Hello,
I have spend days searching how to selectively route openvpn over TWO clients, but all I have found is people asking the question in a "Solved" forum, but no solution.
Here is my code to selectively route with one VPN.
It is not mine. It was modified from here, with much gratitiude:
http://www.linksysinfo.org/index.php?threads/route-only-specific-ports-through-vpn-openvpn.37240/
#!/bin/sh
touch /tmp/000wanstarted
for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
echo 0 > $i
done
#US VPN
#
# Delete and table 100 and flush any existing rules if they exist.
#
ip route flush table 100
ip route del default table 100
ip rule del fwmark 1 table 100
ip route flush cache
iptables -t mangle -F PREROUTING
ip route add default table 100 via $(nvram get wan_gateway)
ip rule add fwmark 1 table 100
ip route flush cache
# Define the routing policies for the traffic. The rules will be applied in the #order that they are listed. In the end, packets with MARK set to "0" will
# pass through the VPN. If MARK is set to "1" it will bypass the VPN.
# All LAN traffic will bypass the VPN (Useful to put this rule first, so all traffic bypasses the VPN and you can # configure exceptions afterwards)
iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1
# All traffic from Laptop will use US VPN
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.248 -j MARK --set-mark 0
# All traffic from PS3 will use the US VPN
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.10 -j MARK --set-mark 0
# All traffic from Nexus 10 will use the US VPN
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.2 -j MARK --set-mark 0
# All traffic from VOIP will use the WAN
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.152 -j MARK --set-mark 1
# Ports 38666 will bypass the VPN (in the future, another VPN)
iptables -t mangle -A PREROUTING -p tcp --dport 38666 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -p udp --dport 38666 -j MARK --set-mark 1
exit 0
I would like to set up a second VPN and route some ports through there, but when I try to bring a second openvpn client up, everything stops working.
I tried modifying cornasdf's method to my own usages:
http://cornasdf.blogspot.ca/2012/10/dd-wrt-openvpn-and-selectively-routing.html
but it did not work in my setup. Here is what I got:
Here is my environment setup script:
###################################################
mkdir /jffs/scripts/customvpn
mkdir /jffs/scripts/customvpn/us
mkdir /jffs/scripts/customvpn/uk
echo "-----BEGIN CERTIFICATE-----
<SNIP>
-----END CERTIFICATE-----" >> /jffs/scripts/customvpn/ca.crt
chmod 700 /jffs/scripts/customvpn/ca.crt
#Setup uk Tunnel Config
echo script-security 3 > /jffs/scripts/customvpn/uk/openvpn-uk.conf
echo daemon >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
echo client >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
echo dev tun0 >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
echo proto udp >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
echo remote <UK_VPN_ADDRESS> 1194 >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
echo resolv-retry 30 >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
echo nobind >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
echo persist-key >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
echo persist-tun >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
echo ca /jffs/scripts/customvpn/ca.crt >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
#echo redirect-gateway def1 >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
echo auth-user-pass /jffs/scripts/customvpn/password.txt >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
echo comp-lzo adaptive >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
#echo route-up /jffs/scripts/customvpn/uk/route-up-uk.sh >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
#echo down-pre /jffs/scripts/customvpn/uk/route-down-uk.sh >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
echo verb 15 >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
echo status-version 2 >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
#echo route-nopull >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
echo mute-replay-warnings >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
echo mssfix 1396 >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
#echo status /jffs/scripts/status_uk >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
chmod 700 /jffs/scripts/customvpn/uk/openvpn-uk.conf
#Setup US Tunnel Config
echo script-security 3 > /jffs/scripts/customvpn/us/openvpn-US.conf
echo daemon >> /jffs/scripts/customvpn/us/openvpn-US.conf
