Selective Routing with Asuswrt-Merlin

I'm sorry, but that's how you wrote it; in the end I do not know what to change or how to change it. I do not want to do anything in the dark because, after the recent changes in the script, I sat down with quite a routing table and I could not even get to the router. Can you paste a target script?
I'm sorry, but I've tried so many different modifications of the script that I've already lost track.
 
I'm still trying to get this selective routing set up but continue to have problems.

This is my custom config:
tls-client
remote-cert-tls server
reneg-sec 0
script-security 2
route-up /jffs/scripts/vpn_route_up.sh

and when it is started I get this error:

WARNING: Failed running command (--route-up): could not execute external program
Feb 8 16:14:26 openvpn[23911]: Initialization Sequence Completed


Please explain...

Thanks
Chris
 
Ensure the first line of the script is

#!/bin/sh

and that

/jffs/scripts/vpn_route_up.sh

is actually able to execute; if not, then chmod 777.

If you have used a non-Unix-aware editor such as Windows Notepad, then recreate the script using vi/nano (or Notepad++/WinSCP if on Windows) so that each line is terminated with 'LF' characters rather than 'CRLF'.
 
Hi guys. I hope there's a nice soul out there to help me out. If I got this sorted out, one might make a sticky out of it for others to benefit from?

Background: I'm an expat living in a country where Big Brother keeps an eye on the traffic. In addition he blocks VoIP and political websites etc. The savior is VPN, which I've got working like a charm on my Asus RT-AC68U with Merlin's 378.50 that routes all my traffic through OpenVPN back to my home country.
I followed the guide from the VPN provider and the highlights are:

Start with WAN: Yes.
Interface: TAP
Firewall: Automatic
Server on same subnet: No
Create NAT on tunnel: Yes

However I'd like to tweak it with the following changes:
1. One specific client (static local IP assigned 192.168.11.100) has a need to access the internet directly (non-VPN)
2. Traffic from all clients to a specific website (my office website located a few miles away from my location, 113.42.110.227) should be routed outside the VPN, otherwise it becomes extremely slow. About the office website's IPs: there might be a range of IPs, not really sure, but a ping responds with the current one.

Not as important, but a very nice addition would be
3. a guest WiFi routed through the VPN but with no access to the LAN (i.e. no access to my NAS or other clients on the network).

Anyone keen on making a step-by-step guide on how to achieve it?


I've read through the thread as well as done some extensive googling, but whatever I try doesn't seem to work (hangs, continuously rebooting etc). To be honest I'm not used to editing routing tables or writing iptables scripts. I did set up a Linux server about 10 years ago with some iptables stuff successfully, but that's about it.
At the moment the router is flashed with the latest firmware, completely reset and set up with VPN running on TAP11, and back working again.

Fingers crossed someone out there is able to help out!

All the best and thanks in advance!


Current routing table:
Code:
Destination      Gateway          Genmask          Flags Metric Ref Use Iface
143.180.119.2    112.72.64.1      255.255.255.255  UGH   0      0   0   WAN
112.72.64.1      *                255.255.255.255  UH    0      0   0   WAN
143.180.119.128  *                255.255.255.224  U     0      0   0   tap11
192.168.11.0     *                255.255.255.0    U     0      0   0   LAN
default          143.180.119.129  128.0.0.0        UG    0      0   0   tap11
128.0.0.0        143.180.119.129  128.0.0.0        UG    0      0   0   tap11
default          112.72.64.1      0.0.0.0          UG    0      0   0   WAN
 
Ensure the first line of the script is

#!/bin/sh

and that

/jffs/scripts/vpn_route_up.sh

is actually able to execute; if not, then chmod 777.

If you have used a non-Unix-aware editor such as Windows Notepad, then recreate the script using vi/nano (or Notepad++/WinSCP if on Windows) so that each line is terminated with 'LF' characters rather than 'CRLF'.


Thank you. I used Notepad++ and winscp on windows. I will try your suggestion.
 
Show your progress

I've read through the thread as well as done some extensive googling, but whatever I try doesn't seem to work (hangs, continuously rebooting etc). To be honest I'm not used to editing routing tables or writing iptables scripts. I did set up a Linux server about 10 years ago with some iptables stuff successfully, but that's about it.
At the moment the router is flashed with the latest firmware, completely reset and set up with VPN running on TAP11, and back working again.

Fingers crossed someone out there is able to help out!

All the best and thanks in advance!

Show how far you got by describing the process you followed, and post your script.

Cheers
 
This is the code from page 2 of this wonderful thread.

Code:
#!/bin/sh

sleep 2

touch /tmp/000wanstarted

# Disable reverse path filtering on all interfaces, otherwise replies arriving on the
# "other" interface are dropped once traffic is split between the WAN and the VPN.
for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
    echo 0 > $i
done

#US VPN

#
# Delete table 100 and flush any existing rules if they exist.
# (RTNETLINK errors here only mean there was nothing to delete yet.)
#
ip route flush table 100
ip route del default table 100
ip rule del fwmark 1 table 100
ip route flush cache
iptables -t mangle -F PREROUTING

#
# Copy all non-default and non-VPN related routes from the main table into table 100.
# Then configure table 100 to route all traffic out the WAN gateway and assign it mark "1"
#
# NOTE: Here I assume the OpenVPN tunnel is named "tun11".
#
ip route show table main | grep -Ev ^default | grep -Ev tun11 \
  | while read ROUTE ; do
      ip route add table 100 $ROUTE
  done

ip route add default table 100 via $(nvram get wan_gateway)
ip rule add fwmark 1 table 100
ip route flush cache

#
# Define the routing policies for the traffic. The rules will be applied in the order that they
# are listed. In the end, packets with MARK set to "0" will pass through the VPN. If MARK is set
# to "1" it will bypass the VPN.
#

# All LAN traffic will bypass the VPN (useful to put this rule first, so all traffic bypasses
# the VPN and you can configure exceptions afterwards)
iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1

# All traffic from Roku Wireless will use the UK VPN
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.103 -j MARK --set-mark 0

exit 0

I basically need something very similar to this, as follows:

One LAN device on a static IP (192.168.1.105) to use the VPN, solely.
All other LAN devices to bypass the VPN completely.
All wireless devices to bypass the VPN completely.

So, only one device using the VPN permanently.

OpenVPN is set up and working in the router (AC68U) and I have jffs set up correctly also.

Any help much appreciated. Thank you :)
 
Try this script VPN_Select.sh, and you will need to add the directives

route-nopull
script-security 2
route-up /jffs/scripts/VPN_Select.sh


to the Custom VPN dialog box

#!/bin/sh

MY_VPNTAB=101 # Now read from /jffs/configs/VPNSelect
TAG_MARK=1 # Now read from /jffs/configs/VPNSelect

# Use the OpenVPN environment variables ($dev is the tunnel interface, $ifconfig_local its local address)
if [ "X$dev" = "X" ]; then
    logger -s -t "($(basename $0))" $$ "*** ERROR not called by VPN Client route-up?...ABORTing!"
    exit 1
fi

# Create new table to route VPN traffic when tagged with MARK. (Credit to SmallNetBuilder member DJR747)
# or to be associated with a WiFi Guest SSID.
ip route flush table $MY_VPNTAB
ip rule del fwmark $TAG_MARK
ip rule del table $MY_VPNTAB


# Disable Reverse Path Filtering on current VPN network interface:
echo 0 > /proc/sys/net/ipv4/conf/$dev/rp_filter

ip route add default via $ifconfig_local dev $dev table $MY_VPNTAB
ip rule add fwmark $TAG_MARK table $MY_VPNTAB

#iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.105 -j MARK --set-mark $TAG_MARK

# Use the Routing Policy Database (RPDB) as of Apr 2015 to eliminate '-t mangle table' chain corruption
# (the table looked up here must be the same one filled above, hence $MY_VPNTAB rather than a literal)
ip rule add from 192.168.1.105 lookup $MY_VPNTAB
ip route flush cache
 
I was able to get selective routing finally setup and working thanks to this site and thread.
My only issue now is how to get my DDNS name to work?
I have no-ip.com set up on my N66U and now with the VPN my domain is not getting resolved. Is there a port I need to open in the script?

Again thanks for the continued help.
 
I was able to get selective routing finally setup and working thanks to this site and thread.
My only issue now is how to get my DDNS name to work?
I have no-ip.com set up on my N66U and now with the VPN my domain is not getting resolved. Is there a port I need to open in the script?

Again thanks for the continued help.
Have you added

route-nopull

to the vpn custom configuration ?
 
Hi guys. I hope there's a nice soul out there to help me out. If I got this sorted out, one might make a sticky out of it for others to benefit from?

Background: I'm an expat living in a country where Big Brother keeps an eye on the traffic. In addition he blocks VoIP and political websites etc. The savior is VPN, which I've got working like a charm on my Asus RT-AC68U with Merlin's 378.50 that routes all my traffic through OpenVPN back to my home country.
I followed the guide from the VPN provider and the highlights are:

Start with WAN: Yes.
Interface: TAP
Firewall: Automatic
Server on same subnet: No
Create NAT on tunnel: Yes

However I'd like to tweak it with the following changes:
1. One specific client (static local IP assigned 192.168.11.100) has a need to access the internet directly (non-VPN)
2. Traffic from all clients to a specific website (my office website located a few miles away from my location, 113.42.110.227) should be routed outside the VPN, otherwise it becomes extremely slow. About the office website's IPs: there might be a range of IPs, not really sure, but a ping responds with the current one.

Not as important, but a very nice addition would be
3. a guest WiFi routed through the VPN but with no access to the LAN (i.e. no access to my NAS or other clients on the network).

Anyone keen on making a step-by-step guide on how to achieve it?


I've read through the thread as well as done some extensive googling, but whatever I try doesn't seem to work (hangs, continuously rebooting etc). To be honest I'm not used to editing routing tables or writing iptables scripts. I did set up a Linux server about 10 years ago with some iptables stuff successfully, but that's about it.
At the moment the router is flashed with the latest firmware, completely reset and set up with VPN running on TAP11, and back working again.

Fingers crossed someone out there is able to help out!

All the best and thanks in advance!


Current routing table:
Code:
Destination      Gateway          Genmask          Flags Metric Ref Use Iface
143.180.119.2    112.72.64.1      255.255.255.255  UGH   0      0   0   WAN
112.72.64.1      *                255.255.255.255  UH    0      0   0   WAN
143.180.119.128  *                255.255.255.224  U     0      0   0   tap11
192.168.11.0     *                255.255.255.0    U     0      0   0   LAN
default          143.180.119.129  128.0.0.0        UG    0      0   0   tap11
128.0.0.0        143.180.119.129  128.0.0.0        UG    0      0   0   tap11
default          112.72.64.1      0.0.0.0          UG    0      0   0   WAN



#!/bin/sh

touch /tmp/000vpn_route_up.ran
logger -t "($(basename $0))" $$ "Starting custom vpn_route_up.sh"
echo "($(basename $0))" $$ "Starting vpn_route_up.sh"

# Table 10 = default route via the VPN, table 12 = default route via the WAN.
# Clear both tables, their rules and the mangle marks left by any previous run.
ip route flush table 10
ip rule del table 10
ip rule del fwmark 10 table 10
ip route flush table 12
ip rule del table 12
ip rule del fwmark 12 table 12
ip route flush cache
iptables -t mangle -F PREROUTING

echo "($(basename $0))" $$ "RTNETLINK errors are from deleting tables that don't exist yet and can be ignored."

tun_if="tun11"
tun_ip=$(ifconfig $tun_if | grep 'inet addr:'| cut -d: -f2 | awk '{ print $1}')

logger -t "($(basename $0))" $$ "CMD: ip route add default via $tun_ip dev $tun_if table 10"
logger -t "($(basename $0))" $$ "CMD: ip route add default via $(nvram get wan_gateway) dev eth0 table 12"

ip route add default via $tun_ip dev $tun_if table 10
ip rule add fwmark 10 table 10
ip route add default via $(nvram get wan0_gateway) dev eth0 table 12
ip rule add fwmark 12 table 12

echo 0 > /proc/sys/net/ipv4/conf/$tun_if/rp_filter
# A later MARK rule overwrites the mark set by an earlier one, so the catch-all goes first and the exceptions follow.
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.11.0-192.168.11.254 -j MARK --set-mark 10 #ALL TRAFFIC GOES VIA VPN ROUTE BY DEFAULT
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.11.100 -j MARK --set-mark 12 # Client bypasses the VPN



######################### External Websites/IPs Bypass#######################

#Some Banks/Websites will block your account if traffic goes via VPN (routed via another country other than your usual)
#By adding a rule with the website IP all traffic to that website will bypass the VPN route.
#The website is the DESTINATION of these packets, so it must be matched with --dst-range, not --src-range.

iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 113.42.110.227 -j MARK --set-mark 12 # traffic to the Office goes via ISP
######################### External Websites/IPs Bypass#######################

# script-security 2
# route-nopull
# route-up /jffs/scripts/route-up.sh

exit
https://www.dropbox.com/s/uo54or03i5lbxip/route-up.sh?dl=0
Download the script, then copy it to /jffs/scripts.
Set the proper permissions (755).
Now go to the VPN client tab and add this to the custom configuration box:
script-security 2
route-nopull
route-up /jffs/scripts/route-up.sh
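The original poster's three requirements (one client and one office destination bypassing the tunnel, the rest of the LAN via the VPN) written with the RPDB selectors that Martineau's VPN_Select.sh moved to, instead of mangle marks. This is an added example and not a script from the thread; the table numbers 100/101, the rule priorities and the DRY_RUN switch are my assumptions, while the addresses and the nvram variable wan0_gateway are the ones used in the posts above.

```shell
#!/bin/sh
# Added example, not from the thread: the OP's requirements as RPDB rules (ip rule from/to)
# rather than mangle marks. Tables 100/101 and the priorities are assumptions; the addresses
# are the ones given in the original post.
LAN_NET=192.168.11.0/24
BYPASS_HOST=192.168.11.100   # client that must reach the internet directly (non-VPN)
BYPASS_DEST=113.42.110.227   # office site that must not be routed through the tunnel
WAN_TABLE=100                # default route via the ISP gateway
VPN_TABLE=101                # default route via the tunnel

# With DRY_RUN=1 every command is printed instead of executed, so the generated
# policy can be reviewed (or checked by a test) before it is applied on the router.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Remove what a previous run left behind; RTNETLINK errors about missing rules are expected.
cleanup_policy() {
    for prio in 100 110 120; do
        run ip rule del priority "$prio" 2>/dev/null
    done
    run ip route flush table "$WAN_TABLE"
    run ip route flush table "$VPN_TABLE"
}

# $1 = WAN gateway address, $2 = VPN gateway address, $3 = VPN interface (OpenVPN's $dev)
install_policy() {
    wan_gw=$1; vpn_gw=$2; vpn_dev=$3
    run ip route add default via "$wan_gw" table "$WAN_TABLE"
    run ip route add default via "$vpn_gw" dev "$vpn_dev" table "$VPN_TABLE"
    # Rules are consulted in ascending priority, so the two exceptions must come before
    # the catch-all that sends the rest of the LAN into the tunnel.
    run ip rule add from "$BYPASS_HOST" lookup "$WAN_TABLE" priority 100
    run ip rule add to "$BYPASS_DEST" lookup "$WAN_TABLE" priority 110
    run ip rule add from "$LAN_NET" lookup "$VPN_TABLE" priority 120
    run ip route flush cache
}

# When OpenVPN runs this as its route-up hook, $dev is set; reuse its environment.
# route_vpn_gateway is what the OP's TAP setup needs; the thread's tun scripts use
# ifconfig_local instead, hence the fallback.
if [ -n "$dev" ] && [ "${DRY_RUN:-0}" != "1" ]; then
    cleanup_policy
    install_policy "$(nvram get wan0_gateway)" "${route_vpn_gateway:-$ifconfig_local}" "$dev"
fi
```

Run it once by hand with DRY_RUN=1 to see the exact ip commands before installing it as route-up; afterwards `ip rule` should list the two exceptions above the catch-all.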
 
Try this script VPN_Select.sh, and you will need to add the directives

route-nopull
script-security 2
route-up /jffs/scripts/VPN_Select.sh


to the Custom VPN dialog box

#!/bin/sh

MY_VPNTAB=100 # Now read from /jffs/configs/VPNSelect
TAG_MARK=1 # Now read from /jffs/configs/VPNSelect

# Use the OpenVPN environment variables ($dev is the tunnel interface, $ifconfig_local its local address)
if [ "X$dev" = "X" ]; then
    logger -s -t "($(basename $0))" $$ "*** ERROR not called by VPN Client route-up?...ABORTing!"
    exit 1
fi

# Create new table to route VPN traffic when tagged with MARK. (Credit to SmallNetBuilder member DJR747)
# or to be associated with a WiFi Guest SSID.
ip route flush table $MY_VPNTAB
ip rule del fwmark $TAG_MARK
ip rule del table $MY_VPNTAB

ip route flush cache
iptables -t mangle -F PREROUTING

# Disable Reverse Path Filtering on current VPN network interface:
echo 0 > /proc/sys/net/ipv4/conf/$dev/rp_filter

ip route add default via $ifconfig_local dev $dev table $MY_VPNTAB
ip rule add fwmark $TAG_MARK table $MY_VPNTAB

# Only this device is marked, so only its traffic is looked up in the VPN table; everything else stays on the WAN.
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.105 -j MARK --set-mark $TAG_MARK

Thank you very much buddy for helping, but it's a no go :( VPN is on and ALL devices bypass the VPN now?? Unless I have boobed? Thought it was gonna work too, till I loaded up the device I wanted to use the VPN, and it still uses the same IP?

Here are screens of the configs if that helps?



Using your script from above.
 
Thank you very much buddy for helping, but it's a no go :( VPN is on and ALL devices bypass the VPN now?? Unless I have boobed? Thought it was gonna work too, till I loaded up the device I wanted to use the VPN, and it still uses the same IP?

Here are screens of the configs if that helps?



Using your script from above.

The main difference between my script and Janosek's original in post #5 (and Faria's post #252) is that by default ALL traffic will continue to use the WAN even after the VPN Client is started (assuming the route-nopull directive has been used!). This means only one VPN table is created and there is no cloning of any of the NVRAM variables ('wan_' vs. 'wan0_'), nor use of the wrong VPN interface device name etc. (NOTE: Faria's script is hard-coded to assume the WAN interface is eth0, which wouldn't be the case for ppp?)

Unless there is a conflict with using TABLE 100 and fwmark 1, then I can only think of the following:

issue the commands

Code:
iptables -t mangle -L -nv --line-numbers

ip rule

ip route show table 100


to see if TABLE 100 does contain the line to redirect the VPN interface via your VPN gateway, and whether the target device is listed in the mangle table.

Your original request was for a single device to use the VPN, whilst all others use the WAN:

I basically need something very similar to this, as follows:

One LAN device on a static IP (192.168.1.105) to use the VPN, solely.
All other LAN devices to bypass the VPN completely.
All wireless devices to bypass the VPN completely.

So, only one device using the VPN permanently.

OpenVPN is set up and working in the router (AC68U) and I have jffs set up correctly also.

Any help much appreciated. Thank you

so if the device you wish to have routed via the VPN does not have a static IP, then you can simply issue the following commands from an SSH/Telnet prompt for individual IP addresses, to test others:

Code:
1. Route the device via the VPN

iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range xxx.xxx.xxx.xxx -j MARK --set-mark 1

2. Reset the device to use the WAN

iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range xxx.xxx.xxx.xxx -j MARK --set-mark 0

or even (the iprange match does not take a CIDR prefix, so the whole subnet is matched with -s)

Code:
1. Route ALL devices through VPN

iptables -t mangle -A PREROUTING -i br0 -s xxx.xxx.xxx.0/24 -j MARK --set-mark 1

2. Reset routing for ALL devices via WAN

iptables -t mangle -A PREROUTING -i br0 -s xxx.xxx.xxx.0/24 -j MARK --set-mark 0

I know that someone had reported that when using 378.50, a previously working selective routing setup no longer works. I suggested that the VPN Client not be started automatically, but started manually instead, to see if there is a timing issue;

i.e. specify, after an appropriate delay, the manual start of the VPN Client in wan-start.

Only differences in the VPN configuration panel: I have 'Accept DNS=DISABLED', which shouldn't affect the ability to perform the selective routing, and I use HMA rather than PIA.

Also, I'm not sure how you verify if a device is actually using the VPN? I use the ip2location webpage.

Not sure if this helps :(


Regards,
 
Thank you very much buddy for helping, but it's a no go :( VPN is on and ALL devices bypass the VPN now?? Unless I have boobed? Thought it was gonna work too, till I loaded up the device I wanted to use the VPN, and it still uses the same IP?

Here are screens of the configs if that helps?



Using your script from above.
With my script the router WAN IP will always be the ISP's.
Only devices routed via the VPN will report the VPN IP.
If I'm not mistaken, if you remove route-nopull then the router WAN IP reported will be that of the VPN client you use.
(Disclosure) I'm quite new to this stuff and I'm posting from what I learned.
Any help or improvement is welcome, especially from Martineau.
 
I was able to get selective routing finally setup and working thanks to this site and thread.
My only issue now is how to get my DDNS name to work?
I have no-ip.com set up on my N66U and now with the VPN my domain is not getting resolved. Is there a port I need to open in the script?

Again thanks for the continued help.


I'm still stuck with this problem.
 
I'm still stuck with this problem.

To the best of my knowledge, in order to get the DDNS to work you have 3 options:
1 - add route-nopull, or
2 - add a rule in the script to bypass the DDNS port used for updating:
# Ports 80 and 443 will bypass the VPN
iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport 80,443 -j MARK --set-mark 1
# Although if Port 80 is excluded from the VPN then it will always show the local GEO ISP location!

# credit to Martineau for the above. or
3 - ask the VPN client provider to open the port on their side
 
Thanks for the info. I already have the route-nopull in the config but still no success. I will try the 2nd option.

Thanks again.
 
I'm having trouble using wizin's script from post 11.

In the end I want everything to go through the VPN except for the VoIP, but for now I copied his script exactly.

I'm pretty sure I have it saved in the right place:

VPN is set to start on WAN.

But still no luck. VOIP (192.168.1.227) still doesn't work, and ROG loses internet access.

Turning off the VPN fixes everything.
 
I'm having trouble using wizin's script from post 11.

In the end I want everything to go through the VPN except for the VoIP, but for now I copied his script exactly.

I'm pretty sure I have it saved in the right place:

VPN is set to start on WAN.

But still no luck. VOIP (192.168.1.227) still doesn't work, and ROG loses internet access.

Turning off the VPN fixes everything.


Try this script VPN_Select.sh, and you will need to add the directives

route-nopull
script-security 2
route-up /jffs/scripts/VPN_Select.sh


to the Custom VPN dialog box

#!/bin/sh

MY_VPNTAB=101 # Now read from /jffs/configs/VPNSelect
TAG_MARK=1 # Now read from /jffs/configs/VPNSelect

# Use the OpenVPN environment variables ($dev is the tunnel interface, $ifconfig_local its local address)
if [ "X$dev" = "X" ]; then
    logger -s -t "($(basename $0))" $$ "*** ERROR not called by VPN Client route-up?...ABORTing!"
    exit 1
fi

# Create new table to route VPN traffic when tagged with MARK. (Credit to SmallNetBuilder member DJR747)
# or to be associated with a WiFi Guest SSID.
ip route flush table $MY_VPNTAB
ip rule del fwmark $TAG_MARK
ip rule del table $MY_VPNTAB

ip route flush cache
iptables -t mangle -F PREROUTING

# Disable Reverse Path Filtering on current VPN network interface:
echo 0 > /proc/sys/net/ipv4/conf/$dev/rp_filter

ip route add default via $ifconfig_local dev $dev table $MY_VPNTAB
ip rule add fwmark $TAG_MARK table $MY_VPNTAB

# Everything via VPN except .227 (the VoIP device): the two ranges cover the LAN on either side of it,
# so .227 is never marked and keeps using the WAN.
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.2-192.168.1.226 -j MARK --set-mark $TAG_MARK
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.228-192.168.1.254 -j MARK --set-mark $TAG_MARK
 
