Solved: Protocol based VPN ( Port 5060 Blocked )
- Thread starter Asad Ali
- Start date
If you are using a SIP client to connect to a specific server, try a VPN policy rule for the IP address of the SIP server.
Make sure you use UDP - OpenVPN's TCP support can be problematic with SIP (or that's at least what an engineer recently told me at a customer meeting - I was a bit skeptical but didn't argue with him...)
Asad Ali
Very Senior Member
Hello I've tried that and it partially working so is there anyway I can also add port with my sip server address? Like 114.x.x.x:5060
No. Policy rules work at the routing level, they cannot deal with ports.
Asad Ali
Very Senior Member
Note: "Dont use the script on this post, read the further posts below for a better option"
First of all thanks RMerlin for doing the awesome work you're doing and helping me with my problem and guiding me in the correct direction.
Okay so my problem is my ISP is blocking UDP port 5060 and as I am using a mobile app for VoIP which dont have any option for changing ports so the only way I have is to do it myself on router level.
What I end up doing is use OpenVPN with selective routing ( Policy based routing ) to ONLY route traffic on UDP port 5060 to VPN and everything else on my network to bypass it, this way I can use my Internet directly without compromising any speeds due to OpenVPN and I can access my router by WAN without any issues and use my ISP's public IP.
So if anyone of you want to do the same thing this is what I end up doing:
Setup OpenVPN on your router and make sure it's working, after that make a "openvpn-event" script to handle all the routing, make sure you add "route-nopull" in your OpenVPN "Custom Configuration" box.
( I am not the creator of this script I just found it on the Forum here and just edit it a little bit for my issue )
First of all thanks RMerlin for doing the awesome work you're doing and helping me with my problem and guiding me in the correct direction.
Okay so my problem is my ISP is blocking UDP port 5060 and as I am using a mobile app for VoIP which dont have any option for changing ports so the only way I have is to do it myself on router level.
What I end up doing is use OpenVPN with selective routing ( Policy based routing ) to ONLY route traffic on UDP port 5060 to VPN and everything else on my network to bypass it, this way I can use my Internet directly without compromising any speeds due to OpenVPN and I can access my router by WAN without any issues and use my ISP's public IP.
So if anyone of you want to do the same thing this is what I end up doing:
Setup OpenVPN on your router and make sure it's working, after that make a "openvpn-event" script to handle all the routing, make sure you add "route-nopull" in your OpenVPN "Custom Configuration" box.
( I am not the creator of this script I just found it on the Forum here and just edit it a little bit for my issue )
Code:
#!/bin/sh
sleep 2
ip route flush table 10
ip route del default table 10
ip rule del fwmark 10 table 10
ip route flush table 12
ip route del default table 12
ip rule del fwmark 12 table 12
ip route flush cache
iptables -t mangle -F PREROUTING
tun_if="tun11"
tun_ip=$(ifconfig $tun_if | grep 'inet addr:'| cut -d: -f2 | awk '{ print $1}')
ip route add default via $tun_ip dev $tun_if table 10
ip rule add fwmark 10 table 10
ip route add default via $(nvram get wan_gateway) dev eth0 table 12
ip rule add fwmark 12 table 12
echo 0 > /proc/sys/net/ipv4/conf/$tun_if/rp_filter
iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 12
iptables -t mangle -A PREROUTING -i br0 -p udp --dport 5060 -j MARK --set-mark 10
exit
Last edited:
Martineau
Part of the Furniture
As previously posted; the script template you have used is flawed and should not be used see https://www.snbforums.com/threads/a...through-vpn-settings.41047/page-2#post-348358
For Selective Port routing do not add 'route-nopull' to the OpenVPN Client 'Custom Configuration' but simply modify
/jffs/scripts/nat-start
e.g.
Code:
VPN_ID=1 # VPN Client #; Change to the appropriate VPN Client to be used (1-5, if available)
DPORT=5060 # Port number (or CSV list of ports) to be routed via VPN Client #
TAG_MARK=0x${VPN_ID}000
PRIO=999${VPN_ID}
ip rule del prio $PRIO 2> /dev/null
ip rule add from 0/0 fwmark $TAG_MARK/$TAG_MARK table 11$VPN_ID prio $PRIO
ip route flush cache
iptables -t mangle -D PREROUTING -i br0 -p udp -m multiport --dport $DPORT -j MARK --set-mark $TAG_MARK/$TAG_MARK 2> /dev/null
iptables -t mangle -A PREROUTING -i br0 -p udp -m multiport --dport $DPORT -j MARK --set-mark $TAG_MARK/$TAG_MARKNOTE: For advanced Selective routing, rather than have explicit PREROUTING rules for IPs/Ports/MAC addresses, they can be defined in custom IPSETs, although you do lose the ability to visually quickly identify/track the number of successful matching 'hits'.
