l2tp vpn client for only one device

[leoo2001]

I don't know if this is the correct thread to post this question but since I'm running Merlin firmware will ask here anyway. I have a vpn subscription from a provider that offers only l2tp protocol, but my need is to connect only 1 device to this server as I'm using it to watch iptv which is not banned in my current destination but runs very choppy and unstable. I was been told to look for a provider with l2tp protocol as the connection is a lot faster than openvpn encrypted protocol.
With the credetials nad the configuration provided, when i activate the vpn client on merlin firmware my entire network is redirected to to another country and this is not what i need. Have been searching on internet how to configure some rules to allow only specified device to use the vpn tunnel but with no luck. Only information that have been able to find was some configuration for l2tp on the original asus firmware that establishes to emulate some second "router" only with the vpn created. But wasn't explained in details and I cannot figure how to do it myself.

 

[Martineau]

..., when i activate the [L2TP] vpn client on merlin firmware my entire network is redirected to another country and this is not what i need. Have been searching on internet how to configure some rules to allow only specified device to use the vpn tunnel but with no luck. .

You will need a script that should be run AFTER the PPTP/L2TP connection is established.

I think this script may still work...haven't needed to use PPTP/L2TP for a long time (Selective routing using OpenVPN is sooo much easier!)

EDIT: 22-Nov-2019 Updated to allow multiple clients to be selectively routed.

e.g. /jffs/scripts/PPTP_Select.sh

#!/bin/sh
#
#    PPTP_Select  {IP_address[,IP_address…]} [pptp_interface]
#
#    PPTP_Select  12.34.56.7
#                 Will route 12.34.56.7 via PPTP/L2TP interface ppp5 (default)
#    PPTP_Select  12.34.56.7 ppp10
#                 Will route 12.34.56.7 via PPTP/L2TP interface ppp10
#
#
VER="v1.01"
logger -st "($(basename $0))" $$ $VER PPTP/L2TP Client Selective routing starting....." $0${*:+ $*}"

MYROUTER=$(nvram get computer_name)
USEPATH="/tmp/mnt/$MYROUTER"
HOSTNAME=

if [ ! -z $1 ];then
   IPADDR=$1
   ETC="/etc"                   # Hack to get around snbforum code block!!!
   HOSTNAME=`grep -i "$IP_ADDR" /$ETC/hosts.dnsmasq | awk '{print $2}'`
else
   logger -st "($(basename $0))" $$ "**ERROR missing arg1: IP_ADDR"
   echo -e "\a"
   exit 99
fi

if [ -z "$2" ];then
   dev="ppp5"
else
   dev=$2
fi

MY_VPNTAB=99       # Now read from /jffs/configs/VPNSelect
TAG_MARK=0x6000    # Now read from /jffs/configs/VPNSelect
VPN_PRIO=9000
IP_LIST=$(echo "$IPADDR" | tr ',' ' ')

# Extract the P-t-P address unlike OpenVPN where we extract/use the local VPN address!
# ppp5    inet addr:10.200.25.2  P-t-P:10.200.24.1  Mask:255.255.255.255
PPTP_IP=$(ifconfig $dev | grep 'P-t-P:' | awk '{ print $3}' | cut -d: -f2 |  awk '{ print $1}')  # 10.200.24.1
ip rule del table $MY_VPNTAB 2> /dev/null > /dev/null
ip route flush table $MY_VPNTAB

# Unlike OpenVPN we can't specify route-nopull so do it manually...
logger -st "($(basename $0))" $$ "CMD: ip route delete default via $PPTP_IP dev $dev"
ip route delete default via $PPTP_IP dev $dev 2> /dev/null >/dev/null
PPTP_subnet=${PPTP_IP%.*}

logger -st "($(basename $0))" $$ "CMD: route -n add -net $PPTP_subnet".0" netmask 255.255.255.0 $dev"
route -n add -net $PPTP_subnet".0" netmask 255.255.255.0 $dev

