Need help figuring out routing traffic by Application through OpenVPN

soul4kills

New Around Here
So I recently got an RT-AX86S and just found out about merlin and have been messing with it a lot to get the most out of it.

Right now I've been trying to figure out how to route only my torrent traffic through OpenVPN on the router. It took me a while to piece together a working solution for it and was successful in setting up OpenVPN routing by port.

But after analyzing what ports were being utilized it isn't enough to route the torrent traffic to the OpenVPN because the port you set in the torrent client is only a listening port. Once connections are made, it's connected with whatever port Windows decides. So for incoming connections they do go to the port set, but for outgoing connections, it is with a random range of ports.

So I researched a little further and saw that you can route by GID group. So that's where I'm stuck at.

I see that the router is able to identify the torrent traffic as "Torrent Series" in Traffic Analyzer. How do I utilize that to set my iptables to route that type of traffic through the VPN?
 
The OpenVPN client, using the VPN Director, is only capable of routing selectively based on the source and/or destination IP, NOT ports.
 
Yes, if you want to do it *manually*, that's what you'll have to do. But the VPN Director is NOT capable of this itself.
 
I've already done it. But that's not what I'm asking.

I'm wondering how to use the same marking indicators that the router uses in the traffic analyzer to identify that traffic in iptables to reroute it.
 
I honestly don't know how the TA is tracking torrents, or how well. In years past, that used to be a lot easier. But w/ the increasing use of secure protocols, that's getting harder and harder. And the router has been no exception. Much of the URL-based blocking doesn't work anymore for that reason.

If the torrent was running on the router itself, I'd recommend multi-homing it w/ another IP (e.g., 192.168.2.1) and binding the torrent application to that IP through its config file. Now you can easily route that traffic based on that source IP, irrespective of any other criteria.

You could do something similar w/ a Windows machine. Multi-home the router (e.g., 192.168.2.1) *and* the PC (e.g., 192.168.2.2) and bind the torrent app to the new network. And now route based on the PC's source IP.

At least that's the way I would typically solve it, esp. knowing that being able to detect traffic from a specific app is NOT easy these days. And for those features like TA that claim to have that capability, it probably involves deep packet inspection and pattern recognition. Something beyond just identifying specific ports. Therefore, it's probably going to be easier if you can find a way to bind the app to a specific source IP and use the policy-based routing features already available w/ the VPN Director.

But hey, maybe someone w/ better knowledge of the TA can provide better help.
 
P.S. Years ago I used to solve this kind of problem another way as well. I'd run the app on a bridged VM, so it necessarily had its own unique source IP. Of course, that's a heavy solution compared to just multi-homing the PC, but it might work for some ppl. We now have container technology as well (e.g., Docker), making these types of configurations much lighter weight.
 
I'm mostly doing this to learn. Using the built-in torrent downloader was my other option and routing that to the VPN.

I kind of almost figured out what I'm trying to do.

Add 'ip rule add from 0/0 fwmark "torrentmark" table ovpnc1 prio 9996' to nat-start, but what I'm missing is the fwmark of the torrent packets which the router has already marked.
So adding this would route all those torrent packets to the OpenVPN1 client. I think.
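
The two ideas above, binding the torrent app to a second source IP on a multi-homed PC (or on the router itself, with a GID) and then sending marked packets into the ovpnc1 table with an ip rule, can be combined without knowing anything about the marks Traffic Analyzer uses internally: set your own fwmark in the mangle table and route on that. The script below is an added example for this thread, not code from the original posts or from Asuswrt-Merlin. The table name ovpnc1 and the prio 9996 come from the post above; the address 192.168.2.2, the mark 0x2000/0x2000, the TORRENT_SRC/TORRENT_GID variable names and the function names are assumptions for illustration. One caveat it encodes: the iptables owner match (the GID route) only exists for packets the router itself generates, so it is valid in OUTPUT only and can never see traffic from a Windows client on the LAN.

```shell
#!/bin/sh
# Added example for this thread; not code from the original posts or from
# Asuswrt-Merlin. Marks torrent traffic with our own fwmark and policy-routes
# marked packets into the OpenVPN client 1 table ("ovpnc1", as used in the
# thread), instead of depending on marks Traffic Analyzer may set internally.
#
# Hypothetical values, adjust to your setup:
#   TORRENT_SRC  secondary address the torrent app is bound to on the
#                multi-homed PC (or on the router itself)
#   TORRENT_GID  group the torrent process runs as, only for a torrent client
#                running on the router; empty disables that rule
#   MARK/MASK    a mark bit not used by anything else on the box; check
#                `iptables -t mangle -S` and `ip rule` before picking one
TORRENT_SRC="${TORRENT_SRC:-192.168.2.2}"
TORRENT_GID="${TORRENT_GID:-}"
MARK="${MARK:-0x2000}"
MASK="${MASK:-0x2000}"
TABLE="${TABLE:-ovpnc1}"
PRIO="${PRIO:-9996}"

# add_rule TABLE CHAIN MATCH...: append a rule once, so re-running the script
# (nat-start can fire more than once) does not stack duplicates.
# With DRY_RUN set it only prints the command it would run.
add_rule() {
    tbl=$1; chain=$2; shift 2
    if [ -n "${DRY_RUN:-}" ]; then
        printf 'iptables -t %s -A %s %s\n' "$tbl" "$chain" "$*"
    elif ! iptables -t "$tbl" -C "$chain" "$@" 2>/dev/null; then
        iptables -t "$tbl" -A "$chain" "$@"
    fi
}

# add_ip_rule ARGS...: (re)create one policy-routing rule idempotently.
add_ip_rule() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf 'ip rule add %s\n' "$*"
    else
        ip rule del "$@" 2>/dev/null
        ip rule add "$@"
    fi
}

torrent_vpn_rules() {
    # LAN case: PREROUTING sees packets forwarded from the PC. Every packet
    # sent from the torrent-only address gets the mark, whatever ephemeral
    # port Windows picked for the outgoing connection.
    add_rule mangle PREROUTING -s "$TORRENT_SRC" -j MARK --set-xmark "$MARK/$MASK"

    # Router-local case: the owner match only exists for locally generated
    # packets, so it must live in OUTPUT. It cannot see traffic from a LAN
    # host, which is why GID-based routing alone does not help for a
    # torrent client running on the PC.
    if [ -n "$TORRENT_GID" ]; then
        add_rule mangle OUTPUT -m owner --gid-owner "$TORRENT_GID" \
            -j MARK --set-xmark "$MARK/$MASK"
    fi

    # Policy route: marked packets consult the VPN client's table before
    # main. prio must sort ahead of the rule that hands traffic to main.
    add_ip_rule fwmark "$MARK/$MASK" table "$TABLE" prio "$PRIO"
}

# `sh nat-start show` previews the commands, `sh nat-start apply` installs
# them. From /jffs/scripts/nat-start just call torrent_vpn_rules.
case "${1:-}" in
    show)  DRY_RUN=1 torrent_vpn_rules ;;
    apply) torrent_vpn_rules ;;
esac
```

After applying, confirm the rule and the table it points at with `ip rule` and `ip route show table ovpnc1`; if the OpenVPN client is down the table is empty and marked packets fall through to main, so check that before blaming the marks. For the LAN case the source-IP match alone is something the VPN Director can already do, as noted earlier in the thread; the mangle rule is what you need when you want the fwmark route done by hand.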
 
I realized why what I wrote was completely not helpful.
 