What's new

Help with Tomato/RMerlin Asuswrt selective routing over two openvpn clients

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

janosek

Regular Contributor
Hello,

I have spend days searching how to selectively route openvpn over TWO clients, but all I have found is people asking the question in a "Solved" forum, but no solution.

Here is my code to selectively route with one VPN.
It is not mine. It was modified from here, with much gratitiude:
http://www.linksysinfo.org/index.php?threads/route-only-specific-ports-through-vpn-openvpn.37240/


#!/bin/sh

touch /tmp/000wanstarted

for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
echo 0 > $i
done


#US VPN

#
# Delete and table 100 and flush any existing rules if they exist.
#
ip route flush table 100
ip route del default table 100
ip rule del fwmark 1 table 100
ip route flush cache
iptables -t mangle -F PREROUTING


ip route add default table 100 via $(nvram get wan_gateway)
ip rule add fwmark 1 table 100
ip route flush cache


# Define the routing policies for the traffic. The rules will be applied in the #order that they are listed. In the end, packets with MARK set to "0" will
# pass through the VPN. If MARK is set to "1" it will bypass the VPN.


# All LAN traffic will bypass the VPN (Useful to put this rule first, so all traffic bypasses the VPN and you can # configure exceptions afterwards)

iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1


# All traffic from Laptop will use US VPN
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.248 -j MARK --set-mark 0


# All traffic from PS3 will use the US VPN
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.10 -j MARK --set-mark 0


# All traffic from Nexus 10 will use the US VPN
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.2 -j MARK --set-mark 0



# All traffic from VOIP will use the WAN
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.152 -j MARK --set-mark 1

# Ports 38666 will bypass the VPN (in the future, another VPN)
iptables -t mangle -A PREROUTING -p tcp --dport 38666 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -p udp --dport 38666 -j MARK --set-mark 1



exit 0

I would like to set up a second VPN and route some ports through there, but when I try to bring a second openvpn client up, everything stops working.

I tried modifying cornasdf's method to my own usages:
http://cornasdf.blogspot.ca/2012/10/dd-wrt-openvpn-and-selectively-routing.html
but it did not work in my setup. Here is what I got:

Here is my environment setup script:

###################################################

mkdir /jffs/scripts/customvpn
mkdir /jffs/scripts/customvpn/us
mkdir /jffs/scripts/customvpn/uk
echo "-----BEGIN CERTIFICATE-----
<SNIP>
-----END CERTIFICATE-----" >> /jffs/scripts/customvpn/ca.crt

chmod 700 /jffs/scripts/customvpn/ca.crt


#Setup uk Tunnel Config
echo script-security 3 > /jffs/scripts/customvpn/uk/openvpn-uk.conf
echo daemon >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
echo client >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
echo dev tun0 >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
echo proto udp >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
echo remote <UK_VPN_ADDRESS> 1194 >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
echo resolv-retry 30 >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
echo nobind >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
echo persist-key >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
echo persist-tun >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
echo ca /jffs/scripts/customvpn/ca.crt >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
#echo redirect-gateway def1 >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
echo auth-user-pass /jffs/scripts/customvpn/password.txt >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
echo comp-lzo adaptive >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
#echo route-up /jffs/scripts/customvpn/uk/route-up-uk.sh >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
#echo down-pre /jffs/scripts/customvpn/uk/route-down-uk.sh >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
echo verb 15 >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
echo status-version 2 >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
#echo route-nopull >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
echo mute-replay-warnings >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
echo mssfix 1396 >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
#echo status /jffs/scripts/status_uk >> /jffs/scripts/customvpn/uk/openvpn-uk.conf



