jesica (Guest)
Thanks RMerlin for the excellent wiki page
Try this script, VPN_Select.sh. You will need to add the directives
route-nopull
script-security 2
route-up /jffs/scripts/VPN_Select.sh
to the Custom VPN dialog box.
#!/bin/sh
MY_VPNTAB=101 # Now read from /jffs/configs/VPNSelect
TAG_MARK=1 # Now read from /jffs/configs/VPNSelect
# Use the OpenVPN environment variables
if [ "X$dev" = "X" ]; then
logger -s -t "($(basename $0))" $$ "*** ERROR not called by VPN Client route-up?...ABORTing!"
exit 1
fi
# Create new table to route VPN traffic when tagged with MARK. (Credit to SmallNetBuilder member DJR747)
# or to be associated with a WiFi Guest SSID.
ip route flush table $MY_VPNTAB
ip rule del fwmark $TAG_MARK
ip rule del table $MY_VPNTAB
ip route flush cache
iptables -t mangle -F PREROUTING
# Disable Reverse Path Filtering on current VPN network interface:
echo 0 > /proc/sys/net/ipv4/conf/$dev/rp_filter
ip route add default via $ifconfig_local dev $dev table $MY_VPNTAB
ip rule add fwmark $TAG_MARK table $MY_VPNTAB
# Everything via VPN except .227
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.2-192.168.1.226 -j MARK --set-mark $TAG_MARK
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.228-192.168.1.254 -j MARK --set-mark $TAG_MARK
Thanks for the help,
but running this script makes everything, including the VoIP, bypass the VPN.
The VPN is running though.
At the very least, it looks like I am putting the scripts in the right place.
System log: 1drv.ms/1Ai4Lqz
if I remove
route-nopull
script-security 2
route-up /jffs/scripts/VPN_Select.sh
everything goes through the VPN.
The log shows that the script did not execute:
WARNING: Failed running command (--route-up): could not execute external program
so by default everything goes via the WAN even if the VPN is UP, which for most people is what they want, as they only want to selectively route certain devices via the VPN, but in your case you want the opposite to be true!
Did you use Notepad under Windows to create the file on the router? If you did then this won't work; you will need to use, say, Notepad++ and ensure that the EOL character is set to Unix format, or use WinSCP to open an SCP connection to the router and then cut'n'paste the code into the WinSCP editor window.
Also ensure that the script has 'execute' attributes, and that the 1st line of the script is definitely
#!/bin/sh
Thanks, I just downloaded the script you posted and forgot to remove the extra lines. This works now.
I saw this in another thread, but I can't find it now. If I want to connect to a site without the VPN, can I do that with the current script, or will it get complicated?
# Site xxx.xxx.xxx.xxx via the WAN (mark 0 = main routing table, i.e. not the VPN table)
iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range xxx.xxx.xxx.xxx -j MARK --set-mark 0
# Everything else via VPN except .227
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.2-192.168.1.226 -j MARK --set-mark $TAG_MARK
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.228-192.168.1.254 -j MARK --set-mark $TAG_MARK
# NOTE: iprange only accepts numeric addresses; a hostname such as www.facebook.com must be resolved to its IP (or IP range) first
iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range www.facebook.com -j MARK --set-mark 0
To the best of my knowledge, in order to get the DDNS to work you have 3 options:
1 - add route-nopull, or
2 - add a rule in the script to bypass the DDNS port used for updating:
# Ports 80 and 443 will bypass the VPN
iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport 80,443 -j MARK --set-mark 1
# Although if Port 80 is excluded from the VPN then it will always show the local GEO ISP location!
# credit to Martineau for the above. or
3 - ask the VPN client provider to open the port on their side
I know that someone had reported that when using 378.50, a previously working selective routing setup no longer works. I suggested that if the VPN Client is not started automatically, then start the VPN Client manually to see if there is a timing issue,
i.e. specify, after an appropriate delay, the manual start of the VPN Client in wan-start.
Only differences in the VPN configuration panel: I have 'Accept DNS=DISABLED', which shouldn't affect the ability to perform the selective routing, and I use HMA rather than PIA.
Also I'm not sure how you verify if a device is actually using the VPN? I use the ip2location webpage.
Not sure if this helps.
Regards,
Feb 26 18:03:40 openvpn[724]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Feb 26 18:03:45 openvpn[724]: Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
Feb 26 18:03:45 openvpn[724]: Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Feb 26 18:03:45 openvpn[724]: Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Feb 26 18:03:45 openvpn[724]: Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
Just wanna say that your script is actually working fine, and that it was I who failed to save the file correctly, Martineau.
All good now!
Thank you very much for this, it really is much appreciated. You're a star.
I do notice these errors in the log now though, although I'm not bothered as it's working how I want lol. Any ideas?
#!/bin/sh
sleep 2
touch /tmp/000wanstarted
# This code goes in the WAN UP section of the Tomato GUI.
# This code is based on the contributions from this thread:
# http://www.linksysinfo.org/index.php?threads/route-only-specific-ports-through-vpn-openvpn.37240/
#
# And from material in these articles:
# http://linux-ip.net/html/adv-multi-internet.html
# http://fedorasolved.org/Members/kanarip/iptables-howto
#
# This script configures "selective" VPN routing. Normally Tomato will route ALL traffic out
# the OpenVPN tunnel. These changes to iptables allow some outbound traffic to use the VPN, and some
# traffic to bypass the VPN and use the regular Internet instead.
#
# To list the current rules on the router, issue the command:
# iptables -t mangle -L PREROUTING
#
# Flush/reset all the rules to default by issuing the command:
# iptables -t mangle -F PREROUTING
#
# First it is necessary to disable Reverse Path Filtering on all
# current and future network interfaces:
#
for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
echo 0 > $i
done
#
# Delete tables 10 & 12 and flush any existing rules if they exist.
#
ip route flush table 10
ip route del default table 10
ip rule del fwmark 10 table 10
ip route flush table 12
ip route del default table 12
ip rule del fwmark 12 table 12
ip route flush cache
iptables -t mangle -F PREROUTING
# Table 10: default route via the OpenVPN tunnel. Table 12: default route via the WAN gateway.
tun_if="tun11"
tun_ip=$(ifconfig $tun_if | grep 'inet addr:'| cut -d: -f2 | awk '{ print $1}')
ip route add default via $tun_ip dev $tun_if table 10
ip rule add fwmark 10 table 10
ip route add default via $(nvram get wan_gateway) dev eth0 table 12
ip rule add fwmark 12 table 12
echo 0 > /proc/sys/net/ipv4/conf/$tun_if/rp_filter
#
# Define the routing policies for the traffic. The rules are evaluated in the order that they
# are listed, and MARK is not a terminating target, so the last matching rule decides the final mark.
# In this script, packets with MARK set to "10" pass through the VPN and packets with MARK set
# to "12" bypass the VPN via the WAN. (The EXAMPLES below are from the original Tomato script,
# where "0" meant VPN and "1" meant bypass; substitute 10/12 when using them here.)
#
# EXAMPLES:
#
# All LAN traffic will bypass the VPN (Useful to put this rule first, so all traffic bypasses the VPN and you can configure exceptions afterwards)
# iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1
# Ports 80 and 443 will bypass the VPN
# iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport 80,443 -j MARK --set-mark 1
# All traffic from a particular computer on the LAN will use the VPN
# iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.2 -j MARK --set-mark 0
# All traffic to a specific Internet IP address will use the VPN
# iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 216.146.38.70 -j MARK --set-mark 0
# All UDP and ICMP traffic will bypass the VPN
# iptables -t mangle -A PREROUTING -i br0 -p udp -j MARK --set-mark 1
# iptables -t mangle -A PREROUTING -i br0 -p icmp -j MARK --set-mark 1
# By default all traffic goes through the VPN
iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 10
# Spotify explicitly bypasses the VPN
# (A particular computer on the LAN could be made to bypass the VPN the same way:)
#iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.10 -j MARK --set-mark 12
iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 72.247.8.235 -j MARK --set-mark 12
iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 72.247.8.194 -j MARK --set-mark 12
iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 23.212.109.42 -j MARK --set-mark 12
iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 23.212.109.56 -j MARK --set-mark 12
iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 208.91.157.66 -j MARK --set-mark 12
iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 173.222.211.42 -j MARK --set-mark 12
iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 173.222.211.66 -j MARK --set-mark 12
iptables -t mangle -A PREROUTING -i br0 -p tcp --dport 3478:3497 -j MARK --set-mark 12
iptables -t mangle -A PREROUTING -i br0 -p udp --dport 443 -j MARK --set-mark 12
iptables -t mangle -A PREROUTING -i br0 -p tcp --dport 5223 -j MARK --set-mark 12
iptables -t mangle -A PREROUTING -i br0 -p udp --dport 16384:16387 -j MARK --set-mark 12
iptables -t mangle -A PREROUTING -i br0 -p udp --dport 16393:16402 -j MARK --set-mark 12
exit
Hello,
I am using the route-nopull option, which works great.
I have an IP set for all traffic to go over the VPN:
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.0.2 -j MARK --set-mark 10
However, I want certain ports from only this IP to not go over the VPN. I have been trying with little success, e.g.:
iptables -t mangle -I PREROUTING -i br0 -m iprange --src-range 192.168.0.2 -p tcp -m multiport --dport 0:2000 -j MARK --set-mark 12
Maybe something like:
iptables -t mangle -I PREROUTING -i br0 -m iprange --src-range 192.168.0.2 -p tcp -m multiport ! --dport 0:2000 -j MARK --set-mark 10
Am I on the right path? I'm guessing the order (-I vs -A) is critical? Calling Martineau....
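Rule order is indeed what matters here, because MARK is a non-terminating target: every matching rule in mangle PREROUTING is evaluated and the last match sets the final mark, so a broad "host to VPN" rule followed by a narrower "these ports to WAN" rule gives the wanted result without any "!" negation. The function below is an added example, not a reply from the thread; it assumes br0 as the LAN bridge and the mark/table pairing from the Tomato script earlier in this thread (10 = VPN table, 12 = WAN table). By default it prints the rules instead of applying them, so the order can be inspected without root; set IPT=iptables to apply them for real.

```shell
#!/bin/sh
# Added example (not from the thread): mark all traffic from one LAN host for the VPN table,
# then re-mark selected TCP destination ports from that host for the WAN table.
# Assumptions: br0 = LAN bridge, mark 10 = VPN routing table, mark 12 = WAN routing table.
# IPT defaults to a dry run that echoes the rules; export IPT=iptables to apply them.
IPT="${IPT:-echo iptables}"
VPN_MARK=10
WAN_MARK=12

# MARK does not stop chain traversal, so append (-A) the broad rule first and the
# exception after it: the later match overwrites the earlier mark for those packets.
mark_host_except_ports() {
    host="$1"    # single LAN address, e.g. 192.168.0.2 (iprange accepts a single address)
    ports="$2"   # multiport spec, e.g. 0:2000 or 22,80,443
    # 1) everything from the host goes via the VPN table
    $IPT -t mangle -A PREROUTING -i br0 -m iprange --src-range "$host" -j MARK --set-mark "$VPN_MARK"
    # 2) ...but TCP to these destination ports is re-marked for the WAN table
    $IPT -t mangle -A PREROUTING -i br0 -m iprange --src-range "$host" -p tcp -m multiport --dports "$ports" -j MARK --set-mark "$WAN_MARK"
}

# Dry-run usage: mark_host_except_ports 192.168.0.2 0:2000
```

Inserting the port rule with -I would put it before the host rule, and the host rule's mark would then win, which is the symptom described in the post; appending both in this order, or inserting the host rule before the port rule, is what is needed.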
Who wrote this article? fwmarks isn't working on MIPS routers, something wrong with kernel I suppose. You may check that fwmarks is used for ARM devices only.
-A PREROUTING -m set --set youtube dst,src -j MARK --set-mark 0x9
-A PREROUTING -m set --set youtube dst,src -j LOG --log-prefix "MARK check "
gives no traces of "MARK=0x9" in the syslog. H/W NAT was turned off.
I discovered it earlier, when I tried ipset-dns.
Tried on RT-N66U, f\w 378.50.
Not sure if I completely understand your statement - are you saying that MIPS routers have never been able to use FWMARKS for selective routing, or simply highlighting the fact that it is now broken in the latest release 37x.xx of the MIPS firmware?
Ok so I've been banging my head against this all day. Figured I would ask for some help.
I would like to pass all traffic to the VPN, except one local IP that I need to go straight out.
Router: RT-AC68U
FW: Merlin 376.49_5
I have set my vpn extra options with
route-nopull
script-security 2
route-up /jffs/scripts/vpn_passthrough.sh
and my vpn_passthrough.sh file is as follows.
#!/bin/sh
MY_VPNTAB=101 # Now read from /jffs/configs/VPNSelect
TAG_MARK=1 # Now read from /jffs/configs/VPNSelect
# Use the OpenVPN environment variables
if [ "X$dev" = "X" ]; then
logger -s -t "($(basename $0))" $$ "*** ERROR not called by VPN Client route-up?...ABORTing!"
exit 1
fi
# Create new table to route VPN traffic when tagged with MARK. (Credit to SmallNetBuilder member DJR747)
# or to be associated with a WiFi Guest SSID.
ip route flush table $MY_VPNTAB
ip rule del fwmark $TAG_MARK
ip rule del table $MY_VPNTAB
ip route flush cache
iptables -t mangle -F PREROUTING
# Disable Reverse Path Filtering on current VPN network interface:
echo 0 > /proc/sys/net/ipv4/conf/$dev/rp_filter
ip route add default via $ifconfig_local dev $dev table $MY_VPNTAB
ip rule add fwmark $TAG_MARK table $MY_VPNTAB
# 10.10.1.100 stays on the WAN (mark 0 = main table). The MARK target needs --set-mark;
# a bare "-j MARK 0" is rejected by iptables and the rule is never loaded.
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 10.10.1.100 -j MARK --set-mark 0
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 10.10.1.2-10.10.1.99 -j MARK --set-mark $TAG_MARK
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 10.10.1.101-10.10.1.254 -j MARK --set-mark $TAG_MARK
exit
As it stands now everything is sent through the VPN; the machine at 10.10.1.100 is also still routed through the VPN.
Any help would be great, thanks.
There is no DPI engine on MIPS builds.
Tried on RT-N66U, f\w 378.50.
In keeping with stating the obvious, there is no DPI engine on the ARM RT-AC56U using build 378.50B1 but I can still force the '-t mangle PREROUTING' entries to be 'accidentally' flushed when I use the GUI , which then breaks the selective routing.