RMerlin
Asuswrt-Merlin dev
I have it too. I think it comes from avahi, used by the Time Machine support.
Selective Routing with Asuswrt-Merlin
- Thread starter janosek
- Start date
I have it too. I think it comes from avahi, used by the Time Machine support.
I've been trying to get this to work, and from what I can tell the policy rules option in the openvpn client section doesn't work properly for me. I set my pc (connected by wifi) as the source ip but then all other devices on my network lose internet connectivity. I tried on two android phones and all I get is DNS_PROBE_FINISHED_BAD_CONFIG on chrome. I also tried doing the reverse and setting my phone to use the vpn but I get the same result.
Any ideas?
Any ideas?
RMerlin
Asuswrt-Merlin dev
What are you using as DNS mode on the VPN client? If it's set to exclusive, try changing it - it's possible that your tunnel provider's DNS don't work outside of the tunnel.
After about 5 hours of fiddling I got to that conclusion and everything works now
Thanks for the reply though
RMerlin
Asuswrt-Merlin dev
After about 5 hours of fiddling I got to that conclusion and everything works now
I spent some time trying to come up with an elegant solution to this, and unfortunately none that comes to mind, beside disabling exclusive mode whenever policy-based routing is enabled.
Ideally, what we'd need is for dnsmasq to be able to use a specific nameserver based on the client's IP. Otherwise, people will have to disable strict mode, and rely on DNSFilter to enforce their provider's DNS for the routed clients.
Is it possible to forward/direct specific traffic from an OpenVPN server to an OpenVPN client?
I'm running both a server and client on my AC68U router (378.53) and traffic to specific IPs (e.g. 216.146.38.70 This is a 'what is my ip' site) goes through the VPN client when accessing the site on the LAN. However when connected through the VPN server, the connection is dropped due to a firewall rule:
I'm running both a server and client on my AC68U router (378.53) and traffic to specific IPs (e.g. 216.146.38.70 This is a 'what is my ip' site) goes through the VPN client when accessing the site on the LAN. However when connected through the VPN server, the connection is dropped due to a firewall rule:
Disabling this command in firewall-start allows traffic on the VPN server to access the site but the IP is of my ISP, not the VPN client. This means that traffic from the VPN server is not being redirected to the VPN client. Is there an iptables rule to do this?
Amazing how things have changed in the past two years. What Merlin recently implemented in .54 was what I dreamt of when I thought about the above quote. Suffice to say, I was able to take a few minutes (all it took with some googling) and implemented phase 3. I am even considering upgrading to an RT-AC87U from my RT-AC66U to get some extra VPN performance!
So what I did was set up both VPN clients. The first in the US, without any encryption or compression in order to bypass location restrictions for Netflix. I used policy routing to route my PS3, Nexus 10 and my basement "Smart TV" to use the US VPN for Netflix. The second client is more interesting and will require the faster RT-AC87U if I want it to work well. Anyway, I set it up using the Swiss VPN address. I created a second IP address on my PC using the instructions here:
http://www.daktronics.com/Support/KB/Pages/how to add a secondary ip address to a computer.aspx
I set up IP addresses 192.168.1.100 and 192.168.1.200 to my desktop.
I then set the VPN to accept DNS configuration exclusively and to block routed clients if the VPN goes down. I then policy routed 192.168.1.200 through the Swiss VPN.
Finally, I googled how to bind utorrent to 192.168.1.200 and found this site:
http://www.ibvpn.com/billing/knowle...ad-Torrents-only-via-VPN-Windows-OpenVPN.html
I then fired up utorrent and then logged onto my torrent site and confirmed the my torrents were seeding through the Swiss VPN. I then checked http://www.iplocation.net/ and found that my normal traffic on my PC is still going through my ISP. So it looks like I finally got to phase 3, thanks to Merlin's fantastic work!
Hello..
I have an issue that, while on the surface looks like a private internet access VPN issue, its actually a routing and route issue.
Here is the situation.
I am on .54_1 on an RT-AC66u
I have client 1 as US VPN with no encryption or compression
I have client 2 as Swiss VPN with encryption.
