VPN routing issue

BenC

Occasional Visitor
Hi, sorry for the probably stupid question. I have an AC66 with Merlin 380.59.

I have a PIA VPN account.

My goal is to have the router connect to this VPN account, and then send exclusively port 80 and 443 traffic through the VPN, and nothing else. All other traffic proceeds by the normal gateway. This is probably the opposite of what most people want to do and I've struggled to find information for this purpose and configuration.

Any assistance appreciated.
 
My goal is to have the router connect to this VPN account, and then send exclusively port 80 and 443 traffic through the VPN, and nothing else. All other traffic proceeds by the normal gateway

Ensure you have enabled 'Redirect Internet traffic=Policy Rules' in the VPN Client GUI used for the PIA connection.

Manually issue the following commands via SSH replacing '?' with the appropriate VPN Client instance.
Code:
# '?' = the VPN Client instance number: fwmark 0x?000, routing table 11?, RPDB prio 999?
# Delete first so that re-running the commands (e.g. from nat-start) does not create duplicate rules
ip rule del fwmark 0x?000
ip rule add fwmark 0x?000 table 11? prio 999?

ip route flush cache

# Mark LAN (br0) tcp/80,443 from every host except the router itself; the RPDB rule above routes marked packets via the VPN
iptables -t mangle -D PREROUTING -i br0 ! -s $(nvram get lan_ipaddr) -p tcp -m multiport --dport 80,443 -j MARK --set-mark 0x?000/0x?000
iptables -t mangle -A PREROUTING -i br0 ! -s $(nvram get lan_ipaddr) -p tcp -m multiport --dport 80,443 -j MARK --set-mark 0x?000/0x?000
Once you are satisfied it works (https://ipleak.net from any LAN/WiFi device), permanently add them to /jffs/scripts/nat-start.

NOTE: The above PREROUTING rule applies to ALL devices except the router itself, e.g. 'curl' commands etc. on the router will always be routed via the WAN. If all http/https traffic is to be routed via the WAN, then the PREROUTING rule will need to be changed.
 
I'm having trouble identifying my VPN client instance. Is it 6?

[screenshot]


Thanks.

If so, when entering I get this;

[screenshot]
I'm having trouble identifying my VPN client instance. Is it 6?

[screenshot]


NO! can you not read the screen? ....where does it say 6?

entering I get this;

[screenshot]

The '-D' means delete, so it ensures that unnecessary duplicate rules are not created by the '-I' insert command if/when the nat-start script is re-run.
 
Ease up there tiger, no need to be aggressive. I asked a question, that's all. One day you'll ask a question about something you're new to also.

Thanks for the pics, I'll continue trying to configure as per your instructions.

edit. Works, thanks again.
 
Is it possible to exempt a specific internal IP from these rules? Netflix blocks VPN use it seems.
 
Thanks. Any ideas on what that might look like? Reading about iptables syntax is hurting my brain.
 
Thanks. Any ideas on what that might look like? Reading about iptables syntax is hurting my brain.

You can always find another VPN provider. I have no issues when using some servers from Astrill for Netflix and none with any of the StrongVPN servers I have used.
 
Thanks, I'll have a look. For now a simpler solution would be to just exempt the IP of my TV as that's the only device we use Netflix for. I've tried to add a new route for packets from that TV but so far I can't get it to work.
 
For the purposes of helping anyone else, I got it working using this code:

Code:
#!/bin/sh
# Route all LAN http/https via the VPN, but send one host (192.168.0.67) via the WAN
# using a second routing table (100) that is selected by fwmark 1.

sleep 2

# Disable reverse-path filtering so replies arriving on the "other" interface are not dropped
for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
  echo 0 > $i
done

# Start from a clean table 100 and an empty mangle PREROUTING chain
ip route flush table 100
ip route del default table 100
ip rule del fwmark 1 table 100
ip route flush cache
iptables -t mangle -F PREROUTING

# Copy every main-table route except the default route and the tun11 routes into table 100
ip route show table main | grep -Ev ^default | grep -Ev tun11 \
  | while read ROUTE ; do
      ip route add table 100 $ROUTE
done

# Table 100 defaults to the WAN gateway; fwmark 1 selects that table
ip route add default table 100 via $(nvram get wan_gateway)
ip rule add fwmark 1 table 100
ip route flush cache

# --set-mark 0/0 uses an empty mask, so these two rules leave the mark at its existing value (0 = VPN)
iptables -t mangle -D PREROUTING -i br0 ! -s $(nvram get lan_ipaddr) -p tcp -m multiport --dport 80,443 -j MARK --set-mark 0/0
iptables -t mangle -A PREROUTING -i br0 ! -s $(nvram get lan_ipaddr) -p tcp -m multiport --dport 80,443 -j MARK --set-mark 0/0

# The TV: mark 1 so that its packets use table 100 (WAN)
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.0.67 -j MARK --set-mark 1

# nat-start should report success
exit 0

Packets marked with 1 are sent via the WAN. Packets marked with 0 are sent through the VPN. In this example, 192.168.0.67 (my TV) is marked 1 and is sent via the WAN.

Thanks to all for their help.
 
Thanks. Any ideas on what that might look like? Reading about iptables syntax is hurting my brain.
TorGuard VPN with PrivateIP can get around N. Flix and Hulu VPN blocks.
 
Just so you know, the same can be done using the VPN Web Gui. Please see the instructions here in the VPN forum:

https://www.snbforums.com/threads/h...and-other-vpn-providers-380-66_4-06-11.30851/
 
Just so you know, the same can be done using the VPN Web Gui

Unfortunately you cannot selectively route ports/ipsets via the GUI.

However, I would not recommend that the legacy script https://www.snbforums.com/threads/vpn-routing-issue.39591/#post-330223 is used; it is inherently flawed and will definitely fail in configurations where multiple concurrent VPN connections are required.

I propose that the following technique addresses the custom edge case requirements of the OP.

Code:
# All LAN/WiFi device http/https requests will use the VPN, but device xxx.xxx.xxx.xxx will be excluded and use the WAN

# fwmark 0x7000 -> table 254 (main, i.e. the WAN); prio 9990 is consulted before the VPN rule at prio 999?
ip rule del fwmark 0x7000
ip rule add fwmark 0x7000 table 254 prio 9990

ip rule del fwmark 0x?000
ip rule add fwmark 0x?000 table 11? prio 999?

ip route flush cache

iptables -t mangle -D PREROUTING -i br0 ! -s $(nvram get lan_ipaddr) -p tcp -m multiport --dport 80,443 -j MARK --set-mark 0x?000/0x?000
iptables -t mangle -A PREROUTING -i br0 ! -s $(nvram get lan_ipaddr) -p tcp -m multiport --dport 80,443 -j MARK --set-mark 0x?000/0x?000

# Appended after the VPN rule so the excluded device's http/https packets end up with mark 0x7000
# (the multiport match needs a port list, hence --dport 80,443)
iptables -t mangle -D PREROUTING -i br0 -s xxx.xxx.xxx.xxx -p tcp -m multiport --dport 80,443 -j MARK --set-mark 0x7000/0x7000
iptables -t mangle -A PREROUTING -i br0 -s xxx.xxx.xxx.xxx -p tcp -m multiport --dport 80,443 -j MARK --set-mark 0x7000/0x7000

and FWMARK 0x7000 will use the WAN and FWMARK 0x?000 will use the VPN instance identified by '?'

I did consider inserting RPDB FWMARK rules within the individual VPN Client ranges as allocated by RMerlin's vpnrouting.sh script, i.e. PRIO 1000-2000 (or lower 3000?), rather than using PRIO 9990-9005, which would then still allow use of the GUI Policy Rules for subnet/device selective routing as alluded to by @Xentrk, but for my purposes I decided to make the Selective Port Routing have a higher priority than the Selective Routing Policy Rules.
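The '?' substitution from the first reply and the 0x7000 exemption from this post, as an added example that is not code from the thread or from Asuswrt-Merlin: a shell helper that derives fwmark/table/prio from the VPN Client instance number, prints the commands in dry-run mode by default, and treats a failed delete as harmless. The instance range 1-5, the LAN_IP parameter (pass $(nvram get lan_ipaddr) on the router) and the sample addresses are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: generate the rule set the replies
# write with '?' placeholders for Asuswrt-Merlin VPN Client instance N (1-5):
# fwmark 0xN000, routing table 11N, RPDB priority 999N. The optional exempt
# host follows the later post: mark 0x7000 -> table 254 (main) at prio 9990.
# DRY_RUN=1 (the default) prints the commands; DRY_RUN=0 applies them (router only).

: "${DRY_RUN:=1}"

# Map a VPN Client instance number to "MARK TABLE PRIO"; reject anything but 1-5 (assumed range).
vpn_instance_params() {
    case "$1" in
        [1-5]) echo "0x${1}000 11${1} 999${1}" ;;
        *) echo "VPN Client instance must be 1-5, got '$1'" >&2; return 1 ;;
    esac
}

# Print or execute one command. Deletes are allowed to fail: the thread's
# "RTNETLINK answers: No such file or directory" just means no such rule exists yet.
run_cmd() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }
run_del() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@" 2>/dev/null || true; fi; }

# vpn_port_rules INSTANCE LAN_IP [EXEMPT_IP]: LAN tcp/80,443 -> VPN client,
# except EXEMPT_IP which keeps using the WAN. The router's own traffic is
# never marked (! -s LAN_IP), exactly as in the thread.
vpn_port_rules() {
    params=$(vpn_instance_params "$1") || return 1
    set -- "$2" "${3:-}" $params          # lan exempt mark table prio
    lan=$1 exempt=$2 mark=$3 table=$4 prio=$5
    http="-p tcp -m multiport --dport 80,443"
    run_del ip rule del fwmark "$mark"
    run_cmd ip rule add fwmark "$mark" table "$table" prio "$prio"
    run_del iptables -t mangle -D PREROUTING -i br0 ! -s "$lan" $http -j MARK --set-mark "$mark/$mark"
    run_cmd iptables -t mangle -A PREROUTING -i br0 ! -s "$lan" $http -j MARK --set-mark "$mark/$mark"
    if [ -n "$exempt" ]; then
        # prio 9990 is consulted before 999N, so the exempt host hits table 254 first
        run_del ip rule del fwmark 0x7000
        run_cmd ip rule add fwmark 0x7000 table 254 prio 9990
        # appended after the VPN rule: ORing 0x7000 onto 0xN000 (N <= 5) gives exactly 0x7000
        run_del iptables -t mangle -D PREROUTING -i br0 -s "$exempt" $http -j MARK --set-mark 0x7000/0x7000
        run_cmd iptables -t mangle -A PREROUTING -i br0 -s "$exempt" $http -j MARK --set-mark 0x7000/0x7000
    fi
    run_cmd ip route flush cache
}

vpn_port_rules 1 192.168.1.1 192.168.1.67   # constructed sample: instance 1, router IP, exempt TV
```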
 

Sorry for my noobness but could you please correct where I'm wrong.

- I'm using VPN Client 1 so I should put 1 for all "?" right?
- and put this script to nat-start with starting "#!/bin/sh" and make it executable of course.
- I should also enable Start with WAN my VPN Client 1 and select Redirect Internet traffic as Policy Rules.

but when I run;

admin@Fatiii:/tmp/home/root# ip rule del fwmark 0x7000
RTNETLINK answers: No such file or directory

:(
 
- I'm using VPN Client 1 so I should put 1 for all "?" right?

Yes.
but when I run;

admin@Fatiii:/tmp/home/root# ip rule del fwmark 0x7000
RTNETLINK answers: No such file or directory

:(

It is best practice to ensure that a rule does not exist before adding/inserting to prevent duplicates.

The 'error message' is simply stating that the rule does not exist, so as your intention is to delete the rule then this is acceptable.

NOTE: For a delete request it is usually safe to suppress such messages by using
Code:
ip rule del fwmark 0x7000 2> /dev/null
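To confirm locally that the rules actually landed (a complement to the ipleak.net check earlier in the thread) and that re-running nat-start has not left the duplicate rules this post warns about, here is an added audit script that is not code from the thread. It assumes the 0x?000/11?/999? scheme plus the 0x7000 exemption rule from the earlier post, and is fed a constructed `ip rule show` listing.

```shell
#!/bin/sh
# Added example, not code from the thread: audit the RPDB after nat-start.
# Reads `ip rule show` output on stdin and checks, for VPN Client instance N:
#   - fwmark 0xN000 -> table 11N is present (LAN http/https via the VPN)
#   - fwmark 0x7000 -> main/254 is present with a lower prio number than the
#     VPN rule, so the exempt host is routed via the WAN first
#   - no fwmark rule appears twice (nat-start re-run without the "del" step)

# check_rpdb INSTANCE  (rules on stdin); exits 0 when all checks pass
check_rpdb() {
    awk -v n="$1" '
        /fwmark/ {
            prio = $1; sub(/:$/, "", prio); mark = ""; table = ""
            for (i = 1; i < NF; i++) {
                if ($i == "fwmark") { mark = $(i + 1); sub(/\/.*/, "", mark) }
                if ($i == "lookup") table = $(i + 1)
            }
            seen[mark]++
            if (mark == "0x" n "000") { vpn_prio = prio; vpn_table = table }
            if (mark == "0x7000")     { wan_prio = prio; wan_table = table }
        }
        END {
            ok = 1
            if (vpn_table != "11" n) { print "FAIL: no rule fwmark 0x" n "000 -> table 11" n; ok = 0 }
            if (wan_table != "main" && wan_table != "254") { print "FAIL: no rule fwmark 0x7000 -> main"; ok = 0 }
            if (ok && wan_prio + 0 >= vpn_prio + 0) { print "FAIL: exemption prio must be lower than the VPN prio"; ok = 0 }
            for (m in seen) if (seen[m] > 1) { print "FAIL: fwmark " m " appears " seen[m] " times (duplicate rules)"; ok = 0 }
            exit (ok ? 0 : 1)
        }'
}

# Constructed sample of what `ip rule show` prints after the thread's commands for instance 1
SAMPLE_RULES='0: from all lookup local
9990: from all fwmark 0x7000 lookup main
9991: from all fwmark 0x1000 lookup 111
32766: from all lookup main
32767: from all lookup default'

printf '%s\n' "$SAMPLE_RULES" | check_rpdb 1 && echo "RPDB OK for VPN Client 1"
```

On the router, run `ip rule show | check_rpdb 1` (or the instance you configured) after nat-start has executed.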
 
Thank you @Martineau. you're my hero :rolleyes:
 
Thanks a lot for this "recipe".
Worked like a charm, I am now only tunneling tcp port 8000.

One (maybe) stupid question.
Can I use a similar rule to force all DNS requests to go encrypted through the VPN Tunnel? :

# one rule per protocol, since iptables -p accepts a single protocol
iptables -t mangle -A PREROUTING -i br0 ! -s $(nvram get lan_ipaddr) -p tcp -m multiport --dport 53 -j MARK --set-mark 0x?000/0x?000
iptables -t mangle -A PREROUTING -i br0 ! -s $(nvram get lan_ipaddr) -p udp -m multiport --dport 53 -j MARK --set-mark 0x?000/0x?000

Makes sense?

Thanks
 
Technically yes... although you can use the far easier VPN GUI option to set 'Accept DNS configuration=EXCLUSIVE' (depending on your requirements) to add entries to the DNSVPN? chain instead of using the fwmark technique.
 

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top