# Unlike Openvpn we do not specify an address in the table defined for PPTP use
logger -st "($(basename $0))" $$ "CMD: ip route add default dev $dev table $MY_VPNTAB"
ip route add default dev $dev table $MY_VPNTAB

# Selectively route the LAN device(s) via the PPTP/L2TP link
if [ ! -z "$IPADDR" ];then
   for IPADDR in $IP_LIST
   do
     ip rule add from $IPADDR table $MY_VPNTAB prio $VPN_PRIO
     VPN_PRIO=$((VPN_PRIO+1))
   done
   logger -st "($(basename $0))" $$ "LAN device" $HOSTNAME "("$IPADDR") forced via PPTP/L2TP" $PPTP_IP "("$dev")"
fi

ip route flush cache
logger -st "($(basename $0))" $$ "PPTP/L2TP Client Selective routing complete."

exit 0

 

[leoo2001]

Thank you for your reply and the script. I will give it a try, hopefully it works. Im also using openvpn with policy rules with another provider and its a lot easy to configure. Unfortunately in this case i have to stick to l2tp

 

[fotoflo]

@Martineau Thank you! The script is great and I got it working - now routing all Apple TV traffic through L2TP VPN (which is much faster than OpenVPN).

One shortcoming is that it has to be manually executed after turning on the VPN.

I noticed in the wiki that the OS provides postconf scripts for certain events, but if i read it correctly, postconf actually runs before the service starts, and there is no post conf for L2TP anyway.... so is there a good way to run this script automatically?

Thanks!

 

[swashbuckle]

Hi - a newbie here with no prior experience in running user scripts for my ac88u.

I'm using the L2TP client in asus merlin to establish an IPSec connection but would only like traffic from one IP address to be encrypted.

A couple of questions I hope someone can kindly help with -

• Do any of the values in the script above have to be edited or is everything copy and paste?
• Does the script have to be executed and how should I go about doing so?
  
• How do I add the selected device/IP address to the script?
• How do I turn the script off are L2TP usage?

Many thanks!

 

[renmet]

@Martineau Thank you! The script is great and I got it working - now routing all Apple TV traffic through L2TP VPN (which is much faster than OpenVPN).

One shortcoming is that it has to be manually executed after turning on the VPN.

I noticed in the wiki that the OS provides postconf scripts for certain events, but if i read it correctly, postconf actually runs before the service starts, and there is no post conf for L2TP anyway.... so is there a good way to run this script automatically?

Thanks!

Hello,

can you tell me your script modifications? With this script i only will get one device added to the L2TP tunnel.

Thanks for your help

kindly regards

 

[Martineau]

With this script i only will get one device added to the L2TP tunnel.

can you tell me your script modifications?

If you are referring to my script in post #2

Change LINE 3

#    PPTP_Select  {IP_address} [pptp_interface]

to

#    PPTP_Select  {IP_address[,IP_address…]} [pptp_interface]

Change LINE 35

VPN_PRIO=9000

to

VPN_PRIO=9000
IP_LIST=$(echo "$IPADDR | tr ',' ' '")

Change LINE 57(58)

ip rule add from $IPADDR table $MY_VPNTAB prio $VPN_PRIO

to

for IPADDR in $IP_LIST
   do
     ip rule add from $IPADDR table $MY_VPNTAB prio $VPN_PRIO
     VPN_PRIO=$((VPN_PRIO+1))
   done

then you can now pass a comma-separated-value (CSV) list of multiple IPs to the script

e.g. Route 192.168.1.111 and 192.168.1.222 via the tunnel

/jffs/scripts/PPTP_Select.sh "192.168.1.111,192.168.1.222"

 

[renmet]