I have policy routing for my TV and tablet to go through client 1 and I set up a second IP address for my desktop such that 192.168.1.100 goes through ISP and 192.168.1.200 is policy routed through swiss VPN. Everything looks great.
I use forcebindip to force bind firefox to 192.168.1.200 and I set utorrent to bind to 192.168.1.200 as well. I set my DNS to be google because I had dns leaks that I could not resolve.
Here is the issue. I am trying to use Private Internet Access port forwarding to open up a port for utorrent, but in the above setup, I keep getting "Port forwarding not available for this region". The Swiss VPN has port forwarding. After some googling, I discovered that the request for the port forward opening needs to go through the Swiss VPN in order to return a port. In order to test that the script works, I turned off client 1 and set client 2 (swiss VPN) to route all traffic. When I ran the script below with my credentials, I got a port back. When I set swiss vpn to policy routing, and turned back client 1, I get "Port forwarding not available for this region". The thing is, I bind the HTTP connection to 192.168.1.200, which is policy routed through the Swiss VPN. The call to http://myexternalip.com/raw returns the swiss VPN IP address, so why does the second call think it is not coming from the network?
One thing I can think of is that I am using google DNS on both windows and overriding my ISP on the router. Could the DNS lookup interfere? If all traffic goes through the Swiss VPN, does it use the PIA DNS server?
Any insight would be helpful.
I have an issue that, while on the surface looks like a private internet access VPN issue, its actually a routing and route issue.
Here is the situation.
I am on .54_1 on an RT-AC66u
I have client 1 as US VPN with no encryption or compression
I have client 2 as Swiss VPN with encryption.
I have policy routing for my TV and tablet to go through client 1 and I set up a second IP address for my desktop such that 192.168.1.100 goes through ISP and 192.168.1.200 is policy routed through swiss VPN. Everything looks great.
I use forcebindip to force bind firefox to 192.168.1.200 and I set utorrent to bind to 192.168.1.200 as well. I set my DNS to be google because I had dns leaks that I could not resolve.
Here is the issue. I am trying to use Private Internet Access port forwarding to open up a port for utorrent, but in the above setup, I keep getting "Port forwarding not available for this region". The Swiss VPN has port forwarding. After some googling, I discovered that the request for the port forward opening needs to go through the Swiss VPN in order to return a port. In order to test that the script works, I turned off client 1 and set client 2 (swiss VPN) to route all traffic. When I ran the script below with my credentials, I got a port back. When I set swiss vpn to policy routing, and turned back client 1, I get "Port forwarding not available for this region". The thing is, I bind the HTTP connection to 192.168.1.200, which is policy routed through the Swiss VPN. The call to http://myexternalip.com/raw returns the swiss VPN IP address, so why does the second call think it is not coming from the network?
One thing I can think of is that I am using google DNS on both windows and overriding my ISP on the router. Could the DNS lookup interfere? If all traffic goes through the Swiss VPN, does it use the PIA DNS server?
Any insight would be helpful.
Code:
import urllib, urllib2, httplib, socket, re, random, string, json, sys
API_URL = "https://www.privateinternetaccess.com/vpninfo/port_forward_assignment"
user = '*'
pw = '*'
pia_client_id = ''
Internal_IP = '192.168.1.200'
#********************************
#This code binds the HTTP request to the selected Internal_IP above
#Code from
#http://stackoverflow.com/questions/1150332/source-interface-with-python-and-urllib2
class BindableHTTPConnection(httplib.HTTPConnection):
def connect(self):
"""Connect to the host and port specified in __init__."""
