Selective Routing with Asuswrt-Merlin

[ozgreg]

ip route add 184.169.0.0/16 via $(nvram get wan0_gateway)
ip route add 54.241.12.23/32 via $(nvram get wan0_gateway)

Sadly my Plex stopped connecting after I installed a new Plex server update and cannot now get it connecting..

It's a bit fragile..

 

[ozgreg]

Sadly my Plex stopped connecting after I installed a new Plex server update and cannot now get it connecting..

It's a bit fragile..

Well I ended up totally reorganising my routing and instead only route specific ports via my VPN (all other traffic via WAN). I deleted the PLEX port forwards and once again I have PLEX working fine plus I have traffic via VPN on my selected ports..

 

[bdiament]

Your post is awesome; I was not using SCP, to start with, but rather sftp. And I was not saving the script as a Unix format file (.sh). Now I can write the script to the router (under jffs/script), after taking out the .sh extension, but still can’t make it work.

It seems to be running, but at the end my IP is that of the VPN to all my network, instead of having VPN only for Apple TV, as I’d like. BTW, Apple TV is already set to fixed IP, 192.168.1.5

I am reproducing my script below (copied from sources at Smallbridge). Is anyone able to spot any problems in it? Also, I see that the file 000vpnstarted is written to the tmp directory, but the other instances I created to check, 000vpnmiddle and 000vpnended are not written there. Does this mean the script is not running till the end? Any hints here?

I also have changed wan_gateway for wan0_gateway, after some hint. Without that, nothing works and I can’t navigate after rebooting the router (strangely, dropbox works in both conditions).

I appreciate any help to make this selective vpn work

My router is a RT-N66U and I am running Merlin 374.40 (latest version). My openvpn is set and working (I use PIA).


openvpn-event script I am using is below:

#!/bin/sh

sleep 2

touch /tmp/000vpnstarted

AppleTV="192.168.1.5"


# This code goes in the WAN UP section of the Tomato GUI.
# This code based on the contributions from this thread:
#  [url]http://www.linksysinfo.org/index.php?threads/route-only-specific-ports-through-vpn-openvpn.37240/[/url]
#
# And from material in these articles:
#  [url]http://linux-ip.net/html/adv-multi-internet.html[/url]
#  [url]http://fedorasolved.org/Members/kanarip/iptables-howto[/url]
#
# This script configures "selective" VPN routing. Normally Tomato will route ALL traffic out
# the OpenVPN tunnel. These changes to iptables allow some outbound traffic to use the VPN, and some
# traffic to bypass the VPN and use the regular Internet instead.
#


#  To list the current rules on the router, issue the command:
#      iptables -t mangle -L PREROUTING
#
#  Flush/reset all the rules to default by issuing the command:
#      iptables -t mangle -F PREROUTING
#
 
#
# First it is necessary to disable Reverse Path Filtering on all
# current and future network interfaces:
#



for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
  echo 0 > $i
done
 
#
# Delete and table 100 and flush any existing rules if they exist.
#
ip route flush table 100
ip route del default table 100
ip rule del fwmark 1 table 100
ip route flush cache
iptables -t mangle -F PREROUTING
 
#
# Copy all non-default and non-VPN related routes from the main table into table 100.
# Then configure table 100 to route all traffic out the WAN gateway and assign it mark "1"
#
# NOTE: Here I assume the OpenVPN tunnel is named "tun11".
#
#
ip route show table main | grep -Ev ^default | grep -Ev tun11 \
  | while read ROUTE ; do
      ip route add table 100 $ROUTE
done
ip route add default table 100 via $(nvram get wan0_gateway)
ip rule add fwmark 1 table 100
ip route flush cache
 
touch /tmp/000vpnmiddle
 
#
# Define the routing policies for the traffic. The rules will be applied in the order that they
# are listed. In the end, packets with MARK set to "0" will pass through the VPN. If MARK is set
# to "1" it will bypass the VPN.
#
# EXAMPLES:
#
#  All LAN traffic will bypass the VPN (Useful to put this rule first, so all traffic bypasses the VPN and you can configure exceptions afterwards)
#    iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1
#  Ports 80 and 443 will bypass the VPN
#    iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport 80,443 -j MARK --set-mark 1
#  All traffic from a particular computer on the LAN will use the VPN
#    iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.2 -j MARK --set-mark 0
#  All traffic to a specific Internet IP address will use the VPN
#    iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 216.146.38.70 -j MARK --set-mark 0
#  All UDP and ICMP traffic will bypass the VPN
#    iptables -t mangle -A PREROUTING -i br0 -p udp -j MARK --set-mark 1
#    iptables -t mangle -A PREROUTING -i br0 -p icmp -j MARK --set-mark 1
 