If you are referring to my script in post #2

Change LINE 3

#    PPTP_Select  {IP_address} [pptp_interface]

to

#    PPTP_Select  {IP_address[,IP_address…]} [pptp_interface]

Change LINE 35

VPN_PRIO=9000

to

VPN_PRIO=9000
IP_LIST=$(echo "$IPADDR | tr ',' ' '"

Change LINE 57(58)

ip rule add from $IPADDR table $MY_VPNTAB prio $VPN_PRIO

to

for IPADDR in $IP_LIST
   do
     ip rule add from $IPADDR table $MY_VPNTAB prio $VPN_PRIO
     VPN_PRIO=$((VPN_PRIO+1))
   done

then you can now pass a comma-separated-value (CSV) list of multiple IPs to the script

e.g. Route 192.168.1.111 and 192.168.1.222 via the tunnel

/jffs/scripts/PPTP_Select.sh "192.168.1.111,192.168.1.222"

Thanks for your help but after this modifications i only get an error if i try to launch the script

admin@ASUS-AC87:/jffs/scripts# /jffs/scripts/PPTP_Select.sh "192.168.1.111,192.168.1.222"
(PPTP_Select.sh): 3684 PPTP/L2TP Client Selective routing starting..... /jffs/scripts/PPTP_Select.sh 192.168.1.111,192.168.1.222
/jffs/scripts/PPTP_Select.sh: line 70: syntax error: unexpected end of file (expecting ")")
admin@ASUS-AC87:/jffs/scripts#

Here is the full script

#!/bin/sh
#
#    PPTP_Select  {IP_address[,IP_address…]} [pptp_interface]
#
#    PPTP_Select  12.34.56.7
#                 Will route 12.34.56.7 via PPTP/L2TP interface ppp5 (default)
#    PPTP_Select  12.34.56.7 ppp10
#                 Will route 12.34.56.7 via PPTP/L2TP interface ppp10
#
#
logger -st "($(basename $0))" $$ PPTP/L2TP Client Selective routing starting....." $0${*:+ $*}"

MYROUTER=$(nvram get computer_name)
USEPATH="/tmp/mnt/$MYROUTER"
HOSTNAME=

if [ ! -z $1 ];then
   IPADDR=$1
   ETC="/etc"                   # Hack to get around snbforum code block!!!
   HOSTNAME=`grep -i "$IP_ADDR" /$ETC/hosts.dnsmasq | awk '{print $2}'`
else
   logger -st "($(basename $0))" $$ "**ERROR missing arg1: IP_ADDR"
   echo -e "\a"
   exit 99
fi

if [ -z "$2" ];then
   dev="ppp5"
else
   dev=$2
fi

MY_VPNTAB=99       # Now read from /jffs/configs/VPNSelect
TAG_MARK=0x6000    # Now read from /jffs/configs/VPNSelect
VPN_PRIO=9000
IP_LIST=$(echo "$IPADDR | tr ',' ' '"

# Extract the P-t-P address unlike OpenVPN where we extract/use the local VPN address!
# ppp5    inet addr:10.200.25.2  P-t-P:10.200.24.1  Mask:255.255.255.255
PPTP_IP=$(ifconfig $dev | grep 'P-t-P:' | awk '{ print $3}' | cut -d: -f2 |  awk '{ print $1}')  # 10.200.24.1
ip rule del table $MY_VPNTAB 2> /dev/null > /dev/null
ip route flush table $MY_VPNTAB

# Unlike OpenVPN we can't specify route-nopull so do it manually...
logger -st "($(basename $0))" $$ "CMD: ip route delete default via $PPTP_IP dev $dev"
ip route delete default via $PPTP_IP dev $dev 2> /dev/null >/dev/null
PPTP_subnet=${PPTP_IP%.*}

logger -st "($(basename $0))" $$ "CMD: route -n add -net $PPTP_subnet".0" netmask 255.255.255.0 $dev"
route -n add -net $PPTP_subnet".0" netmask 255.255.255.0 $dev

