Selective Routing with Asuswrt-Merlin

Unusual to see 169.254.*.*; not sure of the impact.

I have it too. I think it comes from avahi, used by the Time Machine support.
 
I've been trying to get this to work, and from what I can tell the policy rules option in the openvpn client section doesn't work properly for me. I set my pc (connected by wifi) as the source ip but then all other devices on my network lose internet connectivity. I tried on two android phones and all I get is DNS_PROBE_FINISHED_BAD_CONFIG on chrome. I also tried doing the reverse and setting my phone to use the vpn but I get the same result.

Any ideas?
 
What are you using as DNS mode on the VPN client? If it's set to exclusive, try changing it - it's possible that your tunnel provider's DNS don't work outside of the tunnel.
 
After about 5 hours of fiddling I got to that conclusion and everything works now :) Thanks for the reply though
 
I spent some time trying to come up with an elegant solution to this, and unfortunately none comes to mind, besides disabling exclusive mode whenever policy-based routing is enabled.

Ideally, what we'd need is for dnsmasq to be able to use a specific nameserver based on the client's IP. Otherwise, people will have to disable strict mode, and rely on DNSFilter to enforce their provider's DNS for the routed clients.
 
Is it possible to forward/direct specific traffic from an OpenVPN server to an OpenVPN client?
I'm running both a server and a client on my AC68U router (378.53), and traffic to specific IPs (e.g. 216.146.38.70, a 'what is my IP' site) goes through the VPN client when accessing the site from the LAN. However, when connected through the VPN server, the connection is dropped due to a firewall rule:
iptables -I FORWARD ! -o tun11 -d 216.146.38.70 -j DROP
Disabling this command in firewall-start allows traffic on the VPN server to access the site, but the IP is my ISP's, not the VPN client's. This means that traffic from the VPN server is not being redirected to the VPN client. Is there an iptables rule to do this?
 
Phase 1 selective routing script

Hello,

Here is my script. I originally planned to learn how to do this in 3 phases.

phase 1: selectively route PS3, Nexus 10 and Laptop over US VPN, but keep VOIP and desktop PC on WAN

phase 2: create up and down scripts to prevent leakages for phase 3

phase 3: set up a second Swiss VPN and selectively route P2P communication from PC over Swiss VPN.

Suffice it to say, I am stuck on phase 1. My wife doesn't like the internet to go down for extended periods of time, so I cannot tinker.


Amazing how things have changed in the past two years. What Merlin recently implemented in .54 was what I dreamt of when I thought about the above quote. Suffice it to say, I was able to take a few minutes (all it took, with some googling) and implement phase 3. I am even considering upgrading to an RT-AC87U from my RT-AC66U to get some extra VPN performance!

So what I did was set up both VPN clients. The first in the US, without any encryption or compression in order to bypass location restrictions for Netflix. I used policy routing to route my PS3, Nexus 10 and my basement "Smart TV" to use the US VPN for Netflix. The second client is more interesting and will require the faster RT-AC87U if I want it to work well. Anyway, I set it up using the Swiss VPN address. I created a second IP address on my PC using the instructions here:
http://www.daktronics.com/Support/KB/Pages/how to add a secondary ip address to a computer.aspx
I set up IP addresses 192.168.1.100 and 192.168.1.200 to my desktop.

I then set the VPN to accept DNS configuration exclusively and to block routed clients if the VPN goes down. I then policy routed 192.168.1.200 through the Swiss VPN.

Finally, I googled how to bind utorrent to 192.168.1.200 and found this site:
http://www.ibvpn.com/billing/knowle...ad-Torrents-only-via-VPN-Windows-OpenVPN.html

I then fired up utorrent, logged onto my torrent site and confirmed that my torrents were seeding through the Swiss VPN. I then checked http://www.iplocation.net/ and found that my normal traffic on my PC is still going through my ISP. So it looks like I finally got to phase 3, thanks to Merlin's fantastic work!
 
Hello..

I have an issue that, while on the surface it looks like a Private Internet Access VPN issue, is actually a routing and route issue.

Here is the situation.
I am on .54_1 on an RT-AC66u
I have client 1 as US VPN with no encryption or compression
I have client 2 as Swiss VPN with encryption.

I have policy routing for my TV and tablet to go through client 1, and I set up a second IP address for my desktop such that 192.168.1.100 goes through the ISP and 192.168.1.200 is policy routed through the Swiss VPN. Everything looks great.

I use forcebindip to force bind firefox to 192.168.1.200 and I set utorrent to bind to 192.168.1.200 as well. I set my DNS to be google because I had dns leaks that I could not resolve.

Here is the issue. I am trying to use Private Internet Access port forwarding to open up a port for utorrent, but in the above setup I keep getting "Port forwarding not available for this region". The Swiss VPN has port forwarding. After some googling, I discovered that the request for the port forward opening needs to go through the Swiss VPN in order to return a port. In order to test that the script works, I turned off client 1 and set client 2 (Swiss VPN) to route all traffic. When I ran the script below with my credentials, I got a port back. When I set the Swiss VPN to policy routing and turned client 1 back on, I get "Port forwarding not available for this region". The thing is, I bind the HTTP connection to 192.168.1.200, which is policy routed through the Swiss VPN. The call to http://myexternalip.com/raw returns the Swiss VPN IP address, so why does the second call think it is not coming from the network?

One thing I can think of is that I am using google DNS on both windows and overriding my ISP on the router. Could the DNS lookup interfere? If all traffic goes through the Swiss VPN, does it use the PIA DNS server?

Any insight would be helpful.



Code:
import urllib, urllib2, httplib, socket, re, random, string, json, sys


API_URL = "https://www.privateinternetaccess.com/vpninfo/port_forward_assignment"
user = '*'
pw = '*'
pia_client_id = ''
Internal_IP = '192.168.1.200'


#********************************
#This code binds the HTTP request to the selected Internal_IP above
#Code from
#http://stackoverflow.com/questions/1150332/source-interface-with-python-and-urllib2

class BindableHTTPConnection(httplib.HTTPConnection):
    def connect(self):
        """Connect to the host and port specified in __init__."""
        self.sock = socket.socket()
        self.sock.bind((self.source_ip, 0))
        if isinstance(self.timeout, float):
            self.sock.settimeout(self.timeout)
        self.sock.connect((self.host,self.port))

def BindableHTTPConnectionFactory(source_ip):
    def _get(host, port=None, strict=None, timeout=0):
        bhc=BindableHTTPConnection(host, port=port, strict=strict, timeout=timeout)
        bhc.source_ip=source_ip
        return bhc
    return _get

class BindableHTTPHandler(urllib2.HTTPHandler):
    # Only http_open is overridden: https:// URLs are still handled by
    # urllib2's default HTTPSHandler, which does not go through this factory.
    def http_open(self, req):
        return self.do_open(BindableHTTPConnectionFactory(Internal_IP), req)
opener = urllib2.build_opener(BindableHTTPHandler)
#******************************

#install opener so that this interface will be used throughout
urllib2.install_opener(opener)
ip = re.search(r"^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$",urllib2.urlopen('http://myexternalip.com/raw').read())
print "IP Address:", ip.group(0)



if pia_client_id == "":
  pia_client_id = "".join([random.choice(string.letters) for i in xrange(32)])
print "PIA Client ID:", pia_client_id


# This code is from:
#https://www.privateinternetaccess.com/forum/discussion/180/port-forwarding-without-the-application-advanced-users/p2
#
# Gather the (possibly multi-line) JSON response and create a python dict
# out of it


request = urllib2.Request(API_URL, urllib.urlencode(
        { 'user':user
        , 'pass':pw
        , 'client_id':pia_client_id
        , 'local_ip':ip.group(0)
        }
        ))

response = ""

for line in urllib2.urlopen(request).readlines():
    response += line
resp =  json.loads(response)


# Now either print out the forwarded port or an error message.
if "port" in resp:
    print "Forwarded port:", resp["port"]
elif "error" in resp:
    print "Error: %s" % resp["error"]
    sys.exit(-1)
else:
    print "Error: no idea what failed!"
    sys.exit(-2)
 
OK. Here is the route information where the above script works:

Code:
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
23.233.6.129    0.0.0.0         255.255.255.255 UH    0      0        0 eth0
10.183.1.5      0.0.0.0         255.255.255.255 UH    0      0        0 tun12
23.233.6.128    0.0.0.0         255.255.255.224 U     0      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         23.233.6.129    0.0.0.0         UG    0      0        0 eth0

In the above setup, everything is routed through the tunnel 2 VPN and PIA recognizes the HTTPS call and provides a port.



When I turn on the other VPN and policy route the IP I want, it does not work and the route looks like:
Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
208.167.254.98  23.233.6.129    255.255.255.255 UGH   0      0        0 eth0
10.182.1.9      0.0.0.0         255.255.255.255 UH    0      0        0 tun12
23.233.6.129    0.0.0.0         255.255.255.255 UH    0      0        0 eth0
10.100.3.5      0.0.0.0         255.255.255.255 UH    0      0        0 tun11
81.17.25.2      23.233.6.129    255.255.255.255 UGH   0      0        0 eth0
23.233.6.128    0.0.0.0         255.255.255.224 U     0      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         23.233.6.129    0.0.0.0         UG    0      0        0 eth0
Again, the HTTP request in the above script correctly gives me the external IP of tunnel 2, but the HTTPS call is not being recognized as going through the tunnel 2 VPN. I feel the solution is simple, but it is beyond my knowledge.
 
If I get rid of my second ip address to my network card and just route the single ip address, 192.168.1.100, through the second tunnel, the script also works fine.

So I have to figure out why I can make an HTTP request that binds to 192.168.1.200, which is policy routed through tunnel 2, and get the external IP of the tunnel, but when I try to use the same interface to make an HTTPS request, the PIA server doesn't recognize me as going through tunnel 2.
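Added example, not the poster's script: the BindableHTTPHandler in the script above overrides only http_open, so the call to myexternalip.com is bound to Internal_IP while the HTTPS request to the PIA API is still dispatched to urllib2's default HTTPSHandler and leaves from whatever source address the OS picks. The Python 3 version below pins both schemes through http.client's source_address argument; the names build_bound_opener, port_forward_request and open_bound are assumed, the API URL and form fields are the post's, and nothing opens a socket until open_bound is called.

```python
"""Pin both http:// and https:// requests to one local source address.

Added example, not the poster's script. Python 3's http.client accepts
source_address directly, so no socket-level subclass is needed, and the
https handler is overridden the same way as the http one.
"""
import functools
import http.client
import json
import urllib.parse
import urllib.request

# Values taken from the post; credentials are passed in by the caller.
API_URL = "https://www.privateinternetaccess.com/vpninfo/port_forward_assignment"
INTERNAL_IP = "192.168.1.200"


def bound_connection_class(source_ip, https):
    """HTTP(S)Connection constructor that binds to source_ip before connecting.

    source_address=(ip, 0) makes the kernel bind() the socket to that IP with
    an ephemeral port, which is what source-IP policy routing keys on.
    """
    base = http.client.HTTPSConnection if https else http.client.HTTPConnection
    return functools.partial(base, source_address=(source_ip, 0))


class BoundHTTPHandler(urllib.request.HTTPHandler):
    def __init__(self, source_ip, **kwargs):
        super().__init__(**kwargs)
        self.source_ip = source_ip

    def http_open(self, req):
        return self.do_open(bound_connection_class(self.source_ip, False), req)


class BoundHTTPSHandler(urllib.request.HTTPSHandler):
    """The part the posted script lacks: https:// requests bound the same way."""

    def __init__(self, source_ip, **kwargs):
        super().__init__(**kwargs)
        self.source_ip = source_ip

    def https_open(self, req):
        # self._context is the TLS context the stock handler would use, so
        # certificate verification is unchanged.
        return self.do_open(bound_connection_class(self.source_ip, True), req,
                            context=self._context)


def build_bound_opener(source_ip):
    """Opener whose http and https traffic both leave from source_ip.

    build_opener drops its default HTTPHandler/HTTPSHandler when a subclass
    of each is supplied, so only the bound handlers remain registered.
    """
    return urllib.request.build_opener(BoundHTTPHandler(source_ip),
                                       BoundHTTPSHandler(source_ip))


def port_forward_request(user, password, client_id, local_ip):
    """The same POST the posted script sends, built as a Request object."""
    body = urllib.parse.urlencode({"user": user, "pass": password,
                                   "client_id": client_id,
                                   "local_ip": local_ip}).encode("ascii")
    return urllib.request.Request(API_URL, data=body)


def open_bound(opener, req, timeout=10):
    """Send req through the bound opener and return the parsed JSON body."""
    with opener.open(req, timeout=timeout) as resp:
        return json.load(resp)
```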
 
Hi, I'm currently trying to redirect all traffic on one of my ports to the VPN and have it also block the traffic should the VPN go down. That doesn't seem to be the case when I toggle the ON/OFF switch. Is this normal?

Custom Configuration:
Code:
...
route-nopull
script-security 2
route-up /jffs/scripts/vpn_route_up.sh

vpn_route_up.sh:
Code:
#!/bin/sh

logger -t "($(basename $0))" $$ Selective OpenVPN Starting... " $0${*:+ $*}."

# Start from a clean policy table 10 and remove any stale fwmark rule
ip route flush table 10
ip route del default table 10
ip rule del fwmark 10 table 10

ip route flush cache

# Tunnel interface of OpenVPN client 1 and its address
tun_if="tun11"
tun_ip=$(ifconfig $tun_if | grep 'inet addr:'| cut -d: -f2 | awk '{ print $1}')

# Packets marked 10 are looked up in table 10, whose only route is the tunnel
ip route add default via $tun_ip dev $tun_if table 10
ip rule add fwmark 10 table 10

# Replies arrive on the tunnel, so reverse-path filtering must be relaxed there
echo 0 > /proc/sys/net/ipv4/conf/$tun_if/rp_filter

# Mark LAN traffic destined for port 59606 so it is routed via table 10
iptables -t mangle -A PREROUTING -i br0 -p tcp --dport 59606 -j MARK --set-mark 10
iptables -t mangle -A PREROUTING -i br0 -p udp --dport 59606 -j MARK --set-mark 10

firewall-start:
Code:
iptables -I FORWARD -s 192.168.1.0/24 -o ! tun11 -p tcp --dport 59606 -j DROP
iptables -I FORWARD -s 192.168.1.0/24 -o ! tun11 -p udp --dport 59606 -j DROP
 
Did you check if the firewall-start rules were created/applied?

Code:
iptables   -nv   -L   --line

I think the firewall-start syntax should be:

Code:
iptables -I FORWARD -s 192.168.1.0/24 ! -o tun11 -p tcp --dport 59606 -j DROP
iptables -I FORWARD -s 192.168.1.0/24 ! -o tun11 -p udp --dport 59606 -j DROP
 
Unfortunately it's still not appearing in the list:

Code:
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  tun11  *       0.0.0.0/0            0.0.0.0/0
2      358 38893 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
3        0     0 DROP       all  --  !br0   eth0    0.0.0.0/0            0.0.0.0/0
4       18   724 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
5        0     0 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0
6        0     0 DROP       icmp --  eth0   *       0.0.0.0/0            0.0.0.0/0
7        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate DNAT
8      252 25171 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0
 
As I posted, the iptables syntax in your original post doesn't work. Here is the output when I tried your command, then my revised command:

Code:
admin@RT-AC56U:/tmp/home/root# iptables -I FORWARD -s 192.168.1.0/24 -o ! tun11 -p udp --dport 59606 -j DROP
Bad argument `tun11'
Try `iptables -h' or 'iptables --help' for more information.


admin@RT-AC56U:/tmp/home/root# iptables -I FORWARD -s 192.168.1.0/24 ! -o tun11 -p udp --dport 59606 -j DROP
admin@RT-AC56U:/tmp/home/root#

If the iptables rule can be added manually, but not automatically after a reboot, then the invocation script must be in error.
 
Yeah, the invocation script must be in error; I made the correction to the script a while ago and I can add the rule manually, it just does not appear when used in firewall-start. The script's permissions are correct. Any idea what else I could troubleshoot?
 
Just the usual tedious testing...

i.e. add appropriate debugging lines in the script

Code:
logger -s -t "($(basename $0))"  $$ Blocking WAN Port 59606

iptables -I FORWARD -s 192.168.1.0/24 ! -o tun11 -p udp --dport 59606 -j DROP

logger -s -t "($(basename $0))"  $$ Blocked WAN Port 59606

etc.

Run firewall-start manually

..and of course you have allowed the JFFS scripts to be executed on the Admin->System tab? for firmwares 378.53+
 
This is a very elegant solution - everything is in one place - not only in the OpenVPN Client GUI, but also in the Syslog:
 
Hi everybody, this script looks very good because it works with both a VPN client and a VPN server running on my Merlin router. I'm trying to adapt this script to my situation, but I have a little problem: the tun_ip I should use is not the inet addr given by ifconfig but the gateway pushed to the VPN client by the server. So to succeed I need:

- to avoid the route-nopull directive
- to find that gateway IP from route -n or ip route list
- to delete the route pushed to the client
- to run the script with the gateway address as tun_ip

I succeeded in doing this manually, but I'm unable to write a script that extracts the gateway from route -n. I hope someone can tell me a good trick. Thank you in advance.

Here is the ip route list output:
Code:
74.131.173.17 via 192.168.0.1 dev eth0
192.168.0.1 dev eth0 scope link
74.131.168.128/27 dev tap11 proto kernel scope link src 74.131.162.132
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.10
192.168.2.0/24 dev br0 proto kernel scope link src 192.168.2.1
127.0.0.0/8 dev lo scope link lo scope link
0.0.0.0/1 via 74.131.169.129 dev tap11
128.0.0.0/1 via 74.131.169.129 dev tap11
default via 192.168.0.1 dev eth0

The gateway IP I need to extract is 74.131.169.129 from line 8.
Afterwards I delete that route, run the script, and it works.
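The extraction asked for above, as an added example that is not from the thread: it pulls the `via` address of the pushed 0.0.0.0/1 route (74.131.169.129 in the output above) out of `ip route list` text and builds the route-up commands that use it as tun_ip. It is written in Python to show the matching logic rather than as a router shell script; the function names are assumed, and it runs offline on the quoted output embedded as a constructed sample.

```python
"""Find the gateway OpenVPN pushed and build the replacement policy route.

Added example, not from the thread. OpenVPN's redirect-gateway def1 installs
0.0.0.0/1 and 128.0.0.0/1 routes via the server-side gateway instead of
replacing the default route; their "via" address is the tun_ip wanted here.
"""

# Constructed sample: the `ip route list` output quoted in the post.
IP_ROUTE_LIST = """\
74.131.173.17 via 192.168.0.1 dev eth0
192.168.0.1 dev eth0 scope link
74.131.168.128/27 dev tap11 proto kernel scope link src 74.131.162.132
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.10
192.168.2.0/24 dev br0 proto kernel scope link src 192.168.2.1
127.0.0.0/8 dev lo scope link
0.0.0.0/1 via 74.131.169.129 dev tap11
128.0.0.0/1 via 74.131.169.129 dev tap11
default via 192.168.0.1 dev eth0
"""

# The two half-space routes that together cover all of IPv4.
HALF_ROUTES = ("0.0.0.0/1", "128.0.0.0/1")


def parse_ip_route(text):
    """Yield (destination, gateway_or_None, device_or_None) per route line."""
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        gw = fields[fields.index("via") + 1] if "via" in fields else None
        dev = fields[fields.index("dev") + 1] if "dev" in fields else None
        yield fields[0], gw, dev


def pushed_gateway(text, tun_if):
    """Return the gateway of the pushed half routes on tun_if.

    Returns None when no such route exists (tunnel down, or route-nopull in
    effect) and raises if the two halves disagree, which means the table is
    not in the state a route-up script should act on.
    """
    gws = {dst: gw for dst, gw, dev in parse_ip_route(text)
           if dst in HALF_ROUTES and dev == tun_if and gw is not None}
    if not gws:
        return None
    if len(set(gws.values())) != 1:
        raise ValueError("half routes point at different gateways: %r" % gws)
    return next(iter(gws.values()))


def route_up_commands(text, tun_if, table=10, mark=10):
    """Commands a route-up script would run with the pushed gateway as tun_ip.

    Removes the pushed half routes from the main table (so the tunnel stops
    being everyone's default) and makes the gateway the default of the policy
    table that fwmark-tagged packets are looked up in.
    """
    gw = pushed_gateway(text, tun_if)
    if gw is None:
        raise ValueError("no pushed gateway on %s" % tun_if)
    cmds = ["ip route del %s via %s dev %s" % (dst, gw, tun_if)
            for dst in HALF_ROUTES]
    cmds += ["ip route flush table %d" % table,
             "ip route add default via %s dev %s table %d" % (gw, tun_if, table),
             "ip rule add fwmark %d table %d" % (mark, table),
             "ip route flush cache"]
    return cmds
```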
 
Hi All

First off, this thread is a terrific source of information for selective routing. Thank you to everyone that has taken the time to contribute their knowledge and experience.

Based on many of the posts in this thread, I have almost gotten my routing setup working.

My ideal situation is to have two active OpenVPN client configurations: client 1 (tun11) is configured to use a US VPN; client 2 (tun12) is configured to use a UK VPN. I want to route traffic to either the WAN, tun11 or tun12 based on the IP addresses of machines on my LAN.

Based on this thread - and some broader reading - my current openvpn-event script is as follows:

Code:
#!/bin/sh

# This code based on the contributions from these threads:
# http://www.linksysinfo.org/index.php?threads/route-only-specific-ports-through-vpn-openvpn.37240/
# http://www.snbforums.com/threads/selective-routing-with-asuswrt-merlin.9311/
# And from material in these articles:
# http://linux-ip.net/html/adv-multi-internet.html
# http://fedorasolved.org/Members/kanarip/iptables-howto
#
# This script configures selective VPN routing for Asuswrt-Merlin firmware and two OpenVPN
# client connections. These changes to iptables allow some outbound traffic to use OpenVPN
# client 1, some traffic to use OpenVPN client 2, and some traffic to bypass the VPN
# client connections and use the regular internet.


# The following two commands are listed for reference.
# To list the current rules on the router, issue the command:
#      iptables -t mangle -L PREROUTING
#
#  Flush/reset all the rules to default by issuing the command:
#      iptables -t mangle -F PREROUTING


# First it is necessary to disable Reverse Path Filtering on all
# current and future network interfaces:

for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
  echo 0 > $i
done


# Delete tables 10, 20 and 30 and flush any existing rules, if they exist.
# Table 10 will be used for the WAN/internet.
# Table 20 will be used for OpenVPN client 1, and table 30 for OpenVPN client 2.

ip route flush table 10
ip route del default table 10
ip rule del fwmark 10 table 10
ip route flush table 20
ip route del default table 20
ip rule del fwmark 20 table 20
ip route flush table 30
ip route del default table 30
ip rule del fwmark 30 table 30
ip route flush cache
iptables -t mangle -F PREROUTING


# Define "tun11" (OpenVPN client 1) and "tun12" (OpenVPN client 2).
# Associate table 10 with the WAN/internet, table 20 with "tun11" (OpenVPN client 1)
# and table 30 with "tun12" (OpenVPN client 2).

tun_if="tun11"
tun_ifs="tun12"
tun_ip=$(ifconfig $tun_if | grep 'inet addr:'| cut -d: -f2 | awk '{ print $1}')
tun_ips=$(ifconfig $tun_ifs | grep 'inet addr:'| cut -d: -f2 | awk '{ print $1}')

ip route add default via $(nvram get wan_gateway) dev eth0 table 10
ip rule add fwmark 10 table 10
ip route add default via $tun_ip dev $tun_if table 20
ip rule add fwmark 20 table 20
ip route add default via $tun_ips dev $tun_ifs table 30
ip rule add fwmark 30 table 30


# Define the routing policies for the traffic. The rules will be applied in the order that
# they are listed. Packets with MARK set to "10" will pass through the WAN/internet. If
# MARK is set to "20" it will pass through OpenVPN client 1. If MARK is set to "30" it
# will pass through OpenVPN client 2.
#
# EXAMPLES:
#
#  All LAN traffic will bypass the VPN (Useful to put this rule first, so all traffic bypasses the VPN and you can configure exceptions afterwards)
#    iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 10
#  Ports 80 and 443 will bypass the VPN
#    iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport 80,443 -j MARK --set-mark 10
#  All traffic from a particular computer on the LAN will use the OpenVPN client 1
#    iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.2 -j MARK --set-mark 20
#  All traffic to a specific Internet IP address will use the OpenVPN client 2
#    iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 216.146.38.70 -j MARK --set-mark 30
#  All UDP and ICMP traffic will bypass the VPN
#    iptables -t mangle -A PREROUTING -i br0 -p udp -j MARK --set-mark 10
#    iptables -t mangle -A PREROUTING -i br0 -p icmp -j MARK --set-mark 10


# By default all traffic goes through the WAN/internet
iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 10

# Set specific IP range traffic to go through OpenVPN client 1 (tun11)
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.20-192.168.1.40 -j MARK --set-mark 20

# Set specific IP range traffic to go through OpenVPN client 2 (tun12)
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.120-192.168.1.140 -j MARK --set-mark 30

exit

The routing appears to be working. If a machine on the LAN has an IP that is outside the 192.168.1.20-192.168.1.40 and 192.168.1.120-192.168.1.140 ranges, the traffic routes over the WAN. If the machine has an IP within the 192.168.1.20-192.168.1.40 range, then it routes through tun11 (the US VPN). Similarly, if the machine has an IP within the 192.168.1.120-192.168.1.140 range, then it routes through tun12 (the UK VPN).

So far, so good.

But there is one remaining issue: DNS leaks. At the moment - regardless of whether traffic routes through the WAN, tun11 or tun12 - all connections end up utilising the DNS server(s) specified in the 'WAN' --> 'WAN DNS Setting' section of the router's settings. This is not ideal. When traffic routes through the WAN, I want queries to resolve using my ISP's DNS. When traffic is routed through tun11 or tun12, however, I want queries to resolve using the respective DNS server(s) for that VPN (and not my ISP's DNS).

Is there a simple way to achieve this outcome? Any help would be most appreciated!
 
I noticed janosek is trying to achieve the same, as are a few others. But I haven't seen any replies; does that mean nobody knows or nobody cares?
Anyway, I found this post, where the guy has achieved the same that a couple of us are after. Unfortunately it's for DD-WRT and not AsusWRT.
http://cornasdf.blogspot.nl/2012/10/dd-wrt-openvpn-and-selectively-routing.html
Surely a network guru must be able to interpret this and translate it to an Asuswrt usable script for mere mortals like me ;)

Thanks,
Erwin
 
Probably the second?

I already replied to you in your other thread..

http://www.snbforums.com/threads/openvpn-policy-routing-guide.24384/page-2#post-191834

Basically, the DD-WRT information you refer to has already been 'translated' to work under RMerlin's firmware...although adapted/cloned would be a better description, as the example iptables rules work unmodified on any Linux based environment.

I haven't seen any indication that you have followed my previous advice and ditched the use of your custom openvpn-event script in favour of using the user-friendly Policy routing rules provided by the GUI.

i.e. prove that you can selectively route devices through either of the VPN Client connections.

Then since Selective port routing is not available via the GUI, you will need to manually add the three RPDB rules for fwmark tagging and then simply apply the fwmark tagging iptables rules for your selected port requirements.
 
Probably the second?
I know you're kidding! (and so was I) ;)
I haven't seen any indication that you have followed my previous advice and ditched the use of your custom openvpn-event script in favour of using the user-friendly Policy routing rules provided by the GUI.
I followed up on your post telling that; I want to be able to selectively route ports. I haven't laid out the complete network, so as not to make things more complicated than they already are. But to shed some light: I have a few applications (that use a unique port) that connect to the office; these require a VPN. BUT I also have my personal VPN. So when travelling abroad (for a living that is, not the occasional holiday (*) ) I want uhm...need to be able to redirect ports to WAN, VPN1 and VPN2 from the same computer. And that's just one computer.
i.e. prove that you can selectively route devices through either of the VPN Client connections.
I already achieved that with both the script and the GUI. Thanks to your suggestions I was able to do that in multiple ways; selectively routing devices is not the problem.
Then since Selective port routing is not available via the GUI, you will need to manually add the three RPDB rules for fwmark tagging and then simply apply the fwmark tagging iptables rules for your selected port requirements.
Exactly! Question remains: how do I do that, is it as simple as altering the script with the few lines (as I wrote in the post in red)?

Thanks for helping me out Martineau, I really appreciate it.

Regards,
Erwin

(*) We (me and 2 to 3 colleagues) set up shop at the client's office, and we bring our own router (so we can connect to each other without the hassle of security, permissions etc.). Every team member (team members rotate) requires VPN access to the office, but we'd like to watch national television remotely as well, hence the 2 VPNs and selective port routing.
 