OpenVPN Client by policy rules help

BeachBum

Regular Contributor
I am running Merlin 380.57 and have the Open VPN Client connected and running. I want to set it up so that only certain devices on my network are running through the VPN, not everything on the network.

I get the Source IP, but what is the "Destination IP" field for in the rules list?
 
Please see the firmware's documentation. There's a section in the README explaining the fields and giving various examples.
 
Ah, I see it now. Thanks, I'll give it a shot and see how it goes...
 
I route all traffic and then add exceptions with the following rules:

Description Source IP Destination IP Iface
all 192.168.1.1/24 0.0.0.0 VPN
games1 192.168.1.180 0.0.0.0 WAN
games2 192.168.1.181 0.0.0.0 WAN
appletv 192.168.1.182 0.0.0.0 WAN

You can see there I've specified games1, games2 and appletv to use WAN (bypass the VPN).
However I would love to know if there's a way to specify an address range in one line.

For example above, how I would specify all addresses in range 192.168.1.180-192.168.1.190 to go through WAN, instead of needing to specify them individually? Perhaps not possible?
 
Not possible, unless you were subnetting. The IP must be entered in CIDR format if you want to specify a range.
 
Whilst the GUI doesn't allow it, technically you can use a script.
NOTE: RMerlin does not advocate the use of fwmarks (although both ASUS and RMerlin's code use them :p)

Code:
#!/bin/sh
# Send a contiguous LAN address range out via the WAN (bypassing the VPN client)
# by marking its packets and routing marked traffic through the WAN table.

# Disable reverse-path filtering on all interfaces so the kernel does not drop
# replies that arrive on a different interface from the one the policy route chose
for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
  echo 0 > "$i"
done

TAG_MARK=128
RPDB_TABLE=254          # 254=WAN,11x=VPNx  (NOTE: 380.58+ will allow 100=wan0,111=ovpnc1,112=ovpnc2 etc.)

IP_RANGE="192.168.1.180-192.168.1.190"

# Policy-routing rule: packets carrying TAG_MARK are looked up in RPDB_TABLE
ip rule add fwmark "$TAG_MARK" lookup "$RPDB_TABLE" prio 999
ip route flush cache

# Mark LAN packets whose source address falls inside IP_RANGE before the routing decision
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range "$IP_RANGE" -j MARK --set-mark "$TAG_MARK"

although the RPDB rule will not be visible in the GUI! ...however, you can always create a 'dummy' entry via the GUI to 'remind' you to check the external script! ;)
 
Or, you can use a range to CIDR calculator :)
http://www.ipaddressguide.com/cidr

IP Range to CIDR
This tool converts IP range to CIDR.

CIDR, 192.168.1.180-192.168.1.190:
192.168.1.180/30
192.168.1.184/30
192.168.1.188/31
192.168.1.190/32
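The calculator output above can be reproduced offline with the standard range-to-CIDR algorithm: starting at the first address, repeatedly take the largest block that is aligned to the current address and does not run past the end of the range. The script below is an added example, not code posted in the thread or shipped with the firmware; it is plain POSIX sh (no bash-isms) so it also runs under the router's busybox shell, and the `rules_for_range` helper that prints GUI-style rule lines (Description, Source IP, Destination IP, Iface) is my own convenience wrapper, not a firmware feature.

```shell
#!/bin/sh
# Added example: split an inclusive IPv4 range into the minimal list of CIDR blocks
# (the same computation as the online range-to-CIDR calculator), then print one
# policy-routing rule line per block in the Description/Source/Destination/Iface
# layout used in the thread.

# Dotted quad -> unsigned 32-bit integer (shell arithmetic is 64-bit in busybox ash, dash and bash)
ip2int() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Integer -> dotted quad
int2ip() {
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# range_to_cidr FIRST LAST : print the minimal covering set of CIDR blocks, one per line
range_to_cidr() {
  start=$(ip2int "$1")
  end=$(ip2int "$2")
  while [ "$start" -le "$end" ]; do
    prefix=32
    # Widen the block (shorter prefix) while it stays aligned to start
    # and its last address does not exceed end
    while [ "$prefix" -gt 0 ]; do
      size=$(( 1 << (33 - prefix) ))          # size of the block one prefix shorter
      if [ $(( start % size )) -ne 0 ] || [ $(( start + size - 1 )) -gt "$end" ]; then
        break
      fi
      prefix=$(( prefix - 1 ))
    done
    echo "$(int2ip "$start")/$prefix"
    start=$(( start + (1 << (32 - prefix)) ))
  done
}

# rules_for_range DESC FIRST LAST IFACE : one GUI-style rule line per CIDR block.
# Destination 0.0.0.0 means "any destination", as in the rules quoted in the thread.
rules_for_range() {
  n=1
  for cidr in $(range_to_cidr "$2" "$3"); do
    echo "$1$n $cidr 0.0.0.0 $4"
    n=$(( n + 1 ))
  done
}

# Constructed sample input: the range asked about in the thread
rules_for_range games 192.168.1.180 192.168.1.190 WAN
```

Running it prints four lines (`games1 192.168.1.180/30 0.0.0.0 WAN` through `games4 192.168.1.190/32 0.0.0.0 WAN`), which is the smallest number of GUI entries that cover exactly .180 to .190 without accidentally bypassing the VPN for .176 to .179 or .191, as a single wider /28 would.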
 
I route all traffic and then add exceptions with the following rules:

Description Source IP Destination IP Iface
all 192.168.1.1/24 0.0.0.0 VPN
games1 192.168.1.180 0.0.0.0 WAN
games2 192.168.1.181 0.0.0.0 WAN
appletv 192.168.1.182 0.0.0.0 WAN...

This is a better way to do it actually, I've set it up like this and so far it seems to be running well.
 