echo client >> /jffs/scripts/customvpn/us/openvpn-US.conf
echo dev tun1 >> /jffs/scripts/customvpn/us/openvpn-US.conf
echo proto udp >> /jffs/scripts/customvpn/us/openvpn-US.conf
echo remote <US_VPN_ADDRESS>1194 >> /jffs/scripts/customvpn/us/openvpn-US.conf
echo resolv-retry 30 >> /jffs/scripts/customvpn/us/openvpn-US.conf
echo nobind >> /jffs/scripts/customvpn/us/openvpn-US.conf
echo persist-key >> /jffs/scripts/customvpn/us/openvpn-US.conf
echo persist-tun >> /jffs/scripts/customvpn/us/openvpn-US.conf
echo ca /jffs/scripts/customvpn/ca.crt >> /jffs/scripts/customvpn/us/openvpn-US.conf
#echo redirect-gateway def1 >> /jffs/scripts/customvpn/us/openvpn-US.conf
echo auth-user-pass /jffs/scripts/customvpn/password.txt >> /jffs/scripts/customvpn/us/openvpn-US.conf
echo comp-lzo adaptive >> /jffs/scripts/customvpn/us/openvpn-US.conf
#echo route-up /jffs/scripts/customvpn/us/route-up-US.sh >> /jffs/scripts/customvpn/us/openvpn-US.conf
#echo down-pre /jffs/scripts/customvpn/us/route-down-US.sh >> /jffs/scripts/customvpn/us/openvpn-US.conf
echo verb 15 >> /jffs/scripts/customvpn/us/openvpn-US.conf
echo status-version 2 >> /jffs/scripts/customvpn/us/openvpn-US.conf
#echo route-nopull >> /jffs/scripts/customvpn/us/openvpn-US.conf
echo mute-replay-warnings >> /jffs/scripts/customvpn/us/openvpn-US.conf
echo mssfix 1396 >> /jffs/scripts/customvpn/us/openvpn-US.conf
#echo status /jffs/scripts/status_us >> /jffs/scripts/customvpn/us/openvpn-US.conf
chmod 700 /jffs/scripts/customvpn/us/openvpn-US.conf
#tun0 route up script
echo iptables -A POSTROUTING -t nat -o tun0 -j MASQUERADE > /jffs/scripts/customvpn/uk/route-up-uk.sh
chmod 700 /jffs/scripts/customvpn/uk/route-up-uk.sh
#tun0 route down script
echo iptables -D POSTROUTING -t nat -o tun0 -j MASQUERADE > /jffs/scripts/customvpn/uk/route-down-uk.sh
chmod 700 /jffs/scripts/customvpn/uk/route-down-uk.sh
#tun1 route up script
echo iptables -A POSTROUTING -t nat -o tun1 -j MASQUERADE > /jffs/scripts/customvpn/us/route-up-US.sh
chmod 700 /jffs/scripts/customvpn/us/route-up-US.sh
#tun1 route down script
echo iptables -D POSTROUTING -t nat -o tun1 -j MASQUERADE > /jffs/scripts/customvpn/us/route-down-US.sh
chmod 700 /jffs/scripts/customvpn/us/route-down-US.sh
#General Config
echo <USER> > /jffs/scripts/customvpn/password.txt
echo <PASS> >> /jffs/scripts/customvpn/password.txt
chmod 700 /jffs/scripts/customvpn/password.txt
exit 0
#############################################
wan_start:
#!/bin/sh
touch /tmp/000phase2wanstarted
modprobe tun
#Setup tunnels.
/usr/bin/killall openvpn
/usr/sbin/openvpn --config /jffs/scripts/customvpn/uk/openvpn-uk.conf
sleep 10
/usr/sbin/openvpn --config /jffs/scripts/customvpn/us/openvpn-US.conf
sleep 10
#The tunnels can take a couple seconds to establish. Hold for 5 seconds to allow for this
# get gateway addresses
IspGateway=$(ip route list table main | awk '/default/ { print $3}')
tun0Gateway=$(ip route list table main | awk '/tun0/ { print $1}')
tun1Gateway=$(ip route list table main | awk '/tun1/ { print $1}')
# Create fwmark to table bindings
ip rule add fwmark 1 table main # ISP
ip rule add fwmark 2 table 2 # Tunnel 0 uk
ip rule add fwmark 3 table 3 # Tunnel 1 US
# Create table to tunnel bindings
ip route add default via $tun0Gateway dev tun0 table 2 #Send out uk Tunnel
ip route add default via $tun1Gateway dev tun1 table 3 #Send out US Tunnel
# First it is necessary to disable Reverse Path Filtering on all
# current and future network interfaces:
for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
echo 0 > $i
done
# All LAN traffic will bypass the VPNs (Useful to put this rule first, so all traffic bypasses the VPNs and you can # configure exceptions afterwards)
iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1
#uk tunnel rules
# Ports 38666 will go through the uk tunnel
iptables -t mangle -A PREROUTING -p tcp --dport 38666 -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -p udp --dport 38666 -j MARK --set-mark 2
#US Tunnel rules
# All traffic from Laptop will use US VPN
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.248 -j MARK --set-mark 3
# All traffic from PS3 will use the US VPN
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.10 -j MARK --set-mark 3
# All traffic from Nexus 10 will use the US VPN
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.2 -j MARK --set-mark 3
# All traffic from VOIP will use the WAN
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.152 -j MARK --set-mark 1
exit 0
################################################
Does anyone have a working script? The above just kills everything. If anyone can help, I would be grateful.
