l2tp vpn client for only one device


Yes, you are correct, no output from the first command.

After doing the second set of commands, visiting targetdomain.com works for that client IP and "ip -s route show cache 190.18.121.221" now shows a result on one of the IPs.

result
Code:
190.18.121.221 from 192.168.100.100 dev ppp5  src 192.168.100.1  mark 0x1000
    cache <src-direct>  used 510 age 7sec mtu 1400 advmss 1360 hoplimit 64 iif br0
190.18.121.221 via 118.110.111.1 dev eth0  src 118.140.111.101
    cache  used 1 age 425sec mtu 1500 advmss 1460 hoplimit 64

All just as you've said! :D
What happens if you issue:
Code:
for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 0 > $i;done
 
It produces a couple of blank lines when I run it. Is that an issue?

It doesn't display anything, but the command sets the flag in the files to '0'

You can issue the following to see the contents:
Code:
for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo -en $i"=";cat $i;done
i.e. immediately after a boot the flags should be '1'

The flags used to be reset by the OpenVPN 'vpnrouting.sh' script but was removed in the recent firmware, so it could be that is why it works for me.

I'm 100% sure you did (initially) see it working, but something must now be missing if it no longer works.

The RPDB rules simply dictate which routing table to use, so if you can't get the IPSET to be selectively routed via the PPTP VPN, then you would need to add a rule for each of the target IPs
e.g.
Code:
ip rule add to xxx.xxx.xxx.xxx table 99 prio 900x

etc.
 

Thank you so much!

With further testing, I found out that the culprit is the website I am trying to route. The IPs for some of the domains are changing; that's why it doesn't always work.

The best way is to route the whole client through ppp5 but I only need to route it when it connects to that particular domain.

This might be veering off a bit on the topic, but is it possible to run the command "ip rule add from LAN.IP.xxx.xxx table 99 prio 10000" when it satisfies an iptables mangle PREROUTING rule?

And then when it doesn't hit it anymore for a certain period of time, delete the ip rule.

I was thinking the command "iptables --line -t mangle -nvL PREROUTING" could be used. If the packets/bytes don't change anymore after a certain period, then we can delete the ip rule.

Is this feasible? :)
 
With further testing, I found out that the culprit is the website I am trying to route.

The IPs for some of the domains are changing; that's why it doesn't always work.
:rolleyes:...but isn't that why you said you implemented
Code:
4. added this line to dnsmasq.conf.add: ipset=/targetdomain.com/EXAMPLE_BYPASS_V4
5. restarted using service restart_dnsmasq
so dnsmasq always dynamically populates the IPSET with the latest/most current address retrieved from whichever DNS server you are using.
This might be veering off a bit on the topic, but is it possible to run the command "ip rule add from LAN.IP.xxx.xxx table 99 prio 10000" when it satisfies an iptables mangle PREROUTING rule?
And then when it doesn't hit it anymore for a certain period of time, delete the ip rule.

I was thinking the command "iptables --line -t mangle -nvL PREROUTING" could be used. If the packets/bytes don't change anymore after a certain period, then we can delete the ip rule.

Is this feasible?
Yes - although if you are happy to arbitrarily allow access to the domain via the WAN 'sometimes' then I don't see the reasoning i.e. why bother with VPN PPTP Selective domain routing in the first place?:confused:
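A sketch of the counter-polling idea just discussed, as an added example that is not from the thread or from the OP's script: read the exact packet counter of the mangle PREROUTING rule that references the IPSET, keep the previous sample in a small state file, and only print the `ip rule del` once the counter has not moved for a configurable number of polls. The set name EXAMPLE_BYPASS_V4 and table 99 come from the thread; the state-file layout, IDLE_POLLS, the function names and the cron usage are assumptions. An iptables match cannot itself start a command, so this runs from cron; adding the rule in the first place is still the job of the selective-routing script.

```shell
#!/bin/sh
# rpdb_idle_watch.sh (added example, not the thread's script): drop the
# per-device RPDB rule once the mangle PREROUTING rule for the IPSET stops
# counting packets. Intended to be run once a minute from cron/cru.
# Assumptions: the MARK rule names the ipset in its match-set clause, the
# device rule lives in table 99, IDLE_POLLS unchanged samples means idle.

TABLE="${TABLE:-99}"
IDLE_POLLS="${IDLE_POLLS:-5}"

# pkts_for_rule SETNAME OUTPUT: exact packet counter of the first numbered
# rule in `iptables -t mangle -nvxL PREROUTING --line-numbers` whose line
# mentions SETNAME, or nothing. Parses text so it can be checked on captured
# output without touching the firewall.
pkts_for_rule() {
    printf '%s\n' "$2" | awk -v set="$1" '
        $1 ~ /^[0-9]+$/ && index($0, set) { print $2; exit }'
}

# watch_step PKTS STATEFILE: compare PKTS with the previous sample stored in
# STATEFILE ("<pkts> <unchanged_polls>"); print "idle" once the counter has not
# moved for IDLE_POLLS consecutive polls, otherwise "active".
watch_step() {
    pkts="$1"; state="$2"
    if [ -f "$state" ]; then
        read -r prev same < "$state"
        if [ "$pkts" = "$prev" ]; then same=$((same + 1)); else same=0; fi
    else
        same=0                      # first sample: nothing to compare against
    fi
    printf '%s %s\n' "$pkts" "$same" > "$state"
    if [ "$same" -ge "$IDLE_POLLS" ]; then echo idle; else echo active; fi
}

# poll_once IP SETNAME STATEFILE IPTABLES_OUTPUT: one cron tick. Prints the
# `ip rule` command to run, or nothing while the device is still active.
poll_once() {
    pkts=$(pkts_for_rule "$2" "$4")
    if [ -z "$pkts" ]; then
        echo "no PREROUTING rule references $2" >&2
        return 1
    fi
    if [ "$(watch_step "$pkts" "$3")" = "idle" ]; then
        echo "ip rule del from $1 table $TABLE"
    fi
}

# Real use on the router (root), e.g. from cru every minute:
#   poll_once 192.168.1.254 EXAMPLE_BYPASS_V4 /tmp/bypass.state \
#       "$(iptables -t mangle -nvxL PREROUTING --line-numbers)" | sh
```

The `-x` flag matters: without it iptables abbreviates large counters to "12K"/"3M", and two different counts can then compare equal. The state file keeps the script stateless between cron runs; delete it when you re-add the device so the idle count starts from zero.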
 
IKR, my original intention was for this to just work via that domain.
Good note on dnsmasq, I thought it was set just when the service starts.
I'll investigate further on the site. Basically the site is geoblocked and I could only access it via VPN. I am guessing it uses another source/domain for geoblocking and just adding targetdomain.com won't cut it.
 
Thanks a lot for posting the script. This is exactly what I am looking for. I'd like to route only some devices through my L2TP VPN, which is set up on the Router.

Unfortunately, my scripting skills are zero. I have a few questions:

1) Does this script work for L2TP or only for PPTP? Anything I'd need to change to make it work for L2TP?

2) Can I start two L2TP clients on my Router? I'd like to route some devices through a US VPN (L2TP), while some other devices go through a French VPN (L2TP). My VPN provider allows several parallel connections, but it seems that starting two VPN clients on the router creates trouble / conflict.

3) Any chance for a quick "how to". I know how to use putty to ssh into the router. I know how to use nano. And that's about it. No idea how to copy the script, no idea how to execute it. And most importantly, no idea how to make the edits to match my setup.


I read this thread several times, but not clear whether the comments are referring to the same, recently updated script?

Thanks again for your help!!!
 
I got the script working, so questions #1 and #3 are answered. It works with L2TP and is just a simple copy & paste.

#2 is still not clear. Is it possible to run two instances of the L2TP client at the same time? One with a US IP and one with a French IP? And then route some devices through one and others through the other. Doesn't seem possible?

Also, I realized another issue. How to remove a device from the VPN, which I had routed via the script? I tried running the script again without this device IP, but the device stayed routed through the VPN. Also starting and stopping didn't help. The only thing that worked was to restart the router.

Any thoughts and help are appreciated!
 
You need to delete the device rule from the RPDB table.

Use the following to list the active RPDB rules
Code:
ip rule
then issue the delete command
Code:
ip rule del from xxx.xxx.xxx.xxx table 99
 
Excellent. Thanks so much. This was easy!!!

Any idea whether there is any way to run two L2TP clients at the same time? It does work for openvpn, but doesn't seem to be possible for L2TP?
 
The GUI only supports the creation of one L2TP/PPTP interface (ppp5), but technically there is nothing to prevent you from creating your required second concurrent L2TP/PPTP interface.

I recall I posted 'UP_PPTP.sh' years ago which shows how to initiate the appropriate L2TP/PPTP interface from a script, but given the compromised security of the PPTP protocol, it is much safer to use OpenVPN, so I would recommend you try and migrate to OpenVPN.
 
You need to delete the device rule from the RPDB table.

Use the following to list the active RPDB rules
Code:
ip rule
then issue the delete command
Code:
ip rule del xxx.xxx.xxx.xxx table 99

Actually, just tried and didn't work? Getting the error message below:

Error: argument "192.168.11.147" is wrong: Failed to parse rule type
 

I actually had openvpn working. Unfortunately, it is blocked in my geography, so I cannot get it working. It would make everything so much easier as it allows everything that I'd like to do.

I am reading a lot about shadowsocks being the holy grail that is working these days, but haven't found anything how to actually get this to work...
 
Apologies, corrected missing parameter in OP...try
Code:
ip rule del from xxx.xxx.xxx.xxx table 99
 
Has something changed that would prevent the script in the OP from working any more?

I put it in /jffs/scripts and ran it like so:
Code:
./PPTP_Select.sh "192.168.1.254"

This was the output:
Code:
(PPTP_Select.sh): 5416 v1.01 PPTP/L2TP Client Selective routing starting..... ./ PPTP_Select.sh 192.168.1.254
(PPTP_Select.sh): 5416 CMD: ip route delete default via 192.168.5.1 dev ppp5
(PPTP_Select.sh): 5416 CMD: route -n add -net 192.168.5.0 netmask 255.255.255.0 ppp5
(PPTP_Select.sh): 5416 CMD: ip route add default dev ppp5 table 99
(PPTP_Select.sh): 5416 LAN device (192.168.1.254) forced via PPTP/L2TP 192.168.5 .1 (ppp5)
(PPTP_Select.sh): 5416 PPTP/L2TP Client Selective routing complete.

ip rule looked like this after the script ran:
Code:
0: from all lookup local
9000: from 192.168.1.254 lookup 99
32766: from all lookup main
32767: from all lookup default


But nothing changed. All of my devices are still going through the VPN. I only want the IP I specified to use the VPN. Is there something else I need to do?
 
Are the PPTP special override default rules still enforced?

e.g.
Code:
ip route | grep -E "^0\.|^128\."

0.0.0.0/1 via xxx.xxx.xxx.xxx dev ppp5 
128.0.0.0/1 via xxx.xxx.xxx.xxx dev ppp5
 

After I activate the PPTP VPN and run the PPTP_Select script, the output of that command looks like this:

0.0.0.0/1 via 192.168.5.1 dev ppp5
128.0.0.0/1 via 192.168.5.1 dev ppp5

Before I run the script, there is no output of that command.
 
Try the following commands

Code:
ip route del 0.0.0.0/1

ip route del 128.0.0.0/1
to delete the rules; now only the rule to selectively route 192.168.1.254 via the PPTP dev ppp5 interface should remain
Code:
ip rule

ip route show table 99

ip route | grep -E "^0\.|^128\."
 

You're a lifesaver, man. That worked.

So, to be clear, I have to turn on the VPN, run the script, and also run:

Code:
ip route del 0.0.0.0/1

ip route del 128.0.0.0/1

Is there any way to get this to happen automatically when I turn on the VPN?
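The manual sequence worked out in this thread (ip rule add from <IP> table 99, deleting the 0.0.0.0/1 and 128.0.0.0/1 override routes the client installs, and ip rule del to take a device back out) collected into one script that can be re-run safely. This is an added example and not the PPTP_Select.sh from the OP; the interface ppp5, table 99 and priority 9000 are the values visible in the output posted above, while the DRY_RUN switch, the helper names and the plan-then-apply layout are my own assumptions. It inspects the text of `ip rule` and `ip route` before acting, so running it twice neither duplicates the RPDB rule nor errors on an override route that is already gone.

```shell
#!/bin/sh
# ppp5_select.sh (added example; not the thread's PPTP_Select.sh):
#   ./ppp5_select.sh add 192.168.1.254   # only this LAN IP goes out via ppp5
#   ./ppp5_select.sh del 192.168.1.254   # send it back out via the WAN
# Assumptions: defaults below, busybox ip/awk/grep on the router.
# DRY_RUN=1 prints each command instead of running it.

IFACE="${IFACE:-ppp5}"   # PPTP/L2TP client interface
TABLE="${TABLE:-99}"     # routing table that holds "default dev ppp5"
PRIO="${PRIO:-9000}"     # RPDB priority used for the per-device rules

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then printf 'CMD: %s\n' "$*"; else "$@"; fi
}

# Accept only a plain dotted quad so nothing else can reach "ip rule".
valid_ip4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# rule_prio_for IP RULES: priority of the `ip rule` line "from IP lookup $TABLE",
# or nothing. Takes the text of `ip rule` so it can be checked on captured output.
rule_prio_for() {
    printf '%s\n' "$2" | awk -v ip="$1" -v tbl="$TABLE" '
        $2 == "from" && $3 == ip && $4 == "lookup" && $5 == tbl {
            sub(/:$/, "", $1); print $1; exit }'
}

# override_routes ROUTES: the 0.0.0.0/1 and 128.0.0.0/1 routes via $IFACE that
# the client adds to pull *all* traffic into the tunnel, one per line.
override_routes() {
    printf '%s\n' "$1" | awk -v dev="$IFACE" '
        $1 == "0.0.0.0/1" || $1 == "128.0.0.0/1" {
            for (i = 1; i < NF; i++) if ($i == "dev" && $(i + 1) == dev) print $1 }'
}

# plan_add IP RULES ROUTES: the commands (one per line) that make IP use the
# tunnel and remove the override routes, skipping anything already in place.
plan_add() {
    [ -n "$(rule_prio_for "$1" "$2")" ] \
        || echo "ip rule add from $1 table $TABLE prio $PRIO"
    for r in $(override_routes "$3"); do echo "ip route del $r"; done
}

# plan_del IP RULES: the delete for the device rule, if there is one.
plan_del() {
    prio=$(rule_prio_for "$1" "$2")
    [ -z "$prio" ] || echo "ip rule del from $1 table $TABLE prio $prio"
}

# apply_plan: run each planned line (word-split on purpose; args have no spaces).
apply_plan() {
    while IFS= read -r cmd; do
        if [ -n "$cmd" ]; then run $cmd; fi
    done
}

main() {
    valid_ip4 "$2" || { echo "usage: $0 add|del LAN_IP" >&2; exit 1; }
    case "$1" in
        add) ip route show table "$TABLE" | grep -q "^default dev $IFACE" \
                 || run ip route add default dev "$IFACE" table "$TABLE"
             plan_add "$2" "$(ip rule)" "$(ip route)" | apply_plan ;;
        del) plan_del "$2" "$(ip rule)" | apply_plan ;;
        *)   echo "usage: $0 add|del LAN_IP" >&2; exit 1 ;;
    esac
    run ip route flush cache    # drop stale cache entries like the one shown earlier
}

if [ $# -gt 0 ]; then main "$@"; fi
```

Splitting the work into a planning step that only reads text and an apply step that runs commands is what makes the script safe to repeat and easy to check: `DRY_RUN=1 ./ppp5_select.sh add 192.168.1.254` shows exactly which rules and routes would change before anything is touched.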
 
Or conversely, is there a way to turn on the VPN using a script? Then I could just setup a one-click way to do everything.

I know I'm being greedy at this point. :p
 