# Unlike Openvpn we do not specify an address in the table defined for PPTP use
logger -st "($(basename $0))" $$ "CMD: ip route add default dev $dev table $MY_VPNTAB"
ip route add default dev $dev table $MY_VPNTAB

# Selectively route the LAN device(s) via the PPTP/L2TP link
if [ ! -z "$IPADDR" ];then
   for IPADDR in $IP_LIST
   do
     ip rule add from $IPADDR table $MY_VPNTAB prio $VPN_PRIO
     VPN_PRIO=$((VPN_PRIO+1))
   done
   logger -st "($(basename $0))" $$ "LAN device" $HOSTNAME "("$IPADDR") forced via PPTP/L2TP" $PPTP_IP "("$dev")"
fi

ip route flush cache
logger -st "($(basename $0))" $$ "PPTP/L2TP Client Selective routing complete."

exit 0

Thanks for your help

kindly regards

 

[Martineau]

Thanks for your help but after this modifications i only get an error if i try to launch the script

admin@ASUS-AC87:/jffs/scripts# /jffs/scripts/PPTP_Select.sh "192.168.1.111,192.168.1.222"
(PPTP_Select.sh): 3684 PPTP/L2TP Client Selective routing starting..... /jffs/scripts/PPTP_Select.sh 192.168.1.111,192.168.1.222

/jffs/scripts/PPTP_Select.sh: line 70: syntax error: unexpected end of file (expecting ")")

admin@ASUS-AC87:/jffs/scripts#

Apologies for the typo - missing ')'

Here is the corrected LINE 70

IP_LIST=$(echo "$IPADDR | tr ',' ' '")

 

[renmet]

Apologies for the typo - missing ')'

Here is the corrected LINE 70

IP_LIST=$(echo "$IPADDR | tr ',' ' '")

Hello,

thanks for your fast answer. The Script has only 69 Lines and i made the new modifications in Line 36. But it is still not working

admin@ASUS-AC87:/jffs/scripts# /jffs/scripts/PPTP_Select.sh "192.168.1.111,192.168.1.222"

/jffs/scripts/PPTP_Select.sh: line 1: {IP_address[,IP_address…]}: not found

(PPTP_Select.sh): 6885 PPTP/L2TP Client Selective routing starting..... /jffs/scripts/PPTP_Select.sh 192.168.1.111,192.168.1.222

(PPTP_Select.sh): 6885 CMD: ip route delete default via 45.82.223.11 dev ppp5

(PPTP_Select.sh): 6885 CMD: route -n add -net 45.82.223.0 netmask 255.255.255.0 ppp5

route: SIOCADDRT: File exists

(PPTP_Select.sh): 6885 CMD: ip route add default dev ppp5 table 99

Error: an inet prefix is expected rather than "192.168.1.111,192.168.1.222".

Error: an inet prefix is expected rather than "|".

Error: an inet prefix is expected rather than "tr".

Error: an inet prefix is expected rather than "','".

Error: an inet prefix is expected rather than "'".

Error: an inet prefix is expected rather than "'".

(PPTP_Select.sh): 6885 PPTP/L2TP Client Selective routing complete.

Here is the hole script with the new line 36

#!/bin/sh
#
#    PPTP_Select  {IP_address[,IP_address…]} [pptp_interface]
#
#    PPTP_Select  12.34.56.7
#                 Will route 12.34.56.7 via PPTP/L2TP interface ppp5 (default)
#    PPTP_Select  12.34.56.7 ppp10
#                 Will route 12.34.56.7 via PPTP/L2TP interface ppp10
#
#
logger -st "($(basename $0))" $$ PPTP/L2TP Client Selective routing starting....." $0${*:+ $*}"