Last edited:
Asad Ali
Very Senior Member
Thanks for telling me about my flawed script but unfortunately the new way you told me is way above my current knowledge so can you please tell me in steps what I need to do here thanks.
I just want to route the traffic on UDP port 5060 via VPN and EVERYTHING ELSE on my network via WAN , I do want to use my ISP's public IP and DNS and also I want to access my router via WAN.
The script I posted above allowed me to do all of this but how can I change it to the new way you told me.
Best Regards!!
Martineau
Part of the Furniture
Obviously you may continue to use your custom script as-is in your environment but please do not recommend it for others.
Since you were able to copy'n'paste the flawed script and tweak it for your needs, then I assume you are more than capable of simply copy'n'pasting the code I provided 'as-is' (no modifications required) into the relevant script to see if it also meets your requirements.
NOTE: You will need to enable 'Policy Rules' in the OpenVPN Client GUI to have the firmware configure the correct routing tables etc.
Martineau
Part of the Furniture
Simply by enabling 'Policy Rules' mode in the OpenVPN Client GUI creates the robust environment for Selective Routing.
However, the GUI (currently) does not support Selective routing of Ports (nor MAC addresses / IPSETs).
So disable the openvpn-event script and remove 'route-nopull' from the OpenVPN configuration.
At this point when the OpenVPN client is started, ALL traffic will be via the WAN, until the two rules are added either by the nat-start script or manually entered via the command line:
Code:
ip rule add from 0/0 fwmark 0x1000/0x1000 table 111 prio 9991
iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport 5060 -j MARK --set-mark 0x1000/0x1000
Last edited:
Asad Ali
Very Senior Member
OK so I used your way now and it's working great, thanks a lot. Just two lines of code replaces twenty lines lol.
I just changed the "nat-start" script to use a different port protocol and number.
By the way when I manually stop the VPN I see two errors in the web log and according to my search it's due to some permission issues so anyway I can fix them? I dont think I am getting any issues due to that but I just dont like errors hehe
I just changed the "nat-start" script to use a different port protocol and number.
Code:
#!/bin/sh
ip rule add from 0/0 fwmark 0x1000/0x1000 table 111 prio 9991
iptables -t mangle -A PREROUTING -i br0 -p udp -m multiport --dport 5060 -j MARK --set-mark 0x1000/0x1000By the way when I manually stop the VPN I see two errors in the web log and according to my search it's due to some permission issues so anyway I can fix them? I dont think I am getting any issues due to that but I just dont like errors hehe
Code:
Oct 15 04:53:28 rc_service: httpd 480:notify_rc stop_vpnclient1
Oct 15 04:53:29 openvpn[22585]: event_wait : Interrupted system call (code=4)
Oct 15 04:53:29 openvpn[22585]: vpnrouting.sh tun11 1500 1557 10.211.2.5 10.211.2.6 init
Oct 15 04:53:29 openvpn-routing: Configuring policy rules for client 1
Oct 15 04:53:29 openvpn[22585]: /usr/sbin/ip route del 222.97.145.240/32
Oct 15 04:53:29 openvpn[22585]: /usr/sbin/ip route del 0.0.0.0/1
Oct 15 04:53:29 openvpn[22585]: ERROR: Linux route delete command failed: external program exited with error status: 2
Oct 15 04:53:29 openvpn[22585]: /usr/sbin/ip route del 128.0.0.0/1
Oct 15 04:53:29 openvpn[22585]: ERROR: Linux route delete command failed: external program exited with error status: 2
Oct 15 04:53:29 openvpn[22585]: Closing TUN/TAP interface
Oct 15 04:53:29 openvpn[22585]: /usr/sbin/ip addr del dev tun11 local 10.211.2.5 peer 10.211.2.6
Oct 15 04:53:29 openvpn[22585]: SIGTERM[hard,] received, process exitingAsad Ali
Very Senior Member
Also just for my own understanding if I call this script with "openvpn-event" instead of "nat-start" is there any issues in doing that?
Because I assume "nat-start" only run once on reboot so what if the VPN get disconnected or I disconnect it myself will the "nat-start" script runs again like "openvpn-event" or it's not needed?
Because I assume "nat-start" only run once on reboot so what if the VPN get disconnected or I disconnect it myself will the "nat-start" script runs again like "openvpn-event" or it's not needed?
Last edited:
john9527
Part of the Furniture
No, its not a permissions problem....vpnrouting.sh cleans up and deletes the added routes.....then openvpn tries to delete the same routes and complains when it can't find them. Just ignore the error.
