OpenVPN policy routing guide?


sortadan

In the latest update we got:

"NEW: OpenVPN policy routing. You can select client IPs or destination IPs which you want to route through your VPN tunnel. You can enter a single IP (192.168.0.1) or a whole subnet in CIDR format (for example 74.125.226.112/30). You can optionally block WAN access to these as well when the tunnel goes down."

Thanks Merlin et al!

Sounds awesome, has anyone seen a blog post or a how-to on this yet? A quick Google search yields a bunch of stuff related to DD-WRT, but nothing on how to set this up on Asuswrt; is it much the same?
 

Documentation is in the included README.
 
Thanks!

The key is "OpenVPN Client" -> "Redirect Internet traffic" -> "Policy Rules"
then a From and To map will show up where I specify CIDR routing rules.

For future reference https://github.com/RMerl/asuswrt-merlin/commit/081bf5b59d01df208c11013b2998acaa0bed94ab :

OpenVPN client policy routing
-----------------------------
When configuring your router to act as an OpenVPN client (for instance
to connect your whole LAN to an OpenVPN tunnel provider), you can
define policies that determine which clients, or which destinations
should be routed through the tunnel, rather than having all of your
traffic automatically routed through it.

On the OpenVPN Clients page, set "Redirect Internet traffic" to
"Policy Rules". A new section will appear below, where you can
add routing rules. The "Source IP" is your local client, while
"Destination" is the remote server on the Internet. The field can be
left empty (or set to 0.0.0.0) to signify "any IP". You can also
specify a whole subnet, in CIDR notation (for example, 74.125.226.112/30).

For example, to have all your clients use the VPN tunnel when trying to
access an IP from this block that belongs to Google:

RouteGoogle 0.0.0.0 74.125.0.0/16

Another setting exposed when enabling Policy routing is to prevent your
routed clients from accessing the Internet if the VPN tunnel goes down.
To do so, enable "Block routed clients if tunnel goes down". Note that
this setting only works if your OpenVPN client did establish a tunnel,
and that this tunnel went down for some reason.
 
Can I confirm this, e.g. does the order matter?

Example: I want all traffic to go through the VPN (for all PCs and devices on my LAN) except for traffic to Blizzard's servers.

Is line 1 correct, or should it be added to the end?

ROUTEexception 0.0.0.0 0.0.0.0 VPN
routeblizzard1 0.0.0.0 5.42.160.0/20 WAN
routeblizzard2 0.0.0.0 5.42.176.0/32 WAN
routeblizzard3 0.0.0.0 5.42.176.0/20 WAN
routeblizzard4 0.0.0.0 5.42.192.0/32 WAN
routeblizzard5 0.0.0.0 185.60.112.0/23 WAN
routeblizzard6 0.0.0.0 185.60.114.0/32 WAN
routeblizzard7 0.0.0.0 185.60.114.0/23 WAN
routeblizzard8 0.0.0.0 185.60.116.0/32 WAN
routeblizzard9 0.0.0.0 12.129.222.0/23 WAN
routeblizzard10 0.0.0.0 12.129.224.0/32 WAN
routeblizzard11 0.0.0.0 12.129.254.0/23 WAN
routeblizzard12 0.0.0.0 12.130.0.0/32 WAN
routeblizzard13 0.0.0.0 12.130.244.0/22 WAN
routeblizzard14 0.0.0.0 12.130.248.0/32 WAN
routeblizzard15 0.0.0.0 199.108.32.0/20 WAN
routeblizzard16 0.0.0.0 199.108.48.0/32 WAN
routeblizzard17 0.0.0.0 199.108.48.0/20 WAN
routeblizzard18 0.0.0.0 199.108.64.0/32 WAN
routeblizzard19 0.0.0.0 12.0.0.0/8 WAN
routeblizzard20 0.0.0.0 103.4.114.0/23 WAN
 

The WAN vs VPN order in the GUI doesn't matter... RMerlin will add (prioritise) the WAN rules first (in the order that they are defined, so ensure that the rules are in the correct order for the WAN routing, i.e. generic rules last!), then similarly for the selective VPN rules, since this is the way that the feature was originally designed. (Normally everything goes via the WAN unless specified to use the VPN!)

If you issue

Code:
ip rule


then you should be able to see the order in which the rules fire, and you don't want to see the 'ALL via table 111' (aka VPN) at the top - which will only be the case if there are no WAN rules!
 
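The ordering described above (every WAN rule evaluated ahead of every VPN rule, generic rules last within each group) can be checked without touching a router. The script below is an added example, not Asuswrt-Merlin's own code: it reads rules in the GUI's "Name Source Destination Interface" form, rejects any address whose prefix length is outside 0-32 or whose octets are out of range, and prints the equivalent ip rule commands in the order the RPDB would consult them. The choice of the main table for WAN, table 111 for VPN client 1, and the priority bases 10000/10100 are assumptions made for the illustration; the numbers on a real router may differ.

```shell
#!/bin/sh
# Added example (not Asuswrt-Merlin's own code): translate policy-routing rules of the
# form "Name Source Destination Iface" into the 'ip rule' commands the RPDB would hold.
# Assumptions for this illustration: WAN = main table, VPN client 1 = table 111,
# WAN rules get priorities from 10001 up and VPN rules from 10101 up, so every WAN
# rule is evaluated before any VPN rule whatever the order in the GUI.
WAN_TABLE=main
VPN_TABLE=111
WAN_PRIO_BASE=10000
VPN_PRIO_BASE=10100

# valid_cidr ADDR[/PREFIX]: true for a dotted quad with an optional prefix length 0-32.
valid_cidr() {
    ip=${1%%/*}
    case $1 in */*) prefix=${1#*/} ;; *) prefix=32 ;; esac
    case $prefix in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# selector from|to ADDR: prints nothing for "any" (0.0.0.0), otherwise " from X" / " to Y".
selector() {
    case $2 in ''|0.0.0.0|0.0.0.0/0) ;; *) printf ' %s %s' "$1" "$2" ;; esac
}

# policy_to_rpdb: reads rules on stdin, writes ip rule commands on stdout.
# Two passes over the same input: first everything marked WAN, then everything marked
# VPN, each pass keeping the GUI's own order (so put generic rules last within a pass).
policy_to_rpdb() {
    rules=$(cat)
    for want in WAN VPN; do
        if [ "$want" = WAN ]; then table=$WAN_TABLE; prio=$WAN_PRIO_BASE
        else table=$VPN_TABLE; prio=$VPN_PRIO_BASE; fi
        printf '%s\n' "$rules" | while read -r name src dst iface; do
            [ -n "$name" ] || continue
            [ "$iface" = "$want" ] || continue
            if ! valid_cidr "$src" || ! valid_cidr "$dst"; then
                echo "skipping $name: '$src' or '$dst' is not a valid address/prefix" >&2
                continue
            fi
            prio=$((prio + 1))
            printf 'ip rule add%s%s table %s prio %s\n' \
                "$(selector from "$src")" "$(selector to "$dst")" "$table" "$prio"
        done
    done
}

# Demo on constructed rules (the Router/Home-Lan pair from this thread plus one bad line):
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' \
        'Home-Lan 192.168.1.0/24  0.0.0.0 VPN' \
        'Router   192.168.1.1     0.0.0.0 WAN' \
        'Bad      192.168.1.2/254 0.0.0.0 VPN' | policy_to_rpdb
fi
```

Run it with --demo and compare the printed list with the output of ip rule on the router: if a "from all lookup 111" line comes out ahead of the WAN entries, the generic VPN rule is sitting where the WAN exceptions can never match, which is the situation warned about above.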
ROUTEexception 0.0.0.0 0.0.0.0 VPN

Apparently this rule does not work.

(i.e. I can't have a route-all-to-VPN except traffic going to Blizzard.)

I have to do
192.168.1.2 0.0.0.0 VPN
192.168.1.3 0.0.0.0 VPN
192.168.1.4 0.0.0.0 VPN
192.168.1.5 0.0.0.0 VPN
...
192.168.1.100 0.0.0.0 VPN

if I want that to happen.

---
I also tried 192.168.1.0/24 0.0.0.0 VPN
 

That rule will work, but you also need an exception rule with your router's IP, forcing it to go through the ISP.
 
This is a great feature, thanks Merlin!

However, is there any way to include port-based rules in the selective routing? i.e. I'd like to route BitTorrent traffic over the VPN, or Usenet traffic over the WAN.

Is this the only way to achieve this at the moment?
https://github.com/RMerl/asuswrt-merlin/wiki/How-to-Direct-Traffic-over-VPN-and-Drop-connections-if-VPN-goes-down


Yes, you will still need to use the fwmark tagging technique.

Set up RPDB rules for tagging:

Code:
ip rule add fwmark 1 table  111 prio 30001
ip rule add fwmark 2 table  112 prio 30002
ip rule add fwmark 3 table main prio 30003
ip route flush cache

Then simply add your various selective PORT routing rules with the appropriate tags.

e.g. Port 80 will be via the WAN, Ports 9001:9005 will be via VPN Client2, and Port 8001 will be via VPN Client1

Code:
# marks map to the ip rule entries above: 1 -> table 111, 2 -> table 112, 3 -> main
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range xxx.xxx.xxx.xxx    -p tcp --dport 9001:9005 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range xxx.xxx.xxx.xxx    -p tcp --dport 8001      -j MARK --set-mark 2
# a whole subnet in CIDR form is matched with -s; the iprange module only takes first[-last]
iptables -t mangle -A PREROUTING -i br0 -s xxx.xxx.xxx.xxx/24                     -p tcp --dport 80        -j MARK --set-mark 3

NOTE: If you have an ARM router (AC56/68 etc.) then you may need to ensure that the tagging rules are defined in nat-start, as the Trend Micro DPI engine will arbitrarily flush the mangle PREROUTING chain.
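To make the fwmark approach concrete, here is an added example in the shape of a nat-start script; it is neither Asuswrt-Merlin's code nor the poster's. It assumes br0 is the LAN bridge, tables 111 and 112 belong to VPN clients 1 and 2, the main table is the WAN path, the priorities are arbitrary, and the subnet and ports in its rule table are constructed sample data. On top of the commands above it adds what a practitioner usually wants before putting this in nat-start: mangle rules are re-inserted only when absent (iptables -C), ip rule entries are deleted before being added so re-running the script does not stack duplicates, and DRYRUN=1 prints every command instead of executing it, so the script can be reviewed off the router.

```shell
#!/bin/sh
# Added example, not Asuswrt-Merlin's or the poster's script: port-based selective
# routing with fwmark tagging and RPDB lookups, in the shape of a nat-start script.
# Assumptions for this illustration: br0 is the LAN bridge, table 111 is VPN client 1,
# table 112 is VPN client 2, main is the WAN path, the priorities are arbitrary, and
# PORT_RULES below is constructed sample data. With DRYRUN=1 every command is printed
# instead of executed; on the router the script needs root.

# run CMD...: execute the command, or only print it in dry-run mode.
run() {
    if [ "${DRYRUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# table_for_mark MARK: which routing table a given fwmark selects.
table_for_mark() {
    case $1 in
        1) echo 111 ;;   # VPN client 1
        2) echo 112 ;;   # VPN client 2
        3) echo main ;;  # plain WAN
        *) return 1 ;;
    esac
}

# One rule per line: "source  proto  dport(s)  mark"; dports in iptables first:last form.
PORT_RULES='
192.168.1.0/24   tcp  9001:9005  1
192.168.1.0/24   tcp  8001       2
192.168.1.0/24   tcp  80         3
'

# setup_rpdb: (re)install the fwmark -> table lookups. 'ip rule add' happily creates
# duplicates, so each entry is deleted before being added.
setup_rpdb() {
    for mark in 1 2 3; do
        table=$(table_for_mark "$mark")
        run ip rule del fwmark "$mark" table "$table" 2>/dev/null || true
        run ip rule add fwmark "$mark" table "$table" prio "$((30000 + mark))"
    done
    run ip route flush cache
}

# setup_marks: tag packets in mangle PREROUTING. The DPI engine may flush that chain,
# so the script must be safe to re-run: -C tests for an identical rule and -A only
# adds it when absent (the check is skipped in dry-run mode, where nothing is installed).
setup_marks() {
    printf '%s\n' "$PORT_RULES" | while read -r src proto dports mark; do
        [ -n "$src" ] || continue
        rule="-i br0 -s $src -p $proto --dport $dports -j MARK --set-mark $mark"
        # word-splitting of $rule into separate arguments is intended
        if [ "${DRYRUN:-0}" = 1 ] || ! iptables -t mangle -C PREROUTING $rule 2>/dev/null; then
            run iptables -t mangle -A PREROUTING $rule
        fi
    done
}

# Usage: DRYRUN=1 sh nat-start install   (review)   /   sh nat-start install   (apply)
if [ "${1:-}" = "install" ]; then
    setup_rpdb
    setup_marks
fi
```

Because the mark-to-table mapping lives in one function, changing which client a port group uses is a one-line edit, and the dry-run output is what you would diff against ip rule and iptables -t mangle -S PREROUTING on the router after a reboot to confirm nothing was flushed.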
 
Set up RPDB rules for tagging..

Code:
ip rule add fwmark 1 table  111 prio 30001
ip rule add fwmark 2 table  112 prio 30002
ip rule add fwmark 3 table main prio 30003
ip route flush cache
So when I add this to my original openvpn-event script, which is (partially shown here, as the rest is from Merlin's wiki):

Code:
ip route flush table 100
ip route del default table 100
ip rule del fwmark 1 table 100
ip route flush cache
iptables -t mangle -F PREROUTING

ip route show table main | grep -Ev ^default | grep -Ev tun11\
| while read ROUTE ; do
ip route add table 100 $ROUTE
done

ip route add default table 100 via $(nvram get wan_gateway)
ip rule add fwmark 1 table 100
ip route flush cache


It becomes this?

Code:
ip route flush table 100
ip route del default table 100
ip rule del fwmark 1 table 100
ip route flush cache
iptables -t mangle -F PREROUTING

ip route show table main | grep -Ev ^default | grep -Ev tun11\
| while read ROUTE ; do
ip route add table 100 $ROUTE
done

ip route add default table 100 via $(nvram get wan_gateway)
ip rule add fwmark 1 table 111 prio 30001 #vpn client1
ip rule add fwmark 2 table 112 prio 30002 #vpn client2
ip rule add fwmark 3 table main prio 30003 #no vpn, just plain wan

ip route flush cache


I'm trying to setup the following:
  • Openvpn client 1 connects to the UK, Openvpn client 2 connects to the US
  • PC1 with 192.168.0.100 should use openvpn client1
  • PC2 with 192.168.0.115 should use openvpn client2
  • PC3 with 192.168.0.103 should use wan
Thanks,
Erwin
 
I just tried the latest official build and then the latest beta for AC68 and I have the same issues using the Selective routing option from the VPN client configuration.

I have redirect Internet traffic set to policy.

- By default, if I don't enter anything, it routes everything to the WAN; I would have thought that the default would be VPN.

- To get around that, I made my first entry 0.0.0.0 0.0.0.0 VPN, expecting all traffic on my network to now be routed to VPN, but that didn't happen, all traffic still hits my ISP.

- I'm left specifying an entry for every device that I need to route to VPN.

- I tried specifying a range of my IP devices to route to VPN but it would tell me that my IP address was invalid, 192.168.1.100/150 0.0.0.0 VPN.

In this config, how would I setup a guest account so that visitors at my house would hit the VPN be default? I prefer guests hitting the VPN because who knows what people surf on their devices. If my 0.0.0.0 to 0.0.0.0 VPN would work, then that would solve my problem, but it would still be nice to have guests on the Guest WiFi so that I could limit bandwidth.

Regardless, it's amazing to have the feature built in and doesn't require messing with a script.
 
@rockstead - You need to enter things in CIDR notation. To have policy settings that mimic the All Traffic setting (using the default router addresses for an example)

Code:
Router     192.168.1.1     0.0.0.0   WAN
Home-Lan   192.168.1.0/24  0.0.0.0   VPN

The first rule excludes the router itself from the entire 192.168.1.0/24 subnet being routed through the VPN since it needs to talk directly to the internet to make connections, get addresses, etc.
 
Hi,

This is one rule I have been trying to figure out for some time. With this rule switched on, does Trend Micro AiProtection send all its queries to its server off the VPN? Which means we have a leak, right? Our ISP will be able to see in plain sight the type of queries coming from our computers, although it won't be able to block them at the DNS level, if it chooses to in a blocking country.
 
@rockstead - You need to enter things in CIDR notation. To have policy settings that mimic the All Traffic setting (using the default router addresses for an example)

Code:
Router     192.168.1.1     0.0.0.0   WAN
Home-Lan   192.168.1.0/24  0.0.0.0   VPN

The first rule excludes the router itself from the entire 192.168.1.0/24 subnet being routed through the VPN since it needs to talk directly to the internet to make connections, get addresses, etc.

I used your example but I did the opposite, so I only have 1 entry

Router 192.168.1.1 0.0.0.0 VPN

It still directs all traffic to my ISP, unless I put in a 2nd entry

Router 192.168.1.1 0.0.0.0 VPN
My laptop 192.168.1.100 0.0.0.0 VPN

Now my laptop points to my VPN, but everything else still points to ISP.
 
Hi,

This is one rule I am trying to figure out for some time. With this rule switched on, does Trend Micro AI protection send all queries to its server off the VPN? Which means, we have a leak, right? Our ISP will be able to see in plain sight the type of queries coming from our computers, although it wont be able to block it at the DNS level, if it chooses to in a blocking country.

Considering that Trend Micro is a security company, it's highly unlikely that they are sending that info over plaintext HTTP. It's most likely encrypted over SSL, so your ISP won't be able to see what those requests contain.

Feel free to do some Wireshark analysis if you are that worried and want to be sure.
 
I'm trying to setup the following:
  • Openvpn client 1 connects to the UK, Openvpn client 2 connects to the US
  • PC1 with 192.168.0.100 should use openvpn client1
  • PC2 with 192.168.0.115 should use openvpn client2
  • PC3 with 192.168.0.103 should use wan
Thanks,
Erwin

No idea why you have quoted my post o_O; my additional RPDB fwmark rule information is only relevant if you wish to selectively route PORTS (rather than nominated devices or IP subnets) via the VPN client(s).

For your simple 3-PC requirements you do not even need a script; simply enter the required entries for PC1 and PC2 into the policy routing panels of their respective VPN clients.
By default PC3 should use the WAN anyway.
 
My experience with policy routing is that I cannot get the router to go through the VPN at all. With a rule such as 192.168.2.0/24 (router at 192.168.2.1) to all destination IPs through the VPN, all LAN clients go through the VPN but the router does not. So I see no reason to create a special rule to have the router go through the WAN.
 
That rule will work, but you also need an exception rule with your router's IP, forcing it to go through the ISP.

RMerlin, thank you for bringing this great feature to the GUI.

I have some issues, maybe it's my understanding but it's not working as expected.

By default, I want all traffic to go through the VPN, this way wireless guests will hit the VPN.

So based on the example you gave I tried the following, I'm using DHCP and my IP range is 192.168.1.2 - 192.168.1.254

192.168.1.2/254 0.0.0.0 VPN - Gives me an error message that the IP does not exist.

So after lots of trial and error, I found that the most I can do for the range is the /32 suffix; anything more tells me that the IP is invalid.

192.168.1.2/32 0.0.0.0 VPN works and any range less than /32 works as well.

192.168.1.2/33 0.0.0.0 VPN does not work and anything greater than /33 does not work.

Am I doing something wrong? or is it a bug that it won't let me do my full IP range?
 

An IPv4 address is 32 bits, CIDR notation specifies the number of leading '1' bits to create the mask. The number after the / can only be from 0 to 32.

See https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing
 