MYROUTER=$(nvram get computer_name)
USEPATH="/tmp/mnt/$MYROUTER"
HOSTNAME=

if [ ! -z $1 ];then
   IPADDR=$1
   ETC="/etc"                   # Hack to get around snbforum code block!!!
   HOSTNAME=`grep -i "$IP_ADDR" /$ETC/hosts.dnsmasq | awk '{print $2}'`
else
   logger -st "($(basename $0))" $$ "**ERROR missing arg1: IP_ADDR"
   echo -e "\a"
   exit 99
fi

if [ -z "$2" ];then
   dev="ppp5"
else
   dev=$2
fi

MY_VPNTAB=99       # Now read from /jffs/configs/VPNSelect
TAG_MARK=0x6000    # Now read from /jffs/configs/VPNSelect
VPN_PRIO=9000
IP_LIST=$(echo "$IPADDR | tr ',' ' '")

# Extract the P-t-P address unlike OpenVPN where we extract/use the local VPN address!
# ppp5    inet addr:10.200.25.2  P-t-P:10.200.24.1  Mask:255.255.255.255
PPTP_IP=$(ifconfig $dev | grep 'P-t-P:' | awk '{ print $3}' | cut -d: -f2 |  awk '{ print $1}')  # 10.200.24.1
ip rule del table $MY_VPNTAB 2> /dev/null > /dev/null
ip route flush table $MY_VPNTAB

# Unlike OpenVPN we can't specify route-nopull so do it manually...
logger -st "($(basename $0))" $$ "CMD: ip route delete default via $PPTP_IP dev $dev"
ip route delete default via $PPTP_IP dev $dev 2> /dev/null >/dev/null
PPTP_subnet=${PPTP_IP%.*}

logger -st "($(basename $0))" $$ "CMD: route -n add -net $PPTP_subnet".0" netmask 255.255.255.0 $dev"
route -n add -net $PPTP_subnet".0" netmask 255.255.255.0 $dev

# Unlike Openvpn we do not specify an address in the table defined for PPTP use
logger -st "($(basename $0))" $$ "CMD: ip route add default dev $dev table $MY_VPNTAB"
ip route add default dev $dev table $MY_VPNTAB

# Selectively route the LAN device(s) via the PPTP/L2TP link
if [ ! -z "$IPADDR" ];then
   for IPADDR in $IP_LIST
   do
     ip rule add from $IPADDR table $MY_VPNTAB prio $VPN_PRIO
     VPN_PRIO=$((VPN_PRIO+1))
   done
   logger -st "($(basename $0))" $$ "LAN device" $HOSTNAME "("$IPADDR") forced via PPTP/L2TP" $PPTP_IP "("$dev")"
fi

ip route flush cache
logger -st "($(basename $0))" $$ "PPTP/L2TP Client Selective routing complete."

exit 0

regards

 

[Martineau]

I made the new modifications in Line 36. But it is still not working

Please change LINE 36

IP_LIST=$(echo "$IPADDR" | tr ',' ' ')

and make sure script is in Linux format

dos2unix /jffs/scripts/PPTP_Select.sh

 

[renmet]

Please change LINE 36

IP_LIST=$(echo "$IPADDR" | tr ',' ' ')

and make sure script is in Linux format

dos2unix /jffs/scripts/PPTP_Select.sh

Hi,

thanks for your help, the script is now working perfect. The only problem is that it want run on startup. i added a line in

/jffs/scripts/service-start

like

/jffs/scripts/PPTP_Select.sh "192.168.1.2,192.168.1.3"

but it didn't work. If i run the same command in the cli everything is working. How do you launch the script on startup?

regards

 

[Martineau]

I i added a line in

/jffs/scripts/service-start

/jffs/scripts/PPTP_Select.sh "192.168.1.2,192.168.1.3"

but it didn't work. If i run the same command in the cli everything is working.

The service-start event is running far too early i.e. before the L2TP connection is UP, so you need to wait until the L2TP session is available before enabling the Selective Routing....