 
# By default all traffic will bypass the VPN
iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1
# Apple TV will go through VPN
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.5 -j MARK --set-mark 0

touch /tmp/000vpnended

exit 0

 
# Spotify explicitly by passes the VPN
#  All traffic from a particular computer on the LAN will use the VPN
#    iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.xxx -j MARK --set-mark 1
#    iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.xxx -j MARK --set-mark 1

 

[ionblue]

Well I ended up totally reorganising my routing and instead only route specific ports via my VPN (all other traffic via WAN). I deleted the PLEX port forwards and once again I have PLEX working fine plus I have traffic via VPN on my selected ports..

@ozreg

Would you mind sharing your configuration for this? I still can't get plex working and bypassing the VPN connection.

Based on your description I gather you're not sending traffic from one local IP over the VPN, but rather routing particular ports over the VPN. I don't know if this will work for what I'm needing to do.

@Martineau

I added the route commands you suggested to my VPN route up script and I saw the routes added to the table, but traffic to those IP blocks still wanted to go out over the VPN. I think I need to add the route commands to the actual OpenVPN custom configuration area, but I have no idea if I can dynamically pull the wan IP in that. Do you think this is where these routes need to go?

 

[ozgreg]

@ozreg

Would you mind sharing your configuration for this? I still can't get plex working and bypassing the VPN connection.

Based on your description I gather you're not sending traffic from one local IP over the VPN, but rather routing particular ports over the VPN. I don't know if this will work for what I'm needing to do.

Sorry for the slow reply work has been time consuming..

It turns out after a LOT of debugging that Plex has a number of way to determine what is the source IP address, including HTTPS and HTTP WGET commands so even although we implemented that port 30800 bypasses the VPN it was a wasted effort because Plex determined that the IP address it was using to communicate was the IP address at the end of the VPN tunnel not the IP address of our WAN connection thus it was never going to work so I instead switched to using a selective port ip routing via the vpn_route_up.sh event using the already posted script modified to instead route a port via the VPN

iptables -t mangle -A PREROUTING -i br0 -s 192.168.1.220 -p tcp --dport xxxxx -j MARK --set-mark 10

Thus only selected ports now get routed via the VPN and Plex correctly locates the WAN IP address not my VPN tunnel termination IP address..

As a tip the Plex script uses port 465 and Port 80 so avoid routing those via your VPN as well

I found the debugging mode on Plex very useful in working out what exactly it was doing and I had to reboot my router a few times because I managed to mangle my iptables and could not route out so it was a lot of trial and error..

I also found that at plex.tv/servers if you click on your server name it will reveal it's IP address and port which helped track down what IP address Plex was binding to..

 

[ryar27]

There is excellent information in this thread, thanks to all who contributed. Is anyone else having the issue that with a VPN active the router cannot be accessed via WAN? I have the line below in my openvpn-event and everything else is working:
iptables -t mangle -A PREROUTING -i br0 -s 192.168.1.1 -p tcp --dport 8080 -j MARK --set-mark 1

I have also tried:
iptables -t mangle -I PREROUTING -i br0 -p tcp -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -p udp -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -p icmp -j MARK --set-mark 1
and all ports bypass the VPN, however no matter what I tried I still can't access the router from WAN with the VPN active; no issues whatsoever with out VPN. Any suggestions from anyone?

 

[janosek]

Have you port forwarded the ports on the target machine?

 

[ryar27]

That did the trick, thank you. I never considered setting up the router to forward a port to itself.

edit: NVM, still not working. The VPN shut down when I forwarded the port. Whats weird is other ports are forwarded and working, I just can't access the router via WAN.

edit2: Got it, I started from scratch on a new openvpn-event file and it's working. Guess I grabbed a bad one the first time around.

 

[fediddy]

That did the trick, thank you. I never considered setting up the router to forward a port to itself.

edit: NVM, still not working. The VPN shut down when I forwarded the port. Whats weird is other ports are forwarded and working, I just can't access the router via WAN.

edit2: Got it, I started from scratch on a new openvpn-event file and it's working. Guess I grabbed a bad one the first time around.