chmod 700 /jffs/scripts/customvpn/uk/openvpn-uk.conf


#Setup US Tunnel Config

echo script-security 3 > /jffs/scripts/customvpn/us/openvpn-US.conf
echo daemon >> /jffs/scripts/customvpn/us/openvpn-US.conf
echo client >> /jffs/scripts/customvpn/us/openvpn-US.conf
echo dev tun1 >> /jffs/scripts/customvpn/us/openvpn-US.conf
echo proto udp >> /jffs/scripts/customvpn/us/openvpn-US.conf
echo remote <US_VPN_ADDRESS>1194 >> /jffs/scripts/customvpn/us/openvpn-US.conf
echo resolv-retry 30 >> /jffs/scripts/customvpn/us/openvpn-US.conf
echo nobind >> /jffs/scripts/customvpn/us/openvpn-US.conf
echo persist-key >> /jffs/scripts/customvpn/us/openvpn-US.conf
echo persist-tun >> /jffs/scripts/customvpn/us/openvpn-US.conf
echo ca /jffs/scripts/customvpn/ca.crt >> /jffs/scripts/customvpn/us/openvpn-US.conf
#echo redirect-gateway def1 >> /jffs/scripts/customvpn/us/openvpn-US.conf
echo auth-user-pass /jffs/scripts/customvpn/password.txt >> /jffs/scripts/customvpn/us/openvpn-US.conf
echo comp-lzo adaptive >> /jffs/scripts/customvpn/us/openvpn-US.conf
#echo route-up /jffs/scripts/customvpn/us/route-up-US.sh >> /jffs/scripts/customvpn/us/openvpn-US.conf
#echo down-pre /jffs/scripts/customvpn/us/route-down-US.sh >> /jffs/scripts/customvpn/us/openvpn-US.conf
echo verb 15 >> /jffs/scripts/customvpn/us/openvpn-US.conf
echo status-version 2 >> /jffs/scripts/customvpn/us/openvpn-US.conf
#echo route-nopull >> /jffs/scripts/customvpn/us/openvpn-US.conf
echo mute-replay-warnings >> /jffs/scripts/customvpn/us/openvpn-US.conf
echo mssfix 1396 >> /jffs/scripts/customvpn/us/openvpn-US.conf
#echo status /jffs/scripts/status_us >> /jffs/scripts/customvpn/us/openvpn-US.conf

chmod 700 /jffs/scripts/customvpn/us/openvpn-US.conf

#tun0 route up script
echo iptables -A POSTROUTING -t nat -o tun0 -j MASQUERADE > /jffs/scripts/customvpn/uk/route-up-uk.sh

chmod 700 /jffs/scripts/customvpn/uk/route-up-uk.sh
#tun0 route down script
echo iptables -D POSTROUTING -t nat -o tun0 -j MASQUERADE > /jffs/scripts/customvpn/uk/route-down-uk.sh
chmod 700 /jffs/scripts/customvpn/uk/route-down-uk.sh

#tun1 route up script
echo iptables -A POSTROUTING -t nat -o tun1 -j MASQUERADE > /jffs/scripts/customvpn/us/route-up-US.sh
chmod 700 /jffs/scripts/customvpn/us/route-up-US.sh
#tun1 route down script
echo iptables -D POSTROUTING -t nat -o tun1 -j MASQUERADE > /jffs/scripts/customvpn/us/route-down-US.sh
chmod 700 /jffs/scripts/customvpn/us/route-down-US.sh


#General Config
echo <USER> > /jffs/scripts/customvpn/password.txt
echo <PASS> >> /jffs/scripts/customvpn/password.txt

chmod 700 /jffs/scripts/customvpn/password.txt

exit 0

#############################################

wan_start:

#!/bin/sh

touch /tmp/000phase2wanstarted

modprobe tun

#Setup tunnels.
/usr/bin/killall openvpn

/usr/sbin/openvpn --config /jffs/scripts/customvpn/uk/openvpn-uk.conf
sleep 10
/usr/sbin/openvpn --config /jffs/scripts/customvpn/us/openvpn-US.conf
sleep 10


#The tunnels can take a couple seconds to establish. Hold for 5 seconds to allow for this



# get gateway addresses
IspGateway=$(ip route list table main | awk '/default/ { print $3}')
tun0Gateway=$(ip route list table main | awk '/tun0/ { print $1}')
tun1Gateway=$(ip route list table main | awk '/tun1/ { print $1}')



# Create fwmark to table bindings
ip rule add fwmark 1 table main # ISP
ip rule add fwmark 2 table 2 # Tunnel 0 uk
ip rule add fwmark 3 table 3 # Tunnel 1 US

# Create table to tunnel bindings
ip route add default via $tun0Gateway dev tun0 table 2 #Send out uk Tunnel
ip route add default via $tun1Gateway dev tun1 table 3 #Send out US Tunnel


# First it is necessary to disable Reverse Path Filtering on all
# current and future network interfaces:
for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
echo 0 > $i
done



# All LAN traffic will bypass the VPNs (Useful to put this rule first, so all traffic bypasses the VPNs and you can # configure exceptions afterwards)
iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1



#uk tunnel rules
# Ports 38666 will go through the uk tunnel
iptables -t mangle -A PREROUTING -p tcp --dport 38666 -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -p udp --dport 38666 -j MARK --set-mark 2

#US Tunnel rules

# All traffic from Laptop will use US VPN
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.248 -j MARK --set-mark 3


# All traffic from PS3 will use the US VPN
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.10 -j MARK --set-mark 3


# All traffic from Nexus 10 will use the US VPN
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.2 -j MARK --set-mark 3



# All traffic from VOIP will use the WAN
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.152 -j MARK --set-mark 1



exit 0

################################################


Does anyone have a working script? The above just kills everything. If anyone can help, I would be grateful.
 

Similar threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top