I think I posted 'UP_PPTP_L2TP.sh' script that allows manual control over the start request, but I've extracted code from my OpenVPN 'VPN_Client_Switch.sh' script that may be useful, as a standalone script called asynchronously from

wan-start deprecated since firmware v384.15 (8-Feb-2020) use wan-event script for 'connected' state

/jffs/scripts/Waitfor_L2TP.sh   &          # Run script in background

Waitfor_L2TP.sh

#!/bin/sh

Say(){
   echo -e $$ $@ | logger -st "($(basename $0))"
}
ANSIColours() {
    cRESET="\e[0m";cBLA="\e[30m";cRED="\e[31m";cGRE="\e[32m";cYEL="\e[33m";cBLU="\e[34m";cMAG="\e[35m";cCYA="\e[36m";cGRA="\e[37m";cFGRESET="\e[39m"
    cBGRA="\e[90m";cBRED="\e[91m";cBGRE="\e[92m";cBYEL="\e[93m";cBBLU="\e[94m";cBMAG="\e[95m";cBCYA="\e[96m";cBWHT="\e[97m"
    aBOLD="\e[1m";aDIM="\e[2m";aUNDER="\e[4m";aBLINK="\e[5m";aREVERSE="\e[7m"
    aBOLDr="\e[21m";aDIMr="\e[22m";aUNDERr="\e[24m";aBLINKr="\e[25m";aREVERSEr="\e[27m"
    cWRED="\e[41m";cWGRE="\e[42m";cWYEL="\e[43m";cWBLU="\e[44m";cWMAG="\e[45m";cWCYA="\e[46m";cWGRA="\e[47m"
    cYBLU="\e[93;48;5;21m"
    xHOME="\e[H";xERASE="\e[K";xERASEDOWN="\e[J";xERASEUP="\e[1J";xCSRPOS="\e[s";xPOSCSR="\e[u"
}
Check_PPTP_L2TPState(){

      local I=0
      local OK=0
      local IFNAME=$2

      if [ "$1" = "2" ]; then
         local WSTATE="connect"
         local WAIT_TXT="may take 20-30 secs"
      fi
      if [ "$1" = "0" ]; then
         local WSTATE="disconnect"
         local WAIT_TXT="may take 10 secs"
      fi

      echo -e $cBCYA >&2
      Say "Waiting $3 secs for" $PROTOCOL "VPN Client ("$VPNTAG") to" $WSTATE"....."$WAIT_TXT

      echo -e $cBRED >&2
      while [ $I -lt $3 ]; do
        sleep 1
        #Say "Waiting for" $PROTOCOL "VPN Client to" $WSTATE"....." $i
        local STATUS=$(ifconfig $IFNAME 2> /dev/null)
        if [ -z "$STATUS" ] && [ "$WSTATE" == "disconnect" ];then
           OK="1"
           break
        fi

        # Explicity check for 'UP' rather than 'POINTOPOINT' as it can take a few secs after PPP5 exists to actually show 'UP'
        local STATUS=$(ifconfig $IFNAME 2> /dev/null | grep -o "UP")
        if [ ! -z "$STATUS" ] && [ "$WSTATE" == "connect" ];then
           OK="1"
           break
        fi

        I=$((I + 1))

      done

      if [ "$OK" = "1" ];then
            echo -e $cBYEL >&2
            Say $PROTOCOL "VPN Client ("$VPNTAG")" $WSTATE"'d in" $I "secs"
            echo -e $cBRED >&2
            echo 0
            return 0
      else
            echo -e  >&2
            Say "***ERROR***" $PROTOCOL "VPN Client ("$VPNTAG") FAILED to" $WSTATE "after" $I "secs"
            echo -e "\a" >&2
            echo 1
            return 1
      fi

}


ANSIColours
PROTOCOL="L2TP"
VPNTAG="ppp5"

RC=$(Check_PPTP_L2TPState "2" "$VPNTAG" "60")               # Wait 60 secs, and use '2' as 'connect' status (similar to OpenVPN)
[ $RC -eq 0 ] && { Say "Selective Routing configuration starting"; /jffs/scripts/PPTP_Select.sh "192.168.1.2,192.168.1.3"; }

 

[Martineau]

Thank you so much for replying to my questions.
I managed to do what I wanted in the end thanks to all your posts.

