Selective Routing with Asuswrt-Merlin

[john9527]

My Windows laptop is connecting, well at least for the last 20 minutes. but android phones and tablets dont. Wireless says 'no internet' again.... flummoxed!!

Try changing 'Accept DNS configuration' from Exclusive to Strict.....

 

[MajesticBob]

Try changing 'Accept DNS configuration' from Exclusive to Strict.....

That didnt help unfortunately. But as the android devices aren't routed through the VPN i cannot see how they would be affected at all.

 

[john9527]

That didnt help unfortunately. But as the android devices aren't routed through the VPN i cannot see how they would be affected at all.

The router by default only uses one set of DNS servers. When you set exclusive, you are using only the VPN DNS servers for all DNS requests, whether they are going thru the VPN or not. Some VPNs reject DNS requests that don't come through their VPN.

 

[MajesticBob]

The router by default only uses one set of DNS servers. When you set exclusive, you are using only the VPN DNS servers for all DNS requests, whether they are going thru the VPN or not. Some VPNs reject DNS requests that don't come through their VPN.

Thank you .... in the end you were correct. It took about 10 minutes for my phone to get its shirt together and decide it liked the new setup. Your explanation of why is also very helpful as it didnt seem logical to me that things not going through the VPN would be affected.

 

[RMerlin]

Here is the settings.

When switched on, the server connects to the net. Every other device loses internet connection after a period of time or a reset. I'm flummoxed

You are setting your DNS to exclusive, which means all the clients that aren't using the tunnel are also forced to use those same DNS servers. Set it to "Disabled" instead. If your tunnel requires that you use their DNS server, apply them through Parental Control -> DNSFilter, by assigning a Custom DNS to your client that must use the tunnel.

This is a technical limitation of policy-based routing. The DNS servers are globally set on the router, dnsmasq cannot use different nameservers based on their source IP. DNSFilter provides a way around this, by redirecting DNS lookups coming from specific clients.

 

[giopas]

Sorry, what about using the VPN for access to a single website? Is that somehow possibile?

 

[MajesticBob]

You are setting your DNS to exclusive, which means all the clients that aren't using the tunnel are also forced to use those same DNS servers. Set it to "Disabled" instead. If your tunnel requires that you use their DNS server, apply them through Parental Control -> DNSFilter, by assigning a Custom DNS to your client that must use the tunnel.

This is a technical limitation of policy-based routing. The DNS servers are globally set on the router, dnsmasq cannot use different nameservers based on their source IP. DNSFilter provides a way around this, by redirecting DNS lookups coming from specific clients.

Changing from exclusive to strict has done the trick but i have bookmarked your response for further reading in case i have other issues.

I had both set to use google dns so i dont care who does it, but it seems that my vpn cares about the security.

 

[RMerlin]

Sorry, what about using the VPN for access to a single website? Is that somehow possibile?

Have you read the documentation (which I have even reposted a few posts just above yours)? There's even an example right there on how to do precisely that.

 

[dangermoose]

I'm having real problems getting selective routing working. I'm only trying to route one machine at the moment over the VPN and the rest out of the WAN. in the gui I have:

http://picpaste.com/pics/Capture-MPco3CXZ.1447088278.PNG


and I see the following in the logs:

