct  1 12:47:57 openvpn[17644]: Socket Buffers: R=[131072->241664] S=[131072->131072]
Oct  1 12:47:57 openvpn[17644]: OPTIONS IMPORT: --ifconfig/up options modified
Oct  1 12:47:57 openvpn[17644]: OPTIONS IMPORT: route-related options modified
Oct  1 12:47:57 openvpn[17644]: TUN/TAP device tun12 opened
Oct  1 12:47:57 openvpn[17644]: TUN/TAP TX queue length set to 100
Oct  1 12:47:57 openvpn[17644]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Oct  1 12:47:57 openvpn[17644]: /usr/sbin/ip link set dev tun12 up mtu 1500
Oct  1 12:47:57 openvpn[17644]: /usr/sbin/ip addr add dev tun12 172.20.47.64/22 broadcast 172.20.47.255
Oct  1 12:47:58 openvpn[17644]: updown.sh tun12 1500 1572 172.20.47.64 255.255.252.0 init
Oct  1 12:47:58 openvpn[17644]: Initialization Sequence Completed
Oct  1 12:51:54 openvpn[15826]: event_wait : Interrupted system call (code=4)
Oct  1 12:51:54 openvpn[15826]: OpenVPN STATISTICS
Oct  1 12:51:54 openvpn[15826]: Updated,Wed Oct  1 12:51:54 2014
Oct  1 12:51:54 openvpn[15826]: TUN/TAP read bytes,76141564
Oct  1 12:51:54 openvpn[15826]: TUN/TAP write bytes,848575067
Oct  1 12:51:54 openvpn[15826]: TCP/UDP read bytes,895001028
Oct  1 12:51:54 openvpn[15826]: TCP/UDP write bytes,102227571
Oct  1 12:51:54 openvpn[15826]: Auth read bytes,848579809
Oct  1 12:51:54 openvpn[15826]: pre-compress bytes,10141501
Oct  1 12:51:54 openvpn[15826]: post-compress bytes,8953049
Oct  1 12:51:54 openvpn[15826]: pre-decompress bytes,3872983
Oct  1 12:51:54 openvpn[15826]: post-decompress bytes,5526805
Oct  1 12:51:54 openvpn[15826]: END
Oct  1 12:51:55 openvpn[17644]: event_wait : Interrupted system call (code=4)
Oct  1 12:51:55 openvpn[17644]: OpenVPN STATISTICS
Oct  1 12:51:55 openvpn[17644]: Updated,Wed Oct  1 12:51:55 2014
Oct  1 12:51:55 openvpn[17644]: TUN/TAP read bytes,0
Oct  1 12:51:55 openvpn[17644]: TUN/TAP write bytes,0
Oct  1 12:51:55 openvpn[17644]: TCP/UDP read bytes,5467
Oct  1 12:51:55 openvpn[17644]: TCP/UDP write bytes,2831
Oct  1 12:51:55 openvpn[17644]: Auth read bytes,176
Oct  1 12:51:55 openvpn[17644]: pre-compress bytes,0
Oct  1 12:51:55 openvpn[17644]: post-compress bytes,0
Oct  1 12:51:55 openvpn[17644]: pre-decompress bytes,0
Oct  1 12:51:55 openvpn[17644]: post-decompress bytes,0
Oct  1 12:51:55 openvpn[17644]: END
Oct  1 12:54:15 openvpn[15826]: event_wait : Interrupted system call (code=4)
Oct  1 12:54:15 openvpn[15826]: OpenVPN STATISTICS
Oct  1 12:54:15 openvpn[15826]: Updated,Wed Oct  1 12:54:15 2014
Oct  1 12:54:15 openvpn[15826]: TUN/TAP read bytes,76196731
Oct  1 12:54:15 openvpn[15826]: TUN/TAP write bytes,849042758
Oct  1 12:54:15 openvpn[15826]: TCP/UDP read bytes,895492896
Oct  1 12:54:15 openvpn[15826]: TCP/UDP write bytes,102291347
Oct  1 12:54:15 openvpn[15826]: Auth read bytes,849047564
Oct  1 12:54:15 openvpn[15826]: pre-compress bytes,10183093
Oct  1 12:54:15 openvpn[15826]: post-compress bytes,8989083
Oct  1 12:54:15 openvpn[15826]: pre-decompress bytes,3872983
Oct  1 12:54:15 openvpn[15826]: post-decompress bytes,5526805
Oct  1 12:54:15 openvpn[15826]: END
Oct  1 12:54:16 openvpn[17644]: event_wait : Interrupted system call (code=4)
Oct  1 12:54:16 openvpn[17644]: OpenVPN STATISTICS
Oct  1 12:54:16 openvpn[17644]: Updated,Wed Oct  1 12:54:16 2014
Oct  1 12:54:16 openvpn[17644]: TUN/TAP read bytes,0
Oct  1 12:54:16 openvpn[17644]: TUN/TAP write bytes,0
Oct  1 12:54:16 openvpn[17644]: TCP/UDP read bytes,6034
Oct  1 12:54:16 openvpn[17644]: TCP/UDP write bytes,3412
Oct  1 12:54:16 openvpn[17644]: Auth read bytes,288
Oct  1 12:54:16 openvpn[17644]: pre-compress bytes,0
Oct  1 12:54:16 openvpn[17644]: post-compress bytes,0
Oct  1 12:54:16 openvpn[17644]: pre-decompress bytes,0
Oct  1 12:54:16 openvpn[17644]: post-decompress bytes,0
Oct  1 12:54:16 openvpn[17644]: END

 

[aeolius]

alright

I've changed the vpn_route_up script and made it so it only has lines pertinent to table 10 and table 14, however when I run ip route show table 14 I get nothing, so I'm not sure where it happens but table 14 is not getting populated whereas table 10 is.