Selective Routing with Asuswrt-Merlin


The only way I can tell it's working is because A) my speeds tanked (I expected this) and B) on the OpenVPN Client 1 stats I was actually seeing some traffic running through it. Also if I looked at the table I could see traffic running over those 2 rules.

So as I said, I "think" this works now. Any other input would be great, and also if there's a way to prevent traffic on that port if for some reason the VPN is down, that would be great. What's that called… IP leak?


Well clearly if you don't know if it is working to your own satisfaction then I doubt anyone else can say for certain if it is or not. :confused:

In my post #84, you will see that my script contains the line

Code:
iptables -I FORWARD -i br0 -s $IP_RANGE -o eth0 -j DROP

which attempts to force my selected IP device to ONLY use the VPN and never revert to using the WAN if the VPN connection is severed.

I'm sure you can create a similar rule based on port rather than source IP.

Regards,
 

Thanks for the reply. I guess the point I was trying to make is that I don't know the proper commands and/or what I should expect to see with the commands to know if it's working 100%. I have to assume it worked because that was the only time I actually saw the stats on the VPN connection change and increase substantially.

As it is, I'm going to try PIA. The other folks log too much for my liking.

I had seen that line and others similar, but I was having a hard time getting the traffic segmented as it was so I haven't tried since I got it working this way. I'll give it a try today and see where I get with it. And if you happen to know the proper way to test from the router to know if port traffic is going where you want it, that would be great as well!

Thanks again.
 

If there are statistics/logs from the VPN provider then hopefully they will corroborate your expected selective routing traffic alongside the metrics seen on the MARK rules.

Similarly, if you implement the rule to block the P2P port outbound through the WAN, then when the VPN client connection is DOWN your P2P traffic will hopefully only work once you bring the VPN client connection UP.

This would seem to be pretty much the way to go, unless Wireshark would be needed to trace individual packets etc.

Regards,
 
If only table 12 is correctly populated, then you need to check why table 10 is not being populated.

Code:
tun_if="tun11"
tun_ip=$(ifconfig $tun_if | grep 'inet addr:'| cut -d: -f2 | awk '{ print $1}')

ip route add default via $tun_ip dev $tun_if table 10

So you should debug the above statements to see if the variables

Code:
   $tun_ip
   $tun_if

are being resolved correctly.

NOTE: On the OpenVPN Client tab do you have 'Redirect Internet Traffic=YES'?

Regards,
I echoed $tun_ip after those commands and it is "10.102.1.6" - which actually is the IP of tun11 when I run ifconfig.

"Redirect Internet Traffic" was set to "No" - I changed it to "Yes", but it made no difference.
 

The point about 'Redirect Internet Traffic=NO' was because I recall your original statement said that ALL traffic went via the VPN, so 'Redirect Internet Traffic=NO' would imply that nothing is going via the VPN as the MARK 10 for Table 10 redirection doesn't work.

So issue the following:

Code:
ip rule
ip rule del table 10
ip route show table 10
ip route show table 100

then manually enter the command to populate table 10 with the 10.102.1.6 value as per the script

then try and manually create table 100 with the 10.102.1.6 value as per the script

Code:
ip rule
ip route show table 10
ip route show table 100

If table 10/100 can be created manually then I can only assume that the current script (that apparently can correctly populate table 12) may need to be recreated :(

Regards,
 
Code:
admin@RT-AC66U:/tmp/home/root# ip rule
0:      from all lookup local
32764:  from all fwmark 0xc lookup 12
32765:  from all fwmark 0xa lookup 10
32766:  from all lookup main
32767:  from all lookup default
admin@RT-AC66U:/tmp/home/root# ip rule del table 10
admin@RT-AC66U:/tmp/home/root# ip route show table 10
default via 10.130.1.6 dev tun11
admin@RT-AC66U:/tmp/home/root# ip route show table 100
admin@RT-AC66U:/tmp/home/root# ip route add default via 10.130.1.6 dev tun11 table 10
RTNETLINK answers: File exists
admin@RT-AC66U:/tmp/home/root# ip route add default via 10.130.1.6 dev tun11 table 100
admin@RT-AC66U:/tmp/home/root# ip rule
0:      from all lookup local
32764:  from all fwmark 0xc lookup 12
32766:  from all lookup main
32767:  from all lookup default
admin@RT-AC66U:/tmp/home/root# ip route show table 10
default via 10.130.1.6 dev tun11
admin@RT-AC66U:/tmp/home/root# ip route show table 100
default via 10.130.1.6 dev tun11
admin@RT-AC66U:/tmp/home/root#

So it seems table 10 was populated, that's strange.
 

OK I suggest you replace the incorrect del command that causes the RTNETLINK errors with

Code:
ip rule del table 10

and hopefully in conjunction with the associated flush table 10 commands this will correct the script and fix the root cause of this issue.

However it may be prudent to echo/logger the return code from the commands and/or always issue the rule / route show commands to syslog to be able to see exactly what happens when the script executes.


Regards,
 
Oh, yes, I was meaning to ask: I don't see any of the echoes in my system log, I only see them when I execute the script from the command line? Does the system log simply not show echoes or does it mean the script is not running?
 
Echo statements are only useful/visible when running commands manually from the command line.

I personally prefer the use of pertinent logger statements:

e.g.

Code:
logger -t "($(basename $0))" $$ "CMD: ip route add default via $tun_ip dev $tun_if table 100"

which then appear in syslog

Regards,
 
I don't get it, it doesn't work! With "Redirect Internet Traffic = Yes" I now don't have Internet access on any client after a reboot of the router, but when I then just hit "Apply" on the VPN Client settings page (without changing anything), Internet access works, but all clients still go through the VPN.

Here is my script like it is now:

Code:
#!/bin/sh

logger -t "($(basename $0))" $$ "Start"

ip route flush table 10
ip rule del table 10
ip rule del fwmark 10 table 10
ip route flush table 12
ip rule del table 12
ip rule del fwmark 12 table 12
ip route flush cache
iptables -t mangle -F PREROUTING

tun_if="tun11"
tun_ip=$(ifconfig $tun_if | grep 'inet addr:'| cut -d: -f2 | awk '{ print $1}')

logger -t "($(basename $0))" $$ "CMD: ip route add default via $tun_ip dev $tun_if table 10"
logger -t "($(basename $0))" $$ "CMD: ip route add default via $(nvram get wan_gateway) dev eth0 table 12"

ip route add default via $tun_ip dev $tun_if table 10
ip rule add fwmark 10 table 10
ip route add default via $(nvram get wan_gateway) dev eth0 table 12
ip rule add fwmark 12 table 12

echo 0 > /proc/sys/net/ipv4/conf/$tun_if/rp_filter

iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.2.101 -j MARK --set-mark 10
iptables -t mangle -A PREROUTING -i br0 -p tcp --dport 563 -j MARK --set-mark 12

logger -t "($(basename $0))" $$ "End"

exit

And this is the OpenVPN related part of my syslog:

Code:
Jan  1 01:00:37 openvpn[474]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Jan  1 01:00:37 openvpn[474]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jan  1 01:00:37 openvpn[474]: Socket Buffers: R=[118784->131072] S=[118784->131072]
Jan  1 01:00:37 openvpn[480]: UDPv4 link local: [undef]
Jan  1 01:00:37 openvpn[480]: UDPv4 link remote: [AF_INET]77.247.182.241:1194
Jan  1 01:00:37 openvpn[480]: TLS: Initial packet from [AF_INET]77.247.182.241:1194, sid=59cb8b6c f774e191
Jan  1 01:00:37 openvpn[480]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Jan  1 01:00:37 openvpn[480]: VERIFY OK: depth=1, C=US, ST=OH, L=Columbus, O=Private Internet Access, CN=Private Internet Access CA, emailAddress=secure@privateinternetaccess.com
Jan  1 01:00:37 openvpn[480]: VERIFY OK: depth=0, C=US, ST=OH, L=Columbus, O=Private Internet Access, CN=server, emailAddress=secure@privateinternetaccess.com
Jan  1 01:00:38 openvpn[480]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Jan  1 01:00:38 openvpn[480]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jan  1 01:00:38 openvpn[480]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Jan  1 01:00:38 openvpn[480]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jan  1 01:00:38 openvpn[480]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Jan  1 01:00:38 openvpn[480]: [server] Peer Connection Initiated with [AF_INET]77.247.182.241:1194
Jan  1 01:00:41 openvpn[480]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Jan  1 01:00:41 openvpn[480]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 209.222.18.222,dhcp-option DNS 209.222.18.218,ping 10,route 10.157.32.1,topology net30,ifconfig 10.157.32.6 10.157.32.5'
Jan  1 01:00:41 openvpn[480]: OPTIONS IMPORT: timers and/or timeouts modified
Jan  1 01:00:41 openvpn[480]: OPTIONS IMPORT: --ifconfig/up options modified
Jan  1 01:00:41 openvpn[480]: OPTIONS IMPORT: route options modified
Jan  1 01:00:41 openvpn[480]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Jan  1 01:00:41 openvpn[480]: TUN/TAP device tun11 opened
Jan  1 01:00:41 openvpn[480]: TUN/TAP TX queue length set to 100
Jan  1 01:00:41 openvpn[480]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Jan  1 01:00:41 openvpn[480]: /usr/sbin/ip link set dev tun11 up mtu 1500
Jan  1 01:00:41 openvpn[480]: /usr/sbin/ip addr add dev tun11 local 10.157.32.6 peer 10.157.32.5
Jan  1 01:00:41 openvpn[480]: updown.sh tun11 1500 1542 10.157.32.6 10.157.32.5 init
Jan  1 01:00:41 rc_service: service 518:notify_rc updateresolv
Jan  1 01:00:41 dnsmasq[392]: exiting on receipt of SIGTERM
Jan  1 01:00:41 dnsmasq[521]: started, version 2.68 cachesize 1500
Jan  1 01:00:41 dnsmasq[521]: asynchronous logging enabled, queue limit is 5 messages
Jan  1 01:00:41 dnsmasq-dhcp[521]: DHCP, IP range 192.168.2.10 -- 192.168.2.90, lease time 1d
Jan  1 01:00:41 dnsmasq-dhcp[521]: DHCP, sockets bound exclusively to interface br0
Jan  1 01:00:41 dnsmasq[521]: using local addresses only for domain router.schnigges.lan
Jan  1 01:00:41 dnsmasq[521]: read /etc/hosts - 8 addresses
Jan  1 01:00:41 dnsmasq[521]: read /etc/hosts.dnsmasq - 2 addresses
Jan  1 01:00:41 dnsmasq-dhcp[521]: read /etc/ethers - 2 addresses
Jan  1 01:00:41 dnsmasq[521]: using nameserver 83.169.184.161#53
Jan  1 01:00:41 dnsmasq[521]: using nameserver 209.222.18.218#53
Jan  1 01:00:41 dnsmasq[521]: using nameserver 209.222.18.222#53
Jan  1 01:00:41 dnsmasq[521]: using local addresses only for domain router.schnigges.lan
Jan  1 01:00:41 openvpn[480]: /usr/sbin/ip route add 77.247.182.241/32 via 188.194.255.254
Jan  1 01:00:41 openvpn[480]: /usr/sbin/ip route add 0.0.0.0/1 via 10.157.32.5
Jan  1 01:00:41 openvpn[480]: /usr/sbin/ip route add 128.0.0.0/1 via 10.157.32.5
Jan  1 01:00:41 openvpn[480]: /usr/sbin/ip route add 10.157.32.1/32 via 10.157.32.5
Jan  1 01:00:41 (vpn_route_up.sh): 529 Start
Jan  1 01:00:41 (vpn_route_up.sh): 529 CMD: ip route add default via 10.157.32.6 dev tun11 table 10
Jan  1 01:00:41 (vpn_route_up.sh): 529 CMD: ip route add default via 188.194.255.254 dev eth0 table 12
Jan  1 01:00:41 (vpn_route_up.sh): 529 End
Jan  1 01:00:41 openvpn[480]: Initialization Sequence Completed
Jan  1 01:00:45 nmbd[356]: [2011/01/01 01:00:45, 0] nmbd/nmbd_become_lmb.c:become_local_master_stage2(392)
Jan  1 01:00:45 nmbd[356]:   Samba name server RT-AC66U is now a local master browser for workgroup WORKGROUP on subnet 192.168.2.1
Mar  4 22:14:37 rc_service: ntp 425:notify_rc restart_upnp
Mar  4 22:14:37 rc_service: ntp 425:notify_rc restart_diskmon
Mar  4 22:14:37 rc_service: waitting "restart_upnp" via ntp ...
Mar  4 22:14:38 disk monitor: be idle
Mar  4 22:14:39 openvpn[480]: [server] Inactivity timeout (--ping-restart), restarting
Mar  4 22:14:39 openvpn[480]: SIGUSR1[soft,ping-restart] received, process restarting
Mar  4 22:14:39 openvpn[480]: Restart pause, 2 second(s)
Mar  4 22:14:41 openvpn[480]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Mar  4 22:14:41 openvpn[480]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mar  4 22:14:41 openvpn[480]: Socket Buffers: R=[118784->131072] S=[118784->131072]
Mar  4 22:14:45 crond[317]: time disparity of 1668794 minutes detected
 


Have you tried

Code:
route-nopull

in the OpenVPN Client Custom config?, and "Redirect Internet Traffic = NO"

Regards,
 

Woohoo, that was it! Thank you so much for all your help!
One more question, since this routing stuff is still pretty much over my head, how would I go about handling more than one IP address (but not a range) with this script?

Thanks so much!
 

When down in the weeds trying to debug stubborn scripts it is easy to overlook the obvious pre-reqs that were assumed to already be configured ;)

The easiest way is to simply add the appropriate number of additional script statements

Code:
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range xxx.xxx.xxx.xxx -j MARK --set-mark 10

unless the devices are in a contiguous range in which case they can be included in a single statement.

I have personally created an external pseudo lookup table which allows me to simply flip the routing for a logical set of devices using human friendly code via cron jobs etc....

Code:
# Select the I/P devices to be routed.
# Call VPN_select_ON_OFF [host.dnsmasq | ip_address | KEY_tag] [ON | OFF] {FORCE}
#
#
#      where  Host.dnsmasq will be matched against /etc/hosts.dnsmasq contents
#                                  
#             Key_tag      will be matched against /mnt/$MYROUTER/VPN_MASKS.txt     
#                               
#             FORCE will ensure designated target will ONLY use the VPN. 
# 

# Use HOSTS.DNSMASQ to resolve PS3-Bedroom and ensure it ONLY uses the VPN
/jffs/scripts/VPN_Select_ON_OFF.sh PS3-Bedroom ON FORCE

# Others that are not individual I/P addresses.......
#/jffs/scripts/VPN_Select_ON_OFF.sh ALL ON
#/jffs/scripts/VPN_Select_ON_OFF.sh ANDROID ON

Good luck.
 
I finally have a config that works for my needs. Since 99.9% of the traffic I wanted to route through the VPN comes from one IP I just routed all its traffic to the VPN port and then added a couple ports to be sent over the regular WAN connection. Seems to be working well so far.

Now what I want to figure out is putting in some kind of kill switch to counter the VPN route IF the VPN loses its connection. For some reason nothing I try seems to work though. Maybe someone can have a look at my config and tell me how I might be able to accomplish this?

Here's my config:

---
ip route flush table 10
ip route del default table 10
ip rule del fwmark 10 table 10
ip route flush table 12
ip route del default table 12
ip rule del fwmark 12 table 12
ip route flush cache
iptables -t mangle -F PREROUTING

tun_if="tun11"
tun_ip=$(ifconfig $tun_if | grep 'inet addr:'| cut -d: -f2 | awk '{ print $1}')

ip route add default via $tun_ip dev $tun_if table 10
ip rule add fwmark 10 table 10
ip route add default via $(nvram get wan0_gateway) dev eth0 table 12
ip rule add fwmark 12 table 12

echo 0 > /proc/sys/net/ipv4/conf/$tun_if/rp_filter

iptables -t mangle -A PREROUTING -i br0 -s 192.168.1.100 -j MARK --set-mark 10
iptables -t mangle -A PREROUTING -i br0 -p tcp --dport 563 -j MARK --set-mark 12
iptables -t mangle -A PREROUTING -i br0 -p tcp --dport 32400 -j MARK --set-mark 12

exit
---

Many thanks to whoever originally posted this method for routing, BTW. :)
 

So adding
Code:
iptables -I FORWARD -i br0 -s 192.168.1.100 -o eth0 -j DROP

doesn't block outbound access from 192.168.1.100 if you turn off the VPN Client?
 
I'll let you know in a minute or two. Stupid question, should that be at the end of the list or the bottom? Or does it matter?
 
And YES - that worked perfectly. So I must have had something FUBARed in what I tried.

So as I asked previously, should this go at the beginning or end of the list? I guess the end works since I just added it on the command line which would put it at the end. Yes?
 

Actually I would ensure that this blocker statement is moved to one of the following:


Code:
wan-start
or
firewall-start
or 
nat-start

This would mean that immediately after a router reboot, the source address cannot briefly use the WAN........just in case the VPN Client is slow in establishing a valid connection and before your tagging occurs. ;)

Regards,
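Pulling the pieces of this thread together (the route-up script posted above, the logger advice, the question about several individual addresses, and the FORWARD blocker for firewall-start), here is an added example; it is not any poster's script. It assumes the same layout as the thread (OpenVPN client 1 on tun11, WAN on eth0, LAN on br0, WAN gateway from nvram wan0_gateway). The host list, the port list, the --route-up/--firewall/--counters/--show switches and the function names are placeholders of mine, and the two SAMPLE_ variables are constructed output, not captured from a router. Two details worth knowing: a plain "-s host -o eth0 -j DROP" also drops the ports that the mark-12 rules deliberately send out the WAN, so the ACCEPTs for those ports are inserted above it; and FORWARD only sees forwarded packets, so a client that resolves names through the router's dnsmasq still has its DNS queries sent upstream by the router itself (the syslog above lists the ISP resolver next to the PIA ones). As the thread found, all of this also assumes the OpenVPN client is not installing its pushed redirect-gateway routes (route-nopull, Redirect Internet Traffic = No), otherwise the main table sends everything via tun11 regardless of the marks.

```shell
#!/bin/sh
# Added example (not any poster's script): selective routing for a list of
# LAN hosts plus a WAN kill switch. Privileged commands only run when the
# script is invoked with --route-up or --firewall; the text-handling
# functions can be exercised without root.

TUN_IF="tun11"
WAN_IF="eth0"
LAN_IF="br0"
VPN_CLIENTS="192.168.1.100"   # individual hosts, space separated (placeholder)
WAN_PORTS="563 32400"         # TCP ports that must bypass the VPN from any host

# parse_tun_ip: the thread's tun_ip pipeline applied to busybox ifconfig
# output on stdin; returns 1 when no address is found so a caller never
# installs "default via <empty> dev tun11".
parse_tun_ip() {
    addr=$(grep 'inet addr:' | cut -d: -f2 | awk '{ print $1 }')
    [ -n "$addr" ] || return 1
    printf '%s\n' "$addr"
}

# build_routing_cmds TUN_IP WAN_GW: commands for the route-up hook. The rule
# is removed before its table is flushed, and the per-port mark-12 rules come
# after the per-host mark-10 rules because a later MARK overwrites an earlier
# one; that is what sends those ports out the WAN even for VPN hosts.
build_routing_cmds() {
    tun_ip=$1
    wan_gw=$2
    cat <<EOF
ip rule del fwmark 10 table 10 2>/dev/null || true
ip route flush table 10
ip rule del fwmark 12 table 12 2>/dev/null || true
ip route flush table 12
iptables -t mangle -F PREROUTING
ip route add default via $tun_ip dev $TUN_IF table 10
ip rule add fwmark 10 table 10
ip route add default via $wan_gw dev $WAN_IF table 12
ip rule add fwmark 12 table 12
ip route flush cache
echo 0 > /proc/sys/net/ipv4/conf/$TUN_IF/rp_filter
EOF
    for h in $VPN_CLIENTS; do
        echo "iptables -t mangle -A PREROUTING -i $LAN_IF -s $h -j MARK --set-mark 10"
    done
    for p in $WAN_PORTS; do
        echo "iptables -t mangle -A PREROUTING -i $LAN_IF -p tcp --dport $p -j MARK --set-mark 12"
    done
}

# build_killswitch_cmds: FORWARD rules for firewall-start. -I inserts at the
# top, so the DROP is emitted first and every later ACCEPT lands above it;
# without those ACCEPTs the DROP would also kill the WAN-bypass ports.
build_killswitch_cmds() {
    for h in $VPN_CLIENTS; do
        echo "iptables -I FORWARD -i $LAN_IF -s $h -o $WAN_IF -j DROP"
        for p in $WAN_PORTS; do
            echo "iptables -I FORWARD -i $LAN_IF -s $h -o $WAN_IF -p tcp --dport $p -j ACCEPT"
        done
    done
}

# mark_counters: reduce "iptables -t mangle -L PREROUTING -v -n -x" output to
# "<mark> <packets>" lines; rising counts on 0xa alongside rising OpenVPN
# client stats is the check the thread was looking for.
mark_counters() {
    awk '/MARK set/ { n[$NF] += $1 } END { for (m in n) print m, n[m] }' | sort
}

# run_logged TAG: run commands from stdin, logging each one and any non-zero
# return code to syslog (echo output is only visible interactively).
run_logged() {
    while IFS= read -r cmd; do
        logger -t "$1" "CMD: $cmd"
        eval "$cmd" || logger -t "$1" "FAILED rc=$? : $cmd"
    done
}

apply_routing() {
    tag="($(basename "$0"))"
    tun_ip=$(ifconfig "$TUN_IF" | parse_tun_ip) || {
        logger -t "$tag" "$TUN_IF has no IPv4 address, leaving tables 10/12 untouched"
        return 1
    }
    build_routing_cmds "$tun_ip" "$(nvram get wan0_gateway)" | run_logged "$tag"
}

# Constructed samples (not captured from a router) so the parsers can be
# tried offline; the tunnel address matches the thread's syslog.
SAMPLE_IFCONFIG='tun11     Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.157.32.6  P-t-P:10.157.32.5  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1'
SAMPLE_COUNTERS='Chain PREROUTING (policy ACCEPT 50000 packets, 40000000 bytes)
    pkts      bytes target     prot opt in     out     source               destination
    4321   3456789 MARK       all  --  br0    *       192.168.1.100        0.0.0.0/0            MARK set 0xa
     120     12000 MARK       tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:563 MARK set 0xc
       0         0 MARK       tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:32400 MARK set 0xc'

case "${1:-}" in
    --route-up) apply_routing ;;                                          # from whatever runs vpn_route_up.sh
    --firewall) build_killswitch_cmds | run_logged "($(basename "$0"))" ;;  # from firewall-start
    --counters) iptables -t mangle -L PREROUTING -v -n -x | mark_counters ;;
    --show)     build_routing_cmds "$2" "$3"; build_killswitch_cmds ;;     # dry run: --show TUN_IP WAN_GW
esac
```

Call it with --route-up from whatever currently runs your vpn_route_up.sh, with --firewall from /jffs/scripts/firewall-start (the same /jffs/scripts directory the VPN_Select_ON_OFF.sh example earlier in the thread lives in), and with --counters from a shell to see packet counts per mark. "--show 10.157.32.6 188.194.255.254" prints exactly what would be run without touching anything, which is a cheap way to review the rule order before trusting it. Because firewall-start is re-run whenever the firmware rebuilds its iptables rules, the DROP is present from boot onwards and survives a firewall restart, which is the race the post above is describing.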
 
Ummm… and where does one find those? :) And thanks BTW.
 