How do you do this? I can access my computer remotely while the VPN is on but if i'm at my house I cannot access the WAN ip only the Lan IP.

 

[janosek]

NAT loopback doesn't work when the openvpn client is active. You need to use the internal IP when on the lan

 

[bilboSNB]

Can someone tell me if I am understanding this script correctly

Two routing tables are being added 10 and 12, the ip of the client tunnel is greped and made the default route for table 10 and anything with a fw mark 10 is sent to this table, table 12 is made the
default for everthing else including stuff bound for port 563?

Whats
"echo 0 > /proc/sys/net/ipv4/conf/$tun_if/rp_filter"
?

#
ip route flush table 10
ip route del default table 10
ip rule del fwmark 10 table 10
ip route flush table 12
ip route del default table 12
ip rule del fwmark 12 table 12
ip route flush cache
iptables -t mangle -F PREROUTING

tun_if="tun11"
tun_ip=$(ifconfig $tun_if | grep 'inet addr:'| cut -d: -f2 | awk '{ print $1}')

ip route add default via $tun_ip dev $tun_if table 10
ip rule add fwmark 10 table 10
ip route add default via $(nvram get wan_gateway) dev eth0 table 12
ip rule add fwmark 12 table 12

echo 0 > /proc/sys/net/ipv4/conf/$tun_if/rp_filter

iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.7.40-192.168.7.49 -j MARK --set-mark 10
iptables -t mangle -A PREROUTING -i br0 -p tcp --dport 563 -j MARK --set-mark 12

exit

And why eth0 above?

 

[bilboSNB]

I think I am right and am trying to redirect only google play store down the vpn:

#!/bin/sh

ip route flush table 10
ip route del default table 10
ip rule del fwmark 10 table 10
ip route flush cache
iptables -t mangle -F PREROUTING

tun_if="tun11"
tun_ip=$(ifconfig $tun_if | grep 'inet addr:'| cut -d: -f2 | awk '{ print $1}')

ip route add default via $tun_ip dev $tun_if table 10
ip rule add fwmark 10 table 10

echo 0 > /proc/sys/net/ipv4/conf/$tun_if/rp_filter

iptables -t mangle -A PREROUTING -i br0 -d play.google.com -j MARK --set-mark 10


exit

Edit, awesome we can now all get the google play store we want without having to piss about with vpn apps. Thanks to those who put this thread together.

 

[bilboSNB]

I have another query, hopefully someone knowledgeable will answer.

I am using the above to selectively route certain destinations over the vpn client of the router.

How do I get the selective rules to apply to clients of the vpn server of the router? At the moment they don't seem to.

 

[Wysie]

I'm having some issues with the selective routing not working ever since I updated to 374.42. I was on 374.38 previously. Using AC66.

The script seems to execute, but all traffic is going through VPN instead of selectively. I've shared my script as follows, can someone tell me what could be wrong? Thanks!

#!/bin/sh

# Script to route traffic from home network through VPN selectively.
# Based off the discussion at http://www.smallnetbuilder.com/forums/showthread.php?t=9311
# The setup is a Roku box, a Home PC running Plex, and a Synology NAS with a torrent client running a web interface.
# The aim is to have all traffic from Roku go through the VPN, all traffic from the Home PC (and all other devices) bypassing the VPN,
# and the Synology NAS using the VPN. There are however some exceptions. Since Plex uses port 32400, Roku has to bypass the VPN when
# using that port. In addition, port 9091 has to bypass the VPN as well in order to access the Synology torrent client. Lastly, ports 5000
# and 5001 has to bypass the VPN for the Synology Management UI.
#
# Requirements: Asuswrt-Merlin with OpenVPN already set up

logger -t "($(basename $0))" $$ ExpressVPN Selective Customization Starting... " $0${*:+ $*}."