I have spend days searching how to selectively route openvpn over TWO clients, but all I have found is people asking the question in a "Solved" forum, but no solution.
Here is my code to selectively route with one VPN.
It is not mine. It was modified from here, with much gratitiude:
http://www.linksysinfo.org/index.php?threads/route-only-specific-ports-through-vpn-openvpn.37240/
#!/bin/sh
touch /tmp/000wanstarted
for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
echo 0 > $i
done
#US VPN
#
# Delete and table 100 and flush any existing rules if they exist.
#
ip route flush table 100
ip route del default table 100
ip rule del fwmark 1 table 100
ip route flush cache
iptables -t mangle -F PREROUTING
ip route add default table 100 via $(nvram get wan_gateway)
ip rule add fwmark 1 table 100
ip route flush cache
# Define the routing policies for the traffic. The rules will be applied in the #order that they are listed. In the end, packets with MARK set to "0" will
# pass through the VPN. If MARK is set to "1" it will bypass the VPN.
# All LAN traffic will bypass the VPN (Useful to put this rule first, so all traffic bypasses the VPN and you can # configure exceptions afterwards)
iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1
# All traffic from Laptop will use US VPN
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.248 -j MARK --set-mark 0
# All traffic from PS3 will use the US VPN
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.10 -j MARK --set-mark 0
# All traffic from Nexus 10 will use the US VPN
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.2 -j MARK --set-mark 0
# All traffic from VOIP will use the WAN
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.152 -j MARK --set-mark 1
# Ports 38666 will bypass the VPN (in the future, another VPN)
iptables -t mangle -A PREROUTING -p tcp --dport 38666 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -p udp --dport 38666 -j MARK --set-mark 1
exit 0
I would like to set up a second VPN and route some ports through there, but when I try to bring a second openvpn client up, everything stops working.
I tried modifying cornasdf's method to my own usages:
http://cornasdf.blogspot.ca/2012/10/dd-wrt-openvpn-and-selectively-routing.html
but it did not work in my setup. Here is what I got:
Here is my environment setup script:
###################################################
mkdir /jffs/scripts/customvpn
mkdir /jffs/scripts/customvpn/us
mkdir /jffs/scripts/customvpn/uk
echo "-----BEGIN CERTIFICATE-----
<SNIP>
-----END CERTIFICATE-----" >> /jffs/scripts/customvpn/ca.crt
chmod 700 /jffs/scripts/customvpn/ca.crt
#Setup uk Tunnel Config
echo script-security 3 > /jffs/scripts/customvpn/uk/openvpn-uk.conf
echo daemon >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
echo client >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
echo dev tun0 >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
echo proto udp >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
echo remote <UK_VPN_ADDRESS> 1194 >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
echo resolv-retry 30 >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
echo nobind >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
echo persist-key >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
echo persist-tun >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
echo ca /jffs/scripts/customvpn/ca.crt >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
#echo redirect-gateway def1 >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
echo auth-user-pass /jffs/scripts/customvpn/password.txt >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
echo comp-lzo adaptive >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
#echo route-up /jffs/scripts/customvpn/uk/route-up-uk.sh >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
#echo down-pre /jffs/scripts/customvpn/uk/route-down-uk.sh >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
echo verb 15 >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
echo status-version 2 >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
#echo route-nopull >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
echo mute-replay-warnings >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
echo mssfix 1396 >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
#echo status /jffs/scripts/status_uk >> /jffs/scripts/customvpn/uk/openvpn-uk.conf
chmod 700 /jffs/scripts/customvpn/uk/openvpn-uk.conf
#Setup US Tunnel Config
echo script-security 3 > /jffs/scripts/customvpn/us/openvpn-US.conf
echo daemon >> /jffs/scripts/customvpn/us/openvpn-US.conf
