OpenVPN Selective routing and VOIP issues. Anyone else experiencing this?

janosek

Hello,

So here is the situation. I got OpenVPN and selective routing to work on Merlin's firmware on my RT-AC66u such that my desktop and VOIP go through my ISP and my PS3, Nexus 10 and laptop go through the VPN.

Before I added a sleep 20 to my selective routing script, there was a timing issue where the script would basically be ignored and all devices would go through the VPN and I would have to reboot several times until it actually worked. In this situation, I knew I was not selectively routing because my VOIP would connect for a minute and then disconnect because my service provider seemingly does not like the VOIP to connect through a different IP address.

After I added the sleep 20 to my script, it seemed to help. Now on practically every boot I have tried so far, my desktop goes through the ISP, but I still have an issue with the VOIP reconnecting after rebooting the router. If my desktop is selectively routed to my ISP, my VOIP must also be, but it still doesn't reconnect after bootup. I can reboot several times, to no avail. The only way to fix this is to stick a pin in the reset button on my cable modem (also had to do this on my DSL Modem when I had DSL a few weeks ago) and also reboot the router at the same time. During bootup, I can see the voip box turn off and on again and then it connects.

Does anyone know why I would need to reset the cable modem? It's such a black box, can't really find out anything.


I have been investigating possible solutions.
1) I thought maybe I could get a Technicolor DHG574 cable modem with built in VOIP. But my ISP said it is not approved and, even then, I can't seem to find a reseller online.

2) Add a gigabit switch between my RT-AC66u and cable modem, connecting my Linksys VOIP to the switch instead of the router. That way, the VOIP should always be stable. Do you think this will work? I was going to try it out tonight. It's only $34 for a 5 port DLINK Gigabit switch.

Anyone else have any thoughts?
 
Hello Janosek,

First I would like to thank you for your posts on this site. I have been following them to add selective routing to my configuration and it has worked perfectly. I am, however, experiencing the same (or similar) problems that you have. The issue I am having is that everything is going to the VPN except for what I have specifically (through identifying the IP address) in the script.

I am curious about adding the sleep 20 to the script. Do you literally add the phrase "script 20" to the script? Does it matter where it appears in the script?

I am sorry I am not providing you any help here but I would sure appreciate yours.

Also, I have VOIP (Vonage) and a switch. I have never put the switch between the router and the modem as I don't think it will work? I could try and let you know before you fork out the dough to purchase a switch.
 
Ok...I thought I had selective routing working but I apparently don't. It is either all going through the VPN (if the VPN is on) or not. I can't get specific devices to route. Any suggestions? I tried adding a sleep 20 to the script but it didn't seem to matter.

This is the script I have currently added to wan-start

# Disable reverse-path filtering on every interface.
for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
    echo 0 > "$i"
done

#
# Delete table 100 and flush any existing rules if they exist.
#
ip route flush table 100
ip route del default table 100
ip rule del fwmark 1 table 100
ip route flush cache
iptables -t mangle -F PREROUTING

#
# Copy all non-default and non-VPN related routes from the main table into table 100.
# Then configure table 100 to route all traffic out the WAN gateway and assign it mark "1"
#
# NOTE: Here I assume the OpenVPN tunnel is named "tun11".
#
#

ip route show table main | grep -Ev ^default | grep -Ev tun11 \
    | while read ROUTE ; do
        ip route add table 100 $ROUTE
    done
ip route add default table 100 via $(nvram get wan_gateway)
ip rule add fwmark 1 table 100
ip route flush cache


# EXAMPLES:
#
# All LAN traffic will bypass the VPN (Useful to put this rule first,
# so all traffic bypasses the VPN and you can configure exceptions afterwards)
iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1
#
# Ports 80 and 443 will bypass the VPN
# iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport 80,443 -j MARK --set-mark 1
#
# Mark 1 = use table 100 (WAN gateway, bypasses the VPN); mark 0 = main table (VPN).
# MARK does not stop rule traversal, so the last matching rule decides.
#
# All traffic from a PS3 on the LAN will use the VPN
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.158 -j MARK --set-mark 0

# All traffic from an AppleTV on the LAN will use the VPN
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.111 -j MARK --set-mark 0

# All traffic from an ONKYO on the LAN will use the VPN
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.166 -j MARK --set-mark 0

# All traffic from a MACPRO on the LAN will bypass the VPN
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.159 -j MARK --set-mark 1

# All traffic from a MACPRO on the LAN will bypass the VPN
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.77 -j MARK --set-mark 1

# All traffic from an iPhone on the LAN will bypass the VPN
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.57 -j MARK --set-mark 1

I am really green so I likely have something messed up but I have no way of knowing what that is. Any help would really be appreciated.
 
I notice something along these lines as well.

Original configuration for selective VPN was to have the scripting in the WAN-STARTUP file. After some reboot testing, the scripting rules were not in effect after some of the reboots. (Please note that I do not use the SLEEP function)

The scripting was re-applied at a SSH prompt and worked as intended.

The Merlin WIKI indicates that WAN-START would be the likely place to load the VPN script. Since this did not appear to work consistently for me I put it in FIREWALL-START which appears to work every time for me. YMMV.
 
Selective routing would help me solve my PS3 issue I think too. Is there a way to select certain IP's or IP ranges to not go thru the VPN?


Thanks
Neil
 
Pachocco1 I put the script into firewall-start as you suggested and rebooted a couple of times but with no luck. Everything is still being routed through the VPN...grrrrr. I am at my wits end. This wouldn't have anything to do with running 3.0.0.4.354.27 would it? *Grasping at straws*

P.s. Sorry for hijacking the thread.
 
This type of router programming is new to me so has anyone been able to get this to work before I try and learn how to program it. I am familiar with the router but not with adding scripts and such.

Thanks
Neil
 
Hello,

I haven't upgraded to .354. I am still on .270.25b, actually. I am more selective with my updates because 25b works very well after RMerlin's OpenVPN optimizations.

Anyway, it usually takes me a few reboots to get selective routing to work with my VOIP. Usually the selective routing part is fine, but the VOIP refuses to connect to the server. I often have to hit the reset button on my cable modem and unplug the voip. After that, it will usually connect.

I always use http://www.ip2location.com/ on a computer I am not routing through openvpn and also on my tablet, which is routed through openvpn. If one goes through my ISP, the other goes through the openvpn and my voip connects, I am good to go with my PS3 and laptop.
 
Guys is there a layman's understanding on how to accomplish this? I am just not getting what I need to do. All I want to do is route an ip or ips around the vpn.


Thanks
Neil
 
Neilh, I am far from an authority but I believe I followed the process correctly. That said, I don't have selective routing working...Here is the process that I followed.

1. You need to tweak the script I posted earlier in this thread to reflect the IP you want to route.
2. Copy that script, telnet into your router by typing telnet 192.168.1.1 (by default)
3. You need to add the script to an existing script so type cd /jffs/scripts/ hit enter
4. The two scripts suggested in this post to paste your script into are wan-start or firewall-start
5. To do that, type vi wan-start hit enter (vi is a built in text editor but you may want to consult a "cheat sheet" http://www.lagmonster.org/docs/vi.html)
6. Paste your script
7. Hit ESC then type :wq (this saves and quits the script)
8. Reboot your modem (may have to do this a couple of times)
9. Test your routed device by using a tool such as http://www.geoiptool.com/ or the one Janosek posted earlier.

I hope this works for you. For the rest of the community how did I do?
 
This whole process is super flaky and I haven't figured out how to get it to work reliably on every boot. I tried sleep 5, sleep 10, sleep 15, sleep 20.

This evening, my internet disconnected and I tried 5 reboots and it still wouldn't selectively route properly.

What I ended up doing is logging into the router, toggling the VPN off, logging into SSH via putty, running /jffs/scripts/wan-start manually (by going to the folder and doing ./wan-start) and after it ran, toggling the VPN back on.

I did an ip2location.com on my desktop that should go through the ISP and it finally did. Also my VOIP was working too.

So if all else fails, you might try the manual route.
 
I just tried to run the wan-start using ./wan-start in the /jffs/scripts/ directory but it returned a Permission denied error...any thoughts? Do I need to turn permissions on somewhere?
 
Script must be flagged as eXecutable:

Code:
chmod a+rx /jffs/scripts/wan-start
 
That could help your selective routing issues. If it is not executable, then the router can't execute it on boot.
 
RMerlin, first let me say thank you so much for developing this awesome adaptation! It is truly excellent. I would also like to thank you for taking the time to weigh in on this and report that making the file executable did the trick. Sorry for being so noobish...

janosek, I'd like to thank you as well for your posts. They really did help me get my head around this when I had no idea what I was doing (I only marginally know what I am doing now). Anyhow, it is the script you posted that is running my selective routing, so thank you!

So, for those that are interested, once I made the wan-start file executable following RMerlin's advice, I then manually ran the script as janosek suggested ./wan-start and voilà it works as expected. IP addresses that are routed through the VPN are routing, those routed to the WAN are going through the WAN and those that have not been identified are also by default going through the WAN.

I am one happy Dude. Thanks for the help everyone!
 
Now we just need to figure out the timing issues that prevent it from working properly on router boot up, because the sleep command isn't cutting it.

RMerlin: It appears that the script needs to run before openvpn client connects. I wonder if it would be possible to create a "OPENVPN-SCRIPT" that executes after openvpn is loaded, but before the vpn connection is activated?
 
As a workaround, you can keep using the same script you currently are, but disable the "Connect on WAN" on the webui. At the end of your script put this to start the connection:

Code:
service start_vpnclient1
 

I am cautiously optimistic that this will solve the reliability issue of selective routing!

I turned off the router and turned it back on and it worked the first time!

I will give it some time. If it continues to work, I will put together a formal HOW-TO guide.

Thanks again for that tip!
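
Added example, not part of the thread or of the firmware: a small shell check that resolves which path a LAN address takes under the MARK rules from the script posted earlier, so an unintended VPN bypass (or an unintended VPN route) can be spotted before rebooting. The rule list is a constructed copy of that script's iptables arguments, and the function names `final_mark` and `path_for` are hypothetical.

```shell
#!/bin/sh
# Constructed sample: the MARK rules from the script posted in the thread,
# in the order they are appended to mangle/PREROUTING.
RULES='-A PREROUTING -i br0 -j MARK --set-mark 1
-A PREROUTING -i br0 -m iprange --src-range 192.168.1.158 -j MARK --set-mark 0
-A PREROUTING -i br0 -m iprange --src-range 192.168.1.111 -j MARK --set-mark 0
-A PREROUTING -i br0 -m iprange --src-range 192.168.1.166 -j MARK --set-mark 0
-A PREROUTING -i br0 -m iprange --src-range 192.168.1.159 -j MARK --set-mark 1'

# final_mark IP: print the mark a packet from IP carries after PREROUTING.
# MARK is a non-terminating target, so every matching rule is applied in
# order and the last match wins. Packets matching no rule keep mark 0.
final_mark() {
    printf '%s\n' "$RULES" | awk -v ip="$1" '
        function n(a,  p) { split(a, p, "."); return ((p[1]*256+p[2])*256+p[3])*256+p[4] }
        BEGIN { mark = 0; want = n(ip) }
        {
            lo = 0; hi = 4294967295; m = ""
            for (i = 1; i < NF; i++) {
                # --src-range accepts a single address or a from-to range
                if ($i == "--src-range") { split($(i+1), r, "-"); lo = n(r[1]); hi = (r[2] != "") ? n(r[2]) : lo }
                if ($i == "--set-mark") m = $(i+1)
            }
            if (m != "" && want >= lo && want <= hi) mark = m
        }
        END { print mark }'
}

# path_for IP: fwmark 1 selects table 100 (default via the WAN gateway);
# any other mark falls through to the main table, where the VPN routes apply.
path_for() {
    if [ "$(final_mark "$1")" = "1" ]; then echo WAN; else echo VPN; fi
}

# Listed devices and one address the script does not mention.
for ip in 192.168.1.158 192.168.1.159 192.168.1.50; do
    echo "$ip -> $(path_for "$ip")"
done
```

The first rule marks all LAN traffic for the WAN, which is why addresses the script never names still bypass the VPN; removing that rule flips the default to the VPN.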
 