Nov 9 16:33:20 kernel: tun: Universal TUN/TAP device driver, 1.6
Nov 9 16:33:20 kernel: tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
Nov 9 16:33:20 openvpn[549]: OpenVPN 2.3.8 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Nov 2 2015
Nov 9 16:33:20 openvpn[549]: library versions: OpenSSL 1.0.2d 9 Jul 2015, LZO 2.08
Nov 9 16:33:20 openvpn[550]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Nov 9 16:33:20 openvpn[550]: Socket Buffers: R=[122880->131072] S=[122880->131072]
Nov 9 16:33:21 openvpn[550]: UDPv4 link local: [undef]
Nov 9 16:33:21 openvpn[550]: UDPv4 link remote: [AF_INET]62.212.73.52:1195
Nov 9 16:33:21 openvpn[550]: TLS: Initial packet from [AF_INET]62.212.73.52:1195, sid=76ef40e3 9d16ec7d
Nov 9 16:33:21 openvpn[550]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Nov 9 16:33:21 openvpn[550]: VERIFY OK: depth=1, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, CN=Fort-Funston CA, emailAddress=me@myhost.mydomain
Nov 9 16:33:21 openvpn[550]: VERIFY OK: nsCertType=SERVER
Nov 9 16:33:21 openvpn[550]: VERIFY OK: depth=0, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, CN=server, emailAddress=me@myhost.mydomain
Nov 9 16:33:22 openvpn[550]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1542', remote='link-mtu 1546'
Nov 9 16:33:22 openvpn[550]: WARNING: 'mtu-dynamic' is present in remote config but missing in local config, remote='mtu-dynamic'
Nov 9 16:33:22 openvpn[550]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Nov 9 16:33:22 openvpn[550]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Nov 9 16:33:22 openvpn[550]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Nov 9 16:33:22 openvpn[550]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Nov 9 16:33:22 openvpn[550]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Nov 9 16:33:22 openvpn[550]: [server] Peer Connection Initiated with [AF_INET]62.212.73.52:1195
Nov 9 16:33:24 openvpn[550]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Nov 9 16:33:24 openvpn[550]: PUSH: Received control message: 'PUSH_REPLY,route-gateway 10.10.30.1,topology subnet,ping 10,ping-restart 60,redirect-gateway def1,dhcp-option DNS 1.2.3.4,ifconfig 10.10.30.6 255.255.255.0'
Nov 9 16:33:24 openvpn[550]: Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
Nov 9 16:33:24 openvpn[550]: Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Nov 9 16:33:24 openvpn[550]: OPTIONS IMPORT: timers and/or timeouts modified
Nov 9 16:33:24 openvpn[550]: OPTIONS IMPORT: --ifconfig/up options modified
Nov 9 16:33:24 openvpn[550]: OPTIONS IMPORT: route-related options modified
Nov 9 16:33:24 openvpn[550]: TUN/TAP device tun11 opened
Nov 9 16:33:24 openvpn[550]: TUN/TAP TX queue length set to 100
Nov 9 16:33:24 openvpn[550]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Nov 9 16:33:24 openvpn[550]: /sbin/ifconfig tun11 10.10.30.6 netmask 255.255.255.0 mtu 1500 broadcast 10.10.30.255
Nov 9 16:33:26 openvpn-routing: Configuring policy rules for client 1
Nov 9 16:33:26 openvpn-routing: Creating VPN routing table
Nov 9 16:33:27 openvpn-routing: Added 192.168.1.249 to 0.0.0.0 through VPN to routing policy
Nov 9 16:33:27 openvpn-routing: Tunnel re-established, restoring WAN access to clients
Nov 9 16:33:27 openvpn-routing: Completed routing policy configuration
Nov 9 16:33:27 openvpn[550]: Initialization Sequence Completed

I'm not sure what I am missing as the log has the routing at the end? Any pointers?

 

[Martineau]

I'm having real problems getting selective routing working. I'm only trying to route one machine at the moment over the VPN and the rest out of the WAN. in the gui I have:

http://picpaste.com/pics/Capture-MPco3CXZ.1447088278.PNG


and I see the following in the logs:

