Help with Tomato/RMerlin Asuswrt selective routing over two openvpn clients

Discussion in 'Routers' started by janosek, Jan 16, 2013.

  1. janosek

    janosek Regular Contributor

    Joined:
    Jan 8, 2013
    Messages:
    137
    Hello,

    I have spend days searching how to selectively route openvpn over TWO clients, but all I have found is people asking the question in a "Solved" forum, but no solution.

    Here is my code to selectively route with one VPN.
    It is not mine. It was modified from here, with much gratitiude:
    http://www.linksysinfo.org/index.php?threads/route-only-specific-ports-through-vpn-openvpn.37240/


    #!/bin/sh

    touch /tmp/000wanstarted

    for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
    echo 0 > $i
    done


    #US VPN

    #
    # Delete and table 100 and flush any existing rules if they exist.
    #
    ip route flush table 100
    ip route del default table 100
    ip rule del fwmark 1 table 100
    ip route flush cache
    iptables -t mangle -F PREROUTING


    ip route add default table 100 via $(nvram get wan_gateway)
    ip rule add fwmark 1 table 100
    ip route flush cache


    # Define the routing policies for the traffic. The rules will be applied in the #order that they are listed. In the end, packets with MARK set to "0" will
    # pass through the VPN. If MARK is set to "1" it will bypass the VPN.


    # All LAN traffic will bypass the VPN (Useful to put this rule first, so all traffic bypasses the VPN and you can # configure exceptions afterwards)

    iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1


    # All traffic from Laptop will use US VPN
    iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.248 -j MARK --set-mark 0


    # All traffic from PS3 will use the US VPN
    iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.10 -j MARK --set-mark 0


    # All traffic from Nexus 10 will use the US VPN
    iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.2 -j MARK --set-mark 0



    # All traffic from VOIP will use the WAN
    iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.152 -j MARK --set-mark 1

    # Ports 38666 will bypass the VPN (in the future, another VPN)
    iptables -t mangle -A PREROUTING -p tcp --dport 38666 -j MARK --set-mark 1
    iptables -t mangle -A PREROUTING -p udp --dport 38666 -j MARK --set-mark 1



    exit 0

    I would like to set up a second VPN and route some ports through there, but when I try to bring a second openvpn client up, everything stops working.

    I tried modifying cornasdf's method to my own usages:
    http://cornasdf.blogspot.ca/2012/10/dd-wrt-openvpn-and-selectively-routing.html
    but it did not work in my setup. Here is what I got:

    Here is my environment setup script:

    ###################################################

    mkdir /jffs/scripts/customvpn
    mkdir /jffs/scripts/customvpn/us
    mkdir /jffs/scripts/customvpn/uk
    echo "-----BEGIN CERTIFICATE-----
    <SNIP>
    -----END CERTIFICATE-----" >> /jffs/scripts/customvpn/ca.crt

    chmod 700 /jffs/scripts/customvpn/ca.crt


    #Setup uk Tunnel Config
    echo script-security 3 > /jffs/scripts/customvpn/uk/openvpn-uk.conf
    echo daemon >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
    echo client >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
    echo dev tun0 >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
    echo proto udp >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
    echo remote <UK_VPN_ADDRESS> 1194 >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
    echo resolv-retry 30 >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
    echo nobind >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
    echo persist-key >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
    echo persist-tun >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
    echo ca /jffs/scripts/customvpn/ca.crt >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
    #echo redirect-gateway def1 >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
    echo auth-user-pass /jffs/scripts/customvpn/password.txt >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
    echo comp-lzo adaptive >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
    #echo route-up /jffs/scripts/customvpn/uk/route-up-uk.sh >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
    #echo down-pre /jffs/scripts/customvpn/uk/route-down-uk.sh >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
    echo verb 15 >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
    echo status-version 2 >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
    #echo route-nopull >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
    echo mute-replay-warnings >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
    echo mssfix 1396 >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
    #echo status /jffs/scripts/status_uk >> /jffs/scripts/customvpn/uk/openvpn-uk.conf



