Selective Routing with Asuswrt-Merlin

Hi

I am getting an RTNETLINK error on an Asus RT-AC68U. I have tried the earlier script from this thread and Wysie's as the latest trial. No matter what, I get the "RTNETLINK answers: No such process" error.

Running this code in a #!/bin/sh script as well as on the command line:


ip route flush table 10
ip route del default table 10
ip rule del fwmark 10 table 10

This error occurs right after ip route del default table 10.
I have used it within a #!/bin/sh script as well as on the command line; both throw the same error.
All suggestions in earlier posts didn't help me to resolve the problem.
However, even with the error, the routing tables are populated and traffic is directed as wanted.
Can anyone suggest how to sort this out, please?

Thanks

This is the sequence I personally use in my custom VPN_Select.sh script, which is called each time the VPN Client (#1 or #2) is restarted:

Code:
ip route flush table 10
ip rule del fwmark 10 10
ip rule del table 10

Regards,
 
Get only Utorrent, Transmission, and ASUS Download Master to run through the VPN

Hey guys,

Ever since I permanently activated my OpenVPN from PIA (Private Internet Access) on my Asus RT-AC66U, I've been having loads of trouble doing various things, including the following:
1) connecting to my FTP server via WAN
2) VPNing into my router from the outside
3) accessing certain web sites that block my VPN's IP address due to "spammers"
4) certain games not connecting to the internet.

I know selective routing is an answer to these problems. I read through this thread and I now know how to disable the VPN from being used by default (I'm hoping this will fix my problems), but I was wondering if someone knowledgeable would help me develop a script that will force ASUS Download Master and any uTorrent clients on Windows/Mac and Transmission clients on iOS devices to work through the VPN.

Would this be possible, or would the easiest way to do this be to create a script only to make ASUS Download Master work through the VPN, while setting up the individual uTorrent/Transmission applications to work using PIA proxies? Would this latter idea result in a speed decrease for these applications if they are working through proxies rather than through a VPN on a router?
 

In your selective routing script:
Code:
#!/bin/sh
logger -t "($(basename $0))" $$ VPN Selective routing starting.... " $0${*:+ $*}."

ip route flush table 10
ip route del default table 10
ip rule del fwmark 10 table 10
ip route flush cache
iptables -t mangle -F PREROUTING

tun_if="tun11"  
tun_ip=$(ifconfig $tun_if | grep 'inet addr:'| cut -d: -f2 | awk '{ print $1}')

ip route add default via $tun_ip dev $tun_if table 10
ip rule add fwmark 10 table 10

echo 0 > /proc/sys/net/ipv4/conf/$tun_if/rp_filter


iptables -t mangle -A PREROUTING -i br0 -p tcp --dport 456 -j MARK --set-mark 10
iptables -t mangle -A PREROUTING -i br0 -p tcp --dport 123 -j MARK --set-mark 10
# edit the ports for the torrent programs you want to redirect

exit



Then in the firewall-start script, add a rule to drop traffic to those ports if the VPN is down.

Code:
#!/bin/sh
iptables -I FORWARD -s 192.168.0.0/24 -o ! tun11 -p tcp --dport 456 -j DROP
iptables -I FORWARD -s 192.168.0.0/24 -o ! tun11 -p tcp --dport 123 -j DROP

Note I have changed my subnet to 192.168.0.0/24.
The ! inverts the meaning, so if the output interface is not tun11 then drop. (I assume your VPN client is tun11.)
You can then test: the programs using the ports specified should only work when the VPN is up. You will have to experiment to get this working if it doesn't.
I am new to this and only learnt from reading this thread; hopefully someone more knowledgeable will reply if I am wrong!!
 
Thanks! Does the IP 192.168.0.1/24 have to be the IP address the respective uTorrent client is running on? Also, does this script route all ASUS Download Master traffic through the VPN?

Thanks!
 
192.168.0.0/24 covers the whole LAN; change it if you use a different network, e.g. 192.168.1.0/24. You can make it device specific by dropping the /24.

Re Download Master, not sure. As the traffic is not coming in from a wired or wireless client but from the router itself, you may need to drop the -i br0. Try it and see what happens.
 
Thanks, but it is not working. I copied the first script to a Notepad+ document, changed the port number to the same port as in uTorrent's options, saved it as All files(".") so it wouldn't have an extension, and named the script open-vpn-event.

Then I made the firewall script using the same method, changed the 192.168.0.1/24 to 192.168.1.1/24 (because the IP of my computer is 192.168.1.7) and named it "firewall-start".

I copied both scripts over to the jffs scripts folder and changed the octal values of both to 0777.

I rebooted my router, and I checked my IP with the VPN still on the router and firefox is still showing my VPN IP address.

Thanks for trying. I don't mind setting up individual proxies to get uTorrent to work with the VPN. All I really want is to route ONLY ASUS Download Master traffic to go through the router VPN and everything else to go through my regular network.
 
That subnet CIDR is wrong. It should be 192.168.1.0/24 (the last digit should be the network address, not the first device IP address).
 
Can you run the script manually?

Please see this particular post; this is what I base my script on:
http://forums.smallnetbuilder.com/showpost.php?p=101202&postcount=64

Note the additional OpenVPN options:
route-nopull   (very important)
script-security 2
route-up /jffs/scripts/vpn_route_up.sh

As per this thread my script is called vpn_route_up.sh; don't use openvpn-event.

The script gets called by the additional option on the openvpn settings above.

Personally I use nano to create and edit files rather than mess about in windows and copying.
 
I have tried to change as you suggested, but now the error is RTNETLINK answers: No such file or directory.
First I tried your suggestion in the script, then manually:
@RT-AC68U-3860:/tmp/mnt/AsusSSD/SharedDoc# ip rule del fwmark 10 10
RTNETLINK answers: No such file or directory

When I run my script manually:
@RT-AC68U-3860:/tmp/mnt/AsusSSD/SharedDoc# ip route del default table 10
RTNETLINK answers: No such process

I have tried all other suggestions in this thread but none of them work.
Right now I am on 374.42.2 firmware.
 
The purpose of the three commands is to ensure that the table (in this case table 10) does not contain unnecessary duplicate entries prior to customisation.

So when the router is booted, table 10 will (hopefully) not exist, so the three commands to wipe table 10 will ALWAYS fail, regardless of whether the incorrect commands are used!! :p

I too can show that the commands will fail until I actually create table 10, at which point the ip rule del table commands will work!

Code:
ASUSWRT-Merlin RT-AC56U_3.0.0.4 Fri Jun  6 20:34:06 UTC 2014
admin@RT-AC56U:/tmp/home/root# ip rule del fwmark 10 10
RTNETLINK answers: No such file or directory
admin@RT-AC56U:/tmp/home/root# ip rule del table 10
RTNETLINK answers: No such file or directory

admin@RT-AC56U:/tmp/home/root# ip rule

0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default

admin@RT-AC56U:/tmp/home/root# ip rule add fwmark 10 table 10

admin@RT-AC56U:/tmp/home/root# ip rule
0:      from all lookup local
32765:  from all fwmark 0xa lookup 10
32766:  from all lookup main
32767:  from all lookup default
admin@RT-AC56U:/tmp/home/root# ip rule del fwmark 10

admin@RT-AC56U:/tmp/home/root# ip rule
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default

As the improved version of this selective routing script is tied to the VPN client UP/DOWN event, imagine the chaos with rogue iptables entries if the VPN client was restarted 50 times without using the corrected three commands from above. :)

NOTE: I originally used this on my RT-N66U, and on my RT-AC56U it should still work although to be honest I no longer use selective routing anymore.

Regards,
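Added example, not a script from this thread: it makes the "wipe table 10" step above idempotent (delete the fwmark rule only while "ip rule" still lists it, so neither a fresh boot nor 50 restarts leaves an error or stacked rules) and adds the check asked for later in the thread, whether the table's default route really leaves via the tunnel. It assumes fwmark 10, table 10 and tun11 as in the posts; the "ip rule" listing it parses is constructed.

```shell
#!/bin/sh
# Added example, not a script from this thread. It makes the "wipe table 10"
# step idempotent and checks that the table really routes via the tunnel.
# Assumes fwmark 10, table 10 and VPN interface tun11 as in the posts above.

MARK=10
TABLE=10
TUN_IF="tun11"

# Count the "ip rule" entries that match a fwmark/table pair.
# $1 = text of "ip rule" output, $2 = decimal fwmark, $3 = table id
count_mark_rules() {
    hex=$(printf '0x%x' "$2")
    printf '%s\n' "$1" | awk -v m="$hex" -v t="$3" '
        { for (i = 1; i < NF; i++)
              if ($i == "fwmark" && $(i+1) == m && $(i+2) == "lookup" && $(i+3) == t) n++ }
        END { print n + 0 }'
}

# Exit 0 when at least one such rule exists, 1 otherwise.
rule_present() {
    [ "$(count_mark_rules "$1" "$2" "$3")" -gt 0 ]
}

# Print the device of the default route in "ip route show table N" output;
# prints nothing when the table has no usable default route.
table_default_dev() {
    printf '%s\n' "$1" | awk '$1 == "default" {
        for (i = 1; i < NF; i++) if ($i == "dev") print $(i+1) }'
}

# Live cleanup: delete the rule only while the listing still shows it, so a
# fresh boot gives no "No such file or directory" and 50 VPN restarts still
# leave exactly one rule after the re-add.
clear_mark_rules() {
    while rule_present "$(ip rule)" "$MARK" "$TABLE"; do
        ip rule del fwmark "$MARK" table "$TABLE" || break
    done
    ip route flush table "$TABLE" 2>/dev/null
}

# Live check: does table TABLE's default route really leave via tun11?
check_table() {
    dev=$(table_default_dev "$(ip route show table "$TABLE")")
    if [ "$dev" = "$TUN_IF" ]; then
        echo "table $TABLE default via $TUN_IF: OK"
    else
        echo "table $TABLE default dev is '${dev:-none}', expected $TUN_IF" >&2
        return 1
    fi
}

# Constructed "ip rule" listing after two VPN restarts without any cleanup:
SAMPLE_RULES='0:      from all lookup local
32764:  from all fwmark 0xa lookup 10
32765:  from all fwmark 0xa lookup 10
32766:  from all lookup main
32767:  from all lookup default'
echo "stacked rules for fwmark $MARK in sample: $(count_mark_rules "$SAMPLE_RULES" "$MARK" "$TABLE")"

# The live parts only make sense as root on the router with tun11 present.
if [ "$(id -u)" = 0 ] && [ -d "/sys/class/net/$TUN_IF" ]; then
    clear_mark_rules
    check_table
fi
```

Run it from the same route-up hook the posts use; on a box without tun11 it only evaluates the constructed listing.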
 
I have been trying to test these settings, and after adding the route-up portion to the custom config I'm getting an error like this in syslog:

Jun 15 07:51:04 openvpn[10161]: WARNING: Failed running command (--route-up): could not execute external program

I've already chmod +x the script so it should be working, right? Or do I need to do anything else? I'm using the newest .43 fw; does anyone else on this version have the same problem?
 
Have you verified this?

http://forums.smallnetbuilder.com/showpost.php?p=101589&postcount=69

Regards,
 
Hey guys, I have another question if anyone wouldn't mind assisting! I've been trying to use this method for blocking traffic not going through the VPN and it works great with my torrents:

iptables -I FORWARD -i br0 -s 192.168.1.0/24 -o eth0 -j DROP

BUT it blocks ALL traffic until the VPN is up. I've tried to be more specific with it by doing

iptables -I FORWARD -i br0 -s 192.168.1.0/24 -o eth0 -p tcp --dport 34674 -j DROP
iptables -I FORWARD -i br0 -s 192.168.1.0/24 -o eth0 -p udp --dport 34674 -j DROP

but this still allows the client to download even while the VPN is off. What's even weirder is if I do

iptables -I FORWARD -i br0 -s 192.168.1.0/24 -o eth0 -p tcp --dport 80 -j DROP

this will kill my internet access right away. So it appears the syntax is correct if it's working for other ports, but it's not working correctly with 34674 for some reason.

How can I specify which ports specifically must be forwarded through the VPN or dropped? I'm gonna try changing the port and seeing if that matters, but if anyone else has any ideas I'd appreciate the input. Thx in advance!

Update: didn't work on an alternate port either..
 
Maybe try shortening it to not be input specific :confused:

iptables -I FORWARD -o eth0 -p tcp --dport 34674 -j DROP

or -o ! tun11

In my case I do not block specific ports, just hosts, and I have to use either
-o ! tun11 or
-o ppp0
 
Hi Everyone,

Was just wondering if I can use the script on DD-WRT; if I can't, does someone know what I need to change to use it? I know I definitely have to change tun11 to tun1.

I have looked all over and no one has this selective routing for VPN down to a tee except here, but the script was only for Merlin, so that's why I'm asking.

Please help me.

Thanks,
Jeff
 
I've actually got it working using iptables like this:

iptables -I FORWARD -i br0 -s 192.168.1.0/24 -o eth0 -j DROP
iptables -I FORWARD -s 192.168.1.0/24 -o ! tun11 -p tcp --dport 80 -j ACCEPT
iptables -I FORWARD -s 192.168.1.0/24 -o ! tun11 -p tcp --dport 443 -j ACCEPT

This forces all traffic going out on LAN 1, except ports 80/443, to drop if using the eth0 interface (which stops the torrent clients from doing anything until I bring up the VPN).
 
First time poster and may I say thank you to all before for the great info contained in this thread.

It looks like I have this sorted and routed all but my Mede8er and NAS box through the WAN.

Is there a way to verify that the Mede8er and nas are indeed connected to the US VPN other than the increase in statistics on the VPN status tab?

This is my log on connection

Jun 18 11:11:10 rc_service: httpd 543:notify_rc start_vpnclient1
Jun 18 11:11:10 kernel: tun: Universal TUN/TAP device driver, 1.6
Jun 18 11:11:10 kernel: tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
Jun 18 11:11:11 openvpn[2502]: OpenVPN 2.3.4 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Jun 7 2014
Jun 18 11:11:11 openvpn[2502]: library versions: OpenSSL 1.0.0m 5 Jun 2014, LZO 2.06
Jun 18 11:11:11 openvpn[2502]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Jun 18 11:11:11 openvpn[2502]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jun 18 11:11:12 openvpn[2509]: UDPv4 link local: [undef]
Jun 18 11:11:12 openvpn[2509]: UDPv4 link remote: [AF_INET]xxx.xxx.x.xxx:1194
Jun 18 11:11:13 openvpn[2509]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Jun 18 11:11:17 openvpn[2509]: [us1.vyprvpn.com] Peer Connection Initiated with [AF_INET]xxx.xxx.x.xxx:1194
Jun 18 11:11:19 openvpn[2509]: Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
Jun 18 11:11:19 openvpn[2509]: Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Jun 18 11:11:19 openvpn[2509]: Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Jun 18 11:11:19 openvpn[2509]: TUN/TAP device tun11 opened
Jun 18 11:11:19 openvpn[2509]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Jun 18 11:11:19 openvpn[2509]: /usr/sbin/ip link set dev tun11 up mtu 1500
Jun 18 11:11:19 openvpn[2509]: /usr/sbin/ip addr add dev tun11 10.10.2.161/16 broadcast 10.10.255.255
Jun 18 11:11:19 openvpn[2509]: updown.sh tun11 1500 1542 10.10.2.161 255.255.0.0 init
Jun 18 11:11:20 openvpn[2509]: Initialization Sequence Completed

Does this look right?? Are the warnings anything to be concerned about?

Thanks
 
iptables -I FORWARD -i br0 -s 192.168.1.0/24 -o eth0 -j DROP
iptables -I FORWARD -s 192.168.1.0/24 -o ! tun11 -p tcp -m multiport --dport 80,443,25,110,143,8888 -j ACCEPT

So I've been using the above for a few weeks now to block torrent traffic until the VPN goes up, and it's been working as expected with my uTorrent clients but not with the Download Station client on my Synology NAS. Blocking all traffic and adding exceptions for internet, email etc. works but seems to have slowed down my internet for certain clients, and if I allow SIP traffic, torrents will function on those ports -_- so I lose VoIP. I'm stumped and I guess just wondering if there is a better solution to not allow torrent downloads until the VPN is up, or to block torrent traffic altogether, or bind it maybe to a specific port or range of ports.

Update: I tried layer 7 blocking too with

insmod /lib/modules/2.6.22.19/kernel/net/netfilter/xt_layer7.ko
iptables -I FORWARD -m layer7 --l7proto bittorrent -j DROP

But this does not work either.
 
Selective routing to vpn of all netflix streaming traffic

I had actually purchased a year of PIA OpenVPN to work around the poor performance of Netflix on Verizon FiOS. I had been happily using DJR747's elegant script for directing certain internal IP addresses to the VPN with no issues until recently. Hulu is now blocking many VPN services' IP address blocks, including PIA's. After trying to create an exception for Hulu services I gave up and instead sent only Netflix streaming services to the VPN service. It appears to work, but as I am sending just a particular website through it, it is harder to verify that all of the streaming traffic is going through the VPN.

Code:
#!/bin/sh

#Netflix Website IP blocks
website_dst_range01="108.175.32.1-108.175.47.254"
website_dst_range02="192.119.16.225-192.119.16.238"
website_dst_range03="192.173.64.1-192.173.127.254"
website_dst_range04="198.38.96.1-198.38.127.254"
website_dst_range05="198.45.48.1-198.45.63.254"
website_dst_range06="208.75.76.1-208.75.79.254"
website_dst_range07="216.21.170.97-216.21.170.110"
website_dst_range08="216.21.170.129-216.21.170.142"
website_dst_range09="216.21.170.145-216.21.170.158"
website_dst_range10="23.246.0.1-23.246.63.254"
website_dst_range11="23.246.16.1-23.246.16.254"
website_dst_range12="23.246.17.1-23.246.17.254"
website_dst_range13="63.195.98.17-63.195.98.22"
website_dst_range14="69.53.224.1-69.53.255.254"

ip route flush table 10
ip route del default table 10
ip rule del fwmark 10 table 10
ip route flush table 12
ip route del default table 12
ip rule del fwmark 12 table 12
ip route flush cache
iptables -t mangle -F PREROUTING

tun_if="tun11"
tun_ip=$(ifconfig $tun_if | grep 'inet addr:'| cut -d: -f2 | awk '{ print $1}')

ip route add default via $tun_ip dev $tun_if table 10
ip rule add fwmark 10 table 10
ip route add default via $(nvram get wan_gateway) dev eth0 table 12
ip rule add fwmark 12 table 12

echo 0 > /proc/sys/net/ipv4/conf/$tun_if/rp_filter

iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 12
iptables -t mangle -A PREROUTING -i br0 -p tcp --dport 563 -j MARK --set-mark 12
iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range $website_dst_range01 -j MARK --set-mark 10
iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range $website_dst_range02 -j MARK --set-mark 10
iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range $website_dst_range03 -j MARK --set-mark 10
iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range $website_dst_range04 -j MARK --set-mark 10
iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range $website_dst_range05 -j MARK --set-mark 10
iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range $website_dst_range06 -j MARK --set-mark 10
iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range $website_dst_range07 -j MARK --set-mark 10
iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range $website_dst_range08 -j MARK --set-mark 10
iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range $website_dst_range09 -j MARK --set-mark 10
iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range $website_dst_range10 -j MARK --set-mark 10
iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range $website_dst_range11 -j MARK --set-mark 10
iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range $website_dst_range12 -j MARK --set-mark 10
iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range $website_dst_range13 -j MARK --set-mark 10
iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range $website_dst_range14 -j MARK --set-mark 10

exit
These represent all Netflix addresses related to connecting to the website and streaming service that I could verify. I noticed that many scripts on the web include Netflix's peering partners in the address blocks (Level 3, Qwest etc.). Should I include these addresses also? Any feedback would be appreciated. :)
 