First, I was wrong and thought I needed to add the ip of my target domain to the "ip rule" function.

What I really needed was to be able to specify a domain. If there's a request to that specific domain, route it to ppp5 (is this the only pptp client name?)

So I searched again and found your solution: https://www.snbforums.com/threads/route-certain-domains-through-client-vpn.49451/

I did the following:

1. in the router config page, I started the PPTP client (activate)
2. used your PPTP select script and point it to a non-existent IP, so all other clients go to WAN. otherwise all will go through pptp.. Is my observation correct?
3. issued this command: ipset create EXAMPLE_BYPASS_V4 hash:ip family inet
4. added this line to dnsmasq.conf.add: ipset=/targetdomain.com/EXAMPLE_BYPASS_V4
5. restarted using service restart_dnsmasq
6. issued this command: iptables -I PREROUTING -t mangle -m set --match-set EXAMPLE_BYPASS_V4 dst -j MARK --set-mark 1
7. issued this command: ip rule add prio 100 fwmark 1 lookup 99 (99 is your vpntab I believe)

That's it and it works!

Thank you for all your guide! They are really helpful

Many thanks for the feedback - much appreciated.

My only issue is I have to do them manually.

Is there a way to trigger these automatically on boot?
e.g. start pptp automatically and run them as scripts?

see script Waitfor_L2TP.sh (called from 'wan-start') and you could add your custom code at the end of the script.

I'd also like to add your script here so it checks if my pptp is down: ChkVPN9.sh/

Simply set up the cron job to request the 'ChkVPN9.sh' script at regular intervals

e.g. for a check every 5 mins, add the following line to the end of 'Waitfor_L2TP.sh'

cru a ChkVPN "*/5 * * * * /jffs/scripts/ChkVPN9.sh"'

 

[jobski]

Many thanks for the feedback - much appreciated.

see script Waitfor_L2TP.sh (called from 'wan-start') and you could add your custom code at the end of the script.

Simply set up the cron job to request the 'ChkVPN9.sh' script at regular intervals

e.g. for a check every 5 mins, add the following line to the end of 'Waitfor_L2TP.sh'

cru a ChkVPN "*/5 * * * * /jffs/scripts/ChkVPN9.sh"'

Thanks for that, I was meant to post it here again but you beat me to it.

When I restarted my router and did the steps 1-7, it doesn't work anymore.

If I use your script with a real client IP, it still works. It's just the selective routing with ipset rule (EXAMPLE_BYPASS_V4) + iptable mark that doesn't. What happens now is if I access targetdomain.com it gives me connection time outs.

Is there anything in my steps that I shouldn't repeat when I restart the router? Any hints on where I should look at (iptables/ipset/ip rule..etc)?

Thank you, again!

 

[Martineau]

When I restarted my router and did the steps 1-7, it doesn't work anymore.

If I use your script with a real client IP, it still works. It's just the selective routing with ipset rule (EXAMPLE_BYPASS_V4) + iptable mark that doesn't. What happens now is if I access targetdomain.com it gives me connection time outs.

Is there anything in my steps that I shouldn't repeat when I restart the router? Any hints on where I should look at (iptables/ipset/ip rule..etc)?

If you aren't using OpenVPN Client 1, as per Wiki article you should try using fwmark '0x1000/0x1000' rather than '1'

e.g. Steps 6 and 7 should be changed to

iptables -I PREROUTING -t mangle -m set --match-set EXAMPLE_BYPASS_V4 dst -j MARK --set-mark 0x1000/0x1000

ip rule add prio 99 fwmark 0x1000/0x1000 lookup 99

So after a reboot, you should check that the RPDB rules are correctly in place, and that the '-t mangle PREROUTING' IPSET fwmark tagging rule is being matched.

ip rule

iptables --line -t mangle -nvL PREROUTING

ip route show table 99

If the rules are 'missing' then check that they are being applied correctly in the firewall-start script.