Nov 9 16:33:20 kernel: tun: Universal TUN/TAP device driver, 1.6
Nov 9 16:33:20 kernel: tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
Nov 9 16:33:20 openvpn[549]: OpenVPN 2.3.8 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Nov 2 2015
Nov 9 16:33:20 openvpn[549]: library versions: OpenSSL 1.0.2d 9 Jul 2015, LZO 2.08
Nov 9 16:33:20 openvpn[550]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Nov 9 16:33:20 openvpn[550]: Socket Buffers: R=[122880->131072] S=[122880->131072]
Nov 9 16:33:21 openvpn[550]: UDPv4 link local: [undef]
Nov 9 16:33:21 openvpn[550]: UDPv4 link remote: [AF_INET]62.212.73.52:1195
Nov 9 16:33:21 openvpn[550]: TLS: Initial packet from [AF_INET]62.212.73.52:1195, sid=76ef40e3 9d16ec7d
Nov 9 16:33:21 openvpn[550]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Nov 9 16:33:21 openvpn[550]: VERIFY OK: depth=1, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, CN=Fort-Funston CA, emailAddress=me@myhost.mydomain
Nov 9 16:33:21 openvpn[550]: VERIFY OK: nsCertType=SERVER
Nov 9 16:33:21 openvpn[550]: VERIFY OK: depth=0, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, CN=server, emailAddress=me@myhost.mydomain
Nov 9 16:33:22 openvpn[550]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1542', remote='link-mtu 1546'
Nov 9 16:33:22 openvpn[550]: WARNING: 'mtu-dynamic' is present in remote config but missing in local config, remote='mtu-dynamic'
Nov 9 16:33:22 openvpn[550]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Nov 9 16:33:22 openvpn[550]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Nov 9 16:33:22 openvpn[550]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Nov 9 16:33:22 openvpn[550]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Nov 9 16:33:22 openvpn[550]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Nov 9 16:33:22 openvpn[550]: [server] Peer Connection Initiated with [AF_INET]62.212.73.52:1195
Nov 9 16:33:24 openvpn[550]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Nov 9 16:33:24 openvpn[550]: PUSH: Received control message: 'PUSH_REPLY,route-gateway 10.10.30.1,topology subnet,ping 10,ping-restart 60,redirect-gateway def1,dhcp-option DNS 1.2.3.4,ifconfig 10.10.30.6 255.255.255.0'
Nov 9 16:33:24 openvpn[550]: Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS])
Nov 9 16:33:24 openvpn[550]: Options error: option 'dhcp-option' cannot be used in this context ([PUSH-OPTIONS])
Nov 9 16:33:24 openvpn[550]: OPTIONS IMPORT: timers and/or timeouts modified
Nov 9 16:33:24 openvpn[550]: OPTIONS IMPORT: --ifconfig/up options modified
Nov 9 16:33:24 openvpn[550]: OPTIONS IMPORT: route-related options modified
Nov 9 16:33:24 openvpn[550]: TUN/TAP device tun11 opened
Nov 9 16:33:24 openvpn[550]: TUN/TAP TX queue length set to 100
Nov 9 16:33:24 openvpn[550]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Nov 9 16:33:24 openvpn[550]: /sbin/ifconfig tun11 10.10.30.6 netmask 255.255.255.0 mtu 1500 broadcast 10.10.30.255
Nov 9 16:33:26 openvpn-routing: Configuring policy rules for client 1
Nov 9 16:33:26 openvpn-routing: Creating VPN routing table
Nov 9 16:33:27 openvpn-routing: Added 192.168.1.249 to 0.0.0.0 through VPN to routing policy
Nov 9 16:33:27 openvpn-routing: Tunnel re-established, restoring WAN access to clients
Nov 9 16:33:27 openvpn-routing: Completed routing policy configuration
Nov 9 16:33:27 openvpn[550]: Initialization Sequence Completed

I'm not sure what I am missing as the log has the routing at the end? Any pointers?

Remove all of the custom directives, see if the Policy routing works, then you can add back the config items one by one to see if you find one that affects the selective routing,
but I suspect route-nopull is possibly the cause of the error.

Issue the following to show the selective routing config

ip   route

ip   rule

ip   route   show   table   111

 

[Eet_46]

You are setting your DNS to exclusive, which means all the clients that aren't using the tunnel are also forced to use those same DNS servers. Set it to "Disabled" instead. If your tunnel requires that you use their DNS server, apply them through Parental Control -> DNSFilter, by assigning a Custom DNS to your client that must use the tunnel.

