L2TP Client Internet Routing

Herlix

Hi!

I'm new here and I have just installed the Asuswrt-Merlin 738.50 on my RT-AC56U.

My "problem": I am connected to an L2TP VPN setup and the client is connected. My problem is that I don't want to route all traffic through the VPN, I'd like to use it as a second network. (The option was there on my previous router, rt-n56u.) There's no built-in option to choose this at the client part within the router.

Is there a pain-free way to do this?

// Alex
 
I had a quick look and I was able to adapt my OpenVPN Selective routing script to create a PPTP/L2TP compatible one.

#!/bin/sh

# (Credit to SmallNetBuilder members dpjanda and drsebestyen)

MY_VPNTAB=99 # Now read from /jffs/configs/VPNSelect
TAG_MARK=3 # Now read from /jffs/configs/VPNSelect

# Use 'ppp5' as the default device interface unless passed as arg
if [ "X$1" = "X" ];then
    dev="ppp5"
else
    dev=$1
fi
PPTP_ID=`echo $dev | tr '[a-z]' '[A-Z]'`

# Extract the P-t-P address unlike OpenVPN where we use the provided local VPN address!
# ppp5 inet addr:10.200.25.2 P-t-P:10.200.24.1 Mask:255.255.255.255
PPTP_IP=$(ifconfig $dev | grep 'P-t-P:' | awk '{ print $3}' | cut -d: -f2 | awk '{ print $1}')

# Create new table to route VPN traffic when tagged with MARK. (Credit to SmallNetBuilder member DJR747)
# or to be associated with a WiFi Guest SSID.
ip route flush table $MY_VPNTAB
ip rule del fwmark $TAG_MARK
ip rule del table $MY_VPNTAB

ip route flush cache
iptables -t mangle -F PREROUTING

# Disable Reverse Path Filtering on current VPN network interface:
echo 0 > /proc/sys/net/ipv4/conf/$dev/rp_filter

# Unlike OpenVPN we can't specify route-nopull so do it manually...after the event
ip route delete default via $PPTP_IP dev $dev
PPTP_subnet=`echo $PPTP_IP | awk 'BEGIN { FS = "." } {print $1"."$2"."$3}'`
route -n add -net $PPTP_subnet".0" netmask 255.255.255.0 $dev

# Unlike Openvpn we do not specify an address in the table defined for selective PPTP routing
ip route add default dev $dev table $MY_VPNTAB
ip rule add fwmark $TAG_MARK table $MY_VPNTAB

# Route a device via the PPTP/L2TP VPN
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range xxx.xxx.xxx.xxx -j MARK --set-mark $TAG_MARK

Unlike OpenVPN, it is difficult (without breaking the GUI status panel?) to automatically run this script when the L2TP client makes a successful connection.

However, as a test:

1. Manually start the L2TP client.
   All traffic is routed via the L2TP VPN.
2. Verify that the L2TP interface is 'ppp5'.
3. Run this Selective routing PPTP/L2TP script (pass the real L2TP interface as an arg if it is not 'ppp5').
   All traffic goes via the WAN except the device tagged with fwmark 3.


Regards,
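
The outcome of step 3 in the test above can be confirmed from the routing state instead of by watching traffic. The following is an added example, not part of the original post: it checks the main table, the VPN table, the fwmark rule, the mangle rule and rp_filter that the script sets. It assumes table 99 and mark 3 as in the script and that `ip` and `iptables -S` exist on the firmware; the function names and sample captures are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Names and sample data are hypothetical.
VPN_TABLE=99   # MY_VPNTAB in the script
MARK_HEX=0x3   # TAG_MARK=3 as ip and iptables print it

# Each check reads command output on stdin, so it also works on saved captures.
main_default_off_vpn() {   # stdin: ip route show; $1: tunnel interface
    ! grep -Eq -e "^default .*dev $1( |\$)"
}
vpn_table_has_default() {  # stdin: ip route show table 99; $1: tunnel interface
    grep -Eq -e "^default .*dev $1( |\$)"
}
fwmark_rule_present() {    # stdin: ip rule show
    grep -Eq -e "fwmark $MARK_HEX(/0x[0-9a-f]+)? lookup $VPN_TABLE( |\$)"
}
mark_rule_present() {      # stdin: iptables -t mangle -S PREROUTING
    grep -Eq -e "-i br0 .*-j MARK --set-x?mark $MARK_HEX(/0x[0-9a-f]+)?( |\$)"
}

# Run all checks on the router itself; prints one line per failed check.
check_live() {             # $1: tunnel interface (default ppp5)
    dev=${1:-ppp5}; rc=0
    ip route show | main_default_off_vpn "$dev" ||
        { echo "FAIL: main default route still leaves via $dev"; rc=1; }
    ip route show table "$VPN_TABLE" | vpn_table_has_default "$dev" ||
        { echo "FAIL: table $VPN_TABLE has no default route via $dev"; rc=1; }
    ip rule show | fwmark_rule_present ||
        { echo "FAIL: no 'fwmark $MARK_HEX lookup $VPN_TABLE' rule"; rc=1; }
    iptables -t mangle -S PREROUTING | mark_rule_present ||
        { echo "FAIL: no PREROUTING rule marks br0 traffic with $MARK_HEX"; rc=1; }
    [ "$(cat "/proc/sys/net/ipv4/conf/$dev/rp_filter" 2>/dev/null)" = 0 ] ||
        { echo "FAIL: rp_filter is not 0 on $dev"; rc=1; }
    return $rc
}

# Constructed captures: state just after the L2TP client connects, before the
# selective-routing script runs (default route still points into the tunnel).
SAMPLE_MAIN_BEFORE='default via 10.200.24.1 dev ppp5
192.168.1.0/24 dev br0  proto kernel  scope link  src 192.168.1.1'
SAMPLE_RULES_BEFORE='0: from all lookup local
32766: from all lookup main
32767: from all lookup default'
# Constructed captures: state the script is expected to leave behind.
SAMPLE_TABLE_AFTER='default dev ppp5  scope link'
SAMPLE_RULES_AFTER='32765: from all fwmark 0x3 lookup 99'
SAMPLE_MANGLE_AFTER='-A PREROUTING -i br0 -m iprange --src-range 192.168.1.50-192.168.1.50 -j MARK --set-xmark 0x3/0xffffffff'
```

On the router, source the file and run `check_live ppp5` after the script; no output and exit status 0 means every piece is in place.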
 
Hi!

Thanks for the answer.

So I am supposed to run the script and see if it works. I'm kind of new with scripts too!

How do I use them and create a new one? I've enabled the JFFS map in admin, but now what?

// Alex
 
RTFM,

https://github.com/RMerl/asuswrt-merlin/wiki

and if you are not comfortable using unix command line editors such as vi/nano via SSH/TELNET, then from Windows, install WinSCP to set up an SCP (not SFTP) connection to the router for cut'n'paste editing of the script.

Regards,
 
Thanks!

I've learned a bit and worked around with the Entware-arm version. I've used the script you gave but it did not seem to work.

As of this I'm not able to be connected with the router, I'll have to connect with each unit separately. OpenVPN should be the choice of use since all of the routers have got it installed. Though I've never seemed to get it working.

I have not found any guide on strongSwan either; it could be nice to have my phone attached to a more secure connection.

// Alex
 