Martineau
Part of the Furniture
In an ideal world, once set, the Selective routing fwmark rules (when added to the '-t mangle' PREROUTING chain) would be permanent.
If you manually stop the OpenVPN Client, you can prove to yourself that both the PREROUTING and RPDB rules correctly remain.
Unfortunately if you have a TrendMicro enabled router, the DPI engine will arbitrarily flush the '-t mangle' PREROUTING chain, wiping out your Selective Port fwmark routing.
So using nat-start ensures that if the DPI (flush) engine runs, your custom Selective Port routing commands will be reapplied.
NOTE: I believe the DPI engine will randomly kick-in when required by TrendMicro (@02:00?) to perform its signature housekeeping i.e. it doesn't happen every day)
However, now that you have proved that the two (safe) rules are way better than a flawed script, you should now prudently add the appropriate logic to the openvpn-event 'route-up' script:
i.e. Check if the expected Selective Port routing rules are missing; if so then re-add them.
NOTE: Ideally you should create a separate script such as 'VPNPortRouting.sh' (which is then called from both nat-start and vpnclient1-route-up) to ensure that your Selective Port routing tagging will hopefully survive any unexpected event.
Asad Ali
Very Senior Member
Alright so what I did now is I create a "VPNPortRouting.sh" file in /jffs/scripts/ and I am calling it from "nat-start" like this:
Code:
#!/bin/sh
sh /jffs/scripts/VPNPortRouting.shAnd then in "openvpn-event" file I add this code ( found it from this forum )
#!/bin/sh
scr_name="$(basename $0)[$$]"
case "$dev" in
"tun11")
vpn_name="client1"
;;
"tun12")
vpn_name="client2"
;;
"tun13")
vpn_name="client3"
;;
"tun14")
vpn_name="client4"
;;
"tun15")
vpn_name="client5"
;;
"tun21")
vpn_name="server1"
;;
"tun22")
vpn_name="server2"
;;
*)
vpn_name=""
;;
esac
# Call appropriate script based on script_type
vpn_script_name="vpn$vpn_name-$script_type"
# Check script state/use nvram to save last script run
vpn_script_state=$(nvram get vpn_script_state)
nvram set vpn_script_state="$vpn_script_name"
if [ "$vpn_script_name" = "$vpn_script_state" ]; then
echo "VPN script" $vpn_script_name "already run" | logger -t "$scr_name"
exit 0
fi
if [[ -f "/jffs/scripts/$vpn_script_name" ]] ; then
sh /jffs/scripts/$vpn_script_name $*
else
echo "Script not defined for event: "$vpn_script_name | logger -t $scr_name
exit 0
fi
exit 0
scr_name="$(basename $0)[$$]"
case "$dev" in
"tun11")
vpn_name="client1"
;;
"tun12")
vpn_name="client2"
;;
"tun13")
vpn_name="client3"
;;
"tun14")
vpn_name="client4"
;;
"tun15")
vpn_name="client5"
;;
"tun21")
vpn_name="server1"
;;
"tun22")
vpn_name="server2"
;;
*)
vpn_name=""
;;
esac
# Call appropriate script based on script_type
vpn_script_name="vpn$vpn_name-$script_type"
# Check script state/use nvram to save last script run
vpn_script_state=$(nvram get vpn_script_state)
nvram set vpn_script_state="$vpn_script_name"
if [ "$vpn_script_name" = "$vpn_script_state" ]; then
echo "VPN script" $vpn_script_name "already run" | logger -t "$scr_name"
exit 0
fi
if [[ -f "/jffs/scripts/$vpn_script_name" ]] ; then
sh /jffs/scripts/$vpn_script_name $*
else
echo "Script not defined for event: "$vpn_script_name | logger -t $scr_name
exit 0
fi
exit 0
This way I'm calling the required "vpnclient1-route-up" so I want to know is this still the preferred method to call this file? I'm just new to all this and trying to learn myself
Thanks for all the help
Similar threads
Similar threads
Similar threads
-
[Solved]Configure Policy based routing for transparent proxy
- Started by tamasbalogh
- Replies: 6
-
-
-
(Solved - Bad router) RT-AX88U node causes network instability (3004.388.7)
- Started by nbjam
- Replies: 2
-
(solved) Dnscrypt blocked-names.txt automatically deleted upon modification
- Started by Boji
- Replies: 4
-
Miracast problems solved by router reboot -RT-AC86U 386.12_4
- Started by GunnarH
- Replies: 0
-
Solved Solved (for me): WiFi issues and/or crashes with Merlin on RT-AC86U
- Started by Woody
- Replies: 1
-
-