This is a technical limitation of policy-based routing. The DNS servers are globally set on the router, dnsmasq cannot use different nameservers based on their source IP. DNSFilter provides a way around this, by redirecting DNS lookups coming from specific clients.

Just to get this straight, as i'm using the selective routing feature all the time.. In my case, I have one device with a static ip, which i'm routing all traffic through a VPN client (Mydevice Souce IP -> destination IP 0.0.0.0 -> VPN) In my VPN client, DNS is set to STRICT, will it be necessary to set it to DISABLED? It won't work with STRICT?
So, now all devices connected to the router will use the DNS provided by the VPN, right?
If I want ONLY my device using the VPN tunnel to use the VPN DNS, and every other device using my ISP DNS, in the DNS Filter settings, should I set "Global Filter Mode" to "custom 1" and define the ISP DNS in the list. Then add my device to the drop-down list, add it's MAC and then set filter mode to "custom 1". Is that right?

 

[RMerlin]

Just to get this straight, as i'm using the selective routing feature all the time.. In my case, I have one device with a static ip, which i'm routing all traffic through a VPN client (Mydevice Souce IP -> destination IP 0.0.0.0 -> VPN) In my VPN client, DNS is set to STRICT, will it be necessary to set it to DISABLED? It won't work with STRICT?
So, now all devices connected to the router will use the DNS provided by the VPN, right?
If I want ONLY my device using the VPN tunnel to use the VPN DNS, and every other device using my ISP DNS, in the DNS Filter settings, should I set "Global Filter Mode" to "custom 1" and define the ISP DNS in the list. Then add my device to the drop-down list, add it's MAC and then set filter mode to "custom 1". Is that right?

Not exactly. Leave Global untouched, so all regular clients will keep using the router like they previously were. But have the VPN client added in the filter list, and set for Custom 1.

 

[Skirk]

Thank you .... in the end you were correct. It took about 10 minutes for my phone to get its shirt together and decide it liked the new setup. Your explanation of why is also very helpful as it didnt seem logical to me that things not going through the VPN would be affected.

This maybe of some help;

I use a paid DNS service for geo-unblocking and on occasion I use the vpn client with selective routing. Once my ISP issued ip address changes to the VPN client gateway of choice I cant use the paid service for obvious reasons


This is what I have done; I have the dns filtering enabled with the paid DNS servers entered into the router in the WAN page/tab and the “connect to dns servers automatically” set to “no”


Under the dns filtering settings, global filter mode is set to router. I have openDNS servers entered as custom servers for the kids’ devices.


The OpenVPN client DNS configuration is set to strict and under custom configuration I have:


dhcp-option DNS 8.8.8.8

dhcp-option DNS 8.8.4.4


This set-up works for me. I’m not sure if the custom configuration is absolutely necessary, but on occasion dns lookups were failing prior to this. I could also use my VPN providers DNS servers but I’m not too concerned with absolute privacy in regards to Netflix.

 

[rolandb5]

Trying to decide whether I want to buy a router to install Merlin on it; does selective routing/policy routing also work on port level? I want to connect only specific ports of several devices to connect via the VPN

 

[Mikeyy]

Trying to decide whether I want to buy a router to install Merlin on it; does selective routing/policy routing also work on port level? I want to connect only specific ports of several devices to connect via the VPN

No, but you can use script.
http://www.snbforums.com/threads/port-forward-while-using-vpn-client.28014/

 

[canufrank]

Wow, this thread was not a fun read, but very informative. Thanks to everyone who contributed, including the mysterious once-ever-poster DJR747.

