OpenVPN Client - Routing Certain IP Addresses Only

reach4thelasers

I've got the Merlin OpenVPN client up and running with my VPN Service EarthVPN. All traffic is being routed via the VPN.

However I want to restrict using the VPN Connection to Certain IP Addresses.

I've tried disabling "Redirect Internet Traffic" and then adding the following to my Custom Configuration:
route-nopull
route 124.248.205.21 255.255.255.0

But it does not have the desired effect. Can I achieve what I want to do, and if so how?
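The route line in the post above pairs a single host address with a /24 netmask, so it does not say which of the two things was meant: the one host, or the whole block. As an added example (not from the thread), this POSIX shell helper derives the network address implied by an IP/netmask pair and emits the OpenVPN route directive for either the block or the single host.

```shell
#!/bin/sh
# Added example, not from the thread: sanity-check an OpenVPN "route" line.
# ovpn_route <ip> <netmask> prints "route <network> <netmask>", rewriting
# a host address to the network address implied by the mask.

# ip_to_int 124.248.205.21 -> dotted quad as a single integer
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# int_to_ip <integer> -> dotted quad
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# network_of <ip> <mask> -> the network address the mask selects
network_of() {
    int_to_ip $(( $(ip_to_int "$1") & $(ip_to_int "$2") ))
}

# ovpn_route <ip> <mask>: prints the directive with host bits cleared and
# warns on stderr when the given address was not a network address.
ovpn_route() {
    net=$(network_of "$1" "$2")
    if [ "$net" != "$1" ]; then
        echo "# note: $1/$2 has host bits set; this routes the block $net" >&2
    fi
    echo "route $net $2"
}

# host_route <ip>: a /32 route, which is what "only this IP" means.
host_route() {
    echo "route $1 255.255.255.255"
}

# Run with the addresses from the post above:
ovpn_route 124.248.205.21 255.255.255.0
host_route 124.248.205.21
```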
 
These guides seem to enable you to route all traffic from a certain device either into the VPN-tunnel or to your normal ISP gateway. That's all fine, but would it not be even better if it was possible to route all traffic going TO a certain IP-address (or even domain) through the VPN-tunnel and leave all others through the normal ISP gateway? In this way, you could have traffic sent to, say Netflix or Hulu, go through the VPN-tunnel (with its exit in the US), but all other traffic would be unaffected. Thus you would be able to enjoy for instance US geo-blocked content on ALL your clients.

Does anyone know if this is possible to achieve with Merlin?
 
Yes that was my objective too and I succeeded.
You can find the results of my quest here:
http://www.snbforums.com/threads/se...opening-ports-with-openvpn.23225/#post-172273
 
These guides seem to enable you to route all traffic from a certain device either into the VPN-tunnel or to your normal ISP gateway. That's all fine, but would it not be even better if it was possible to route all traffic going TO a certain IP-address (or even domain) through the VPN-tunnel and leave all others through the normal ISP gateway? In this way, you could have traffic sent to, say Netflix or Hulu, go through the VPN-tunnel (with its exit in the US), but all other traffic would be unaffected. Thus you would be able to enjoy for instance US geo-blocked content on ALL your clients.

Does anyone know if this is possible to achieve with Merlin?

I don't think it is possible. Netflix, Hulu etc. are using a lot of different servers and IPs, so you would need to have a whole list of their IPs. It would be better to route domains instead of IPs but I don't think it is possible either.
 
Merlin, has my manual configuration become obsolete with your latest firmware?
 
And what was your manual configuration doing?
 
Merlin, has my manual configuration become obsolete with your latest firmware?

Not entirely... your post #5 shows that you require port (GMAIL?) selective routing, so that will still need to be performed manually, although on ARM routers you need to ensure that the fwmark tagging isn't trashed when the DPI engine refresh runs.

But for specific devices or CIDR subnets simply use the GUI or use a script to update the NVRAM variable then schedule the disruptive refresh when convenient, or set the appropriate variables, before manually calling RMerlin's script with the appropriate arg! ;)
 
Oops, my bad. I thought I was replying in the thread I started on selective routing:
http://www.snbforums.com/threads/se...opening-ports-with-openvpn.23225/#post-172273
I don't want to hijack this thread (perhaps a mod can cut and paste?) but a short reply back on Martineau's post:
Would only that single line in the firewall-start script (iptables -I FORWARD ! -o tun11 -s 192.168.0.103 -p tcp ! --dport 587 -j DROP) be enough?
 
You could create an exception rule with the destination being the SMTP server's IP.
 
Perhaps... but the OP's intention is to block ALL traffic via the WAN except for certain ports:

Code:
iptables -I FORWARD ! -o tun11 -s 192.168.0.103 -p tcp -m multiport ! --dports 80,443,587 -j DROP

So clearly, whilst a complete and 100% comprehensive list of ALL GMAIL SMTP servers could potentially be identified/defined, it will not completely satisfy the intended/expected requirement and could not be guaranteed?

i.e. How will an exception rule to the whole of the Internet be viable to match the selective port routing for 80/443! :p:D:)
 
Am I correct that 'Virtual Server / Port Forwarding' settings do not apply to traffic over VPN (those specified in the policy rules in 'OpenVPN Clients')?
 
That's correct. The following is the pattern you'd use to forward traffic from the TUN device to a LAN device. Change the LAN IP address, TUN device, and the forwarded port as necessary.

Code:
iptables -I FORWARD -i tun11 -p udp -d 192.168.2.42 --dport 49749 -j ACCEPT

iptables -I FORWARD -i tun11 -p tcp -d 192.168.2.42 --dport 49749 -j ACCEPT

iptables -t nat -I PREROUTING -i tun11 -p tcp --dport 49749 -j DNAT --to-destination 192.168.2.42

iptables -t nat -I PREROUTING -i tun11 -p udp --dport 49749 -j DNAT --to-destination 192.168.2.42
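Both the port-restriction rule from Martineau's post and the tun11 port-forward pattern above are meant to live in firewall-start, which Merlin re-runs on every firewall restart. As an added example (not from the thread), this script applies both rule sets idempotently by probing with iptables -C before inserting; the dry_run stand-in and the IPT variable are assumptions of the example, and the addresses are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: apply the iptables rules discussed
# above from Merlin's firewall-start script without stacking duplicates.
# firewall-start runs again on every firewall restart, so a bare "iptables -I"
# inserts the same rule once per run; add_once probes with -C first.
# Run with IPT=iptables on the router; the default dry_run only prints.

dry_run() { [ "$3" = -C ] && return 1; echo "iptables $*"; }
IPT=${IPT:-dry_run}

# add_once <table> <chain> <rule...>: insert the rule only if it is absent.
add_once() {
    tbl=$1; chain=$2; shift 2
    if $IPT -t "$tbl" -C "$chain" "$@" 2>/dev/null; then
        return 0                       # rule already in place
    fi
    $IPT -t "$tbl" -I "$chain" "$@"
}

# Keep 192.168.0.103 off any path that is not tun11, except TCP 80/443/587.
# multiport needs an explicit -p tcp, which the quoted rule omitted.
restrict_host_to_tunnel() {
    add_once filter FORWARD ! -o tun11 -s 192.168.0.103 -p tcp \
        -m multiport ! --dports 80,443,587 -j DROP
}

# DNAT and accept TCP+UDP port 49749 arriving on tun11 to 192.168.2.42,
# the pattern from the last post, for both protocols in one loop.
forward_from_tunnel() {
    for proto in tcp udp; do
        add_once nat PREROUTING -i tun11 -p "$proto" --dport 49749 \
            -j DNAT --to-destination 192.168.2.42
        add_once filter FORWARD -i tun11 -p "$proto" -d 192.168.2.42 \
            --dport 49749 -j ACCEPT
    done
}

restrict_host_to_tunnel
forward_from_tunnel
```

Running it twice on the router leaves exactly one copy of each rule, which a plain sequence of iptables -I lines in firewall-start does not.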
 