 

[jobski]

If you aren't using OpenVPN Client 1, as per Wiki article you should try using fwmark '0x1000/0x1000' rather than '1'

e.g. Steps 6 and 7 should be changed to

iptables -I PREROUTING -t mangle -m set --match-set EXAMPLE_BYPASS_V4 dst -j MARK --set-mark 0x1000/0x1000

ip rule add prio 99 fwmark 0x1000/0x1000 lookup 99

So after a reboot, you should check that the RPDB rules are correctly in place, and that the '-t mangle PREROUTING' IPSET fwmark tagging rule is being matched.

ip rule

iptables --line -t mangle -nvL PREROUTING

ip route show table 99

If the rules are 'missing' then check that they are being applied correctly in the firewall-start script.

I tried it and still has the same issue

The pkts and bytes are going up whenever I visit targetdomain.com so I believe the filter is working but isn't going through to ppp5 (PPTP).

iptables --line -t mangle -nvL PREROUTING

Chain PREROUTING (policy ACCEPT 826K packets, 1215M bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       74  3848 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set EXAMPLE_BYPASS_V4 dst MARK or 0x1000

ip route show table 99

default dev ppp5  scope link

ip rule

0:      from all lookup local
9000:   from all fwmark 0x1000/0x1000 lookup 99
32766:  from all lookup main
32767:  from all lookup default

 

[Martineau]

I tried it and still has the same issue

The pkts and bytes are going up whenever I visit targetdomain.com so I believe the filter is working but isn't going through to ppp5 (PPTP).

iptables --line -t mangle -nvL PREROUTING

Chain PREROUTING (policy ACCEPT 826K packets, 1215M bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       74  3848 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set EXAMPLE_BYPASS_V4 dst MARK or 0x1000

ip route show table 99

default dev ppp5  scope link

ip rule

0:      from all lookup local
9000:   from all fwmark 0x1000/0x1000 lookup 99
32766:  from all lookup main
32767:  from all lookup default

Does the following show any output?

ip -s route show cache xxx.xxx.xxx.xxx

where xxx.xxx.xxx.xxx e.g. targetdomain.com (You can redact the IP address) is one of the IPs in the IPSET

Furthermore, if you issue

ip rule add from LAN.IP.xxx.xxx table 99 prio 10000

ip route flush cache

ip rule

then presumably all traffic from LAN.IP.xxx.xxx is again correctly routed via interface ppp5?

 

[jobski]

Does the following show any output?

ip -s route show cache xxx.xxx.xxx.xxx

where xxx.xxx.xxx.xxx e.g. targetdomain.com (You can redact the IP address) is one of the IPs in the IPSET

Furthermore, if you issue

ip rule add from LAN.IP.xxx.xxx table 99 prio 10000

ip route flush cache

ip rule

then presumably all traffic from LAN.IP.xxx.xxx is again correctly routed via interface ppp5?

Yes, you are correct, no output from the first command.

After doing the second set of commands, visiting targetdomain.com works for that client IP and "ip -s route show cache 190.18.121.221" now shows a result on one of the IPs.

result

190.18.121.221 from 192.168.100.100 dev ppp5  src 192.168.100.1  mark 0x1000
    cache <src-direct>  used 510 age 7sec mtu 1400 advmss 1360 hoplimit 64 iif br0
190.18.121.221 via 118.110.111.1 dev eth0  src 118.140.111.101
    cache  used 1 age 425sec mtu 1500 advmss 1460 hoplimit 64

All just as you've said!

 

[OMNI619]

L2TP Is much faster but less encrypted and vulnerable

Sent from my SM-G930V using Tapatalk