self.sock = socket.socket()
self.sock.bind((self.source_ip, 0))
if isinstance(self.timeout, float):
self.sock.settimeout(self.timeout)
self.sock.connect((self.host,self.port))
def BindableHTTPConnectionFactory(source_ip):
def _get(host, port=None, strict=None, timeout=0):
bhc=BindableHTTPConnection(host, port=port, strict=strict, timeout=timeout)
bhc.source_ip=source_ip
return bhc
return _get
class BindableHTTPHandler(urllib2.HTTPHandler):
def http_open(self, req):
return self.do_open(BindableHTTPConnectionFactory(Internal_IP), req)
opener = urllib2.build_opener(BindableHTTPHandler)
#******************************
#install opener so that this interface will be used throughout
urllib2.install_opener(opener)
ip = re.search("^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$",urllib2.urlopen('http://myexternalip.com/raw').read())
print "IP Address:", ip.group(0)
if pia_client_id == "":
pia_client_id = "".join([random.choice(string.letters) for i in xrange(32)])
print "PIA Client ID:", pia_client_id
# This code is from:
#https://www.privateinternetaccess.com/forum/discussion/180/port-forwarding-without-the-application-advanced-users/p2
#
# Gather the (possibly multi-line) JSON response and create a python dict
# out of it
request = urllib2.Request(API_URL, urllib.urlencode(
{ 'user':user
, 'pass':pw
, 'client_id':pia_client_id
, 'local_ip':ip.group(0)
}
))
response = ""
for line in urllib2.urlopen(request).readlines():
response += line
resp = json.loads(response)
# Now either print out the forwarded port or an error message.
if "port" in resp:
print "Forwarded port:", resp["port"]
elif "error" in resp:
print "Error: %s" % resp["error"]
sys.exit(-1)
else:
print "Error: no idea what failed!"
sys.exit(-2)OK. Here is the route information where the above script works:
In the above set up, everything is routed through the tunnel 2 VPN and PIA recognizes the HTTPS call and provides a port.
When I turn on the other VPN and policy route the IP I want, it does not work and the route looks like:
Again the HTTP request in the above script correctly gives me the external ip of tunnel 2, but the HTTPS call is not being recognized as going through the tunnel 2 VPN, I feel the solution is simple, but it is beyond my knowledge.
Code:
Destination Gateway Genmask Flags Metric Ref Use Iface
23.233.6.129 0.0.0.0 255.255.255.255 UH 0 0 0 eth0
10.183.1.5 0.0.0.0 255.255.255.255 UH 0 0 0 tun12
23.233.6.128 0.0.0.0 255.255.255.224 U 0 0 0 eth0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 23.233.6.129 0.0.0.0 UG 0 0 0 eth0In the above set up, everything is routed through the tunnel 2 VPN and PIA recognizes the HTTPS call and provides a port.
When I turn on the other VPN and policy route the IP I want, it does not work and the route looks like:
Code:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
208.167.254.98 23.233.6.129 255.255.255.255 UGH 0 0 0 eth0
10.182.1.9 0.0.0.0 255.255.255.255 UH 0 0 0 tun12
23.233.6.129 0.0.0.0 255.255.255.255 UH 0 0 0 eth0
10.100.3.5 0.0.0.0 255.255.255.255 UH 0 0 0 tun11
81.17.25.2 23.233.6.129 255.255.255.255 UGH 0 0 0 eth0
23.233.6.128 0.0.0.0 255.255.255.224 U 0 0 0 eth0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 23.233.6.129 0.0.0.0 UG 0 0 0 eth0If I get rid of my second ip address to my network card and just route the single ip address, 192.168.1.100, through the second tunnel, the script also works fine.
So I have to figure out why I can make an HTTP request that binds to 192.168.1.200 that is policy routed through tunnel 2 and get the external ip of the tunnel, but when I try to use the same interface to make an HTTPS request, the PIA server doesn't recognize me as going through the tunnel 2.
So I have to figure out why I can make an HTTP request that binds to 192.168.1.200 that is policy routed through tunnel 2 and get the external ip of the tunnel, but when I try to use the same interface to make an HTTPS request, the PIA server doesn't recognize me as going through the tunnel 2.
Hi, I'm currently trying to redirect all traffic on one of my ports to the VPN and have it also block the traffic should the VPN go down. That doesn't seem to be the case when I toggle the ON/OFF switch. Is this normal?