PC_Home="192.168.1.50"
Synology_NAS="192.168.1.51"
Roku="192.168.1.52"

# SHELL COMMANDS FOR MAINTENANCE.
# DO NOT UNCOMMENT, THESE ARE INTENDED TO BE USED IN A SHELL COMMAND LINE
#
# List Contents by line number
# iptables -L PREROUTING -t mangle -n --line-numbers
#
# Delete rules from mangle by line number
# iptables -D PREROUTING type-line-number-here -t mangle
#
# To list the current rules on the router, issue the command:
# iptables -t mangle -L PREROUTING
#
# Flush/reset all the rules to default by issuing the command:
# iptables -t mangle -F PREROUTING

#
# Disable Reverse Path Filtering on all current and future network interfaces:
#
for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
echo 0 > $i
done

#
# Delete table 100 and flush any existing rules if they exist.
#
ip route flush table 100
ip route del default table 100
ip rule del fwmark 1 table 100
ip route flush cache
iptables -t mangle -F PREROUTING

#
# Copy all non-default and non-VPN related routes from the main table into table 100.
# Then configure table 100 to route all traffic out the WAN gateway and assign it mark "1"
#
tun_if="tun11"

ip route show table main | grep -Ev ^default | grep -Ev $tun_if \
| while read ROUTE ; do
ip route add table 100 $ROUTE
logger -t "($(basename $0))" $$ ExpressVPN Table 100 added entry: $ROUTE
done

ip route add default table 100 via $(nvram get wan_gateway)
ip rule add fwmark 1 table 100
ip route flush cache

# By default all traffic bypasses the VPN
iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1

logger -t "($(basename $0))" $$ Selective customisation for: "$"Roku $Roku
# By default Roku uses the VPN
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range $Roku -j MARK --set-mark 0

logger -t "($(basename $0))" $$ Selective customisation for: "$"Synology_NAS $Synology_NAS
# By default Synology uses the VPN, and FORCES the use of the VPN tunnel except for port 9443, 5000, 5001, 5050, 8083
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range $Synology_NAS -j MARK --set-mark 0
iptables -I FORWARD -i br0 -s $Synology_NAS -o eth0 -j DROP
iptables -I FORWARD -i br0 -s $Synology_NAS -o eth0 -p tcp -m multiport --port 9443,5000,5001,5050,8083 -j ACCEPT

# Ports 22 (SSH), 9443 (Torrent RPC/WebUI) and 32400 (Plex) will bypass the VPN
iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --port 22,9443,5000,5001,5050,8083,32400 -j MARK --set-mark 1

# There is a timing issue for Merlin build 270.26b and earlier where the Client VPN starts before the wan-start execution of this script.
# As a 'temporary' workaround set the 'VPN enabled on WAN' option to NO on the GUI, then uncomment the following line
# service start_vpnclient1

logger -t "($(basename $0))" $$ ExpressVPN Selective Customization completed.

 

[Wysie]

Got it working now! Thanks to this forum, I saw a tip on changing:

ip route add default table 100 via $(nvram get wan_gateway)

To:

ip route add default table 100 via $(nvram get wan0_gateway)

Not sure why it worked in earlier versions of the firmware though. All good now

 

[HiSoC8Y]

Hi

Can we do a selective routing with a range of IP? meaning, let's say i want all IPs in the range of 192.168.1.11 to 192.168.1.20 to go through VPN and all other IPs to go through my ISP traffic?

 

[bilboSNB]

Hi

Can we do a selective routing with a range of IP? meaning, let's say i want all IPs in the range of 192.168.1.11 to 192.168.1.20 to go through VPN and all other IPs to go through my ISP traffic?

Somethin like this:

iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.7.40-192.168.7.49 -j MARK --set-mark 10

its earlier in the thread somewhere.

 

[sammyano]

Have to reboot after setting the option to format it.

Do you have to set Format JFFS partition at next boot = No, after reboot or should it be let at Yes going forward. I have Enable JFFS = Yes by default?

thanks

 

[RMerlin]

Do you have to set Format JFFS partition at next boot = No, after reboot or should it be let at Yes going forward. I have Enable JFFS = Yes by default?

thanks

The router will automatically set the format option to No after the reboot.

 

[frankyto71]

RTNETLINK answers: No such process

Hi

I am getting RTNETLINK error on Asus RT-Ac68U. I have tried earlier script from this thread and Wysie's as the latest trial. No matter what I get the RTNETLINK answers: no such process error

Running this code in #!/bin/sh script as well as commandline


ip route flush table 10
ip route del default table 10
ip rule del fwmark 10 table 10

This error occurs right after ip route del default table 10
I have used it within a #!/bin/sh script as well as commandline, both throw the same error
All suggestions in earlier posts didn't help me to resolve the problem.
However even with the error the routing tables are populated and traffic is directed as wanted.
Can anyone suggest how to sort this out please.

Thanks