After fiddling around for a week, I finally have selective routing working. One machine can only communicate on the VPN except for those ports where I wish it to communicate via eth0 (but I'm not sure it is). I'm stumped though on what rules to add that will allow port forwarding to work for my machine, for either interface.

firewall-start
iptables -I FORWARD -s 192.168.0.46 ! -o tun11 -j DROP

route-up
... table 10 & 12 setup, plus default routes ...
iptables -t mangle -A PREROUTING -s 192.168.0.46 -j MARK --set-mark 10
iptables -t mangle -A PREROUTING -s 192.168.0.46 -p tcp -m multiport --sports 80,88,443,8000,8001,32400,36667 -j MARK --set-mark 12
iptables -t mangle -A PREROUTING -s 192.168.0.46 -p udp -m multiport --sports 88,8888,8889,36667 -j MARK --set-mark 12

The 192.168.0.46 machine is listening on 2 ports. 32400 is for Plex and 51413 is for transmissionbt. I get a random port from my VPN provider after the connection is established- let's call is 12345. Let us also say that my ISP public IP is 104.1.2.3 and my VPN public IP is 172.4.5.6

Issue 1:
I have a port forwarding rule defined in the GUI for port 32400. I know that rules defined there work for the other machines on the network (which all communicate via eth0). This rule, like the others appears in nat/VSERVER.

However, Plex seems to think it is communicating on the VPN and reports 172.4.5.6:32400 as being inaccessible although I would like it to be communicating via 104.1.2.3:32400. So my route-up rules must have issues. If I can get help solving this one, I'd assume that I can get 80, etc. listening too.

Issue 2:
As per my interpretation of this, I've added the following entries after getting a port from my VPN provider.

route-up continued
iptables -t nat -I (VSERVER and/or PREROUTING) -p tcp --dport 12345 -j DNAT --to 192.168.0.46:51413

I also added the following to no effect

route-up redacted
iptables -t nat -I PREROUTING -j VSERVER -d $tun_ip

Despite my efforts, transmission reports a timeout. Note that running the following on 192.168.0.46 returns 0 (success), so my problem does not lie there.

nc -w2 127.0.0.1 51413

 

[Mikeyy]

Check link I posted before your post.

Post #2 is code for port forwarding trough VPN, so you can reach VPN server on that port and it will forward to your machine.
Post #6 is code for port forwarding trough WAN, so you can reach your machine trough your ISP real IP even when policy rules say it uses only VPN.

 

[canufrank]

@Mikeyy et al I already have the code from post #6 (mangle/PREROUTING) in my route-up script as you can see above. (Using mark 12 for ISP.) This does not seem to be making a difference for issue 1 where port 32400 seems to be going over the VPN despite the inclusion of those rules.

I've also tried the chain as specified in post #2 and in my route-up (continued) script as you can see above. The difference being that I want to specify the destination's listening port. If I change transmissionbt's listening port to the VPN forwarded port (e.g. 12345) and add the following, communication is fine:

iptables -t nat -I PREROUTING -p tcp --dport 12345 -j DNAT --to-destination 192.168.0.46

(This would also seem to indicate that the other rule from post #2

iptables -I FORWARD -p tcp -d 192.168.0.46 --dport 12345 -j ACCEPT

is unecessary for my config.)

I actually had already seen part of this. The problem is that I can't change transmissionbt's listening port on the fly. I want to have the port forwarding address it correctly. Yet, modifying the line to

iptables -t nat -I PREROUTING -p tcp --dport 12345 -j DNAT --to-destination 192.168.0.46:51413

doesn't work.

So, no joy with that alternate thread.

 

[Mikeyy]

I see you changed tables to 10 and 12 instead defaults and also marks.
If I remember correctly port forwarding trough vpn wasn't working correctly for some when more then 1 VPN client is active.

Script in post #6 is working since I'm using it for some time now. I have it in openvpn-event and it's good to restart router after setup and don't touch anything since it's unstable when changing other router settings.

 

[canufrank]

I only have 1 VPN client active. The use of table 10 and 12 is from the scripts in this thread (first posted by DJR747 and then continued throughout the thread, especially by @Martineau ). I didn't think the use of marks was 'default'.