Custom Configuration:
vpn_route_up.sh:
firewall-start:
Custom Configuration:
Code:
...
route-nopull
script-security 2
route-up /jffs/scripts/vpn_route_up.shvpn_route_up.sh:
Code:
#!/bin/sh
logger -t "($(basename $0))" $$ Selective OpenVPN Starting... " $0${*:+ $*}."
ip route flush table 10
ip route del default table 10
ip rule del fwmark 10 table 10
ip route flush cache
tun_if="tun11"
tun_ip=$(ifconfig $tun_if | grep 'inet addr:'| cut -d: -f2 | awk '{ print $1}')
ip route add default via $tun_ip dev $tun_if table 10
ip rule add fwmark 10 table 10
echo 0 > /proc/sys/net/ipv4/conf/$tun_if/rp_filter
iptables -t mangle -A PREROUTING -i br0 -p tcp --dport 59606 -j MARK --set-mark 10
iptables -t mangle -A PREROUTING -i br0 -p udp --dport 59606 -j MARK --set-mark 10firewall-start:
Code:
iptables -I FORWARD -s 192.168.1.0/24 -o ! tun11 -p tcp --dport 59606 -j DROP
iptables -I FORWARD -s 192.168.1.0/24 -o ! tun11 -p udp --dport 59606 -j DROP
Last edited:
Martineau
Part of the Furniture
Did you check if the firewall-start rules were created/applied?
Code:
iptables -nv -L --lineI think the firewall-start syntax should be:
Code:
iptables -I FORWARD -s 192.168.1.0/24 ! -o tun11 -p tcp --dport 59606 -j DROP
iptables -I FORWARD -s 192.168.1.0/24 ! -o tun11 -p udp --dport 59606 -j DROPUnfortunately it's still not appearing in the list:
Code:
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT all -- tun11 * 0.0.0.0/0 0.0.0.0/0
2 358 38893 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
3 0 0 DROP all -- !br0 eth0 0.0.0.0/0 0.0.0.0/0
4 18 724 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
5 0 0 ACCEPT all -- br0 br0 0.0.0.0/0 0.0.0.0/0
6 0 0 DROP icmp -- eth0 * 0.0.0.0/0 0.0.0.0/0
7 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate DNAT
8 252 25171 ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0Martineau
Part of the Furniture
As I posted, the iptable syntax in your original post doesn't work...here is the output when I tried your command then my revised command:
Code:
admin@RT-AC56U:/tmp/home/root# iptables -I FORWARD -s 192.168.1.0/24 -o ! tun11 -p udp --dport 59606 -j DROP
Bad argument `tun11'
Try `iptables -h' or 'iptables --help' for more information.
admin@RT-AC56U:/tmp/home/root# iptables -I FORWARD -s 192.168.1.0/24 ! -o tun11 -p udp --dport 59606 -j DROP
admin@RT-AC56U:/tmp/home/root#If the iptable rule can be added manually, but not automatically after a reboot, then the invocation script must be in error.
Yeah the invocation script must be in error; I made the correction to the script awhile ago and I can add the rule manually it just does not appear when used in firewall-start. The script's permissions are correct, any idea what else I could troubleshoot?
Martineau
Part of the Furniture
Just the usual tedious testing...
i.e. add appropriate debugging lines in the script
Code:
logger -s -t "($(basename $0))" $$ Blocking WAN Port 59606
iptables -I FORWARD -s 192.168.1.0/24 ! -o tun11 -p udp --dport 59606 -j DROP
logger -s -t "($(basename $0))" $$ Blocked WAN Port 59606
etc.Run firewall-start manually
..and of course you have allowed the JFFS scripts to be executed on the Admin->System tab? for firmwares 378.53+
pat.ibulaire
Occasional Visitor
Hi everybody this script look very good because it works with both a vpnclient and vpn server running on my Merlin routeur. I'm trying to adapt this script to my situation but I have a little problem : the tun_ip I should use is not the inet addr given by ifconfig but the gateway pushed the vpnclient by the server. So to succeed I need
- to avoid the route nopull directive
- find that gateway ip from a route -n or a ip route list
- deleting the route pushed to the client
- running the script with the the gateway address as tun_ip
I succeed to do this manually but I'm unable to write a script that extract the gateway from route -n I hope someone can tell me a good trick. Thank you in advance.
