Routing with multiple OpenVPN clients running


thebatfink

Occasional Visitor
Hi,

Is it possible with Merlin to have two OpenVPN clients running and route specific destination IPs through specific OpenVPN clients for the same source IP? For example:

Source IP = 192.168.1.100 | Destination IP = 55.55.55.55 | OpenVPN Client 1

..and then all other traffic to:
Source IP = 192.168.1.100 | Destination IP = 0.0.0.0 | OpenVPN Client 2

But still ensure DNS is not going through WAN (goes through either as long as it's not WAN) and 192.168.1.100 will be blocked if VPN goes down?

Thanks
Batfink
 
Hey thanks. The link you gave is just for configuring single client though right? I already have that OK, it is this requirement to push specific destination to different vpn from same source I am struggling with.

I had a scan through first 10 or so pages of vpn forum, where is the guide? Did you write it?

Thanks

EDIT I created a thread in the VPN forum, probably better asked there :) thanks for the ideas thus far.
 
thebatfink, the link you need is in the wiki, it takes digging; your tunnels should work fine as long as there is no port or IP conflict. The wiki is specific about how you need to keep the IP address pool under .100. Cheers.
 
I’m going to have to work for this aren’t I :) So I did some reading of the wiki and also on netfilter.org on the iptables command / function / whatever it is.. I’m hoping you would be so kind as to help me understand a couple of points and if I am going in the right direction!

So on the wiki here https://github.com/RMerl/asuswrt-merlin/wiki/Policy-based-routing-(manual-method)

First question, I assume I’ll need to do the above as I won’t use the GUI anymore for policy routing right? To setup my router as I have it currently (1 OpenVPN client with one source IP having all its traffic pushed through the VPN) I guess I can pretty much copy it..

Code:
#!/bin/sh

sleep 2

# Disable reverse-path filtering so replies arriving over the tunnel are not dropped
for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
  echo 0 > $i
done

# Start from a clean routing table 100 and a clean mangle PREROUTING chain
ip route flush table 100
ip route del default table 100
ip rule del fwmark 1 table 100
ip route flush cache
iptables -t mangle -F PREROUTING

# Copy the main table's routes (except the default and tun11 routes) into table 100
ip route show table main | grep -Ev ^default | grep -Ev tun11 \
  | while read ROUTE ; do
     ip route add table 100 $ROUTE
done

# Table 100 sends traffic out the WAN; packets marked 1 are looked up in table 100
ip route add default table 100 via $(nvram get wan_gateway)
ip rule add fwmark 1 table 100
ip route flush cache

# Mark all LAN traffic 1 (WAN), then reset 192.168.1.2's traffic to mark 0,
# which uses the main table, where the OpenVPN client's own default route via tun11 lives
iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1

iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.2 -j MARK --set-mark 0

exit 0

Second question, I believe the last two lines are marking packets which are not from 192.168.1.2 as 1 and those which are as 0 so we can differentiate what should happen to the packets right? But I am curious, how does it know what should be done with something marked 0? Like where does it say anything marked 0 send to tun11?

Third question, I am curious how the logic works for matching, does it work down the entire list of iptable entries evaluating each one until all are evaluated (i.e. it doesn’t stop once something is true)? So for example a packet which is from 192.168.1.2 is first marked 1 because that statement is true (which I assume all traffic would be) but then if it also matches true on the second entry (which it will if coming from 192.168.1.2) it would be changed from being marked 1 to marked 0? Is this right?

So then assuming this is correct I can add another rule to match on the source and destination and mark those with a different number:

Code:
iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.2 -j MARK --set-mark 0
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.2 --dst-range 55.55.55.55 -j MARK --set-mark 2

Then can push those marked 0 to WAN, 1 to tun11 and 2 to tun12?

Thanks
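An added example for the three questions above (this is not the wiki script and not firmware code): a script that sets up one routing table per tunnel, marks the client's traffic 2 by default and 1 for the single destination, and rejects anything from the client that would otherwise leave via the WAN. Assumed names: LAN bridge br0, WAN interface eth0 (check with "nvram get wan0_ifname" on the router), VPN client 1 on tun11, VPN client 2 on tun12; the host and destination are the thread's 192.168.1.100 and 55.55.55.55. Run with "show" (the default) to print the commands, "apply" to execute them.

```shell
#!/bin/sh
# Policy routing for two OpenVPN clients (added example, not the wiki script).
# Assumed interface names: br0 (LAN), eth0 (WAN), tun11 (VPN 1), tun12 (VPN 2).

LAN_IF=br0
WAN_IF=eth0            # assumption: check "nvram get wan0_ifname" on the router
CLIENT=192.168.1.100
SPECIAL_DST=55.55.55.55
CHAIN=VPNPOLICY        # our own mangle chain, so the firmware's rules stay untouched
VPN1_IF=tun11; VPN1_MARK=1; VPN1_TABLE=101
VPN2_IF=tun12; VPN2_MARK=2; VPN2_TABLE=102
DRY_RUN=1

# run: print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Loose reverse-path filtering (2) so replies arriving over a tunnel are kept.
loosen_rp_filter() {
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
        run sh -c "echo 2 > $f"
    done
}

# One routing table per tunnel, holding only a default route over that tunnel.
# If the tunnel interface goes away the route goes with it, lookups fall
# through to the main table (WAN), and kill_switch below rejects that traffic.
setup_table() {
    table=$1; dev=$2; mark=$3
    run ip route flush table "$table"
    run ip route add default dev "$dev" table "$table"
    run ip rule del fwmark "$mark" table "$table" 2>/dev/null || true
    run ip rule add fwmark "$mark" table "$table"
}

# MARK does not stop chain traversal: every rule is evaluated and the last
# matching --set-mark wins. So the broad rule goes first and the specific
# destination rule last, where it overrides the broad one.
mangle_rules() {
    run iptables -t mangle -N "$CHAIN" 2>/dev/null || true
    run iptables -t mangle -F "$CHAIN"
    run iptables -t mangle -D PREROUTING -i "$LAN_IF" -j "$CHAIN" 2>/dev/null || true
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -j "$CHAIN"
    # everything from the client (its DNS queries on port 53 included) -> VPN client 2
    run iptables -t mangle -A "$CHAIN" -s "$CLIENT" -j MARK --set-mark "$VPN2_MARK"
    # only this destination -> VPN client 1
    run iptables -t mangle -A "$CHAIN" -s "$CLIENT" -d "$SPECIAL_DST" -j MARK --set-mark "$VPN1_MARK"
}

# Reject anything from the client that would leave via the WAN. That only
# happens when a tunnel is down, which is the "block if the VPN goes down" case.
kill_switch() {
    run iptables -D FORWARD -i "$LAN_IF" -s "$CLIENT" -o "$WAN_IF" -j REJECT 2>/dev/null || true
    run iptables -I FORWARD -i "$LAN_IF" -s "$CLIENT" -o "$WAN_IF" -j REJECT
}

build_policy_routing() {
    loosen_rp_filter
    setup_table "$VPN1_TABLE" "$VPN1_IF" "$VPN1_MARK"
    setup_table "$VPN2_TABLE" "$VPN2_IF" "$VPN2_MARK"
    mangle_rules
    kill_switch
    run ip route flush cache
}

if [ "${1:-show}" = apply ]; then DRY_RUN=0; fi
build_policy_routing
```

Mark 0 (everything not from 192.168.1.100) never matches an fwmark rule and so uses the main table, i.e. the WAN. The client's own DNS queries follow the same marks as the rest of its traffic, so they only stay off the WAN if the client resolves against a server reachable through the tunnel rather than against the router's own resolver, whose queries originate on the router and are not seen in PREROUTING.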
 

I have stated many times that the script is flawed; however, as the firmware now supports basic Selective routing, simply use the GUI.

e.g.

VPN Client 1
Accept DNS Configuration=EXCLUSIVE
Block routed clients if tunnel goes down=YES

Code:
LAN100 192.168.1.100 55.55.55.55 vpn

VPN Client 2
Accept DNS Configuration=EXCLUSIVE
Block routed clients if tunnel goes down=YES

Code:
LAN100 192.168.1.100 0.0.0.0 vpn

NOTE: The flaw with the GUI solution above is that if VPN Client 1 is DOWN, whilst 192.168.1.100 access to 55.55.55.55 is correctly BLOCKED, all other 192.168.1.100 traffic will fail since its traffic will be unable to access VPN Client 1's DNS as this will be referenced before VPN Client 2's DNS.

If the above GUI solution does not meet your needs then an additional rule may be required.
 
Hi, when I do this I can no longer resolve hostnames on the source machine. I have to set Client 1 VPN Accept DNS Configuration to Disabled to get it working. If it is relevant, Client 1's provider is PureVPN.

Question is, is that normal and what DNS is being used?

Thanks!
 
thebatfink; indeed, anything worth learning takes time, when it isn't given away. Without intending to seem preachy, you'll find you can increase your skill level, become more confident and learn more, even though everyone wants what they want, as soon as yesterday. Keep researching the wiki/forums, and you'll reach a moment when you'll see the answer you need without having to wait for anyone to get back to you. Many members help and lend a great deal of their time and expertise when they can, but between families, work and projects, pointing someone in the right direction is all that's needed. Almost anything that can be asked on a subject has been, and is answered in many ways. Best advice, to keep honing your search-fu skills, use the forum search tool and your regular search engine. Simple, short questions with various phrasing helps you locate relevant answers faster, so don't become discouraged.

Martineau is spot on, and you should be able to get this done using the router GUI, unless I've misread the intent of your post. You've probably already done this; go to the LAN tab, and under DHCP Server, at the bottom of the page, use Manually Assigned IP around the DHCP list (Max Limit: 128), and using the drop down menu, assign/apply each of your devices/MACs within the IP address range for your OpenVPN clients. You -can- list quad9, google or whatever in WAN, but be sure to tick the 'no' box, so your WAN/ISP doesn't automatically assign theirs. Your OpenVPN client will either append or ignore those you list to theirs or not. If you don't want any fall-back DNS at all, to reduce the chances of leaks, you don't have to list any DNS servers in the WAN or LAN DHCP server tabs. Your VPN's DNS is part of their config, unless I've misconstrued what you want to do with the GUI.

This makes it quick/easy to locate/route the devices in your OpenVPN clients, and Martineau's advice saves you having to look that info up. If one of your OpenVPN tunnels goes down, you should know very quickly since your traffic will come to a screeching halt, so you may wish to have a spare OpenVPN config/tunnel or two ready to be loaded in case of emergency. Depending on how many OpenVPN configs/tunnels are available in your router model's firmware, all you may have to do is turn off the tunnel that's gone down, then turn on the standby OpenVPN config, after you reassign the devices to it. Didn't mean to go on so, and hope this is relevant to your situation. Good luck and Cheers.
 
Hi, when I do this I can no longer resolve hostnames on the source machine. I have to set Client 1 VPN Accept DNS Configuration to Disabled to get it working. If it is relevant, Client 1's provider is PureVPN.

Question is, is that normal and what DNS is being used?

Depends...

Issue the following to see the Exclusive DNS setup when it fails,
Code:
iptables --line -t nat -nvL DNSVPN1  2>/dev/null

iptables --line -t nat -nvL DNSVPN2 2>/dev/null
You may then try an alternative DNS server for a VPN Client by including
e.g.
Code:
dhcp-option DNS 9.9.9.9
then reissue the command
Code:
iptables --line -t nat -nvL DNSVPN1  2>/dev/null;iptables --line -t nat -nvL DNSVPN2 2>/dev/null
If the above is not acceptable then try using

Accept DNS Configuration=STRICT
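An added example (not Martineau's code or the firmware's) of what to look for in that output: in Exclusive mode the DNSVPN chains DNAT a client's DNS queries to the tunnel's DNS server, so the listing tells you which server each client is actually sent to. The listing below is a constructed sample in the layout of "iptables --line -t nat -nvL"; on the router, pipe the live output of the two commands above into the functions instead. The chain order assumed here is the one Martineau describes in his NOTE, DNSVPN1 being consulted before DNSVPN2.

```shell
#!/bin/sh
# Summarise the DNSVPN1/DNSVPN2 nat chains (added example, not firmware code).
# SAMPLE is a constructed listing; the 10.8.0.1 / 10.9.0.1 addresses are made up.

SAMPLE='Chain DNSVPN1 (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1       12   840 DNAT       all  --  *      *       192.168.1.100        0.0.0.0/0            to:10.8.0.1
Chain DNSVPN2 (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DNAT       all  --  *      *       192.168.1.100        0.0.0.0/0            to:10.9.0.1'

# dns_map: read a listing on stdin, print "chain client dns" per DNAT rule.
# In -nvL layout the source is field 9 and the DNAT target is the last field.
dns_map() {
    awk '
        /^Chain /    { chain = $2; next }
        $4 == "DNAT" { sub(/^to:/, "", $NF); print chain, $9, $NF }
    '
}

# dns_for_client: the DNS server a client is redirected to. PREROUTING jumps
# to DNSVPN1 before DNSVPN2, so the first chain that matches the client wins
# (assumption taken from the NOTE in the thread).
dns_for_client() {
    dns_map | awk -v c="$1" '$2 == c { print $3; exit }'
}

# overlapping_clients: clients listed in more than one chain. For them the
# second tunnel's DNS is never used, which is exactly the failure described
# when VPN Client 1 is down.
overlapping_clients() {
    dns_map | awk '{ n[$2]++ } END { for (c in n) if (n[c] > 1) print c }'
}

echo "$SAMPLE" | dns_map
echo "overlapping: $(echo "$SAMPLE" | overlapping_clients)"
```

A "pkts" column of 0 on a chain's rule, as on DNSVPN2 in the sample, is the quick tell that queries from that client never reach it.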
 
Martineau, On one of our tunnels, Strict works when Exclusive doesn't. Would adding quad9 in the GUI LAN-DHCP Server tab work for him? Cheers.
 
Martineau, On one of our tunnels, Strict works when Exclusive doesn't. Would adding quad9 in the GUI LAN-DHCP Server tab work for him? Cheers.

You can add the DNS of your choice in the GUI: OpenDNS, Comodo, Torguard, Dyn, Anycast aka Opennic, Adguard or Adguardplus, freedns, Cloudflare etc., and of course there are even some free regional 'public' DNS servers, but use these at your own risk.

I did post about my VPN ISP's DNS no longer working in EXCLUSIVE mode and their 'solution'
Solution for HMA issue - no longer push discrete private 10.xxx.xxx.xxx DNS servers per regional Client connection

hence my openvpnclientX.postconf script to process any of the 'commercial' free DNS servers.

so clearly, if the usual DNS leak test doesn't show your WAN ISP's DNS servers (i.e. you are using say Quad9 via the WAN) is this then sufficient obfuscation?...or should you use DNScrypt etc.?

NOTE: In STRICT mode then you would be using the most recent ACTIVE VPN DNS but then lose the ability to have separate DNS servers per Client.
 
Martineau, I didn't intend to confuse the OP's issue, I was asking a question of your comment on quad9, actually. We normally don't have anything dropped to WAN; the router and tunnels are running long before anything on our net is turned on at the start of each day, and if the tunnel goes down, the kill switch stops it cold.

The way our VPN providers' tunnels are configured, each provider pushes what it needs for its DNS internally in the config. Placing quad9, google, Comodo etc. as in the prior post doesn't seem to have much if any effect on either of the two tunnels (from either provider) unless one of the devices is removed/redirected manually to WAN; if that has to happen, it's only for troubleshooting and involves an OpenVPN client running on the device/PC.

On one of the older VPN's tunnels, 10.10.10.10 will sign the device into the VPN's net, then they redirect the tunnel where it should go. I'm not sure I said that correctly, so pardon my faux pas, insufficient sleep these days. The tunnel from the other vendor is a streaming IP for video only, and though it sees whatever DNS is listed in the LAN DHCP, it remarks/appends/adds it into the config mix because I can see it in the logs, but it doesn't have any impact on the tunnel config or override the VPN's internal settings.

I had to shut a tunnel down a couple weeks ago when it suddenly failed and the DNS that was sitting there still did nothing; the kill switch had done its job. There was no DNS server listed in WAN, so I removed the PC from the VPN tunnel and dropped it to WAN, which immediately changed the equation, and the extra DNS listing actually had the intended effect. The provider's team had apparently migrated the config/tunnel we used to a new server without notifying us, rude and never a good thing. As soon as I entered/applied quad9 in the WAN DNS, after removing the machine from the non-functioning config/tunnel, I then used a PC OpenVPN client to download a new working config to upload onto the router and replace the old config that had failed. I checked for WebRTC leakage before, during and after, but nothing was leaking to anyone, anywhere that I could detect. I hope that clarifies it a bit, excuse the flub. Cheers.
 