    chmod 700 /jffs/scripts/customvpn/uk/openvpn-uk.conf


    #Setup US Tunnel Config

    echo script-security 3 > /jffs/scripts/customvpn/us/openvpn-US.conf
    echo daemon >> /jffs/scripts/customvpn/us/openvpn-US.conf
    echo client >> /jffs/scripts/customvpn/us/openvpn-US.conf
    echo dev tun1 >> /jffs/scripts/customvpn/us/openvpn-US.conf
    echo proto udp >> /jffs/scripts/customvpn/us/openvpn-US.conf
    echo remote <US_VPN_ADDRESS>1194 >> /jffs/scripts/customvpn/us/openvpn-US.conf
    echo resolv-retry 30 >> /jffs/scripts/customvpn/us/openvpn-US.conf
    echo nobind >> /jffs/scripts/customvpn/us/openvpn-US.conf
    echo persist-key >> /jffs/scripts/customvpn/us/openvpn-US.conf
    echo persist-tun >> /jffs/scripts/customvpn/us/openvpn-US.conf
    echo ca /jffs/scripts/customvpn/ca.crt >> /jffs/scripts/customvpn/us/openvpn-US.conf
    #echo redirect-gateway def1 >> /jffs/scripts/customvpn/us/openvpn-US.conf
    echo auth-user-pass /jffs/scripts/customvpn/password.txt >> /jffs/scripts/customvpn/us/openvpn-US.conf
    echo comp-lzo adaptive >> /jffs/scripts/customvpn/us/openvpn-US.conf
    #echo route-up /jffs/scripts/customvpn/us/route-up-US.sh >> /jffs/scripts/customvpn/us/openvpn-US.conf
    #echo down-pre /jffs/scripts/customvpn/us/route-down-US.sh >> /jffs/scripts/customvpn/us/openvpn-US.conf
    echo verb 15 >> /jffs/scripts/customvpn/us/openvpn-US.conf
    echo status-version 2 >> /jffs/scripts/customvpn/us/openvpn-US.conf
    #echo route-nopull >> /jffs/scripts/customvpn/us/openvpn-US.conf
    echo mute-replay-warnings >> /jffs/scripts/customvpn/us/openvpn-US.conf
    echo mssfix 1396 >> /jffs/scripts/customvpn/us/openvpn-US.conf
    #echo status /jffs/scripts/status_us >> /jffs/scripts/customvpn/us/openvpn-US.conf

    chmod 700 /jffs/scripts/customvpn/us/openvpn-US.conf

    #tun0 route up script
    echo iptables -A POSTROUTING -t nat -o tun0 -j MASQUERADE > /jffs/scripts/customvpn/uk/route-up-uk.sh

    chmod 700 /jffs/scripts/customvpn/uk/route-up-uk.sh
    #tun0 route down script
    echo iptables -D POSTROUTING -t nat -o tun0 -j MASQUERADE > /jffs/scripts/customvpn/uk/route-down-uk.sh
    chmod 700 /jffs/scripts/customvpn/uk/route-down-uk.sh

    #tun1 route up script
    echo iptables -A POSTROUTING -t nat -o tun1 -j MASQUERADE > /jffs/scripts/customvpn/us/route-up-US.sh
    chmod 700 /jffs/scripts/customvpn/us/route-up-US.sh
    #tun1 route down script
    echo iptables -D POSTROUTING -t nat -o tun1 -j MASQUERADE > /jffs/scripts/customvpn/us/route-down-US.sh
    chmod 700 /jffs/scripts/customvpn/us/route-down-US.sh


    #General Config
    echo <USER> > /jffs/scripts/customvpn/password.txt
    echo <PASS> >> /jffs/scripts/customvpn/password.txt

    chmod 700 /jffs/scripts/customvpn/password.txt

    exit 0

    #############################################

    wan_start:

    #!/bin/sh

    touch /tmp/000phase2wanstarted

    modprobe tun

    #Setup tunnels.
    /usr/bin/killall openvpn

    /usr/sbin/openvpn --config /jffs/scripts/customvpn/uk/openvpn-uk.conf
    sleep 10
    /usr/sbin/openvpn --config /jffs/scripts/customvpn/us/openvpn-US.conf
    sleep 10


    #The tunnels can take a couple seconds to establish. Hold for 5 seconds to allow for this



    # get gateway addresses
    IspGateway=$(ip route list table main | awk '/default/ { print $3}')
    tun0Gateway=$(ip route list table main | awk '/tun0/ { print $1}')
    tun1Gateway=$(ip route list table main | awk '/tun1/ { print $1}')



    # Create fwmark to table bindings
    ip rule add fwmark 1 table main # ISP
    ip rule add fwmark 2 table 2 # Tunnel 0 uk
    ip rule add fwmark 3 table 3 # Tunnel 1 US

    # Create table to tunnel bindings
    ip route add default via $tun0Gateway dev tun0 table 2 #Send out uk Tunnel
    ip route add default via $tun1Gateway dev tun1 table 3 #Send out US Tunnel


    # First it is necessary to disable Reverse Path Filtering on all
    # current and future network interfaces:
    for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
    echo 0 > $i
    done



    # All LAN traffic will bypass the VPNs (Useful to put this rule first, so all traffic bypasses the VPNs and you can # configure exceptions afterwards)
    iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1



    #uk tunnel rules
    # Ports 38666 will go through the uk tunnel
    iptables -t mangle -A PREROUTING -p tcp --dport 38666 -j MARK --set-mark 2
    iptables -t mangle -A PREROUTING -p udp --dport 38666 -j MARK --set-mark 2

    #US Tunnel rules

    # All traffic from Laptop will use US VPN
    iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.248 -j MARK --set-mark 3


    # All traffic from PS3 will use the US VPN
    iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.10 -j MARK --set-mark 3


    # All traffic from Nexus 10 will use the US VPN
    iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.2 -j MARK --set-mark 3



    # All traffic from VOIP will use the WAN
    iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.152 -j MARK --set-mark 1



    exit 0

    ################################################


    Does anyone have a working script? The above just kills everything. If anyone can help, I would be grateful.
     
  2. Log in / Register to remove this ad

Share This Page