echo client >> /jffs/scripts/customvpn/us/openvpn-US.conf
echo dev tun1 >> /jffs/scripts/customvpn/us/openvpn-US.conf
echo proto udp >> /jffs/scripts/customvpn/us/openvpn-US.conf
echo remote <US_VPN_ADDRESS>1194 >> /jffs/scripts/customvpn/us/openvpn-US.conf
echo resolv-retry 30 >> /jffs/scripts/customvpn/us/openvpn-US.conf
echo nobind >> /jffs/scripts/customvpn/us/openvpn-US.conf
echo persist-key >> /jffs/scripts/customvpn/us/openvpn-US.conf
echo persist-tun >> /jffs/scripts/customvpn/us/openvpn-US.conf
echo ca /jffs/scripts/customvpn/ca.crt >> /jffs/scripts/customvpn/us/openvpn-US.conf
#echo redirect-gateway def1 >> /jffs/scripts/customvpn/us/openvpn-US.conf
echo auth-user-pass /jffs/scripts/customvpn/password.txt >> /jffs/scripts/customvpn/us/openvpn-US.conf
echo comp-lzo adaptive >> /jffs/scripts/customvpn/us/openvpn-US.conf
#echo route-up /jffs/scripts/customvpn/us/route-up-US.sh >> /jffs/scripts/customvpn/us/openvpn-US.conf
#echo down-pre /jffs/scripts/customvpn/us/route-down-US.sh >> /jffs/scripts/customvpn/us/openvpn-US.conf
echo verb 15 >> /jffs/scripts/customvpn/us/openvpn-US.conf
echo status-version 2 >> /jffs/scripts/customvpn/us/openvpn-US.conf
#echo route-nopull >> /jffs/scripts/customvpn/us/openvpn-US.conf
echo mute-replay-warnings >> /jffs/scripts/customvpn/us/openvpn-US.conf
echo mssfix 1396 >> /jffs/scripts/customvpn/us/openvpn-US.conf
#echo status /jffs/scripts/status_us >> /jffs/scripts/customvpn/us/openvpn-US.conf
chmod 700 /jffs/scripts/customvpn/us/openvpn-US.conf
#tun0 route up script
echo iptables -A POSTROUTING -t nat -o tun0 -j MASQUERADE > /jffs/scripts/customvpn/uk/route-up-uk.sh
chmod 700 /jffs/scripts/customvpn/uk/route-up-uk.sh
#tun0 route down script
echo iptables -D POSTROUTING -t nat -o tun0 -j MASQUERADE > /jffs/scripts/customvpn/uk/route-down-uk.sh
chmod 700 /jffs/scripts/customvpn/uk/route-down-uk.sh
#tun1 route up script
echo iptables -A POSTROUTING -t nat -o tun1 -j MASQUERADE > /jffs/scripts/customvpn/us/route-up-US.sh
chmod 700 /jffs/scripts/customvpn/us/route-up-US.sh
#tun1 route down script
echo iptables -D POSTROUTING -t nat -o tun1 -j MASQUERADE > /jffs/scripts/customvpn/us/route-down-US.sh
chmod 700 /jffs/scripts/customvpn/us/route-down-US.sh
#General Config
echo <USER> > /jffs/scripts/customvpn/password.txt
echo <PASS> >> /jffs/scripts/customvpn/password.txt
chmod 700 /jffs/scripts/customvpn/password.txt
exit 0
#############################################
wan_start:
#!/bin/sh
touch /tmp/000phase2wanstarted
modprobe tun
#Setup tunnels.
/usr/bin/killall openvpn
/usr/sbin/openvpn --config /jffs/scripts/customvpn/uk/openvpn-uk.conf
sleep 10
/usr/sbin/openvpn --config /jffs/scripts/customvpn/us/openvpn-US.conf
sleep 10
#The tunnels can take a couple seconds to establish. Hold for 5 seconds to allow for this
# get gateway addresses
IspGateway=$(ip route list table main | awk '/default/ { print $3}')
tun0Gateway=$(ip route list table main | awk '/tun0/ { print $1}')
tun1Gateway=$(ip route list table main | awk '/tun1/ { print $1}')
# Create fwmark to table bindings
ip rule add fwmark 1 table main # ISP
ip rule add fwmark 2 table 2 # Tunnel 0 uk
ip rule add fwmark 3 table 3 # Tunnel 1 US
# Create table to tunnel bindings
ip route add default via $tun0Gateway dev tun0 table 2 #Send out uk Tunnel
ip route add default via $tun1Gateway dev tun1 table 3 #Send out US Tunnel
# First it is necessary to disable Reverse Path Filtering on all
# current and future network interfaces:
for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
echo 0 > $i
done
# All LAN traffic will bypass the VPNs (Useful to put this rule first, so all traffic bypasses the VPNs and you can # configure exceptions afterwards)
iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1
#uk tunnel rules
# Ports 38666 will go through the uk tunnel
iptables -t mangle -A PREROUTING -p tcp --dport 38666 -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -p udp --dport 38666 -j MARK --set-mark 2
#US Tunnel rules
# All traffic from Laptop will use US VPN
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.248 -j MARK --set-mark 3
# All traffic from PS3 will use the US VPN
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.10 -j MARK --set-mark 3
# All traffic from Nexus 10 will use the US VPN
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.2 -j MARK --set-mark 3
# All traffic from VOIP will use the WAN
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.152 -j MARK --set-mark 1
exit 0
################################################
Does anyone have a working script? The above just kills everything. If anyone can help, I would be grateful.