Here is the ip route list output :
74.131.173.17 via 192.168.0.1 dev eth0
192.168.0.1 dev eth0 scope link
74.131.168.128/27 dev tap11 proto kernel scope link src 74.131.162.132
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.10
192.168.2.0/24 dev br0 proto kernel scope link src 192.168.2.1
127.0.0.0/8 dev lo scope link lo scope link
0.0.0.0/1 via 74.131.169.129 dev tap11
128.0.0.0/1 via 74.131.169.129 dev tap11
default via 192.168.0.1 dev eth0
the ip gateway I need to extract is the 74.131.169.129 from the line 8
afterward I delete that route a run the script and it works
Bogey
Regular Contributor
I noticed janosek is trying to achieve the same, as are a few others. But haven't seen any replies, does that mean nobody knows or nobody cares?
Anyway, I found this post, where the guy has achieved the same that a couple of us are after. Unfortunately it's for DD-WRT and not AsusWRT.
http://cornasdf.blogspot.nl/2012/10/dd-wrt-openvpn-and-selectively-routing.html
Surely a network guru must be able to interpret this and translate it to an Asuswrt usable script for mere mortals like me
Thanks,
Erwin
Martineau
Part of the Furniture
I noticed janosek is trying to achieve the same, as are a few others. But haven't seen any replies, does that mean nobody knows or nobody cares?
Anyway, I found this post, where the guy has achieved the same that a couple of us are after. Unfortunately it's for DD-WRT and not AsusWRT.
http://cornasdf.blogspot.nl/2012/10/dd-wrt-openvpn-and-selectively-routing.html
Surely a network guru must be able to interpret this and translate it to an Asuswrt usable script for mere mortals like me
Thanks,
Erwin
Probably the second?
I already replied to you in your other thread..
http://www.snbforums.com/threads/openvpn-policy-routing-guide.24384/page-2#post-191834
basically the DD-WRT information you refer to has already been 'translated' to work under RMerlin's firmware...although adapted/cloned would be a better description as the example iptable rules work unmodified on any Linux based environment.
I haven't seen any indication that you have followed my previous advice and ditched the use of your custom openvpn-event script in favour of using the user-friendly Policy routing rules provided by the GUI.
i.e. prove that you can selectively route devices through either of the VPN Client connections.
Then since Selective port routing is not available via the GUI, you will need to manually add the three RPDB rules for fwmark tagging and then simply apply the fwmark tagging iptables rules for your selected port requirements.
Bogey
Regular Contributor
I know you're kidding! (and so was I)
I followed up on your post telling that; I want to be able to selectively rout ports. I haven't laid out the complete network, not to make things more complicated than they already are. But to shed some light: I have a few applications (that use a unique port) that connect to the office, these require a VPN. BUT I also have my personal VPN. So when travelling abroad (for a living that is, not the occasional holiday (*) ) I want uhm...need to be able to redirect ports to WAN, VPN1 and VPN2 from the same computer. And that's just one computer.
I already achieved that with both the script and the GUI. Thanks to your suggestions I was able to do that in multiple ways; selectively routing devices is not the problem.
Exactly! Question remains: how do I do that, is it as simple as altering the script with the few lines (as I wrote in the post in red)?
Thanks for helping me out Martineau, I really appreciate it.
Regards,
Erwin
(*) We (me and 2 to 3 collegues) set up shop at the client's office, and we bring our own router (so we can connect to eachother without the hassle of security, permission etc.). Every team member (team members rotate) requires VPN access to the office, but we'd like to watch national television remote as well, hence the 2 VPNs and selective port routing.
Last edited:
Similar threads
Similar threads
Similar threads
-
-
OpenVPN / site to site with special security/routing constraints
- Started by MarkusI
- Replies: 7
-
Bug Report: nvram chilli_enable=1 when guest network is removed causes no routing to occur
- Started by Acru
- Replies: 2
-
[Help] Routing VPN server through VPN client (external VPN Provider)
- Started by GuardYaGrill
- Replies: 14
-
-
-
-
Offloading ssl/tls for https (the router handling the https, routing http through)
- Started by JCompagner
- Replies: 7
-
-
Latest threads
-
-
LAN > DHCP List - Manually Assigned Name + Icon DONT SAVE
- Started by copperhead
- Replies: 2
-
-
-
RT-AC87U 5GHz frequently dropping after latest signature update
- Started by bibbis
- Replies: 0
Sign Up For SNBForums Daily Digest
Get an update of what's new every day delivered to your mailbox. Sign up here!